Edit tour

Windows Analysis Report
TradingStationPublisher.msi

Overview

General Information

Sample name:	TradingStationPublisher.msi
Analysis ID:	1502153
MD5:	a0b0622ca3973228b148e5f246080b63
SHA1:	a57b550318880f3a61e172b0b7663bcdb57a23c1
SHA256:	2e1e0f1e3633c8cd7bc11fc6574a93f0e7dbd76a3fa6ef2027ecdf0c03c90db2
Tags:	msi
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Adds / modifies Windows certificates

Checks for available system drives (often done to infect USB drives)

Creates files inside the system directory

Deletes files inside the Windows folder

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 7496 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\TradingStationPublisher.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7548 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7596 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D01A3FF5829F0F5B771FA5AB009E87F8 C MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 8148 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding B3CFD1C5B1A07D95A7F37C5DD98B4186 MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\Trading_Station_Publisher.exe	ReversingLabs: Detection: 18%
Source: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\Trading_Station_Publisher.exe	Virustotal: Detection: 30%			Perma Link

Multi AV Scanner detection for submitted file

Source: TradingStationPublisher.msi	ReversingLabs: Detection: 15%
Source: TradingStationPublisher.msi	Virustotal: Detection: 15%			Perma Link

Source:	Binary string: d:\jenkins\jobs\forexconnect_api-1.3_win32_build\workspace\3rd_party\log4cplus\bin\win32\log4cplus.pdb source: log4cplus.dll.1.dr
Source:	Binary string: e:\jenkins\jobs\forexconnect_api_win32_build\workspace\fxcm_src\tiramisu\vendors\rtmp\cpp\fxcmrtmp\bin\win32\fxcmrtmp.pdb source: fxcmrtmp.dll.1.dr
Source:	Binary string: E:\sberkovsky\openssl\out32dll\gsssleay32.pdb source: gsssleay32.dll.1.dr
Source:	Binary string: e:\jenkins\jobs\forexconnect_api_win32_build\workspace\candleworks\windowstradingapplications\order2go2\cpp\bin\win32\Order2Go2.pdb source: Order2Go2.dll.1.dr
Source:	Binary string: d:\jenkins\jobs\forexconnect_api-1.3_win32_build\workspace\3rd_party\gehtsoft\gstool3\bin\win32\gstool3.pdb source: gstool3.dll.1.dr
Source:	Binary string: d:\jenkins\jobs\forexconnect_api-1.3_win32_build\workspace\candleworks\windowstradingapplications\order2go2\cpp\bin\win32\ForexConnect.pdb source: ForexConnect.dll.1.dr
Source:	Binary string: d:\o2g2_build\20110923\3rd_party\gehtsoft\gstool2\bin\gstool2.pdb source: gstool2.dll.1.dr
Source:	Binary string: d:\jenkins\jobs\forexconnect_api-1.3_win32_build\workspace\3rd_party\expat\bin\win32\gsexpat.pdb source: gsexpat.dll.1.dr
Source:	Binary string: d:\jenkins\jobs\forexconnect_api-1.3_win32_build\workspace\fxcm_src\tiramisu\messaging\cpp\fxtp\bin\win32\fxtp.pdb source: fxtp.dll.1.dr
Source:	Binary string: msvcr80.i386.pdb source: msvcr80.dll.1.dr
Source:	Binary string: d:\jenkins\jobs\forexconnect_api-1.3_win32_build\workspace\candleworks\windowstradingapplications\order2go2\net\bin\dotnet20\win32\fxcore2.pdb source: fxcore2.dll.1.dr
Source:	Binary string: d:\jenkins\jobs\ForexConnect_API-1.3_Win32_build\workspace\FXCM_SRC\Tiramisu\vendors\fxcm\pdas\cpp\pdas\bin\Win32\pdas.pdb source: pdas.dll.1.dr
Source:	Binary string: d:\jenkins\jobs\forexconnect_api-1.3_win32_build\workspace\candleworks\windowstradingapplications\order2go2\net\bin\dotnet20\win32\fxcore2.pdb0 source: fxcore2.dll.1.dr
Source:	Binary string: e:\jenkins\jobs\forexconnect_api_win32_build\workspace\fxcm_src\tiramisu\vendors\rtmp\cpp\rtmptp\bin\win32\rtmptp.pdb source: rtmptp.dll.1.dr
Source:	Binary string: d:\jenkins\jobs\forexconnect_api-1.3_win32_build\workspace\3rd_party\gehtsoft\httplibrary\bin\win32\httplib.pdbP source: httplib.dll.1.dr
Source:	Binary string: d:\jenkins\jobs\forexconnect_api-1.3_win32_build\workspace\3rd_party\gehtsoft\gstool3\bin\win32\gstool3.pdbp source: gstool3.dll.1.dr
Source:	Binary string: e:\jenkins\jobs\forexconnect_api_win32_build\workspace\candleworks\windowstradingapplications\order2go2\cpp\bin\win32\Order2Go2.pdbd source: Order2Go2.dll.1.dr
Source:	Binary string: d:\jenkins\jobs\forexconnect_api-1.3_win32_build\workspace\fxcm_src\tiramisu\messaging\cpp\fxmsg\bin\win32\fxmsg.pdb source: fxmsg.dll.1.dr
Source:	Binary string: E:\sberkovsky\openssl\out32dll\gslibeay32.pdb source: gslibeay32.dll.1.dr
Source:	Binary string: e:\Jenkins\jobs\ForexConnect_API_Win32_build\workspace\FXCM_SRC\Tiramisu\vendors\rtmp\cpp\logger\bin\Win32\fxcmlogger.pdb source: fxcmlogger.dll.1.dr
Source:	Binary string: e:\Jenkins\jobs\ForexConnect_API_Win32_build\workspace\FXCM_SRC\Tiramisu\vendors\rtmp\cpp\logger\bin\Win32\fxcmlogger.pdbM* source: fxcmlogger.dll.1.dr
Source:	Binary string: D:\projects\FXCMPublisher\obj\Debug\Trading_Station_Publisher.pdb source: Trading_Station_Publisher.exe.1.dr
Source:	Binary string: E:\sberkovsky\openssl\out32dll\gslibeay32.pdb source: gslibeay32.dll.1.dr
Source:	Binary string: msvcp80.i386.pdb source: msvcp80.dll.1.dr
Source:	Binary string: d:\jenkins\jobs\forexconnect_api-1.3_win32_build\workspace\3rd_party\gehtsoft\httplibrary\bin\win32\httplib.pdb source: httplib.dll.1.dr
Source:	Binary string: F:\gx\VS\out\binaries\x86ret\bin\i386\DPCA.pdb source: TradingStationPublisher.msi, 685ada.msi.1.dr, MSI4801.tmp.0.dr, 685ad8.msi.1.dr, MSI5C10.tmp.1.dr, MSI5C5F.tmp.1.dr, MSI47A2.tmp.0.dr
Source:	Binary string: d:\jenkins\jobs\ForexConnect_API-1.3_Win32_build\workspace\3rd_party\zlib\bin\Win32\gszlib.pdb source: gszlib.dll.1.dr
Source:	Binary string: F:\gx\VS\out\binaries\x86ret\bin\i386\DPCA.pdb? source: TradingStationPublisher.msi, 685ada.msi.1.dr, MSI4801.tmp.0.dr, 685ad8.msi.1.dr, MSI5C10.tmp.1.dr, MSI5C5F.tmp.1.dr, MSI47A2.tmp.0.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Installer	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Installer\{C9F0231D-7C82-4D3D-BC5C-98FDA809C5AA}	Jump to behavior

Source: TradingStationPublisher.msi, 685ada.msi.1.dr, 685ad8.msi.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: TradingStationPublisher.msi, 685ada.msi.1.dr, 685ad8.msi.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: TradingStationPublisher.msi, 685ada.msi.1.dr, 685ad8.msi.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: TradingStationPublisher.msi, 685ada.msi.1.dr, 685ad8.msi.1.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: TradingStationPublisher.msi, 685ada.msi.1.dr, 685ad8.msi.1.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSAExtendedValidationCodeSigningCA.crl0
Source: TradingStationPublisher.msi, 685ada.msi.1.dr, 685ad8.msi.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: TradingStationPublisher.msi, 685ada.msi.1.dr, 685ad8.msi.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: TradingStationPublisher.msi, 685ada.msi.1.dr, 685ad8.msi.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: TradingStationPublisher.msi, 685ada.msi.1.dr, 685ad8.msi.1.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: TradingStationPublisher.msi, 685ada.msi.1.dr, 685ad8.msi.1.dr	String found in binary or memory: http://ocsp.comodoca.com0:
Source: TradingStationPublisher.msi, 685ada.msi.1.dr, 685ad8.msi.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: TradingStationPublisher.msi, 685ada.msi.1.dr, 685ad8.msi.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: TradingStationPublisher.msi, 685ada.msi.1.dr, 685ad8.msi.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Trading_Station_Publisher.exe.1.dr	String found in binary or memory: http://www.fxcorporate.com
Source: Trading_Station_Publisher.exe.1.dr	String found in binary or memory: http://www.fxcorporate.com7http://dbfx.fxcorporate.com
Source: Trading_Station_Publisher.exe.1.dr	String found in binary or memory: http://www.myfxbook.com/help/trading-station-publisher-wizard
Source: Trading_Station_Publisher.exe.1.dr	String found in binary or memory: http://www.myfxbook.com/help/trading-station-publisher-wizard.html
Source: gslibeay32.dll.1.dr, gsssleay32.dll.1.dr	String found in binary or memory: http://www.openssl.org/V
Source: gslibeay32.dll.1.dr	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: gslibeay32.dll.1.dr	String found in binary or memory: http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEprng
Source: gstool3.dll.1.dr	String found in binary or memory: http://www.unicode.org/cldr/)
Source: gszlib.dll.1.dr	String found in binary or memory: http://www.zlib.net/D
Source: TradingStationPublisher.msi, 685ada.msi.1.dr, 685ad8.msi.1.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: TradingStationPublisher.msi, 685ada.msi.1.dr, 685ad8.msi.1.dr	String found in binary or memory: https://secure.comodo.com/CPS0L
Source: Trading_Station_Publisher.exe.1.dr	String found in binary or memory: https://upload1.myfxbook.com/fxcm-upload.html?

