Windows Analysis Report
v.1.6.3__x64__.msi

Overview

General Information

Sample name: v.1.6.3__x64__.msi
Analysis ID: 1532356
MD5: 0ba05fd48cf928447ecf3ce8fbed1544
SHA1: e3e57c4adf4719a85ec2b15f1605d47f501a348a
SHA256: da6cd7e37214c30e69a8b2817e1f361cff10bec40645785af3f01593debeac64
Tags: LegionLoader, msi, RobotDropper, user-aachum

Detection

LegionLoader
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
Yara detected LegionLoader
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Creates files inside the system directory
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Msiexec Initiated Connection

Classification

Source: unknown HTTPS traffic detected: 172.67.221.87:443 -> 192.168.2.4:49807 version: TLS 1.2
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.1.dr
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: v.1.6.3__x64__.msi
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.1.dr
Source: Binary string: D:\code88\chromium_git\chromium\src\out\Release_x64\node.dll.pdb source: node.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: v.1.6.3__x64__.msi, MSI9864.tmp.1.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: v.1.6.3__x64__.msi, MSI9825.tmp.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: v.1.6.3__x64__.msi, MSI9864.tmp.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: v.1.6.3__x64__.msi
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\tempFiles.pdb- source: v.1.6.3__x64__.msi, 54996a.rbs.1.dr, MSIA035.tmp.1.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.1.dr
Source: Binary string: D:\git-sdk-64-build-installers\usr\src\MINGW-packages\mingw-w64-git\src\git\git-bash.pdb source: git-bash.exe.1.dr
Source: Binary string: obs.pdb~~ source: obs.dll.1.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.1.dr
Source: Binary string: libEGL.dll.pdb source: libEGL.dll.1.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.1.dr
Source: Binary string: D:\git-sdk-64-build-installers\usr\src\MINGW-packages\mingw-w64-git\src\git\cmd\git-gui.pdb source: git-gui.exe.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: v.1.6.3__x64__.msi
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: obs.pdb source: obs.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: v.1.6.3__x64__.msi, MSIA1C6.tmp.1.dr
Source: Binary string: D:\git-sdk-64-build-installers\usr\src\MINGW-packages\mingw-w64-git\src\git\cmd\git.pdb source: git.exe.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\tempFiles.pdb source: v.1.6.3__x64__.msi, 54996a.rbs.1.dr, MSIA035.tmp.1.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.1.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\msiexec.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:

Networking

Source: Network traffic Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.4:49807 -> 172.67.221.87:443
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: key-crack.com
Source: unknown HTTP traffic detected:
  POST /licenseUser.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded; charset=utf-8
  User-Agent: AdvancedInstaller
  Host: key-crack.com
  Content-Length: 110
  Cache-Control: no-cache
Source: v.1.6.3__x64__.msi String found in binary or memory: https://key-crack.com/licenseUser.phpDoAppSearchExAI_SET_RESUMEAI_SET_INSTALLSendCollectedDataAI_Ext
Source: node.dll.1.dr String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-SyntaxCharacter
Source: node.dll.1.dr String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Assertion
Source: node.dll.1.dr String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-AtomEscape
Source: node.dll.1.dr String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-CharacterEscape
Source: node.dll.1.dr String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassControlLetter
Source: node.dll.1.dr String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassEscape
Source: node.dll.1.dr String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedAtom
Source: node.dll.1.dr String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedPatternCharacter
Source: node.dll.1.dr String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-IdentityEscape
Source: node.dll.1.dr String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-InvalidBracedQuantifier
Source: node.dll.1.dr String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-LegacyOctalEscapeSequence
Source: node.dll.1.dr String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Term
Source: node.dll.1.dr String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#sec-atomescape
Source: node.dll.1.dr String found in binary or memory: https://www.ecma-international.org/ecma-262/8.0/#sec-term
Source: smartgitc.exe.1.dr, smartgit-updater.exe.1.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: node.dll.1.dr String found in binary or memory: https://www.iana.org/assignments/tls-extensiontype-values
Source: node.dll.1.dr String found in binary or memory: https://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown HTTPS traffic detected: 172.67.221.87:443 -> 192.168.2.4:49807 version: TLS 1.2
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\549968.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA148.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA1C6.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA206.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA264.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA2B3.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA303.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA342.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI96EA.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI972A.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9825.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9864.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{135C4CDB-FF51-44E4-9478-7C0FB9B5D071} Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA035.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSIA148.tmp Jump to behavior
Source: git.exe0.1.dr Static PE information: Number of sections : 13 > 10
Source: git-cmd.exe.1.dr Static PE information: Number of sections : 13 > 10
Source: bash.exe.1.dr Static PE information: Number of sections : 13 > 10
Source: git-bash.exe.1.dr Static PE information: Number of sections : 13 > 10
Source: avutil-58.dll.1.dr Static PE information: Number of sections : 12 > 10
Source: gitk.exe.1.dr Static PE information: Number of sections : 13 > 10
Source: swresample-4.dll.1.dr Static PE information: Number of sections : 12 > 10
Source: sh.exe.1.dr Static PE information: Number of sections : 13 > 10
Source: scalar.exe.1.dr Static PE information: Number of sections : 13 > 10
Source: swscale-7.dll.1.dr Static PE information: Number of sections : 12 > 10
Source: zlib.dll.1.dr Static PE information: Number of sections : 12 > 10
Source: git-gui.exe.1.dr Static PE information: Number of sections : 13 > 10
Source: git.exe.1.dr Static PE information: Number of sections : 13 > 10
Source: avformat-60.dll.1.dr Static PE information: Number of sections : 12 > 10
Source: api-ms-win-core-string-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: v.1.6.3__x64__.msi Binary or memory string: tLegalCopyrightCopyright (c) Microsoft Corporation. All rights reserved.L$OriginalFilenameVC_redist.x64.exe vs v.1.6.3__x64__.msi
Source: v.1.6.3__x64__.msi Binary or memory string: OriginalFilenameAICustAct.dllF vs v.1.6.3__x64__.msi
Source: v.1.6.3__x64__.msi Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs v.1.6.3__x64__.msi
Source: v.1.6.3__x64__.msi Binary or memory string: OriginalFilenamePrereq.dllF vs v.1.6.3__x64__.msi
Source: v.1.6.3__x64__.msi Binary or memory string: OriginalFilenameMsiTempFiles.dllF vs v.1.6.3__x64__.msi
Source: v.1.6.3__x64__.msi Binary or memory string: OriginalFilenameDataUploader.dllF vs v.1.6.3__x64__.msi
Source: classification engine Classification label: mal56.troj.winMSI@4/125@1/1
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\CMLA0C6.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSI5c630.LOG Jump to behavior
Source: C:\Windows\System32\msiexec.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload Jump to behavior
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\v.1.6.3__x64__.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 12E499341769C229580CC44839D4DDCA
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 12E499341769C229580CC44839D4DDCA Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.ui.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windowmanagementapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: inputhost.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.ui.immersive.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netprofm.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: npmproxy.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
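The process and module-load lines above show the shape a detection engineer keys on: the 64-bit msiexec.exe started with /i on the package, the Windows Installer service instance (/V), and a 32-bit C:\Windows\SysWOW64\MsiExec.exe -Embedding <cookie> child, which is the custom-action server that hosts the DLL and script custom actions carried in the MSI. That SysWOW64 instance loads vbscript.dll and amsi.dll (consistent with a VBScript custom action) and then wininet.dll, winhttp.dll, urlmon.dll and schannel.dll (an HTTPS client stack), which is the combination that makes the TLS flow to 172.67.221.87:443 listed earlier worth attributing to the installer rather than to the package's payload files. The following Python is an added example, not part of this report and not a Sigma rule, that correlates Sysmon-style process-create (Event ID 1), network-connect (Event ID 3) and image-load (Event ID 7) records to flag exactly that pattern. The event records and PIDs are constructed from the values in the report; attributing the port 443 connection to the -Embedding process is an assumption, since the report lists that connection's source process as unknown.

```python
"""Flag an msiexec custom-action server that loads a script engine and talks to the network.

Added example over constructed Sysmon-style records (EID 1 process create,
EID 3 network connect, EID 7 image load). Not part of the sandbox report.
"""
from collections import defaultdict
import ntpath

SCRIPT_ENGINES = {"vbscript.dll", "jscript.dll"}          # script custom actions run in-process
NETWORK_STACK = {"wininet.dll", "winhttp.dll", "urlmon.dll", "schannel.dll"}


def is_msiexec(image):
    return ntpath.basename(image).lower() == "msiexec.exe"


def is_custom_action_server(cmdline):
    """msiexec launches CA servers as 'MsiExec.exe -Embedding <32 hex digit cookie>'."""
    parts = cmdline.split()
    return len(parts) == 3 and parts[1].lower() == "-embedding" and len(parts[2]) == 32


def correlate(events):
    """One finding per msiexec CA server that loaded a script engine, loaded the
    HTTP stack, or made an outbound connection. Returns a list of dicts."""
    procs = {}
    loads = defaultdict(set)
    conns = defaultdict(list)
    for ev in events:
        pid = ev["ProcessId"]
        if ev["EventID"] == 1:
            procs[pid] = ev
        elif ev["EventID"] == 7:
            loads[pid].add(ntpath.basename(ev["ImageLoaded"]).lower())
        elif ev["EventID"] == 3:
            conns[pid].append((ev["DestinationIp"], ev["DestinationPort"]))
    findings = []
    for pid, ev in procs.items():
        if not (is_msiexec(ev["Image"]) and is_custom_action_server(ev["CommandLine"])):
            continue
        script = loads[pid] & SCRIPT_ENGINES
        net = loads[pid] & NETWORK_STACK
        if not (script or net or conns[pid]):
            continue                                   # a CA server that stayed local is normal
        findings.append({
            "pid": pid,
            "parent_pid": ev["ParentProcessId"],
            "command_line": ev["CommandLine"],
            "wow64": "syswow64" in ev["Image"].lower(),  # 32-bit CA server for a 32-bit custom action
            "script_engines": sorted(script),
            "amsi_loaded": "amsi.dll" in loads[pid],     # AMSI is wired in when a script engine starts
            "network_modules": sorted(net),
            "connections": conns[pid],
        })
    return findings


# Constructed records mirroring the report's process tree and module loads (PIDs invented).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 5120, "ParentProcessId": 3400,
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": '"C:\\Windows\\System32\\msiexec.exe" /i "C:\\Users\\user\\Desktop\\v.1.6.3__x64__.msi"'},
    {"EventID": 1, "ProcessId": 5204, "ParentProcessId": 700,
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": "C:\\Windows\\system32\\msiexec.exe /V"},
    {"EventID": 1, "ProcessId": 5388, "ParentProcessId": 5204,
     "Image": "C:\\Windows\\SysWOW64\\msiexec.exe",
     "CommandLine": "C:\\Windows\\syswow64\\MsiExec.exe -Embedding 12E499341769C229580CC44839D4DDCA"},
]
for _dll in ["wininet.dll", "winhttp.dll", "urlmon.dll", "schannel.dll", "vbscript.dll", "amsi.dll"]:
    SAMPLE_EVENTS.append({"EventID": 7, "ProcessId": 5388, "ImageLoaded": "C:\\Windows\\SysWOW64\\" + _dll})
# Assumption: the TLS connection from the report is attributed to the CA server process.
SAMPLE_EVENTS.append({"EventID": 3, "ProcessId": 5388, "DestinationIp": "172.67.221.87", "DestinationPort": 443})
SAMPLE_EVENTS.append({"EventID": 7, "ProcessId": 5204, "ImageLoaded": "C:\\Windows\\System32\\cabinet.dll"})

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The /i and /V instances are not reported even though they load plenty of DLLs, because only the -Embedding child is where custom-action code executes; on a real host, feed the same correlation with the parent's package path so the finding can be tied back to the MSI that was installed.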
Source: Window Recorder Window detected: More than 3 window changes detected
Source: v.1.6.3__x64__.msi Static file information: File size 53926912 > 1048576
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.1.dr
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: v.1.6.3__x64__.msi
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.1.dr
Source: Binary string: D:\code88\chromium_git\chromium\src\out\Release_x64\node.dll.pdb source: node.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: v.1.6.3__x64__.msi, MSI9864.tmp.1.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: v.1.6.3__x64__.msi, MSI9825.tmp.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: v.1.6.3__x64__.msi, MSI9864.tmp.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: v.1.6.3__x64__.msi
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\tempFiles.pdb- source: v.1.6.3__x64__.msi, 54996a.rbs.1.dr, MSIA035.tmp.1.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.1.dr
Source: Binary string: D:\git-sdk-64-build-installers\usr\src\MINGW-packages\mingw-w64-git\src\git\git-bash.pdb source: git-bash.exe.1.dr
Source: Binary string: obs.pdb~~ source: obs.dll.1.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.1.dr
Source: Binary string: libEGL.dll.pdb source: libEGL.dll.1.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.1.dr
Source: Binary string: D:\git-sdk-64-build-installers\usr\src\MINGW-packages\mingw-w64-git\src\git\cmd\git-gui.pdb source: git-gui.exe.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: v.1.6.3__x64__.msi
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: obs.pdb source: obs.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: v.1.6.3__x64__.msi, MSIA1C6.tmp.1.dr
Source: Binary string: D:\git-sdk-64-build-installers\usr\src\MINGW-packages\mingw-w64-git\src\git\cmd\git.pdb source: git.exe.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\tempFiles.pdb source: v.1.6.3__x64__.msi, 54996a.rbs.1.dr, MSIA035.tmp.1.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.1.dr
Source: w32-pthreads.dll.1.dr Static PE information: 0xB1915111 [Tue May 27 05:11:45 2064 UTC]
Source: avutil-58.dll.1.dr Static PE information: section name: .xdata
Source: swresample-4.dll.1.dr Static PE information: section name: .xdata
Source: swscale-7.dll.1.dr Static PE information: section name: .xdata
Source: zlib.dll.1.dr Static PE information: section name: .xdata
Source: avformat-60.dll.1.dr Static PE information: section name: .xdata
Source: vcruntime140.dll.1.dr Static PE information: section name: _RDATA
Source: libEGL.dll.1.dr Static PE information: section name: .00cfg
Source: libEGL.dll.1.dr Static PE information: section name: .gehcont
Source: libGLESv2.dll.1.dr Static PE information: section name: .00cfg
Source: libGLESv2.dll.1.dr Static PE information: section name: .gehcont
Source: node.dll.1.dr Static PE information: section name: .00cfg
Source: smartgit-updater.exe.1.dr Static PE information: section name: .xdata
Source: bash.exe.1.dr Static PE information: section name: .xdata
Source: bash.exe.1.dr Static PE information: section name: .debug
Source: git.exe.1.dr Static PE information: section name: .xdata
Source: git.exe.1.dr Static PE information: section name: .debug
Source: sh.exe.1.dr Static PE information: section name: .xdata
Source: sh.exe.1.dr Static PE information: section name: .debug
Source: git-gui.exe.1.dr Static PE information: section name: .xdata
Source: git-gui.exe.1.dr Static PE information: section name: .debug
Source: git.exe0.1.dr Static PE information: section name: .xdata
Source: git.exe0.1.dr Static PE information: section name: .debug
Source: gitk.exe.1.dr Static PE information: section name: .xdata
Source: gitk.exe.1.dr Static PE information: section name: .debug
Source: scalar.exe.1.dr Static PE information: section name: .xdata
Source: scalar.exe.1.dr Static PE information: section name: .debug
Source: git-bash.exe.1.dr Static PE information: section name: .xdata
Source: git-bash.exe.1.dr Static PE information: section name: .debug
Source: git-cmd.exe.1.dr Static PE information: section name: .xdata
Source: git-cmd.exe.1.dr Static PE information: section name: .debug
Source: UnRAR.exe.1.dr Static PE information: section name: _RDATA
Source: MSIA2B3.tmp.1.dr Static PE information: section name: .didat
Source: MSI9825.tmp.1.dr Static PE information: section name: .didat
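The "Static PE information" lines above (section counts over ten, the .xdata/.debug/.00cfg/.gehcont/_RDATA/.didat names, the api-ms-win-* files with no imports, and the 2064 timestamp on w32-pthreads.dll) come from four cheap header checks. The following Python reproduces them with a minimal PE/COFF header reader; it is an added example, not Joe Sandbox code and not taken from the sample, and it runs on constructed header-only PE32+ images produced by build_pe() rather than on the dropped files. Triage caveat: all four are heuristics with common benign explanations. MinGW-built Git for Windows binaries routinely carry 13 sections including .xdata and .debug; Chromium and recent MSVC builds emit .00cfg and .gehcont (Control Flow Guard and EH-continuation metadata); _RDATA and .didat come from the MSVC CRT and delay-load imports; and api-ms-win-*-l1-1-0.dll API-set stubs are forwarder-only DLLs with no import table by design. A TimeDateStamp in the future is either a deliberately altered value or a reproducible-build hash (the MSVC linker's /Brepro writes a hash into that field), so it should be weighed against the file's Authenticode signature and version resource rather than taken alone.

```python
"""Reproduce sandbox-style static PE header checks on raw bytes.

Added example: a minimal PE/COFF header reader (no pefile dependency) plus the
four heuristics seen in the report. build_pe() constructs header-only PE32+
images as test input; they are not real files from the sample.
"""
import struct
from datetime import datetime, timezone

MAX_NORMAL_SECTIONS = 10
IMAGE_DIRECTORY_ENTRY_IMPORT = 1          # index of the import table in the data directories
# Section names a stock MSVC/GNU toolchain emits; anything else is reported as non-standard.
STANDARD_SECTIONS = {b".text", b".data", b".rdata", b".idata", b".edata", b".pdata",
                     b".rsrc", b".reloc", b".bss", b".tls", b".CRT"}


def parse_pe(data):
    """Return section count, section names, TimeDateStamp and the import directory entry."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, n_sections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32: data directories start at optional-header offset 96
        dd = opt + 96
    elif magic == 0x20B:        # PE32+: they start at offset 112
        dd = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%04X" % magic)
    n_dirs = struct.unpack_from("<I", data, dd - 4)[0]      # NumberOfRvaAndSizes precedes them
    import_rva = import_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_IMPORT:
        import_rva, import_size = struct.unpack_from("<II", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    sect = opt + opt_size       # the section table follows the optional header
    names = [data[sect + 40 * i: sect + 40 * i + 8].rstrip(b"\0") for i in range(n_sections)]
    return {"num_sections": n_sections, "section_names": names,
            "timestamp": timestamp, "import_rva": import_rva, "import_size": import_size}


def decode_timestamp(ts):
    """TimeDateStamp is seconds since the Unix epoch, interpreted as UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def static_checks(data, now_epoch=None):
    """Emit findings worded like the report's 'Static PE information' lines."""
    pe = parse_pe(data)
    now = decode_timestamp(now_epoch) if now_epoch is not None else datetime.now(timezone.utc)
    findings = []
    if pe["num_sections"] > MAX_NORMAL_SECTIONS:
        findings.append("Number of sections : %d > %d" % (pe["num_sections"], MAX_NORMAL_SECTIONS))
    for name in pe["section_names"]:
        if name not in STANDARD_SECTIONS:
            findings.append("section name: " + name.decode("latin-1"))
    if pe["import_rva"] == 0 or pe["import_size"] == 0:   # empty import directory: no imported functions
        findings.append("No import functions for PE file found")
    built = decode_timestamp(pe["timestamp"])
    if built > now:                                        # link time later than the analysis time
        findings.append("suspicious time stamp: 0x%08X [%s UTC]" % (pe["timestamp"], built.strftime("%a %b %d %H:%M:%S %Y")))
    return findings


def build_pe(section_names, timestamp, with_imports):
    """Constructed header-only PE32+ image (no section data); test input, not a real binary."""
    opt_size = 240                                   # PE32+ optional header with 16 data directories
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE header directly after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), timestamp, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)            # Magic = PE32+
    struct.pack_into("<I", opt, 108, 16)             # NumberOfRvaAndSizes
    if with_imports:                                 # point the import directory at a notional table
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, 0x3000, 0x50)
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000 * (i + 1), 0x200, 0x400 * (i + 1),
                    0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    # Constructed stand-ins for the three shapes seen in the report.
    samples = {
        "mingw-like": build_pe([b".text", b".data", b".rdata", b".pdata", b".xdata", b".bss", b".edata",
                                b".idata", b".CRT", b".tls", b".reloc", b".rsrc", b".debug"], 0x5F000000, True),
        "api-set stub": build_pe([b".rdata", b".rsrc", b".reloc"], 0x5F000000, False),
        "future timestamp": build_pe([b".text", b".rdata"], 0xB1915111, True),
    }
    for label, img in samples.items():
        for finding in static_checks(img):
            print(label + ": " + finding)
```

Run against the dropped files themselves, parse_pe() only needs the first few kilobytes of each file, so it can be applied to the whole KcozApp directory cheaply; the interesting output is not any single hit but which of the four fire together on which file, since the Git, FFmpeg and API-set binaries each trip a different subset for benign reasons.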
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9864.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\git\git-bash.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA342.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\git\cmd\gitk.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\smartgit-updater.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\git\bin\git.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\swscale-7.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\vcruntime140_1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\git\git-cmd.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\vcruntime140.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\node.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\git\cmd\scalar.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI96EA.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\obs-ffmpeg-mux.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\obs.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\avutil-58.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI972A.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\zlib.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\msvcp140.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-crt-multibyte-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA1C6.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\avformat-60.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\git\bin\bash.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\git\cmd\git.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA206.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-crt-private-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\Required\jvm.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\git\cmd\git-gui.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9825.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA2B3.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA303.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\libGLESv2.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\smartgit.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\UnRAR.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\w32-pthreads.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\git\bin\sh.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA148.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA264.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\swresample-4.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\smartgitc.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\libEGL.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\git\git-bash.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI9864.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIA342.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\git\cmd\gitk.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\smartgit-updater.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\git\bin\git.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\swscale-7.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\git\git-cmd.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\vcruntime140_1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\vcruntime140.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\git\cmd\scalar.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\node.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI96EA.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\obs-ffmpeg-mux.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\obs.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\avutil-58.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI972A.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\zlib.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\msvcp140.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-crt-multibyte-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIA1C6.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\git\bin\bash.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\avformat-60.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\git\cmd\git.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIA206.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-crt-private-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\Required\jvm.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\git\cmd\git-gui.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI9825.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIA2B3.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIA303.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\libGLESv2.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\smartgit.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\UnRAR.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\w32-pthreads.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\git\bin\sh.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIA148.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIA264.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\swresample-4.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\smartgitc.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\libEGL.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Tiqs Via Q\KcozApp\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: v.1.6.3__x64__.msi Binary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: node.dll.1.dr Binary or memory string: lgnW2/4/PEZB31jiVg88O8EckzXZOFKs7sjsLjBOlDW0JB9LeGna8gI4zJVSk/BwJVmcIGfE
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: v.1.6.3__x64__.msi, type: SAMPLE
Source: Yara match File source: C:\Windows\Installer\549968.msi, type: DROPPED

Remote Access Functionality

Source: Yara match File source: v.1.6.3__x64__.msi, type: SAMPLE
Source: Yara match File source: C:\Windows\Installer\549968.msi, type: DROPPED