Edit tour

Windows Analysis Report
app__v7.3.5_.msi

Overview

General Information

Sample name:	app__v7.3.5_.msi
Analysis ID:	1523421
MD5:	2d6151dbbbb50c077564ef7ffc971a4e
SHA1:	b67ec6dd683f5f8b12d52aa79aeee9a498380589
SHA256:	2eae05e829f353c9a8d01683187eb759dbf73f90ccd435f03d46761b03247fbd
Tags:	msiRobotDropperuser-aachum
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Suricata IDS alerts for network traffic

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Creates files inside the system directory

Deletes files inside the Windows folder

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Msiexec Initiated Connection

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 7548 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\app__v7.3.5_.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7580 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7660 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 01297D2E2EDE3162BB91A5AD2CF048CC MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Sigma Signatures

Sigma detected: Msiexec Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 104.21.1.209, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7660, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 63583

Suricata Signatures

ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-01T15:52:32.919981+0200	2829202	1	A Network Trojan was detected	192.168.2.4	63583	104.21.1.209	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: unknown

HTTPS traffic detected: 104.21.1.209:443 -> 192.168.2.4:63583 version: TLS 1.2

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.1.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: app__v7.3.5_.msi, 480495.msi.1.dr
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: app__v7.3.5_.msi, 480495.msi.1.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: app__v7.3.5_.msi, MSID34.tmp.1.dr, 480495.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: app__v7.3.5_.msi, 480495.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: app__v7.3.5_.msi, 480495.msi.1.dr
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\tempFiles.pdb- source: app__v7.3.5_.msi, 480495.msi.1.dr, MSIDF.tmp.1.dr
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.1.dr
Source:	Binary string: D:\git-sdk-64-build-installers\usr\src\MINGW-packages\mingw-w64-git\src\git\git-bash.pdb source: git-bash.exe.1.dr
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.1.dr
Source:	Binary string: D:\git-sdk-64-build-installers\usr\src\MINGW-packages\mingw-w64-git\src\git\cmd\git-gui.pdb source: git-gui.exe.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: app__v7.3.5_.msi, 480495.msi.1.dr
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: app__v7.3.5_.msi, MSIC95.tmp.1.dr, 480495.msi.1.dr, MSIAF.tmp.1.dr, MSICD5.tmp.1.dr, MSIDD3.tmp.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\tempFiles.pdb source: app__v7.3.5_.msi, 480495.msi.1.dr, MSIDF.tmp.1.dr
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.1.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.4:63583 -> 104.21.1.209:443

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: check-key.com

Source: unknown

HTTP traffic detected: POST /licenseUser.php HTTP/1.1Content-Type: application/x-www-form-urlencoded; charset=utf-8User-Agent: AdvancedInstallerHost: check-key.comContent-Length: 110Cache-Control: no-cache