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\685ad8.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5C10.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5C5F.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{C9F0231D-7C82-4D3D-BC5C-98FDA809C5AA}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5CBE.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\685ada.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\685ada.msi	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI5C10.tmp

Jump to behavior

Source: TradingStationPublisher.msi

Binary or memory string: OriginalFilenameDPCA.DLLT vs TradingStationPublisher.msi

Source: Trading_Station_Publisher.exe.1.dr, tripple.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Trading_Station_Publisher.exe.1.dr, tripple.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'

Source: classification engine

Classification label: mal56.winMSI@6/54@0/0

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\Myfxbook Ltd

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CML5D0A.tmp

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSI47A2.tmp

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: TradingStationPublisher.msi	ReversingLabs: Detection: 15%
Source: TradingStationPublisher.msi	Virustotal: Detection: 15%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\TradingStationPublisher.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D01A3FF5829F0F5B771FA5AB009E87F8 C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B3CFD1C5B1A07D95A7F37C5DD98B4186
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D01A3FF5829F0F5B771FA5AB009E87F8 C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B3CFD1C5B1A07D95A7F37C5DD98B4186	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior

Source: Trading Station Publisher.lnk.1.dr	LNK file: ..\AppData\Roaming\Microsoft\Installer\{C9F0231D-7C82-4D3D-BC5C-98FDA809C5AA}\_D7ED1792E3BE1F33D0BDF7.exe
Source: Trading Station Publisher.lnk0.1.dr	LNK file: ..\..\..\Installer\{C9F0231D-7C82-4D3D-BC5C-98FDA809C5AA}\_BB9EECDA4E810BDECD5258.exe

Source: C:\Windows\System32\msiexec.exe	Automated click: Next >
Source: C:\Windows\System32\msiexec.exe	Automated click: Next >
Source: C:\Windows\System32\msiexec.exe	Automated click: Next >

Source: TradingStationPublisher.msi

Static file information: File size 2931712 > 1048576

Source:	Binary string: d:\jenkins\jobs\forexconnect_api-1.3_win32_build\workspace\3rd_party\log4cplus\bin\win32\log4cplus.pdb source: log4cplus.dll.1.dr
Source:	Binary string: e:\jenkins\jobs\forexconnect_api_win32_build\workspace\fxcm_src\tiramisu\vendors\rtmp\cpp\fxcmrtmp\bin\win32\fxcmrtmp.pdb source: fxcmrtmp.dll.1.dr
Source:	Binary string: E:\sberkovsky\openssl\out32dll\gsssleay32.pdb source: gsssleay32.dll.1.dr
Source:	Binary string: e:\jenkins\jobs\forexconnect_api_win32_build\workspace\candleworks\windowstradingapplications\order2go2\cpp\bin\win32\Order2Go2.pdb source: Order2Go2.dll.1.dr
Source:	Binary string: d:\jenkins\jobs\forexconnect_api-1.3_win32_build\workspace\3rd_party\gehtsoft\gstool3\bin\win32\gstool3.pdb source: gstool3.dll.1.dr
Source:	Binary string: d:\jenkins\jobs\forexconnect_api-1.3_win32_build\workspace\candleworks\windowstradingapplications\order2go2\cpp\bin\win32\ForexConnect.pdb source: ForexConnect.dll.1.dr
Source:	Binary string: d:\o2g2_build\20110923\3rd_party\gehtsoft\gstool2\bin\gstool2.pdb source: gstool2.dll.1.dr
Source:	Binary string: d:\jenkins\jobs\forexconnect_api-1.3_win32_build\workspace\3rd_party\expat\bin\win32\gsexpat.pdb source: gsexpat.dll.1.dr
Source:	Binary string: d:\jenkins\jobs\forexconnect_api-1.3_win32_build\workspace\fxcm_src\tiramisu\messaging\cpp\fxtp\bin\win32\fxtp.pdb source: fxtp.dll.1.dr
Source:	Binary string: msvcr80.i386.pdb source: msvcr80.dll.1.dr
Source:	Binary string: d:\jenkins\jobs\forexconnect_api-1.3_win32_build\workspace\candleworks\windowstradingapplications\order2go2\net\bin\dotnet20\win32\fxcore2.pdb source: fxcore2.dll.1.dr
Source:	Binary string: d:\jenkins\jobs\ForexConnect_API-1.3_Win32_build\workspace\FXCM_SRC\Tiramisu\vendors\fxcm\pdas\cpp\pdas\bin\Win32\pdas.pdb source: pdas.dll.1.dr
Source:	Binary string: d:\jenkins\jobs\forexconnect_api-1.3_win32_build\workspace\candleworks\windowstradingapplications\order2go2\net\bin\dotnet20\win32\fxcore2.pdb0 source: fxcore2.dll.1.dr
Source:	Binary string: e:\jenkins\jobs\forexconnect_api_win32_build\workspace\fxcm_src\tiramisu\vendors\rtmp\cpp\rtmptp\bin\win32\rtmptp.pdb source: rtmptp.dll.1.dr
Source:	Binary string: d:\jenkins\jobs\forexconnect_api-1.3_win32_build\workspace\3rd_party\gehtsoft\httplibrary\bin\win32\httplib.pdbP source: httplib.dll.1.dr
Source:	Binary string: d:\jenkins\jobs\forexconnect_api-1.3_win32_build\workspace\3rd_party\gehtsoft\gstool3\bin\win32\gstool3.pdbp source: gstool3.dll.1.dr
Source:	Binary string: e:\jenkins\jobs\forexconnect_api_win32_build\workspace\candleworks\windowstradingapplications\order2go2\cpp\bin\win32\Order2Go2.pdbd source: Order2Go2.dll.1.dr
Source:	Binary string: d:\jenkins\jobs\forexconnect_api-1.3_win32_build\workspace\fxcm_src\tiramisu\messaging\cpp\fxmsg\bin\win32\fxmsg.pdb source: fxmsg.dll.1.dr
Source:	Binary string: E:\sberkovsky\openssl\out32dll\gslibeay32.pdb source: gslibeay32.dll.1.dr
Source:	Binary string: e:\Jenkins\jobs\ForexConnect_API_Win32_build\workspace\FXCM_SRC\Tiramisu\vendors\rtmp\cpp\logger\bin\Win32\fxcmlogger.pdb source: fxcmlogger.dll.1.dr
Source:	Binary string: e:\Jenkins\jobs\ForexConnect_API_Win32_build\workspace\FXCM_SRC\Tiramisu\vendors\rtmp\cpp\logger\bin\Win32\fxcmlogger.pdbM* source: fxcmlogger.dll.1.dr
Source:	Binary string: D:\projects\FXCMPublisher\obj\Debug\Trading_Station_Publisher.pdb source: Trading_Station_Publisher.exe.1.dr
Source:	Binary string: E:\sberkovsky\openssl\out32dll\gslibeay32.pdb source: gslibeay32.dll.1.dr
Source:	Binary string: msvcp80.i386.pdb source: msvcp80.dll.1.dr
Source:	Binary string: d:\jenkins\jobs\forexconnect_api-1.3_win32_build\workspace\3rd_party\gehtsoft\httplibrary\bin\win32\httplib.pdb source: httplib.dll.1.dr
Source:	Binary string: F:\gx\VS\out\binaries\x86ret\bin\i386\DPCA.pdb source: TradingStationPublisher.msi, 685ada.msi.1.dr, MSI4801.tmp.0.dr, 685ad8.msi.1.dr, MSI5C10.tmp.1.dr, MSI5C5F.tmp.1.dr, MSI47A2.tmp.0.dr
Source:	Binary string: d:\jenkins\jobs\ForexConnect_API-1.3_Win32_build\workspace\3rd_party\zlib\bin\Win32\gszlib.pdb source: gszlib.dll.1.dr
Source:	Binary string: F:\gx\VS\out\binaries\x86ret\bin\i386\DPCA.pdb? source: TradingStationPublisher.msi, 685ada.msi.1.dr, MSI4801.tmp.0.dr, 685ad8.msi.1.dr, MSI5C10.tmp.1.dr, MSI5C5F.tmp.1.dr, MSI47A2.tmp.0.dr

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\fxcore2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\Order2Go2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\Trading_Station_Publisher.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\fxcmlogger.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gstool3.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gslibeay32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\rtmptp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI47A2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\fxmsg.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSI4801.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\fxtp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5C5F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\ForexConnect.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\pdas.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gsexpat.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\log4cplus.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gsssleay32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\msvcp80.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5C10.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gstool2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\fxcmrtmp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gszlib.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\httplib.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\msvcr80.dll	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5C5F.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5C10.tmp			Jump to dropped file

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Trading Station Publisher.lnk

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\Order2Go2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\fxcore2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\Trading_Station_Publisher.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\fxcmlogger.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gstool3.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gslibeay32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI47A2.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\rtmptp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\fxmsg.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI4801.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\fxtp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI5C5F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\ForexConnect.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\pdas.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gsexpat.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\log4cplus.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gsssleay32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\msvcp80.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI5C10.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\fxcmrtmp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gstool2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gszlib.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\httplib.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\msvcr80.dll	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Installer	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Installer\{C9F0231D-7C82-4D3D-BC5C-98FDA809C5AA}	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	22 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Process Injection	Security Account Manager	11 Peripheral Device Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
TradingStationPublisher.msi	16%	ReversingLabs
TradingStationPublisher.msi	15%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\ForexConnect.dll	0%	ReversingLabs
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\ForexConnect.dll	0%	Virustotal	Browse
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\Order2Go2.dll	0%	ReversingLabs
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\Order2Go2.dll	0%	Virustotal	Browse
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\Trading_Station_Publisher.exe	18%	ReversingLabs
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\Trading_Station_Publisher.exe	30%	Virustotal	Browse
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\fxcmlogger.dll	0%	ReversingLabs
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\fxcmlogger.dll	0%	Virustotal	Browse
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\fxcmrtmp.dll	0%	ReversingLabs
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\fxcmrtmp.dll	0%	Virustotal	Browse
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\fxcore2.dll	3%	ReversingLabs
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\fxcore2.dll	0%	Virustotal	Browse
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\fxmsg.dll	0%	ReversingLabs
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\fxmsg.dll	0%	Virustotal	Browse
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\fxtp.dll	0%	ReversingLabs
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\fxtp.dll	0%	Virustotal	Browse
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gsexpat.dll	0%	ReversingLabs
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gsexpat.dll	0%	Virustotal	Browse
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gslibeay32.dll	0%	ReversingLabs
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gslibeay32.dll	0%	Virustotal	Browse
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gsssleay32.dll	0%	ReversingLabs
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gsssleay32.dll	0%	Virustotal	Browse
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gstool2.dll	0%	ReversingLabs
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gstool2.dll	0%	Virustotal	Browse
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gstool3.dll	0%	ReversingLabs
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gstool3.dll	1%	Virustotal	Browse
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gszlib.dll	0%	ReversingLabs
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gszlib.dll	0%	Virustotal	Browse
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\httplib.dll	0%	ReversingLabs
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\httplib.dll	0%	Virustotal	Browse
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\log4cplus.dll	0%	ReversingLabs
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\log4cplus.dll	0%	Virustotal	Browse
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\msvcp80.dll	0%	ReversingLabs
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\msvcp80.dll	0%	Virustotal	Browse
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\msvcr80.dll	0%	ReversingLabs
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\msvcr80.dll	0%	Virustotal	Browse
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\pdas.dll	0%	ReversingLabs
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\pdas.dll	0%	Virustotal	Browse
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\rtmptp.dll	0%	ReversingLabs
C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\rtmptp.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MSI47A2.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI47A2.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MSI4801.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI4801.tmp	0%	Virustotal	Browse
C:\Windows\Installer\MSI5C10.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI5C10.tmp	0%	Virustotal	Browse
C:\Windows\Installer\MSI5C5F.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI5C5F.tmp	0%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://www.openssl.org/V	0%	URL Reputation	safe
http://www.openssl.org/V	0%	URL Reputation	safe
http://www.zlib.net/D	0%	URL Reputation	safe
http://www.openssl.org/support/faq.html	0%	URL Reputation	safe
http://www.myfxbook.com/help/trading-station-publisher-wizard	0%	Avira URL Cloud	safe
http://www.myfxbook.com/help/trading-station-publisher-wizard.html	0%	Avira URL Cloud	safe
https://secure.comodo.com/CPS0L	0%	Avira URL Cloud	safe
http://www.unicode.org/cldr/)	0%	Avira URL Cloud	safe
http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEprng	0%	Avira URL Cloud	safe
http://www.fxcorporate.com	0%	Avira URL Cloud	safe
https://upload1.myfxbook.com/fxcm-upload.html?	0%	Avira URL Cloud	safe
http://www.fxcorporate.com7http://dbfx.fxcorporate.com	0%	Avira URL Cloud	safe
http://www.myfxbook.com/help/trading-station-publisher-wizard.html	0%	Virustotal		Browse
http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEprng	0%	Virustotal		Browse
http://www.myfxbook.com/help/trading-station-publisher-wizard	0%	Virustotal		Browse
https://secure.comodo.com/CPS0L	0%	Virustotal		Browse
http://www.fxcorporate.com	0%	Virustotal		Browse
https://upload1.myfxbook.com/fxcm-upload.html?	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.myfxbook.com/help/trading-station-publisher-wizard	Trading_Station_Publisher.exe.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEprng	gslibeay32.dll.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://secure.comodo.com/CPS0L	TradingStationPublisher.msi, 685ada.msi.1.dr, 685ad8.msi.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	TradingStationPublisher.msi, 685ada.msi.1.dr, 685ad8.msi.1.dr	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.myfxbook.com/help/trading-station-publisher-wizard.html	Trading_Station_Publisher.exe.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.openssl.org/V	gslibeay32.dll.1.dr, gsssleay32.dll.1.dr	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.zlib.net/D	gszlib.dll.1.dr	false	URL Reputation: safe	unknown
http://www.unicode.org/cldr/)	gstool3.dll.1.dr	false	Avira URL Cloud: safe	unknown
https://upload1.myfxbook.com/fxcm-upload.html?	Trading_Station_Publisher.exe.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fxcorporate.com	Trading_Station_Publisher.exe.1.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.fxcorporate.com7http://dbfx.fxcorporate.com	Trading_Station_Publisher.exe.1.dr	false	Avira URL Cloud: safe	unknown
http://www.openssl.org/support/faq.html	gslibeay32.dll.1.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1502153
Start date and time:	2024-08-31 08:52:46 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	TradingStationPublisher.msi
Detection:	MAL
Classification:	mal56.winMSI@6/54@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .msi Close Viewer

