Edit tour

Windows Analysis Report
RequestFeeEstimateApp.msi

Overview

General Information

Sample name:	RequestFeeEstimateApp.msi
Analysis ID:	1545776
MD5:	6ff29c2e00a2ec0c6ad386cd7aba0111
SHA1:	2223e3d3a1d9c214379ed39226565a8a295eca42
SHA256:	1b1254e810e86475bd3ebb4362e1495d16c39a377da3052796779b3445b840bc
Infos:

Detection

Score:	5
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Checks for available system drives (often done to infect USB drives)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

May use bcdedit to modify the Windows boot settings

Modifies existing windows services

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Classification

Process Tree

System is w7x64

msiexec.exe (PID: 3404 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\RequestFeeEstimateApp.msi" MD5: AC2E7152124CEED36846BD1B6592A00F)

msiexec.exe (PID: 3432 cmdline: C:\Windows\system32\msiexec.exe /V MD5: AC2E7152124CEED36846BD1B6592A00F)

msiexec.exe (PID: 3516 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 15D085CEE9AA24273C52817D86F1DFDC C MD5: 4315D6ECAE85024A0567DF2CB253B7B0)

msiexec.exe (PID: 3988 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding E19954DDDCA32EB259172C345C0E3285 MD5: 4315D6ECAE85024A0567DF2CB253B7B0)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source:	Binary string: c:\CIMSDevelopment\DOTNET45\Z_CIMSUtilities\LegalAdminFeeQuoteRequestApp\LegalAdminFeeQuoteRequestApp\obj\Debug\RequestFeeEstimateApp.pdb source: RequestFeeEstimateApp.exe.1.dr
Source:	Binary string: DPCA.pdb source: RequestFeeEstimateApp.msi, 5a8528.msi.1.dr, MSI44DE.tmp.1.dr, MSIA016.tmp.0.dr, MSI8AD3.tmp.0.dr, 5a852b.msi.1.dr, MSI7012.tmp.1.dr
Source:	Binary string: c:\CIMSDevelopment\DOTNET45\Z_CIMSUtilities\LegalAdminFeeQuoteRequestApp\LegalAdminFeeQuoteRequestApp\obj\Debug\RequestFeeEstimateApp.pdbH source: RequestFeeEstimateApp.exe.1.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: 5a852a.rbs.1.dr, MSI31BD.tmp.1.dr	String found in binary or memory: http://www.pt.qld.gov.au
Source: RequestFeeEstimateApp.exe.config.1.dr	String found in binary or memory: http://www.pt.qld.gov.au/
Source: RequestFeeEstimateApp.exe.config.1.dr	String found in binary or memory: http://www.pt.qld.gov.au/site-footer/privacy/
Source: RequestFeeEstimateApp.exe.config.1.dr	String found in binary or memory: https://www.pt.qld.gov.au/fee-estimates
Source: RequestFeeEstimateApp.exe.config.1.dr	String found in binary or memory: https://www.pt.qld.gov.au/fee-estimates/#protection
Source: RequestFeeEstimateApp.exe.1.dr	String found in binary or memory: https://www.pt.qld.gov.au/media/1094/guide-for-financial-management-clients.pdf

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5a8528.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7012.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI44DE.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5a8529.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5a8529.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI31BD.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}\_853F67D554F05449430E7E.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}\_FC1595DE29501BE620D66A.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}\_A85671EAB9534020145BAD.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5a852b.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5a852b.msi	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI7012.tmp

Jump to behavior

Source: RequestFeeEstimateApp.msi

Binary or memory string: OriginalFilenameDPCA.DLL^ vs RequestFeeEstimateApp.msi

Source: metadata-2.1.dr	Binary string: highlight.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\66program files\windows sidebar\gadgets\rssfeeds.gadgeticon.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.1.dr	Binary string: wmplayer.exe.mui22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\BBprogram files (x86)\windows sidebar\gadgets\weather.gadget\images**undocked_black_moon-new_partly-cloudy.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\((windows\diagnostics\system\device\en-us
Source: metadata-2.1.dr	Binary string: buttonup_off.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.1.dr	Binary string: system.web.dynamicdata.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\BBprogram files (x86)\windows sidebar\gadgets\weather.gadget\images33docked_black_moon-waxing-gibbous_partly-cloudy.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}
Source: metadata-2.1.dr	Binary string: system.addin.contract.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.1.dr	Binary string: btn-previous-static.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}
Source: metadata-2.1.dr	Binary string: keypad.xml22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\99program files\dvd maker\shared\dvdstyles\specialoccasion,,specialnavigationup_selectionsubpicture.png22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}
Source: metadata-2.1.dr	Binary string: scenes_intro_bg_pal.wmv22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.1.dr	Binary string: acxtrnal.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\((windows\diagnostics\system\device\en-us
Source: metadata-2.1.dr	Binary string: sbdrop.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}

Source: classification engine

Classification label: clean5.winMSI@6/26@0/0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\The Public Trustee of Queensland

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\Public\Desktop\Request for Fee Estimate Application.lnk

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSIA016.tmp

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\RequestFeeEstimateApp.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 15D085CEE9AA24273C52817D86F1DFDC C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E19954DDDCA32EB259172C345C0E3285
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 15D085CEE9AA24273C52817D86F1DFDC C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E19954DDDCA32EB259172C345C0E3285	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rpcrtremote.dll	Jump to behavior

Source: Request for Fee Estimate Application.lnk.1.dr	LNK file: ..\..\..\..\..\Windows\Installer\{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}\_FC1595DE29501BE620D66A.exe
Source: Request for Fee Estimate Application.lnk0.1.dr	LNK file: ..\..\..\Windows\Installer\{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}\_A85671EAB9534020145BAD.exe

Source: C:\Windows\System32\msiexec.exe	Automated click: Next >
Source: C:\Windows\System32\msiexec.exe	Automated click: Next >
Source: C:\Windows\System32\msiexec.exe	Automated click: Next >

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: RequestFeeEstimateApp.msi

Static file information: File size 1386496 > 1048576

Source:	Binary string: c:\CIMSDevelopment\DOTNET45\Z_CIMSUtilities\LegalAdminFeeQuoteRequestApp\LegalAdminFeeQuoteRequestApp\obj\Debug\RequestFeeEstimateApp.pdb source: RequestFeeEstimateApp.exe.1.dr
Source:	Binary string: DPCA.pdb source: RequestFeeEstimateApp.msi, 5a8528.msi.1.dr, MSI44DE.tmp.1.dr, MSIA016.tmp.0.dr, MSI8AD3.tmp.0.dr, 5a852b.msi.1.dr, MSI7012.tmp.1.dr
Source:	Binary string: c:\CIMSDevelopment\DOTNET45\Z_CIMSUtilities\LegalAdminFeeQuoteRequestApp\LegalAdminFeeQuoteRequestApp\obj\Debug\RequestFeeEstimateApp.pdbH source: RequestFeeEstimateApp.exe.1.dr

Source: RequestFeeEstimateApp.exe.1.dr

Static PE information: section name: .text entropy: 7.403983026003714

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7012.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\The Public Trustee of Queensland\Request for Fee Estimate Application\RequestFeeEstimateApp.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIA016.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI8AD3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI44DE.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7012.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI44DE.tmp			Jump to dropped file