Source: app__v7.3.5_.msi, 480495.msi.1.dr	String found in binary or memory: http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor
Source: git-gui.exe.1.dr, git-bash.exe.1.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: git-gui.exe.1.dr, git-bash.exe.1.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: smartgitc.exe.1.dr, smartgit-updater.exe.1.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0V
Source: smartgitc.exe.1.dr, smartgit-updater.exe.1.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl0
Source: smartgitc.exe.1.dr, smartgit-updater.exe.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: git-gui.exe.1.dr, git-bash.exe.1.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: git-gui.exe.1.dr, git-bash.exe.1.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: git-gui.exe.1.dr, git-bash.exe.1.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: git-gui.exe.1.dr, git-bash.exe.1.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: git-gui.exe.1.dr, git-bash.exe.1.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: git-gui.exe.1.dr, git-bash.exe.1.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: app__v7.3.5_.msi, 480495.msi.1.dr	String found in binary or memory: http://docs.jquery.com/License
Source: app__v7.3.5_.msi, 480495.msi.1.dr	String found in binary or memory: http://erik.eae.net/archives/2007/07/27/18.54.15/#comment-102291
Source: app__v7.3.5_.msi, 480495.msi.1.dr	String found in binary or memory: http://fluidproject.org/blog/2008/01/09/getting-setting-and-removing-tabindex-values-with-javascript
Source: chrome_elf.dll.1.dr	String found in binary or memory: http://https:///true1...
Source: app__v7.3.5_.msi, 480495.msi.1.dr	String found in binary or memory: http://javascript.nwbox.com/IEContentLoaded/
Source: app__v7.3.5_.msi, 480495.msi.1.dr	String found in binary or memory: http://jquery.com/
Source: git-gui.exe.1.dr, git-bash.exe.1.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: smartgitc.exe.1.dr, smartgit-updater.exe.1.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: smartgitc.exe.1.dr, smartgit-updater.exe.1.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
Source: smartgitc.exe.1.dr, smartgit-updater.exe.1.dr	String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: git-gui.exe.1.dr, git-bash.exe.1.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: smartgitc.exe.1.dr, smartgit-updater.exe.1.dr	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: smartgitc.exe.1.dr, smartgit-updater.exe.1.dr	String found in binary or memory: http://s.symcd.com06
Source: smartgitc.exe.1.dr, smartgit-updater.exe.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: smartgitc.exe.1.dr, smartgit-updater.exe.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
Source: smartgitc.exe.1.dr, smartgit-updater.exe.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: app__v7.3.5_.msi, 480495.msi.1.dr	String found in binary or memory: http://sizzlejs.com/
Source: smartgitc.exe.1.dr, smartgit-updater.exe.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: smartgitc.exe.1.dr, smartgit-updater.exe.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: smartgitc.exe.1.dr, smartgit-updater.exe.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: app__v7.3.5_.msi, 480495.msi.1.dr	String found in binary or memory: http://webreflection.blogspot.com/2007/08/global-scope-evaluation-and-dom.html
Source: app__v7.3.5_.msi, 480495.msi.1.dr	String found in binary or memory: https://check-key.com/licenseUser.phpDoAppSearchExAI_SET_RESUMEAI_SET_INSTALLSendCollectedDataAI_Ext
Source: smartgitc.exe.1.dr, smartgit-updater.exe.1.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: smartgitc.exe.1.dr, smartgit-updater.exe.1.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: smartgitc.exe.1.dr, smartgit-updater.exe.1.dr	String found in binary or memory: https://d.symcb.com/rpa0.
Source: git-gui.exe.1.dr, git-bash.exe.1.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: smartgitc.exe.1.dr, smartgit-updater.exe.1.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63583
Source: unknown	Network traffic detected: HTTP traffic on port 63583 -> 443

Source: unknown

HTTPS traffic detected: 104.21.1.209:443 -> 192.168.2.4:63583 version: TLS 1.2

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\480495.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAA0.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC95.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICD5.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICF5.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID34.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID93.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDD3.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAF.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDF.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2F4.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI333.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{3E28EEFE-5291-43E1-AA61-E4D35B611491}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9AC.tmp	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIAA0.tmp

Jump to behavior

Source: git.exe0.1.dr	Static PE information: Number of sections : 13 > 10
Source: git-cmd.exe.1.dr	Static PE information: Number of sections : 13 > 10
Source: bash.exe.1.dr	Static PE information: Number of sections : 13 > 10
Source: git-bash.exe.1.dr	Static PE information: Number of sections : 13 > 10
Source: gitk.exe.1.dr	Static PE information: Number of sections : 13 > 10
Source: sh.exe.1.dr	Static PE information: Number of sections : 13 > 10
Source: scalar.exe.1.dr	Static PE information: Number of sections : 13 > 10
Source: git-gui.exe.1.dr	Static PE information: Number of sections : 13 > 10
Source: chrome_elf.dll.1.dr	Static PE information: Number of sections : 12 > 10
Source: git.exe.1.dr	Static PE information: Number of sections : 13 > 10

Source: api-ms-win-core-string-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found