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Config.Msi\685ad9.rbs

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	15425
Entropy (8bit):	5.897561072130315
Encrypted:	false
SSDEEP:	192:QZBXDlxcDuZ+2oesJaOIMaOTjhMAD+wODpG:QD5d+2caKaOhMAHr
MD5:	837EFEA30DC4061C787EDADC5A7FAC46
SHA1:	AED08E2E71A50C7EBE2040490073D8D3FE8EF57B
SHA-256:	352226CBDC52890F64DAD02C5201B51657BEAF31A5D585A99EFE8D882F32604D
SHA-512:	E11B73F4CB609AE14776B2C0A0B1DD9B030C271D5B91EB5932E4DC4BF85378BF8796C21F93512C039E6051937B6E4432CDE1470D9D0E3C506C4EBA29FAA3DF6B
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@...Y.@.....@.....@.....@.....@.....@......&.{C9F0231D-7C82-4D3D-BC5C-98FDA809C5AA}..Trading Station Publisher..TradingStationPublisher.msi.@.....@.....@.....@......_853F67D554F05449430E7E.exe..&.{38E8AABD-CF58-4632-80B8-4A82F220D6A0}.....@.....@.....@.....@.......@.....@.....@.......@......Trading Station Publisher......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{845AF08E-A028-7924-3451-AF6ECBF9865E}&.{C9F0231D-7C82-4D3D-BC5C-98FDA809C5AA}.@......&.{61C2DF3B-3E02-435E-ED90-A5A5D505D784}&.{C9F0231D-7C82-4D3D-BC5C-98FDA809C5AA}.@......&.{EBB273E9-778D-3428-1F17-DB809DDE2B62}&.{C9F0231D-7C82-4D3D-BC5C-98FDA809C5AA}.@......&.{BC9A1375-1470-F1E0-B12D-2B8EDFC54470}&.{C9F0231D-7C82-4D3D-BC5C-98FDA809C5AA}.@......&.{C3D3CFE5-19AB-24E1-066F-5A29C37DCE72}&.{C9F0231D-7C82-4D3D-BC5C-98FDA809C5AA}.@......&.{D5F53411-F316-B962-D71F-707B2147145A}&.{C9F0231D-7C82-4D3D-BC5C-98FDA809C5AA}

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\ForexConnect.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	729088
Entropy (8bit):	6.368380548088654
Encrypted:	false
SSDEEP:	12288:1eq6r2VxaQ3MPnNIyO32KlibHRd9whzy5L6OmS41iaDxvp5ufSojqx9aaJrvD+4/:pYFvOijR/wISlt91Fn2nO
MD5:	EB8F584025B1CFC011E213144D0FEC65
SHA1:	CC4BD48738CEC3E25D54E3C14F90AFA564C13581
SHA-256:	9B0E151E2835D60BD8272A232150015ADA56D2E28E362C9F759EC18D08E85AF4
SHA-512:	2662186D5215D3738B5D70D3E67BD85B20A11019F02C823CDE9594B31743352960AABD515B9C882C2B28F801099FC5D08FE023C13A0E94DA3747233C6A397F7D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......!.d.e...e...e....Tt.d...BVg.k...BVw.`....W.c...BVd.y...BVq.t...e......BVx.....BVp.d...BVv.d...BVr.d...Riche...........PE..L......T...........!.........P...............................................0............@..............................'...Z....... ..l....................0..\|...................................hN..@............................................text...\........................... ..`.rdata..D...........................@..@.data....C.......@..................@....rsrc...l.... ......................@..@.reloc.......0....... ..............@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\Microsoft.VC80.CRT.manifest

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (504), with CRLF line terminators
Category:	dropped
Size (bytes):	1869
Entropy (8bit):	5.395078491534145
Encrypted:	false
SSDEEP:	48:3SlK+hk6g4u09kkK23zWO09kkKFzv09kkKldSzY:Clth9uXkd3COXkgTXkX8
MD5:	541423A06EFDCD4E4554C719061F82CF
SHA1:	2E12C6DF7352C3ED3C61A45BAF68EACE1CC9546E
SHA-256:	17AD1A64BA1C382ABF89341B40950F9B31F95015C6B0D3E25925BFEBC1B53EB5
SHA-512:	11CF735DCDDBA72BABB9DE8F59E0C180A9FEC8268CBFCA09D17D8535F1B92C17BF32ACDA86499E420CBE7763A96D6067FEB67FA1ED745067AB326FD5B84188C6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <noInheritable></noInheritable>.. <assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.762" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>.. <file name="msvcr80.dll" hash="10f4cb2831f1e9288a73387a8734a8b604e5beaa" hashalg="SHA1"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms><dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity"></dsig:Transform></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></dsig:DigestMethod><dsig:DigestValue>n9On8FItNsK/DmT8UQxu6jYDtWQ=</dsig:DigestValue></asmv2:hash></file>.. <file name="msvcp80.dll" hash="b2082dfd3009365c5b287448dcb3b4e2158a6d26" hashalg="SHA1"><asmv2:hash xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xml

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\Order2Go2.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	581632
Entropy (8bit):	6.303966258540416
Encrypted:	false
SSDEEP:	12288:zp/TVOyXfuaVIXYSrkSDAVI8+L441o63J4GVILKrKP+DQWWQsx+0noRN8JrOUV3h:7iLX1o0J7rXQdrcgF
MD5:	27969032314FDE7128095CE104030344
SHA1:	561A989886C8C21190506DD68A01A017BE088230
SHA-256:	E99B2328C6A7731AAC78631A5422EEA07685B26AD17B732807BB1F403D66D461
SHA-512:	34AE4C8AD208F5205C82557E014685F8284EE026179E9CC80BAE6A050DE5E4D2FB98F21132FB9460FA30B14C7C91698CA3CF89773F6CC3AA4211DEB018180134
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{V..8...8...8...F...8...U...8...E...8.D.e...8...V...8...C...8...9...8...J...8...B...8...D...8...@...8.Rich..8.........PE..L....?.O...........!..... ...................0......................................GZ....@.................................k......................................P4...............................{..@............0...............................text............ .................. ..`.rdata...u...0.......0..............@..@.data....E.......P..................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\Trading_Station_Publisher.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	102400
Entropy (8bit):	5.778338583895287
Encrypted:	false
SSDEEP:	1536:G6glIQ12U0mepF/7GTLTY0iPjJesgmW47QlbXuJsaHy+UKKMOMJ0vabmS1VP:o+8B0mQ7GXTY0GHg/lCsabKMOMJn1VP
MD5:	D56CCAD643F04051F8B70768FB67D11C
SHA1:	482B649A17C830C7034D99A8C61BE61D01942F5E
SHA-256:	C0854006EBA6B068AE2047DA60EF7187DDF7171A09F266E05338A05F934D5326
SHA-512:	03298A5313E2BDBA0AD917FF677050E93D3331692A12FBF50B00E3CD871587B66E34BB6D9C5F0348736DBE6DE765599E1FB831A90F373C6E92AD831833BD92A0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 18% Antivirus: Virustotal, Detection: 30%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d..............0..p............... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text....n... ...p.................. ..`.rsrc................r..............@..@.reloc..............................@..B.......................H...........8...........H...@............................................0..X.........}.....r...p}.....(........}......}......}.......}.......}.......}.......}.......}.......}.....r...p}.....(........}......}.......0..G..........}......}......}.......}.......}.......}.......}.......}.......}....&...}........0............{.....+...0............{.....+...0............{.....+...0............{.....+...0............{.....+...0............{.....+...0............{.....+..*

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\Trading_Station_Publisher.exe.config

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2110
Entropy (8bit):	4.539202036310091
Encrypted:	false
SSDEEP:	48:cjrNKHNqq/wKDXHJQDJlDHD4x3+GnH1nKDvgrub:grCIq4SX+XjIlnVnSvgrub
MD5:	14A5682D775E523A5FF7C3F88102C28E
SHA1:	ED3AE9796290DB0BB7ED27063E6CAE6090D7D19D
SHA-256:	554C4051DAA547C2585DEABDC41B1F20DB57CD176A0F48C90B3CEC2E72A97982
SHA-512:	3F62A43FAC23F95C48254222BD18E01D31EE97D0F5C071C897411F62DDB11526642C9048B8E93916B2A4CDD01145E1F411FC7314CB45C970A7C46B3826A298B1
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <configSections>.. <sectionGroup name="userSettings" type="System.Configuration.UserSettingsGroup, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" >.. <section name="myfxbook.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" allowExeDefinition="MachineToLocalUser" requirePermission="false" />.. .. </sectionGroup>.. </configSections>.. <userSettings>.. <myfxbook.Properties.Settings>.. <setting name="UserName" serializeAs="String">.. <value>sda</value>.. </setting>.. <setting name="Password" serializeAs="String">.. <value />.. </setting>.. <setting name="Connection" serializeAs="String">.. <value>Demo</value>.. </setting>.. <setting name=