Source: metadata-2.1.dr	Binary or memory string: bcdedit.exe22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\
Source: metadata-2.1.dr	Binary or memory string: bcdedit.exe.mui22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\

Source: C:\Windows\System32\msiexec.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Request for Fee Estimate Application.lnk

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI7012.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\The Public Trustee of Queensland\Request for Fee Estimate Application\RequestFeeEstimateApp.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIA016.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI44DE.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI8AD3.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe TID: 3428	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 3460	Thread sleep time: -420000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 3536	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4008	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 4008	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: metadata-2.1.dr	Binary or memory string: lsm.exe22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests,,microsoft-hyper-v-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\
Source: metadata-2.1.dr	Binary or memory string: iasmigplugin-dl.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests33microsoft-hyper-v-client-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\##windows\system32\spp\tokens\ppdlic
Source: metadata-2.1.dr	Binary or memory string: iasmigplugin-dl.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\syswow64\migwiz\replacementmanifests33microsoft-hyper-v-client-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\,,program files (x86)\internet explorer\en-us
Source: metadata-2.1.dr	Binary or memory string: imscmig.dll22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\--windows\system32\migwiz\replacementmanifests44microsoft-hyper-v-drivers-migration-replacement.man22\\?\Volume{8049f198-1016-11e7-b87b-806e6f6e6963}\

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 15D085CEE9AA24273C52817D86F1DFDC C			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E19954DDDCA32EB259172C345C0E3285			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	Windows Management Instrumentation	2 Windows Service	2 Windows Service	22 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	11 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Bootkit	1 Registry Run Keys / Startup Folder	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 DLL Side-Loading	1 DLL Side-Loading	1 Obfuscated Files or Information	NTDS	11 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Bootkit	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	11 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
RequestFeeEstimateApp.msi	0%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\The Public Trustee of Queensland\Request for Fee Estimate Application\RequestFeeEstimateApp.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI8AD3.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIA016.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI44DE.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI7012.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.pt.qld.gov.au/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.pt.qld.gov.au/media/1094/guide-for-financial-management-clients.pdf	RequestFeeEstimateApp.exe.1.dr	false		unknown
https://www.pt.qld.gov.au/fee-estimates	RequestFeeEstimateApp.exe.config.1.dr	false		unknown
https://www.pt.qld.gov.au/fee-estimates/#protection	RequestFeeEstimateApp.exe.config.1.dr	false		unknown
http://www.pt.qld.gov.au	5a852a.rbs.1.dr, MSI31BD.tmp.1.dr	false		unknown
http://www.pt.qld.gov.au/	RequestFeeEstimateApp.exe.config.1.dr	false	0%, Virustotal, Browse	unknown
http://www.pt.qld.gov.au/site-footer/privacy/	RequestFeeEstimateApp.exe.config.1.dr	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545776
Start date and time:	2024-10-31 00:59:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RequestFeeEstimateApp.msi
Detection:	CLEAN
Classification:	clean5.winMSI@6/26@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .msi Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, VSSVC.exe, svchost.exe
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:00:01	API Interceptor	2061x Sleep call for process: msiexec.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\MSIA016.tmp	MDE_File_Sample_1fd07379ca528bc6536b2053dddc3ea7bf85e268 (1).zip	Get hash	malicious	Flawedammyy	Browse
	MDE_File_Sample_1fd07379ca528bc6536b2053dddc3ea7bf85e268.zip	Get hash	malicious	Flawedammyy	Browse
	MDE_File_Sample_1fd07379ca528bc6536b2053dddc3ea7bf85e268.zip	Get hash	malicious	Flawedammyy	Browse
	MDE_File_Sample_1fd07379ca528bc6536b2053dddc3ea7bf85e268.zip	Get hash	malicious	Flawedammyy	Browse
	AutoFlasher_Installer.msi	Get hash	malicious	Unknown	Browse
	AvtoKomander_Installer.msi	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\MSI8AD3.tmp	MDE_File_Sample_1fd07379ca528bc6536b2053dddc3ea7bf85e268 (1).zip	Get hash	malicious	Flawedammyy	Browse
	MDE_File_Sample_1fd07379ca528bc6536b2053dddc3ea7bf85e268.zip	Get hash	malicious	Flawedammyy	Browse
	MDE_File_Sample_1fd07379ca528bc6536b2053dddc3ea7bf85e268.zip	Get hash	malicious	Flawedammyy	Browse
	MDE_File_Sample_1fd07379ca528bc6536b2053dddc3ea7bf85e268.zip	Get hash	malicious	Flawedammyy	Browse
	AutoFlasher_Installer.msi	Get hash	malicious	Unknown	Browse
	AvtoKomander_Installer.msi	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Config.Msi\5a852a.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	9467
Entropy (8bit):	5.645482197671566
Encrypted:	false
SSDEEP:	96:cecuqdumNdOgeOo8cQeM8i8egDlZHUYvvJCsAqeDlZHUYvvJC6jY9D8p38XPYAq3:ccl+ZePlp/vMRlp/vMepo/UuUpBN
MD5:	19ACAD40FAFE4CB009DDC1F0C9E8CD7B
SHA1:	755350A361405515FC2388742D376FAF3E96648B
SHA-256:	A69A661C116A12A413C0FF1115B543E0C52176FBEFE32EEA3E90D6BCFD552595
SHA-512:	A51713555968C378D766EA5320EA011D0B6D93A0D887FB98CD7F2F2F0AFE31752EEA82458CC1FDC8BC3548947850E701729767866C762BC2EF8A8AD0627CF198
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@..^Y.@.....@.....@.....@.....@.....@......&.{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}$.Request for Fee Estimate Application..RequestFeeEstimateApp.msi.@.....@.....@.....@......_853F67D554F05449430E7E.exe..&.{58DACE45-1C39-4451-931D-0E84B499215B}.....@.....@.....@.....@.......@.....@.....@.......@....$.Request for Fee Estimate Application......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{BD27B1CB-21C9-1D0D-6D34-8F4E1604DF69}&.{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}.@......&.{80865FD2-12E5-F4DF-BD21-47A453A747E7}&.{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}.@......&.{AF603AD0-87BA-6536-8CA4-21B517E581E6}&.{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}.@........RemoveODBC..Removing ODBC components....InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]..].C:\Program Files (x86)\The Public Trustee of Queensland\Request for Fee Estimate Application\....}.C:\Program Files (x8

C:\Program Files (x86)\The Public Trustee of Queensland\Request for Fee Estimate Application\PTQ_Seal.ico

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 9 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	104699
Entropy (8bit):	7.7609707533942816
Encrypted:	false
SSDEEP:	3072:cMIQjd5q5fEC0p8AsZQ/arYsiBUtibejn:KQI0p8zKsiBM7D
MD5:	2D4EBBA7237F864F370D31A2DAEC2089
SHA1:	B25BF414ADFC9A2EBFF0919F48A8F998941DD18B
SHA-256:	0E1CD281B5AAF53954E5CECDC53B50D3BE787D834C1265213D941A6072FD808D
SHA-512:	A132AA0E033B7048C6605ECF3C9B66AED526AFD7A272BB7B9CC4E7E94B1200B8D2F822F90E5F81A321DAC09B00B9A0A6299E399EECAC5D10561D35842601107C
Malicious:	false
Reputation:	low
Preview:	...... ......................(...~...00.............. ..........N...........h............. ..<..^!..00.... ..%..C^.. .... .............. .h.......(... ...@...........................................................................................................................y.........................y.............y.x.................y...............................yy.x..............yY................x....y.y.........x..............y..........y............wy.......y............x...y.x..._x..y...y......y...........y.....y......yX.....y............x...Y....y..Y.......y.....x.......x......Y.y.......yY......Y.....x.......y..........y.Y...Y.y...............................................y.............y.w..............p............y.p............................?...........................................................................................................?............(....... .................................................................................................

