Windows Analysis Report
1944b321.msi

Overview

General Information

Sample name: 1944b321.msi
Analysis ID: 1546437
MD5: f2f3a908a18ef6b45b50e1105326b833
SHA1: d01c20894cff8efa96e3394fcb54a8f4cea0f764
SHA256: ef896df89c6088517c117552424e932d590ebd483decc3c9f444a18ce88179fd
Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Creates an undocumented autostart registry key
Disables DEP (Data Execution Prevention) for certain images
Modifies the windows firewall
PE file has nameless sections
Uses netsh to modify the Windows network and firewall settings
Adds / modifies Windows certificates
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion NT Autorun Keys Modification
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic

Classification

  • System is w10x64
  • msiexec.exe (PID: 7268 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\1944b321.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 7312 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • mpk_emni_mpk.exe (PID: 7464 cmdline: "C:\ProgramData\MPK\mpk_emni_mpk.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SDIR "C:\Users\user\Desktop\" /LOG="C:\ProgramData\MPK\mpk_em_log.txt" MD5: E67464707F7D14131BEDE9DB845A6A0A)
      • mpk_emni_mpk.tmp (PID: 7480 cmdline: "C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp" /SL5="$3049C,4852295,119296,C:\ProgramData\MPK\mpk_emni_mpk.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SDIR "C:\Users\user\Desktop\" /LOG="C:\ProgramData\MPK\mpk_em_log.txt" MD5: 5ABA2917CE54882DFFA1635380313097)
        • _setup64.tmp (PID: 7496 cmdline: helper 105 0x3DC MD5: 526426126AE5D326D0A24706C77D8C5C)
          • conhost.exe (PID: 7504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 7564 cmdline: "C:\Windows\SysWOW64\cmd.exe" /c netsh advfirewall firewall add rule name="TCP\IP" dir=in action=allow program="C:\ProgramData\MPK\mpk.exe" enable=yes MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • netsh.exe (PID: 7608 cmdline: netsh advfirewall firewall add rule name="TCP\IP" dir=in action=allow program="C:\ProgramData\MPK\mpk.exe" enable=yes MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
        • MPKInst.exe (PID: 7640 cmdline: "C:\ProgramData\MPK\MPKInst.exe" /i /dr /cp MD5: 20BC08D7652B652811DF5F403C9C6DFA)
          • conhost.exe (PID: 7648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • lsynchost.exe (PID: 7696 cmdline: c:\programdata\mpk\\lsynchost.exe /install /silent MD5: 1A902E39120A8CCAA56163B91601E63A)
  • lsynchost.exe (PID: 7716 cmdline: c:\programdata\mpk\lsynchost.exe /startedbyscm:E4233B4F-40E3FE91-MPKService MD5: 1A902E39120A8CCAA56163B91601E63A)
    • lsynchost.exe (PID: 7748 cmdline: "c:\programdata\mpk\lsynchost.exe" /runsrv MD5: 1A902E39120A8CCAA56163B91601E63A)
      • lsynchost.exe (PID: 7772 cmdline: "c:\programdata\mpk\lsynchost.exe" /runsrv \MID:D MD5: 1A902E39120A8CCAA56163B91601E63A)
  • svchost.exe (PID: 8088 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Yara matches (dropped files) - columns: Source | Rule | Description | Author | Strings
C:\ProgramData\MPK\is-7IT87.tmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | (none)
C:\ProgramData\MPK\is-URL53.tmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | (none)

Yara matches (memory dumps) - columns: Source | Rule | Description | Author | Strings
0000000A.00000000.2093241826.0000000000401000.00000020.00000001.01000000.0000000A.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | (none)
0000000C.00000000.2094922926.0000000000401000.00000020.00000001.01000000.0000000B.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | (none)

Yara matches (unpacked PEs) - columns: Source | Rule | Description | Author | Strings
10.0.MPKInst.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | (none)
12.0.lsynchost.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | (none)

              System Summary

              Sigma detections
              Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: c:\windows\system32\userinit.exe,, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp, ProcessId: 7480, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
              Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 8088, ProcessName: svchost.exe

              Suricata IDS alerts
              Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
              2024-10-31T22:10:30.806667+0100 | 2022930 | 1 | A Network Trojan was detected | 20.109.210.53 | 443 | 192.168.2.5 | 64622 | TCP
              2024-10-31T22:11:09.825649+0100 | 2022930 | 1 | A Network Trojan was detected | 20.109.210.53 | 443 | 192.168.2.5 | 64805 | TCP

              AV Detection

              Source: C:\ProgramData\MPK\is-EQREG.tmp | Avira: detection malicious, Label: APPL/MonitorTool.Gen
              Source: C:\ProgramData\MPK\is-NK5I1.tmp | Avira: detection malicious, Label: APPL/MonitorTool.Gen
              Source: C:\ProgramData\MPK\MPK.dll (copy) | ReversingLabs: Detection: 53%
              Source: C:\ProgramData\MPK\MPK.exe (copy) | ReversingLabs: Detection: 62%
              Source: C:\ProgramData\MPK\MPK64.dll (copy) | ReversingLabs: Detection: 44%
              Source: C:\ProgramData\MPK\MPKInst.exe (copy) | ReversingLabs: Detection: 40%
              Source: C:\ProgramData\MPK\MpkHCA.dll (copy) | ReversingLabs: Detection: 64%
              Source: C:\ProgramData\MPK\MpkL64.exe (copy) | ReversingLabs: Detection: 45%
              Source: C:\ProgramData\MPK\is-5U9RI.tmp | ReversingLabs: Detection: 24%
              Source: C:\ProgramData\MPK\is-7IT87.tmp | ReversingLabs: Detection: 44%
              Source: C:\ProgramData\MPK\is-EQREG.tmp | ReversingLabs: Detection: 62%
              Source: C:\ProgramData\MPK\is-H68I0.tmp | ReversingLabs: Detection: 44%
              Source: C:\ProgramData\MPK\is-M13BC.tmp | ReversingLabs: Detection: 45%
              Source: C:\ProgramData\MPK\is-NK5I1.tmp | ReversingLabs: Detection: 64%
              Source: C:\ProgramData\MPK\is-RJO8C.tmp | ReversingLabs: Detection: 53%
              Source: C:\ProgramData\MPK\is-URL53.tmp | ReversingLabs: Detection: 40%
              Source: C:\ProgramData\MPK\lsynchost.exe (copy) | ReversingLabs: Detection: 44%
              Source: C:\ProgramData\MPK\mpk_emni_mpk.exe | ReversingLabs: Detection: 51%
              Source: C:\ProgramData\MPK\unins000.exe (copy) | ReversingLabs: Detection: 24%
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | ReversingLabs: Detection: 24%
              Source: 1944b321.msi | ReversingLabs: Detection: 33%
              Source: Binary string: D:\CFILES\Projects\WinSSL\openssl-1.0.1l\out32dll\libeay32.pdbl source: is-3LL6A.tmp.4.dr
              Source: Binary string: D:\CFILES\Projects\WinSSL\openssl-1.0.1l\out32dll\libeay32.pdb source: is-3LL6A.tmp.4.dr
              Source: Binary string: Inspect.pdb source: is-ARHTI.tmp.4.dr
              Source: Binary string: D:\CFILES\Projects\WinSSL\openssl-1.0.1l\out32dll\ssleay32.pdb source: is-SUMV4.tmp.4.dr
              Source: Binary string: CHARTOOEMBUFFl\Release\isunzlib.pdb source: mpk_emni_mpk.tmp, 00000004.00000003.2101400325.0000000002CAD000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: mpk_emni_mpk.tmp, 00000004.00000003.2062536481.00000000029B4000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101887413.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr
              Source: Binary string: D:\asf\httpd-2.2\srclib\zlib\zlib1.pdb source: is-GH6IU.tmp.4.dr
              Source: C:\Windows\System32\msiexec.exe | File opened: z:
              Source: C:\Windows\System32\msiexec.exe | File opened: x:
              Source: C:\Windows\System32\msiexec.exe | File opened: v:
              Source: C:\Windows\System32\msiexec.exe | File opened: t:
              Source: C:\Windows\System32\msiexec.exe | File opened: r:
              Source: C:\Windows\System32\msiexec.exe | File opened: p:
              Source: C:\Windows\System32\msiexec.exe | File opened: n:
              Source: C:\Windows\System32\msiexec.exe | File opened: l:
              Source: C:\Windows\System32\msiexec.exe | File opened: j:
              Source: C:\Windows\System32\msiexec.exe | File opened: h:
              Source: C:\Windows\System32\msiexec.exe | File opened: f:
              Source: C:\Windows\System32\msiexec.exe | File opened: b:
              Source: C:\Windows\System32\msiexec.exe | File opened: y:
              Source: C:\Windows\System32\msiexec.exe | File opened: w:
              Source: C:\Windows\System32\msiexec.exe | File opened: u:
              Source: C:\Windows\System32\msiexec.exe | File opened: s:
              Source: C:\Windows\System32\msiexec.exe | File opened: q:
              Source: C:\Windows\System32\msiexec.exe | File opened: o:
              Source: C:\Windows\System32\msiexec.exe | File opened: m:
              Source: C:\Windows\System32\msiexec.exe | File opened: k:
              Source: C:\Windows\System32\msiexec.exe | File opened: i:
              Source: C:\Windows\System32\msiexec.exe | File opened: g:
              Source: C:\Windows\System32\msiexec.exe | File opened: e:
              Source: C:\Windows\SysWOW64\netsh.exe | File opened: c:
              Source: C:\Windows\System32\msiexec.exe | File opened: a:
              Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.5:64622
              Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.5:64805
              Source: mpk_emni_mpk.exe, 00000003.00000003.2060667547.000000007FE41000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.exe, 00000003.00000003.2060281542.00000000024A5000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000002.2102814872.000000000018F000.00000004.00000010.00020000.00000000.sdmp, 1944b321.msi, 4e7f65.msi.1.dr, is-EQREG.tmp.4.dr, mpk_emni_mpk.exe.1.dr, is-RJO8C.tmp.4.dr, 4e7f67.msi.1.dr, mpk_emni_mpk.tmp.3.drString found in binary or memory: http://sf.symcb.com/sf.crl0f
              Source: mpk_emni_mpk.exe, 00000003.00000003.2060667547.000000007FE41000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.exe, 00000003.00000003.2060281542.00000000024A5000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000002.2102814872.000000000018F000.00000004.00000010.00020000.00000000.sdmp, 1944b321.msi, 4e7f65.msi.1.dr, is-EQREG.tmp.4.dr, mpk_emni_mpk.exe.1.dr, is-RJO8C.tmp.4.dr, 4e7f67.msi.1.dr, mpk_emni_mpk.tmp.3.drString found in binary or memory: http://sf.symcb.com/sf.crt0
              Source: mpk_emni_mpk.exe, 00000003.00000003.2060667547.000000007FE41000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.exe, 00000003.00000003.2060281542.00000000024A5000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000002.2102814872.000000000018F000.00000004.00000010.00020000.00000000.sdmp, 1944b321.msi, 4e7f65.msi.1.dr, is-EQREG.tmp.4.dr, mpk_emni_mpk.exe.1.dr, is-RJO8C.tmp.4.dr, 4e7f67.msi.1.dr, mpk_emni_mpk.tmp.3.drString found in binary or memory: http://sf.symcd.com0&
              Source: mpk_emni_mpk.exe, 00000003.00000003.2059670958.0000000002390000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.exe, 00000003.00000003.2103847115.00000000021DC000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2062536481.00000000029A0000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101887413.000000000228B000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101400325.0000000002C3D000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101887413.0000000002258000.00000004.00001000.00020000.00000000.sdmp, unins000.msg.4.drString found in binary or memory: http://www.dk-soft.org/
              Source: mpk_emni_mpk.exe, 00000003.00000003.2103847115.00000000021BF000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.dk-soft.org/0
              Source: mpk_emni_mpk.tmp, 00000004.00000003.2101887413.0000000002258000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.google-analytics.com/collect
              Source: mpk_emni_mpk.exe, 00000003.00000003.2060281542.0000000002390000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.exe, 00000003.00000003.2060667547.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000000.2061522413.0000000000401000.00000020.00000001.01000000.00000004.sdmp, mpk_emni_mpk.tmp.3.drString found in binary or memory: http://www.innosetup.com/
              Source: mpk_emni_mpk.exe, 00000003.00000000.2058969608.0000000000401000.00000020.00000001.01000000.00000003.sdmp, mpk_emni_mpk.exe.1.drString found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
              Source: mpk_emni_mpk.tmp, 00000004.00000003.2062536481.00000000029A0000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101400325.0000000002C3D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.mipko.ru/
              Source: mpk_emni_mpk.tmp, 00000004.00000003.2062536481.00000000029A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.mipko.ru/$QuickHelpMainLabel
              Source: mpk_emni_mpk.exe, 00000003.00000003.2059670958.0000000002390000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2062536481.00000000029A0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.mipko.ru/(http://www.mipko.ru/(http://www.mipko.ru/(
              Source: mpk_emni_mpk.exe, 00000003.00000003.2103847115.0000000002241000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101887413.0000000002311000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.mipko.ru/1
              Source: mpk_emni_mpk.tmp, 00000004.00000003.2062536481.00000000029A0000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101400325.0000000002C3D000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101887413.0000000002243000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.mipko.ru/employee-monitor/tutorial-msi.php?reffrominfo=INSTALL&refverinfo=0
              Source: mpk_emni_mpk.tmp, 00000004.00000003.2101400325.0000000002C3D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.mipko.ru/helponline.php?reffrominfo=INSTALL&refverinfo=0
              Source: mpk_emni_mpk.tmp, 00000004.00000003.2101887413.000000000224A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.mipko.ru/helponline.php?reffrominfo=INSTALL&refverinfo=0a
              Source: mpk_emni_mpk.tmp, 00000004.00000003.2101887413.000000000224A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.mipko.ru/helponline.php?reffrominfo=INSTALL&refverinfo=0q
              Source: mpk_emni_mpk.exe, 00000003.00000003.2103847115.0000000002241000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101887413.0000000002311000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.mipko.ru/q
              Source: mpk_emni_mpk.tmp, 00000004.00000003.2062536481.00000000029A0000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101887413.000000000224A000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101400325.0000000002C3D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.mipko.ru/register.php?reffrominfo=INSTALL&refverinfo=0
              Source: mpk_emni_mpk.tmp, 00000004.00000003.2062536481.00000000029A0000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101400325.0000000002C3D000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.mipko.ru/uninstall.htm?reffrominfo=INSTALL&refverinfo=0
              Source: mpk_emni_mpk.tmp, 00000004.00000003.2101887413.000000000224A000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.mipko.ru/uninstall.htm?reffrominfo=INSTALL&refverinfo=09
              Source: is-3LL6A.tmp.4.dr, is-SUMV4.tmp.4.drString found in binary or memory: http://www.openssl.org/V
              Source: is-3LL6A.tmp.4.drString found in binary or memory: http://www.openssl.org/support/faq.html
              Source: is-3LL6A.tmp.4.drString found in binary or memory: http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG
              Source: mpk_emni_mpk.exe, 00000003.00000003.2060281542.0000000002390000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.exe, 00000003.00000003.2060667547.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000000.2061522413.0000000000401000.00000020.00000001.01000000.00000004.sdmp, mpk_emni_mpk.tmp.3.drString found in binary or memory: http://www.remobjects.com/ps
              Source: mpk_emni_mpk.exe, 00000003.00000003.2060667547.000000007FE41000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.exe, 00000003.00000003.2060281542.00000000024A5000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000002.2102814872.000000000018F000.00000004.00000010.00020000.00000000.sdmp, 1944b321.msi, 4e7f65.msi.1.dr, is-EQREG.tmp.4.dr, mpk_emni_mpk.exe.1.dr, is-RJO8C.tmp.4.dr, 4e7f67.msi.1.dr, mpk_emni_mpk.tmp.3.drString found in binary or memory: https://d.symcb.com/cps0%
              Source: mpk_emni_mpk.exe, 00000003.00000003.2060667547.000000007FE41000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.exe, 00000003.00000003.2060281542.00000000024A5000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000002.2102814872.000000000018F000.00000004.00000010.00020000.00000000.sdmp, 1944b321.msi, 4e7f65.msi.1.dr, is-EQREG.tmp.4.dr, mpk_emni_mpk.exe.1.dr, is-RJO8C.tmp.4.dr, 4e7f67.msi.1.dr, mpk_emni_mpk.tmp.3.drString found in binary or memory: https://d.symcb.com/rpa0

              System Summary

              Source: is-EQREG.tmp.4.dr | Static PE information: section name: (empty)
              Source: is-EQREG.tmp.4.dr | Static PE information: section name: (empty)
              Source: is-EQREG.tmp.4.dr | Static PE information: section name: (empty)
              Source: is-EQREG.tmp.4.dr | Static PE information: section name: (empty)
              Source: is-EQREG.tmp.4.dr | Static PE information: section name: (empty)
              Source: is-EQREG.tmp.4.dr | Static PE information: section name: (empty)
              Source: is-EQREG.tmp.4.dr | Static PE information: section name: (empty)
              Source: is-EQREG.tmp.4.dr | Static PE information: section name: (empty)
              Source: is-EQREG.tmp.4.dr | Static PE information: section name: (empty)
              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\4e7f65.msi
              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{9EBEE94E-B80E-4DDF-961B-A35BE6877C22}
              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI83EA.tmp
              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\4e7f67.msi
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | File created: C:\Windows\SysWOW64\is-ARHTI.tmp
              Source: C:\Windows\SysWOW64\netsh.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\PeerDistRepub
              Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\4e7f67.msi
              Source: mpk_emni_mpk.tmp.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
              Source: mpk_emni_mpk.tmp.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
              Source: is-5U9RI.tmp.4.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
              Source: is-5U9RI.tmp.4.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
              Source: is-JS61I.tmp.4.dr | Static PE information: Number of sections : 19 > 10
              Source: is-EQREG.tmp.4.dr | Static PE information: Number of sections : 12 > 10
              Source: is-EQREG.tmp.4.dr | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
              Source: is-EQREG.tmp.4.dr | Static PE information: Section: ZLIB complexity 1.000859375
              Source: is-EQREG.tmp.4.dr | Static PE information: Section: ZLIB complexity 1.0005542652027026
              Source: is-EQREG.tmp.4.dr | Static PE information: Section: ZLIB complexity 1.0008445945945945
              Source: is-EQREG.tmp.4.dr | Static PE information: Section: ZLIB complexity 1.0107421875
              Source: classification engine | Classification label: mal84.evad.winMSI@25/66@0/0
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | File created: C:\Users\user\AppData\Local\Programs
              Source: C:\ProgramData\MPK\MPKInst.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\MPK_MUTEX_42587B64572B06762F7D7E70674A777103
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7572:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
              Source: C:\ProgramData\MPK\lsynchost.exe | Mutant created: \BaseNamedObjects\Global\MPK_MUTEX_42587B64572B06762F1A757B76
              Source: C:\ProgramData\MPK\lsynchost.exe | Mutant created: \BaseNamedObjects\Global\MPK_MUTEX_23587B645730146A376D7E607B2B617D687C6D2F
              Source: C:\ProgramData\MPK\lsynchost.exe | Mutant created: \BaseNamedObjects\Global\MPK_MUTEX_23587B64572B07753D7A736B7C376607036170
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:120:WilError_03
              Source: C:\ProgramData\MPK\lsynchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\MPK_MUTEX_42587B64572B07753D7A736B7C376607036170
              Source: C:\ProgramData\MPK\lsynchost.exe | Mutant created: \BaseNamedObjects\Global\MPK_MUTEX_20587B64572B07753D7A736B7C376607036170
              Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\TEMP\~DFEDA63B10F1214E09.TMP
              Source: Yara match | File source: 10.0.MPKInst.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 12.0.lsynchost.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0000000A.00000000.2093241826.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000C.00000000.2094922926.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
              Source: Yara match | File source: C:\ProgramData\MPK\is-7IT87.tmp, type: DROPPED
              Source: Yara match | File source: C:\ProgramData\MPK\is-URL53.tmp, type: DROPPED
              Source: C:\ProgramData\MPK\mpk_emni_mpk.exe | Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
              Source: C:\ProgramData\MPK\MPKInst.exe | Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
              Source: C:\ProgramData\MPK\lsynchost.exe | Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Windows\System32\msiexec.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
              Source: 1944b321.msi | Static file information: TRID: Microsoft Windows Installer (60509/1) 88.31%
              Source: 1944b321.msi | ReversingLabs: Detection: 33%
              Source: C:\Users\user\AppData\Local\Temp\is-TDMRE.tmp\_isetup\_setup64.tmp | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess graph_5-67
              Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\1944b321.msi"
              Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
              Source: C:\Windows\System32\msiexec.exe | Process created: C:\ProgramData\MPK\mpk_emni_mpk.exe "C:\ProgramData\MPK\mpk_emni_mpk.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SDIR "C:\Users\user\Desktop\" /LOG="C:\ProgramData\MPK\mpk_em_log.txt"
              Source: C:\ProgramData\MPK\mpk_emni_mpk.exe | Process created: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp "C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp" /SL5="$3049C,4852295,119296,C:\ProgramData\MPK\mpk_emni_mpk.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SDIR "C:\Users\user\Desktop\" /LOG="C:\ProgramData\MPK\mpk_em_log.txt"
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-TDMRE.tmp\_isetup\_setup64.tmp helper 105 0x3DC
              Source: C:\Users\user\AppData\Local\Temp\is-TDMRE.tmp\_isetup\_setup64.tmp | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" /c netsh advfirewall firewall add rule name="TCP\IP" dir=in action=allow program="C:\ProgramData\MPK\mpk.exe" enable=yes
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="TCP\IP" dir=in action=allow program="C:\ProgramData\MPK\mpk.exe" enable=yes
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Process created: C:\ProgramData\MPK\MPKInst.exe "C:\ProgramData\MPK\MPKInst.exe" /i /dr /cp
              Source: C:\ProgramData\MPK\MPKInst.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\ProgramData\MPK\MPKInst.exe | Process created: C:\ProgramData\MPK\lsynchost.exe c:\programdata\mpk\\lsynchost.exe /install /silent
              Source: unknown | Process created: C:\ProgramData\MPK\lsynchost.exe c:\programdata\mpk\lsynchost.exe /startedbyscm:E4233B4F-40E3FE91-MPKService
              Source: C:\ProgramData\MPK\lsynchost.exe | Process created: C:\ProgramData\MPK\lsynchost.exe "c:\programdata\mpk\lsynchost.exe" /runsrv
              Source: C:\ProgramData\MPK\lsynchost.exe | Process created: C:\ProgramData\MPK\lsynchost.exe "c:\programdata\mpk\lsynchost.exe" /runsrv \MID:D
              Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
              Source: C:\Windows\System32\msiexec.exeProcess created: C:\ProgramData\MPK\mpk_emni_mpk.exe "C:\ProgramData\MPK\mpk_emni_mpk.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SDIR "C:\Users\user\Desktop\" /LOG="C:\ProgramData\MPK\mpk_em_log.txt"Jump to behavior
              Source: C:\ProgramData\MPK\mpk_emni_mpk.exeProcess created: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp "C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp" /SL5="$3049C,4852295,119296,C:\ProgramData\MPK\mpk_emni_mpk.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SDIR "C:\Users\user\Desktop\" /LOG="C:\ProgramData\MPK\mpk_em_log.txt"Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpProcess created: C:\Users\user\AppData\Local\Temp\is-TDMRE.tmp\_isetup\_setup64.tmp helper 105 0x3DCJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" /c netsh advfirewall firewall add rule name="TCP\IP" dir=in action=allow program="C:\ProgramData\MPK\mpk.exe" enable=yesJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpProcess created: C:\ProgramData\MPK\MPKInst.exe "C:\ProgramData\MPK\MPKInst.exe" /i /dr /cpJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="TCP\IP" dir=in action=allow program="C:\ProgramData\MPK\mpk.exe" enable=yesJump to behavior
              Source: C:\ProgramData\MPK\MPKInst.exeProcess created: C:\ProgramData\MPK\lsynchost.exe c:\programdata\mpk\\lsynchost.exe /install /silentJump to behavior
              Source: C:\ProgramData\MPK\lsynchost.exeProcess created: C:\ProgramData\MPK\lsynchost.exe "c:\programdata\mpk\lsynchost.exe" /runsrvJump to behavior
              Source: C:\ProgramData\MPK\lsynchost.exeProcess created: C:\ProgramData\MPK\lsynchost.exe "c:\programdata\mpk\lsynchost.exe" /runsrv \MID:DJump to behavior
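The process-creation rows above carry the two behaviours that matter for triage: the installer's Inno Setup stub shells out to netsh to add an inbound allow rule for C:\ProgramData\MPK\mpk.exe, and MPKInst.exe registers lsynchost.exe as a service that the Service Control Manager then starts. The script below is an added example, not part of the Joe Sandbox report: it parses rows in the fused form the HTML export produces ("...exeProcess created: ...Jump to behavior"), rebuilds the parent/child chain, extracts the firewall rule's fields and flags the service-install and SCM-start command lines. The sample rows are copies of the report lines embedded inline; the "suspicious rule" heuristic (an inbound allow for a program under C:\ProgramData or C:\Users) is my own assumption, not a Joe Sandbox rule.

```python
import re
from collections import defaultdict

# Constructed sample: "Process created" rows copied from the report, in the fused
# form the HTML export produces (source path glued to the label, trailing link text).
REPORT_LINES = r"""
Source: C:\Windows\System32\msiexec.exeProcess created: C:\ProgramData\MPK\mpk_emni_mpk.exe "C:\ProgramData\MPK\mpk_emni_mpk.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SDIR "C:\Users\user\Desktop\" /LOG="C:\ProgramData\MPK\mpk_em_log.txt"Jump to behavior
Source: C:\ProgramData\MPK\mpk_emni_mpk.exeProcess created: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp "C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp" /SL5="$3049C,4852295,119296,C:\ProgramData\MPK\mpk_emni_mpk.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SDIR "C:\Users\user\Desktop\" /LOG="C:\ProgramData\MPK\mpk_em_log.txt"Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" /c netsh advfirewall firewall add rule name="TCP\IP" dir=in action=allow program="C:\ProgramData\MPK\mpk.exe" enable=yesJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="TCP\IP" dir=in action=allow program="C:\ProgramData\MPK\mpk.exe" enable=yesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpProcess created: C:\ProgramData\MPK\MPKInst.exe "C:\ProgramData\MPK\MPKInst.exe" /i /dr /cpJump to behavior
Source: C:\ProgramData\MPK\MPKInst.exeProcess created: C:\ProgramData\MPK\lsynchost.exe c:\programdata\mpk\\lsynchost.exe /install /silentJump to behavior
Source: unknownProcess created: C:\ProgramData\MPK\lsynchost.exe c:\programdata\mpk\lsynchost.exe /startedbyscm:E4233B4F-40E3FE91-MPKService
Source: C:\ProgramData\MPK\lsynchost.exeProcess created: C:\ProgramData\MPK\lsynchost.exe "c:\programdata\mpk\lsynchost.exe" /runsrvJump to behavior
""".strip().splitlines()

# Tolerates both "exeProcess created:" (fused) and "exe Process created:" (spaced) rows.
LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.*?)\s*Process created:\s*(?P<image>\S+)\s*"
    r"(?P<cmdline>.*?)\s*(?:Jump to behavior)?$"
)
NETSH_RULE_RE = re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\s+(?P<args>.*)", re.I)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare


def parse_firewall_rule(cmdline: str):
    """Return the key=value fields of a 'netsh advfirewall firewall add rule' command, or None."""
    m = NETSH_RULE_RE.search(cmdline)
    if not m:
        return None
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(m.group("args"))}


def rule_is_suspicious(rule: dict) -> bool:
    """Assumption-based heuristic: inbound allow for a binary in a user- or ProgramData path."""
    program = rule.get("program", "").lower()
    return (rule.get("dir") == "in" and rule.get("action") == "allow"
            and program.startswith((r"c:\programdata", r"c:\users")))


def service_indicators(cmdline: str) -> list:
    """Flag self-installation as a service and a start by the Service Control Manager."""
    notes = []
    if "/install" in cmdline.lower():
        notes.append("installs itself as a service (/install)")
    m = re.search(r"/startedbyscm:(\S+)", cmdline, re.I)
    if m:
        notes.append(f"started by the Service Control Manager as {m.group(1)}")
    return notes


def analyse(lines):
    children = defaultdict(list)   # parent image -> child images
    rules, findings = {}, []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        source, image, cmdline = m.group("source", "image", "cmdline")
        children[source].append(image)
        rule = parse_firewall_rule(cmdline)
        if rule:   # cmd.exe /c ... and its netsh child carry the same rule: keep one copy
            rules.setdefault((rule.get("dir"), rule.get("action"), rule.get("program")), rule)
        findings += [(image, note) for note in service_indicators(cmdline)]
        if "/SL5=" in cmdline:
            findings.append((image, "Inno Setup stub (/SL5=)"))
    return {"children": dict(children), "firewall_rules": list(rules.values()), "findings": findings}


def walk(children: dict, root: str, depth: int = 0, seen=None):
    """Depth-first walk of the tree; 'seen' breaks the lsynchost.exe -> lsynchost.exe self-spawn loop."""
    seen = seen if seen is not None else set()
    seen.add(root)
    yield root, depth
    for child in children.get(root, []):
        if child not in seen:
            yield from walk(children, child, depth + 1, seen)


if __name__ == "__main__":
    result = analyse(REPORT_LINES)
    for image, depth in walk(result["children"], r"C:\Windows\System32\msiexec.exe"):
        print("  " * depth + image)
    for rule in result["firewall_rules"]:
        print("firewall rule:", rule, "SUSPICIOUS" if rule_is_suspicious(rule) else "")
    for image, note in result["findings"]:
        print(f"{image}: {note}")
```

Feed it the report's rows (or a saved text export) and the output is the msiexec -> mpk_emni_mpk.exe -> mpk_emni_mpk.tmp -> {cmd.exe -> netsh.exe, MPKInst.exe -> lsynchost.exe} chain plus the single deduplicated rule, which is the artefact to look for on a live host with `netsh advfirewall firewall show rule name="TCP\IP"`.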
              Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: msihnd.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
              Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
              Source: C:\ProgramData\MPK\mpk_emni_mpk.exe Section loaded: apphelp.dll
              Source: C:\ProgramData\MPK\mpk_emni_mpk.exe Section loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: apphelp.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: msimg32.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: version.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: mpr.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: textinputframework.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: coreuicomponents.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: coremessaging.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: ntmarta.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: coremessaging.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: wintypes.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: wintypes.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: wintypes.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: wldp.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: profapi.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: shfolder.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: rstrtmgr.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: ncrypt.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: ntasn1.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: textshaping.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: sspicli.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: dwmapi.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: propsys.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: edputil.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: urlmon.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: iertutil.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: srvcli.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: netutils.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: windows.staterepositoryps.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: appresolver.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: bcp47langs.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: slc.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: userenv.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: sppc.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: onecorecommonproxystub.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: explorerframe.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: sfc.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Section loaded: sfc_os.dll
              Source: C:\Users\user\AppData\Local\Temp\is-TDMRE.tmp\_isetup\_setup64.tmp Section loaded: apphelp.dll
              Source: C:\Users\user\AppData\Local\Temp\is-TDMRE.tmp\_isetup\_setup64.tmp Section loaded: ntmarta.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll
              Source: C:\ProgramData\MPK\MPKInst.exe Section loaded: apphelp.dll
              Source: C:\ProgramData\MPK\MPKInst.exe Section loaded: msimg32.dll
              Source: C:\ProgramData\MPK\MPKInst.exe Section loaded: version.dll
              Source: C:\ProgramData\MPK\MPKInst.exe Section loaded: wtsapi32.dll
              Source: C:\ProgramData\MPK\MPKInst.exe Section loaded: userenv.dll
              Source: C:\ProgramData\MPK\MPKInst.exe Section loaded: uxtheme.dll
              Source: C:\ProgramData\MPK\MPKInst.exe Section loaded: kernel.appcore.dll
              Source: C:\ProgramData\MPK\MPKInst.exe Section loaded: winsta.dll
              Source: C:\ProgramData\MPK\MPKInst.exe Section loaded: avrt.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: apphelp.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: msimg32.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: version.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: mpr.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: wtsapi32.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: userenv.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: uxtheme.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: kernel.appcore.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: winsta.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: avrt.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: msimg32.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: version.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: mpr.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: wtsapi32.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: userenv.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: kernel.appcore.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: winsta.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: uxtheme.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: avrt.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: msimg32.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: version.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: mpr.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: wtsapi32.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: userenv.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: kernel.appcore.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: winsta.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: uxtheme.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: avrt.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: msimg32.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: version.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: mpr.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: wtsapi32.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: userenv.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: kernel.appcore.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: winsta.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: uxtheme.dll
              Source: C:\ProgramData\MPK\lsynchost.exe Section loaded: avrt.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: licensemanagersvc.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: licensemanager.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: clipc.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
              Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp Window found: window name: TMainForm
              Source: Window Recorder Window detected: More than 3 window changes detected
              Source: 1944b321.msi Static file information: File size 5255168 > 1048576
              Source: Binary string: D:\CFILES\Projects\WinSSL\openssl-1.0.1l\out32dll\libeay32.pdbl source: is-3LL6A.tmp.4.dr
              Source: Binary string: D:\CFILES\Projects\WinSSL\openssl-1.0.1l\out32dll\libeay32.pdb source: is-3LL6A.tmp.4.dr
              Source: Binary string: Inspect.pdb source: is-ARHTI.tmp.4.dr
              Source: Binary string: D:\CFILES\Projects\WinSSL\openssl-1.0.1l\out32dll\ssleay32.pdb source: is-SUMV4.tmp.4.dr
              Source: Binary string: CHARTOOEMBUFFl\Release\isunzlib.pdb source: mpk_emni_mpk.tmp, 00000004.00000003.2101400325.0000000002CAD000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: mpk_emni_mpk.tmp, 00000004.00000003.2062536481.00000000029B4000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101887413.00000000021E0000.00000004.00001000.00020000.00000000.sdmp, _isdecmp.dll.4.dr
              Source: Binary string: D:\asf\httpd-2.2\srclib\zlib\zlib1.pdb source: is-GH6IU.tmp.4.dr
              Source: is-EQREG.tmp.4.dr Static PE information: section name: ""
              Source: is-EQREG.tmp.4.dr Static PE information: section name: ""
              Source: is-EQREG.tmp.4.dr Static PE information: section name: ""
              Source: is-EQREG.tmp.4.dr Static PE information: section name: ""
              Source: is-EQREG.tmp.4.dr Static PE information: section name: ""
              Source: is-EQREG.tmp.4.dr Static PE information: section name: ""
              Source: is-EQREG.tmp.4.dr Static PE information: section name: ""
              Source: is-EQREG.tmp.4.dr Static PE information: section name: ""
              Source: is-EQREG.tmp.4.dr Static PE information: section name: ""
              Source: is-EQREG.tmp.4.dr Static PE information: section name: .adata
              Source: is-JS61I.tmp.4.dr Static PE information: section name: /4
              Source: is-JS61I.tmp.4.dr Static PE information: section name: /19
              Source: is-JS61I.tmp.4.dr Static PE information: section name: /35
              Source: is-JS61I.tmp.4.dr Static PE information: section name: /51
              Source: is-JS61I.tmp.4.dr Static PE information: section name: /63
              Source: is-JS61I.tmp.4.dr Static PE information: section name: /77
              Source: is-JS61I.tmp.4.dr Static PE information: section name: /89
              Source: is-JS61I.tmp.4.dr Static PE information: section name: /102
              Source: is-JS61I.tmp.4.dr Static PE information: section name: /113
              Source: is-JS61I.tmp.4.dr Static PE information: section name: /124
              Source: is-7IT87.tmp.4.dr Static PE information: section name: .didata
              Source: is-URL53.tmp.4.dr Static PE information: section name: .didata
              Source: is-EQREG.tmp.4.dr Static PE information: section name: "" entropy: 7.984789371171089
              Source: is-EQREG.tmp.4.dr Static PE information: section name: "" entropy: 7.994840224102401
              Source: is-EQREG.tmp.4.dr Static PE information: section name: "" entropy: 7.990943201012819
              Source: is-EQREG.tmp.4.dr Static PE information: section name: "" entropy: 7.815634775197806
              Source: is-EQREG.tmp.4.dr Static PE information: section name: .rsrc entropy: 7.93730555835485
              Source: is-EQREG.tmp.4.dr Static PE information: section name: .data entropy: 7.925340424958526
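The static rows above are what a packer or protector leaves behind: is-EQREG.tmp carries nine sections with no name at all, several of them at entropy 7.8 to 7.99 (8.0 is the maximum for a byte stream), while is-JS61I.tmp uses "/4"-style names and two Delphi-built files carry .didata. The script below is an added example, not part of the report or of the sample: it walks a PE section table with struct, computes per-section Shannon entropy and applies the same checks the report lists (nameless or non-standard names, high entropy, writable-and-executable flags, section count). The 7.0 entropy threshold and the "more than 8 sections" cutoff are my assumptions, not Joe Sandbox's thresholds, and build_sample_pe() constructs a synthetic image for demonstration; it is not the dropped file.

```python
import math
import random
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PACKED_ENTROPY = 7.0   # assumption: a common triage threshold, not Joe Sandbox's rule
MANY_SECTIONS = 8      # assumption: cutoff used here for "more sections than normal"
STANDARD_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                  ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk the COFF section table of a PE image and return one dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(nsections):
        (name, _vsize, _vaddr, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        data = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "raw_size": raw_size,
            "entropy": shannon_entropy(data),
            "characteristics": chars,
        })
    return sections


def assess(sections: list) -> list:
    """Apply the report's heuristics: nameless / odd names, high entropy, W+X, section count."""
    findings = []
    for s in sections:
        label = s["name"] or "<nameless>"
        if not s["name"]:
            findings.append(f"{label}: nameless section")
        elif s["name"] not in STANDARD_NAMES:
            findings.append(f"{label}: non-standard section name")
        if s["entropy"] > PACKED_ENTROPY:
            findings.append(f"{label}: entropy {s['entropy']:.2f}, packed or encrypted content likely")
        if s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{label}: writable and executable")
    if len(sections) > MANY_SECTIONS:
        findings.append(f"{len(sections)} sections, more than usual")
    return findings


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (not the dropped file): a nameless RWX section of
    pseudo-random bytes standing in for packed code, a low-entropy .text and a zeroed .rsrc."""
    rng = random.Random(1337)
    payload = [
        (b"", bytes(rng.getrandbits(8) for _ in range(65536)), 0xE0000020),
        (b".text", (b"\x55\x8b\xec\x83\xec\x10\xc3" + b"\x90" * 9) * 256, 0x60000020),
        (b".rsrc", b"\0" * 2048, 0x40000040),
    ]
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                      # PE32 optional header, zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(payload), 0, 0, 0, len(opt), 0x102)
    headers_len = 0x40 + 4 + len(coff) + len(opt) + 40 * len(payload)
    raw_ptr = (headers_len + 511) // 512 * 512                        # 512-byte file alignment
    table, body = b"", b""
    for index, (name, data, chars) in enumerate(payload):
        data += b"\0" * (-len(data) % 512)
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000 * (index + 1),
                             len(data), raw_ptr + len(body), 0, 0, 0, 0, chars)
        body += data
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    headers = dos + b"PE\0\0" + coff + opt + table
    return headers + b"\0" * (raw_ptr - len(headers)) + body


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for s in parse_sections(image):
        print(f"{s['name'] or '<nameless>':10} size={s['raw_size']:7d} entropy={s['entropy']:.3f}")
    for finding in assess(parse_sections(image)):
        print("  ", finding)
```

Run it against a dropped file (`python pe_sections.py is-EQREG.tmp`) to reproduce the nameless/entropy rows; on the constructed image the nameless section scores about 7.99 like the report's, the hand-written .text stays near 2 bits per byte and the zeroed .rsrc scores 0. Entropy alone cannot separate compression from encryption, and a large embedded archive or image resource will score high in .rsrc as well, which is why the name and W+X checks are applied alongside it.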
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\Vorbis.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\is-89R70.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\sqlite3.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\is-I4L15.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\ogg.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\is-3LL6A.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\unins000.exe (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\is-BV3PJ.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\is-URL53.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\lsynchost.exe (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\is-H68I0.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\is-NK5I1.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\MpkL64.exe (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMRE.tmp\_isetup\_isdecmp.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\Users\user\AppData\Local\Temp\is-TDMRE.tmp\_isetup\_setup64.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\is-EQREG.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\Windows\SysWOW64\inspect.exe (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\MpkHCA.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\is-SUMV4.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp File created: C:\ProgramData\MPK\is-5U9RI.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\Users\user\AppData\Local\Temp\is-TDMRE.tmp\_isetup\_shfoldr.dllJump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\is-9EF5L.tmpJump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\zlib1.dll (copy)Jump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\is-JS61I.tmpJump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\vorbisfile.dll (copy)Jump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\is-M13BC.tmpJump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\is-RJO8C.tmpJump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\is-7IT87.tmpJump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\MPK.dll (copy)Jump to dropped file
              Source: C:\ProgramData\MPK\mpk_emni_mpk.exeFile created: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpJump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\libeay32.dll (copy)Jump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\ssleay32.dll (copy)Jump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\MPK.exe (copy)Jump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\MPKInst.exe (copy)Jump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\ProgramData\MPK\mpk_emni_mpk.exeJump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\MPK64.dll (copy)Jump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\vorbisenc.dll (copy)Jump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\is-GH6IU.tmpJump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\Windows\SysWOW64\is-ARHTI.tmpJump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\Vorbis.dll (copy)Jump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\is-89R70.tmpJump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\sqlite3.dll (copy)Jump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\is-I4L15.tmpJump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\ogg.dll (copy)Jump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\is-3LL6A.tmpJump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\unins000.exe (copy)Jump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\is-BV3PJ.tmpJump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\is-URL53.tmpJump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\lsynchost.exe (copy)Jump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\is-H68I0.tmpJump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\is-NK5I1.tmpJump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\MpkL64.exe (copy)Jump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\is-EQREG.tmpJump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\MpkHCA.dll (copy)Jump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\is-SUMV4.tmpJump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\is-5U9RI.tmpJump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\is-9EF5L.tmpJump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\zlib1.dll (copy)Jump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\is-JS61I.tmpJump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\vorbisfile.dll (copy)Jump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\is-M13BC.tmpJump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\is-RJO8C.tmpJump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\is-7IT87.tmpJump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\MPK.dll (copy)Jump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\libeay32.dll (copy)Jump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\ssleay32.dll (copy)Jump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\MPK.exe (copy)Jump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\MPKInst.exe (copy)Jump to dropped file
              Source: C:\Windows\System32\msiexec.exeFile created: C:\ProgramData\MPK\mpk_emni_mpk.exeJump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\MPK64.dll (copy)Jump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\vorbisenc.dll (copy)Jump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\ProgramData\MPK\is-GH6IU.tmpJump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\Windows\SysWOW64\inspect.exe (copy)Jump to dropped file
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmpFile created: C:\Windows\SysWOW64\is-ARHTI.tmpJump to dropped file

              Boot Survival

              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
              Source: C:\Windows\System32\msiexec.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 Blob
              Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\msiexec.exe | Process information set: NOGPFAULTERRORBOX
              Source: C:\ProgramData\MPK\mpk_emni_mpk.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\ProgramData\MPK\mpk_emni_mpk.exe | Process information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Process information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\MPK\MPKInst.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\ProgramData\MPK\lsynchost.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Dropped PE file which has not been started: C:\ProgramData\MPK\Vorbis.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Dropped PE file which has not been started: C:\ProgramData\MPK\is-89R70.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Dropped PE file which has not been started: C:\ProgramData\MPK\sqlite3.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Dropped PE file which has not been started: C:\ProgramData\MPK\ogg.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Dropped PE file which has not been started: C:\ProgramData\MPK\is-I4L15.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Dropped PE file which has not been started: C:\ProgramData\MPK\is-3LL6A.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Dropped PE file which has not been started: C:\ProgramData\MPK\is-BV3PJ.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Dropped PE file which has not been started: C:\ProgramData\MPK\is-NK5I1.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Dropped PE file which has not been started: C:\ProgramData\MPK\is-H68I0.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Dropped PE file which has not been started: C:\ProgramData\MPK\MpkL64.exe (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMRE.tmp\_isetup\_isdecmp.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Dropped PE file which has not been started: C:\Windows\SysWOW64\inspect.exe (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Dropped PE file which has not been started: C:\ProgramData\MPK\is-EQREG.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Dropped PE file which has not been started: C:\ProgramData\MPK\MpkHCA.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Dropped PE file which has not been started: C:\ProgramData\MPK\is-SUMV4.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-TDMRE.tmp\_isetup\_shfoldr.dll
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Dropped PE file which has not been started: C:\ProgramData\MPK\is-9EF5L.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Dropped PE file which has not been started: C:\ProgramData\MPK\zlib1.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Dropped PE file which has not been started: C:\ProgramData\MPK\is-JS61I.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Dropped PE file which has not been started: C:\ProgramData\MPK\vorbisfile.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Dropped PE file which has not been started: C:\ProgramData\MPK\is-M13BC.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Dropped PE file which has not been started: C:\ProgramData\MPK\is-RJO8C.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Dropped PE file which has not been started: C:\ProgramData\MPK\MPK.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Dropped PE file which has not been started: C:\ProgramData\MPK\libeay32.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Dropped PE file which has not been started: C:\ProgramData\MPK\ssleay32.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Dropped PE file which has not been started: C:\ProgramData\MPK\MPK.exe (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Dropped PE file which has not been started: C:\ProgramData\MPK\MPK64.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Dropped PE file which has not been started: C:\ProgramData\MPK\vorbisenc.dll (copy)
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Dropped PE file which has not been started: C:\ProgramData\MPK\is-GH6IU.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Dropped PE file which has not been started: C:\Windows\SysWOW64\is-ARHTI.tmp
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
              Source: C:\ProgramData\MPK\MPKInst.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
              Source: C:\ProgramData\MPK\MPKInst.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
              Source: C:\ProgramData\MPK\lsynchost.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
              Source: C:\ProgramData\MPK\lsynchost.exe | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
              Source: mpk_emni_mpk.tmp, 00000004.00000002.2103218386.0000000000745000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
              Source: C:\Windows\System32\msiexec.exe | Process created: C:\ProgramData\MPK\mpk_emni_mpk.exe "C:\ProgramData\MPK\mpk_emni_mpk.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SDIR "C:\Users\user\Desktop\" /LOG="C:\ProgramData\MPK\mpk_em_log.txt"
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Process created: C:\Users\user\AppData\Local\Temp\is-TDMRE.tmp\_isetup\_setup64.tmp helper 105 0x3DC
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" /c netsh advfirewall firewall add rule name="TCP\IP" dir=in action=allow program="C:\ProgramData\MPK\mpk.exe" enable=yes
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="TCP\IP" dir=in action=allow program="C:\ProgramData\MPK\mpk.exe" enable=yes
              Source: C:\Users\user\AppData\Local\Temp\is-TDMRE.tmp\_isetup\_setup64.tmp | Code function: 5_2_0000000140001000 GetNamedSecurityInfoW,AllocateAndInitializeSid,SetEntriesInAclW,SetNamedSecurityInfoW,LocalFree,FreeSid,LocalFree,GetLastError,5_2_0000000140001000
              Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation

              Lowering of HIPS / PFW / Operating System Security Settings

              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers DisableNXShowUI
              Source: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\SysWOW64\cmd.exe" /c netsh advfirewall firewall add rule name="TCP\IP" dir=in action=allow program="C:\ProgramData\MPK\mpk.exe" enable=yes
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="TCP\IP" dir=in action=allow program="C:\ProgramData\MPK\mpk.exe" enable=yes
              Source: C:\Windows\System32\msiexec.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 Blob
              MITRE ATT&CK Matrix, listed by tactic (techniques matched by the analysis carry the report's count in brackets; the others are the matrix's unmatched entries):

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
              Initial Access: Replication Through Removable Media [1]; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
              Execution: Command and Scripting Interpreter [2]; Native API [1]; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
              Persistence: Registry Run Keys / Startup Folder [1]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
              Privilege Escalation: Process Injection [11]; Registry Run Keys / Startup Folder [1]; DLL Side-Loading [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
              Defense Evasion: Masquerading [21]; Modify Registry [1]; Disable or Modify Tools [31]; Process Injection [11]; Obfuscated Files or Information [1]; Software Packing [2]; DLL Side-Loading [1]; File Deletion [1]
              Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
              Discovery: Security Software Discovery [11]; Process Discovery [1]; Peripheral Device Discovery [11]; System Owner/User Discovery [2]; File and Directory Discovery [1]; System Information Discovery [22]; Remote System Discovery; System Owner/User Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
              Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
              Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              Behavior Graph ID: 1546437 | Sample: 1944b321.msi | Start date: 31/10/2024 | Architecture: WINDOWS | Score: 84

              Signatures on the start node: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; PE file has nameless sections

              Process tree (with dropped files and signatures attached to the process that produced them):

              msiexec.exe 77 29 (started)
                dropped: C:\ProgramData\MPK\mpk_emni_mpk.exe, PE32
                mpk_emni_mpk.exe 2 (started)
                  signature: Multi AV Scanner detection for dropped file
                  dropped: C:\Users\user\AppData\...\mpk_emni_mpk.tmp, PE32
                  mpk_emni_mpk.tmp 9 37 (started)
                    dropped: C:\Windows\SysWOW64\is-ARHTI.tmp, PE32
                    dropped: C:\Windows\SysWOW64\inspect.exe (copy), PE32
                    dropped: C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
                    dropped: 34 other files (31 malicious)
                    signature: Multi AV Scanner detection for dropped file
                    signature: Creates an undocumented autostart registry key
                    signature: Disables DEP (Data Execution Prevention) for certain images
                    signature: Modifies the windows firewall
                    cmd.exe 1 (started)
                      signature: Uses netsh to modify the Windows network and firewall settings
                      conhost.exe (started)
                      netsh.exe 2 (started)
                    MPKInst.exe 1 (started)
                      lsynchost.exe (started)
                      conhost.exe (started)
                    _setup64.tmp 1 (started)
                      conhost.exe (started)
              lsynchost.exe (started)
                lsynchost.exe (started)
                  lsynchost.exe (started)
              svchost.exe (started)
              msiexec.exe 5 (started)

Antivirus results for the submitted sample:

Source | Detection | Scanner | Label
1944b321.msi | 33% | ReversingLabs | Win32.PUA.RefogKeylogging

Antivirus results for dropped files:

Source | Detection | Scanner | Label
C:\ProgramData\MPK\is-EQREG.tmp | 100% | Avira | APPL/MonitorTool.Gen
C:\ProgramData\MPK\is-NK5I1.tmp | 100% | Avira | APPL/MonitorTool.Gen
C:\ProgramData\MPK\MPK.dll (copy) | 53% | ReversingLabs | Win32.PUA.RefogKeylogging
C:\ProgramData\MPK\MPK.exe (copy) | 62% | ReversingLabs | Win32.Spyware.Refog
C:\ProgramData\MPK\MPK64.dll (copy) | 45% | ReversingLabs | Win64.PUA.RefogKeylogging
C:\ProgramData\MPK\MPKInst.exe (copy) | 40% | ReversingLabs | Win32.PUA.RefogKeylogging
C:\ProgramData\MPK\MpkHCA.dll (copy) | 65% | ReversingLabs | Win32.PUA.RefogKeylogging
C:\ProgramData\MPK\MpkL64.exe (copy) | 45% | ReversingLabs | Win64.Spyware.Refog
C:\ProgramData\MPK\Vorbis.dll (copy) | 0% | ReversingLabs |
C:\ProgramData\MPK\is-3LL6A.tmp | 2% | ReversingLabs |
C:\ProgramData\MPK\is-5U9RI.tmp | 24% | ReversingLabs | Win32.PUA.RefogKeylogging
C:\ProgramData\MPK\is-7IT87.tmp | 45% | ReversingLabs | Win32.Spyware.Refog
C:\ProgramData\MPK\is-89R70.tmp | 0% | ReversingLabs |
C:\ProgramData\MPK\is-9EF5L.tmp | 0% | ReversingLabs |
C:\ProgramData\MPK\is-BV3PJ.tmp | 0% | ReversingLabs |
C:\ProgramData\MPK\is-EQREG.tmp | 62% | ReversingLabs | Win32.Spyware.Refog
C:\ProgramData\MPK\is-GH6IU.tmp | 0% | ReversingLabs |
C:\ProgramData\MPK\is-H68I0.tmp | 45% | ReversingLabs | Win64.PUA.RefogKeylogging
C:\ProgramData\MPK\is-I4L15.tmp | 0% | ReversingLabs |
C:\ProgramData\MPK\is-JS61I.tmp | 0% | ReversingLabs |
C:\ProgramData\MPK\is-M13BC.tmp | 45% | ReversingLabs | Win64.Spyware.Refog
C:\ProgramData\MPK\is-NK5I1.tmp | 65% | ReversingLabs | Win32.PUA.RefogKeylogging
C:\ProgramData\MPK\is-RJO8C.tmp | 53% | ReversingLabs | Win32.PUA.RefogKeylogging
C:\ProgramData\MPK\is-SUMV4.tmp | 0% | ReversingLabs |
C:\ProgramData\MPK\is-URL53.tmp | 40% | ReversingLabs | Win32.PUA.RefogKeylogging
C:\ProgramData\MPK\libeay32.dll (copy) | 2% | ReversingLabs |
C:\ProgramData\MPK\lsynchost.exe (copy) | 45% | ReversingLabs | Win32.Spyware.Refog
C:\ProgramData\MPK\mpk_emni_mpk.exe | 52% | ReversingLabs | Win32.PUA.RefogKeylogging
C:\ProgramData\MPK\ogg.dll (copy) | 0% | ReversingLabs |
C:\ProgramData\MPK\sqlite3.dll (copy) | 0% | ReversingLabs |
C:\ProgramData\MPK\ssleay32.dll (copy) | 0% | ReversingLabs |
C:\ProgramData\MPK\unins000.exe (copy) | 24% | ReversingLabs | Win32.PUA.RefogKeylogging
C:\ProgramData\MPK\vorbisenc.dll (copy) | 0% | ReversingLabs |
C:\ProgramData\MPK\vorbisfile.dll (copy) | 0% | ReversingLabs |
C:\ProgramData\MPK\zlib1.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp | 24% | ReversingLabs | Win32.PUA.RefogKeylogging
C:\Users\user\AppData\Local\Temp\is-TDMRE.tmp\_isetup\_isdecmp.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-TDMRE.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-TDMRE.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs |
C:\Windows\SysWOW64\inspect.exe (copy) | 0% | ReversingLabs |
C:\Windows\SysWOW64\is-ARHTI.tmp | 0% | ReversingLabs |
              No Antivirus matches
URL reputation results:

Source | Detection | Scanner | Label
http://www.innosetup.com/ | 0% | URL Reputation | safe
http://www.remobjects.com/ps | 0% | URL Reputation | safe
http://www.openssl.org/support/faq.html | 0% | URL Reputation | safe
http://www.dk-soft.org/ | 0% | URL Reputation | safe
              No contacted domains info
URLs extracted from process memory and dropped files (the Name column is the raw extracted string, so trailing characters such as "0", "q" or "(" are string residue, not real paths):

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.dk-soft.org/0 | mpk_emni_mpk.exe, 00000003.00000003.2103847115.00000000021BF000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.innosetup.com/ | mpk_emni_mpk.exe, 00000003.00000003.2060281542.0000000002390000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.exe, 00000003.00000003.2060667547.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000000.2061522413.0000000000401000.00000020.00000001.01000000.00000004.sdmp, mpk_emni_mpk.tmp.3.dr | false | URL Reputation: safe | unknown
http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG | is-3LL6A.tmp.4.dr | false | | unknown
http://www.mipko.ru/ | mpk_emni_mpk.tmp, 00000004.00000003.2062536481.00000000029A0000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101400325.0000000002C3D000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.mipko.ru/register.php?reffrominfo=INSTALL&refverinfo=0 | mpk_emni_mpk.tmp, 00000004.00000003.2062536481.00000000029A0000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101887413.000000000224A000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101400325.0000000002C3D000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.openssl.org/V | is-3LL6A.tmp.4.dr, is-SUMV4.tmp.4.dr | false | | unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | mpk_emni_mpk.exe, 00000003.00000000.2058969608.0000000000401000.00000020.00000001.01000000.00000003.sdmp, mpk_emni_mpk.exe.1.dr | false | | unknown
http://www.mipko.ru/uninstall.htm?reffrominfo=INSTALL&refverinfo=0 | mpk_emni_mpk.tmp, 00000004.00000003.2062536481.00000000029A0000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101400325.0000000002C3D000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.mipko.ru/helponline.php?reffrominfo=INSTALL&refverinfo=0q | mpk_emni_mpk.tmp, 00000004.00000003.2101887413.000000000224A000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.mipko.ru/(http://www.mipko.ru/(http://www.mipko.ru/( | mpk_emni_mpk.exe, 00000003.00000003.2059670958.0000000002390000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2062536481.00000000029A0000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.mipko.ru/uninstall.htm?reffrominfo=INSTALL&refverinfo=09 | mpk_emni_mpk.tmp, 00000004.00000003.2101887413.000000000224A000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.mipko.ru/1 | mpk_emni_mpk.exe, 00000003.00000003.2103847115.0000000002241000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101887413.0000000002311000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.mipko.ru/q | mpk_emni_mpk.exe, 00000003.00000003.2103847115.0000000002241000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101887413.0000000002311000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.mipko.ru/$QuickHelpMainLabel | mpk_emni_mpk.tmp, 00000004.00000003.2062536481.00000000029A0000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.remobjects.com/ps | mpk_emni_mpk.exe, 00000003.00000003.2060281542.0000000002390000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.exe, 00000003.00000003.2060667547.000000007FD30000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000000.2061522413.0000000000401000.00000020.00000001.01000000.00000004.sdmp, mpk_emni_mpk.tmp.3.dr | false | URL Reputation: safe | unknown
http://www.mipko.ru/helponline.php?reffrominfo=INSTALL&refverinfo=0 | mpk_emni_mpk.tmp, 00000004.00000003.2101400325.0000000002C3D000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.mipko.ru/helponline.php?reffrominfo=INSTALL&refverinfo=0a | mpk_emni_mpk.tmp, 00000004.00000003.2101887413.000000000224A000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
http://www.openssl.org/support/faq.html | is-3LL6A.tmp.4.dr | false | URL Reputation: safe | unknown
http://www.dk-soft.org/ | mpk_emni_mpk.exe, 00000003.00000003.2059670958.0000000002390000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.exe, 00000003.00000003.2103847115.00000000021DC000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2062536481.00000000029A0000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101887413.000000000228B000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101400325.0000000002C3D000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101887413.0000000002258000.00000004.00001000.00020000.00000000.sdmp, unins000.msg.4.dr | false | URL Reputation: safe | unknown
http://www.mipko.ru/employee-monitor/tutorial-msi.php?reffrominfo=INSTALL&refverinfo=0 | mpk_emni_mpk.tmp, 00000004.00000003.2062536481.00000000029A0000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101400325.0000000002C3D000.00000004.00001000.00020000.00000000.sdmp, mpk_emni_mpk.tmp, 00000004.00000003.2101887413.0000000002243000.00000004.00001000.00020000.00000000.sdmp | false | | unknown
                                              No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1546437
Start date and time: 2024-10-31 22:09:22 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 32s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 1944b321.msi
Detection: MAL
Classification: mal84.evad.winMSI@25/66@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 88%
• Number of executed functions: 3
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .msi
• Excluded processes from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analysed; the report is missing behavior information
• Report size getting too big; too many NtOpenKeyEx calls found
• Report size getting too big; too many NtQueryValueKey calls found
• VT rate limit hit for: 1944b321.msi
                                              No simulations
                                              No context

Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: dropped
Size (bytes): 7730
Entropy (8bit): 5.511606428476331
Encrypted: false
SSDEEP: 96:3VtMfewQGIU2CtCsThq7U2CtC6jcDtlThqtHEg5ODWxARYCipljVrAp+C:3fceWnPwILPwHuohip0
MD5: C316E035CBB1039600EEA6AE0EA5ED5E
SHA1: 7287825B32A8974CF85C0B23F8E4D351176CDEE7
SHA-256: 37B4687207A84935C1BE3904CC3D8B35791D04529340A225D9708486CBDAFD88
SHA-512: D7135ACBB4A88F4DFA77DB26D80CF025D8D38B68DBCA431DEC2ACB6F301CBF3095C3D27765A0469B9633B3D484ED2BB7FA830BB1720B2316C432378E4D66A870
Malicious: false
                                              Preview:...@IXOS.@.....@H._Y.@.....@.....@.....@.....@.....@......&.{9EBEE94E-B80E-4DDF-961B-A35BE6877C22}..MPK_EM..1944b321.msi.@.....@.....@.....@........&.{13B3FD70-0ECC-42BA-8BCE-4711A2312FB6}.....@.....@.....@.....@.......@.....@.....@.......@......MPK_EM......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{F9FFC604-2CE5-4252-B031-34223392D3E4}&.{9EBEE94E-B80E-4DDF-961B-A35BE6877C22}.@......&.{2BE243B0-33A6-4A41-B727-70254936D3E0}&.{9EBEE94E-B80E-4DDF-961B-A35BE6877C22}.@........CreateFolders..Creating folders..Folder: [1]"...C:\ProgramData\.@.............. .......,.............................x......................................... ... ....................................... ...!................... ...!.......InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]....C:\ProgramData\MPK\....#.C:\ProgramData\MPK\mpk_emni_mpk.exe....RegisterProduct..Registering product..[1]...

Process: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 629504
Entropy (8bit): 4.886934785875236
Encrypted: false
SSDEEP: 6144:elEenOB3t7nPQBgyD7IjOHKEZa7Y1qqZbUn3JxDxqTJNOI:93t7ZyD7iOHKEZF1xZbc3EOI
MD5: CCCC6EE4E855BB19581AB7CB61A86055
SHA1: D67E92E3AD3B7AF42FBEAB2A98647B3894B4658A
SHA-256: B21437682A17616CEE9BDC7034A3FE45679AFC69A810BB9FFAAFB6B4BDFDBAAB
SHA-512: 9709F878CE2D1F2F80BC26D5D03C18C0072821750A1FCF6FE1C1C115073E4277F2B6759FF83E8FC2A967A3C260E7AEBE1BF3E9B3043C75C768A4804DB6054D91
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 53%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......{$VQ?E8.?E8.?E8.....E8....0E8....QE8...U.:E8...C.;E8.6=...E8.?E9..E8.Y....E8.Y...>E8.Y...>E8.?E..>E8.Y...>E8.Rich?E8.........PE..L......T...........!................l!...............................................a....@..................................p.......... ........................:..................................0...@............u...............................text...o........................... ..`.rdata...O.......P..................@..@.data... 3...0......................@....idata..J....p......................@....rsrc... ............8..............@..@.reloc..:D.......F...@..............@..B................................................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1848064
Entropy (8bit): 7.9914250784592245
Encrypted: true
SSDEEP: 49152:hSWaDZti/jOiGYkHW2VQ8HXibJ8CVjeHGB:QWa1ti/KR2h8CEW
MD5: 1F88A27A865B8E6C69CCA354B9B68445
SHA1: 313A3547382C192DB10EC314A2030C706B9E734C
SHA-256: DEA8CA52EBCFFC6962DE7B65F39392BDF806DB56563CE6A7941EE1E04C00B0BD
SHA-512: F0B44AA925958E6F4413775C86DF4B5304601F8C65878A41FECD1FFEBE7504EA15E9E4AA4BE8F051EEDF76319E765A261B364B20F35B47CF3AC3C79FD2957B0E
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 62%
                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......T.................$C..................@C...@..........................`].....0............@..........................|.X.D.....S.......................................................X...............................................................B.........................@.................B..2..................@............@...@C.....................@.................D.....................@............`... M..J..................@.................M.....................@.................M.....................@.................M.....................@............P....M.....................@....rsrc.........S.....................@....data....@....X..<..................@....adata.......P].....................@...................
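The preview of this 1,848,064-byte, near-maximum-entropy PE32 shows a section table whose leading entries carry blank names, followed by .rsrc, .data and .adata. That is the anomaly behind the "PE file has nameless sections" signature in the behavior graph, and the kind of layout a packer leaves behind. The following is an added example, not code from the report or from Joe Sandbox: it walks the DOS header, PE signature, COFF header and section table of a PE image and flags nameless sections, names outside a common-toolchain allow-list, and an unusually high section count. The allow-list, the count threshold of 8 and the two sample images are assumptions constructed for the example; to check the real dropped file, pass its bytes to section_anomalies() and confirm the hashes listed above first.

```python
import struct

# Section names that mainstream toolchains (MSVC, MinGW/GCC, Delphi) emit.
# This allow-list is an assumption made for the example, not the sandbox's own rule set.
COMMON_SECTION_NAMES = {
    b".text", b".rdata", b".data", b".idata", b".edata", b".pdata",
    b".rsrc", b".reloc", b".bss", b".tls", b".CRT", b".itext", b".didata",
}
MAX_TYPICAL_SECTIONS = 8  # assumed threshold for "more sections than normal"

# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics
COFF_HEADER = "<HHIIIHH"
# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations,
# PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER = "<8sIIIIIIHHI"


def parse_sections(image: bytes) -> list:
    """Walk DOS header -> e_lfanew -> PE signature -> COFF header -> section table.
    The optional header is skipped via SizeOfOptionalHeader, so PE32 and PE32+ both work."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER, image, coff_off)
    table_off = coff_off + struct.calcsize(COFF_HEADER) + opt_size
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HEADER, image, table_off + i * 40)
        sections.append({
            "name": fields[0].rstrip(b"\0"),
            "virtual_size": fields[1],
            "virtual_address": fields[2],
            "raw_size": fields[3],
            "raw_offset": fields[4],
            "characteristics": fields[9],
        })
    return sections


def section_anomalies(image: bytes) -> dict:
    """Flag the section-table oddities a sandbox signature would report."""
    secs = parse_sections(image)
    nameless = sum(1 for s in secs if s["name"] == b"")
    nonstandard = [s["name"].decode("latin-1") for s in secs
                   if s["name"] and s["name"] not in COMMON_SECTION_NAMES]
    return {
        "section_count": len(secs),
        "nameless": nameless,
        "nonstandard_names": nonstandard,
        "too_many_sections": len(secs) > MAX_TYPICAL_SECTIONS,
    }


def build_pe(section_names: list) -> bytes:
    """Constructed minimal PE32 image for testing: DOS stub, PE signature, COFF header,
    a zeroed 224-byte optional header (Magic = 0x10B) and one 40-byte header per section.
    Only the fields parse_sections() reads are populated; it is not a loadable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew
    opt_size = 0xE0
    coff = struct.pack(COFF_HEADER, 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)         # PE32 magic
    table = b""
    rva = 0x1000
    for name in section_names:                    # "8s" null-pads names shorter than 8 bytes
        table += struct.pack(SECTION_HEADER, name, 0x1000, rva, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
        rva += 0x1000
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples (not the report's files): a plain MSVC-style layout, and one
# resembling the packed binary previewed above, with six blank names before .rsrc/.data/.adata.
CLEAN_IMAGE = build_pe([b".text", b".rdata", b".data", b".rsrc", b".reloc"])
PACKED_LIKE_IMAGE = build_pe([b""] * 6 + [b".rsrc", b".data", b".adata"])

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_IMAGE), ("packed-like", PACKED_LIKE_IMAGE)):
        print(label, section_anomalies(img))
```

The parser deliberately reads only the COFF header and section table, so it works on PE32 and PE32+ alike and on truncated dumps as long as the section table is present; a blank name is legal per the PE specification, which is exactly why linkers never emit one and why it is a useful packer indicator.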

Process: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 696064
Entropy (8bit): 4.562266096083011
Encrypted: false
SSDEEP: 6144:Ueyz3C7heuffqf6CANY/ja9DzNTxZKjJ1Btm0v2CfU+nlm/pBZBRM+6p+m:NheuffsiY/GyiCfU+nE/3yN
MD5: 5C601EEA1F8C0013F207CA53EB2E4166
SHA1: 4AEC386FAB7515FAC4ED523E2A92D0205E213691
SHA-256: 8AFB2EC5A4168F8782D5F54D282CFE1D41E91619C8BDEFEC8613747235CF84BC
SHA-512: 86769ABEA91A7B03E9B1B8982675A8B9804051A5127BD0F0A8C6EEF24510D17EF43D23A1D4A95E939758B5133E70F1268E3FEE88568D666F52CB69F8EEA008D2
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 45%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&..b...b...b...ER..f...ER..f...Rm.O...Rl.....Ro.k...k.%.c...k.1.s...b.......zm.s....zh.c....zk.c...b.5.c....zn.c...Richb...................PE..d...-..T.........." ................d ...............................................^....`............................................................. ....`..l-..................................................P...p...........0...P............................text...'........................... ..`.rdata..............................@..@.data...........~..................@....pdata...3...`...4..................@..@.idata...!......."...F..............@....rsrc... ............h..............@..@.reloc...............p..............@..B........................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1499392
Entropy (8bit): 6.499259379210101
Encrypted: false
SSDEEP: 24576:+YkHGqHO6pTADZVmH28IcBOSteCjRdNakuxHgb26nhr/xJ/r92OFvprq+:+LHxdQZQocISvRDxJ/r92oprq+
MD5: 20BC08D7652B652811DF5F403C9C6DFA
SHA1: 2DAF670A0909F40738849F1420A28E2ECC499C43
SHA-256: DCD6A7649342DEA92532F866BA85E545974F05E9D2F5D70DC7CFD66CBB50A3E5
SHA-512: F4720499EF89331E34EDCD3516376C25CA3E83C457B87C313D7A2826A4C30EB956E4563A9290C62A0A274272F8D65041D3D4FBDB7CCF07228ADF1A994341A643
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 40%
                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....T.................D..........(W.......`....@..............................................@..............................L;... ...Z..................................................p...............................P..^....................text....#.......$.................. ..`.itext.......@... ...(.............. ..`.data...TM...`...N...H..............@....bss.....T...............................idata..L;.......<..................@....didata.^....P......................@....tls....@....`...........................rdata.......p......................@..@.reloc.............................@..B.rsrc....Z... ...Z...r..............@..@....................................@..@........................................................

Process: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 333056
Entropy (8bit): 4.260070328190628
Encrypted: false
SSDEEP: 3072:FsqQ2Sv1itXCgDrr45t/oPkekfCMvJMdKmJk82y:Fu2Svozv45erkliBJkRy
MD5: 70223C7999C6847DD78239415E6185B3
SHA1: E3B692BF56661F91436E8711E6E3762A3CD24571
SHA-256: 80001E9B4054E26B7F9DC01DEC4AD28DD15806430F52F095E9833EE7CBBAB4DF
SHA-512: DE6D235B3F4074729CEFDD4D05F39A2C82563C04A949AF393DCB5E6916793FCA2FD6CC3B336C17206F9038FD4528E0C8CF2601539C1ED0F353F22C956AE637E1
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 65%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.!.9.O.9.O.9.O..N4.;.O..N....O..N..7.O..N..U.O..N!.8.O.9.N.G.O.....2.O._f..2.O._f..8.O._f..8.O.9...8.O._f..8.O.Rich9.O.........PE..L......T...........!.........h...............................................P......T.....@.........................0Y..i....P..P.......p.......................|!...................................G..@...............x............................text............................... ..`.rdata..............................@..@.data........`...n...D..............@....rsrc...p...........................@..@.reloc...H.......J..................@..B........................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 79616
Entropy (8bit): 5.538620798160883
Encrypted: false
SSDEEP: 1536:+6T4xQ1x132X9ba2EDww/VJdVKN8G8sWhmqsd4WlWTLyfYHh:rTwQ1xJ2X9bTEDwwdRgz4WALn
MD5: 4F4CC7256A1D6B7E8782CDEDDA4279EF
SHA1: 2BAB6C2877C0EA259FE42A7429930E5DB90432EF
SHA-256: F35958CDF631ECEBF6E850C8485F8B18E9BFD2EC060C4AEB7C378ACBA694AE8B
SHA-512: B7D58030CCBE928B5C8D3698D45C9E3691C04CA284FCC13D6C6F09724467163BE9569471DAFCC932D567FA077ABCAA087ACBCE52E7DFD986690730510E3F179C
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 45%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... ..NZ.NZ.NZ.h5Z.NZ.h.Z..NZ.h.Z..NZ.h.Z.NZ...Z.NZ.OZ..NZ.@.Z.NZ.@.Z.NZ..Z.NZ.@.Z.NZRich.NZ................PE..d...3..T.........."......|..........0..........@..........................................`.................................................l...P....`..p....P.......".......p..4.......................................p............................................text....z.......|.................. ..`.rdata..>e.......f..................@..@.data....E....... ..................@....pdata.......P......................@..@.rsrc...p....`......................@..@.reloc..`....p......................@..B........................................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
File Type: PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 1168384
Entropy (8bit): 2.5375197488346086
Encrypted: false
SSDEEP: 3072:w4ABLspLX5fr0Z2zvvSD2tP4gc8Q8g1I9RtuH8OrsT+qldWfF/eMw:we55YI7ti1QR4Wqqi
MD5: 8884A1C5DA2077CCD9D08C5D3DACF192
SHA1: 1813EE9EBB7FDAF7E79DD90F3E0FA36D043731F5
SHA-256: 6698808D9394C8267C019EEC458093CFBD8B3D5FDE517458091B603EE00C4345
SHA-512: 00AE8C5FCD5FB60AB22CBE1646F1903A9950EA0185CBDD3E00931E59B27FE62C6974BD87FDA6E4F8EDA8128B37A197AD435B99E3604004FA5E209DC56D476E9B
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....}?E...........#...8.........*.................c.........................P.......N........ .................................L............................ ..x)...................................................................................text...............................`..`.data...............................@....rdata..............................@..@.bss.... (...............................edata..............................@..@.idata..L...........................@....reloc..x)... ...*..................@..B........................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:PEM certificate
                                              Category:dropped
                                              Size (bytes):1570
                                              Entropy (8bit):5.88877406553654
                                              Encrypted:false
                                              SSDEEP:48:LrQgD1RE7dXrI+TsGyxMGRIDBfaqgxR6TgQg:LrBhRE7Vzy8fLgy1g
                                              MD5:50BDA2ED4D02DBD625FA425A3FCDEB44
                                              SHA1:434A39F59FC5207543227A6B2A215570BF2D5809
                                              SHA-256:1E00A7F619A596AC9C2DE6614297A2477D15D34E255BCF947150991C24EEE0A8
                                              SHA-512:6974F9D05E42EE4856FCD7617CE1C5459C396E903BAF2B7E5135A9C26446AC0B7284E4D1464AD35DE7546B67C19C852F0EAB546CCECBF0B89E2A3DB89B7DE703
                                              Malicious:false
                                              Preview:-----BEGIN CERTIFICATE-----..MIIESDCCAzCgAwIBAgIJAJNdu/QfCMXrMA0GCSqGSIb3DQEBBQUAMHUxCzAJBgNV..BAYTAlVTMQswCQYDVQQIEwJWQTETMBEGA1UEBxMKQWxleGFuZHJpYTESMBAGA1UE..ChMJUmVmb2cgSW5jMQ4wDAYDVQQDEwVSZWZvZzEgMB4GCSqGSIb3DQEJARYRc3Vw..cG9ydEByZWZvZy5jb20wHhcNMTAxMDI1MDY0NTUzWhcNMjAxMDIyMDY0NTUzWjB1..MQswCQYDVQQGEwJVUzELMAkGA1UECBMCVkExEzARBgNVBAcTCkFsZXhhbmRyaWEx..EjAQBgNVBAoTCVJlZm9nIEluYzEOMAwGA1UEAxMFUmVmb2cxIDAeBgkqhkiG9w0B..CQEWEXN1cHBvcnRAcmVmb2cuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB..CgKCAQEA6lQxNZ07MoOeC8Dkra2Zf9iNWnx2CwDpgfGrGOgbz+x94vEXZFmTMcxy..Y7NFgjHy5DBFcLEzVBc0LnwdRUt7KRNYdxHXIpaLveqe+vFG8eCUhOiUzPNjg5pg..G6lYCBAQPztz4CtiPktQbWGyFnxJMwwtazjG7xgbZOXI7UOCBkVrt4yQXAcg6Bvv..aRfS1EFmG/q51TYgqhmKM7H6tMUwwK1ChZOXgd+a5l0mMj7Ql1YGIlmk3SpZDJyB..1jRdY5ywiA5JL1EN8rpC2Poc08D2ET88eeGel1TolcS+QWCbgWELw8A8Weh2zYKZ..HJEVqq5fK1XGyQA1AhBJCAa2Uy1kAwIDAQABo4HaMIHXMB0GA1UdDgQWBBS4qC8I..EltnmHh2BRy/ylRl3qin/jCBpwYDVR0jBIGfMIGcgBS4qC8IEltnmHh2BRy/ylRl..3qin/qF5pHcwdTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlZ
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):1179648
                                              Entropy (8bit):6.81374307872326
                                              Encrypted:false
                                              SSDEEP:24576:vMBQN+KpPoWxSkU6kzi9FObe+bDCvNpjvvj0poSZHMfHde:D9ntae+bDCvNxvj0poUMfHde
                                              MD5:8B043541FBB07831C731566DBC1175A9
                                              SHA1:3B8DCB6FDC48DBFDEC789BF8A7182487181D3AED
                                              SHA-256:08409174C3FFF9EB2D06F37802C7AD71C3B1C06A6FAF917AF9AB83A1BB7624D7
                                              SHA-512:E1F342DD39E2C7098DBADE5DFE8FAC1A2C2D030710A220792699CAA2F4900D34E50DAF9384414F3DE8B5210CB88BBA07CDD44A9D0407D813C14CA395F3781962
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 2%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........TE..5+.5+.5+.M..5+.M..5+.5*..5+.M..5+.5+.5+.M...7+.M..5+.M..5+.M..5+.Rich.5+.........PE..L...jk.T...........!.........................................................P.......................................b..f....X..................................`....................................V..@............................................text............................... ..`.rdata..............................@..@.data............^..................@....rsrc................\..............@..@.reloc...............d..............@..B................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):1178880
                                              Entropy (8bit):6.409651886038298
                                              Encrypted:false
                                              SSDEEP:24576:J1VqyG3T/+ofiDIZE2kChYYmpY9a2nWEdEC6GnJJ3G7vxyxG:TQdhZgEN6GnJYb
                                              MD5:5ABA2917CE54882DFFA1635380313097
                                              SHA1:616D89410D1FF04B7D17E8EA65ADBF716A85D8E7
                                              SHA-256:6F3A8D6237EA49ECCA6A1CC979090FEF4F0FD96A42F09334D990C40875AC0045
                                              SHA-512:16F7CDF19802C53EBDDD76C8B1DAA876C58ED8AF9E67082199FC6ED5AA1179DA4AA12EF7207B2C1D0B6D7BC849ED2EA14430C396B20C967699F4D80948A6FB62
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 24%
                                              Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......S..........................................@..............................................@...............................7..................................................................................t................................text............................... ..`.itext.. ........................... ..`.data...80.......2..................@....bss.....a...@...........................idata...7.......8..................@....tls....<............R...................rdata...............R..............@..@.rsrc................T..............@..@....................................@..@........................................................................................................................................
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):1561344
                                              Entropy (8bit):6.486982389571691
                                              Encrypted:false
                                              SSDEEP:24576:qa3gEom5UYKRL1Rbggj1eVFBAS5lAvSciLyoMfO2EQ2G3FoUxW/Sk8oUEARW0NPV:qo5HKRfjGFCS3w3FzxW/SPoXsWMPwe
                                              MD5:1A902E39120A8CCAA56163B91601E63A
                                              SHA1:42E92AE948D8EC97005FC474C815B2C3EA0D5688
                                              SHA-256:321DB63396B88771EAEEB15B361FB533096ADDF122E709D84FEB089EE46DDBF9
                                              SHA-512:ABB774E547D506E6CD6D95B7111A4B7A50F9A20429D556DD8644F6B0740AB32BF8AB10C5A0A2CF294C6CB2DBFDB4F2B377A46848F4AFD05F6E2DF5C9902BA71B
                                              Malicious:true
                                              Yara Hits:
                                              • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\MPK\is-7IT87.tmp, Author: Joe Security
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 45%
                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....T............................l(.......0....@..........................`.......H...........@...............................=.......^...................P..t............................@......................t...l.... ..^....................text............................... ..`.itext..x........................... ..`.data....N...0...P... ..............@....bss....4U...........p...................idata...=.......>...p..............@....didata.^.... ......................@....tls....@....0...........................rdata.......@......................@..@.reloc..t....P......................@..B.rsrc....^.......^...`..............@..@.............`......................@..@........................................................
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                              Category:dropped
                                              Size (bytes):1011200
                                              Entropy (8bit):1.5301191700885959
                                              Encrypted:false
                                              SSDEEP:768:uZCopPpPMKfwW+nAEF2xxDvgFwLDbSkRcbceITgkzokrkkkl0gJukgfkkkgrkhyl:i7GfbQP1UL7JxmrNdFFl
                                              MD5:6DE80C4A49E3688C26ABC6AB788FD4D4
                                              SHA1:4D1D52CA9CFDEF96B5C4907CEF07A82CF29E1697
                                              SHA-256:BC93208756401ECC4DE27AA3082C79425EF7491FC771CB2BDC0B7FBE9831E5E9
                                              SHA-512:06D57808C9784CB08835CBB90ECFDDF4F7B0794E916BEFA5A9DCE77BB0E2557E7C09FCD7C1E02D3F0168154604187C3005AA448968F764F2E1F0003DDB80873C
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....}?E...........#...8.*...j...*...........@....8b.................................}........ ..................................................................$...................................................................................text....(.......*..................`..`.data...P....@......................@....rdata.......`.......B..............@..@.bss.....(...p...........................edata...............D..............@..@.idata...............F..............@....reloc...$.......&...H..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                              Category:dropped
                                              Size (bytes):1168384
                                              Entropy (8bit):2.5375197488346086
                                              Encrypted:false
                                              SSDEEP:3072:w4ABLspLX5fr0Z2zvvSD2tP4gc8Q8g1I9RtuH8OrsT+qldWfF/eMw:we55YI7ti1QR4Wqqi
                                              MD5:8884A1C5DA2077CCD9D08C5D3DACF192
                                              SHA1:1813EE9EBB7FDAF7E79DD90F3E0FA36D043731F5
                                              SHA-256:6698808D9394C8267C019EEC458093CFBD8B3D5FDE517458091B603EE00C4345
                                              SHA-512:00AE8C5FCD5FB60AB22CBE1646F1903A9950EA0185CBDD3E00931E59B27FE62C6974BD87FDA6E4F8EDA8128B37A197AD435B99E3604004FA5E209DC56D476E9B
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....}?E...........#...8.........*.................c.........................P.......N........ .................................L............................ ..x)...................................................................................text...............................`..`.data...............................@....rdata..............................@..@.bss.... (...............................edata..............................@..@.idata..L...........................@....reloc..x)... ...*..................@..B........................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                              Category:dropped
                                              Size (bytes):15872
                                              Entropy (8bit):6.043943242879702
                                              Encrypted:false
                                              SSDEEP:192:PJCQIHVlG655ksUBfPxW0gtsiZVu9OoQk6qS7lGidz78oVh7xXh2Kn1U0SC:PCz55ksUTW0vyVu9r6TQif5xRz6
                                              MD5:82BF92B15339F0DB75552B15DD1D1573
                                              SHA1:E80099B882E17AEE846BD6D28914F13561148E6E
                                              SHA-256:2B2A426D6691998755C42A108EB1A9AFD3F33DC3F1081FB63C31C15AC8A405E0
                                              SHA-512:D80A60A1AB6F257257E4ACB4439E73B1D46B8C8B27AB1C2900A389C13425D8C74D222D2706058EE3F06A8F3EA3B13F65A5BA61BA5C7BA88AA24DA64C791238F2
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...}}?E...........#...8.&...:...............@.....f.......................................... ......................p...............................................................................................................................text....%.......&..................`..`.data...0....@.......*..............@....rdata.......P.......,..............@..@.bss.........`...........................edata.......p.......2..............@..@.idata...............:..............@....reloc...............<..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):1848064
                                              Entropy (8bit):7.9914250784592245
                                              Encrypted:true
                                              SSDEEP:49152:hSWaDZti/jOiGYkHW2VQ8HXibJ8CVjeHGB:QWa1ti/KR2h8CEW
                                              MD5:1F88A27A865B8E6C69CCA354B9B68445
                                              SHA1:313A3547382C192DB10EC314A2030C706B9E734C
                                              SHA-256:DEA8CA52EBCFFC6962DE7B65F39392BDF806DB56563CE6A7941EE1E04C00B0BD
                                              SHA-512:F0B44AA925958E6F4413775C86DF4B5304601F8C65878A41FECD1FFEBE7504EA15E9E4AA4BE8F051EEDF76319E765A261B364B20F35B47CF3AC3C79FD2957B0E
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 62%
                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......T.................$C..................@C...@..........................`].....0............@..........................|.X.D.....S.......................................................X...............................................................B.........................@.................B..2..................@............@...@C.....................@.................D.....................@............`... M..J..................@.................M.....................@.................M.....................@.................M.....................@............P....M.....................@....rsrc.........S.....................@....data....@....X..<..................@....adata.......P].....................@...................
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):73783
                                              Entropy (8bit):5.5930170320396355
                                              Encrypted:false
                                              SSDEEP:1536:6TNNA1f3D3JfzvQUzFz/ebA/nToIfjIOlIO+MeO:6UD3xzVzFjeuTBfFv+MeO
                                              MD5:99E402544E67C8B57BE64CAC89760F3F
                                              SHA1:67A0BF698C3A58F4B1A6E1F4C11165D494017BEF
                                              SHA-256:91CA3A9D557EA54BB7283C3DF0772F856F53F825C67AF22C59B973C31431C530
                                              SHA-512:F950D4030D541FD2767544883CDB8D10C01B4C34F85C318A020BD9BBFB5C4E15A2B1DC6EF5E0095F7C397EF798DB9A8F7B3B9CF9FBCC9F80C6766D1CAC989E1B
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i..Z...Z...Z......X.......[...5..._...5...Y...Z...L....+..V.......[....(..[...RichZ...........................PE..L......E...........!................:........................................ ..........................................]... ...<...................................`...................................................X............................text............................... ..`.rdata...D.......P..................@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):696064
                                              Entropy (8bit):4.562266096083011
                                              Encrypted:false
                                              SSDEEP:6144:Ueyz3C7heuffqf6CANY/ja9DzNTxZKjJ1Btm0v2CfU+nlm/pBZBRM+6p+m:NheuffsiY/GyiCfU+nE/3yN
                                              MD5:5C601EEA1F8C0013F207CA53EB2E4166
                                              SHA1:4AEC386FAB7515FAC4ED523E2A92D0205E213691
                                              SHA-256:8AFB2EC5A4168F8782D5F54D282CFE1D41E91619C8BDEFEC8613747235CF84BC
                                              SHA-512:86769ABEA91A7B03E9B1B8982675A8B9804051A5127BD0F0A8C6EEF24510D17EF43D23A1D4A95E939758B5133E70F1268E3FEE88568D666F52CB69F8EEA008D2
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 45%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&..b...b...b...ER..f...ER..f...Rm.O...Rl.....Ro.k...k.%.c...k.1.s...b.......zm.s....zh.c....zk.c...b.5.c....zn.c...Richb...................PE..d...-..T.........." ................d ...............................................^....`............................................................. ....`..l-..................................................P...p...........0...P............................text...'........................... ..`.rdata..............................@..@.data...........~..................@....pdata...3...`...4..................@..@.idata...!......."...F..............@....rsrc... ............h..............@..@.reloc...............p..............@..B........................................................................................................................................................................................
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:PEM certificate
                                              Category:dropped
                                              Size (bytes):1570
                                              Entropy (8bit):5.88877406553654
                                              Encrypted:false
                                              SSDEEP:48:LrQgD1RE7dXrI+TsGyxMGRIDBfaqgxR6TgQg:LrBhRE7Vzy8fLgy1g
                                              MD5:50BDA2ED4D02DBD625FA425A3FCDEB44
                                              SHA1:434A39F59FC5207543227A6B2A215570BF2D5809
                                              SHA-256:1E00A7F619A596AC9C2DE6614297A2477D15D34E255BCF947150991C24EEE0A8
                                              SHA-512:6974F9D05E42EE4856FCD7617CE1C5459C396E903BAF2B7E5135A9C26446AC0B7284E4D1464AD35DE7546B67C19C852F0EAB546CCECBF0B89E2A3DB89B7DE703
                                              Malicious:false
                                              Preview:-----BEGIN CERTIFICATE-----..MIIESDCCAzCgAwIBAgIJAJNdu/QfCMXrMA0GCSqGSIb3DQEBBQUAMHUxCzAJBgNV..BAYTAlVTMQswCQYDVQQIEwJWQTETMBEGA1UEBxMKQWxleGFuZHJpYTESMBAGA1UE..ChMJUmVmb2cgSW5jMQ4wDAYDVQQDEwVSZWZvZzEgMB4GCSqGSIb3DQEJARYRc3Vw..cG9ydEByZWZvZy5jb20wHhcNMTAxMDI1MDY0NTUzWhcNMjAxMDIyMDY0NTUzWjB1..MQswCQYDVQQGEwJVUzELMAkGA1UECBMCVkExEzARBgNVBAcTCkFsZXhhbmRyaWEx..EjAQBgNVBAoTCVJlZm9nIEluYzEOMAwGA1UEAxMFUmVmb2cxIDAeBgkqhkiG9w0B..CQEWEXN1cHBvcnRAcmVmb2cuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB..CgKCAQEA6lQxNZ07MoOeC8Dkra2Zf9iNWnx2CwDpgfGrGOgbz+x94vEXZFmTMcxy..Y7NFgjHy5DBFcLEzVBc0LnwdRUt7KRNYdxHXIpaLveqe+vFG8eCUhOiUzPNjg5pg..G6lYCBAQPztz4CtiPktQbWGyFnxJMwwtazjG7xgbZOXI7UOCBkVrt4yQXAcg6Bvv..aRfS1EFmG/q51TYgqhmKM7H6tMUwwK1ChZOXgd+a5l0mMj7Ql1YGIlmk3SpZDJyB..1jRdY5ywiA5JL1EN8rpC2Poc08D2ET88eeGel1TolcS+QWCbgWELw8A8Weh2zYKZ..HJEVqq5fK1XGyQA1AhBJCAa2Uy1kAwIDAQABo4HaMIHXMB0GA1UdDgQWBBS4qC8I..EltnmHh2BRy/ylRl3qin/jCBpwYDVR0jBIGfMIGcgBS4qC8IEltnmHh2BRy/ylRl..3qin/qF5pHcwdTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlZ
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                              Category:dropped
                                              Size (bytes):24576
                                              Entropy (8bit):6.097513538868524
                                              Encrypted:false
                                              SSDEEP:384:TxUeOg43wV5Cqu7S4doKlc+LjRHeAU8mDagMSHY2bvHlqwbLl:Mg4W5CqG9oKlc+XxmDaJSbvHlqw
                                              MD5:5275F0437F319FCB0F396D40661D484C
                                              SHA1:6D98740F53C92D3650DD4CEC17E7ACA2C0E285C5
                                              SHA-256:01B3443E049B5E642A994F1549A99D3B64A3E41B75FA7062DDDF7E19BC9AA7C1
                                              SHA-512:968AA18FCFB51CC542714AED111585E2D7F42AB976ED3964F68A983401FD95FFE7592573FFA792E01138D6D8F918E4DE6F8C1BC45E2E01C7E46921B706926ADA
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....}?E...........#...8.J...\...............`....Ho.................................A........ .........................\............................................................................................................................text...dH.......J..................`..`.data...0....`.......N..............@....rdata.......p.......P..............@..@.bss.....................................edata..\............R..............@..@.idata...............V..............@....reloc...............^..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):600868
                                              Entropy (8bit):6.494077241753678
                                              Encrypted:false
                                              SSDEEP:12288:Sl3jNMFx7sFGtojgKNLe8GQ9g2CKyw3WUbgvKnjAcHoU:SlZU7sFGtOgKNLedQxAibnfHoU
                                              MD5:2C7B219CD45E962C49B1834083C75183
                                              SHA1:053BBBFA1250BAADD702CA3A9823552E1ED13D4D
                                              SHA-256:D1CBB5835A4B94417501F59F179A235A02F1D64ED780FA51B5D6A39A5F565C59
                                              SHA-512:132B518289358124329B3523CE561DFC23A2445D8360835F65303E11D774341B6996A29BFF8D649806A1AE579C071761BC6FB19A70C677FF68085BD6BE81DCF1
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....mP...........!.....@...B......X........P.....`................................A......... ...................... ..<....@...............................p...$...........................`.......................A..d............................text....>.......@..................`.0`.data...<....P.......F..............@.0..rdata..t....`.......V..............@.@@.bss..................................@..edata..<.... ......................@.0@.idata.......@......................@.0..CRT.........P......................@.0..tls.... ....`....... ..............@.0..reloc...$...p...&..."..............@.0B/4......`............H..............@.@B/19..................J..............@..B/35.....M............N..............@..B/51......C.......D...V..............@..B/63.......... ......................@..B/77..........0......................@..B/89..........@..........
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):29
                                              Entropy (8bit):4.21126073643228
                                              Encrypted:false
                                              SSDEEP:3:Mz2KpWYrAXDyn:fGIDy
                                              MD5:82B80F9814765D2D613754DBA009715C
                                              SHA1:A15301821214B8DED9FD43BF124DAE509F2E51D5
                                              SHA-256:E6E979A873ED54A1DF6A33C09997D57A98BB994776F1DEB68EEE47E78D6EBA07
                                              SHA-512:24708FA14DF8518CDA8A92BF8D07DC63A69E9897A356696EFF3BCBD8FDAF7962D48AB40F07EDFEE45E3F93F3497294D0F057BFAC9D73DED894D8C3E5D300BA95
                                              Malicious:false
                                              Preview:[MyVersion]..Value=NetTrial..
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):79616
                                              Entropy (8bit):5.538620798160883
                                              Encrypted:false
                                              SSDEEP:1536:+6T4xQ1x132X9ba2EDww/VJdVKN8G8sWhmqsd4WlWTLyfYHh:rTwQ1xJ2X9bTEDwwdRgz4WALn
                                              MD5:4F4CC7256A1D6B7E8782CDEDDA4279EF
                                              SHA1:2BAB6C2877C0EA259FE42A7429930E5DB90432EF
                                              SHA-256:F35958CDF631ECEBF6E850C8485F8B18E9BFD2EC060C4AEB7C378ACBA694AE8B
                                              SHA-512:B7D58030CCBE928B5C8D3698D45C9E3691C04CA284FCC13D6C6F09724467163BE9569471DAFCC932D567FA077ABCAA087ACBCE52E7DFD986690730510E3F179C
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 45%
                                               Preview:
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):333056
                                              Entropy (8bit):4.260070328190628
                                              Encrypted:false
                                              SSDEEP:3072:FsqQ2Sv1itXCgDrr45t/oPkekfCMvJMdKmJk82y:Fu2Svozv45erkliBJkRy
                                              MD5:70223C7999C6847DD78239415E6185B3
                                              SHA1:E3B692BF56661F91436E8711E6E3762A3CD24571
                                              SHA-256:80001E9B4054E26B7F9DC01DEC4AD28DD15806430F52F095E9833EE7CBBAB4DF
                                              SHA-512:DE6D235B3F4074729CEFDD4D05F39A2C82563C04A949AF393DCB5E6916793FCA2FD6CC3B336C17206F9038FD4528E0C8CF2601539C1ED0F353F22C956AE637E1
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 65%
                                               Preview:
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):629504
                                              Entropy (8bit):4.886934785875236
                                              Encrypted:false
                                              SSDEEP:6144:elEenOB3t7nPQBgyD7IjOHKEZa7Y1qqZbUn3JxDxqTJNOI:93t7ZyD7iOHKEZF1xZbc3EOI
                                              MD5:CCCC6EE4E855BB19581AB7CB61A86055
                                              SHA1:D67E92E3AD3B7AF42FBEAB2A98647B3894B4658A
                                              SHA-256:B21437682A17616CEE9BDC7034A3FE45679AFC69A810BB9FFAAFB6B4BDFDBAAB
                                              SHA-512:9709F878CE2D1F2F80BC26D5D03C18C0072821750A1FCF6FE1C1C115073E4277F2B6759FF83E8FC2A967A3C260E7AEBE1BF3E9B3043C75C768A4804DB6054D91
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 53%
                                               Preview:
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):274432
                                              Entropy (8bit):6.427766656548579
                                              Encrypted:false
                                              SSDEEP:6144:JWXcqYW1jPqoSvWn5ytmZlOWegx8Wf22r8c4zQmrGl60ulz/Y+x89hQkBu2lre+z:JcYW17qoSvWnctmZlOZguWf2s8c4zQmK
                                              MD5:39068A91D3CFA868182AD8C4FE8CE12C
                                              SHA1:C1BC62EAE8C597C13AD458551414352EA03AF217
                                              SHA-256:0269ADA04B83DB3F2A5425BE2C1B0CF32BE682EA9AF0EE915F2D46E8059C4B4E
                                              SHA-512:EB406486A54389F2339C5209E830CA7488657146AF1D9DA3D532D238EFB45C2E4F8B830C2BDDE1D9E6C754086C572F99AD1EC79AF1E70AC85D664935FAC6223E
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                               Preview:
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):1499392
                                              Entropy (8bit):6.499259379210101
                                              Encrypted:false
                                              SSDEEP:24576:+YkHGqHO6pTADZVmH28IcBOSteCjRdNakuxHgb26nhr/xJ/r92OFvprq+:+LHxdQZQocISvRDxJ/r92oprq+
                                              MD5:20BC08D7652B652811DF5F403C9C6DFA
                                              SHA1:2DAF670A0909F40738849F1420A28E2ECC499C43
                                              SHA-256:DCD6A7649342DEA92532F866BA85E545974F05E9D2F5D70DC7CFD66CBB50A3E5
                                              SHA-512:F4720499EF89331E34EDCD3516376C25CA3E83C457B87C313D7A2826A4C30EB956E4563A9290C62A0A274272F8D65041D3D4FBDB7CCF07228ADF1A994341A643
                                              Malicious:true
                                              Yara Hits:
                                              • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\MPK\is-URL53.tmp, Author: Joe Security
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 40%
                                               Preview:
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):1179648
                                              Entropy (8bit):6.81374307872326
                                              Encrypted:false
                                              SSDEEP:24576:vMBQN+KpPoWxSkU6kzi9FObe+bDCvNpjvvj0poSZHMfHde:D9ntae+bDCvNxvj0poUMfHde
                                              MD5:8B043541FBB07831C731566DBC1175A9
                                              SHA1:3B8DCB6FDC48DBFDEC789BF8A7182487181D3AED
                                              SHA-256:08409174C3FFF9EB2D06F37802C7AD71C3B1C06A6FAF917AF9AB83A1BB7624D7
                                              SHA-512:E1F342DD39E2C7098DBADE5DFE8FAC1A2C2D030710A220792699CAA2F4900D34E50DAF9384414F3DE8B5210CB88BBA07CDD44A9D0407D813C14CA395F3781962
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 2%
                                               Preview:
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):1561344
                                              Entropy (8bit):6.486982389571691
                                              Encrypted:false
                                              SSDEEP:24576:qa3gEom5UYKRL1Rbggj1eVFBAS5lAvSciLyoMfO2EQ2G3FoUxW/Sk8oUEARW0NPV:qo5HKRfjGFCS3w3FzxW/SPoXsWMPwe
                                              MD5:1A902E39120A8CCAA56163B91601E63A
                                              SHA1:42E92AE948D8EC97005FC474C815B2C3EA0D5688
                                              SHA-256:321DB63396B88771EAEEB15B361FB533096ADDF122E709D84FEB089EE46DDBF9
                                              SHA-512:ABB774E547D506E6CD6D95B7111A4B7A50F9A20429D556DD8644F6B0740AB32BF8AB10C5A0A2CF294C6CB2DBFDB4F2B377A46848F4AFD05F6E2DF5C9902BA71B
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 45%
                                               Preview:
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):9359
                                              Entropy (8bit):5.0596151713658815
                                              Encrypted:false
                                              SSDEEP:96:Kd7K+ikYvqp++7it7nXr6N2WxJhr/lZpySLlpnZelwJlcZdldO:crS+7o7uJ6O
                                              MD5:6870A4C488A0D93BB2C124A88C16DB09
                                              SHA1:04D3966F25049D2E7765914C26BBA8F0F1804F58
                                              SHA-256:D76E627E7F11D8C40704BE88BB1A7F8DEA778BF5ABECEBDB1999E29C35EF665E
                                              SHA-512:80FE38F0C17729495539502306F441609DC0D782D5F721618DFB3BC9E38513A9DCF03307EF680325F8507BCD270DFAFD13E614C0563DC1B687225C7FCB753220
                                              Malicious:false
                                              Preview:.2024-10-31 17:10:15.211 Log opened. (Time zone: UTC-04:00)..2024-10-31 17:10:15.211 Setup version: Inno Setup version 5.5.5 (u)..2024-10-31 17:10:15.211 Original Setup EXE: C:\ProgramData\MPK\mpk_emni_mpk.exe..2024-10-31 17:10:15.211 Setup command line: /SL5="$3049C,4852295,119296,C:\ProgramData\MPK\mpk_emni_mpk.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SDIR "C:\Users\user\Desktop\" /LOG="C:\ProgramData\MPK\mpk_em_log.txt"..2024-10-31 17:10:15.211 Windows version: 6.3.9600 (NT platform: Yes)..2024-10-31 17:10:15.211 64-bit Windows: Yes..2024-10-31 17:10:15.211 Processor architecture: x64..2024-10-31 17:10:15.211 User privileges: Administrative..2024-10-31 17:10:15.227 64-bit install mode: Yes..2024-10-31 17:10:15.258 Created temporary directory: C:\Users\user\AppData\Local\Temp\is-TDMRE.tmp..2024-10-31 17:10:15.352 MsiSourceDir: C:\Users\user\Desktop\..2024-10-31 17:10:16.789 Starting the installation process...2024-10-31 17:10:16.805 Setting pe
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):5283576
                                              Entropy (8bit):7.993505483500863
                                              Encrypted:true
                                              SSDEEP:98304:AuV6aAZbtixCzn8cF8sl2BahFXXTNp9YTAtJBTNONA:zV6ashiSn8m8s5hFXXTJLJpX
                                              MD5:E67464707F7D14131BEDE9DB845A6A0A
                                              SHA1:CBC9A7F4D1F71EEC44C4141FE6A778765C1C4EA8
                                              SHA-256:4400A5B51971786396302AE21A0A4BA9BB55B787977E5D7BD363AF8D67F5DC1E
                                              SHA-512:3237678854EB1D00A2E0FFD83A0CDB8F41620C25F842F5C12DCF5DBF7073C143E0FE3A8B283FDD28B41571D5D0215268FC84B946CC3A344300427A63D9AAF213
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 52%
                                               Preview:
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                              Category:dropped
                                              Size (bytes):15872
                                              Entropy (8bit):6.043943242879702
                                              Encrypted:false
                                              SSDEEP:192:PJCQIHVlG655ksUBfPxW0gtsiZVu9OoQk6qS7lGidz78oVh7xXh2Kn1U0SC:PCz55ksUTW0vyVu9r6TQif5xRz6
                                              MD5:82BF92B15339F0DB75552B15DD1D1573
                                              SHA1:E80099B882E17AEE846BD6D28914F13561148E6E
                                              SHA-256:2B2A426D6691998755C42A108EB1A9AFD3F33DC3F1081FB63C31C15AC8A405E0
                                              SHA-512:D80A60A1AB6F257257E4ACB4439E73B1D46B8C8B27AB1C2900A389C13425D8C74D222D2706058EE3F06A8F3EA3B13F65A5BA61BA5C7BA88AA24DA64C791238F2
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                               Preview:
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):600868
                                              Entropy (8bit):6.494077241753678
                                              Encrypted:false
                                              SSDEEP:12288:Sl3jNMFx7sFGtojgKNLe8GQ9g2CKyw3WUbgvKnjAcHoU:SlZU7sFGtOgKNLedQxAibnfHoU
                                              MD5:2C7B219CD45E962C49B1834083C75183
                                              SHA1:053BBBFA1250BAADD702CA3A9823552E1ED13D4D
                                              SHA-256:D1CBB5835A4B94417501F59F179A235A02F1D64ED780FA51B5D6A39A5F565C59
                                              SHA-512:132B518289358124329B3523CE561DFC23A2445D8360835F65303E11D774341B6996A29BFF8D649806A1AE579C071761BC6FB19A70C677FF68085BD6BE81DCF1
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                               Preview:
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):274432
                                              Entropy (8bit):6.427766656548579
                                              Encrypted:false
                                              SSDEEP:6144:JWXcqYW1jPqoSvWn5ytmZlOWegx8Wf22r8c4zQmrGl60ulz/Y+x89hQkBu2lre+z:JcYW17qoSvWnctmZlOZguWf2s8c4zQmK
                                              MD5:39068A91D3CFA868182AD8C4FE8CE12C
                                              SHA1:C1BC62EAE8C597C13AD458551414352EA03AF217
                                              SHA-256:0269ADA04B83DB3F2A5425BE2C1B0CF32BE682EA9AF0EE915F2D46E8059C4B4E
                                              SHA-512:EB406486A54389F2339C5209E830CA7488657146AF1D9DA3D532D238EFB45C2E4F8B830C2BDDE1D9E6C754086C572F99AD1EC79AF1E70AC85D664935FAC6223E
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                               Preview:
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):29
                                              Entropy (8bit):4.21126073643228
                                              Encrypted:false
                                              SSDEEP:3:Mz2KpWYrAXDyn:fGIDy
                                              MD5:82B80F9814765D2D613754DBA009715C
                                              SHA1:A15301821214B8DED9FD43BF124DAE509F2E51D5
                                              SHA-256:E6E979A873ED54A1DF6A33C09997D57A98BB994776F1DEB68EEE47E78D6EBA07
                                              SHA-512:24708FA14DF8518CDA8A92BF8D07DC63A69E9897A356696EFF3BCBD8FDAF7962D48AB40F07EDFEE45E3F93F3497294D0F057BFAC9D73DED894D8C3E5D300BA95
                                              Malicious:false
                                              Preview:[MyVersion]..Value=NetTrial..
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:InnoSetup Log 64-bit Employee Monitor, version 0x418, 36285 bytes, 783875\37\SYSTEM\37, C:\ProgramData\MPK\376\377\377\007 \0
                                              Category:dropped
                                              Size (bytes):36285
                                              Entropy (8bit):4.417772789796529
                                              Encrypted:false
                                              SSDEEP:384:jQqhpAx46Tcn9MvqglOODbKK2EBiVZAXD5hfLgUlBnLOUC3nQkXSD+Bjcn/6euCj:jQd46TcXKD+BA/6ejK2Xol9jk3
                                              MD5:83273B2C75D88CB6D8CC3601C4509505
                                              SHA1:E3ADDBDB729A8A1D044B846CF513FC0BC465310C
                                              SHA-256:877743215CB09DD59EB493A488F16DBDED770E19E1D3E093B3E16EE205950966
                                              SHA-512:3D59765EE7B69FDA0E11B76A1188DA976B096231FE1B79DAAF19DEFE3BC683D0AE6C9E1FD033FE7DB31D7AA37446782994B0F456A5D683ABC62D3613EA3CA157
                                              Malicious:false
                                              Preview:Inno Setup Uninstall Log (b) 64-bit.............................CC40ED25-0373-4738-ACE2-010FD31A20A4............................................................................................Employee Monitor............................................................................................................................%............................................................................................................................b.5......a........7.8.3.8.7.5......S.Y.S.T.E.M......C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.P.K....................... .............IFPS....+...]...........................................................................................................................................................BOOLEAN..............TEXECWAIT.........TSTRINGLIST....TSTRINGLIST.....................TFILETIME.................................................TFINDREC.............!OPENARRAYOFCONST...............................................#.......TGUID........
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):1178880
                                              Entropy (8bit):6.409651886038298
                                              Encrypted:false
                                              SSDEEP:24576:J1VqyG3T/+ofiDIZE2kChYYmpY9a2nWEdEC6GnJJ3G7vxyxG:TQdhZgEN6GnJYb
                                              MD5:5ABA2917CE54882DFFA1635380313097
                                              SHA1:616D89410D1FF04B7D17E8EA65ADBF716A85D8E7
                                              SHA-256:6F3A8D6237EA49ECCA6A1CC979090FEF4F0FD96A42F09334D990C40875AC0045
                                              SHA-512:16F7CDF19802C53EBDDD76C8B1DAA876C58ED8AF9E67082199FC6ED5AA1179DA4AA12EF7207B2C1D0B6D7BC849ED2EA14430C396B20C967699F4D80948A6FB62
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 24%
                                              Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......S..........................................@..............................................@...............................7..................................................................................t................................text............................... ..`.itext.. ........................... ..`.data...80.......2..................@....bss.....a...@...........................idata...7.......8..................@....tls....<............R...................rdata...............R..............@..@.rsrc................T..............@..@....................................@..@........................................................................................................................................
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:InnoSetup messages, version 5.5.3, 221 messages (UTF-16), &\036 ?@>3@0<<5...
                                              Category:dropped
                                              Size (bytes):24019
                                              Entropy (8bit):4.039586018574892
                                              Encrypted:false
                                              SSDEEP:192:QHt1Nsp47I7QchuW15U7f8l0nemL5lm1S4wIqhHh9lQtlyIq+SOqyNqwkrTRoCUi:QN1Nsp8b6KPntwdwzBHQSOq1dhecR5
                                              MD5:55977FF14B7755F6CB73867223818C3C
                                              SHA1:9FA757B514943431E5C44EAA4815ED027F9632CB
                                              SHA-256:1F958F5F1DFA7597719532F1193D872E8C5493C7F7B9D266D4C816391D27D7A3
                                              SHA-512:B2220D3FC50E52D98917CFDFD9249C2088D623E3CD7F312D2E2A8CBECF8AF4543685F1CEE5C3A8267FD30565EBC2370D7B47C640A594CF51E5EB4EEC6D616232
                                              Malicious:false
                                              Preview:Inno Setup Messages (5.5.3) (u)......................................]..y....2.=&... .?.@.>.3.@.0.<.<.5.........%.1.,. .2.5.@.A.8.O. .%.2.....%.3.........!.0.9.B. .%.1.:.....%.4....... .?.@.>.3.@.0.<.<.5...'.B.>.1.K. .C.A.B.0.=.>.2.8.B.L. .4.0.=.=.C.N. .?.@.>.3.@.0.<.<.C.,. ...K. .4.>.;.6.=.K. .2.K.?.>.;.=.8.B.L. .2.E.>.4. .2. .A.8.A.B.5.<.C. .:.0.:. ...4.<.8.=.8.A.B.@.0.B.>.@.....T.h.e. .f.o.l.l.o.w.i.n.g. .a.p.p.l.i.c.a.t.i.o.n.s. .a.r.e. .u.s.i.n.g. .f.i.l.e.s. .t.h.a.t. .n.e.e.d. .t.o. .b.e. .u.p.d.a.t.e.d. .b.y. .S.e.t.u.p... .I.t. .i.s. .r.e.c.o.m.m.e.n.d.e.d. .t.h.a.t. .y.o.u. .a.l.l.o.w. .S.e.t.u.p. .t.o. .a.u.t.o.m.a.t.i.c.a.l.l.y. .c.l.o.s.e. .t.h.e.s.e. .a.p.p.l.i.c.a.t.i.o.n.s.....T.h.e. .f.o.l.l.o.w.i.n.g. .a.p.p.l.i.c.a.t.i.o.n.s. .a.r.e. .u.s.i.n.g. .f.i.l.e.s. .t.h.a.t. .n.e.e.d. .t.o. .b.e. .u.p.d.a.t.e.d. .b.y. .S.e.t.u.p... .I.t. .i.s. .r.e.c.o.m.m.e.n.d.e.d. .t.h.a.t. .y.o.u. .a.l.l.o.w. .S.e.t.u.p. .t.o. .a.u.t.o.m.a.t.i.c.a.l.l.y. .c.l.o.s.e. .t.h.e.s.e. .a.p.p.l.
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                              Category:dropped
                                              Size (bytes):1011200
                                              Entropy (8bit):1.5301191700885959
                                              Encrypted:false
                                              SSDEEP:768:uZCopPpPMKfwW+nAEF2xxDvgFwLDbSkRcbceITgkzokrkkkl0gJukgfkkkgrkhyl:i7GfbQP1UL7JxmrNdFFl
                                              MD5:6DE80C4A49E3688C26ABC6AB788FD4D4
                                              SHA1:4D1D52CA9CFDEF96B5C4907CEF07A82CF29E1697
                                              SHA-256:BC93208756401ECC4DE27AA3082C79425EF7491FC771CB2BDC0B7FBE9831E5E9
                                              SHA-512:06D57808C9784CB08835CBB90ECFDDF4F7B0794E916BEFA5A9DCE77BB0E2557E7C09FCD7C1E02D3F0168154604187C3005AA448968F764F2E1F0003DDB80873C
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....}?E...........#...8.*...j...*...........@....8b.................................}........ ..................................................................$...................................................................................text....(.......*..................`..`.data...P....@......................@....rdata.......`.......B..............@..@.bss.....(...p...........................edata...............D..............@..@.idata...............F..............@....reloc...$.......&...H..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                              Category:dropped
                                              Size (bytes):24576
                                              Entropy (8bit):6.097513538868524
                                              Encrypted:false
                                              SSDEEP:384:TxUeOg43wV5Cqu7S4doKlc+LjRHeAU8mDagMSHY2bvHlqwbLl:Mg4W5CqG9oKlc+XxmDaJSbvHlqw
                                              MD5:5275F0437F319FCB0F396D40661D484C
                                              SHA1:6D98740F53C92D3650DD4CEC17E7ACA2C0E285C5
                                              SHA-256:01B3443E049B5E642A994F1549A99D3B64A3E41B75FA7062DDDF7E19BC9AA7C1
                                              SHA-512:968AA18FCFB51CC542714AED111585E2D7F42AB976ED3964F68A983401FD95FFE7592573FFA792E01138D6D8F918E4DE6F8C1BC45E2E01C7E46921B706926ADA
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....}?E...........#...8.J...\...............`....Ho.................................A........ .........................\............................................................................................................................text...dH.......J..................`..`.data...0....`.......N..............@....rdata.......p.......P..............@..@.bss.....................................edata..\............R..............@..@.idata...............V..............@....reloc...............^..............@..B........................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):73783
                                              Entropy (8bit):5.5930170320396355
                                              Encrypted:false
                                              SSDEEP:1536:6TNNA1f3D3JfzvQUzFz/ebA/nToIfjIOlIO+MeO:6UD3xzVzFjeuTBfFv+MeO
                                              MD5:99E402544E67C8B57BE64CAC89760F3F
                                              SHA1:67A0BF698C3A58F4B1A6E1F4C11165D494017BEF
                                              SHA-256:91CA3A9D557EA54BB7283C3DF0772F856F53F825C67AF22C59B973C31431C530
                                              SHA-512:F950D4030D541FD2767544883CDB8D10C01B4C34F85C318A020BD9BBFB5C4E15A2B1DC6EF5E0095F7C397EF798DB9A8F7B3B9CF9FBCC9F80C6766D1CAC989E1B
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i..Z...Z...Z......X.......[...5..._...5...Y...Z...L....+..V.......[....(..[...RichZ...........................PE..L......E...........!................:........................................ ..........................................]... ...<...................................`...................................................X............................text............................... ..`.rdata...D.......P..................@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................
                                              Process:C:\ProgramData\MPK\mpk_emni_mpk.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):1178880
                                              Entropy (8bit):6.409651886038298
                                              Encrypted:false
                                              SSDEEP:24576:J1VqyG3T/+ofiDIZE2kChYYmpY9a2nWEdEC6GnJJ3G7vxyxG:TQdhZgEN6GnJYb
                                              MD5:5ABA2917CE54882DFFA1635380313097
                                              SHA1:616D89410D1FF04B7D17E8EA65ADBF716A85D8E7
                                              SHA-256:6F3A8D6237EA49ECCA6A1CC979090FEF4F0FD96A42F09334D990C40875AC0045
                                              SHA-512:16F7CDF19802C53EBDDD76C8B1DAA876C58ED8AF9E67082199FC6ED5AA1179DA4AA12EF7207B2C1D0B6D7BC849ED2EA14430C396B20C967699F4D80948A6FB62
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 24%
                                              Preview:MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......S..........................................@..............................................@...............................7..................................................................................t................................text............................... ..`.itext.. ........................... ..`.data...80.......2..................@....bss.....a...@...........................idata...7.......8..................@....tls....<............R...................rdata...............R..............@..@.rsrc................T..............@..@....................................@..@........................................................................................................................................
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):13312
                                              Entropy (8bit):5.745960477552938
                                              Encrypted:false
                                              SSDEEP:384:BXvhMwoSitz/bjx7yxnbdn+EHvbsHoOODCg:BZ7FEAbd+EDsIO
                                              MD5:A813D18268AFFD4763DDE940246DC7E5
                                              SHA1:C7366E1FD925C17CC6068001BD38EAEF5B42852F
                                              SHA-256:E19781AABE466DD8779CB9C8FA41BBB73375447066BB34E876CF388A6ED63C64
                                              SHA-512:B310ED4CD2E94381C00A6A370FCB7CC867EBE425D705B69CAAAAFFDAFBAB91F72D357966916053E72E68ECF712F2AF7585500C58BB53EC3E1D539179FCB45FB4
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........I...(...(...(..n ..(...(...(...$..(...$..(...$..(..Rich.(..................PE..L......B...........!..... ..........p........0....P..........................P.......................................;.......;..(............................@.......0...............................................0...............................text............ .................. ..`.rdata.......0.......$..............@..@.reloc.......@.......2..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                              Category:dropped
                                              Size (bytes):6144
                                              Entropy (8bit):4.363359036723334
                                              Encrypted:false
                                              SSDEEP:48:SvrzfWvPcXegCPUo1vlZQrAxoONfHFZONfH3d1xCWMBFNL2piSS4k+bkg6j0KHc:+fkcXegaJ/ZAYNzcld1xaX12pTSKvkc
                                              MD5:526426126AE5D326D0A24706C77D8C5C
                                              SHA1:68BAEC323767C122F74A269D3AA6D49EB26903DB
                                              SHA-256:B20A8D88C550981137ED831F2015F5F11517AEB649C29642D9D61DEA5EBC37D1
                                              SHA-512:A2D824FB08BF0B2B2CC0B5E4AF8B13D5BC752EA0D195C6D40FD72AEC05360A3569EADE1749BDAC81CFB075112D0D3CD030D40F629DAF7ABCC243F9D8DCA8BFBE
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`..............................................................<!.......P.......@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc........P......................@..@................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                              Category:dropped
                                              Size (bytes):23312
                                              Entropy (8bit):4.596242908851566
                                              Encrypted:false
                                              SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                              MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                              SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                              SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                              SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: MPK_EM, Author: Mipko, Keywords: Installer, Comments: This installer database contains the logic and data required to install MPK_EM., Template: Intel;1033, Revision Number: {13B3FD70-0ECC-42BA-8BCE-4711A2312FB6}, Create Time/Date: Wed Feb 18 13:48:52 2015, Last Saved Time/Date: Wed Feb 18 13:48:52 2015, Number of Pages: 300, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.7.1224.0), Security: 2
                                              Category:dropped
                                              Size (bytes):5255168
                                              Entropy (8bit):7.9965012572516505
                                              Encrypted:true
                                              SSDEEP:98304:Bzo9xMVVnii6a2A125eRsbcTP1o1y7klqJ1p9cOSJci3IOI:xo9xUhiBAI5eyob1o1ywwJBaJcA
                                              MD5:F2F3A908A18EF6B45B50E1105326B833
                                              SHA1:D01C20894CFF8EFA96E3394FCB54A8F4CEA0F764
                                              SHA-256:EF896DF89C6088517C117552424E932D590EBD483DECC3C9F444A18CE88179FD
                                              SHA-512:99749B7C3AA1EE2DA0A63BE57027BE364E513792D1B048D95A22C97ED4FE031D6ECE28B5C417171E49CB9A63880B570B0F34358A19AC28C3B67C1AB1ECCAF9F7
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: MPK_EM, Author: Mipko, Keywords: Installer, Comments: This installer database contains the logic and data required to install MPK_EM., Template: Intel;1033, Revision Number: {13B3FD70-0ECC-42BA-8BCE-4711A2312FB6}, Create Time/Date: Wed Feb 18 13:48:52 2015, Last Saved Time/Date: Wed Feb 18 13:48:52 2015, Number of Pages: 300, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.7.1224.0), Security: 2
                                              Category:dropped
                                              Size (bytes):5255168
                                              Entropy (8bit):7.9965012572516505
                                              Encrypted:true
                                              SSDEEP:98304:Bzo9xMVVnii6a2A125eRsbcTP1o1y7klqJ1p9cOSJci3IOI:xo9xUhiBAI5eyob1o1ywwJBaJcA
                                              MD5:F2F3A908A18EF6B45B50E1105326B833
                                              SHA1:D01C20894CFF8EFA96E3394FCB54A8F4CEA0F764
                                              SHA-256:EF896DF89C6088517C117552424E932D590EBD483DECC3C9F444A18CE88179FD
                                              SHA-512:99749B7C3AA1EE2DA0A63BE57027BE364E513792D1B048D95A22C97ED4FE031D6ECE28B5C417171E49CB9A63880B570B0F34358A19AC28C3B67C1AB1ECCAF9F7
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):2041
                                              Entropy (8bit):5.7468830592310445
                                              Encrypted:false
                                              SSDEEP:48:TGQ6a3Bb6pP3P1EvZeUjPnidEaEVltmQrlade2vto:TV5Z6pmewidEaEP7r88KO
                                              MD5:DB78D485FA5C377FFDF2E829187FCF7A
                                              SHA1:EB15A00CFB4928C7C12062DB92E53C6DB9C6E56F
                                              SHA-256:E08111814D70262ACD685A073EFCD0CFE0800390386DFBE406BB110E7792637F
                                              SHA-512:352847CB20E5B3BEDF4701BEF73E19F176C738D67BEF1E9D58371585DDD8AD1E451CA69D090EA5E4AF8EA881877BEE3569357DC37FFFB0A569580ABBE3936DA7
                                              Malicious:false
                                              Preview:...@IXOS.@.....@G._Y.@.....@.....@.....@.....@.....@......&.{9EBEE94E-B80E-4DDF-961B-A35BE6877C22}..MPK_EM..1944b321.msi.@.....@.....@.....@........&.{13B3FD70-0ECC-42BA-8BCE-4711A2312FB6}.....@.....@.....@.....@.......@.....@.....@.......@......MPK_EM......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{F9FFC604-2CE5-4252-B031-34223392D3E4}..C:\ProgramData\.@.......@.....@.....@......&.{2BE243B0-33A6-4A41-B727-70254936D3E0}#.C:\ProgramData\MPK\mpk_emni_mpk.exe.@.......@.....@.....@........CreateFolders..Creating folders..Folder: [1]"...C:\ProgramData\.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]...@..P..@.....@........C:\ProgramData\MPK\....1\MPK\......Please insert the disk: ..mipko_em.cab.@.....@......C:\Windows\Installer\4e7f65.msi.........@........ffuny7wq.exe|mpk_emni_mpk.exe..mpk_emni_mpk.exe..mpk_emni_mpk.exe.
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Composite Document File V2 Document, Cannot read section info
                                              Category:dropped
                                              Size (bytes):20480
                                              Entropy (8bit):1.1642939435942166
                                              Encrypted:false
                                              SSDEEP:12:JSbX72FjhQAGiLIlHVRpfh/7777777777777777777777777vDHFZostpwl0i8Q:JfQQI5bUEF
                                              MD5:294992128D559E93033E385DE21089FC
                                              SHA1:5EF417C0E8DBF566772CCC8CE190AFC06BCEA399
                                              SHA-256:653FCA8AA540F0F5B56740947BD4B31138EA2B055012A66326B9E01048F05D12
                                              SHA-512:8069B9E9F24A824CD8B37749C6C1D53C7BCFA9735E54165F16BD950D286D25E8FF0E0CCD01B2872259701FD40F7A91EE959CD4AC566DCFECB73410F1BB096BA3
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Composite Document File V2 Document, Cannot read section info
                                              Category:dropped
                                              Size (bytes):20480
                                              Entropy (8bit):1.4652481796855752
                                              Encrypted:false
                                              SSDEEP:48:9X8PhAuRc06WXJanT5OFqbS5hrlqbSIe0:UhA1RnTASr60
                                              MD5:DF28138C9CD1D4CDD3CD08B69D68ABD5
                                              SHA1:BA98FB259CFFAE7FD13CD4336B4612278F94CEF2
                                              SHA-256:2BC9F6A36309BB7F14BF9532AC6F37E4AB1AE89D50859ADCA18609F6C11437FE
                                              SHA-512:0C465B5BA4F0703F1BA251D88BDD9CD7D22EFD786EDA0252F370AD6DA5A814A7885EB2ECDEE28FBF0A8202FA1085297CC3AA0F334544822E62A4EDA9D170BBF6
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):364484
                                              Entropy (8bit):5.365488401892333
                                              Encrypted:false
                                              SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauC:zTtbmkExhMJCIpEN
                                              MD5:4EF82142C1C008261402D9FBD61B8FE7
                                              SHA1:3561F966BD91D6F3BF8F9B8E1C2DE85CBEE6CFE1
                                              SHA-256:0F2959F051255BD4020CAF46ED27B3A8E9CEA4B3265D2FDA9BB4FF56C4D82738
                                              SHA-512:AA14B54A14C2B1D71843C9A3943DC786A2B7CC27F64599039021C77B0A278590CE94A4172BC8387B0748EAA106F2B7BBF7136AE21A9E6777516544118D6FD45E
                                              Malicious:false
                                              Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                              Process:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):168784
                                              Entropy (8bit):5.933402254740505
                                              Encrypted:false
                                              SSDEEP:3072:EEuO7R/vB0fMN3N+mWiRM0w8TrwDbIYcFncs75hb9o:0ORSfML+mTRM0w4rwvPsV
                                              MD5:C2E248B330F247BC8E3EEF9596227CA6
                                              SHA1:02AA51BF8AE818B8DC41FEADE5499ABD5ADF4213
                                              SHA-256:8F77023A58FC99383AFCC3417F92512B504FEE1A92A3BCDD7362BE23C965C2FE
                                              SHA-512:9E8A3C76B15E566C9042125DBC017CA33D3CF7984A2019872FA145120627A75DD9496D00C66AE664B4104CEFC5AC62851383D069739C53E32605FD126494F0A6
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........ci..ci..ci.]1...ci.]1...ci..ch..bi.]1..ci.]1..ci......ci.]1.ci.]1.ci.Rich.ci.................PE..L....`.K............................6................................................#....@...... ..........................$...........Xr...........|..P............................................s..@......................@....................text............................... ..`.data...TA.......>..................@....rsrc...Xr.......t..................@..@.reloc...$.......&...V..............@..B........................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):512
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3::
                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):32768
                                              Entropy (8bit):0.07075141213311552
                                              Encrypted:false
                                              SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOqSnZodet4Vky6lw:2F0i8n0itFzDHFZoCw
                                              MD5:6D9F80A4360464D5A975B7B4460159B1
                                              SHA1:A6C9AC41629C46CC5932AD47BBEE0B8630C2E9B7
                                              SHA-256:5D582396F46AEE052C7735E7C11D28D09BCAADE1FF2E4BB61D152D81C2497BFA
                                              SHA-512:ABA5F90D751C83E5F462A832D65E9C0D53698F131FD5CD576084D6E35FE8F690FC64B80482FFC583E661000DBA9CA08881D834EACA4527BFE0E6AA2D22EBD801
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:data
                                              Category:modified
                                              Size (bytes):512
                                              Entropy (8bit):0.0
                                              Encrypted:false
                                              SSDEEP:3::
                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:Composite Document File V2 Document, Cannot read section info
                                              Category:dropped
                                              Size (bytes):32768
                                              Entropy (8bit):1.1808683807138078
                                              Encrypted:false
                                              SSDEEP:24:JIMhC3houx5iAipKP2xza2tzhAPZdagUMClXtd85qKt+skwVgbipV7VQwGklrkgE:OhouXNveFXJpT50FqbS5hrlqbSIe0
                                              MD5:EA2CA4D3DC515F16D39FA71716C6609A
                                              SHA1:0D958B162D70C99184238F4FF8490CC7E81045C7
                                              SHA-256:5826DB790A1594004EC4B07E6B43D568656E962F7A1C2163C548FE5F9A91C239
                                              SHA-512:8DE6CD9B52EB7C0FBB0631E5259C38F6F052C5C1FFF1662B6DDC13A0F15E22B702E0BD9AF84340DE8DD9BE307BF48087A57F55E6DF7FCF2BEBD84300516860FA
                                              Malicious:false
                                              Process:C:\Windows\System32\msiexec.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):69632
                                              Entropy (8bit):0.10350804523799162
                                              Encrypted:false
                                              SSDEEP:24:ZfxJpwVgbipVEwVgbipV7VQwGklrkgx+s6K:BxJ6qbSLqbS5hrx
                                              MD5:21FA18D53D3CAD398213FCB312E57D25
                                              SHA1:2F6E92FFCCE54A983A8AB44832ABA642E556790C
                                              SHA-256:FDDA532E03073E72C2CD1882116F38571571340160A7CB3BFC616A974CF06DD0
                                              SHA-512:89D999EDFE8A2D82CE1CC08F148C3282909FCF723006D509846B028804D54521498309A997AC68BD844623CE782DA92CB06395BE425B80282692DE7F5636A15A
                                              Malicious:false
                                              Process:C:\Windows\SysWOW64\netsh.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):7
                                              Entropy (8bit):2.2359263506290326
                                              Encrypted:false
                                              SSDEEP:3:t:t
                                              MD5:F1CA165C0DA831C9A17D08C4DECBD114
                                              SHA1:D750F8260312A40968458169B496C40DACC751CA
                                              SHA-256:ACCF036232D2570796BF0ABF71FFE342DC35E2F07B12041FE739D44A06F36AF8
                                              SHA-512:052FF09612F382505B049EF15D9FB83E46430B5EE4EEFB0F865CD1A3A50FDFA6FFF573E0EF940F26E955270502D5774187CD88B90CD53792AC1F6DFA37E4B646
                                              Malicious:false
                                              Preview:Ok.....
                                              File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: MPK_EM, Author: Mipko, Keywords: Installer, Comments: This installer database contains the logic and data required to install MPK_EM., Template: Intel;1033, Revision Number: {13B3FD70-0ECC-42BA-8BCE-4711A2312FB6}, Create Time/Date: Wed Feb 18 13:48:52 2015, Last Saved Time/Date: Wed Feb 18 13:48:52 2015, Number of Pages: 300, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.7.1224.0), Security: 2
                                              Entropy (8bit):7.9965012572516505
                                              TrID:
                                              • Microsoft Windows Installer (60509/1) 88.31%
                                              • Generic OLE2 / Multistream Compound File (8008/1) 11.69%
                                              File name:1944b321.msi
                                              File size:5'255'168 bytes
                                              MD5:f2f3a908a18ef6b45b50e1105326b833
                                              SHA1:d01c20894cff8efa96e3394fcb54a8f4cea0f764
                                              SHA256:ef896df89c6088517c117552424e932d590ebd483decc3c9f444a18ce88179fd
                                              SHA512:99749b7c3aa1ee2da0a63be57027be364e513792d1b048d95a22c97ed4fe031d6ece28b5c417171e49cb9a63880b570b0f34358a19ac28c3b67c1ab1eccaf9f7
                                              SSDEEP:98304:Bzo9xMVVnii6a2A125eRsbcTP1o1y7klqJ1p9cOSJci3IOI:xo9xUhiBAI5eyob1o1ywwJBaJcA
                                              TLSH:C7363399966CDB15CC454AF1AC924777082CBEC88700E64FFDAEFA52087AB8CF9745C1
                                              File Content Preview:........................>......................................................................................................................................................................................................................................
                                              Icon Hash:2d2e3797b32b2b99
                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Oct 31, 2024 22:10:28.929764986 CET | 53 | 51238 | 1.1.1.1 | 192.168.2.5

                                              Target ID:0
                                              Start time:17:10:12
                                              Start date:31/10/2024
                                              Path:C:\Windows\System32\msiexec.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\1944b321.msi"
                                              Imagebase:0x7ff6161a0000
                                              File size:69'632 bytes
                                              MD5 hash:E5DA170027542E25EDE42FC54C929077
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:1
                                              Start time:17:10:12
                                              Start date:31/10/2024
                                              Path:C:\Windows\System32\msiexec.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\msiexec.exe /V
                                              Imagebase:0x7ff6161a0000
                                              File size:69'632 bytes
                                              MD5 hash:E5DA170027542E25EDE42FC54C929077
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:false

                                              Target ID:3
                                              Start time:17:10:14
                                              Start date:31/10/2024
                                              Path:C:\ProgramData\MPK\mpk_emni_mpk.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\ProgramData\MPK\mpk_emni_mpk.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SDIR "C:\Users\user\Desktop\" /LOG="C:\ProgramData\MPK\mpk_em_log.txt"
                                              Imagebase:0x400000
                                              File size:5'283'576 bytes
                                              MD5 hash:E67464707F7D14131BEDE9DB845A6A0A
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:Borland Delphi
                                              Antivirus matches:
                                              • Detection: 52%, ReversingLabs
                                              Reputation:low
                                              Has exited:true

                                              Target ID:4
                                              Start time:17:10:15
                                              Start date:31/10/2024
                                              Path:C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Local\Temp\is-EVFO2.tmp\mpk_emni_mpk.tmp" /SL5="$3049C,4852295,119296,C:\ProgramData\MPK\mpk_emni_mpk.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SDIR "C:\Users\user\Desktop\" /LOG="C:\ProgramData\MPK\mpk_em_log.txt"
                                              Imagebase:0x400000
                                              File size:1'178'880 bytes
                                              MD5 hash:5ABA2917CE54882DFFA1635380313097
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:Borland Delphi
                                              Antivirus matches:
                                              • Detection: 24%, ReversingLabs
                                              Reputation:low
                                              Has exited:true

                                              Target ID:5
                                              Start time:17:10:16
                                              Start date:31/10/2024
                                              Path:C:\Users\user\AppData\Local\Temp\is-TDMRE.tmp\_isetup\_setup64.tmp
                                              Wow64 process (32bit):false
                                              Commandline:helper 105 0x3DC
                                              Imagebase:0x140000000
                                              File size:6'144 bytes
                                              MD5 hash:526426126AE5D326D0A24706C77D8C5C
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 0%, ReversingLabs
                                              Reputation:low
                                              Has exited:true

                                              Target ID:6
                                              Start time:17:10:17
                                              Start date:31/10/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:7
                                              Start time:17:10:17
                                              Start date:31/10/2024
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\SysWOW64\cmd.exe" /c netsh advfirewall firewall add rule name="TCP\IP" dir=in action=allow program="C:\ProgramData\MPK\mpk.exe" enable=yes
                                              Imagebase:0x790000
                                              File size:236'544 bytes
                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:8
                                              Start time:17:10:17
                                              Start date:31/10/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:9
                                              Start time:17:10:17
                                              Start date:31/10/2024
                                              Path:C:\Windows\SysWOW64\netsh.exe
                                              Wow64 process (32bit):true
                                              Commandline:netsh advfirewall firewall add rule name="TCP\IP" dir=in action=allow program="C:\ProgramData\MPK\mpk.exe" enable=yes
                                              Imagebase:0x1080000
                                              File size:82'432 bytes
                                              MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:10
                                              Start time:17:10:18
                                              Start date:31/10/2024
                                              Path:C:\ProgramData\MPK\MPKInst.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\ProgramData\MPK\MPKInst.exe" /i /dr /cp
                                              Imagebase:0x400000
                                              File size:1'499'392 bytes
                                              MD5 hash:20BC08D7652B652811DF5F403C9C6DFA
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:Borland Delphi
                                              Yara matches:
                                              • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000A.00000000.2093241826.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:true

                                              Target ID:11
                                              Start time:17:10:18
                                              Start date:31/10/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff6d64d0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:12
                                              Start time:17:10:18
                                              Start date:31/10/2024
                                              Path:C:\ProgramData\MPK\lsynchost.exe
                                              Wow64 process (32bit):true
                                              Commandline:c:\programdata\mpk\\lsynchost.exe /install /silent
                                              Imagebase:0x400000
                                              File size:1'561'344 bytes
                                              MD5 hash:1A902E39120A8CCAA56163B91601E63A
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:Borland Delphi
                                              Yara matches:
                                              • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000C.00000000.2094922926.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:true

                                              Target ID:13
                                              Start time:17:10:18
                                              Start date:31/10/2024
                                              Path:C:\ProgramData\MPK\lsynchost.exe
                                              Wow64 process (32bit):true
                                              Commandline:c:\programdata\mpk\lsynchost.exe /startedbyscm:E4233B4F-40E3FE91-MPKService
                                              Imagebase:0x400000
                                              File size:1'561'344 bytes
                                              MD5 hash:1A902E39120A8CCAA56163B91601E63A
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:Borland Delphi
                                              Reputation:low
                                              Has exited:true

                                              Target ID:14
                                              Start time:17:10:18
                                              Start date:31/10/2024
                                              Path:C:\ProgramData\MPK\lsynchost.exe
                                              Wow64 process (32bit):true
                                              Commandline:"c:\programdata\mpk\lsynchost.exe" /runsrv
                                              Imagebase:0x400000
                                              File size:1'561'344 bytes
                                              MD5 hash:1A902E39120A8CCAA56163B91601E63A
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:Borland Delphi
                                              Reputation:low
                                              Has exited:false

                                              Target ID:15
                                              Start time:17:10:18
                                              Start date:31/10/2024
                                              Path:C:\ProgramData\MPK\lsynchost.exe
                                              Wow64 process (32bit):true
                                              Commandline:"c:\programdata\mpk\lsynchost.exe" /runsrv \MID:D
                                              Imagebase:0x400000
                                              File size:1'561'344 bytes
                                              MD5 hash:1A902E39120A8CCAA56163B91601E63A
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:Borland Delphi
                                              Reputation:low
                                              Has exited:false

                                              Target ID:18
                                              Start time:17:10:57
                                              Start date:31/10/2024
                                              Path:C:\Windows\System32\svchost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                              Imagebase:0x7ff7e52b0000
                                              File size:55'320 bytes
                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                              Has elevated privileges:true
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:false

                                                Execution Graph

                                                Execution Coverage:56.4%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:33.3%
                                                Total number of Nodes:33
                                                Total number of Limit Nodes:5
                                                execution_graph 64 1400014e0 67 1400012a4 8 API calls 64->67 68 140001317 GetLastError 67->68 69 140001329 67->69 70 140001330 ExitProcess 68->70 69->70 71 14000133a StrToIntW 69->71 71->70 72 140001353 StrToInt64ExW 71->72 72->70 79 140001372 72->79 73 140001468 ReadFile 74 140001490 GetLastError 73->74 73->79 76 1400014aa CloseHandle 74->76 77 14000149b GetLastError 74->77 75 1400014be 75->76 76->70 77->76 78 140001438 WriteFile 80 1400014c5 GetLastError 78->80 83 1400013d3 78->83 79->73 79->75 79->78 79->83 84 140001000 79->84 80->76 83->73 83->75 83->78 95 1400011dc LoadTypeLib 83->95 85 14000104b GetNamedSecurityInfoW 84->85 86 140001041 84->86 85->86 87 140001088 85->87 86->83 88 14000111d SetEntriesInAclW 87->88 89 1400010a8 AllocateAndInitializeSid 87->89 90 140001172 88->90 91 14000113e SetNamedSecurityInfoW LocalFree 88->91 89->87 92 1400011c5 GetLastError 89->92 93 140001197 LocalFree 90->93 94 140001187 FreeSid 90->94 91->90 92->90 93->86 94->90 96 140001276 95->96 97 14000120f 95->97 96->83 98 140001218 RegisterTypeLib 97->98 99 14000122b 97->99 98->96 99->96 100 140001241 UnRegisterTypeLib 99->100 100->96

                                                Callgraph

                                                callgraph 0 Function_00000001400012A4 1 Function_00000001400011DC 0->1 4 Function_0000000140001000 0->4 2 Function_000000014000129C 3 Function_00000001400014E0 3->0

                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2100907608.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                • Associated: 00000005.00000002.2100885026.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2100933131.0000000140002000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2100956168.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2101007888.0000000140025000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_140000000__setup64.jbxd
                                                Similarity
                                                • API ID: Free$InfoLocalNamedSecurity$AllocateEntriesErrorInitializeLast
                                                • String ID:
                                                • API String ID: 1336570144-0
                                                • Opcode ID: b35f34b64a9d6aa6b81e16b13b2f1c0d38c8c3b1546899b34faa1a97c6582e21
                                                • Instruction ID: 9ad65f9ffd8baecdb197e09b536dbb51b96e9a581e15e5332d3d6b3fb358d4f4
                                                • Opcode Fuzzy Hash: b35f34b64a9d6aa6b81e16b13b2f1c0d38c8c3b1546899b34faa1a97c6582e21
                                                • Instruction Fuzzy Hash: A35147B2614B8186E765CF12F88078EB7E6F7887D4F504425EB8943B64DF38D9A5CB00

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                • MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 000000014000141C
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2100907608.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                • Associated: 00000005.00000002.2100885026.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2100933131.0000000140002000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2100956168.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2101007888.0000000140025000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_140000000__setup64.jbxd
                                                Similarity
                                                • API ID: Error$CommandDirectoryLastLine$ArgvCloseConsoleCtrlCurrentHandleHandlerModeParametersProcessShutdownSystem
                                                • String ID: MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
                                                • API String ID: 1351133944-1036520142
                                                • Opcode ID: 9d6e473d000c958ab654ea6524e99b93636dd2550909cc2fdf2d0baeb0bae34d
                                                • Instruction ID: bed22989135500286ff082a5b8534ee6a98307118f748591786f601728a80f93
                                                • Opcode Fuzzy Hash: 9d6e473d000c958ab654ea6524e99b93636dd2550909cc2fdf2d0baeb0bae34d
                                                • Instruction Fuzzy Hash: 435106B160464686EB13DF27F8843E963A1F78C7C5F904125FB4A476B5CB3C8989CB50

                                                Control-flow Graph

                                                control_flow_graph 52 1400014e0-1400014eb call 1400012a4 ExitProcess
                                                APIs
                                                  • Part of subcall function 00000001400012A4: #17.COMCTL32(?,?,?,?,?,?,00000001400014E9), ref: 00000001400012AF
                                                  • Part of subcall function 00000001400012A4: SetErrorMode.KERNELBASE(?,?,?,?,?,?,00000001400014E9), ref: 00000001400012BA
                                                  • Part of subcall function 00000001400012A4: GetSystemDirectoryW.KERNEL32(?,?,?,?,?,?,00000001400014E9), ref: 00000001400012CC
                                                  • Part of subcall function 00000001400012A4: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001400014E9), ref: 00000001400012D9
                                                  • Part of subcall function 00000001400012A4: SetProcessShutdownParameters.KERNEL32(?,?,?,?,?,?,00000001400014E9), ref: 00000001400012E6
                                                  • Part of subcall function 00000001400012A4: SetConsoleCtrlHandler.KERNEL32(?,?,?,?,?,?,00000001400014E9), ref: 00000001400012F5
                                                  • Part of subcall function 00000001400012A4: GetCommandLineW.KERNEL32(?,?,?,?,?,?,00000001400014E9), ref: 00000001400012FB
                                                  • Part of subcall function 00000001400012A4: CommandLineToArgvW.SHELL32(?,?,?,?,?,?,00000001400014E9), ref: 0000000140001309
                                                  • Part of subcall function 00000001400012A4: GetLastError.KERNEL32(?,?,?,?,?,?,00000001400014E9), ref: 0000000140001317
                                                • ExitProcess.KERNEL32 ref: 00000001400014EB
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.2100907608.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                • Associated: 00000005.00000002.2100885026.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2100933131.0000000140002000.00000002.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2100956168.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                • Associated: 00000005.00000002.2101007888.0000000140025000.00000002.00000001.01000000.00000007.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_140000000__setup64.jbxd
                                                Similarity
                                                • API ID: CommandDirectoryErrorLineProcess$ArgvConsoleCtrlCurrentExitHandlerLastModeParametersShutdownSystem
                                                • String ID:
                                                • API String ID: 596749235-0
                                                • Opcode ID: d409c78e300c7577bde50c236e3745e62975251c616abf16af35a2c2feadab5b
                                                • Instruction ID: 20a652f16b87ba7830b4ae42eb4563c7e1ed9e0c7b0ce7c62722bbd31286e835
                                                • Opcode Fuzzy Hash: d409c78e300c7577bde50c236e3745e62975251c616abf16af35a2c2feadab5b
                                                • Instruction Fuzzy Hash: CEA001B0E2168282EA0ABBB6695A3D911626FD8781F540414A242872A2DD7884698612