Source: app__v7.3.5_.msi	Binary or memory string: tLegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.L$OriginalFilenameVC_redist.x64.exe vs app__v7.3.5_.msi
Source: app__v7.3.5_.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs app__v7.3.5_.msi
Source: app__v7.3.5_.msi	Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs app__v7.3.5_.msi
Source: app__v7.3.5_.msi	Binary or memory string: OriginalFilenamePrereq.dllF vs app__v7.3.5_.msi
Source: app__v7.3.5_.msi	Binary or memory string: OriginalFilenameMsiTempFiles.dllF vs app__v7.3.5_.msi
Source: app__v7.3.5_.msi	Binary or memory string: OriginalFilenameDataUploader.dllF vs app__v7.3.5_.msi

Source: classification engine

Classification label: mal48.winMSI@4/118@1/1

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CMLA8C.tmp

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSI92e8e.LOG

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\app__v7.3.5_.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 01297D2E2EDE3162BB91A5AD2CF048CC
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 01297D2E2EDE3162BB91A5AD2CF048CC	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: app__v7.3.5_.msi

Static file information: File size 57166336 > 1048576

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.1.dr
Source:	Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: app__v7.3.5_.msi, 480495.msi.1.dr
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: app__v7.3.5_.msi, 480495.msi.1.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: app__v7.3.5_.msi, MSID34.tmp.1.dr, 480495.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: app__v7.3.5_.msi, 480495.msi.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: app__v7.3.5_.msi, 480495.msi.1.dr
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\tempFiles.pdb- source: app__v7.3.5_.msi, 480495.msi.1.dr, MSIDF.tmp.1.dr
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.1.dr
Source:	Binary string: D:\git-sdk-64-build-installers\usr\src\MINGW-packages\mingw-w64-git\src\git\git-bash.pdb source: git-bash.exe.1.dr
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.1.dr
Source:	Binary string: D:\git-sdk-64-build-installers\usr\src\MINGW-packages\mingw-w64-git\src\git\cmd\git-gui.pdb source: git-gui.exe.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: app__v7.3.5_.msi, 480495.msi.1.dr
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: app__v7.3.5_.msi, MSIC95.tmp.1.dr, 480495.msi.1.dr, MSIAF.tmp.1.dr, MSICD5.tmp.1.dr, MSIDD3.tmp.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\tempFiles.pdb source: app__v7.3.5_.msi, 480495.msi.1.dr, MSIDF.tmp.1.dr
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.1.dr

Source: api-ms-win-crt-stdio-l1-1-0.dll.1.dr

Static PE information: 0xF676C81F [Wed Jan 12 13:26:55 2101 UTC]

Source: NVIDIA GeForce Experience.exe.1.dr	Static PE information: section name: .oldntma
Source: NVIDIA GeForce Experience.exe.1.dr	Static PE information: section name: .crthunk
Source: NVIDIA GeForce Experience.exe.1.dr	Static PE information: section name: _RDATA
Source: libEGL.dll.1.dr	Static PE information: section name: .00cfg
Source: libEGL.dll.1.dr	Static PE information: section name: .gehcont
Source: libGLESv2.dll.1.dr	Static PE information: section name: .00cfg
Source: libGLESv2.dll.1.dr	Static PE information: section name: .gehcont
Source: node.dll.1.dr	Static PE information: section name: .00cfg
Source: chrome_elf.dll.1.dr	Static PE information: section name: .00cfg
Source: chrome_elf.dll.1.dr	Static PE information: section name: .crthunk
Source: chrome_elf.dll.1.dr	Static PE information: section name: .oldntma
Source: chrome_elf.dll.1.dr	Static PE information: section name: CPADinfo
Source: smartgit-updater.exe.1.dr	Static PE information: section name: .xdata
Source: bash.exe.1.dr	Static PE information: section name: .xdata
Source: bash.exe.1.dr	Static PE information: section name: .debug
Source: git.exe.1.dr	Static PE information: section name: .xdata
Source: git.exe.1.dr	Static PE information: section name: .debug
Source: sh.exe.1.dr	Static PE information: section name: .xdata
Source: sh.exe.1.dr	Static PE information: section name: .debug
Source: git-gui.exe.1.dr	Static PE information: section name: .xdata
Source: git-gui.exe.1.dr	Static PE information: section name: .debug
Source: git.exe0.1.dr	Static PE information: section name: .xdata
Source: git.exe0.1.dr	Static PE information: section name: .debug
Source: gitk.exe.1.dr	Static PE information: section name: .xdata
Source: gitk.exe.1.dr	Static PE information: section name: .debug
Source: scalar.exe.1.dr	Static PE information: section name: .xdata
Source: scalar.exe.1.dr	Static PE information: section name: .debug
Source: git-bash.exe.1.dr	Static PE information: section name: .xdata
Source: git-bash.exe.1.dr	Static PE information: section name: .debug
Source: git-cmd.exe.1.dr	Static PE information: section name: .xdata
Source: git-cmd.exe.1.dr	Static PE information: section name: .debug
Source: UnRAR.exe.1.dr	Static PE information: section name: _RDATA
Source: MSID34.tmp.1.dr	Static PE information: section name: .didat
Source: MSI2F4.tmp.1.dr	Static PE information: section name: .didat