C:\Program Files (x86)\The Public Trustee of Queensland\Request for Fee Estimate Application\RequestFeeEstimateApp.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	724480
Entropy (8bit):	7.468824562320777
Encrypted:	false
SSDEEP:	12288:01+b8ibt9QIw8OVPyWCITe4Ea5eWesD5jJQIw8OV:01+b8ivw8nwTedT8djlw8
MD5:	2F9C41D29B1DD3067B70E9A93697E887
SHA1:	AEB6B3AF53631EDEF9CFC41D11B60FE0FE6BD572
SHA-256:	5723753472D2838C947E55CE3079BFDF530FD683E45021BE5845AF0DBBFD6B4F
SHA-512:	ECAD266CAD53DD1EF4D8A622A4B8F602F26B1616336C2B07CC0D5794E4C66DBB817E90B7B84FC256D56EE2F5B50D3BE9456901B23D9EF5D74F42DED9699D2144
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....B[.................d..........n.... ........@.. ....................................@................................. ...K.......8....................`...................................................... ............... ..H............text...tb... ...d.................. ..`.rsrc...8............f..............@..@.reloc.......`......................@..B................P.......H..................p...H...............................................b..}.....(.......(..........0..,.........,..{.......+.....-...{....o........(......0..M.............(....s......s....}.....sq...}.....{....o......(......{......o......{....o.....{....o......{......s....o......{....r...po......{.... .....Os....o .....{.....o!.....{....r...poh.....{.....r...po"...t....op.....{.....ob.....{....r)..p"...A...s#...o$.....{.....om.....{......s....o......{.....ok.....{........s

C:\Program Files (x86)\The Public Trustee of Queensland\Request for Fee Estimate Application\RequestFeeEstimateApp.exe.config

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	789
Entropy (8bit):	5.059563364581662
Encrypted:	false
SSDEEP:	12:TMHdGGsV92OpemtsS6pt9CseWLm1rfSg9HY9Cs56m8KSXJt9CsSm1riFxXeJY9C0:2d824DWY7erXz
MD5:	238D1B72D7132AE0B496D159F010B888
SHA1:	1B79FEB98E8BD80F7DDBA0B6DB38EE5BDBD444E1
SHA-256:	B414AE243E4987EEC967A030B91CAB0E38D946E9662199AAD8BC25E0098ACE20
SHA-512:	E24C014F1ED038C63B8B6DC4AB7D5F465713784C1830B72FFA0F363B315D63CE3C8D450199F9852000E3A8197CF3A42C0B47E5D5FD70D24CE24DB50F1F2EEBB8
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v2.0.50727" sku="Client"/></startup>.. <appSettings>.... RFC 1827 : WP 2884 : Privacy Link -->.. <add key="PrivacyLink" value="http://www.pt.qld.gov.au/site-footer/privacy/"/>.. .. RFC 1827 : WP 2959 : Download Link -->.. <add key="DownloadLink" value="https://www.pt.qld.gov.au/fee-estimates"/>.... RFC 1827 : WP 2884 : PTQ Website -->.. <add key="PTQWebsite" value="http://www.pt.qld.gov.au/"/>.... RFC 1827 : WP 2959 : Protection Orders Link -->.. <add key="ProtectionOrdersLink" value="https://www.pt.qld.gov.au/fee-estimates/#protection"/>.... .. .. </appSettings>....</configuration>..

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Request for Fee Estimate Application.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Icon number=0, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	2713
Entropy (8bit):	2.6586088055814665
Encrypted:	false
SSDEEP:	24:8AVkp7yveI4XtcRi+MHXEkmd9Q3a2cR+MHXEkNymDMzSykO4WHXEk:8TuevCRqH/mdKT45H/wmgzSyqWH/
MD5:	AF5A8FFC8DB84DCF2F4652DFE48BB3CC
SHA1:	E5F917472CAA3D64CE16FF80A54BDB7C25537455
SHA-256:	711A8BDA748F22320019051C85EA9DDB7F10BD34289BACCBD506E2691D2C7B1C
SHA-512:	6F6D34229CD3CEE8AFE62607CE64935B183D63847C13A069755408B6C1E2940EA4B77DD285A423DCE7076E727E77F66412133FC28A85684055ABE3D1D617BD09
Malicious:	false
Reputation:	low
Preview:	L..................F.P...........................................................P.O. .:i.....+00.../C:\...................R.1......WD...Windows.<.......:...WD....p.....................W.i.n.d.o.w.s.....X.1....._Y6...INSTAL~1..@......wJ.u_Y6..........................I.n.s.t.a.l.l.e.r.......1....._Y6...{9D7BF~1..z......_Y6._Y6..........................{.9.D.7.B.F.F.B.3.-.B.E.9.3.-.4.B.8.1.-.B.8.0.F.-.6.A.8.8.0.0.1.2.3.7.B.B.}.......2....._Y6.!._FC159~1.EXE..d......_Y6._Y6.........................._.F.C.1.5.9.5.D.E.2.9.5.0.1.B.E.6.2.0.D.6.6.A...e.x.e.......c.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.9.D.7.B.F.F.B.3.-.B.E.9.3.-.4.B.8.1.-.B.8.0.F.-.6.A.8.8.0.0.1.2.3.7.B.B.}.\._.F.C.1.5.9.5.D.E.2.9.5.0.1.B.E.6.2.0.D.6.6.A...e.x.e.].C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.T.h.e. .P.u.b.l.i.c. .T.r.u.s.t.e.e. .o.f. .Q.u.e.e.n.s.l.a.n.d.\.R.e.q.u.e.s.t. .f.o.r. .F.e.e. .E.s.t.i.m.a.t.e. .A.p.p.l.i.c.a.t.i.o.n.\.W.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\

