Edit tour

Windows Analysis Report
SecuriteInfo.com.PUA.Tool.NirCmd.4.6339.9293.msi

Overview

General Information

Sample name:	SecuriteInfo.com.PUA.Tool.NirCmd.4.6339.9293.msi
Analysis ID:	1664026
MD5:	d7661a891807b6508edab51e1cb60b25
SHA1:	ae6ea41a17ddd2995836ab9279207a5b444d539a
SHA256:	9395ad01afdd8d4a4b6dff33bf6e82e502d765f0a63315a88a97ba4279dcbb16
Tags:	msiuser-SecuriteInfoCom
Infos:

Detection

Score:	52
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Drops password protected ZIP file

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Creates files inside the system directory

Deletes files inside the Windows folder

Drops PE files

Found dropped PE file which has not been started or loaded

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Yara detected NirCmd tool

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 7736 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.NirCmd.4.6339.9293.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7768 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\MyTempTool\Work\nircmd.exe	JoeSecurity_NirCmd	Yara detected NirCmd tool	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Spreading
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.PUA.Tool.NirCmd.4.6339.9293.msi

Virustotal: Detection: 8%

Perma Link

Source:	Binary string: c:\Projects\VS2005\NirCmd\x64\release\NirCmd.pdb source: nircmd.exe.1.dr
Source:	Binary string: D:\Projects\MouriNaruto\NSudoPrivate\Source\Native\Output\Binaries\Release\x64\NSudoLG.pdb source: NSudoLG.exe.1.dr
Source:	Binary string: D:\Projects\MouriNaruto\NSudoPrivate\Source\Native\Output\Binaries\Release\x64\NSudoLG.pdbVV source: NSudoLG.exe.1.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: nircmd.exe.1.dr	String found in binary or memory: http://nircmd.nirsoft.net
Source: nircmd.exe.1.dr	String found in binary or memory: http://nircmd.nirsoft.net/%s.html
Source: nircmd.exe.1.dr	String found in binary or memory: http://nircmd.nirsoft.net/%s.htmlhttp://nircmd.nirsoft.net
Source: 24.bat.1.dr	String found in binary or memory: https://eject37.github.io/vlado/
Source: NSudoLG.exe.1.dr	String found in binary or memory: https://github.com/Thdub/NSudo_Installer
Source: NSudoLG.exe.1.dr	String found in binary or memory: https://nsudo.m2team.org
Source: NSudoLG.exe.1.dr	String found in binary or memory: https://nsudo.m2team.org.
Source: nircmd.exe.1.dr	String found in binary or memory: https://www.nirsoft.net
Source: nircmd.exe.1.dr	String found in binary or memory: https://www.nirsoft.netopenIf

System Summary

Drops password protected ZIP file

Source: DKTolz.zip.1.dr	Zip Entry: encrypted
Source: DKTolz.zip.1.dr	Zip Entry: encrypted

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\557ec7.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{90C11C8A-AD21-4E7E-BDFA-BD9C724A6087}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7FE0.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\557ec9.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\557ec9.msi	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File deleted: C:\Windows\Installer\557ec9.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File deleted: C:\Windows\Installer\MSI7FE0.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File deleted: C:\Windows\Installer\557ec7.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File deleted: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior

Source: Yara match

File source: C:\Users\user\AppData\Local\Temp\MyTempTool\Work\nircmd.exe, type: DROPPED

Source: classification engine

Classification label: mal52.winMSI@2/25@0/0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DFDCFBD2CB60535132.TMP

Jump to behavior

Source: SecuriteInfo.com.PUA.Tool.NirCmd.4.6339.9293.msi

Static file information: TRID: Microsoft Windows Installer (60509/1) 88.31%

Source: SecuriteInfo.com.PUA.Tool.NirCmd.4.6339.9293.msi

Virustotal: Detection: 8%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.NirCmd.4.6339.9293.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior

Source: SecuriteInfo.com.PUA.Tool.NirCmd.4.6339.9293.msi

Static file information: File size 2027520 > 1048576

Source:	Binary string: c:\Projects\VS2005\NirCmd\x64\release\NirCmd.pdb source: nircmd.exe.1.dr
Source:	Binary string: D:\Projects\MouriNaruto\NSudoPrivate\Source\Native\Output\Binaries\Release\x64\NSudoLG.pdb source: NSudoLG.exe.1.dr
Source:	Binary string: D:\Projects\MouriNaruto\NSudoPrivate\Source\Native\Output\Binaries\Release\x64\NSudoLG.pdbVV source: NSudoLG.exe.1.dr

Source: 7z.exe.1.dr

Static PE information: section name: .sxdata

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MyTempTool\Work\NSudoLG.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MyTempTool\Work\cecho.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MyTempTool\Work\nircmd.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MyTempTool\Work\7z.exe	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MyTempTool\Work\NSudoLG.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MyTempTool\Work\cecho.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MyTempTool\Work\nircmd.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MyTempTool\Work\7z.exe	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: 24.bat.1.dr