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\fxcmlogger.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.843477027538867
Encrypted:	false
SSDEEP:	384:cv7XV65FbEZh/z63cRfCoFjUSMMdrZ69lrIM:cv7XV651u4cRf7pUrel
MD5:	22B1547525951A042BDBE8FA6BD89508
SHA1:	FE7C2D70F0C5DF123D43A3C82A82CBAA52A2DD4D
SHA-256:	847E52336798B020F502AC211351B6342385E49BC1D27BE6A5CDFE09A344630C
SHA-512:	62666B00224D514DB590D61387EBC01C661291EBDCE37398C6DBAA36188CF777B3D5DBBBA4C2808FA6DF2134EEDACEF705B078FF08C2B39E97115B2E988FA81D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........].............B.......@.......B.......B.......B..............K........B.......B.......B.......B......Rich....................PE..L....>.O...........!................1&.......0...............................p.......0....@..........................8..X....3..P....P.......................`...... 1...............................2..@............0...............................text...\|........................... ..`.rdata..8....0....... ..............@..@.data...`....@.......,..............@....rsrc........P......................@..@.reloc.......`.......4..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\fxcmrtmp.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	36352
Entropy (8bit):	6.297787029918726
Encrypted:	false
SSDEEP:	768:lwMRv0a02C0gGr0ISW2VlYA4i1oPqOgNMSP:lh2a8Xo0JW2VlYABZOgNMS
MD5:	037F9154E43D84508AE8DF7296AFF1F2
SHA1:	83F5A8D01ABCBB0938E6B866BFCC614B5FA98CD7
SHA-256:	427736009F998D854A97369819CDBFAF910B6357DDE05AA0A0488CBAC6EEBB65
SHA-512:	9BC4195C1F9075EEE5F992C2A05A75D33FAB028B3B0C5DDEC395136F5CB768E03C6074017F03452BA08BD15C56031F34B8B4991708A64670ACA17CF6F583365D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W...............o......4m......4m......4m.............4m..........,...4m......4m......4m......4m......Rich............PE..L....>.O...........!.....^...,.......b.......p............................................@......................... ...........d................................... q...............................y..@............p...............................text...*\.......^.................. ..`.rdata..1....p.......b..............@..@.data................~..............@....rsrc...............................@..@.reloc..R...........................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\fxcore2.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	217088
Entropy (8bit):	5.953982854584702
Encrypted:	false
SSDEEP:	3072:TNP/YVajzPuKt1mIWjS4Ptw98TU2PGTqYsaeKVcFOgPv3kh:TBYkuKH3CS98Y2PG+7KaOgn0
MD5:	F058F7F09905D3AFC91B7FC9EFE61BFA
SHA1:	574F887E5378950CB5E98FDC61BF301145571FF3
SHA-256:	C01A3D85E25ED0B1E773C223BA0A856C8CC03D5C1714C519E412160FB4D83871
SHA-512:	F4555173549E448429108F33B053A81837EA125727F64F7F6CE4D48E2691E581F244A39E729CCF53D9265EA290931EA18AA283E96BDE65DBD25551314C08BF79
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........H.7.).d.).d.).d*&.d.).dn..d.).d~.d.).d..d.).d..d.).d..d.).d..d.).d.).d.).d..d.).d..d.).d..d.).dRich.).d................PE..L...'..T...........!.........0............... ...............................P......!.....@..........................................0.......................@..l....!..............................X"..@............ ..\............!..H............text............................... ..`.rdata..h.... ....... ..............@..@.data........ ....... ..............@....rsrc........0.......0..............@..@.reloc.......@.......@..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\fxmsg.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	212992
Entropy (8bit):	6.211179725023109
Encrypted:	false
SSDEEP:	6144:+kara17tOtPGin0ReVVVKVV/3sxEDrkxYtyttn6UTOj0ah0:+karaptOtPGin0ReVVVKVV/f3yttwh
MD5:	329F9CDF702B6EDFDB2A92957C83359B
SHA1:	26C5DD78730B685341DC429DA193D49CB073B01E
SHA-256:	0D92316B2D151EE35D47294C07AD9F348CA3E0E56766C53B1F5F2459AEAA1BD0
SHA-512:	7A8D0A72E5D1E619A72911822A04762465D7630BFCD2F48F1056AD1C6E3B2A3897E54C55A40E3617D4091FA64E7CE4C8A5CCB8DD64ED46367C77367BB954F140
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v...2.2.2..!.0..#.?..#.7..#.>....0..#..9....9.2....#.*..#.3..#.3..#.3.Rich2.........PE..L......T...........!.........@......Y........................................P.......Y....@......................... ..................d.................... ...-...................................6..@...............L............................text............................... ..`.rdata..$...........................@..@.data...X...........................@....rsrc...d...........................@..@.reloc..v.... ...0..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\fxtp.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	151552
Entropy (8bit):	6.117424624199627
Encrypted:	false
SSDEEP:	3072:3rYes/8AU+U6A3eAoBjcOjLbM+frsBthN5I:3rYyAU+U6/jcOjc+fr0
MD5:	9029D67B382DA1AA00B0D5156C514D15
SHA1:	DF75B36BABDB8F215AF23555B252A9250EE581A6
SHA-256:	CFC56D7D9F9090A3AA5F422A6C7564C9BDA7EDA7FE36EEFFF1C9DDF346BC439C
SHA-512:	BB284A53641C9182048BF881E0BC1E6AB3E9EBE5F4F0FA45BA02BF8AEE07F59E2BF555DB21CE22297F4A92ACC6D946AFCD535F9E652C9AE7B559455BECC97CC6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Fx..'..'..'.. .h.'...k.'...{.'..4/K.'...x.'..t(K.'...m.'..'...'...d.'...l.'...n.'..Rich.'..........................PE..L......T...........!.........0............... ...............................`............@..........................o......^..x....0.......................@.......!...............................4..@............ ...............................text............................... ..`.rdata..b.... ....... ..............@..@.data...............................@....rsrc........0....... ..............@..@.reloc..x....@... ...0..............@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gsexpat.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	245760
Entropy (8bit):	6.1091094624124755
Encrypted:	false
SSDEEP:	6144:rKgaOZAp05/OwXSZBhaUNhZp5RTOgEmy1Ku:rKgLAp0kwXiaUNXp52Yu
MD5:	BCB8325D65ACB3B1B560FBD5AD6B5D6E
SHA1:	1887E023799736E5764FAB3AB207456B6A3A5D48
SHA-256:	8D1F10593F37F0FBA2D0962879F5B27DD984D64334272D3D320721D2094BC42E
SHA-512:	1EF4476A82AE6BE1DDF74E262F834544656475C3EBA70C38EE4F99357BA67F6B043C2564E9BA07CF2307B6BF499585107B7305AC07C910823AE2917B5385B54B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^....{...{...{.......{..=....{..=....{..=....{..=....{...t...{...{..n{..=....{..=....{..=....{..=....{..Rich.{..................PE..L...y..T...........!.....P...`......#D.......`.......................................w....@..............................+.....P.......P........................"...a..................................@............`...............................text....M.......P.................. ..`.rdata......`.......`..............@..@.data...............................@....rsrc...P...........................@..@.reloc...#.......0..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gslibeay32.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1036288
Entropy (8bit):	6.780568161518855
Encrypted:	false
SSDEEP:	12288:N1+DCtg4wxVUk/ZEwCUbrQ5kWP7wr1c+EeThwbpTLQqRmbPNw1:lvwxVhVrQ57P7Aee1EpvhRmDNw1
MD5:	BFB734AD660EB1A6F8F2F355C727CB08
SHA1:	33E4EF48F4A62449A00E4A3454621398F6B02C36
SHA-256:	632710AAA31E1BC5E08D6C1EAF43E51EC0394D8D8E9DC5BD512FDA453996467D
SHA-512:	3C27917A15F12E1938791DF57620423BB1B0AB8E48D2F9157796FFC1D4A3875F5364AF0A0B265D8F8349812761BFF75533BBE7DF1F8628208B0B68A00D747D21
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}3r^9R..9R..9R....b.8R....g.;R....r.;R...]A.2R..9R...R....q.1P....a.!R....f.8R....`.8R....d.8R..Rich9R..................PE..L...y..N...........!..... ..........Ua.......0..........................................................................h...........@.......................P.......2...............................................0..t............................text............ .................. ..`.rdata.......0.......0..............@..@.data........ ....... ..............@....rsrc........@......................@..@.reloc.......P....... ..............@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gsssleay32.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	225280
Entropy (8bit):	6.253045136457586
Encrypted:	false
SSDEEP:	6144:Iqim3anrS9VptSk8WyTsi9NC9M2kdZdPmbScpnKis:IqX3UrS9Vp4k8WyAi9NC9GdZdPmbS3
MD5:	C26A1F9278EC87231930C41322612606
SHA1:	BFF4A9F0B6B24B0C18B4F196203700E870A354D0
SHA-256:	5324C79FE6C9F2A4C64AE463AE209732B5D06905987CCA3C8D9D4B3C8F2254E4
SHA-512:	8AE64AEA3EAA743BFC8770739F80BE6A44854FE8A569DE637E2900AE87814C5DB2E0FA288413BE6B12EE715DEDE9FD24DC1E798231487546938DA1A1B2511AD4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._n.....A...A...A...A...A<..A...A<..A...A<..A...A...A[..A<..A!..A<..A...A<..A...A<..A...ARich...A................PE..L......N...........!.....p...........l.......................................p.......i..............................p...C.......P....@.......................P...... ...................................@............................................text....a.......p.................. ..`.rdata..............................@..@.data...`(.......0..................@....rsrc........@.......@..............@..@.reloc.......P... ...P..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gstool2.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	655360
Entropy (8bit):	5.653920879427816
Encrypted:	false
SSDEEP:	6144:ZUIsjn9FHg420wuBjENc4MfGjIsh+Og3/OI4wzAqSo:ZpAHX20lt+cCjI/sqSo
MD5:	4604866647482C5BB8FD303B93631EA7
SHA1:	F6D202BFE4D0EB25FD81795F2FE0DA2D86B710A8
SHA-256:	AC54EB0E1C6B7B79BF980F486DA3B68E45332F50B5E0D34F9546F25DF73869C1
SHA-512:	DF1981AA3ECB432E0C5E6B845A2BC30DB4AB8BB1A8496502959EB3D453D37BF5983CE1B816A8975EBCA238D5D20E7D1A0825D5EE11BF7B753C1FE9C9D1FE0B1D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................qR....P....P....P...%....%.....P..........P.....P....P....P...Rich..........................PE..L.....\|N...........!.........0............................................................@..............................{...........p.. '......................h:..P...............................@4..@............... ............................text...L........................... ..`.rdata..(O.......P..................@..@.data...pM... ...P... ..............@....rsrc... '...p...0...p..............@..@.reloc...Q.......`..................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gstool3.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	118784
Entropy (8bit):	6.095349764036509
Encrypted:	false
SSDEEP:	3072:/BWYsOTsr7PPRUatbBye/XzO3mOz1CHEmOTdV:tsOBCNR/XzO3mOz
MD5:	B9A9841E4BAEBEAD71F78AAD2067D295
SHA1:	136AF3E9275CAC13C6592886D8E426FB2F476981
SHA-256:	00B19E4A5319A891E5DAB6DEB8D2559BE0106BC7E4F8D2CE7DDCA9C451984A90
SHA-512:	6D4B481C818D8513C0D51399DA15826D6D420299E70F23CEE5E327F083A6C7F6334276D62B8F2B585F76865A496449BCB7D2E746D536D5F77F54356683FBD427
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T."...L...L...L..62...L.741...L.74"...L.74!...L.......L.747...L...M...L.74>...L.746...L.740...L.744...L.Rich..L.................PE..L......T...........!................5.....................................................@.........................`B... ...(..x........'..............................................................@............................................text............................... ..`.rdata..3c.......p..................@..@.data...,....p.......p..............@....rsrc....'.......0..................@..@.reloc..@........ ..................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gszlib.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	81920
Entropy (8bit):	6.106641875022546
Encrypted:	false
SSDEEP:	768:amRYPPQ4R22ix8zm2S5nz+FXlk+qwjOHkkU/JXcmB3N1ZCRTTeGOJdp6DIOlIOCK:6PW55uOhkd1KtOrcDIOlIOCnToIfX6G
MD5:	E72812E2955D9CB0D42BF9C887DF2F80
SHA1:	74CB5AEE40FA4299174A117254D904EDADA73BD2
SHA-256:	B7AE0DEBF3630DA7FCE7842F8419D7BD5C805C59B24B93753E8982358EAE7B41
SHA-512:	B882FD1FE4AD23B27793DDEC8B60FB08BDC8FC4F4A01AB59A1DB7E952B7FAB45998BDB39EFC7C0FE01A0A7FE6C3661AFB7E2AD99CB1C2056FA94BABB7BB2AE97
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......(..Dl...l...l.......i...K...o...K...m...K...n...K...b.......n...l...A...K...c...K...m...K...m...K...m...Richl...........PE..L......T...........!.........................................................@............@.........................`...!...l...<.... .. ....................0......................................(...@............................................text............................... ..`.rdata...M.......P..................@..@.data...............................@....rsrc... .... ....... ..............@..@.reloc.......0.......0..............@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\hash.dat