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\NVIDIA GeForce Experience.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\chrome_elf.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\smartgitc.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICD5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\bin\sh.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDD3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\libEGL.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\bin\git.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAA0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\cmd\git.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\cmd\git-gui.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID34.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICF5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\bin\bash.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\smartgit.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2F4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID93.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-private-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\node.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC95.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\smartgit-updater.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\Required\jvm.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\libGLESv2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\git-cmd.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\UnRAR.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI333.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\git-bash.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\cmd\scalar.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\cmd\gitk.exe	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC95.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAA0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIAF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID34.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIDD3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICF5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI333.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2F4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID93.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSICD5.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\NVIDIA GeForce Experience.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\chrome_elf.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\smartgitc.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSICD5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\bin\sh.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIDD3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\libEGL.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\bin\git.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIAA0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\cmd\git.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\cmd\git-gui.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSID34.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\bin\bash.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSICF5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\smartgit.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2F4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSID93.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-private-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\node.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC95.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\smartgit-updater.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\Required\jvm.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIAF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\libGLESv2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIDF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\git-cmd.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\UnRAR.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI333.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\git-bash.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\cmd\scalar.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\cmd\gitk.exe	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: 480495.msi.1.dr

Binary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	21 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Timestomp	Security Account Manager	11 Peripheral Device Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\NVIDIA GeForce Experience.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\Required\jvm.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\UnRAR.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-core-profile-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-core-rtlsupport-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-core-string-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-core-synch-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-core-synch-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-core-sysinfo-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-core-timezone-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-core-util-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-conio-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-convert-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-environment-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-filesystem-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-heap-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-locale-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-math-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-multibyte-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-private-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-process-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-runtime-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-stdio-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-string-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\api-ms-win-crt-time-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\chrome_elf.