C:\System Volume Information\SPP\OnlineMetadataCache\{fe7b918d-19da-4ca8-93fe-5495b57b5003}_OnDiskSnapshotProp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	3104
Entropy (8bit):	3.671280510449249
Encrypted:	false
SSDEEP:	48:M0g2rXSFN38RN3xp/7wP8c1SFjwL7feGp9bHfOIgbR1fOIgBKEBKRC6v6Rey8H:M0g2rXSX4PUiF8fHzbOHXOHB9BpiV
MD5:	F519311D1E350811F2BA3F5A0B75D8F4
SHA1:	E8CBD19B69EFD2D3A5E8AE34A27127424EBC4340
SHA-256:	37165DA3D030444509192BDB3728B94B810E8F64A3CAEC49B31E1CC50332653B
SHA-512:	B3D6AAB342E4F0FEFDBFFAB10F86DFAD03A6EEBF7AFE05EB148B34B63EB93AE093FE4BB7741FCE753ED9B6A645A8D27EC7F090325FE1591F14DACF144849C9B4
Malicious:	false
Reputation:	low
Preview:	.D.....M..,....c..of......................{....L..T..{P.9.......V...++..........M..0.<fK...; ...............................$.......8.../......./...I.n.s.t.a.l.l.e.d. .R.e.q.u.e.s.t. .f.o.r. .F.e.e. .E.s.t.i.m.a.t.e. .A.p.p.l.i.c.a.t.i.o.n.................C.:.\.W.i.n.d.o.w.s.\...............2.1.6.2.4.0.................W.O.R.K.G.R.O.U.P.........wj...L.#.gCyM....................).(?..P............. ...2.......2...\.\.?.\.V.o.l.u.m.e.{.8.0.4.9.f.1.9.8.-.1.0.1.6.-.1.1.e.7.-.b.8.7.b.-.8.0.6.e.6.f.6.e.6.9.6.3.}.\...............C.:.\...........N).A.j..j...............(...0.......,...2.......2...\.\.?.\.V.o.l.u.m.e.{.8.0.4.9.f.1.9.8.-.1.0.1.6.-.1.1.e.7.-.b.8.7.b.-.8.0.6.e.6.f.6.e.6.9.6.3.}.\.......4...............(.C.:.).........<...@...D...H...L...P...T...X...\...`...d...h...l...p...t...x...\|...........%.......%...A.d.o.b.e. .A.c.r.o.b.a.t. .R.e.a.d.e.r. .D.C. .1.9...0.1.0...2.0.0.9.8.....).......)...A.d.o.b.e. .F.l.a.s.h. .P.l.a.y.e.r. .2.5. .A.c.t.i.v.e.X. .2.5...0...0...1.2.7.....'.......

C:\System Volume Information\SPP\metadata-2

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	SysEx File - Twister
Category:	dropped
Size (bytes):	9068216
Entropy (8bit):	3.679387874265603
Encrypted:	false
SSDEEP:	12288:gF4TYRYEzT4G09wqLB9K43gd8caDtDIY8/mhjTLQSI5JnJYKnAOYlTL9VZYbEIIw:ahjq9g8caP7y0ljdAGmm/rmHp
MD5:	F0C4B102E647E325A8C88869A674934E
SHA1:	D7F1675452FB53C1601356154E8FE26F9215D0F6
SHA-256:	5BE687AB73983F9457B37D6EC6BD10455A4A1BFC94FF1DBBB04AFC734F1D8AC8
SHA-512:	F7553D537B6229D71BD20DDC072CE56BC0AC1537B76CF2C6E2FE533F3917507FEB44A7D7EB5B52B8141042ADB2FBA6E4C87493322308B46F3523883D6787A350
Malicious:	false
Reputation:	low
Preview:	.%..=..J.....>.(.g.$............^...................... ...Y.......Y...<.B.A.C.K.U.P._.C.O.M.P.O.N.E.N.T.S. .x.m.l.n.s.=.".x.-.s.c.h.e.m.a.:.#.V.s.s.C.o.m.p.o.n.e.n.t.M.e.t.a.d.a.t.a.". .v.e.r.s.i.o.n.=.".1...2.". .b.o.o.t.a.b.l.e.S.y.s.t.e.m.S.t.a.t.e.B.a.c.k.u.p.=.".y.e.s.". .s.e.l.e.c.t.C.o.m.p.o.n.e.n.t.s.=.".y.e.s.". .b.a.c.k.u.p.T.y.p.e.=.".f.u.l.l.". .p.a.r.t.i.a.l.F.i.l.e.S.u.p.p.o.r.t.=.".y.e.s.". .s.n.a.p.s.h.o.t.S.e.t.I.d.=.".f.e.7.b.9.1.8.d.-.1.9.d.a.-.4.c.a.8.-.9.3.f.e.-.5.4.9.5.b.5.7.b.5.0.0.3.".>.<.W.R.I.T.E.R._.C.O.M.P.O.N.E.N.T.S. .i.n.s.t.a.n.c.e.I.d.=.".5.9.8.9.2.0.4.9.-.a.3.c.8.-.4.0.3.4.-.9.3.6.9.-.8.a.0.8.c.9.4.0.6.e.4.7.". .w.r.i.t.e.r.I.d.=.".e.8.1.3.2.9.7.5.-.6.f.9.3.-.4.4.6.4.-.a.5.3.e.-.1.0.5.0.2.5.3.a.e.2.2.0.". .b.a.c.k.u.p.S.c.h.e.m.a.=.".0.".>.<.C.O.M.P.O.N.E.N.T. .c.o.m.p.o.n.e.n.t.N.a.m.e.=.".S.y.s.t.e.m. .F.i.l.e.s.". .c.o.m.p.o.n.e.n.t.T.y.p.e.=.".f.i.l.e.g.r.o.u.p."./.>.<./.W.R.I.T.E.R._.C.O.M.P.O.N.E.N.T.S.>.<.W.R.I.T.E.R._.C.O.M.P.O.N.E.N.T.S. .i.

C:\System Volume Information\SPP\snapshot-2

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	3104
Entropy (8bit):	3.671280510449249
Encrypted:	false
SSDEEP:	48:M0g2rXSFN38RN3xp/7wP8c1SFjwL7feGp9bHfOIgbR1fOIgBKEBKRC6v6Rey8H:M0g2rXSX4PUiF8fHzbOHXOHB9BpiV
MD5:	F519311D1E350811F2BA3F5A0B75D8F4
SHA1:	E8CBD19B69EFD2D3A5E8AE34A27127424EBC4340
SHA-256:	37165DA3D030444509192BDB3728B94B810E8F64A3CAEC49B31E1CC50332653B
SHA-512:	B3D6AAB342E4F0FEFDBFFAB10F86DFAD03A6EEBF7AFE05EB148B34B63EB93AE093FE4BB7741FCE753ED9B6A645A8D27EC7F090325FE1591F14DACF144849C9B4
Malicious:	false
Reputation:	low
Preview:	.D.....M..,....c..of......................{....L..T..{P.9.......V...++..........M..0.<fK...; ...............................$.......8.../......./...I.n.s.t.a.l.l.e.d. .R.e.q.u.e.s.t. .f.o.r. .F.e.e. .E.s.t.i.m.a.t.e. .A.p.p.l.i.c.a.t.i.o.n.................C.:.\.W.i.n.d.o.w.s.\...............2.1.6.2.4.0.................W.O.R.K.G.R.O.U.P.........wj...L.#.gCyM....................).(?..P............. ...2.......2...\.\.?.\.V.o.l.u.m.e.{.8.0.4.9.f.1.9.8.-.1.0.1.6.-.1.1.e.7.-.b.8.7.b.-.8.0.6.e.6.f.6.e.6.9.6.3.}.\...............C.:.\...........N).A.j..j...............(...0.......,...2.......2...\.\.?.\.V.o.l.u.m.e.{.8.0.4.9.f.1.9.8.-.1.0.1.6.-.1.1.e.7.-.b.8.7.b.-.8.0.6.e.6.f.6.e.6.9.6.3.}.\.......4...............(.C.:.).........<...@...D...H...L...P...T...X...\...`...d...h...l...p...t...x...\|...........%.......%...A.d.o.b.e. .A.c.r.o.b.a.t. .R.e.a.d.e.r. .D.C. .1.9...0.1.0...2.0.0.9.8.....).......)...A.d.o.b.e. .F.l.a.s.h. .P.l.a.y.e.r. .2.5. .A.c.t.i.v.e.X. .2.5...0...0...1.2.7.....'.......

