Windows Analysis Report
ProSheets.msi

Source: global traffic

HTTP traffic detected: GET /api/v1/tracker?User=90a4c0a8dc9fe6c0587a2d645e893988&Action=InstallationError&ParentApp=ProSheets&ParentAppVersion=1.2.10.0&App=ProSheets&AppVersion=1.2.10.0&Platform=Revit&PlatformVersion=2021&Description= HTTP/1.1Content-Type: text/xmlAuthorization: nUAJZu_kbGMIcdAdgLySIsBYQ0Q5794aHODddzHqldZwMF0_DggUvCd-ynHCbZaAHost: api.diroots.comConnection: Keep-Alive

Source: Joe Sandbox View

ASN Name: OVHFR OVHFR

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: unknown

DNS traffic detected: queries for: api.diroots.com

Source: rundll32.exe, 00000003.00000002.1727380887.0000000004A10000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.diroots.com
Source: rundll32.exe, 00000003.00000003.1696793079.00000000047E2000.00000004.00000020.00020000.00000000.sdmp, ProSheets.msi, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSIF2F4.tmp.0.dr, MSIF2B5.tmp.0.dr, MSIF315.tmp.0.dr, MSIF373.tmp.0.dr, MSIF237.tmp.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ProSheets.msi	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: rundll32.exe, 00000003.00000003.1696793079.00000000047E2000.00000004.00000020.00020000.00000000.sdmp, ProSheets.msi, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSIF2F4.tmp.0.dr, MSIF2B5.tmp.0.dr, MSIF315.tmp.0.dr, MSIF373.tmp.0.dr, MSIF237.tmp.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: ProSheets.msi	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ProSheets.msi	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: rundll32.exe, 00000003.00000003.1696793079.00000000047E2000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.3.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: ProSheets.msi	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: rundll32.exe, 00000003.00000003.1696793079.00000000047E2000.00000004.00000020.00020000.00000000.sdmp, ProSheets.msi, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSIF2F4.tmp.0.dr, MSIF2B5.tmp.0.dr, MSIF315.tmp.0.dr, MSIF373.tmp.0.dr, MSIF237.tmp.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: rundll32.exe, 00000003.00000003.1696793079.00000000047E2000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: ProSheets.msi	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ProSheets.msi	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: rundll32.exe, 00000003.00000003.1696793079.00000000047E2000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.3.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: ProSheets.msi	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: rundll32.exe, 00000003.00000003.1696793079.00000000047E2000.00000004.00000020.00020000.00000000.sdmp, ProSheets.msi, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSIF2F4.tmp.0.dr, MSIF2B5.tmp.0.dr, MSIF315.tmp.0.dr, MSIF373.tmp.0.dr, MSIF237.tmp.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: rundll32.exe, 00000003.00000003.1696793079.00000000047E2000.00000004.00000020.00020000.00000000.sdmp, ProSheets.msi, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSIF2F4.tmp.0.dr, MSIF2B5.tmp.0.dr, MSIF315.tmp.0.dr, MSIF373.tmp.0.dr, MSIF237.tmp.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: rundll32.exe, 00000003.00000003.1696793079.00000000047E2000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.3.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: ProSheets.msi	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: rundll32.exe, 00000003.00000003.1696793079.00000000047E2000.00000004.00000020.00020000.00000000.sdmp, ProSheets.msi, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSIF2F4.tmp.0.dr, MSIF2B5.tmp.0.dr, MSIF315.tmp.0.dr, MSIF373.tmp.0.dr, MSIF237.tmp.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: ProSheets.msi	String found in binary or memory: http://ocsp.digicert.com0A