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\d3dcompiler_47.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\bin\bash.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\bin\git.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\bin\sh.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\cmd\git-gui.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\cmd\git.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\cmd\gitk.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\cmd\scalar.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\git-bash.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\git-cmd.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\libEGL.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\libGLESv2.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\node.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\smartgit-updater.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\smartgit.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\smartgitc.exe	0%	ReversingLabs
C:\Windows\Installer\MSI2F4.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI333.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIAA0.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIAF.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIC95.tmp	0%	ReversingLabs
C:\Windows\Installer\MSICD5.tmp	0%	ReversingLabs
C:\Windows\Installer\MSICF5.tmp	0%	ReversingLabs
C:\Windows\Installer\MSID34.tmp	0%	ReversingLabs
C:\Windows\Installer\MSID93.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIDD3.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIDF.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://sizzlejs.com/	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://jquery.com/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
check-key.com	104.21.1.209	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://check-key.com/licenseUser.php	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	git-gui.exe.1.dr, git-bash.exe.1.dr	false	URL Reputation: safe	unknown
https://check-key.com/licenseUser.phpDoAppSearchExAI_SET_RESUMEAI_SET_INSTALLSendCollectedDataAI_Ext	app__v7.3.5_.msi, 480495.msi.1.dr	false		unknown
https://sectigo.com/CPS0	git-gui.exe.1.dr, git-bash.exe.1.dr	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	git-gui.exe.1.dr, git-bash.exe.1.dr	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	git-gui.exe.1.dr, git-bash.exe.1.dr	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	git-gui.exe.1.dr, git-bash.exe.1.dr	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	git-gui.exe.1.dr, git-bash.exe.1.dr	false	URL Reputation: safe	unknown
http://docs.jquery.com/License	app__v7.3.5_.msi, 480495.msi.1.dr	false		unknown
http://sizzlejs.com/	app__v7.3.5_.msi, 480495.msi.1.dr	false	URL Reputation: safe	unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	git-gui.exe.1.dr, git-bash.exe.1.dr	false	URL Reputation: safe	unknown
http://https:///true1...	chrome_elf.dll.1.dr	false		unknown
http://webreflection.blogspot.com/2007/08/global-scope-evaluation-and-dom.html	app__v7.3.5_.msi, 480495.msi.1.dr	false		unknown
http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgor	app__v7.3.5_.msi, 480495.msi.1.dr	false		unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	git-gui.exe.1.dr, git-bash.exe.1.dr	false	URL Reputation: safe	unknown
http://erik.eae.net/archives/2007/07/27/18.54.15/#comment-102291	app__v7.3.5_.msi, 480495.msi.1.dr	false		unknown
http://fluidproject.org/blog/2008/01/09/getting-setting-and-removing-tabindex-values-with-javascript	app__v7.3.5_.msi, 480495.msi.1.dr	false		unknown
http://javascript.nwbox.com/IEContentLoaded/	app__v7.3.5_.msi, 480495.msi.1.dr	false		unknown
http://jquery.com/	app__v7.3.5_.msi, 480495.msi.1.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.1.209	check-key.com	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523421
Start date and time:	2024-10-01 15:50:34 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	app__v7.3.5_.msi
Detection:	MAL
Classification:	mal48.winMSI@4/118@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .msi Close Viewer

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: app__v7.3.5_.msi

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
check-key.com	app__v7.1.7_.msi	Get hash	malicious	Unknown	Browse	172.67.129.237

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://www.dropbox.com/l/scl/AADL_v5DzsoHwkyegIhk6J0bQm3A7UWklCA	Get hash	malicious	Unknown	Browse	172.66.0.227
	https://k7qo.sarnerholz.cam/APRjVfmk	Get hash	malicious	Unknown	Browse	172.67.179.163
	asegurar.vbs	Get hash	malicious	Remcos	Browse	188.114.97.3
	dcsegura.vbs	Get hash	malicious	AsyncRAT, DcRat	Browse	188.114.97.3
	asegura.vbs	Get hash	malicious	Remcos	Browse	188.114.97.3
	grace.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	e.dll	Get hash	malicious	Dridex Dropper	Browse	104.21.69.9
	Sales_Contract_Main_417053608_09.2024.pdf	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://pt9w4x.nauleacepr.com/9QLzRhIr/#Ygovernment.relations@rolls-royce.com	Get hash	malicious	HTMLPhisher	Browse	104.18.86.42
	https://vwkugoia0yciq0buttompanj2.ntvultra.com/viciorhthvgh/forhwural/coupletri/QdhahVchT/yEjbKM/anNhbGFzQGhvbGxhbmRjby5jb20=	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	e.dll	Get hash	malicious	Dridex Dropper	Browse	104.21.1.209
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.21.1.209
	Passport.vbs	Get hash	malicious	Unknown	Browse	104.21.1.209
	Aj#U00e1nlatk#U00e9r#U00e9s 09-30-2024#U00b7pdf.vbs	Get hash	malicious	GuLoader, Lokibot	Browse	104.21.1.209
	18000012550_20240930_0078864246#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	104.21.1.209
	PRORA#U010cUNSKA ZAHTEVA 09-30-2024#U00b7pdf.vbe	Get hash	malicious	GuLoader, Lokibot	Browse	104.21.1.209
	A 413736796#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	104.21.1.209
	Solicitud de presupuesto 09-30-2024#U00b7pdf.vbs	Get hash	malicious	GuLoader, Lokibot	Browse	104.21.1.209
	SOLICITUD DE PEDIDO (Universidade de S#U00e3o Paulo (USP))09-30-2024#U00b7pdf.vbs	Get hash	malicious	GuLoader, Lokibot	Browse	104.21.1.209
	Recibo de transferencia#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	104.21.1.209