C:\Users\user\AppData\Local\Temp\CFGCCF0.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	158
Entropy (8bit):	4.875519398611903
Encrypted:	false
SSDEEP:	3:vFWWMNHUz/cIMOoT02V7VKXRAmIRMNHNQAZFVKXRAmIRMNHRd4N+RAW4QIMOov:TMV0kI002V7VQ7VNQA1Q7VRd4NuAW4Q9
MD5:	C517737DD6B59D0BD576A0A484C12E8B
SHA1:	B5BEC2BDE6FFDB8BA9CF790E4BB97B02E78F8225
SHA-256:	0774A3FD610BE54DAF2801AC6763F7FDE87073D95435900874C9A61B14F88F50
SHA-512:	15A45BE84D184A0C6AFE84F3A76CDD1C896C3BE79776DC5B875F9C70790BCE8099ECBFD2F76037813AE70CFBEBA678092F602041DFEE09BDBD3B852144833094
Malicious:	false
Preview:	<?xml version="1.0"?>..<configuration>...<startup><supportedRuntime version="v2.0.50727"/><supportedRuntime version="4.0.0"/>...</startup>..</configuration>..

C:\Users\user\AppData\Local\Temp\CFGFDEF.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	158
Entropy (8bit):	4.875519398611903
Encrypted:	false
SSDEEP:	3:vFWWMNHUz/cIMOoT02V7VKXRAmIRMNHNQAZFVKXRAmIRMNHRd4N+RAW4QIMOov:TMV0kI002V7VQ7VNQA1Q7VRd4NuAW4Q9
MD5:	C517737DD6B59D0BD576A0A484C12E8B
SHA1:	B5BEC2BDE6FFDB8BA9CF790E4BB97B02E78F8225
SHA-256:	0774A3FD610BE54DAF2801AC6763F7FDE87073D95435900874C9A61B14F88F50
SHA-512:	15A45BE84D184A0C6AFE84F3A76CDD1C896C3BE79776DC5B875F9C70790BCE8099ECBFD2F76037813AE70CFBEBA678092F602041DFEE09BDBD3B852144833094
Malicious:	false
Preview:	<?xml version="1.0"?>..<configuration>...<startup><supportedRuntime version="v2.0.50727"/><supportedRuntime version="4.0.0"/>...</startup>..</configuration>..

C:\Users\user\AppData\Local\Temp\MSI8AD3.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	252568
Entropy (8bit):	6.5933161998287
Encrypted:	false
SSDEEP:	6144:XqdkSo9TbxFLiDFqhxqGHpH8QSZ69Jn+:XqcBJiDRGF8QV9Jn
MD5:	DD2FED15306CBB7F32245077364A8FE1
SHA1:	57B96A29654E2CE235AFCC209AF63706341D2B7B
SHA-256:	1274CCA896F0FD797B330E5EA4605A080DA505B7E14FFBBF4181B61AC998C649
SHA-512:	02E7616D589CF697413071C14221D970A6992BB07EEFF200094BD1ABF01A00C47E49FDA4E6FED0DED0FA88F1EBE7C355E8182ED774695DDB5523BCE93633B6D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: MDE_File_Sample_1fd07379ca528bc6536b2053dddc3ea7bf85e268 (1).zip, Detection: malicious, Browse Filename: MDE_File_Sample_1fd07379ca528bc6536b2053dddc3ea7bf85e268.zip, Detection: malicious, Browse Filename: MDE_File_Sample_1fd07379ca528bc6536b2053dddc3ea7bf85e268.zip, Detection: malicious, Browse Filename: MDE_File_Sample_1fd07379ca528bc6536b2053dddc3ea7bf85e268.zip, Detection: malicious, Browse Filename: AutoFlasher_Installer.msi, Detection: malicious, Browse Filename: AvtoKomander_Installer.msi, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........\|../../../.S./../.jQ/../..@/../.../K../.jT/../../.../..~/.../..C/../..D/../..A/../Rich../........................PE..L...5..S.........."!.....B...........3.......`......................................W.....@..........................O..#...............H................>.......%..`...8...............................@............................................text...#A.......B.................. ..`.data...@J...`.......F..............@....idata...............`..............@..@.rsrc...H............p..............@..@.reloc...%.......&...v..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIA016.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	252568
Entropy (8bit):	6.5933161998287
Encrypted:	false
SSDEEP:	6144:XqdkSo9TbxFLiDFqhxqGHpH8QSZ69Jn+:XqcBJiDRGF8QV9Jn
MD5:	DD2FED15306CBB7F32245077364A8FE1
SHA1:	57B96A29654E2CE235AFCC209AF63706341D2B7B
SHA-256:	1274CCA896F0FD797B330E5EA4605A080DA505B7E14FFBBF4181B61AC998C649
SHA-512:	02E7616D589CF697413071C14221D970A6992BB07EEFF200094BD1ABF01A00C47E49FDA4E6FED0DED0FA88F1EBE7C355E8182ED774695DDB5523BCE93633B6D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: MDE_File_Sample_1fd07379ca528bc6536b2053dddc3ea7bf85e268 (1).zip, Detection: malicious, Browse Filename: MDE_File_Sample_1fd07379ca528bc6536b2053dddc3ea7bf85e268.zip, Detection: malicious, Browse Filename: MDE_File_Sample_1fd07379ca528bc6536b2053dddc3ea7bf85e268.zip, Detection: malicious, Browse Filename: MDE_File_Sample_1fd07379ca528bc6536b2053dddc3ea7bf85e268.zip, Detection: malicious, Browse Filename: AutoFlasher_Installer.msi, Detection: malicious, Browse Filename: AvtoKomander_Installer.msi, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........\|../../../.S./../.jQ/../..@/../.../K../.jT/../../.../..~/.../..C/../..D/../..A/../Rich../........................PE..L...5..S.........."!.....B...........3.......`......................................W.....@..........................O..#...............H................>.......%..`...8...............................@............................................text...#A.......B.................. ..`.data...@J...`.......F..............@....idata...............`..............@..@.rsrc...H............p..............@..@.reloc...%.......&...v..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF91053F43BDA8E722.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	0.1854526906917077
Encrypted:	false
SSDEEP:	48:igBT+SkdKTySkdKTz5ls4pW5ls4goBrMO:7wMyMb7O
MD5:	2ED4B12BF2E821C4002608059C912AE4
SHA1:	F771A3CDD525B4347E0091ED50423449EF9ADECB
SHA-256:	4FB38E1D60F6140430AC86A779B79612852E0D9B30E949B9B7746EC38D4F4434
SHA-512:	1CF6265D358C046BD61F08062040E2AC1671756B7B2E91A54B5610325D87753B996A762BC8A022542F83FAB2A4DDDAA810F78F0A21DB572F0A668E9700FCEC1F
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFA3758A8D517DBC85.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07575967204559468
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOyLR3v9X6AgVRlIyVky6lX:2F0i8n0itFzDHFyLRf9qFVaX
MD5:	87EB8A7655E3D83E1D4A5A76873BF766
SHA1:	BEE6F512A06E83EE93BC1D8096EC8DDD8B4F78A6
SHA-256:	6DBF560EF4697CBDC19732781C2FF557C6AC9EB86E574CD34AC25119636D4C1E
SHA-512:	900716636ED0ED5CB41708DA199B79F71C2E536453934470E47397BCD21AD85AAC86A1E0C9B8EADFF53BB6F107B34B28184E4C3BC7E92F4FBC933EBB534DA917
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFA8CE440D36CE0491.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Desktop\Request for Fee Estimate Application.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Icon number=0, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	2701
Entropy (8bit):	2.6500782709548485
Encrypted:	false
SSDEEP:	24:8AVkp7yveI4XtcC6O/+MHXES6qd9Q3a2cR+MHXES6BymDMzSyf9c4WHXES6:8TuevCcRHXdKT45HTmgzSyfRWH
MD5:	85B910CC386DC7C631F28DF69CC453C1
SHA1:	103CB7CCB070BAC173B76E12A4268B3F8A3C6FAD
SHA-256:	23AD24F4C2DE7F3C3D7B1F1D82D87A0F7D41294856458AC6B3F31E2378FDD9BA
SHA-512:	ABAB7AE389FA5BF9E1E97A2DF5626A76379D55871B70C1DE90E2FDBBAC970FC83F810DE09BB4630B863D78986C30DBBD9C331505F0FB881D45ED010159242C39
Malicious:	false
Preview:	L..................F.P...........................................................P.O. .:i.....+00.../C:\...................R.1......WD...Windows.<.......:...WD....p.....................W.i.n.d.o.w.s.....X.1....._Y6...INSTAL~1..@......wJ.u_Y6..........................I.n.s.t.a.l.l.e.r.......1....._Y6...{9D7BF~1..z......_Y6._Y6..........................{.9.D.7.B.F.F.B.3.-.B.E.9.3.-.4.B.8.1.-.B.8.0.F.-.6.A.8.8.0.0.1.2.3.7.B.B.}.......2....._Y6.!._A8567~1.EXE..d......_Y6._Y6.........................._.A.8.5.6.7.1.E.A.B.9.5.3.4.0.2.0.1.4.5.B.A.D...e.x.e.......].....\.....\.....\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.9.D.7.B.F.F.B.3.-.B.E.9.3.-.4.B.8.1.-.B.8.0.F.-.6.A.8.8.0.0.1.2.3.7.B.B.}.\._.A.8.5.6.7.1.E.A.B.9.5.3.4.0.2.0.1.4.5.B.A.D...e.x.e.].C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.T.h.e. .P.u.b.l.i.c. .T.r.u.s.t.e.e. .o.f. .Q.u.e.e.n.s.l.a.n.d.\.R.e.q.u.e.s.t. .f.o.r. .F.e.e. .E.s.t.i.m.a.t.e. .A.p.p.l.i.c.a.t.i.o.n.\.W.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.9.D.7.B.F