Source: rundll32.exe, 00000003.00000003.1696793079.00000000047E2000.00000004.00000020.00020000.00000000.sdmp, ProSheets.msi, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSIF2F4.tmp.0.dr, MSIF2B5.tmp.0.dr, MSIF315.tmp.0.dr, MSIF373.tmp.0.dr, MSIF237.tmp.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: rundll32.exe, 00000003.00000003.1696793079.00000000047E2000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: rundll32.exe, 00000003.00000003.1696793079.00000000047E2000.00000004.00000020.00020000.00000000.sdmp, ProSheets.msi, Microsoft.Deployment.WindowsInstaller.dll.3.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: rundll32.exe, 00000003.00000003.1696793079.00000000047E2000.00000004.00000020.00020000.00000000.sdmp, ProSheets.msi, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSIF2F4.tmp.0.dr, MSIF2B5.tmp.0.dr, MSIF315.tmp.0.dr, MSIF373.tmp.0.dr, MSIF237.tmp.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: ProSheets.msi	String found in binary or memory: http://ocsp.digicert.com0X
Source: rundll32.exe, 00000003.00000002.1727380887.0000000004981000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1727380887.00000000049EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ProSheets.msi, MSIF2F4.tmp.0.dr, MSIF2B5.tmp.0.dr, MSIF315.tmp.0.dr, MSIF373.tmp.0.dr, MSIF237.tmp.0.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: ProSheets.msi, MSIF2F4.tmp.0.dr, MSIF2B5.tmp.0.dr, MSIF315.tmp.0.dr, MSIF373.tmp.0.dr, MSIF237.tmp.0.dr	String found in binary or memory: http://t2.symcb.com0
Source: ProSheets.msi, MSIF2F4.tmp.0.dr, MSIF2B5.tmp.0.dr, MSIF315.tmp.0.dr, MSIF373.tmp.0.dr, MSIF237.tmp.0.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: ProSheets.msi, MSIF2F4.tmp.0.dr, MSIF2B5.tmp.0.dr, MSIF315.tmp.0.dr, MSIF373.tmp.0.dr, MSIF237.tmp.0.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: ProSheets.msi, MSIF2F4.tmp.0.dr, MSIF2B5.tmp.0.dr, MSIF315.tmp.0.dr, MSIF373.tmp.0.dr, MSIF237.tmp.0.dr	String found in binary or memory: http://tl.symcd.com0&
Source: rundll32.exe, 00000003.00000003.1696793079.00000000047E2000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.3.dr	String found in binary or memory: http://wixtoolset.org
Source: rundll32.exe, 00000003.00000003.1696793079.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.3.dr	String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: rundll32.exe, 00000003.00000003.1696793079.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.3.dr	String found in binary or memory: http://wixtoolset.org/news/
Source: rundll32.exe, 00000003.00000003.1696793079.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.3.dr	String found in binary or memory: http://wixtoolset.org/releases/
Source: ProSheets.msi, MSIF2F4.tmp.0.dr, MSIF2B5.tmp.0.dr, MSIF315.tmp.0.dr, MSIF373.tmp.0.dr, MSIF237.tmp.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: rundll32.exe, 00000003.00000002.1727380887.00000000049EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.diroot
Source: rundll32.exe, 00000003.00000002.1727380887.0000000004981000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1727380887.00000000049EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.diroots.com
Source: SetUpTrackerSelection.dll.3.dr	String found in binary or memory: https://api.diroots.com/api/v1/tracker
Source: rundll32.exe, 00000003.00000002.1727380887.0000000004981000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1727380887.00000000049EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.diroots.com/api/v1/tracker?User=90a4c0a8dc9fe6c0587a2d645e893988&Action=InstallationErro
Source: ProSheets.msi	String found in binary or memory: https://diroots.com/privacy-policy/
Source: ProSheets.msi	String found in binary or memory: https://diroots.com/terms-and-conditions
Source: ProSheets.msi, MSIF2F4.tmp.0.dr, MSIF2B5.tmp.0.dr, MSIF315.tmp.0.dr, MSIF373.tmp.0.dr, MSIF237.tmp.0.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: rundll32.exe, 00000003.00000003.1696793079.00000000047E2000.00000004.00000020.00020000.00000000.sdmp, ProSheets.msi, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSIF2F4.tmp.0.dr, MSIF2B5.tmp.0.dr, MSIF315.tmp.0.dr, MSIF373.tmp.0.dr, MSIF237.tmp.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: ProSheets.msi, MSIF2F4.tmp.0.dr, MSIF2B5.tmp.0.dr, MSIF315.tmp.0.dr, MSIF373.tmp.0.dr, MSIF237.tmp.0.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: ProSheets.msi, MSIF2F4.tmp.0.dr, MSIF2B5.tmp.0.dr, MSIF315.tmp.0.dr, MSIF373.tmp.0.dr, MSIF237.tmp.0.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443

Source: unknown

HTTPS traffic detected: 217.182.69.200:443 -> 192.168.2.4:49731 version: TLS 1.2

Source: ProSheets.msi	Binary or memory string: OriginalFilenamelzmaextractor.dllF vs ProSheets.msi
Source: ProSheets.msi	Binary or memory string: OriginalFilenameRollBackDllsFolder.dllF vs ProSheets.msi
Source: ProSheets.msi	Binary or memory string: OriginalFilenameSfxCA.dll\ vs ProSheets.msi
Source: ProSheets.msi	Binary or memory string: OriginalFilenamePrinterSettings.dll@ vs ProSheets.msi
Source: ProSheets.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs ProSheets.msi
Source: ProSheets.msi	Binary or memory string: OriginalFilenamePrereq.dllF vs ProSheets.msi
Source: ProSheets.msi	Binary or memory string: OriginalFilenameRemovePreviousVersion.dllL vs ProSheets.msi
Source: ProSheets.msi	Binary or memory string: OriginalFilenameExternalUICleaner.dllF vs ProSheets.msi
Source: ProSheets.msi	Binary or memory string: OriginalFilenameCleanLocalAppDataFolder.dllP vs ProSheets.msi
Source: ProSheets.msi	Binary or memory string: OriginalFilenameSetUpTrackerSelection.dllL vs ProSheets.msi
Source: ProSheets.msi	Binary or memory string: OriginalFilenameSilentInstallationConfig.dllR vs ProSheets.msi
Source: ProSheets.msi	Binary or memory string: OriginalFilenameCleanDataCustomAction.dllL vs ProSheets.msi

Source: classification engine

Classification label: mal48.evad.winMSI@6/12@1/1

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

Source: C:\Windows\SysWOW64\rundll32.exe

Mutant created: NULL

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSIF237.tmp

Source: C:\Windows\System32\msiexec.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIBBF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5573593 24 SetUpTrackerSelection!SetUpTrackerSelection.CustomActions.SendInstallErrorMsg

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ProSheets.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding DE2667B8AFF59C1FD16112738283BE86 C
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIBBF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5573593 24 SetUpTrackerSelection!SetUpTrackerSelection.CustomActions.SendInstallErrorMsg
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding DE2667B8AFF59C1FD16112738283BE86 C	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIBBF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5573593 24 SetUpTrackerSelection!SetUpTrackerSelection.CustomActions.SendInstallErrorMsg	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: ProSheets.msi

Static file information: File size 3558400 > 1048576

Source:	Binary string: SetUpTrackerSelection.pdb source: ProSheets.msi, MSIBBF.tmp.0.dr
Source:	Binary string: CleanLocalAppDataFolder.pdb source: ProSheets.msi
Source:	Binary string: CleanLocalAppDataFolder.pdb source: ProSheets.msi
Source:	Binary string: RollBackDllsFolder.pdb source: ProSheets.msi
Source:	Binary string: D:\Laboratories\RnD_AdvancedInstaller\AdvIns_Test_4 (NormalIns)\PS\CleanDataCustomAction\SetUpTrackerSelection\obj\x86\Debug\SetUpTrackerSelection.pdb\|O source: rundll32.exe, 00000003.00000003.1696793079.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, SetUpTrackerSelection.dll.3.dr
Source:	Binary string: SilentInstallationConfig.pdb source: ProSheets.msi
Source:	Binary string: SetUpTrackerSelection.pdb source: ProSheets.msi, MSIBBF.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\ExternalUICleaner.pdb0 source: ProSheets.msi
Source:	Binary string: SilentInstallationConfig.pdb source: ProSheets.msi
Source:	Binary string: RemovePreviousVersion.pdb source: ProSheets.msi
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\ExternalUICleaner.pdb source: ProSheets.msi
Source:	Binary string: CleanDataCustomAction.pdb source: ProSheets.msi
Source:	Binary string: PrinterSettings.pdb source: ProSheets.msi
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: ProSheets.msi, MSIF2F4.tmp.0.dr, MSIF2B5.tmp.0.dr, MSIF315.tmp.0.dr, MSIF237.tmp.0.dr
Source:	Binary string: D:\Laboratories\RnD_AdvancedInstaller\AdvIns_Test_4 (NormalIns)\PS\CleanDataCustomAction\SetUpTrackerSelection\obj\x86\Debug\SetUpTrackerSelection.pdb source: rundll32.exe, 00000003.00000003.1696793079.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, SetUpTrackerSelection.dll.3.dr
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000003.00000003.1696793079.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.3.dr
Source:	Binary string: RemovePreviousVersion.pdb source: ProSheets.msi
Source:	Binary string: CleanDataCustomAction.pdb source: ProSheets.msi
Source:	Binary string: RollBackDllsFolder.pdb source: ProSheets.msi
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000003.00000003.1696793079.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.3.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdbm source: ProSheets.msi, MSIF373.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\Prereq.pdb source: ProSheets.msi, MSIF373.tmp.0.dr
Source:	Binary string: ISETUPT~1.PDBSetUpTrackerSelection.pdbLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTLISTI source: rundll32.exe, 00000003.00000002.1726795884.0000000000B2B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: ProSheets.msi, MSIBBF.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: ProSheets.msi, MSIF2F4.tmp.0.dr, MSIF2B5.tmp.0.dr, MSIF315.tmp.0.dr, MSIF237.tmp.0.dr
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\MSIBBF.tmp-\SetUpTrackerSelection.pdbrh8 source: rundll32.exe, 00000003.00000002.1726795884.0000000000B2B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\lzmaextractor.pdb source: ProSheets.msi
Source:	Binary string: PrinterSettings.pdb source: ProSheets.msi

Source: SetUpTrackerSelection.dll.3.dr	Static PE information: real checksum: 0x0 should be: 0x75ea
Source: MSIBBF.tmp.0.dr	Static PE information: real checksum: 0x32353 should be: 0x49bbb

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_06D01EFB pushfd ; iretd	3_3_06D01F01
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_06D02610 push edi; iretd	3_3_06D02612
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_06D02477 push ebp; iretd	3_3_06D02482
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_06D023A9 push esp; iretd	3_3_06D023AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_3_06D023AB push ebx; iretd	3_3_06D023B2

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIBBF.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSIBBF.tmp-\SetUpTrackerSelection.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIF373.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Users\user\AppData\Local\Temp\MSIBBF.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIF315.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIF237.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIF2F4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIF2B5.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBBF.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBBF.tmp-\SetUpTrackerSelection.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIBBF.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF373.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF315.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF237.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF2F4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF2B5.tmp	Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe TID: 4176

Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: rundll32.exe, 00000003.00000002.1726795884.0000000000B77000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Memory allocated: page read and write | page guard

System process connects to network (likely due to code injection or exploit)