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\NVIDIA GeForce Experience.exe	app__v7.1.7_.msi	Get hash	malicious	Unknown	Browse
	app__v5.20.03.msi	Get hash	malicious	Unknown	Browse
	app__v6.25.3_.msi	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\Required\jvm.dll	app__v7.1.7_.msi	Get hash	malicious	Unknown	Browse
	app__v5.20.03.msi	Get hash	malicious	Unknown	Browse
	app__v6.25.3_.msi	Get hash	malicious	Unknown	Browse
	app__v6.20.9_.msi	Get hash	malicious	Unknown	Browse
	app__v6.20.5_.msi	Get hash	malicious	Unknown	Browse
	app__v6.20.0_.msi	Get hash	malicious	Unknown	Browse
	app__v6.15.9_.msi	Get hash	malicious	Unknown	Browse
	launch-v3.17.msi	Get hash	malicious	Unknown	Browse
	x64__installer___v4.8.6.msi	Get hash	malicious	Unknown	Browse
	x64__installer___v4.7.5.msi	Get hash	malicious	Unknown	Browse

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	337166
Entropy (8bit):	6.899647537964628
Encrypted:	false
SSDEEP:	6144:nX5b5U2MBVOUMgdkhVYPph0lhSMXlBXBW/yX8H:X5b5tMjOUMgcsph0lhSMXle48H
MD5:	A82F9FE5258B71FCF8326CBDE4AF70AB
SHA1:	F796FC8B21558ABC7F497755DBAB5C6AE70A5253
SHA-256:	79EB81ADF4F85A8429B41975A5315C34B20157176E7C9133C6CC4C8840868FDA
SHA-512:	AEC8D045C335D89CF627333FAC39018DF3E0C3DC84350645372D7B04882BB85187D54B5F21ED2F672E700D252E7D0E75499AB69E6ACC62DCABDD25BF8EF28553
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@.NAY.@.....@.....@.....@.....@.....@......&.{3E28EEFE-5291-43E1-AA61-E4D35B611491}..NoqotApp..app__v7.3.5_.msi.@.....@.....@.....@......icon_35.exe..&.{EE3A39B9-5A50-459E-950A-80F951511BDC}.....@.....@.....@.....@.......@.....@.....@.......@......NoqotApp......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....AI_RemoveAllTempFilesL...AI_RemoveAllTempFiles.@......h...MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......4..pp.#p.#p.#..."{.#..."..#..."f.#vR."b.#vR."g.#vR."?.#..."..#p.#..#.R."`.#.R."q.#.RX#q.#p.0#q.#.R."q.#Richp.#................PE..L...m.e.........."!...&..................... ............................................@A....................................<.......................h:..........@c..p....................c.......b..@............ ...............................text............................... ..`.rdata...v... ...x