Binary or memory string: sc start VMTools >nul 2>&1

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: nircmd.exe.1.dr	Binary or memory string: Shell_TrayWnd
Source: nircmd.exe.1.dr	Binary or memory string: Progman
Source: nircmd.exe.1.dr	Binary or memory string: progman
Source: nircmd.exe.1.dr	Binary or memory string: "Userenv.dllCreateEnvironmentBlockCreateProcessWithLogonWExplorer.exeShell_TrayWndProgmanSetConsoleDisplayModeEnumDisplayDevicesAmasterwaveoutsynthcdmicrophonephoneauxlineheadphoneswaveinaltctrlshiftextplusspcentertabescinsdelDllRegisterServerDllUnregisterServerNirCmdWinClsfolder.loopcountcurrdate.currtime.sys.nir.param.fparam.clipboardNirComLinenowexefilesystemwindowsnircmdcommon_desktopcommon_start_menucommon_programsdesktopstart_menuprogramsstartupappdatalocalappdatacookiesfavoritesrecentcommon_startupcommon_favoritesprogramfilescommon_programfilesmydocumentsnormallowbelownormalabovenormalhighrealtimeSeTcbPrivilegeSeDebugPrivilegenohexnoasciibinCannot find the specified process !Failed to load the process library !leftshiftrightshiftleftctrlrightctrlleftmenurightmenudownupleftrighthomeendinsertdeletecommaminusperiodlwinrwinappspageuppagedownmultiplyaddsubtractseperatordividebackspacepausecapslocknumlockscrollprintscreen#32770clicksettextshowshownahidehideshowflashmaxminsettopmostfocusactivateenabledisabletoggledisabletogglehidetogglemintogglemaxredrawsetsizesendmsgpostmsgcenterchildmovedlgclickdlgsettextdlgsetfocus+style-style+exstyle-exstyletranstitlestitleititleetitleidclassprocessalltopalltopnodesktopprogmanshell_traywndbuttonallFailed to create the shortcut !nircmd.exe %sadmin$\nircmd.exe\\cfocusedsystemsoundsSound Devicesdefault_recordshowerrorparamsfilecmdwaitloopremotecopymultiremoteqboxcomqboxcomtopinfoboxqboxqboxtopexec2execexecmdcmd.execommand.com%s /c %sregsetvalThe specified key is not valid !SZEXPAND_SZDWORDBINARYregdelvalregdelkeyCannot delete the key, because it contains one or more subkeys.regeditinisetvalinidelvalinidelsecrasdialdlginetdialThe dialing function is not available in your system !rasdialUnable to receive dialup information of the specified entry !moverecyclebinemptybinrashangupFailed to hung up this RAS itemCannot find the specified connection name !exitwinlogoffpoweroffrebootshutdownforceforceifhungabortshutdowninitshutdowncmdshortcutcmdshortcutkeyshortcutshexecFailed to execute this file !clonefiletimesetfiletimesetfilefoldertimesetconsolemodeconsolewritesetconsolecolordebugwritesetcursorsetcursorwinrestartexplorersendkeypress+sendkeypresssendmousewheeldblclickmovecursorchangebrightness\\.\LCDsetbrightnesssetprimarydisplaysetdisplaymonitor:-updatereg-allusersFailed to change the display setting !Invalid display values !closeprocessFailed to close the specified process !killprocessFailed to kill the specified process !memdumpserviceUnable to load the services library !stopcontinuestartrestartautomanualdisabledbootwinhandleactiveforegroundlockwsclearsetfilereadfilewritefilewriteufileaddfileaddufilecopyimagesaveimageloadclpsaveclpsetdialuplogonFailed to set the logon details for this dialup item !scriptmediaplayopen "%s" type mpegvideo alias %splay %sclose %surlshortcut%fav%Failed to create the internet shortcut !monitoroffonasync_offasync_onasync_lowscreensaverscreensavertimeoutrunassystemwinlogon.exeruninteractiv
Source: nircmd.exe.1.dr	Binary or memory string: shell_traywnd

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: DKTolz.zip.1.dr

Binary or memory string: Unlocker.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	Windows Management Instrumentation	1 DLL Side-Loading	2 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Software Packing	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Process Injection	Security Account Manager	11 Peripheral Device Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	11 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.PUA.Tool.NirCmd.4.6339.9293.msi	8%	Virustotal		Browse
SecuriteInfo.com.PUA.Tool.NirCmd.4.6339.9293.msi	8%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\MyTempTool\Work\7z.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MyTempTool\Work\NSudoLG.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MyTempTool\Work\cecho.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MyTempTool\Work\nircmd.exe	8%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://nsudo.m2team.org	0%	Avira URL Cloud	safe
https://eject37.github.io/vlado/	0%	Avira URL Cloud	safe
https://nsudo.m2team.org.	0%	Avira URL Cloud	safe
http://nircmd.nirsoft.net	0%	Avira URL Cloud	safe
http://nircmd.nirsoft.net/%s.html	0%	Avira URL Cloud	safe
https://www.nirsoft.netopenIf	0%	Avira URL Cloud	safe
http://nircmd.nirsoft.net/%s.htmlhttp://nircmd.nirsoft.net	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://eject37.github.io/vlado/	24.bat.1.dr	false	Avira URL Cloud: safe	unknown
https://nsudo.m2team.org	NSudoLG.exe.1.dr	false	Avira URL Cloud: safe	unknown
https://nsudo.m2team.org.	NSudoLG.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://nircmd.nirsoft.net/%s.html	nircmd.exe.1.dr	false	Avira URL Cloud: safe	unknown
https://github.com/Thdub/NSudo_Installer	NSudoLG.exe.1.dr	false		high
http://nircmd.nirsoft.net/%s.htmlhttp://nircmd.nirsoft.net	nircmd.exe.1.dr	false	Avira URL Cloud: safe	unknown
https://www.nirsoft.netopenIf	nircmd.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://nircmd.nirsoft.net	nircmd.exe.1.dr	false	Avira URL Cloud: safe	unknown
https://www.nirsoft.net	nircmd.exe.1.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1664026
Start date and time:	2025-04-13 09:46:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.PUA.Tool.NirCmd.4.6339.9293.msi
Detection:	MAL
Classification:	mal52.winMSI@2/25@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.213.193, 204.79.197.222, 52.149.20.212
Excluded domains from analysis (whitelisted): fp.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\MyTempTool\Work\nircmd.exe	RAT.bin.exe	Get hash	malicious	Unknown	Browse
	random.exe	Get hash	malicious	Amadey	Browse
	random.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse
	lcc333.exe	Get hash	malicious	Unknown	Browse
	lcc333.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\MyTempTool\Work\7z.exe	random.exe	Get hash	malicious	Amadey	Browse
C:\Users\user\AppData\Local\Temp\MyTempTool\Work\7z.exe	random.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse
C:\Users\user\AppData\Local\Temp\MyTempTool\Work\cecho.exe	random.exe	Get hash	malicious	Amadey	Browse
	random.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse
	KcQriAEcni.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\MyTempTool\Work\NSudoLG.exe	random.exe	Get hash	malicious	Amadey	Browse
	random.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse

Created / dropped Files

C:\Config.Msi\557ec8.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	8046
Entropy (8bit):	5.575060558938956
Encrypted:	false
SSDEEP:	96:USNfirnJuBEvLXeJdOWbj1UgXTCsThqeOUgXTC6j2E+O6/ThqeHHhqhk5LbWgJGH:U9eJdx3OgXOILhgXOHHLhfRGMpI9
MD5:	6845464B86A0A78072318327592688C9
SHA1:	7E1E7EE3F128F3A246E3FD728819442A36472BAF
SHA-256:	B0818F628D0742501ECBC0238691606BE4B50CE60E07771104F5A8FB2ACE4092
SHA-512:	8C9F830532319C5FDC829BE357A64844B654C9FD1994C2742D302CB4064BEF7A8645D9E1CC97AEF9E382083086C54005A94253A3FB3C02E448B3A52B5CFBEDFE
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@...Z.@.....@.....@.....@.....@.....@......&.{90C11C8A-AD21-4E7E-BDFA-BD9C724A6087}..BatchInstallerFinal0.SecuriteInfo.com.PUA.Tool.NirCmd.4.6339.9293.msi.@.....@.....@.....@........&.{2FEBEFEC-3D15-443D-856A-ECF4E5D1E024}.....@.....@.....@.....@.......@.....@.....@.......@......BatchInstallerFinal......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....RunBatch....ProcessComponents..Updating component registration..&.{6EC2C8CD-1C41-4D4A-BDF5-9C437360A5D9}&.{90C11C8A-AD21-4E7E-BDFA-BD9C724A6087}.@......&.{D5BCE95B-D33B-4A96-9678-5FDDE88152CE}&.{90C11C8A-AD21-4E7E-BDFA-BD9C724A6087}.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]..2.C:\Users\user\AppData\Local\Temp\MyTempTool\Work\....8.C:\Users\user\AppData\Local\Temp\MyTempTool\Work\7z.exe....;.C:\Users\user\AppData\Local\Temp\MyTempTool\Work\cecho.exe....<.C:\Users\user\AppData\Local\Temp\MyTempTool\Work\DKTolz.zip..-.C:\Users\user\AppData\Loc

C:\Users\user\AppData\Local\Temp\MyTempTool\24.bat

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 text, with very long lines (456), with CRLF line terminators
Category:	dropped
Size (bytes):	24694
Entropy (8bit):	5.530949814438894
Encrypted:	false
SSDEEP:	384:Wx+iy0VO6ZIegQGF5zpT3mvv9vj5WUO1R1b9ftqkqoiaVWyWLhxdOMI/by+nfU:Y+i53vlvj5WVzi1ajUkG
MD5:	350D172630B12F10564C78EEF37E3F95
SHA1:	0A9B8BD75D63679B1F35F812388CDEC0E3A72BF3
SHA-256:	73BC1BD40DCB68AC6DBF25FFB5E0B708F43FD4CA8A17D08647EEB89641B37062
SHA-512:	9C71F7610BF948274CD7A0502467000B5E57C12F455492E4C47E5C1681BE4AF1241500BBCD041403F33DDADD560EFB8C35A079E5740C71D53E875A106A37434A
Malicious:	false
Reputation:	low
Preview:	if "%~1" == "" (.. start "" /min "%comspec%" /c "%~f0" any_word.. exit /b..)........:Start...chcp 65001 >nul...Color 0f...set "Arch=" & set "ArgNsudo=" & set "MainFolder1=" & set "MainFolder2=" & set "ProcList=" & set "NumberWin="........SetLocal EnableDelayedExpansion...cd /d "%~dp0Work"...set "Arch=x64" & (If "%PROCESSOR_ARCHITECTURE%"=="x86" if not defined PROCESSOR_ARCHITEW6432 set Arch=x86)...reg query "HKU\S-1-5-19" >nul 2>&1 \|\| nircmd elevate "%~f0" && exit......if defined WT_SESSION (....reg add "HKCU\Console\%%%%Startup" /v "DelegationConsole" /t REG_SZ /d "{B23D10C0-E52E-411E-9D5B-C09FDF709C7D}" /f >nul....reg add "HKCU\Console\%%%%Startup" /v "DelegationTerminal" /t REG_SZ /d "{B23D10C0-E52E-411E-9D5B-C09FDF709C7D}" /f >nul...)......reg add "HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "AppsUseLightTheme" /t reg_dword /d 0 /f >nul 2>&1...if /i "%USERNAME%" neq "%COMPUTERNAME%$" NSudoLG -U:T -P:E -UseCurrentConsole %0 && exit.....set "Ve

C:\Users\user\AppData\Local\Temp\MyTempTool\Work\7z.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	847872
Entropy (8bit):	6.656804355357899
Encrypted:	false
SSDEEP:	24576:b82Iz/8J9oDionNtypHq6geLmUB1HXBxCbx5MwRv8:bBYUzoDtiqELmW6nR8
MD5:	426CCB645E50A3143811CFA0E42E2BA6
SHA1:	3C17E212A5FDF25847BC895460F55819BF48B11D
SHA-256:	CF878BFBD9ED93DC551AC038AFF8A8BBA4C935DDF8D48E62122BDDFDB3E08567
SHA-512:	1AB13E8E6E0CA4CA2039F104D53A5286C4196E930319C4FE374FA3BF415214BB7C7D2A9D8CA677A29C911A356CCA19A1CECAE16DD4BF840BCE725F20DE4C8FF2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: random.exe, Detection: malicious, Browse Filename: random.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E...........z.....n..........n.....n......................7......L.....7......U'."..............Rich...........PE..L.....f.............................X............@.......................................@.................................<k..x....`.......................p..xg......................................................P............................text............................... ..`.rdata...g.......h..................@..@.data................h..............@....sxdata......P.......p..............@....rsrc........`.......r..............@..@.reloc...u...p...v...z..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MyTempTool\Work\DKTolz.zip

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=AES Encrypted
Category:	dropped
Size (bytes):	1344991
Entropy (8bit):	7.9998426171656325
Encrypted:	true
SSDEEP:	24576:gZY4fvMxwjEK/DepbF/480y/UZbtit+FM1YGbBLinoDceZrN97W0rxX:gC4f0xw4K/k/iYYBBM1YGtLIoTNxTF
MD5:	B4163C2AF1EBA60ECDD85C4DCBA6BEEE
SHA1:	01D8C4E1D9423427FC1CBC9DA1F441D3CEE02D47
SHA-256:	8EA3DEBBC3EEE93B37B27188477BB573EAF0868BC33ECAF27DABC5D6DF39F3B1
SHA-512:	C90F16B4E0B577941F5EFC006AFAF79FAB91FDC66C6463916E5A3ED81506EE51A73C6CB492FE12F6F4F4298421CE73D2EDFF238E145AC1F1F79A85705A057479
Malicious:	false
Reputation:	low
Preview:	PK......c.d.mZ.tBm.e...,......Unlocker.exe......AE...^....UF>w!g'.p`..W\...\H..ZH.....'4..!V.T0......&V6..[W....P:...%.....N.[-..NQ.d....g..W.F...8.:]3./..B....C......Z..rK. ....2PJ.u.w.b.<...r....n.....o.....P...I...r.a.piW...Vq...oe.E.2.I,....A.>.I..S..2.NSq.=t.>.u%:..T.....:..O2H.p.U.H.n...~H.0.Y.(.2...b.m...\|...{.>..T.Tw..\|F".<....T...B.:....p.!2..........3..D..q..).....5..h.R2..5n.......@.......\|....-kf..........._g.Z`......2&.....D....]jE.Wp_..i..'...t..+.....E..##.H..K...~.z=d.<:RTj.....c)J..\..[..y....@r..%.x..%.;<F..V..._.CWj.....).-u.......^.E....M.Y...}.m....O......L.8.wV.k..O.m.he....Q.rS.q...O..5...\}.{RcQ/.....Yh.......yR.....>7.G. ."A..L...0.Xv4..H..W...... ..\|&i..9..~k>..OM......$x...'.\.,m.w1...M#....\.7I.j;..x.wf...V...mML.....j.@......Y..;....bl../t..0.jZ....=,.&.0......KuR...o.t./.......i..C.....[....L.......E._nW5..9.....i..q...+.......3..o.wJ3...\..c*!y....`.k.w1./"...9"3........p.........r..b...jB."/..n..:p.

C:\Users\user\AppData\Local\Temp\MyTempTool\Work\NSudoLG.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	178176
Entropy (8bit):	6.44195082808804
Encrypted:	false
SSDEEP:	3072:XVLC09ymR7sITY17jR7h05cDnxngU9yInRU+Wi+StbaoJLQfo8BuA6N3ls:XT9yO7sITYNmYnbyInRU+Wi+StbaoJLR
MD5:	423129DDB24FB923F35B2DD5787B13DD
SHA1:	575E57080F33FA87A8D37953E973D20F5AD80CFD
SHA-256:	5094AD359D8CF6DC5324598605C35F68519CC5AF9C7ED5427E02A6B28121E4C7
SHA-512:	D3F904C944281E9BE9788ACEA9CD31F563C5A764E927BCDA7BAE6BEDCC6AE550C0809E49FD2CF00D9E143281D08522A4F484ACC8D90B37111E2C737E91AE21CE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: random.exe, Detection: malicious, Browse Filename: random.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........f.....................$A...........................................m.............................Rich....................PE..d.....*a.........."......v...H.................@..........................................`.................................................(........@..p.... .................. .......p.......................(... ...8...............x............................text....t.......v.................. ..`.rdata..xt.......v...z..............@..@.data...............................@....pdata....... ......................@..@.rsrc...p....@......................@..@.reloc.. ...........................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MyTempTool\Work\cecho.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	26112
Entropy (8bit):	7.672968651286905
Encrypted:	false
SSDEEP:	384:KwoPn3OgrkyDyjNKA7DY+kRKzRq92/A2Yo8SKwRS0JSqRdmMOOI1Kz+ge+u0GgfT:tofFhw9NkRKFqIA4Q0ndmMI15glZBf
MD5:	E783BC59D0ED6CFBD8891F94AE23D1B3
SHA1:	47FE9045DA4B1BE2A52D80C0B3CF790E04D29108
SHA-256:	5C1211559DDA10592CFEDD57681F18F4A702410816D36EDA95AEE6C74E3C6A47
SHA-512:	D09FC6574359A5DF8885B035A8D05C4743D58F56FEE3FFC2CC4FD7C3BEEC93C8994CD1F296B99A2F0F17B13EC7B03415912F49E13F5D1541839878F6BC498020
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: random.exe, Detection: malicious, Browse Filename: random.exe, Detection: malicious, Browse Filename: KcQriAEcni.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;..^..@...@...@.....b.@.....q.@.....#.@.v...\|.@...A.3.@.....~.@.....~.@.Rich..@.........................PE..L...[.rL.................`...........J.......P....@..........................`............@..................................Q.......P..............................................................8L..H...........................................UPX0....................................UPX1.....`.......^..................@....rsrc........P.......b..............@......................................................................................................................................................................................................................................................................................................................................................................................................3.04.UPX!....

C:\Users\user\AppData\Local\Temp\MyTempTool\Work\nircmd.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	119808
Entropy (8bit):	6.207959191525698
Encrypted:	false
SSDEEP:	3072:oG0tOQJC9TPafQy26RAA3hh5Tgr559MJZpOSDUDyjHHKHlLz1Ms/b:2OQJC9uICA11l1MYb
MD5:	4A9DA765FD91E80DECFD2C9FE221E842
SHA1:	6F763FBD2B37B2CE76A8E874B05A8075F48D1171
SHA-256:	2E81E048AB419FDC6E5F4336A951BD282ED6B740048DC38D7673678EE3490CDA
SHA-512:	4716E598E4B930A0EC89F4D826AFAA3DADE22CF002111340BC253A618231E88F2F5247F918F993ED15B8CE0E3A97D6838C12B17616913E48334EE9B713C1957A
Malicious:	false
Yara Hits:	Rule: JoeSecurity_NirCmd, Description: Yara detected NirCmd tool, Source: C:\Users\user\AppData\Local\Temp\MyTempTool\Work\nircmd.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Joe Sandbox View:	Filename: RAT.bin.exe, Detection: malicious, Browse Filename: random.exe, Detection: malicious, Browse Filename: random.exe, Detection: malicious, Browse Filename: lcc333.exe, Detection: malicious, Browse Filename: lcc333.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............c.X.c.X.c.X...X.c.X...X.c.X...X.c.X...X.c.X...X.c.X...X.c.X.c.X.b.X...X.c.X...X.c.X...X.c.XRich.c.X........................PE..d.....'f..........#......R...~......P\.........@....................................;...................................................................8............................w...............................................p..X............................text...#P.......R.................. ..`.rdata...^...p...`...V..............@..@.data...............................@....pdata..............................@..@.rsrc...8...........................@..@........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\557ec7.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: BatchInstallerFinal, Author: YourCompany, Keywords: Installer, Comments: This installer database contains the logic and data required to install BatchInstallerFinal., Template: Intel;1033, Revision Number: {2FEBEFEC-3D15-443D-856A-ECF4E5D1E024}, Create Time/Date: Mon Apr 7 05:00:24 2025, Last Saved Time/Date: Mon Apr 7 05:00:24 2025, Number of Pages: 500, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
Category:	dropped
Size (bytes):	2027520
Entropy (8bit):	7.9889120315906545
Encrypted:	false
SSDEEP:	49152:D3+c1etIfBu4IsWY1iEMx5YrM9MHYYtL+GeOxc:qcEI5dTddSYr4MHHLNeEc
MD5:	D7661A891807B6508EDAB51E1CB60B25
SHA1:	AE6EA41A17DDD2995836AB9279207A5B444D539A
SHA-256:	9395AD01AFDD8D4A4B6DFF33BF6E82E502D765F0A63315A88A97BA4279DCBB16
SHA-512:	B909887ACEBBA72A4F5F1516A51F64B9676FA77FAA39B86283B639C7115E081D37758246B3F9D4BFAEE726E3174D71154235DA097B55EBBE943D942EC03883E4
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\557ec9.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: BatchInstallerFinal, Author: YourCompany, Keywords: Installer, Comments: This installer database contains the logic and data required to install BatchInstallerFinal., Template: Intel;1033, Revision Number: {2FEBEFEC-3D15-443D-856A-ECF4E5D1E024}, Create Time/Date: Mon Apr 7 05:00:24 2025, Last Saved Time/Date: Mon Apr 7 05:00:24 2025, Number of Pages: 500, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
Category:	dropped
Size (bytes):	2027520
Entropy (8bit):	7.9889120315906545
Encrypted:	false
SSDEEP:	49152:D3+c1etIfBu4IsWY1iEMx5YrM9MHYYtL+GeOxc:qcEI5dTddSYr4MHHLNeEc
MD5:	D7661A891807B6508EDAB51E1CB60B25
SHA1:	AE6EA41A17DDD2995836AB9279207A5B444D539A
SHA-256:	9395AD01AFDD8D4A4B6DFF33BF6E82E502D765F0A63315A88A97BA4279DCBB16
SHA-512:	B909887ACEBBA72A4F5F1516A51F64B9676FA77FAA39B86283B639C7115E081D37758246B3F9D4BFAEE726E3174D71154235DA097B55EBBE943D942EC03883E4
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI7FE0.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	2797
Entropy (8bit):	5.655558104432254
Encrypted:	false
SSDEEP:	48:FlS1ciSSEN+Nt0jNhFNihP30NBkW7amU9NLNBlIIZ76eUd2nbqjJEVltbGs:FSGCYhvihkBHu3BBXmerbAJEP1/
MD5:	4BF0156600435AA4F229582ABDBBEA11
SHA1:	33C6160FAD96E01820B67CA2277A7A5BAADB4791
SHA-256:	BA03B97074916C6320DA08ED0628AB3767DECA0FE41EEFFDEF6F38F86C17385A
SHA-512:	DBAC4EDA2AEB789EE32DD56F1EFB863BC927077C657B5C98D0031395132AAC9E2C0F05A7CDC24899DD769BBC499376059CC93914600F5C8FD243B64D972FC6BC
Malicious:	false
Preview:	...@IXOS.@.....@...Z.@.....@.....@.....@.....@.....@......&.{90C11C8A-AD21-4E7E-BDFA-BD9C724A6087}..BatchInstallerFinal0.SecuriteInfo.com.PUA.Tool.NirCmd.4.6339.9293.msi.@.....@.....@.....@........&.{2FEBEFEC-3D15-443D-856A-ECF4E5D1E024}.....@.....@.....@.....@.......@.....@.....@.......@......BatchInstallerFinal......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........RunBatch....J...RunBatch.@....-.C:\Users\user\AppData\Local\Temp\MyTempTool\d."C:\Windows\SysWOW64\cmd.exe" /c start "" /min "C:\Users\user\AppData\Local\Temp\MyTempTool\24.bat"....ProcessComponents..Updating component registration.....@.....@.....@.]....&.{6EC2C8CD-1C41-4D4A-BDF5-9C437360A5D9}3.C:\Users\user\AppData\Local\Temp\MyTempTool\24.bat.@.......@.....@.....@......&.{D5BCE95B-D33B-4A96-9678-5FDDE88152CE}8.C:\Users\user\AppData\Local\Temp\MyTempTool\Work\7z.exe.@.......@.....@.....@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size:

C:\Windows\Installer\SourceHash{90C11C8A-AD21-4E7E-BDFA-BD9C724A6087}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1917295712352736
Encrypted:	false
SSDEEP:	12:JSbX72Fj4XAlfLIlHmRprh+7777777777777777777777777ZDHFVsBcului8jUz:JUUIYKSzuFhF
MD5:	49F861F1A40BE8D1B1D0C71742FC85E4
SHA1:	B2E0D66F94553FA9C941A293146CF575EC94ECE5
SHA-256:	6E5350720EB1A175FE1B76E1AC9CB3BC3EA7AB25CBE24140A91F2DE0A084BBC3
SHA-512:	1572DEFA2DD4103DCB354B454407E0CBB93C90E50177397E9FE6E6726C03A158C1746BBEB6A661BBF87C8058C9544A62308EF73D62F6F3B002B5A67BCB25A8F8
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5510318616429448
Encrypted:	false
SSDEEP:	48:S+8PhzuRc06WX4wnT5gpHV7gB4m9LqN9LNS5oErg9LqN9LNSITSq:Sxhz1AnTk+7ONhONq
MD5:	ADAE87DDFE012E6A5DBF992263C2F22D
SHA1:	BF5C7546BC7DCC9368F14CAADC5BCD08DF265A6F
SHA-256:	17411A784C08A237A4FD86A662C9C0A22B338EBEEA17DF66FF999DDB70159250
SHA-512:	3F3F2B1D2C594BCCE14006BC2E660BFE9766F4E3BE434921633BECDCB72E2D064D9F62357BDB14DEAEF44652E730E78455C10A1AA9A441222C6AB4D7CB53FC50
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	432221
Entropy (8bit):	5.375180433208739
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauy:zTtbmkExhMJCIpErH
MD5:	13B149EA8AD17EF7924FA1D4C9DA2036
SHA1:	BED882170CE2B5DE4E851A59C825D8C836EB1C13
SHA-256:	2A9BC47121BE96FE367333418A29FD418C5E197F960712D7CD2E809F95CAC76C
SHA-512:	A60606C1F36D5A27583B6E3F95AF3DD5D7489015AA921DF252BCCC589E412F7903371EF4E0DF9FF9B1BEC7437E7D6144B19460C6E22DC932C5B5912C2968A741
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF16966A50DFB3C57B.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF1D7C6EB6FB9C7E36.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF1F68E91BE27C2D2C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF30851EB4A2E12E40.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.242726112657023
Encrypted:	false
SSDEEP:	48:EQrufM+xFX4XT511pHV7gB4m9LqN9LNS5oErg9LqN9LNSITSq:dry0TJ+7ONhONq
MD5:	1654463D160ABC82E3018875CF4FE111
SHA1:	D190A1D341D24D3F450D76BA6DC498E778D5416C
SHA-256:	10B944189A6B7E210DDB7E44362967025D2014C5EAF37A83301A7472D8B325CC
SHA-512:	79B68B0485BB15C79FDFCF671C1AE3CEC601D51170731F7742F91BB62DDB48DF7BB47B21B483CECF7E018A85A5B8720D922DD26122A878AA5ED71598FCC496FB
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF45D8B367B42734F3.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.242726112657023
Encrypted:	false
SSDEEP:	48:EQrufM+xFX4XT511pHV7gB4m9LqN9LNS5oErg9LqN9LNSITSq:dry0TJ+7ONhONq
MD5:	1654463D160ABC82E3018875CF4FE111
SHA1:	D190A1D341D24D3F450D76BA6DC498E778D5416C
SHA-256:	10B944189A6B7E210DDB7E44362967025D2014C5EAF37A83301A7472D8B325CC
SHA-512:	79B68B0485BB15C79FDFCF671C1AE3CEC601D51170731F7742F91BB62DDB48DF7BB47B21B483CECF7E018A85A5B8720D922DD26122A878AA5ED71598FCC496FB
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5884D3248E265D9B.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5510318616429448
Encrypted:	false
SSDEEP:	48:S+8PhzuRc06WX4wnT5gpHV7gB4m9LqN9LNS5oErg9LqN9LNSITSq:Sxhz1AnTk+7ONhONq
MD5:	ADAE87DDFE012E6A5DBF992263C2F22D
SHA1:	BF5C7546BC7DCC9368F14CAADC5BCD08DF265A6F
SHA-256:	17411A784C08A237A4FD86A662C9C0A22B338EBEEA17DF66FF999DDB70159250
SHA-512:	3F3F2B1D2C594BCCE14006BC2E660BFE9766F4E3BE434921633BECDCB72E2D064D9F62357BDB14DEAEF44652E730E78455C10A1AA9A441222C6AB4D7CB53FC50
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF5C9AAEB70EEA19D5.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFAAE96159BD8AC062.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.08583243503479025
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOVwDHBy2rQ+YCWstIVky6lU:2F0i8n0itFzDHFVsBc0U
MD5:	3BB470F049375B3A744E7F43C2B5C610
SHA1:	CA316D4AA05C3532C6EDAC3685E929002002E8EF
SHA-256:	2E38337A5A39C090A9A0D85BD0ADA527AEB7C5D30197D1DF75AB2DB7A1750C0F
SHA-512:	E6AD5A7B62667529E3FE107471DA55668058C909496AB97868127F8ADC771D181FA9DB3F9ACBE3A356387DF54295A894B84E7DCAE6EF7FF65F69400480DB9689
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFAEE8D1BCBCF99326.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.5510318616429448
Encrypted:	false
SSDEEP:	48:S+8PhzuRc06WX4wnT5gpHV7gB4m9LqN9LNS5oErg9LqN9LNSITSq:Sxhz1AnTk+7ONhONq
MD5:	ADAE87DDFE012E6A5DBF992263C2F22D
SHA1:	BF5C7546BC7DCC9368F14CAADC5BCD08DF265A6F
SHA-256:	17411A784C08A237A4FD86A662C9C0A22B338EBEEA17DF66FF999DDB70159250
SHA-512:	3F3F2B1D2C594BCCE14006BC2E660BFE9766F4E3BE434921633BECDCB72E2D064D9F62357BDB14DEAEF44652E730E78455C10A1AA9A441222C6AB4D7CB53FC50
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFB992966D07C96236.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFDCFBD2CB60535132.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	0.1381808274402744
Encrypted:	false
SSDEEP:	48:KbgTJ9LqN9LNSK9LqN9LNS5oErSZgBQpHV:c0ONxONv+
MD5:	1D0A6519E2C177CFB4F9D87683829658
SHA1:	4D4A1905143DDEC60031630FD38F5AE9266675C6
SHA-256:	2D4D89A436E56B0ABA4423E3610F88471CDA7390A3372227F21F70A265BEABB8
SHA-512:	59BB336558EDC10A4B11738EA9C933A7F25C9DAD9DB0E79E4AEE2C35E9D9D16F83DEF7906DEF8922DFB06A585468361D5ABC4509A1467C736916BF9634538F25
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE70C173D3E8107F6.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.242726112657023
Encrypted:	false
SSDEEP:	48:EQrufM+xFX4XT511pHV7gB4m9LqN9LNS5oErg9LqN9LNSITSq:dry0TJ+7ONhONq
MD5:	1654463D160ABC82E3018875CF4FE111
SHA1:	D190A1D341D24D3F450D76BA6DC498E778D5416C
SHA-256:	10B944189A6B7E210DDB7E44362967025D2014C5EAF37A83301A7472D8B325CC
SHA-512:	79B68B0485BB15C79FDFCF671C1AE3CEC601D51170731F7742F91BB62DDB48DF7BB47B21B483CECF7E018A85A5B8720D922DD26122A878AA5ED71598FCC496FB
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: BatchInstallerFinal, Author: YourCompany, Keywords: Installer, Comments: This installer database contains the logic and data required to install BatchInstallerFinal., Template: Intel;1033, Revision Number: {2FEBEFEC-3D15-443D-856A-ECF4E5D1E024}, Create Time/Date: Mon Apr 7 05:00:24 2025, Last Saved Time/Date: Mon Apr 7 05:00:24 2025, Number of Pages: 500, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
Entropy (8bit):	7.9889120315906545
TrID:	Microsoft Windows Installer (60509/1) 88.31% Generic OLE2 / Multistream Compound File (8008/1) 11.69%
File name:	SecuriteInfo.com.PUA.Tool.NirCmd.4.6339.9293.msi
File size:	2'027'520 bytes
MD5:	d7661a891807b6508edab51e1cb60b25
SHA1:	ae6ea41a17ddd2995836ab9279207a5b444d539a
SHA256:	9395ad01afdd8d4a4b6dff33bf6e82e502d765f0a63315a88a97ba4279dcbb16
SHA512:	b909887acebba72a4f5f1516a51f64b9676fa77faa39b86283b639c7115e081d37758246b3f9d4bfaee726e3174d71154235da097b55ebbe943d942ec03883e4
SSDEEP:	49152:D3+c1etIfBu4IsWY1iEMx5YrM9MHYYtL+GeOxc:qcEI5dTddSYr4MHHLNeEc
TLSH:	3F95335D79C0A5B8EA467B3F1C0A97A207F5CCB12F799022AD1432B58332AF16239D75
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Network Behavior

⊘No network behavior found

Statistics

Click to jump to process

Memory Usage

• msiexec.exe
• msiexec.exe

Click to jump to process

Behavior

• msiexec.exe
• msiexec.exe

Click to jump to process

System Behavior

Analysis Process: msiexec.exePID: 7736, Parent PID: 3964

Function Logs

General

Target ID:	0
Start time:	03:47:09
Start date:	13/04/2025
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.PUA.Tool.NirCmd.4.6339.9293.msi"
Imagebase:	0x7ff6fe4f0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

File Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Show Windows behavior

Process Token Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: msiexec.exePID: 7768, Parent PID: 632

Function Logs

General

Target ID:	1
Start time:	03:47:09
Start date:	13/04/2025
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff6fe4f0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

File Activities

File Opened

File Written

File Read

File Attributes Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Created

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Process Token Activities

Token Adjusted

Show Windows behavior

Object Security Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.PUA.Tool.NirCmd.4.6339.9293.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\557ec8.rbs

C:\Users\user\AppData\Local\Temp\MyTempTool\24.bat

C:\Users\user\AppData\Local\Temp\MyTempTool\Work\7z.exe

C:\Users\user\AppData\Local\Temp\MyTempTool\Work\DKTolz.zip

C:\Users\user\AppData\Local\Temp\MyTempTool\Work\NSudoLG.exe

C:\Users\user\AppData\Local\Temp\MyTempTool\Work\cecho.exe

C:\Users\user\AppData\Local\Temp\MyTempTool\Work\nircmd.exe

C:\Windows\Installer\557ec7.msi

C:\Windows\Installer\557ec9.msi

C:\Windows\Installer\MSI7FE0.tmp

C:\Windows\Installer\SourceHash{90C11C8A-AD21-4E7E-BDFA-BD9C724A6087}

C:\Windows\Installer\inprogressinstallinfo.ipi

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

C:\Windows\Temp\~DF16966A50DFB3C57B.TMP

C:\Windows\Temp\~DF1D7C6EB6FB9C7E36.TMP

C:\Windows\Temp\~DF1F68E91BE27C2D2C.TMP

C:\Windows\Temp\~DF30851EB4A2E12E40.TMP

C:\Windows\Temp\~DF45D8B367B42734F3.TMP

C:\Windows\Temp\~DF5884D3248E265D9B.TMP

C:\Windows\Temp\~DF5C9AAEB70EEA19D5.TMP

C:\Windows\Temp\~DFAAE96159BD8AC062.TMP

C:\Windows\Temp\~DFAEE8D1BCBCF99326.TMP

C:\Windows\Temp\~DFB992966D07C96236.TMP

Windows Analysis Report
SecuriteInfo.com.PUA.Tool.NirCmd.4.6339.9293.msi