C:\Windows\Installer\5a8528.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Create Time/Date: Mon Jun 21 08:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: Intel;1033, Number of Pages: 200, Revision Number: {58DACE45-1C39-4451-931D-0E84B499215B}, Title: Request for Fee Estimate Application, Subject: The Public Trustee provides estimates of its fund management fees to firms or organisations representing claimants in Court proceedings where damages may be awarded as a result of injury or disablement. The Request for Fee Estimate Application may be used by firms or organisations to request fee estimates from the Public Trustee., Author: The Public Trustee of Queensland, Comments: The Public Trustee provides estimates of its fund management fees to firms or organisations representing claimants in Court proceedings where damages may be awarded as a result of injury or disablement. The Request for Fee Estimate Application may be used by firms or organisations to request fee estimates from the Public Trustee., Number of Words: 2, Last Saved Time/Date: Mon Jul 9 02:53:09 2018, Last Printed: Mon Jul 9 02:53:09 2018
Category:	dropped
Size (bytes):	1386496
Entropy (8bit):	7.448064665716837
Encrypted:	false
SSDEEP:	24576:K61LiszNw8CBvw8Sw834wj1w8R8B+8gT2w89ZBk54PMGeGLw8:K61Lisz8BW38EPTUB4g5
MD5:	6FF29C2E00A2EC0C6AD386CD7ABA0111
SHA1:	2223E3D3A1D9C214379ED39226565A8A295ECA42
SHA-256:	1B1254E810E86475BD3EBB4362E1495D16C39A377DA3052796779B3445B840BC
SHA-512:	085BDCD27781F764817D6FFD7EF8A45B66DE96C1AFB364D9C437C9822985A2A0B1008A39E650CF7E4F330B540DD8C1C35FCB610E360F19D3F3ED64185922CD6A
Malicious:	false
Preview:	......................>...................................8...................d...e...f...g...p...q...D...E...........................................................................................................................................................................................................................................................................................................................................................................................................................Z................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...F...n...:...;...<...=...>...?...@...A...B...C...D...Y...k...G...l...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...[...\...]...`..._...^...E...m...a...b...c.......................i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\5a8529.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.692020166422997
Encrypted:	false
SSDEEP:	48:y0VrcDHHvuiB0SkdKTz5ls4pW5ls4goBrDSkdKTxTTJ:yoXiB0MbSMp
MD5:	171FADDF34145029F458DCA616C12058
SHA1:	5D68CE6B8E6D1D07B9B1376105919D2ED6AFDE5A
SHA-256:	21CA042F64B4A6A2E209C4176C4B5FF83A5E74D7C25103F4DA22FC5940BCCA24
SHA-512:	593AD669D6EF03A34C0364114E2FCDE5801FC9387D72AECFD29452BA0E602976817A223E61BAFC73AC57E3743307A130779A712ACBC3047BDCD9EE2DB8078518
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\5a852b.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Create Time/Date: Mon Jun 21 08:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: Intel;1033, Number of Pages: 200, Revision Number: {58DACE45-1C39-4451-931D-0E84B499215B}, Title: Request for Fee Estimate Application, Subject: The Public Trustee provides estimates of its fund management fees to firms or organisations representing claimants in Court proceedings where damages may be awarded as a result of injury or disablement. The Request for Fee Estimate Application may be used by firms or organisations to request fee estimates from the Public Trustee., Author: The Public Trustee of Queensland, Comments: The Public Trustee provides estimates of its fund management fees to firms or organisations representing claimants in Court proceedings where damages may be awarded as a result of injury or disablement. The Request for Fee Estimate Application may be used by firms or organisations to request fee estimates from the Public Trustee., Number of Words: 2, Last Saved Time/Date: Mon Jul 9 02:53:09 2018, Last Printed: Mon Jul 9 02:53:09 2018
Category:	dropped
Size (bytes):	1386496
Entropy (8bit):	7.448064665716837
Encrypted:	false
SSDEEP:	24576:K61LiszNw8CBvw8Sw834wj1w8R8B+8gT2w89ZBk54PMGeGLw8:K61Lisz8BW38EPTUB4g5
MD5:	6FF29C2E00A2EC0C6AD386CD7ABA0111
SHA1:	2223E3D3A1D9C214379ED39226565A8A295ECA42
SHA-256:	1B1254E810E86475BD3EBB4362E1495D16C39A377DA3052796779B3445B840BC
SHA-512:	085BDCD27781F764817D6FFD7EF8A45B66DE96C1AFB364D9C437C9822985A2A0B1008A39E650CF7E4F330B540DD8C1C35FCB610E360F19D3F3ED64185922CD6A
Malicious:	false
Preview:	......................>...................................8...................d...e...f...g...p...q...D...E...........................................................................................................................................................................................................................................................................................................................................................................................................................Z................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...F...n...:...;...<...=...>...?...@...A...B...C...D...Y...k...G...l...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...[...\...]...`..._...^...E...m...a...b...c.......................i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI31BD.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	318370
Entropy (8bit):	7.759644010028659
Encrypted:	false
SSDEEP:	6144:GrI0p8zKsiBM7XrI0p8zKsiBM7ErI0p8zKsiBM74:GrIw8OV8rIw8OVzrIw8OVl
MD5:	8085DEBF94D5322A9AAE216FDBE654A8
SHA1:	F07E5756D1B4BF4BE9C4D89D2C5F2B5A2F2A8F7D
SHA-256:	25A7E9185A0CEDCBC5B43FA5F896215D739077C3F25499198C06731C3F4E9C5A
SHA-512:	B84A59419D300EF0470C3149FC929C2477F198C55CA13C023DFDF28C4E55FFA50B037322B93F6C1F794F4971BF1BB0EC6A3A4395E968BF9CC72618558B5EA895
Malicious:	false
Preview:	...@IXOS.@.....@..^Y.@.....@.....@.....@.....@.....@......&.{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}$.Request for Fee Estimate Application..RequestFeeEstimateApp.msi.@.....@.....@.....@......_853F67D554F05449430E7E.exe..&.{58DACE45-1C39-4451-931D-0E84B499215B}.....@.....@.....@.....@.......@.....@.....@.......@....$.Request for Fee Estimate Application......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{BD27B1CB-21C9-1D0D-6D34-8F4E1604DF69}i.C:\Program Files (x86)\The Public Trustee of Queensland\Request for Fee Estimate Application\PTQ_Seal.ico.@.......@.....@.....@......&.{80865FD2-12E5-F4DF-BD21-47A453A747E7}v.C:\Program Files (x86)\The Public Trustee of Queensland\Request for Fee Estimate Application\RequestFeeEstimateApp.exe.@.......@.....@.....@......&.{AF603AD0-87BA-6536-8CA4-21B517E581E6}}.C:\Program Files (x86)\The Public Trustee of Queensland\R

C:\Windows\Installer\MSI44DE.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	252568
Entropy (8bit):	6.5933161998287
Encrypted:	false
SSDEEP:	6144:XqdkSo9TbxFLiDFqhxqGHpH8QSZ69Jn+:XqcBJiDRGF8QV9Jn
MD5:	DD2FED15306CBB7F32245077364A8FE1
SHA1:	57B96A29654E2CE235AFCC209AF63706341D2B7B
SHA-256:	1274CCA896F0FD797B330E5EA4605A080DA505B7E14FFBBF4181B61AC998C649
SHA-512:	02E7616D589CF697413071C14221D970A6992BB07EEFF200094BD1ABF01A00C47E49FDA4E6FED0DED0FA88F1EBE7C355E8182ED774695DDB5523BCE93633B6D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........\|../../../.S./../.jQ/../..@/../.../K../.jT/../../.../..~/.../..C/../..D/../..A/../Rich../........................PE..L...5..S.........."!.....B...........3.......`......................................W.....@..........................O..#...............H................>.......%..`...8...............................@............................................text...#A.......B.................. ..`.data...@J...`.......F..............@....idata...............`..............@..@.rsrc...H............p..............@..@.reloc...%.......&...v..............@..B........................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI7012.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	252568
Entropy (8bit):	6.5933161998287
Encrypted:	false
SSDEEP:	6144:XqdkSo9TbxFLiDFqhxqGHpH8QSZ69Jn+:XqcBJiDRGF8QV9Jn
MD5:	DD2FED15306CBB7F32245077364A8FE1
SHA1:	57B96A29654E2CE235AFCC209AF63706341D2B7B
SHA-256:	1274CCA896F0FD797B330E5EA4605A080DA505B7E14FFBBF4181B61AC998C649
SHA-512:	02E7616D589CF697413071C14221D970A6992BB07EEFF200094BD1ABF01A00C47E49FDA4E6FED0DED0FA88F1EBE7C355E8182ED774695DDB5523BCE93633B6D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........\|../../../.S./../.jQ/../..@/../.../K../.jT/../../.../..~/.../..C/../..D/../..A/../Rich../........................PE..L...5..S.........."!.....B...........3.......`......................................W.....@..........................O..#...............H................>.......%..`...8...............................@............................................text...#A.......B.................. ..`.data...@J...`.......F..............@....idata...............`..............@..@.rsrc...H............p..............@..@.reloc...%.......&...v..............@..B........................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\SourceHash{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1688542301820988
Encrypted:	false
SSDEEP:	12:JSbX72FjjXJAGiLIlHVRpuBh/7777777777777777777777777vDHFyLRf9qFVaj:JJZQI58/sLRfCFF
MD5:	2B969A3F439B19C21A204054107F0FE3
SHA1:	5D9EDC8BA8FCD9DDA8271BEFDFE3372C6A3AC4F1
SHA-256:	5F57285BE691B55A987A2E8E6832D307FC4133215E878F43370AA06613613BA2
SHA-512:	6EA584D3F1494F27B161FA8DBFE701FDCC895B1D6E52B57D297888725AD672F2EDAD323655719A9D262B438598E39DC438BC4E936D7783AC26D5363610B9A4A5
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}\_853F67D554F05449430E7E.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 9 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	104699
Entropy (8bit):	7.761068292851662
Encrypted:	false
SSDEEP:	3072:HMIrjd5q5fEC0p8AsZQ/arYsiBUtibejn:brI0p8zKsiBM7D
MD5:	5EE612F98743557DC1E379A59B726A4E
SHA1:	1C1A08D3683ECD545C556F7A70499741FCFED2BD
SHA-256:	9910D351858CC3EC827BB40A2434560715EDC9961D83F7A485FD176D1E0BC2A9
SHA-512:	ECC3435A8D7BD0C6FF82AAD973C17835BF98C6E58D848B173431D0AEA5B51A8E87F47718FB032EA95E9AD5BC125CF824099D4AD012B328F77F28C8F08FF96F5B
Malicious:	false
Preview:	...... ......................(...~...00.............. ..........N...........h...........IHDR.<..^!..00.... ..%..C^.. .... .............. .h.......(... ...@...........................................................................................................................y.........................y.............y.x.................y...............................yy.x..............yY................x....y.y.........x..............y..........y............wy.......y............x...y.x..._x..y...y......y...........y.....y......yX.....y............x...Y....y..Y.......y.....x.......x......Y.y.......yY......Y.....x.......y..........y.Y...Y.y...............................................y.............y.w..............p............y.p............................?...........................................................................................................?............(....... .................................................................................................

C:\Windows\Installer\{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}\_A85671EAB9534020145BAD.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 9 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	104699
Entropy (8bit):	7.761068292851662
Encrypted:	false
SSDEEP:	3072:HMIrjd5q5fEC0p8AsZQ/arYsiBUtibejn:brI0p8zKsiBM7D
MD5:	5EE612F98743557DC1E379A59B726A4E
SHA1:	1C1A08D3683ECD545C556F7A70499741FCFED2BD
SHA-256:	9910D351858CC3EC827BB40A2434560715EDC9961D83F7A485FD176D1E0BC2A9
SHA-512:	ECC3435A8D7BD0C6FF82AAD973C17835BF98C6E58D848B173431D0AEA5B51A8E87F47718FB032EA95E9AD5BC125CF824099D4AD012B328F77F28C8F08FF96F5B
Malicious:	false
Preview:	...... ......................(...~...00.............. ..........N...........h...........IHDR.<..^!..00.... ..%..C^.. .... .............. .h.......(... ...@...........................................................................................................................y.........................y.............y.x.................y...............................yy.x..............yY................x....y.y.........x..............y..........y............wy.......y............x...y.x..._x..y...y......y...........y.....y......yX.....y............x...Y....y..Y.......y.....x.......x......Y.y.......yY......Y.....x.......y..........y.Y...Y.y...............................................y.............y.w..............p............y.p............................?...........................................................................................................?............(....... .................................................................................................

C:\Windows\Installer\{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}\_FC1595DE29501BE620D66A.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 9 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
Category:	dropped
Size (bytes):	104699
Entropy (8bit):	7.761068292851662
Encrypted:	false
SSDEEP:	3072:HMIrjd5q5fEC0p8AsZQ/arYsiBUtibejn:brI0p8zKsiBM7D
MD5:	5EE612F98743557DC1E379A59B726A4E
SHA1:	1C1A08D3683ECD545C556F7A70499741FCFED2BD
SHA-256:	9910D351858CC3EC827BB40A2434560715EDC9961D83F7A485FD176D1E0BC2A9
SHA-512:	ECC3435A8D7BD0C6FF82AAD973C17835BF98C6E58D848B173431D0AEA5B51A8E87F47718FB032EA95E9AD5BC125CF824099D4AD012B328F77F28C8F08FF96F5B
Malicious:	false
Preview:	...... ......................(...~...00.............. ..........N...........h...........IHDR.<..^!..00.... ..%..C^.. .... .............. .h.......(... ...@...........................................................................................................................y.........................y.............y.x.................y...............................yy.x..............yY................x....y.y.........x..............y..........y............wy.......y............x...y.x..._x..y...y......y...........y.....y......yX.....y............x...Y....y..Y.......y.....x.......x......Y.y.......yY......Y.....x.......y..........y.Y...Y.y...............................................y.............y.w..............p............y.p............................?...........................................................................................................?............(....... .................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Create Time/Date: Mon Jun 21 08:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: Intel;1033, Number of Pages: 200, Revision Number: {58DACE45-1C39-4451-931D-0E84B499215B}, Title: Request for Fee Estimate Application, Subject: The Public Trustee provides estimates of its fund management fees to firms or organisations representing claimants in Court proceedings where damages may be awarded as a result of injury or disablement. The Request for Fee Estimate Application may be used by firms or organisations to request fee estimates from the Public Trustee., Author: The Public Trustee of Queensland, Comments: The Public Trustee provides estimates of its fund management fees to firms or organisations representing claimants in Court proceedings where damages may be awarded as a result of injury or disablement. The Request for Fee Estimate Application may be used by firms or organisations to request fee estimates from the Public Trustee., Number of Words: 2, Last Saved Time/Date: Mon Jul 9 02:53:09 2018, Last Printed: Mon Jul 9 02:53:09 2018
Entropy (8bit):	7.448064665716837
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	RequestFeeEstimateApp.msi
File size:	1'386'496 bytes
MD5:	6ff29c2e00a2ec0c6ad386cd7aba0111
SHA1:	2223e3d3a1d9c214379ed39226565a8a295eca42
SHA256:	1b1254e810e86475bd3ebb4362e1495d16c39a377da3052796779b3445b840bc
SHA512:	085bdcd27781f764817d6ffd7ef8a45b66de96c1afb364d9c437c9822985a2a0b1008a39e650cf7e4f330b540dd8c1c35fcb610e360f19d3f3ed64185922cd6a
SSDEEP:	24576:K61LiszNw8CBvw8Sw834wj1w8R8B+8gT2w89ZBk54PMGeGLw8:K61Lisz8BW38EPTUB4g5
TLSH:	D8550192B6DF5231E0670231667B6B311E7EBC35A9F0C8076358B74C1C316D0AB65BAA
File Content Preview:	........................>...................................8...................d...e...f...g...p...q...D...E..................................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: msiexec.exePID: 3404, Parent PID: 1244

General

Target ID:	0
Start time:	20:00:01
Start date:	30/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\RequestFeeEstimateApp.msi"
Imagebase:	0xff550000
File size:	128'512 bytes
MD5 hash:	AC2E7152124CEED36846BD1B6592A00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: msiexec.exePID: 3432, Parent PID: 404

General

Target ID:	1
Start time:	20:00:01
Start date:	30/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0xff550000
File size:	128'512 bytes
MD5 hash:	AC2E7152124CEED36846BD1B6592A00F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: msiexec.exePID: 3516, Parent PID: 3432

General

Target ID:	3
Start time:	20:00:02
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 15D085CEE9AA24273C52817D86F1DFDC C
Imagebase:	0xb50000
File size:	73'216 bytes
MD5 hash:	4315D6ECAE85024A0567DF2CB253B7B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: msiexec.exePID: 3988, Parent PID: 3432

General

Target ID:	6
Start time:	20:01:25
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding E19954DDDCA32EB259172C345C0E3285
Imagebase:	0xb50000
File size:	73'216 bytes
MD5 hash:	4315D6ECAE85024A0567DF2CB253B7B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RequestFeeEstimateApp.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\5a852a.rbs

C:\Program Files (x86)\The Public Trustee of Queensland\Request for Fee Estimate Application\PTQ_Seal.ico

C:\Program Files (x86)\The Public Trustee of Queensland\Request for Fee Estimate Application\RequestFeeEstimateApp.exe

C:\Program Files (x86)\The Public Trustee of Queensland\Request for Fee Estimate Application\RequestFeeEstimateApp.exe.config

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Request for Fee Estimate Application.lnk

C:\System Volume Information\SPP\OnlineMetadataCache\{fe7b918d-19da-4ca8-93fe-5495b57b5003}_OnDiskSnapshotProp

C:\System Volume Information\SPP\metadata-2

C:\System Volume Information\SPP\snapshot-2

C:\Users\user\AppData\Local\Temp\CFGCCF0.tmp

C:\Users\user\AppData\Local\Temp\CFGFDEF.tmp

C:\Users\user\AppData\Local\Temp\MSI8AD3.tmp

C:\Users\user\AppData\Local\Temp\MSIA016.tmp

C:\Users\user\AppData\Local\Temp\~DF91053F43BDA8E722.TMP

C:\Users\user\AppData\Local\Temp\~DFA3758A8D517DBC85.TMP

C:\Users\user\AppData\Local\Temp\~DFA8CE440D36CE0491.TMP

C:\Users\Public\Desktop\Request for Fee Estimate Application.lnk

C:\Windows\Installer\5a8528.msi

C:\Windows\Installer\5a8529.ipi

C:\Windows\Installer\5a852b.msi

C:\Windows\Installer\MSI31BD.tmp

C:\Windows\Installer\MSI44DE.tmp

C:\Windows\Installer\MSI7012.tmp

C:\Windows\Installer\SourceHash{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}

C:\Windows\Installer\{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}\_853F67D554F05449430E7E.exe

C:\Windows\Installer\{9D7BFFB3-BE93-4B81-B80F-6A88001237BB}\_A85671EAB9534020145BAD.exe

Windows Analysis Report
RequestFeeEstimateApp.msi