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	26747
Entropy (8bit):	5.3354839574811335
Encrypted:	false
SSDEEP:	384:rIZA1hRLR3Cf1dvsv6Qsmhifm5wGEvLvE7uVd5bATX:sZArRLR3Cf1dv23iwwbvLaO5b0X
MD5:	E4233A59C354B105D6A2C0E1C2BEA05A
SHA1:	85DE6D31D2428535344753A4A13EFE1162BE3FCF
SHA-256:	A933EACC4A326A88BE0EB49C6D1A1775ADD2ECC3CA777409DF5124355B5B674E
SHA-512:	C0765E062678CA96FCD2B034889B056BDB077089048E056D730D222D81E47BEC953FD71451A650F1F592CC6E14ECDBA85B4ECCE5404F629323652C0174FE440C
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>.. Generator: Adobe Illustrator 26.0.1, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->..<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"... viewBox="0 0 55 55" style="enable-background:new 0 0 55 55;" xml:space="preserve">..<g>...<g>....<linearGradient id="SVGID_1_" gradientUnits="userSpaceOnUse" x1="2.7994" y1="32.6842" x2="40.5625" y2="33.9325">.....<stop offset="0" style="stop-color:#E66966"/>.....<stop offset="0.1096" style="stop-color:#D9575C"/>.....<stop offset="0.374" style="stop-color:#BF3246"/>.....<stop offset="0.6191" style="stop-color:#AC1636"/>.....<stop offset="0.8354" style="stop-color:#A0062C"/>.....<stop offset="1" style="stop-color:#9C0029"/>....</linearGradient>....<path style="fill:url(#SVGID_1_);" d="M2.662,11.042v38.362l6.77,5.136V14.855L2.662,11.042L2.662,11.042z"/>.........<linearGradient id="SVGID_00000020358057779141704330000004975

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {EE3A39B9-5A50-459E-950A-80F951511BDC}, Number of Words: 10, Subject: NoqotApp, Author: Haye Cosq, Name of Creating Application: NoqotApp, Template: x64;2057, Comments: This installer database contains the logic and data required to install NoqotApp., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Mon Sep 30 16:03:45 2024, Last Saved Time/Date: Mon Sep 30 16:03:45 2024, Last Printed: Mon Sep 30 16:03:45 2024, Number of Pages: 450
Entropy (8bit):	7.946264592203114
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	app__v7.3.5_.msi
File size:	57'166'336 bytes
MD5:	2d6151dbbbb50c077564ef7ffc971a4e
SHA1:	b67ec6dd683f5f8b12d52aa79aeee9a498380589
SHA256:	2eae05e829f353c9a8d01683187eb759dbf73f90ccd435f03d46761b03247fbd
SHA512:	22a30787cf820da489ed59b8f6401b1282b923a66f796211c2300f1864f4f10bee01d24133bfcb35975695f32273796cacdef03d726345c7a12cfb8ce6509979
SSDEEP:	1572864:0p+Ty2SfWnHDk8FjVbfzPTq4h+RZYoFczfDiQPU8azMCAJ:h/0WnHDkkjBPTq4kYoFefTPU8awCm
TLSH:	53C72311B87C8027D76B1B393959BB9BA55B3CA2475125FBB3A47B2A13348C31237B07
File Content Preview:	........................>...................i.......................y........................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7..

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 15:52:32.161407948 CEST	63583	443	192.168.2.4	104.21.1.209
Oct 1, 2024 15:52:32.161511898 CEST	443	63583	104.21.1.209	192.168.2.4
Oct 1, 2024 15:52:32.161648989 CEST	63583	443	192.168.2.4	104.21.1.209
Oct 1, 2024 15:52:32.169430971 CEST	63583	443	192.168.2.4	104.21.1.209
Oct 1, 2024 15:52:32.169450045 CEST	443	63583	104.21.1.209	192.168.2.4
Oct 1, 2024 15:52:32.863373995 CEST	443	63583	104.21.1.209	192.168.2.4
Oct 1, 2024 15:52:32.863466978 CEST	63583	443	192.168.2.4	104.21.1.209
Oct 1, 2024 15:52:32.914913893 CEST	63583	443	192.168.2.4	104.21.1.209
Oct 1, 2024 15:52:32.914973974 CEST	443	63583	104.21.1.209	192.168.2.4
Oct 1, 2024 15:52:32.915198088 CEST	443	63583	104.21.1.209	192.168.2.4
Oct 1, 2024 15:52:32.915262938 CEST	63583	443	192.168.2.4	104.21.1.209
Oct 1, 2024 15:52:32.919842958 CEST	63583	443	192.168.2.4	104.21.1.209
Oct 1, 2024 15:52:32.919928074 CEST	63583	443	192.168.2.4	104.21.1.209
Oct 1, 2024 15:52:32.919958115 CEST	443	63583	104.21.1.209	192.168.2.4
Oct 1, 2024 15:52:33.378515959 CEST	443	63583	104.21.1.209	192.168.2.4
Oct 1, 2024 15:52:33.378578901 CEST	443	63583	104.21.1.209	192.168.2.4
Oct 1, 2024 15:52:33.378581047 CEST	63583	443	192.168.2.4	104.21.1.209
Oct 1, 2024 15:52:33.378760099 CEST	63583	443	192.168.2.4	104.21.1.209
Oct 1, 2024 15:52:33.381782055 CEST	63583	443	192.168.2.4	104.21.1.209
Oct 1, 2024 15:52:33.381833076 CEST	443	63583	104.21.1.209	192.168.2.4
Oct 1, 2024 15:52:33.381880045 CEST	63583	443	192.168.2.4	104.21.1.209
Oct 1, 2024 15:52:33.381956100 CEST	63583	443	192.168.2.4	104.21.1.209

