Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
KL027.msi

Overview

General Information

Sample name:KL027.msi
Analysis ID:1579296
MD5:877af3069bc2925f5b886a96fc3ca471
SHA1:e72343f6c04fecd9cc0dd441071586152b147ecf
SHA256:2ae7e0a629003e3aaade78a51b247c5e2f85a96e07a0ef9720dde29bbd886189
Tags:AgentFakeAPPmsiTrojanuser-panda
Infos:

Detection

Score:2
Range:0 - 100
Whitelisted:false
Confidence:20%

Signatures

Checks for available system drives (often done to infect USB drives)
Drops PE files
Found dropped PE file which has not been started or loaded
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info

Classification

  • System is w10x64
  • msiexec.exe (PID: 6572 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\KL027.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 4480 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 432 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 499EA3959C85834165A9E8DE49DEC93F C MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ExternalUICleaner.pdb source: KL027.msi
Source: Binary string: Mono.Cecil.Pdb.dll source: KL027.msi
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbD source: KL027.msi, viewer.exe.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ExternalUICleaner.pdb3 source: KL027.msi
Source: Binary string: s Mono.Cecil.Pdb.dll source: KL027.msi
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: KL027.msi, MSI2438.tmp.0.dr, MSI2497.tmp.0.dr, MSI24B7.tmp.0.dr, MSI24D8.tmp.0.dr, MSI23E9.tmp.0.dr, MSI25A4.tmp.0.dr, MSI236B.tmp.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: KL027.msi, viewer.exe.2.dr
Source: C:\Windows\System32\msiexec.exeFile opened: z:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: x:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: v:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: t:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: r:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: p:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: n:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: l:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: j:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: h:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: f:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: b:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: y:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: w:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: u:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: s:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: q:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: o:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: m:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: k:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: i:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: g:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: e:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: c:Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile opened: a:Jump to behavior
Source: KL027.msiBinary or memory string: OriginalFilenameviewer.exeF vs KL027.msi
Source: KL027.msiBinary or memory string: OriginalFilenameAICustAct.dllF vs KL027.msi
Source: KL027.msiBinary or memory string: OriginalFilenameExternalUICleaner.dllF vs KL027.msi
Source: classification engineClassification label: clean2.winMSI@4/8@0/0
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSI236B.tmpJump to behavior
Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\KL027.msi"
Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 499EA3959C85834165A9E8DE49DEC93F C
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 499EA3959C85834165A9E8DE49DEC93F CJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msihnd.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windowmanagementapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: inputhost.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.immersive.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: KL027.msiStatic file information: File size 55966720 > 1048576
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ExternalUICleaner.pdb source: KL027.msi
Source: Binary string: Mono.Cecil.Pdb.dll source: KL027.msi
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbD source: KL027.msi, viewer.exe.2.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\ExternalUICleaner.pdb3 source: KL027.msi
Source: Binary string: s Mono.Cecil.Pdb.dll source: KL027.msi
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: KL027.msi, MSI2438.tmp.0.dr, MSI2497.tmp.0.dr, MSI24B7.tmp.0.dr, MSI24D8.tmp.0.dr, MSI23E9.tmp.0.dr, MSI25A4.tmp.0.dr, MSI236B.tmp.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: KL027.msi, viewer.exe.2.dr
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSI2438.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSI25A4.tmpJump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\viewer.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSI24B7.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSI2497.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSI236B.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSI23E9.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSI24D8.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2438.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI25A4.tmpJump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\viewer.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI24B7.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI2497.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI236B.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI23E9.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI24D8.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire Infrastructure1
Replication Through Removable Media
Windows Management Instrumentation1
DLL Side-Loading
1
Process Injection
1
Process Injection
OS Credential Dumping11
Peripheral Device Discovery
Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading
1
DLL Side-Loading
LSASS Memory11
System Information Discovery
Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1579296 Sample: KL027.msi Startdate: 21/12/2024 Architecture: WINDOWS Score: 2 5 msiexec.exe 12 2->5         started        8 msiexec.exe 2->8         started        file3 13 C:\Users\user\AppData\Local\...\MSI25A4.tmp, PE32 5->13 dropped 15 C:\Users\user\AppData\Local\...\MSI24D8.tmp, PE32 5->15 dropped 17 C:\Users\user\AppData\Local\...\MSI24B7.tmp, PE32 5->17 dropped 19 4 other files (none is malicious) 5->19 dropped 10 msiexec.exe 1 8->10         started        process4 file5 21 C:\Users\user\AppData\Local\Temp\viewer.exe, PE32 10->21 dropped

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
No Antivirus matches
SourceDetectionScannerLabelLink
C:\Users\user\AppData\Local\Temp\MSI236B.tmp0%ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI236B.tmp1%VirustotalBrowse
C:\Users\user\AppData\Local\Temp\MSI23E9.tmp0%ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI23E9.tmp1%VirustotalBrowse
C:\Users\user\AppData\Local\Temp\MSI2438.tmp0%ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI2438.tmp1%VirustotalBrowse
C:\Users\user\AppData\Local\Temp\MSI2497.tmp0%ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI2497.tmp1%VirustotalBrowse
C:\Users\user\AppData\Local\Temp\MSI24B7.tmp0%ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI24B7.tmp1%VirustotalBrowse
C:\Users\user\AppData\Local\Temp\MSI24D8.tmp0%ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI24D8.tmp1%VirustotalBrowse
C:\Users\user\AppData\Local\Temp\MSI25A4.tmp0%ReversingLabs
C:\Users\user\AppData\Local\Temp\viewer.exe0%ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1579296
Start date and time:2024-12-21 13:40:14 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 37s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:KL027.msi
Detection:CLEAN
Classification:clean2.winMSI@4/8@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .msi
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
  • Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes where analyzed, report is missing behavior information
No simulations
No context
No context
No context
No context
MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
C:\Users\user\AppData\Local\Temp\MSI23E9.tmpSkype_translate6.3.1.msiGet hashmaliciousUnknownBrowse
    letsVPN-5.2.msiGet hashmaliciousUnknownBrowse
      EhSODySB7R.exeGet hashmaliciousGhostRat, Nitol, Young LotusBrowse
        ScreenBeam_Conference_Windows.msiGet hashmaliciousUnknownBrowse
          ScreenBeam_Conference_Windows.msiGet hashmaliciousUnknownBrowse
            ScreenBeam_Conference_Windows.msiGet hashmaliciousUnknownBrowse
              App_version 3.1.msiGet hashmaliciousRedLine, SectopRATBrowse
                promot_s.msiGet hashmaliciousLummaC StealerBrowse
                  njYYgDgfwY.msiGet hashmaliciousUnknownBrowse
                    Psiphon_3.179.msiGet hashmaliciousHTMLPhisherBrowse
                      C:\Users\user\AppData\Local\Temp\MSI236B.tmpSkype_translate6.3.1.msiGet hashmaliciousUnknownBrowse
                        letsVPN-5.2.msiGet hashmaliciousUnknownBrowse
                          EhSODySB7R.exeGet hashmaliciousGhostRat, Nitol, Young LotusBrowse
                            ScreenBeam_Conference_Windows.msiGet hashmaliciousUnknownBrowse
                              ScreenBeam_Conference_Windows.msiGet hashmaliciousUnknownBrowse
                                ScreenBeam_Conference_Windows.msiGet hashmaliciousUnknownBrowse
                                  App_version 3.1.msiGet hashmaliciousRedLine, SectopRATBrowse
                                    promot_s.msiGet hashmaliciousLummaC StealerBrowse
                                      njYYgDgfwY.msiGet hashmaliciousUnknownBrowse
                                        Psiphon_3.179.msiGet hashmaliciousHTMLPhisherBrowse
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):602432
                                          Entropy (8bit):6.4696654484377945
                                          Encrypted:false
                                          SSDEEP:6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
                                          MD5:A9941233B9415B479D3B4F3732161EAB
                                          SHA1:CB2D99AF52B3B1C712943B13E45D85C80C732E57
                                          SHA-256:CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
                                          SHA-512:CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 1%, Browse
                                          Joe Sandbox View:
                                          • Filename: Skype_translate6.3.1.msi, Detection: malicious, Browse
                                          • Filename: letsVPN-5.2.msi, Detection: malicious, Browse
                                          • Filename: EhSODySB7R.exe, Detection: malicious, Browse
                                          • Filename: ScreenBeam_Conference_Windows.msi, Detection: malicious, Browse
                                          • Filename: ScreenBeam_Conference_Windows.msi, Detection: malicious, Browse
                                          • Filename: ScreenBeam_Conference_Windows.msi, Detection: malicious, Browse
                                          • Filename: App_version 3.1.msi, Detection: malicious, Browse
                                          • Filename: promot_s.msi, Detection: malicious, Browse
                                          • Filename: njYYgDgfwY.msi, Detection: malicious, Browse
                                          • Filename: Psiphon_3.179.msi, Detection: malicious, Browse
                                          Reputation:moderate, very likely benign file
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............u.u.u.L.v.u.L.p.4.u.;.q.u.;.v.u.;.p..u.L.q.u.L.s.u.L.t.u.t.!.u..|...u..u.u...u...u..w.u.Rich..u.........PE..L......d.........."!...$.>...........Y.......P...............................0............@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):602432
                                          Entropy (8bit):6.4696654484377945
                                          Encrypted:false
                                          SSDEEP:6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
                                          MD5:A9941233B9415B479D3B4F3732161EAB
                                          SHA1:CB2D99AF52B3B1C712943B13E45D85C80C732E57
                                          SHA-256:CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
                                          SHA-512:CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 1%, Browse
                                          Joe Sandbox View:
                                          • Filename: Skype_translate6.3.1.msi, Detection: malicious, Browse
                                          • Filename: letsVPN-5.2.msi, Detection: malicious, Browse
                                          • Filename: EhSODySB7R.exe, Detection: malicious, Browse
                                          • Filename: ScreenBeam_Conference_Windows.msi, Detection: malicious, Browse
                                          • Filename: ScreenBeam_Conference_Windows.msi, Detection: malicious, Browse
                                          • Filename: ScreenBeam_Conference_Windows.msi, Detection: malicious, Browse
                                          • Filename: App_version 3.1.msi, Detection: malicious, Browse
                                          • Filename: promot_s.msi, Detection: malicious, Browse
                                          • Filename: njYYgDgfwY.msi, Detection: malicious, Browse
                                          • Filename: Psiphon_3.179.msi, Detection: malicious, Browse
                                          Reputation:moderate, very likely benign file
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............u.u.u.L.v.u.L.p.4.u.;.q.u.;.v.u.;.p..u.L.q.u.L.s.u.L.t.u.t.!.u..|...u..u.u...u...u..w.u.Rich..u.........PE..L......d.........."!...$.>...........Y.......P...............................0............@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):602432
                                          Entropy (8bit):6.4696654484377945
                                          Encrypted:false
                                          SSDEEP:6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
                                          MD5:A9941233B9415B479D3B4F3732161EAB
                                          SHA1:CB2D99AF52B3B1C712943B13E45D85C80C732E57
                                          SHA-256:CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
                                          SHA-512:CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 1%, Browse
                                          Reputation:moderate, very likely benign file
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............u.u.u.L.v.u.L.p.4.u.;.q.u.;.v.u.;.p..u.L.q.u.L.s.u.L.t.u.t.!.u..|...u..u.u...u...u..w.u.Rich..u.........PE..L......d.........."!...$.>...........Y.......P...............................0............@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):602432
                                          Entropy (8bit):6.4696654484377945
                                          Encrypted:false
                                          SSDEEP:6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
                                          MD5:A9941233B9415B479D3B4F3732161EAB
                                          SHA1:CB2D99AF52B3B1C712943B13E45D85C80C732E57
                                          SHA-256:CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
                                          SHA-512:CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 1%, Browse
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............u.u.u.L.v.u.L.p.4.u.;.q.u.;.v.u.;.p..u.L.q.u.L.s.u.L.t.u.t.!.u..|...u..u.u...u...u..w.u.Rich..u.........PE..L......d.........."!...$.>...........Y.......P...............................0............@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):602432
                                          Entropy (8bit):6.4696654484377945
                                          Encrypted:false
                                          SSDEEP:6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
                                          MD5:A9941233B9415B479D3B4F3732161EAB
                                          SHA1:CB2D99AF52B3B1C712943B13E45D85C80C732E57
                                          SHA-256:CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
                                          SHA-512:CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 1%, Browse
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............u.u.u.L.v.u.L.p.4.u.;.q.u.;.v.u.;.p..u.L.q.u.L.s.u.L.t.u.t.!.u..|...u..u.u...u...u..w.u.Rich..u.........PE..L......d.........."!...$.>...........Y.......P...............................0............@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):602432
                                          Entropy (8bit):6.4696654484377945
                                          Encrypted:false
                                          SSDEEP:6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
                                          MD5:A9941233B9415B479D3B4F3732161EAB
                                          SHA1:CB2D99AF52B3B1C712943B13E45D85C80C732E57
                                          SHA-256:CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
                                          SHA-512:CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          • Antivirus: Virustotal, Detection: 1%, Browse
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............u.u.u.L.v.u.L.p.4.u.;.q.u.;.v.u.;.p..u.L.q.u.L.s.u.L.t.u.t.!.u..|...u..u.u...u...u..w.u.Rich..u.........PE..L......d.........."!...$.>...........Y.......P...............................0............@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):602432
                                          Entropy (8bit):6.4696654484377945
                                          Encrypted:false
                                          SSDEEP:6144:waFYTdIO9QmvIeVKVhaxkSBULBA4tKSM3BZC4o4AOlKmN9ysU5pvs8g73iK:JYL9HXVW0xOA+KlZC4vA55s8g73iK
                                          MD5:A9941233B9415B479D3B4F3732161EAB
                                          SHA1:CB2D99AF52B3B1C712943B13E45D85C80C732E57
                                          SHA-256:CE34CC14E8D26119E1BF28A3A8368DA6E10D13851004E2675976C5AD58B122E2
                                          SHA-512:CFD6C425587E5E7C57B6F4655E2A48C871313E2BACF63CC0955CCAE1A384610644F26AA76BEE0A2A327CD77C2AE7DEF8EA9CB0C7C7C87FAB1C8196BAC82037F7
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............u.u.u.L.v.u.L.p.4.u.;.q.u.;.v.u.;.p..u.L.q.u.L.s.u.L.t.u.t.!.u..|...u..u.u...u...u..w.u.Rich..u.........PE..L......d.........."!...$.>...........Y.......P...............................0............@.........................`X..d....a..,.......................@=.......h.....p...................@...........@............P..h............................text....=.......>.................. ..`.rdata...,...P.......B..............@..@.data...8%...........p..............@....rsrc...............................@..@.reloc...h.......j..................@..B........................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\SysWOW64\msiexec.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):429568
                                          Entropy (8bit):6.534588738111638
                                          Encrypted:false
                                          SSDEEP:12288:tbiQnSDqYisDEiD3jbTFiuiSiO+kP53nUNlQ:tbvnSDqJsDEiD3PTFTFiS53UNW
                                          MD5:1458A72D86B87E1329CFC549B98D1E4D
                                          SHA1:00D73B4E31B7395EE4BCCAB5B456D1D91C407AB9
                                          SHA-256:E6368DAD109C3710E17A2B6C123BAFF05B424A3653B5C094E7621AF37A8C824B
                                          SHA-512:4A7A32F1AE336B2377D3EA476481E8FE4BFAAAF12488CF024E7150DD26A4148DED762442F665EA4A69169D458ADF8DC717A73FF4C8BCD6F34E3A6FD4536B1E46
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:..M~m..~m..~m......sm.......m......mm......im....../m......im.......m......gm..~m...m..j...dm..j.s..m..~m...m..j....m..Rich~m..........PE..L......d.........."....$.........................@.................................sf....@..................................4..........8........................:..@...p...............................@...............l............................text...F........................... ..`.rdata...R.......T..................@..@.data....7...P.......,..............@....rsrc...8............F..............@..@.reloc...:.......<...R..............@..B................................................................................................................................................................................................................................................................................................
                                          File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Template: ;1033, Last Saved By: ciprian, Revision Number: {F02FAAA2-A115-4256-8A34-700EBBCA224D}, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 936, Number of Words: 2, Name of Creating Application: letvpndesktop, Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                          Entropy (8bit):7.988764056833537
                                          TrID:
                                          • Windows SDK Setup Transform Script (63028/2) 43.45%
                                          • Microsoft Windows Installer (60509/1) 41.72%
                                          • Visual Basic Script (13500/0) 9.31%
                                          • Generic OLE2 / Multistream Compound File (8008/1) 5.52%
                                          File name:KL027.msi
                                          File size:55'966'720 bytes
                                          MD5:877af3069bc2925f5b886a96fc3ca471
                                          SHA1:e72343f6c04fecd9cc0dd441071586152b147ecf
                                          SHA256:2ae7e0a629003e3aaade78a51b247c5e2f85a96e07a0ef9720dde29bbd886189
                                          SHA512:bdf0e44f1c94187750da4f457d3c331da0b977520b1a0e98c0331a1a6286892caeb9e15e346ba08f7024e3a2fc58c76ced2f3890c46e715498673ea080a728fc
                                          SSDEEP:1572864:vmGx0lFZc5KssedqDOq4pdra+T5qQXr6dmzXv0lPdNb:vzejcMedkOzhFqQXr6EzoPdF
                                          TLSH:CAC73321B186CA36C26F13369D64FF6E06797D62332704EBB3E87EBE4574AC15270942
                                          File Content Preview:........................>...................V...................................x.......}...~...................................................................................g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z..
                                          Icon Hash:2d2e3797b32b2b99
                                          No network behavior found

                                          Click to jump to process

                                          Click to jump to process

                                          Click to jump to process

                                          Target ID:0
                                          Start time:07:41:07
                                          Start date:21/12/2024
                                          Path:C:\Windows\System32\msiexec.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\KL027.msi"
                                          Imagebase:0x7ff60b6d0000
                                          File size:69'632 bytes
                                          MD5 hash:E5DA170027542E25EDE42FC54C929077
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:false

                                          Target ID:1
                                          Start time:07:41:07
                                          Start date:21/12/2024
                                          Path:C:\Windows\System32\msiexec.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\msiexec.exe /V
                                          Imagebase:0x7ff60b6d0000
                                          File size:69'632 bytes
                                          MD5 hash:E5DA170027542E25EDE42FC54C929077
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:false

                                          Target ID:2
                                          Start time:07:41:08
                                          Start date:21/12/2024
                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 499EA3959C85834165A9E8DE49DEC93F C
                                          Imagebase:0x6b0000
                                          File size:59'904 bytes
                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:false

                                          No disassembly