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	823
Entropy (8bit):	5.535512577901941
Encrypted:	false
SSDEEP:	24:YE4kKLU/KMPY/w4GKDStaWuY9bZbRJ4dbRqz:YHkaGjgLGZ0W34vqz
MD5:	37FA1C1A4AFD0C3AB8CBB8FD3A598D8E
SHA1:	F636AEEE1E30FDDFF1F98462C0291FD7CA23C6B9
SHA-256:	4DBCC708376CD267A126D0612A4A6C5B555BE73AEA3A33D453FEAA9B42F1E181
SHA-512:	D08F816833D70DE26BB8976471EF0CB0877085542364A5CBF97F54E7DE43CBD80245BCEC96B309BC41DB3B306392391D1FD3DB1D91CE73490DF3FE55F9EF4868
Malicious:	false
Preview:	......................ISystem, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089.....0System.Collections.Specialized.OrderedDictionary.....KeyComparer.ReadOnly.InitialCapacity.ArrayList....$System.Collections.IEqualityComparer....................................PTrading_Station_Publisher, Version=2.0.0.0, Culture=neutral, PublicKeyToken=null....."System.Collections.DictionaryEntry....._key._value........a...........AccountObject.....name.broker.login.password.pin.url.type.accountId.enable.message......................a......FXCM..................http://www.fxcorporate.com......Demo......................M..$.... or password............M..$......gd......FXCM.................http://www.fxcorporate.com......Demo......................M..$.................yK.[...y.....$.................yK.[...y......

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\httplib.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	172032
Entropy (8bit):	6.1222448229535855
Encrypted:	false
SSDEEP:	3072:g49GpERfOF5tMISFlvap0Qz7lEBB2fJOj9yBQSUEORxnGf:gTERQtMISrvap3z66JOjCQDRxQ
MD5:	A521197D5627D4A44E4D7204F23D3032
SHA1:	369F3EFEBD87337A5217CF4C9A59AE0E8FC1A1D5
SHA-256:	2B2E136CCF250B54BD840DAF01BEAEAFCCA0DF7DB76648D75297F37753E290C7
SHA-512:	F06EA066B66ADC38C097557749FEE707C305A6B5C19B1FA14CC9DAF4C59D63649B24A85A942C0E8F7D0DEA997A350AA81CC388C8ABB3BF1F22A72B483945DCC6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,...hm..hm..hm......im..O...em..O...jm..O...nm...e..mm..hm..m..b..bm..O...cm..O...tm..O...im..O...im..O...im..Richhm..........PE..L......T...........!.................w..............................................Ti..............................@...............p........................... ..p...................................@...............D............................text............................... ..`.rdata.............................@..@.data...(....P.......P..............@....rsrc........p.......`..............@..@.reloc..........0...p..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\icon3.ico

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 1 icon, 30x30, 8 bits/pixel
Category:	dropped
Size (bytes):	2166
Entropy (8bit):	5.326061420932968
Encrypted:	false
SSDEEP:	24:O+R/+cb9qcPjlaaSHr7kmc1PpDjApyJriHp2BAdQy7jSDm+lmXXO3h:BR+cYyQch1xXAiri6Aqy7+q8fx
MD5:	707B63D5034649499FE8C4BD5074AE74
SHA1:	5E7A0E113112522FD793591E768891EA393D9A0E
SHA-256:	BFF78BDFAFB875E4A4D27000CBFA0DA63BFF8E2E4E9B88D493DC2B00FD0D0A9F
SHA-512:	9A63E48966468D7B5858DCF01A9985148278E1B9BF7DE978CE701620B0A259B8B98774A7143455FB2E7A50A1A4B90C9C4B2793252ECA5E004E8BC382FE8238A0
Malicious:	false
Preview:	..............`.......(.......<.......................................LGD./,.2/-.520.853.A=:.FB?.JFC.HDA....." ......%#!.MIE.;85.(&$.>;8.....+)'.C@=..................%.>BE.<N]."(-.%+0.B...C...C...C...Az..B{..D}..>j..K[j.AKT.GQZ.,...0...+...4...7.......:...6...2...=...)g..@...9...8...C...?...8...4w..0l..,b..(X..D...7y..>...3h../]..:t..$Fi.3`..6c../V}.G...9e..5[..Gr..Hs..8Wu.Ei..1Jc.Hl..4Me.=P.7Og..,9... .E\r.Jaw.)5A.6AL.CMW.FIL......t.......}.......g...U.. ... ...$...$...(....m...[...I...S...^..+}..!Y..n...%=..=d. Jv.%U...(@.$Mx. ;X.$>Z..#2.-?R.#/<.FOY..W...O...w...h...Q...y...q...{...s...}...u....5..M.......-Z..P...F...4^.. 0......&5.038...............................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\log4cplus.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	352256
Entropy (8bit):	6.317097323155809
Encrypted:	false
SSDEEP:	6144:yEG/TwqJE67HEFEBmr2/mqKHMoSG9Avnrv8l4q5wOxIbc5ihlOjS3QUlR:K/Tw6EiHEFEBBmqKsoGrOn5BIbGSaU
MD5:	56056C2FB1843C3D8CDEA54DA7627E6D
SHA1:	57B120658141EB3B0CCC84E727266471CA6A7CA1
SHA-256:	F151ECD1D00E524A86F4070E87280F9460FACCCBC305A53BD5622967D0A21A70
SHA-512:	E2BC4FF21BEC091E79C6B1016003268E8528E1CDC7AC055729CBF71B1166FB56D3476B52FEFFA0717F9F16FE56CCA16D968378D04D5B70DE855D1D382CD02BB6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......".LfrD.frD.frD..:.grD.A.9.brD.A.).krD.A.?.brD.A..crD.frE..rD..}..arD.A.6.CrD.A.>.grD.A.8.grD.A.<.grD.RichfrD.........PE..L......T...........!.....0... ......u........@...............................`..................................................x.......d.......................8H...D..............................@i..@............@...............................text...E*.......0.................. ..`.rdata.......@.......@..............@..@.data............ ..................@....rsrc...d...........................@..@.reloc...I.......P..................@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\msvcp80.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	548864
Entropy (8bit):	6.402420828464982
Encrypted:	false
SSDEEP:	12288:Q1HyurvZ0JPjuTtSu86th1n/hUgiW6QR7t5j3Ooc8NHkC2eo:Q1HyurvZ0liTwuhtjnj3Ooc8NHkC2eo
MD5:	4C8A880EABC0B4D462CC4B2472116EA1
SHA1:	D0A27F553C0FE0E507C7DF079485B601D5B592E6
SHA-256:	2026F3C4F830DFF6883B88E2647272A52A132F25EB42C0D423E36B3F65A94D08
SHA-512:	6A6CCE8C232F46DAB9B02D29BE5E0675CC1E968E9C2D64D0ABC008D20C0A7BAEB103A5B1D9B348FA1C4B3AF9797DBCB6E168B14B545FB15C2CCD926C3098C31C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............y..y..y..fv..y..y..#y.....y..2...y.....y.....y......y.....y.....y.....y..Rich.y..........PE..L...."qE...........!.....@... ...............P....B\|.........................p......u.....@.............................L...T...<............................ ..L2...S..............................Pe..@............P.. ............................text....;.......@.................. ..`.rdata......P.......P..............@..@.data...l&....... ..................@....rsrc...............................@..@.reloc..NA... ...P..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\msvcr80.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	626688
Entropy (8bit):	6.8397070634061174
Encrypted:	false
SSDEEP:	12288:6Fqi2VC1J7Zs7a5zchr46CIfsyZmGyYCqeC:6Ui2C1JdoiEdmGyYu
MD5:	E4FECE18310E23B1D8FEE993E35E7A6F
SHA1:	9FD3A7F0522D36C2BF0E64FC510C6EEA3603B564
SHA-256:	02BDDE38E4C6BD795A092D496B8D6060CDBE71E22EF4D7A204E3050C1BE44FA9
SHA-512:	2FB5F8D63A39BA5E93505DF3A643D14E286FE34B11984CBED4B88E8A07517C03EFB3A7BF9D61CF1EC73B0A20D83F9E6068E61950A61D649B8D36082BB034DDFC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L.........@................!......;.............d.......................Rich...................PE..L...8"qE...........!.....0...p......+#.......@.....x......................................@..........................q...~..Pc..<....`.......................p..H3...B...............................F..@............@...............................text...*'.......0.................. ..`.rdata......@.......@..............@..@.data...Li.......P..................@....rsrc........`.......@..............@..@.reloc...7...p...@...P..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\pdas.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	151552
Entropy (8bit):	6.281756635113041
Encrypted:	false
SSDEEP:	3072:7Rl4L3k6YT0GGVLvb/BvVRYreBx8SwnOD5TKu9W:Fl4LtYT0Gi/1VRAnOD5T99W
MD5:	A8F9E36C75929A343BB81782903C9E51
SHA1:	B357F8A44200010A1BFF1B4336A3725D28C94808
SHA-256:	68C177F5201211D1336F26E430B21B052652BC43EFAC80D25752D218F2053E66
SHA-512:	D4D6BDDD15BE8F0A70A6A035CD20451DE00C8600228B9F48DB719B6B6676D74FEF2EEEB7DBD95A80068278C6551CA55BE3EB9F7B831C2EE95132C1E0DEA1C7D0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-ZE.i;+.i;+.i;+...U.h;+.N.V.j;+.N.F.d;+.N.E.n;+.N.P.e;+.4v.b;+.i;*..:+.N.Y.u;+.N.Q.h;+.N.W.h;+.N.S.h;+.Richi;+.........PE..L......T...........!.....P...........=.......`...............................P......].....@.................................4...........l.................... ...!...e..............................(...@............`...............................text....L.......P.................. ..`.rdata..,....`.......`..............@..@.data...............................@....rsrc...l...........................@..@.reloc..8(... ...0... ..............@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\rtmptp.dll

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	6.041769796155931
Encrypted:	false
SSDEEP:	1536:+4McOFawVSrfn+XpUQFv5aE7Cjd0Vaup4rdcA9fVQV4OgMuREDk3Eq:Uefn+XU0lyrdf9hOgMuRn
MD5:	326EF508920E8927DB1936AC475151DE
SHA1:	A8FE6BFC1A2DFD8E575096C4777B5F1E2000DA10
SHA-256:	98805010361824E641C47B4F21EAE3F5AE69C39494B2626D7DCB494B96668E62
SHA-512:	D390677673548A1F5D58A6CCEC1387B95D760EF8C7F0630AC9D926E9C3DDADBF1D87C968A07B79641DB11C7CE3A3A1C6DFB01DD2DFAE57891F8E996647FB205D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................}......................H...................................................Rich............PE..L....>.O...........!.................................................................#....@..........................k.......?..........l.......................\.......................................@............................................text...\........................... ..`.rdata...l.......p..................@..@.data........p... ...p..............@....rsrc...l...........................@..@.reloc..R........ ..................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\CFG4800.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	158
Entropy (8bit):	4.875519398611903
Encrypted:	false
SSDEEP:	3:vFWWMNHUz/cIMOoT02V7VKXRAmIRMNHNQAZFVKXRAmIRMNHRd4N+RAW4QIMOov:TMV0kI002V7VQ7VNQA1Q7VRd4NuAW4Q9
MD5:	C517737DD6B59D0BD576A0A484C12E8B
SHA1:	B5BEC2BDE6FFDB8BA9CF790E4BB97B02E78F8225
SHA-256:	0774A3FD610BE54DAF2801AC6763F7FDE87073D95435900874C9A61B14F88F50
SHA-512:	15A45BE84D184A0C6AFE84F3A76CDD1C896C3BE79776DC5B875F9C70790BCE8099ECBFD2F76037813AE70CFBEBA678092F602041DFEE09BDBD3B852144833094
Malicious:	false
Preview:	<?xml version="1.0"?>..<configuration>...<startup><supportedRuntime version="v2.0.50727"/><supportedRuntime version="4.0.0"/>...</startup>..</configuration>..

C:\Users\user\AppData\Local\Temp\CFG5C3F.tmp

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	158
Entropy (8bit):	4.875519398611903
Encrypted:	false
SSDEEP:	3:vFWWMNHUz/cIMOoT02V7VKXRAmIRMNHNQAZFVKXRAmIRMNHRd4N+RAW4QIMOov:TMV0kI002V7VQ7VNQA1Q7VRd4NuAW4Q9
MD5:	C517737DD6B59D0BD576A0A484C12E8B
SHA1:	B5BEC2BDE6FFDB8BA9CF790E4BB97B02E78F8225
SHA-256:	0774A3FD610BE54DAF2801AC6763F7FDE87073D95435900874C9A61B14F88F50
SHA-512:	15A45BE84D184A0C6AFE84F3A76CDD1C896C3BE79776DC5B875F9C70790BCE8099ECBFD2F76037813AE70CFBEBA678092F602041DFEE09BDBD3B852144833094
Malicious:	false
Preview:	<?xml version="1.0"?>..<configuration>...<startup><supportedRuntime version="v2.0.50727"/><supportedRuntime version="4.0.0"/>...</startup>..</configuration>..

C:\Users\user\AppData\Local\Temp\MSI47A2.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	305152
Entropy (8bit):	6.504247783181216
Encrypted:	false
SSDEEP:	6144:ruAOGlvgiHqfcTmGZ8009t0svTPxmx4yAyA5bDB+urH+nPAMyoZ3:iclvgiHAcTmS80g9vTMx4yAyA5b0urH0
MD5:	684F2D21637CB5835172EDAD55B6A8D9
SHA1:	5EAC3B8D0733AA11543248B769D7C30D2C53FCDB
SHA-256:	DA1FE86141C446921021BB26B6FE2BD2D1BB51E3E614F46F8103FFAD8042F2C0
SHA-512:	7B626C2839AC7DF4DD764D52290DA80F40F7C02CB70C8668A33AD166B0BCB0C1D4114D08A8754E0AE9C0210129AE7E885A90DF714CA79BD946FBD8009848538C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|U..84..84..84...Z..;4......;4...U..<4....0.54....2..4....3.%4...Y..j4...Y..)4...Y..-4......#4..84..f5...Z..$4...Z..94...Z>.94...Z..94..Rich84..........PE..L...p..a.........."!.....N...v...............`......................................O.....@..........................Z..:.......................................l....(..T...........................X(..@............................................text....L.......N.................. ..`.data...<....`.......R..............@....idata...............b..............@..@.rsrc................r..............@..@.reloc..l........0...x..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSI4801.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	305152
Entropy (8bit):	6.504247783181216
Encrypted:	false
SSDEEP:	6144:ruAOGlvgiHqfcTmGZ8009t0svTPxmx4yAyA5bDB+urH+nPAMyoZ3:iclvgiHAcTmS80g9vTMx4yAyA5b0urH0
MD5:	684F2D21637CB5835172EDAD55B6A8D9
SHA1:	5EAC3B8D0733AA11543248B769D7C30D2C53FCDB
SHA-256:	DA1FE86141C446921021BB26B6FE2BD2D1BB51E3E614F46F8103FFAD8042F2C0
SHA-512:	7B626C2839AC7DF4DD764D52290DA80F40F7C02CB70C8668A33AD166B0BCB0C1D4114D08A8754E0AE9C0210129AE7E885A90DF714CA79BD946FBD8009848538C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|U..84..84..84...Z..;4......;4...U..<4....0.54....2..4....3.%4...Y..j4...Y..)4...Y..-4......#4..84..f5...Z..$4...Z..94...Z>.94...Z..94..Rich84..........PE..L...p..a.........."!.....N...v...............`......................................O.....@..........................Z..:.......................................l....(..T...........................X(..@............................................text....L.......N.................. ..`.data...<....`.......R..............@....idata...............b..............@..@.rsrc................r..............@..@.reloc..l........0...x..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Installer\{C9F0231D-7C82-4D3D-BC5C-98FDA809C5AA}\_853F67D554F05449430E7E.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 1 icon, 30x30, 8 bits/pixel
Category:	dropped
Size (bytes):	2166
Entropy (8bit):	5.326061420932968
Encrypted:	false
SSDEEP:	24:O+R/+cb9qcPjlaaSHr7kmc1PpDjApyJriHp2BAdQy7jSDm+lmXXO3h:BR+cYyQch1xXAiri6Aqy7+q8fx
MD5:	707B63D5034649499FE8C4BD5074AE74
SHA1:	5E7A0E113112522FD793591E768891EA393D9A0E
SHA-256:	BFF78BDFAFB875E4A4D27000CBFA0DA63BFF8E2E4E9B88D493DC2B00FD0D0A9F
SHA-512:	9A63E48966468D7B5858DCF01A9985148278E1B9BF7DE978CE701620B0A259B8B98774A7143455FB2E7A50A1A4B90C9C4B2793252ECA5E004E8BC382FE8238A0
Malicious:	false
Preview:	..............`.......(.......<.......................................LGD./,.2/-.520.853.A=:.FB?.JFC.HDA....." ......%#!.MIE.;85.(&$.>;8.....+)'.C@=..................%.>BE.<N]."(-.%+0.B...C...C...C...Az..B{..D}..>j..K[j.AKT.GQZ.,...0...+...4...7.......:...6...2...=...)g..@...9...8...C...?...8...4w..0l..,b..(X..D...7y..>...3h../]..:t..$Fi.3`..6c../V}.G...9e..5[..Gr..Hs..8Wu.Ei..1Jc.Hl..4Me.=P.7Og..,9... .E\r.Jaw.)5A.6AL.CMW.FIL......t.......}.......g...U.. ... ...$...$...(....m...[...I...S...^..+}..!Y..n...%=..=d. Jv.%U...(@.$Mx. ;X.$>Z..#2.-?R.#/<.FOY..W...O...w...h...Q...y...q...{...s...}...u....5..M.......-Z..P...F...4^.. 0......&5.038...............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Installer\{C9F0231D-7C82-4D3D-BC5C-98FDA809C5AA}\_BB9EECDA4E810BDECD5258.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 1 icon, 30x30, 8 bits/pixel
Category:	dropped
Size (bytes):	2166
Entropy (8bit):	5.326061420932968
Encrypted:	false
SSDEEP:	24:O+R/+cb9qcPjlaaSHr7kmc1PpDjApyJriHp2BAdQy7jSDm+lmXXO3h:BR+cYyQch1xXAiri6Aqy7+q8fx
MD5:	707B63D5034649499FE8C4BD5074AE74
SHA1:	5E7A0E113112522FD793591E768891EA393D9A0E
SHA-256:	BFF78BDFAFB875E4A4D27000CBFA0DA63BFF8E2E4E9B88D493DC2B00FD0D0A9F
SHA-512:	9A63E48966468D7B5858DCF01A9985148278E1B9BF7DE978CE701620B0A259B8B98774A7143455FB2E7A50A1A4B90C9C4B2793252ECA5E004E8BC382FE8238A0
Malicious:	false
Preview:	..............`.......(.......<.......................................LGD./,.2/-.520.853.A=:.FB?.JFC.HDA....." ......%#!.MIE.;85.(&$.>;8.....+)'.C@=..................%.>BE.<N]."(-.%+0.B...C...C...C...Az..B{..D}..>j..K[j.AKT.GQZ.,...0...+...4...7.......:...6...2...=...)g..@...9...8...C...?...8...4w..0l..,b..(X..D...7y..>...3h../]..:t..$Fi.3`..6c../V}.G...9e..5[..Gr..Hs..8Wu.Ei..1Jc.Hl..4Me.=P.7Og..,9... .E\r.Jaw.)5A.6AL.CMW.FIL......t.......}.......g...U.. ... ...$...$...(....m...[...I...S...^..+}..!Y..n...%=..=d. Jv.%U...(@.$Mx. ;X.$>Z..#2.-?R.#/<.FOY..W...O...w...h...Q...y...q...{...s...}...u....5..M.......-Z..P...F...4^.. 0......&5.038...............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Installer\{C9F0231D-7C82-4D3D-BC5C-98FDA809C5AA}\_D7ED1792E3BE1F33D0BDF7.exe

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows icon resource - 1 icon, 30x30, 8 bits/pixel
Category:	dropped
Size (bytes):	2166
Entropy (8bit):	5.326061420932968
Encrypted:	false
SSDEEP:	24:O+R/+cb9qcPjlaaSHr7kmc1PpDjApyJriHp2BAdQy7jSDm+lmXXO3h:BR+cYyQch1xXAiri6Aqy7+q8fx
MD5:	707B63D5034649499FE8C4BD5074AE74
SHA1:	5E7A0E113112522FD793591E768891EA393D9A0E
SHA-256:	BFF78BDFAFB875E4A4D27000CBFA0DA63BFF8E2E4E9B88D493DC2B00FD0D0A9F
SHA-512:	9A63E48966468D7B5858DCF01A9985148278E1B9BF7DE978CE701620B0A259B8B98774A7143455FB2E7A50A1A4B90C9C4B2793252ECA5E004E8BC382FE8238A0
Malicious:	false
Preview:	..............`.......(.......<.......................................LGD./,.2/-.520.853.A=:.FB?.JFC.HDA....." ......%#!.MIE.;85.(&$.>;8.....+)'.C@=..................%.>BE.<N]."(-.%+0.B...C...C...C...Az..B{..D}..>j..K[j.AKT.GQZ.,...0...+...4...7.......:...6...2...=...)g..@...9...8...C...?...8...4w..0l..,b..(X..D...7y..>...3h../]..:t..$Fi.3`..6c../V}.G...9e..5[..Gr..Hs..8Wu.Ei..1Jc.Hl..4Me.=P.7Og..,9... .E\r.Jaw.)5A.6AL.CMW.FIL......t.......}.......g...U.. ... ...$...$...(....m...[...I...S...^..+}..!Y..n...%=..=d. Jv.%U...(@.$Mx. ;X.$>Z..#2.-?R.#/<.FOY..W...O...w...h...Q...y...q...{...s...}...u....5..M.......-Z..P...F...4^.. 0......&5.038...............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Trading Station Publisher.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Icon number=0, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	3077
Entropy (8bit):	2.972226371666541
Encrypted:	false
SSDEEP:	24:8ARGkd1LX6b0ZymCFpTO3+z8y4vQO4844d/rkvQO485lRvMfdu1jHevQO48:8FktZtspE+zYIZB4d/IIZAUfdu1j+IZ
MD5:	D5A9C82DA9272CB99F890DD4D3F7B2F4
SHA1:	14859ACAF9D273D78A4976050AA9DA8C09D3B89D
SHA-256:	163EA47D1FC2877EE8A6E50267411F0053F262049E48C10169F885152DF65D86
SHA-512:	4185A29A895613C3CEAC81186F35F4C4B11B8A8CF66596D4F1B45B462EF242B12F59AA4ECCE41D2AF679365C5F0D1EA9B0F0EC584EA7E5F99700F164733931BA
Malicious:	false
Preview:	L..................F.P......................................................u....P.O. .:i.....+00.../C:\...................x.1.....CW;^..Users.d......OwH.Y.6....................:.....K...U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1......Y.6..user.<......CW.^.Y.6..............................j.o.n.e.s.....V.1.....CW.^..AppData.@......CW.^.Y.6...........................%..A.p.p.D.a.t.a.....V.1......Y.6..Roaming.@......CW.^.Y.6..........................._..R.o.a.m.i.n.g.....\.1......Y.6..MICROS~1..D......CW.^.Y.6...........................8..M.i.c.r.o.s.o.f.t.....\.1......Y.6..INSTAL~1..D.......Y.6.Y.6....y.....................C'..I.n.s.t.a.l.l.e.r.......1......Y.6..{C9F02~1..~.......Y.6.Y.6.....#.......................{.C.9.F.0.2.3.1.D.-.7.C.8.2.-.4.D.3.D.-.B.C.5.C.-.9.8.F.D.A.8.0.9.C.5.A.A.}.......2.v....Y.6!._BB9EE~1.EXE..h.......Y.6.Y.6.....+......................._.B.B.9.E.E.C.D.A.4.E.8.1.0.B.D.E.C.D.5.2.5.8...e.x.e.......U.....\.....\.....\.I.n.s.t.a.l.l.e.r

C:\Users\user\Desktop\Trading Station Publisher.lnk

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Icon number=0, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	3117
Entropy (8bit):	2.987618086075137
Encrypted:	false
SSDEEP:	24:8ARGkd1LX6b0ZymCFpTO3IxRkvQOFX4d/rkvQOF8lRvMfdu1jHvbIENDvQOF:8FktZtspEhIy4d/IIXUfdu1jPbjDI
MD5:	82C6C8B78FE0B9662650A02AF34FC145
SHA1:	6CACF22E033522DADFB552C90EC06A0489A63520
SHA-256:	EA841DF56A1E9BED5EA2E78E56383CD1924B1F3F73F3202DAF10246EB39BB9B3
SHA-512:	2C48F8D488D3D97319B802139FA54C3C5792F580D5984617A37A22D9D898545452E6D47E8E444BABBEA87438BD01205F763D6880BC598E98DD46090AB0D493B0
Malicious:	false
Preview:	L..................F.P......................................................u....P.O. .:i.....+00.../C:\...................x.1.....CW;^..Users.d......OwH.Y.6....................:.....K...U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1......Y.6..user.<......CW.^.Y.6..............................j.o.n.e.s.....V.1.....CW.^..AppData.@......CW.^.Y.6...........................%..A.p.p.D.a.t.a.....V.1......Y.6..Roaming.@......CW.^.Y.6..........................._..R.o.a.m.i.n.g.....\.1......Y.6..MICROS~1..D......CW.^.Y.6...........................8..M.i.c.r.o.s.o.f.t.....\.1......Y.6..INSTAL~1..D.......Y.6.Y.6....y.....................C'..I.n.s.t.a.l.l.e.r.......1......Y.6..{C9F02~1..~.......Y.6.Y.6.....#.......................{.C.9.F.0.2.3.1.D.-.7.C.8.2.-.4.D.3.D.-.B.C.5.C.-.9.8.F.D.A.8.0.9.C.5.A.A.}.......2.v....Y.6!._D7ED1~1.EXE..h.......Y.6.Y.6....d+......................._.D.7.E.D.1.7.9.2.E.3.B.E.1.F.3.3.D.0.B.D.F.7...e.x.e.......i.....\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g

C:\Windows\Installer\685ad8.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Create Time/Date: Mon Jun 21 08:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: Intel;1033, Number of Pages: 200, Revision Number: {38E8AABD-CF58-4632-80B8-4A82F220D6A0}, Title: Trading Station Publisher, Author: Myfxbook Ltd, Number of Words: 2, Last Saved Time/Date: Tue Jul 4 07:50:13 2023, Last Printed: Tue Jul 4 07:50:13 2023
Category:	dropped
Size (bytes):	2931712
Entropy (8bit):	7.819782117088115
Encrypted:	false
SSDEEP:	49152:VAkYicL5MDIaVlizXL9vSbTxzepmXItHSNXXg60/3xrka6V1xQ+jqdIviB8xbjN0:bYic5Mr+XxvSbV5XIty9t0/3Rkz+4Dxb
MD5:	A0B0622CA3973228B148E5F246080B63
SHA1:	A57B550318880F3A61E172B0B7663BCDB57A23C1
SHA-256:	2E1E0F1E3633C8CD7BC11FC6574A93F0E7DBD76A3FA6EF2027ECDF0C03C90DB2
SHA-512:	7B75B61D9135D2EA88155D12CD2BDAFF0575DC7EFDCB73F786C476F4E44EA18F51BEC60AA484521A5F577693FACF5BC52018B355A9B24361A84E4016F4FA01DA
Malicious:	false
Preview:	......................>...................-...............8...................o...p...q...r...s.......(...............................................................................................................................................................................................................................................................................................................................................................................................................................Z................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...F...i...:...;...<...=...>...?...@...A...B...C...D...Y.......G...H...I...J...K...L...M...........P...Q...R...S...T...U...V...W...X...[...a...d...\...]...^..._...`...g...b...c...j...e...f...E...h...k.......N...l...m...n...........................u...v...w...x...y...z...

C:\Windows\Installer\685ada.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Create Time/Date: Mon Jun 21 08:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: Intel;1033, Number of Pages: 200, Revision Number: {38E8AABD-CF58-4632-80B8-4A82F220D6A0}, Title: Trading Station Publisher, Author: Myfxbook Ltd, Number of Words: 2, Last Saved Time/Date: Tue Jul 4 07:50:13 2023, Last Printed: Tue Jul 4 07:50:13 2023
Category:	dropped
Size (bytes):	2931712
Entropy (8bit):	7.819782117088115
Encrypted:	false
SSDEEP:	49152:VAkYicL5MDIaVlizXL9vSbTxzepmXItHSNXXg60/3xrka6V1xQ+jqdIviB8xbjN0:bYic5Mr+XxvSbV5XIty9t0/3Rkz+4Dxb
MD5:	A0B0622CA3973228B148E5F246080B63
SHA1:	A57B550318880F3A61E172B0B7663BCDB57A23C1
SHA-256:	2E1E0F1E3633C8CD7BC11FC6574A93F0E7DBD76A3FA6EF2027ECDF0C03C90DB2
SHA-512:	7B75B61D9135D2EA88155D12CD2BDAFF0575DC7EFDCB73F786C476F4E44EA18F51BEC60AA484521A5F577693FACF5BC52018B355A9B24361A84E4016F4FA01DA
Malicious:	false
Preview:	......................>...................-...............8...................o...p...q...r...s.......(...............................................................................................................................................................................................................................................................................................................................................................................................................................Z................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...F...i...:...;...<...=...>...?...@...A...B...C...D...Y.......G...H...I...J...K...L...M...........P...Q...R...S...T...U...V...W...X...[...a...d...\...]...^..._...`...g...b...c...j...e...f...E...h...k.......N...l...m...n...........................u...v...w...x...y...z...

C:\Windows\Installer\MSI5C10.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	305152
Entropy (8bit):	6.504247783181216
Encrypted:	false
SSDEEP:	6144:ruAOGlvgiHqfcTmGZ8009t0svTPxmx4yAyA5bDB+urH+nPAMyoZ3:iclvgiHAcTmS80g9vTMx4yAyA5b0urH0
MD5:	684F2D21637CB5835172EDAD55B6A8D9
SHA1:	5EAC3B8D0733AA11543248B769D7C30D2C53FCDB
SHA-256:	DA1FE86141C446921021BB26B6FE2BD2D1BB51E3E614F46F8103FFAD8042F2C0
SHA-512:	7B626C2839AC7DF4DD764D52290DA80F40F7C02CB70C8668A33AD166B0BCB0C1D4114D08A8754E0AE9C0210129AE7E885A90DF714CA79BD946FBD8009848538C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|U..84..84..84...Z..;4......;4...U..<4....0.54....2..4....3.%4...Y..j4...Y..)4...Y..-4......#4..84..f5...Z..$4...Z..94...Z>.94...Z..94..Rich84..........PE..L...p..a.........."!.....N...v...............`......................................O.....@..........................Z..:.......................................l....(..T...........................X(..@............................................text....L.......N.................. ..`.data...<....`.......R..............@....idata...............b..............@..@.rsrc................r..............@..@.reloc..l........0...x..............@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI5C5F.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	305152
Entropy (8bit):	6.504247783181216
Encrypted:	false
SSDEEP:	6144:ruAOGlvgiHqfcTmGZ8009t0svTPxmx4yAyA5bDB+urH+nPAMyoZ3:iclvgiHAcTmS80g9vTMx4yAyA5b0urH0
MD5:	684F2D21637CB5835172EDAD55B6A8D9
SHA1:	5EAC3B8D0733AA11543248B769D7C30D2C53FCDB
SHA-256:	DA1FE86141C446921021BB26B6FE2BD2D1BB51E3E614F46F8103FFAD8042F2C0
SHA-512:	7B626C2839AC7DF4DD764D52290DA80F40F7C02CB70C8668A33AD166B0BCB0C1D4114D08A8754E0AE9C0210129AE7E885A90DF714CA79BD946FBD8009848538C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|U..84..84..84...Z..;4......;4...U..<4....0.54....2..4....3.%4...Y..j4...Y..)4...Y..-4......#4..84..f5...Z..$4...Z..94...Z>.94...Z..94..Rich84..........PE..L...p..a.........."!.....N...v...............`......................................O.....@..........................Z..:.......................................l....(..T...........................X(..@............................................text....L.......N.................. ..`.data...<....`.......R..............@....idata...............b..............@..@.rsrc................r..............@..@.reloc..l........0...x..............@..B................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI5CBE.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	17709
Entropy (8bit):	5.967159757517172
Encrypted:	false
SSDEEP:	384:hCMU0M5dSdsRJDhDCk4N6RyUuzuOu304rA0We:hCMusdsR6NeuzuOuEDW
MD5:	7AE499BEEC2789AD61D50444C1F4669F
SHA1:	8BB1F846B3CFB59D56CBFB527EFC07E0E0704626
SHA-256:	D6E0AD851DACBF06C3700C66CAFAF15B9CFFB549AC335D086BD44243F1BC00FF
SHA-512:	BC2164D9C53340BAE0DDF1560BFF1870644672B1F6D3B72A532542905A6620940924C6E31E2C5422293CE46945B8B2F136CD50E80C326B6FCEF81D434FFA0B42
Malicious:	false
Preview:	...@IXOS.@.....@...Y.@.....@.....@.....@.....@.....@......&.{C9F0231D-7C82-4D3D-BC5C-98FDA809C5AA}..Trading Station Publisher..TradingStationPublisher.msi.@.....@.....@.....@......_853F67D554F05449430E7E.exe..&.{38E8AABD-CF58-4632-80B8-4A82F220D6A0}.....@.....@.....@.....@.......@.....@.....@.......@......Trading Station Publisher......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{845AF08E-A028-7924-3451-AF6ECBF9865E}I.C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\msvcr80.dll.@.......@.....@.....@......&.{61C2DF3B-3E02-435E-ED90-A5A5D505D784}I.C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gsexpat.dll.@.......@.....@.....@......&.{EBB273E9-778D-3428-1F17-DB809DDE2B62}F.C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\hash.dat.@.......@.....@.....@......&.{BC9A1375-1470-F1E0-B12D-2B8EDFC54470}N.C:\Program Fil

C:\Windows\Installer\SourceHash{C9F0231D-7C82-4D3D-BC5C-98FDA809C5AA}

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.1710781429389707
Encrypted:	false
SSDEEP:	12:JSbX72FjpQliAGiLIlHVRp2h/7777777777777777777777777vDHFtE15YkNl0G:JoIQI5OnE15YfF
MD5:	0DD579BD86F17AAF13634BD242C39B9F
SHA1:	8D439CD0C5AA8B4224D4FF9A920FD5F757040632
SHA-256:	285B50EE4C30F31F30DB665BB382C164EF5E915BA0521C7100001954BAFF56CC
SHA-512:	CF46F8D44299437CE36E4213820863D7E264111C4D0CDEDFC0D60E0F9BD6417116B607F460420387FA41C0EC22EA1A9D200638A0FFF6FD1EDB5D658BDAF48707
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\inprogressinstallinfo.ipi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.627875271205442
Encrypted:	false
SSDEEP:	48:e8PhwuRc06WXJ+jT5wiHbQSkdm5ls4pW5ls4gooXrzSkdDTz:Rhw1VjTBHkEf
MD5:	4E121B6CAB7CB38B7850A3184A045D81
SHA1:	F75C8C3C0077749F166BF71F6800BCFB74D4BE26
SHA-256:	50E06D8CC248F230216654944F1F090A2E702C8DA8F899ED3E1C928D9991AFB4
SHA-512:	D1AA6D8B2E9966425E4697BFCDD67217817AFB137954A829C2DFCFCA7736C6D9D4DA54A82BC1501FA1122479A3A0F74CBA0B7520EF6168EEFB92C61B20B1A716
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	432221
Entropy (8bit):	5.375179731496798
Encrypted:	false
SSDEEP:	1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauN:zTtbmkExhMJCIpErY
MD5:	A15480E26D8210C21F0483EC32BD3BF2
SHA1:	39AC467FE50CB33B22F9E0F1176AA1A072F38D2B
SHA-256:	F4C44B22FCE17B9444A4F1E5DECC3F214C085CC76EF202DCB48DA3369A11C24B
SHA-512:	7499CF38853F917993B2536A70F7A1C2652F6BE3656E35B40EB8FFC74D2B2B71DBCF2D1BC02EADD81DC01FF877F311DE0FEA197D411A4744EC4D2D54344D23A8
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

C:\Windows\Temp\~DF17E8BB0EEC5F308C.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF2644C9926A78DCE0.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF64E116F222740F5B.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF6CA362C3AA904E35.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.627875271205442
Encrypted:	false
SSDEEP:	48:e8PhwuRc06WXJ+jT5wiHbQSkdm5ls4pW5ls4gooXrzSkdDTz:Rhw1VjTBHkEf
MD5:	4E121B6CAB7CB38B7850A3184A045D81
SHA1:	F75C8C3C0077749F166BF71F6800BCFB74D4BE26
SHA-256:	50E06D8CC248F230216654944F1F090A2E702C8DA8F899ED3E1C928D9991AFB4
SHA-512:	D1AA6D8B2E9966425E4697BFCDD67217817AFB137954A829C2DFCFCA7736C6D9D4DA54A82BC1501FA1122479A3A0F74CBA0B7520EF6168EEFB92C61B20B1A716
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF771C0CDFFF9C296B.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2984911690083623
Encrypted:	false
SSDEEP:	48:bZ4uDJveFXJZT5PiHbQSkdm5ls4pW5ls4gooXrzSkdDTz:N4nxTsHkEf
MD5:	8A0259547FE3A8D1F8633559BB8EFEC1
SHA1:	7EEEB5FF37351EFD01F4D5FB61DECDB239DE2154
SHA-256:	BC06D9ED77F80EC3537A1172DD73B1BF1CD73AF15F7D4F10C675BC6DF5705136
SHA-512:	88385D01162F571D6DE675140ED6AD55FF805066790AFE7BA9083381AE03864B70AAF6B58967032484D2BAB659AF0E0B4489DD0AD518EA610AED4DFE8A03C100
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF7E721A1F1407846A.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	1.627875271205442
Encrypted:	false
SSDEEP:	48:e8PhwuRc06WXJ+jT5wiHbQSkdm5ls4pW5ls4gooXrzSkdDTz:Rhw1VjTBHkEf
MD5:	4E121B6CAB7CB38B7850A3184A045D81
SHA1:	F75C8C3C0077749F166BF71F6800BCFB74D4BE26
SHA-256:	50E06D8CC248F230216654944F1F090A2E702C8DA8F899ED3E1C928D9991AFB4
SHA-512:	D1AA6D8B2E9966425E4697BFCDD67217817AFB137954A829C2DFCFCA7736C6D9D4DA54A82BC1501FA1122479A3A0F74CBA0B7520EF6168EEFB92C61B20B1A716
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF87E40AF1FBC90FF0.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.07706497333076831
Encrypted:	false
SSDEEP:	6:2/9LG7iVCnLG7iVrKOzPLHKOtnE+KtKO83Ny1qVky6l9X:2F0i8n0itFzDHFtE15YkN
MD5:	31CD0FCC52C7BEA2D1421D82471DBEC7
SHA1:	F1D59DB4D83513A31B1798F58CA9A5A56B7DBED0
SHA-256:	39107761FB5B6C7C7549143FE7EF11BD8534F8E249E4E7A001B14DC5AF67E799
SHA-512:	96FD794135BD0550026E1E54C463243E84A6A35E917CBF0348A4DD58DB8F41F7A68614A0B12515677A78643472974575323E110FB40D2583B16C0F301D647F03
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DF9C70C067C5203211.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2984911690083623
Encrypted:	false
SSDEEP:	48:bZ4uDJveFXJZT5PiHbQSkdm5ls4pW5ls4gooXrzSkdDTz:N4nxTsHkEf
MD5:	8A0259547FE3A8D1F8633559BB8EFEC1
SHA1:	7EEEB5FF37351EFD01F4D5FB61DECDB239DE2154
SHA-256:	BC06D9ED77F80EC3537A1172DD73B1BF1CD73AF15F7D4F10C675BC6DF5705136
SHA-512:	88385D01162F571D6DE675140ED6AD55FF805066790AFE7BA9083381AE03864B70AAF6B58967032484D2BAB659AF0E0B4489DD0AD518EA610AED4DFE8A03C100
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFAB99B570AB83F240.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFD4319B94E9DB9C69.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	1.2984911690083623
Encrypted:	false
SSDEEP:	48:bZ4uDJveFXJZT5PiHbQSkdm5ls4pW5ls4gooXrzSkdDTz:N4nxTsHkEf
MD5:	8A0259547FE3A8D1F8633559BB8EFEC1
SHA1:	7EEEB5FF37351EFD01F4D5FB61DECDB239DE2154
SHA-256:	BC06D9ED77F80EC3537A1172DD73B1BF1CD73AF15F7D4F10C675BC6DF5705136
SHA-512:	88385D01162F571D6DE675140ED6AD55FF805066790AFE7BA9083381AE03864B70AAF6B58967032484D2BAB659AF0E0B4489DD0AD518EA610AED4DFE8A03C100
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE46B22D1505AEE55.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Temp\~DFE9ED549134836D65.TMP

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	0.1706931399016165
Encrypted:	false
SSDEEP:	24:hOFvb+ipV+dcipV+d+P55LsERI8q1qs55LsERgoV2BwG+KZkg6bA+a:hMT+SkdcSkdm5ls4pW5ls4gooXr6bAT
MD5:	08F7831ED387A3FC089B9C965FC53BD6
SHA1:	F75EB66169959F242A40C5DAD87468FC00DF751F
SHA-256:	5BBA32AA38D43AFCFB6D97D2D215806D5D965C68CCA14CCD8625A075E581BB2A
SHA-512:	13DF7AD7056F6C39D6F0227C0F7635EA6B8D65C90D6A566FBC6C85E0F68E28C59C275B4512875C2AF330DAE91D26F66A23CF49559106814DB2C8ACB0EFCCE672
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Create Time/Date: Mon Jun 21 08:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: Intel;1033, Number of Pages: 200, Revision Number: {38E8AABD-CF58-4632-80B8-4A82F220D6A0}, Title: Trading Station Publisher, Author: Myfxbook Ltd, Number of Words: 2, Last Saved Time/Date: Tue Jul 4 07:50:13 2023, Last Printed: Tue Jul 4 07:50:13 2023
Entropy (8bit):	7.819782117088115
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	TradingStationPublisher.msi
File size:	2'931'712 bytes
MD5:	a0b0622ca3973228b148e5f246080b63
SHA1:	a57b550318880f3a61e172b0b7663bcdb57a23c1
SHA256:	2e1e0f1e3633c8cd7bc11fc6574a93f0e7dbd76a3fa6ef2027ecdf0c03c90db2
SHA512:	7b75b61d9135d2ea88155d12cd2bdaff0575dc7efdcb73f786c476f4e44ea18f51bec60aa484521a5f577693facf5bc52018b355a9b24361a84e4016f4fa01da
SSDEEP:	49152:VAkYicL5MDIaVlizXL9vSbTxzepmXItHSNXXg60/3xrka6V1xQ+jqdIviB8xbjN0:bYic5Mr+XxvSbV5XIty9t0/3Rkz+4Dxb
TLSH:	C9D52311B6C79632D2BB0530796AA3B02B7D7C205CF1890FE394766D2D3269063B5FA7
File Content Preview:	........................>...................-...............8...................o...p...q...r...s.......(......................................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: msiexec.exePID: 7496, Parent PID: 2580

General

Target ID:	0
Start time:	02:53:35
Start date:	31/08/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\TradingStationPublisher.msi"
Imagebase:	0x7ff6c10a0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: msiexec.exePID: 7548, Parent PID: 620

General

Target ID:	1
Start time:	02:53:35
Start date:	31/08/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff6c10a0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: msiexec.exePID: 7596, Parent PID: 7548

General

Target ID:	2
Start time:	02:53:35
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding D01A3FF5829F0F5B771FA5AB009E87F8 C
Imagebase:	0x370000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: msiexec.exePID: 8148, Parent PID: 7548

General

Target ID:	6
Start time:	02:54:46
Start date:	31/08/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding B3CFD1C5B1A07D95A7F37C5DD98B4186
Imagebase:	0x370000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TradingStationPublisher.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\685ad9.rbs

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\ForexConnect.dll

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\Microsoft.VC80.CRT.manifest

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\Order2Go2.dll

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\Trading_Station_Publisher.exe

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\Trading_Station_Publisher.exe.config

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\fxcmlogger.dll

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\fxcmrtmp.dll

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\fxcore2.dll

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\fxmsg.dll

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\fxtp.dll

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gsexpat.dll

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gslibeay32.dll

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gsssleay32.dll

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gstool2.dll

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gstool3.dll

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\gszlib.dll

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\hash.dat

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\httplib.dll

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\icon3.ico

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\log4cplus.dll

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\msvcp80.dll

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\msvcr80.dll

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\pdas.dll

C:\Program Files (x86)\Myfxbook Ltd\Trading Station Publisher\rtmptp.dll

Windows Analysis Report
TradingStationPublisher.msi