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 15:51:45.033210993 CEST	53	54556	1.1.1.1	192.168.2.4
Oct 1, 2024 15:52:32.135344982 CEST	58224	53	192.168.2.4	1.1.1.1
Oct 1, 2024 15:52:32.151513100 CEST	53	58224	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
2024-10-01 13:52:32 UTC	196	OUT	POST /licenseUser.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=utf-8 User-Agent: AdvancedInstaller Host: check-key.com Content-Length: 110 Cache-Control: no-cache
2024-10-01 13:52:32 UTC	110	OUT	Data Raw: 44 61 74 65 3d 30 31 25 32 46 31 30 25 32 46 32 30 32 34 26 54 69 6d 65 3d 30 39 25 33 41 35 32 25 33 41 33 31 26 50 72 6f 64 75 63 74 4c 61 6e 67 75 61 67 65 3d 32 30 35 37 26 42 75 69 6c 64 56 65 72 73 69 6f 6e 3d 39 35 37 31 26 4c 61 6e 67 75 61 67 65 49 64 65 6e 74 3d 31 37 37 38 26 55 76 6f 53 74 61 74 65 3d 31 30 30 30 39 Data Ascii: Date=01%2F10%2F2024&Time=09%3A52%3A31&ProductLanguage=2057&BuildVersion=9571&LanguageIdent=1778&UvoState=10009
2024-10-01 13:52:33 UTC	588	IN	HTTP/1.1 500 Internal Server Error Date: Tue, 01 Oct 2024 13:52:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Cache-Control: no-store CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fAMhY6zDx5hM9dneSOMs0h%2Bt2RNvX0e7RuyrMJbVpR9I5AsrPDJLQC2N1ubxqPudCS%2FjuObZwPf8aGQ25P7ugaOTnEC7063wsRU%2BF%2BMX4QJ24hZ24%2BnjQrnpTw9X7i%2Bk"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cbcef0e1b9b0f6b-EWR
2024-10-01 13:52:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	09:51:25
Start date:	01/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\app__v7.3.5_.msi"
Imagebase:	0x7ff74ac20000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	1
Start time:	09:51:26
Start date:	01/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff74ac20000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	2
Start time:	09:51:28
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 01297D2E2EDE3162BB91A5AD2CF048CC
Imagebase:	0xb10000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report app__v7.3.5_.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\480497.rbs

C:\Users\user\AppData\Local\Temp\MSI92e8e.LOG

C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\box-add-remove.svg

C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\box-custom.svg

C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\box-remove.svg

C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\box-repair.svg

C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\box.svg

C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\client.png

C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\client_server.png

C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\common.js

C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\customize.html

C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\diskcost.html

C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\exit.html

C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\fatalerror.html

C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\fileinuse.html

C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\folder.html

C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\jquery-1.3.2.js

C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\maintwelcome.html

C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\maintype.html

C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\outofdisk.html

C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\outofrbdisk.html

C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\prepare.html

C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\progress.html

C:\Users\user\AppData\Local\Temp\{3E28EEFE-5291-43E1-AA61-E4D35B611491}\Spring.742DA8B7\progress\progressbar.css

Windows Analysis Report
app__v7.3.5_.msi

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre