Edit tour

Windows Analysis Report
g6lWBM64S4.msi

Overview

General Information

Sample name:	g6lWBM64S4.msi renamed because original name is a hash value
Original sample name:	60b60873d6cfa59a1b467931ffe7efdc0575b02255c549502de50ad05d8f3b89.msi
Analysis ID:	1592153
MD5:	40e97f78a0784d68c57e746ee36a76e0
SHA1:	b8918d64b00b3b0e6b85800bba3a976860a1c3e3
SHA256:	60b60873d6cfa59a1b467931ffe7efdc0575b02255c549502de50ad05d8f3b89
Tags:	bankerjanelaratlatammsisituacaonssprj-comtrojanuser-johnk3r
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Uses shutdown.exe to shutdown or reboot the system

Checks for available system drives (often done to infect USB drives)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Deletes files inside the Windows folder

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Msiexec Initiated Connection

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Execution of Shutdown

Sigma detected: Suspicious MsiExec Embedding Parent

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses reg.exe to modify the Windows registry

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 3320 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\g6lWBM64S4.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 1700 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 2316 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 196436DA6AF92AFC4A38F9C5C8CAFD36 MD5: 9D09DC1EDA745A5F87553048E57620CF)

cmd.exe (PID: 6812 cmdline: "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v kBiTrog /t reg_sz /d "C:\Users\user\EGvKWow\kBiTrog.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 3336 cmdline: reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v kBiTrog /t reg_sz /d "C:\Users\user\EGvKWow\kBiTrog.exe" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

conhost.exe (PID: 1880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

shutdown.exe (PID: 2640 cmdline: "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 15 MD5: FCDE5AF99B82AE6137FB90C7571D40C3)

conhost.exe (PID: 3336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\EGvKWow\kBiTrog.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 3336, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kBiTrog

Sigma detected: Direct Autorun Keys Modification

Source: Process started

Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v kBiTrog /t reg_sz /d "C:\Users\user\EGvKWow\kBiTrog.exe", CommandLine: reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v kBiTrog /t reg_sz /d "C:\Users\user\EGvKWow\kBiTrog.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v kBiTrog /t reg_sz /d "C:\Users\user\EGvKWow\kBiTrog.exe", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6812, ParentProcessName: cmd.exe, ProcessCommandLine: reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v kBiTrog /t reg_sz /d "C:\Users\user\EGvKWow\kBiTrog.exe", ProcessId: 3336, ProcessName: reg.exe

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 104.21.16.1, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 2316, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v kBiTrog /t reg_sz /d "C:\Users\user\EGvKWow\kBiTrog.exe", CommandLine: "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v kBiTrog /t reg_sz /d "C:\Users\user\EGvKWow\kBiTrog.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 196436DA6AF92AFC4A38F9C5C8CAFD36, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 2316, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v kBiTrog /t reg_sz /d "C:\Users\user\EGvKWow\kBiTrog.exe", ProcessId: 6812, ProcessName: cmd.exe

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\SysWOW64\msiexec.exe, ProcessId: 2316, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EGvKWow.lnk

Sigma detected: Suspicious Execution of Shutdown

Source: Process started

Author: frack113: Data: Command: "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 15, CommandLine: "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 15, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\shutdown.exe, NewProcessName: C:\Windows\SysWOW64\shutdown.exe, OriginalFileName: C:\Windows\SysWOW64\shutdown.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 196436DA6AF92AFC4A38F9C5C8CAFD36, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 2316, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 15, ProcessId: 2640, ProcessName: shutdown.exe

Sigma detected: Suspicious MsiExec Embedding Parent

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v kBiTrog /t reg_sz /d "C:\Users\user\EGvKWow\kBiTrog.exe", CommandLine: "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v kBiTrog /t reg_sz /d "C:\Users\user\EGvKWow\kBiTrog.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 196436DA6AF92AFC4A38F9C5C8CAFD36, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 2316, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v kBiTrog /t reg_sz /d "C:\Users\user\EGvKWow\kBiTrog.exe", ProcessId: 6812, ProcessName: cmd.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T20:44:02.007687+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	104.21.16.1	443	TCP
2025-01-15T20:44:02.721981+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	104.21.16.1	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: g6lWBM64S4.msi

Virustotal: Detection: 8%

Perma Link

Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49731 version: TLS 1.2

Source:	Binary string: C:\JobRelease\win\Release\bin\x86\embeddeduiproxy.pdb source: g6lWBM64S4.msi, 54d8d3.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: g6lWBM64S4.msi, 54d8d3.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb\ source: g6lWBM64S4.msi, 54d8d3.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdbu source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdb source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: g6lWBM64S4.msi, 54d8d3.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbg source: g6lWBM64S4.msi, 54d8d3.msi.1.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.16.1:443

Source: global traffic	HTTP traffic detected: GET /molde/calvao1.png HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: situacaonssprj.com
Source: global traffic	HTTP traffic detected: GET /molde/arvore.png HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: situacaonssprj.com

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /molde/calvao1.png HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: situacaonssprj.com
Source: global traffic	HTTP traffic detected: GET /molde/arvore.png HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: situacaonssprj.com

Source: global traffic

DNS traffic detected: DNS query: situacaonssprj.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 15 Jan 2025 19:44:02 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: max-age=15Expires: Wed, 15 Jan 2025 19:44:17 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C91A9Pp1OATyhLqfs4ZFPavNNTE%2Fdwavft3LccoPO%2BlZpLsb6jl3cr84mTDEa7U9eLch1Qib3%2FMo3oPpM%2FfDz5QL6zJycTNbgdSrHSxMZ8nuQ0jV%2FnyEYC5IQvnhS%2BGc2Sapb9Q%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90285bad2bf77293-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2030&min_rtt=2028&rtt_var=766&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2845&recv_bytes=783&delivery_rate=1423695&cwnd=158&unsent_bytes=0&cid=6f14c267eda6f7a6&ts=168&x=0"
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 15 Jan 2025 19:44:02 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: max-age=15Expires: Wed, 15 Jan 2025 19:44:17 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t96YoDLpMA1glPSt1BxA%2BgO1hvZZK3BHstwpqVpZSxp9lsF5863oWjExGzFGllSbg4uZLTof9%2FR815E8ROibZHT8hS6tpTvjQ7dQRxd2MpiE7EJ7EtyLoyMivAp97DpoLsz8%2F4E%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90285bb19c008ce0-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1791&min_rtt=1786&rtt_var=680&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2845&recv_bytes=782&delivery_rate=1598248&cwnd=215&unsent_bytes=0&cid=e7f7855e4b8fee5f&ts=165&x=0"

Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr	String found in binary or memory: http://collect.installeranalytics.com
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr	String found in binary or memory: http://t2.symcb.com0
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr	String found in binary or memory: http://tl.symcd.com0&
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr	String found in binary or memory: https://collect.installeranalytics.com
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr	String found in binary or memory: https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: EGvKWow.png.2.dr, kBiTrog.png.2.dr	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49731 version: TLS 1.2

System Summary

Uses shutdown.exe to shutdown or reboot the system

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\shutdown.exe "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 15

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\54d8d3.msi			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1F90.tmp			Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI1F90.tmp

Jump to behavior

Source: g6lWBM64S4.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs g6lWBM64S4.msi
Source: g6lWBM64S4.msi	Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs g6lWBM64S4.msi
Source: g6lWBM64S4.msi	Binary or memory string: OriginalFilenameInstallerAnalytics.dllF vs g6lWBM64S4.msi
Source: g6lWBM64S4.msi	Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs g6lWBM64S4.msi

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v kBiTrog /t reg_sz /d "C:\Users\user\EGvKWow\kBiTrog.exe"

Source: classification engine

Classification label: mal52.rans.winMSI@13/11@1/1

Source: C:\Windows\SysWOW64\msiexec.exe

File created: C:\Users\user\EGvKWow\

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3336:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1880:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6984:120:WilError_03

Source: C:\Windows\SysWOW64\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\goldex.ses

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload

Jump to behavior

Source: g6lWBM64S4.msi

Virustotal: Detection: 8%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\g6lWBM64S4.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 196436DA6AF92AFC4A38F9C5C8CAFD36
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v kBiTrog /t reg_sz /d "C:\Users\user\EGvKWow\kBiTrog.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v kBiTrog /t reg_sz /d "C:\Users\user\EGvKWow\kBiTrog.exe"
Source: C:\Windows\SysWOW64\reg.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\shutdown.exe "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 15
Source: C:\Windows\SysWOW64\shutdown.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 196436DA6AF92AFC4A38F9C5C8CAFD36	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v kBiTrog /t reg_sz /d "C:\Users\user\EGvKWow\kBiTrog.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\shutdown.exe "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 15	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v kBiTrog /t reg_sz /d "C:\Users\user\EGvKWow\kBiTrog.exe"	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: shutdownext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\shutdown.exe	Section loaded: sspicli.dll	Jump to behavior

Source: EGvKWow.lnk.2.dr

LNK file: ..\..\..\..\..\..\..\EGvKWow\kBiTrog.exe

Source: C:\Windows\SysWOW64\msiexec.exe

File written: C:\Users\user\AppData\Local\AdvinstAnalytics\67871a621816c20044ac2e86\1.0.0\tracking.ini

Jump to behavior

Source: g6lWBM64S4.msi

Static file information: File size 2361856 > 1048576

Source:	Binary string: C:\JobRelease\win\Release\bin\x86\embeddeduiproxy.pdb source: g6lWBM64S4.msi, 54d8d3.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: g6lWBM64S4.msi, 54d8d3.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb\ source: g6lWBM64S4.msi, 54d8d3.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdbu source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\InstallerAnalytics.pdb source: g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: g6lWBM64S4.msi, 54d8d3.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbg source: g6lWBM64S4.msi, 54d8d3.msi.1.dr

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\MSI1F90.tmp

Jump to dropped file

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\MSI1F90.tmp

Jump to dropped file

Source: C:\Windows\SysWOW64\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EGvKWow.lnk

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EGvKWow.lnk

Jump to behavior

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kBiTrog			Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run kBiTrog			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Dropped PE file which has not been started: C:\Windows\Installer\MSI1F90.tmp

Jump to dropped file

Source: C:\Windows\SysWOW64\msiexec.exe TID: 1908

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: 54d8d3.msi.1.dr

Binary or memory string: 01234567890.0.0.0.%dVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IROOT\CIMV2SELECT * FROM Win32_ComputerSystemSELECT * FROM Win32_BIOSManufacturerModelVersionGetting system informationManufacturer [Model [BIOS [IsWow64Processkernel32Software\Microsoft\Windows NT\CurrentVersionSYSTEM\CurrentControlSet\Control\ProductOptionsCurrentMajorVersionNumberCurrentMinorVersionNumberCurrentVersionCurrentBuildNumberReleaseIdCSDVersionProductTypeProductSuiteWinNTServerNTSmall BusinessEnterpriseBackOfficeCommunicationServerTerminal ServerSmall Business(Restricted)EmbeddedNTDataCenterPersonalBladeEmbedded(Restricted)Security ApplianceStorage ServerCompute Server Failed to create IWbemLocator object. Error code: \\Could not connect to WMI provider. Error code: Failed to initialize security. Error code: Could not set proxy blanket. Error code: WQLWMI Query failed: []. Error code:

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v kBiTrog /t reg_sz /d "C:\Users\user\EGvKWow\kBiTrog.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\shutdown.exe "C:\Windows\SysWOW64\shutdown.exe" /r /f /t 15	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v kBiTrog /t reg_sz /d "C:\Users\user\EGvKWow\kBiTrog.exe"	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	Windows Management Instrumentation	21 Registry Run Keys / Startup Folder	11 Process Injection	21 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	21 Registry Run Keys / Startup Folder	1 Modify Registry	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	11 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
g6lWBM64S4.msi	8%	Virustotal		Browse
g6lWBM64S4.msi	8%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\Installer\MSI1F90.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
https://situacaonssprj.com/molde/calvao1.png	0%	Avira URL Cloud	safe
https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic	0%	Avira URL Cloud	safe
https://situacaonssprj.com/molde/arvore.png	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
situacaonssprj.com	104.21.16.1	true	false	unknown
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://situacaonssprj.com/molde/arvore.png	false	Avira URL Cloud: safe	unknown
https://situacaonssprj.com/molde/calvao1.png	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.advancedinstaller.com	g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr	false		high
http://collect.installeranalytics.com	g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr	false		high
https://www.thawte.com/cps0/	g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr	false		high
https://www.thawte.com/repository0W	g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr	false		high
https://collect.installeranalytics.com	g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr	false		high
https://collect.installeranalytics.comhttp://collect.installeranalytics.comhttps://installeranalytic	g6lWBM64S4.msi, 54d8d3.msi.1.dr, MSI1F90.tmp.1.dr	false	Avira URL Cloud: safe	unknown
https://www.cloudflare.com/5xx-error-landing	EGvKWow.png.2.dr, kBiTrog.png.2.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.16.1	situacaonssprj.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592153
Start date and time:	2025-01-15 20:43:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	g6lWBM64S4.msi renamed because original name is a hash value
Original Sample Name:	60b60873d6cfa59a1b467931ffe7efdc0575b02255c549502de50ad05d8f3b89.msi
Detection:	MAL
Classification:	mal52.rans.winMSI@13/11@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 2.23.77.188, 20.242.39.171, 13.95.31.18, 13.107.246.45
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, e3913.cd.akamaiedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, cac-ocsp.digicert.com.edgekey.net, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, azureedge-t-prod.trafficmanager.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
14:43:59	API Interceptor	3x Sleep call for process: msiexec.exe modified
19:44:12	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EGvKWow.lnk
19:44:25	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run kBiTrog C:\Users\user\EGvKWow\kBiTrog.exe
19:44:34	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run kBiTrog C:\Users\user\EGvKWow\kBiTrog.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.16.1	MACHINE SPECIFICATIONS.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	1001-13.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/utww/
	trow.exe	Get hash	malicious	Unknown	Browse	www.wifi4all.nl/
	8L6MBxaJ2m.exe	Get hash	malicious	FormBook	Browse	www.rafconstrutora.online/0xli/
	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	www.kkpmoneysocial.top/86am/
	JNKHlxGvw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	https://file-exchange.doc-extension.com/HXxGM/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://52f1897b.5648702dd4d5255cab645104.workers.dev/?qrc=test@test.org	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	1U9rHEz9Rg.dll	Get hash	malicious	Wannacry	Browse	13.107.246.45
	https://52f1897b.5648702dd4d5255cab645104.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	Order.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	Order.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	Order.xls	Get hash	malicious	Unknown	Browse	13.107.246.45
	random.exe	Get hash	malicious	LiteHTTP Bot	Browse	13.107.246.45
	ACH REMITTANCE DOCUMENT 15.01.25.xlsb	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://tinyurl.com/Amconconstruction	Get hash	malicious	Unknown	Browse	13.107.246.45
bg.microsoft.map.fastly.net	1647911459241874440.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	0430tely.pdf	Get hash	malicious	Unknown	Browse	199.232.210.172
	Order.xls	Get hash	malicious	Unknown	Browse	199.232.210.172
	Order.xls	Get hash	malicious	Unknown	Browse	199.232.210.172
	hNgIvHRuTU.dll	Get hash	malicious	Wannacry	Browse	199.232.214.172
	ACH REMITTANCE DOCUMENT 15.01.25.xlsb	Get hash	malicious	Unknown	Browse	199.232.214.172
	Personliche Nachricht fur e4060738.pdf	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://drive.google.com/file/d/1dNrtjTqb59ZQTE3gUuVhSjEbFXuJRXW7/view?usp=sharing&ts=6786e61f	Get hash	malicious	Unknown	Browse	199.232.214.172
	Sample1.exe	Get hash	malicious	Unknown	Browse	199.232.214.172
	alN48K3xcD.dll	Get hash	malicious	Wannacry	Browse	199.232.214.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://file-exchange.doc-extension.com/HXxGM/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Handler.exe	Get hash	malicious	DanaBot, PureLog Stealer, Vidar	Browse	172.64.41.3
	https://fingertip.com/incoming-document	Get hash	malicious	HTMLPhisher	Browse	172.67.40.50
	https://www.google.com.tr/url?sa==SlzLhhFsJ7fGjpM8fvOAkm1z4KC&rct=fETOvblSpCqm85GTYKVdXKip5bkW26kcBgD7HeLR8E6psRE86jAuyRjA7fyhhYHpWk&sa=t&url=amp/sasaol.com/ccy/ptsd/vTd7ocRQy71kDqeKXneUsLH4CLz/YWxpc29uLnNtaXRoQHJic2ludC5jb20=	Get hash	malicious	Unknown	Browse	172.67.196.214
	https://52f1897b.5648702dd4d5255cab645104.workers.dev/?qrc=test@test.org	Get hash	malicious	HTMLPhisher	Browse	104.18.94.41
	http://www.schoolhouselearningcenter.net/	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://52f1897b.5648702dd4d5255cab645104.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	https://q89x88qh.r.ap-southeast-1.awstrack.me/L0/https:%2F%2Fblackdoor.in%2Fcazxccall%2Frtyucallingzxc%2F/1/010e01946a4fedf7-6a14e9da-4611-4b34-a7c5-f58f00519f0d-000000/p9HvzYrykwYBivTgZCa5Kf2-wBc=194	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://lgray785.wixsite.com/my-site-4	Get hash	malicious	HTMLPhisher	Browse	172.67.162.22
	New order BPD-003777.exe	Get hash	malicious	FormBook	Browse	172.67.183.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	new-riii-1-b.pub.hta	Get hash	malicious	LummaC	Browse	104.21.16.1
	EZsrFTi.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.16.1
	lummm_lzmb.exe	Get hash	malicious	LummaC	Browse	104.21.16.1
	L#U043e#U0430d#U0435r.exe	Get hash	malicious	LummaC	Browse	104.21.16.1
	Xeno.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.16.1
	Adobe-Acrobat-Pro-2025.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.16.1
	MotivatedFunded.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.1
	Set-Up.exe	Get hash	malicious	LummaC	Browse	104.21.16.1
	ActiVe_Ver_Set-UpFilE.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.16.1

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\Installer\MSI1F90.tmp	9rybs.msi	Get hash	malicious	Unknown	Browse
	0cjB1Kh8zU.msi	Get hash	malicious	Unknown	Browse
	2ztvLMT477.msi	Get hash	malicious	Unknown	Browse
	ahx8PyqunR.msi	Get hash	malicious	Unknown	Browse
	Fatrr_wakMkxp.msi	Get hash	malicious	Unknown	Browse
	Fatrr_UewhcWF.msi	Get hash	malicious	Unknown	Browse
	https://tinyurl.com/2abosd8k	Get hash	malicious	Unknown	Browse
	AOEI-LEHOLLZCZW.msi	Get hash	malicious	Unknown	Browse
	DRTO10179793.msi	Get hash	malicious	Unknown	Browse
	pubg-lite-pc.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\AdvinstAnalytics\67871a621816c20044ac2e86\1.0.0\tracking.ini

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	11
Entropy (8bit):	3.2776134368191165
Encrypted:	false
SSDEEP:	3:1EX:10
MD5:	EC3584F3DB838942EC3669DB02DC908E
SHA1:	8DCEB96874D5C6425EBB81BFEE587244C89416DA
SHA-256:	77C7C10B4C860D5DDF4E057E713383E61E9F21BCF0EC4CFBBC16193F2E28F340
SHA-512:	35253883BB627A49918E7415A6BA6B765C86B516504D03A1F4FD05F80902F352A7A40E2A67A6D1B99A14B9B79DAB82F3AC7A67C512CCF6701256C13D0096855E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[General]..

C:\Users\user\AppData\Local\AdvinstAnalytics\67871a621816c20044ac2e86\1.0.0\{E3E53D21-CD36-4CDD-840F-84D7E898228C}.session

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	331
Entropy (8bit):	5.264683242230275
Encrypted:	false
SSDEEP:	6:rIlUDoFsVnFCDjfpvgGD5gBGSbN7/FOPEfQcb7XjBWhj2UNOoHTUQ:ceDoWVFAjKG9yGSbJgPGfXjMhx
MD5:	D3470F0F4F835329919E8942D131FED9
SHA1:	E947D1381593C29E9AC4F51DFCFDC71C0007EB43
SHA-256:	1FEDE82C3B6DBD49E6B7DD8637B7267E152C31B6EBCBD93DA53530E282DF65CA
SHA-512:	06F488CE948FC00B9C189857B5C053037FB58407FB25CB2BCDC94C1D9012AD67B8DBE89BA7726B9A474F36DD08A1B936CD519E6CE87E4DA8A98B7EDEF5282C59
Malicious:	false
Preview:	[Hit {1EC06C6F-96B1-43BB-91D5-97B255A1913E}]..Queue Time = 0..Hit Type = lifecycle..Life control = end..Life status = user abort..Protocol Version = 3..Application ID = 67871a621816c20044ac2e86..Application Version = 1.0.0..Client ID = DAEAB75799C435D42318F8D52234354ADC62633C..Session ID = {E3E53D21-CD36-4CDD-840F-84D7E898228C}..

C:\Users\user\AppData\Local\Temp\goldex.ses

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	6
Entropy (8bit):	2.2516291673878226
Encrypted:	false
SSDEEP:	3:gpyn:g4n
MD5:	A067F5EC97BA51B576825B69BC855E58
SHA1:	907D296538A45D5B593512881D721C7D347B8E04
SHA-256:	CF3E339D25C3C023C9417FFC5D8E73F1DA828B18FEECAF14FDB9C24D04E49BA0
SHA-512:	F6058F37CF764E6CD807D9C0E9DE881849E4C94EC1D2E0C0EB504ABF77147E77CB09113B087E1C10E790C3EC45780E5986D29B2A84B364C5F697F884B1549F4D
Malicious:	false
Preview:	NULL..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EGvKWow.lnk

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Wed Jan 15 18:44:02 2025, mtime=Wed Jan 15 18:44:02 2025, atime=Wed Jan 15 18:44:02 2025, length=4520, window=hide
Category:	dropped
Size (bytes):	897
Entropy (8bit):	5.05511548530761
Encrypted:	false
SSDEEP:	12:8mtRE4+G89RK/CgSHjAtJfEeREwuLoY44t2YZ/elFlSJmZmV:8mtzrCR8B+AjMeOIHqyFm
MD5:	7BE6248FC7180828FD31231887B88007
SHA1:	04E0323B8367CE365CB531B1614EA48E26075396
SHA-256:	142166B70590F7D7DC350394827A8E1B8CE25A17A6ED4DD6E498017EBCF8D435
SHA-512:	26865AA599EDF70174BF9160DB07F1F708F6B570E990EF031AAA65255819E686CB0E2378A449EA9F675D0006F1410A4A113C71EA4D77DDE850EC7F059F867B73
Malicious:	false
Preview:	L..................F.... ...H...g..H...g..H...g.......................... .:..DG..Yr?.D..U..k0.&...&......vk.v......K.g...1.g......t...CFSF..1...../Z....EGvKWow...t.Y^...H.g.3..(.....gVA.G..k...@....../Z../Z............................[I..E.G.v.K.W.o.w...B.b.2...../Z.. .kBiTrog.exe.H....../Z../Z......i...................... ..k.B.i.T.r.o.g...e.x.e.......Q...............-.......P...........m..r.....C:\Users\user\EGvKWow\kBiTrog.exe..(.....\.....\.....\.....\.....\.....\.....\.E.G.v.K.W.o.w.\.k.B.i.T.r.o.g...e.x.e...C.:.\.U.s.e.r.s.\.j.o.n.e.s.........\|....I.J.H..K..:...`.......X.......932923...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\user\EGvKWow\EGvKWow.png

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	HTML document, ASCII text, with very long lines (394)
Category:	dropped
Size (bytes):	4520
Entropy (8bit):	5.018104510047841
Encrypted:	false
SSDEEP:	96:1j9jwIjYj5jDK/D5DMF+C8k/ZqXKHvpIkdNArR89PaQxJbGD:1j9jhjYj9K/Vo+nk8aHvFdNAre9ieJGD
MD5:	E3B668779426227199C1AA26CFD88198
SHA1:	CD2D0B0CF4A164732ECE2D9D13F0983FBEB55AD1
SHA-256:	397DAAAE612398CB8160B42229464573C7AD5E15746F665A7E2918020EBC0A0C
SHA-512:	AE79E981A2B0DCAF6B931CF02501EFA1437332384269DF15CF522EA8B038265B85FD3B1E61AB89DC64493B1154DF2ABFABE483D050FAD54035106F8070612241
Malicious:	false
Preview:	<!DOCTYPE html>. [if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->. [if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->. [if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->. [if gt IE 8]> > <html class="no-js" lang="en-US"> <![endif]-->.<head>.<title>Attention Required! \| Cloudflare</title>.<meta charset="UTF-8" />.<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />.<meta http-equiv="X-UA-Compatible" content="IE=Edge" />.<meta name="robots" content="noindex, nofollow" />.<meta name="viewport" content="width=device-width,initial-scale=1" />.<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />. [if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]-->.<style>body{margin:0;padding:0}</style>... [if gte IE 10]> >.<script>. if (!navigator.cookieEnabled) {. window.addEventListener('DOMContentLoaded', f

C:\Users\user\EGvKWow\Luo Painter.dll (copy)

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	HTML document, ASCII text, with very long lines (394)
Category:	dropped
Size (bytes):	4520
Entropy (8bit):	5.018104510047841
Encrypted:	false
SSDEEP:	96:1j9jwIjYj5jDK/D5DMF+C8k/ZqXKHvpIkdNArR89PaQxJbGD:1j9jhjYj9K/Vo+nk8aHvFdNAre9ieJGD
MD5:	E3B668779426227199C1AA26CFD88198
SHA1:	CD2D0B0CF4A164732ECE2D9D13F0983FBEB55AD1
SHA-256:	397DAAAE612398CB8160B42229464573C7AD5E15746F665A7E2918020EBC0A0C
SHA-512:	AE79E981A2B0DCAF6B931CF02501EFA1437332384269DF15CF522EA8B038265B85FD3B1E61AB89DC64493B1154DF2ABFABE483D050FAD54035106F8070612241
Malicious:	false
Preview:	<!DOCTYPE html>. [if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->. [if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->. [if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->. [if gt IE 8]> > <html class="no-js" lang="en-US"> <![endif]-->.<head>.<title>Attention Required! \| Cloudflare</title>.<meta charset="UTF-8" />.<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />.<meta http-equiv="X-UA-Compatible" content="IE=Edge" />.<meta name="robots" content="noindex, nofollow" />.<meta name="viewport" content="width=device-width,initial-scale=1" />.<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />. [if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]-->.<style>body{margin:0;padding:0}</style>... [if gte IE 10]> >.<script>. if (!navigator.cookieEnabled) {. window.addEventListener('DOMContentLoaded', f

C:\Users\user\EGvKWow\kBiTrog.exe (copy)

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	HTML document, ASCII text, with very long lines (394)
Category:	dropped
Size (bytes):	4520
Entropy (8bit):	5.016755636852287
Encrypted:	false
SSDEEP:	96:1j9jwIjYj5jDK/D5DMF+C8k/ZqXKHvpIkdNCrR89PaQxJbGD:1j9jhjYj9K/Vo+nk8aHvFdNCre9ieJGD
MD5:	FE8A4971275803E7A83234AE1C0F6FBB
SHA1:	D837E8FC9E69BFBB42BB90CF6F05776C1A877FC7
SHA-256:	D566B2BAEE8AC6BE2140662F1CEE4A32547A28601CD3FCE39A62EA68B29D5B17
SHA-512:	BFF04BA9411C285D4E243E6ABE05DA5FE7234B55998682CFE0F5690F84B17D52F169B5A655B42B2A2AA9AA48828E8EB5E6094F2DBC2116BD2FA15039EDE96B6B
Malicious:	false
Preview:	<!DOCTYPE html>. [if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->. [if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->. [if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->. [if gt IE 8]> > <html class="no-js" lang="en-US"> <![endif]-->.<head>.<title>Attention Required! \| Cloudflare</title>.<meta charset="UTF-8" />.<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />.<meta http-equiv="X-UA-Compatible" content="IE=Edge" />.<meta name="robots" content="noindex, nofollow" />.<meta name="viewport" content="width=device-width,initial-scale=1" />.<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />. [if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]-->.<style>body{margin:0;padding:0}</style>... [if gte IE 10]> >.<script>. if (!navigator.cookieEnabled) {. window.addEventListener('DOMContentLoaded', f

C:\Users\user\EGvKWow\kBiTrog.png

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	HTML document, ASCII text, with very long lines (394)
Category:	dropped
Size (bytes):	4520
Entropy (8bit):	5.016755636852287
Encrypted:	false
SSDEEP:	96:1j9jwIjYj5jDK/D5DMF+C8k/ZqXKHvpIkdNCrR89PaQxJbGD:1j9jhjYj9K/Vo+nk8aHvFdNCre9ieJGD
MD5:	FE8A4971275803E7A83234AE1C0F6FBB
SHA1:	D837E8FC9E69BFBB42BB90CF6F05776C1A877FC7
SHA-256:	D566B2BAEE8AC6BE2140662F1CEE4A32547A28601CD3FCE39A62EA68B29D5B17
SHA-512:	BFF04BA9411C285D4E243E6ABE05DA5FE7234B55998682CFE0F5690F84B17D52F169B5A655B42B2A2AA9AA48828E8EB5E6094F2DBC2116BD2FA15039EDE96B6B
Malicious:	false
Preview:	<!DOCTYPE html>. [if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->. [if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->. [if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->. [if gt IE 8]> > <html class="no-js" lang="en-US"> <![endif]-->.<head>.<title>Attention Required! \| Cloudflare</title>.<meta charset="UTF-8" />.<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />.<meta http-equiv="X-UA-Compatible" content="IE=Edge" />.<meta name="robots" content="noindex, nofollow" />.<meta name="viewport" content="width=device-width,initial-scale=1" />.<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />. [if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]-->.<style>body{margin:0;padding:0}</style>... [if gte IE 10]> >.<script>. if (!navigator.cookieEnabled) {. window.addEventListener('DOMContentLoaded', f

C:\Windows\Installer\54d8d3.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {E0B8551D-748E-4EB1-A05B-5BD8DF540DF9}, Number of Words: 10, Subject: UJUCERYERTY, Author: YEAYRIEMNRYTA, Name of Creating Application: Advanced Installer 18.3 build e2a0201b, Template: ;1046, Comments: A base dados do instalador contm a lgica e os dados necessrios para instalar o UJUCERYERTY., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	2361856
Entropy (8bit):	6.567035537407821
Encrypted:	false
SSDEEP:	49152:qqDxGSFVtaNDAJK8tKk5ojmrhCMz5vk3ukDln/hFRFNUEekBWWsRkn4frUMXjDt4:XxMDAtKknz5vqu+sRe4frUMXjcY
MD5:	40E97F78A0784D68C57E746EE36A76E0
SHA1:	B8918D64B00B3B0E6B85800BBA3A976860A1C3E3
SHA-256:	60B60873D6CFA59A1B467931FFE7EFDC0575B02255C549502DE50AD05D8F3B89
SHA-512:	5D89D06C903E437F899BB8C1FE4EEAF2433C0AD897D1D591216213DCADD37328E28FD5746A72187D09FE29A746602F789A4DA6184AA7877D1F104788F3B4563D
Malicious:	false
Preview:	......................>...................%...................................................................................................................J...K...L...M...N...O...P...Q...R...S...T...U...............................................................................................................................................................................................................................................................................................................................c...............%...7........................................................................................... ...!..."...#...$.../...0...'...(...)...*...+...,...-...........1...5...2...3...4...8...6...@...C...9...:...;...<...=...>...?...Q...A...B...H...D...E...F...G...p...a...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`.......b...d...u...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...v.......w...x...y...z...

C:\Windows\Installer\MSI1F90.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	780768
Entropy (8bit):	6.387720196228063
Encrypted:	false
SSDEEP:	12288:8tlNr2btWAp/wEqjh/lNKCQSZ1YVzsRiiqn6BbFAmrhymkM49+Og2Z04KHjJaI/5:8tlNrgpSZKVsRkn4frUMXjJaI/tWogPa
MD5:	573F5E653258BF622AE1C0AD118880A2
SHA1:	E243C761983908D14BAF6C7C0879301C8437415D
SHA-256:	371D1346EC9CA236B257FED5B5A5C260114E56DFF009F515FA543E11C4BB81F7
SHA-512:	DFFF15345DBF62307C3E6A4C0B363C133D1A0B8B368492F1200273407C2520B33ACB20BFF90FEAC356305990492F800844D849EE454E7124395F945DE39F39EA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 9rybs.msi, Detection: malicious, Browse Filename: 0cjB1Kh8zU.msi, Detection: malicious, Browse Filename: 2ztvLMT477.msi, Detection: malicious, Browse Filename: ahx8PyqunR.msi, Detection: malicious, Browse Filename: Fatrr_wakMkxp.msi, Detection: malicious, Browse Filename: Fatrr_UewhcWF.msi, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: AOEI-LEHOLLZCZW.msi, Detection: malicious, Browse Filename: DRTO10179793.msi, Detection: malicious, Browse Filename: pubg-lite-pc.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#P.Qg1..g1..g1..sZ..j1..sZ...1...E..v1...E..p1...E..51..sZ...1..sZ..f1..sZ..z1..g1..T0...E..+1...E..f1...Ex.f1..g1..e1...E..f1..Richg1..........PE..L.../.`.........."!.........B......4................................................j....@..........................;......@=...............................0......X%..p....................&.......%..@............................................text............................... ..`.rdata..............................@..@.data.......P.......@..............@....rsrc...............................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	432221
Entropy (8bit):	5.375158504760705
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauc:zTtbmkExhMJCIpErR
MD5:	7E3F4F06EA319FDD14458876126F6AD4
SHA1:	8AB9DE03715F9639517ED7921E1118CD374ED6F3
SHA-256:	504EE58BC4392D4A3B994B4FAD9D569564EA1D894ABE281596CE48466E846C1E
SHA-512:	20E156CC5CD0AF74D085F1CC50AD66176DF8D7E01F053A537D1806ECAD665543C983C92FD820AEEC624EF00E20705B78A2DE1B1F4207A1D0A0A529289D06B335
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {E0B8551D-748E-4EB1-A05B-5BD8DF540DF9}, Number of Words: 10, Subject: UJUCERYERTY, Author: YEAYRIEMNRYTA, Name of Creating Application: Advanced Installer 18.3 build e2a0201b, Template: ;1046, Comments: A base dados do instalador contm a lgica e os dados necessrios para instalar o UJUCERYERTY., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Entropy (8bit):	6.567035537407821
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	g6lWBM64S4.msi
File size:	2'361'856 bytes
MD5:	40e97f78a0784d68c57e746ee36a76e0
SHA1:	b8918d64b00b3b0e6b85800bba3a976860a1c3e3
SHA256:	60b60873d6cfa59a1b467931ffe7efdc0575b02255c549502de50ad05d8f3b89
SHA512:	5d89d06c903e437f899bb8c1fe4eeaf2433c0ad897d1d591216213dcadd37328e28fd5746a72187d09fe29a746602f789a4da6184aa7877d1f104788f3b4563d
SSDEEP:	49152:qqDxGSFVtaNDAJK8tKk5ojmrhCMz5vk3ukDln/hFRFNUEekBWWsRkn4frUMXjDt4:XxMDAtKknz5vqu+sRe4frUMXjcY
TLSH:	28B58D1275DA8736EA7E8134A5AAD73621FA3FE00BB154DF53C4593A0EB05C242B2F17
File Content Preview:	........................>...................%...................................................................................................................J...K...L...M...N...O...P...Q...R...S...T...U..................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-15T20:44:02.007687+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	104.21.16.1	443	TCP
2025-01-15T20:44:02.721981+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	104.21.16.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 20:44:01.538208008 CET	49730	443	192.168.2.4	104.21.16.1
Jan 15, 2025 20:44:01.538248062 CET	443	49730	104.21.16.1	192.168.2.4
Jan 15, 2025 20:44:01.538321972 CET	49730	443	192.168.2.4	104.21.16.1
Jan 15, 2025 20:44:01.541510105 CET	49730	443	192.168.2.4	104.21.16.1
Jan 15, 2025 20:44:01.541521072 CET	443	49730	104.21.16.1	192.168.2.4
Jan 15, 2025 20:44:02.007620096 CET	443	49730	104.21.16.1	192.168.2.4
Jan 15, 2025 20:44:02.007687092 CET	49730	443	192.168.2.4	104.21.16.1
Jan 15, 2025 20:44:02.011517048 CET	49730	443	192.168.2.4	104.21.16.1
Jan 15, 2025 20:44:02.011526108 CET	443	49730	104.21.16.1	192.168.2.4
Jan 15, 2025 20:44:02.011831045 CET	443	49730	104.21.16.1	192.168.2.4
Jan 15, 2025 20:44:02.055347919 CET	49730	443	192.168.2.4	104.21.16.1
Jan 15, 2025 20:44:02.099355936 CET	443	49730	104.21.16.1	192.168.2.4
Jan 15, 2025 20:44:02.157418966 CET	443	49730	104.21.16.1	192.168.2.4
Jan 15, 2025 20:44:02.157459021 CET	443	49730	104.21.16.1	192.168.2.4
Jan 15, 2025 20:44:02.157488108 CET	443	49730	104.21.16.1	192.168.2.4
Jan 15, 2025 20:44:02.157501936 CET	49730	443	192.168.2.4	104.21.16.1
Jan 15, 2025 20:44:02.157512903 CET	443	49730	104.21.16.1	192.168.2.4
Jan 15, 2025 20:44:02.157556057 CET	49730	443	192.168.2.4	104.21.16.1
Jan 15, 2025 20:44:02.157562017 CET	443	49730	104.21.16.1	192.168.2.4
Jan 15, 2025 20:44:02.157583952 CET	443	49730	104.21.16.1	192.168.2.4
Jan 15, 2025 20:44:02.157620907 CET	49730	443	192.168.2.4	104.21.16.1
Jan 15, 2025 20:44:02.159845114 CET	49730	443	192.168.2.4	104.21.16.1
Jan 15, 2025 20:44:02.159852982 CET	443	49730	104.21.16.1	192.168.2.4
Jan 15, 2025 20:44:02.242734909 CET	49731	443	192.168.2.4	104.21.16.1
Jan 15, 2025 20:44:02.242770910 CET	443	49731	104.21.16.1	192.168.2.4
Jan 15, 2025 20:44:02.242919922 CET	49731	443	192.168.2.4	104.21.16.1
Jan 15, 2025 20:44:02.243215084 CET	49731	443	192.168.2.4	104.21.16.1
Jan 15, 2025 20:44:02.243227005 CET	443	49731	104.21.16.1	192.168.2.4
Jan 15, 2025 20:44:02.721900940 CET	443	49731	104.21.16.1	192.168.2.4
Jan 15, 2025 20:44:02.721981049 CET	49731	443	192.168.2.4	104.21.16.1
Jan 15, 2025 20:44:02.723335028 CET	49731	443	192.168.2.4	104.21.16.1
Jan 15, 2025 20:44:02.723342896 CET	443	49731	104.21.16.1	192.168.2.4
Jan 15, 2025 20:44:02.723581076 CET	443	49731	104.21.16.1	192.168.2.4
Jan 15, 2025 20:44:02.724824905 CET	49731	443	192.168.2.4	104.21.16.1
Jan 15, 2025 20:44:02.767366886 CET	443	49731	104.21.16.1	192.168.2.4
Jan 15, 2025 20:44:02.877383947 CET	443	49731	104.21.16.1	192.168.2.4
Jan 15, 2025 20:44:02.877424002 CET	443	49731	104.21.16.1	192.168.2.4
Jan 15, 2025 20:44:02.877450943 CET	443	49731	104.21.16.1	192.168.2.4
Jan 15, 2025 20:44:02.877475023 CET	443	49731	104.21.16.1	192.168.2.4
Jan 15, 2025 20:44:02.877504110 CET	49731	443	192.168.2.4	104.21.16.1
Jan 15, 2025 20:44:02.877518892 CET	443	49731	104.21.16.1	192.168.2.4
Jan 15, 2025 20:44:02.877542019 CET	443	49731	104.21.16.1	192.168.2.4
Jan 15, 2025 20:44:02.877563000 CET	49731	443	192.168.2.4	104.21.16.1
Jan 15, 2025 20:44:02.877578020 CET	49731	443	192.168.2.4	104.21.16.1
Jan 15, 2025 20:44:02.877752066 CET	49731	443	192.168.2.4	104.21.16.1
Jan 15, 2025 20:44:02.877765894 CET	443	49731	104.21.16.1	192.168.2.4
Jan 15, 2025 20:44:02.877774954 CET	49731	443	192.168.2.4	104.21.16.1
Jan 15, 2025 20:44:02.877780914 CET	443	49731	104.21.16.1	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 20:44:01.362901926 CET	53497	53	192.168.2.4	1.1.1.1
Jan 15, 2025 20:44:01.533077002 CET	53	53497	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 15, 2025 20:44:01.362901926 CET	192.168.2.4	1.1.1.1	0x5e9b	Standard query (0)	situacaonssprj.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 15, 2025 20:44:01.533077002 CET	1.1.1.1	192.168.2.4	0x5e9b	No error (0)	situacaonssprj.com		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 20:44:01.533077002 CET	1.1.1.1	192.168.2.4	0x5e9b	No error (0)	situacaonssprj.com		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 20:44:01.533077002 CET	1.1.1.1	192.168.2.4	0x5e9b	No error (0)	situacaonssprj.com		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 20:44:01.533077002 CET	1.1.1.1	192.168.2.4	0x5e9b	No error (0)	situacaonssprj.com		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 20:44:01.533077002 CET	1.1.1.1	192.168.2.4	0x5e9b	No error (0)	situacaonssprj.com		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 20:44:01.533077002 CET	1.1.1.1	192.168.2.4	0x5e9b	No error (0)	situacaonssprj.com		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 20:44:01.533077002 CET	1.1.1.1	192.168.2.4	0x5e9b	No error (0)	situacaonssprj.com		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 20:44:16.277858019 CET	1.1.1.1	192.168.2.4	0xba5e	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 15, 2025 20:44:16.277858019 CET	1.1.1.1	192.168.2.4	0xba5e	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 15, 2025 20:44:56.105959892 CET	1.1.1.1	192.168.2.4	0x7941	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 15, 2025 20:44:56.105959892 CET	1.1.1.1	192.168.2.4	0x7941	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

situacaonssprj.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.21.16.1	443	2316	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 19:44:02 UTC	169	OUT	GET /molde/calvao1.png HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: situacaonssprj.com
2025-01-15 19:44:02 UTC	904	IN	HTTP/1.1 403 Forbidden Date: Wed, 15 Jan 2025 19:44:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Wed, 15 Jan 2025 19:44:17 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C91A9Pp1OATyhLqfs4ZFPavNNTE%2Fdwavft3LccoPO%2BlZpLsb6jl3cr84mTDEa7U9eLch1Qib3%2FMo3oPpM%2FfDz5QL6zJycTNbgdSrHSxMZ8nuQ0jV%2FnyEYC5IQvnhS%2BGc2Sapb9Q%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90285bad2bf77293-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2030&min_rtt=2028&rtt_var=766&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2845&recv_bytes=783&delivery_rate=1423695&cwnd=158&unsent_bytes=0&cid=6f14c267eda6f7a6&ts=168&x=0"
2025-01-15 19:44:02 UTC	465	IN	Data Raw: 31 31 61 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 11a8<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2025-01-15 19:44:02 UTC	1369	IN	Data Raw: 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 Data Ascii: 8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.error
2025-01-15 19:44:02 UTC	1369	IN	Data Raw: 6f 74 2d 66 75 6c 6c 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 6e 6f 2d 73 63 72 65 65 6e 73 68 6f 74 20 65 72 72 6f 72 22 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 2e 63 61 70 74 63 68 61 2d 63 6f 6e 74 61 69 6e 65 72 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 63 6f 6c 75 6d 6e 73 20 74 77 6f 22 3e 0a 20 20 20 20 20 20 20 Data Ascii: ot-full"> <span class="cf-no-screenshot error"></span> </div> </div> </div>... /.captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two">
2025-01-15 19:44:02 UTC	1325	IN	Data Raw: 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 43 6c 6f 75 64 66 6c 61 72 65 20 52 61 79 20 49 44 3a 20 3c 73 74 72 6f 6e 67 20 63 6c 61 73 73 3d 22 66 6f 6e 74 2d 73 65 6d 69 62 6f 6c 64 22 3e 39 30 32 38 35 62 61 64 32 62 66 37 37 32 39 33 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 2d 69 70 22 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 68 69 64 64 65 6e 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 0a 20 20 20 20 20 20 59 6f 75 Data Ascii: em sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">90285bad2bf77293</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> You
2025-01-15 19:44:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	104.21.16.1	443	2316	C:\Windows\SysWOW64\msiexec.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 19:44:02 UTC	168	OUT	GET /molde/arvore.png HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: situacaonssprj.com
2025-01-15 19:44:02 UTC	898	IN	HTTP/1.1 403 Forbidden Date: Wed, 15 Jan 2025 19:44:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Wed, 15 Jan 2025 19:44:17 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t96YoDLpMA1glPSt1BxA%2BgO1hvZZK3BHstwpqVpZSxp9lsF5863oWjExGzFGllSbg4uZLTof9%2FR815E8ROibZHT8hS6tpTvjQ7dQRxd2MpiE7EJ7EtyLoyMivAp97DpoLsz8%2F4E%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90285bb19c008ce0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1791&min_rtt=1786&rtt_var=680&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2845&recv_bytes=782&delivery_rate=1598248&cwnd=215&unsent_bytes=0&cid=e7f7855e4b8fee5f&ts=165&x=0"
2025-01-15 19:44:02 UTC	471	IN	Data Raw: 31 31 61 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 11a8<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2025-01-15 19:44:02 UTC	1369	IN	Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 Data Ascii: <meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css"
2025-01-15 19:44:02 UTC	1369	IN	Data Raw: 6c 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 6e 6f 2d 73 63 72 65 65 6e 73 68 6f 74 20 65 72 72 6f 72 22 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 2e 63 61 70 74 63 68 61 2d 63 6f 6e 74 61 69 6e 65 72 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 73 65 63 74 69 6f 6e 20 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 63 6f 6c 75 6d 6e 73 20 74 77 6f 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 64 69 Data Ascii: l"> <span class="cf-no-screenshot error"></span> </div> </div> </div>... /.captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two"> <di
2025-01-15 19:44:02 UTC	1319	IN	Data Raw: 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 43 6c 6f 75 64 66 6c 61 72 65 20 52 61 79 20 49 44 3a 20 3c 73 74 72 6f 6e 67 20 63 6c 61 73 73 3d 22 66 6f 6e 74 2d 73 65 6d 69 62 6f 6c 64 22 3e 39 30 32 38 35 62 62 31 39 63 30 30 38 63 65 30 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 2d 69 70 22 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 68 69 64 64 65 6e 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e 0a 20 20 20 20 20 20 59 6f 75 72 20 49 50 3a 0a Data Ascii: block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">90285bb19c008ce0</strong></span> <span class="cf-footer-separator sm:hidden">•</span> <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1"> Your IP:
2025-01-15 19:44:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	14:43:58
Start date:	15/01/2025
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\g6lWBM64S4.msi"
Imagebase:	0x7ff7d2f00000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:43:58
Start date:	15/01/2025
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff7d2f00000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	14:43:59
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 196436DA6AF92AFC4A38F9C5C8CAFD36
Imagebase:	0xed0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:44:12
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v kBiTrog /t reg_sz /d "C:\Users\user\EGvKWow\kBiTrog.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:44:12
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:44:12
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v kBiTrog /t reg_sz /d "C:\Users\user\EGvKWow\kBiTrog.exe"
Imagebase:	0xa0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:44:12
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	14:44:16
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\shutdown.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\shutdown.exe" /r /f /t 15
Imagebase:	0xf50000
File size:	23'552 bytes
MD5 hash:	FCDE5AF99B82AE6137FB90C7571D40C3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:44:16
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report g6lWBM64S4.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\AdvinstAnalytics\67871a621816c20044ac2e86\1.0.0\tracking.ini

C:\Users\user\AppData\Local\AdvinstAnalytics\67871a621816c20044ac2e86\1.0.0\{E3E53D21-CD36-4CDD-840F-84D7E898228C}.session

C:\Users\user\AppData\Local\Temp\goldex.ses

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EGvKWow.lnk

C:\Users\user\EGvKWow\EGvKWow.png

C:\Users\user\EGvKWow\Luo Painter.dll (copy)

C:\Users\user\EGvKWow\kBiTrog.exe (copy)

C:\Users\user\EGvKWow\kBiTrog.png

C:\Windows\Installer\54d8d3.msi

C:\Windows\Installer\MSI1F90.tmp

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
g6lWBM64S4.msi