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 217.182.69.200 443

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSIBBF.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\MSIBBF.tmp-\SetUpTrackerSelection.dll VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	11 Peripheral Device Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Rundll32	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\MSIBBF.tmp	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIBBF.tmp-\Microsoft.Deployment.WindowsInstaller.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIBBF.tmp-\Microsoft.Deployment.WindowsInstaller.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MSIF237.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF237.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MSIF2B5.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF2B5.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MSIF2F4.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF2F4.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MSIF315.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF315.tmp	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\MSIF373.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF373.tmp	0%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
api.diroots.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://diroots.com/privacy-policy/	0%	Avira URL Cloud	safe
https://api.diroots.com/api/v1/tracker?User=90a4c0a8dc9fe6c0587a2d645e893988&Action=InstallationError&ParentApp=ProSheets&ParentAppVersion=1.2.10.0&App=ProSheets&AppVersion=1.2.10.0&Platform=Revit&PlatformVersion=2021&Description=	0%	Avira URL Cloud	safe
https://diroots.com/terms-and-conditions	0%	Avira URL Cloud	safe
https://api.diroots.com/api/v1/tracker?User=90a4c0a8dc9fe6c0587a2d645e893988&Action=InstallationErro	0%	Avira URL Cloud	safe
http://api.diroots.com	0%	Avira URL Cloud	safe
https://api.diroot	0%	Avira URL Cloud	safe
https://api.diroots.com/api/v1/tracker	0%	Avira URL Cloud	safe
https://api.diroots.com	0%	Avira URL Cloud	safe
https://diroots.com/privacy-policy/	0%	Virustotal		Browse
http://api.diroots.com	0%	Virustotal		Browse
https://api.diroots.com	0%	Virustotal		Browse
https://api.diroots.com/api/v1/tracker	0%	Virustotal		Browse
https://diroots.com/terms-and-conditions	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.diroots.com	217.182.69.200	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.diroots.com/api/v1/tracker?User=90a4c0a8dc9fe6c0587a2d645e893988&Action=InstallationError&ParentApp=ProSheets&ParentAppVersion=1.2.10.0&App=ProSheets&AppVersion=1.2.10.0&Platform=Revit&PlatformVersion=2021&Description=	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://diroots.com/terms-and-conditions	ProSheets.msi	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://wixtoolset.org/releases/	rundll32.exe, 00000003.00000003.1696793079.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.3.dr	false		high
https://api.diroots.com/api/v1/tracker?User=90a4c0a8dc9fe6c0587a2d645e893988&Action=InstallationErro	rundll32.exe, 00000003.00000002.1727380887.0000000004981000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1727380887.00000000049EE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://api.diroots.com	rundll32.exe, 00000003.00000002.1727380887.0000000004A10000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://wixtoolset.org	rundll32.exe, 00000003.00000003.1696793079.00000000047E2000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.3.dr	false		high
https://www.thawte.com/cps0/	ProSheets.msi, MSIF2F4.tmp.0.dr, MSIF2B5.tmp.0.dr, MSIF315.tmp.0.dr, MSIF373.tmp.0.dr, MSIF237.tmp.0.dr	false		high
https://diroots.com/privacy-policy/	ProSheets.msi	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.thawte.com/repository0W	ProSheets.msi, MSIF2F4.tmp.0.dr, MSIF2B5.tmp.0.dr, MSIF315.tmp.0.dr, MSIF373.tmp.0.dr, MSIF237.tmp.0.dr	false		high
http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v	rundll32.exe, 00000003.00000003.1696793079.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.3.dr	false		high
https://www.advancedinstaller.com	ProSheets.msi, MSIF2F4.tmp.0.dr, MSIF2B5.tmp.0.dr, MSIF315.tmp.0.dr, MSIF373.tmp.0.dr, MSIF237.tmp.0.dr	false		high
https://api.diroot	rundll32.exe, 00000003.00000002.1727380887.00000000049EE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://wixtoolset.org/news/	rundll32.exe, 00000003.00000003.1696793079.00000000047B4000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.3.dr	false		high
https://api.diroots.com/api/v1/tracker	SetUpTrackerSelection.dll.3.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	rundll32.exe, 00000003.00000002.1727380887.0000000004981000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1727380887.00000000049EE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.diroots.com	rundll32.exe, 00000003.00000002.1727380887.0000000004981000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.1727380887.00000000049EE000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
217.182.69.200	api.diroots.com	France		16276	OVHFR	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430939
Start date and time:	2024-04-24 12:01:34 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ProSheets.msi
Detection:	MAL
Classification:	mal48.evad.winMSI@6/12@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 48 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target rundll32.exe, PID 2004 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:02:30	API Interceptor	1x Sleep call for process: rundll32.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OVHFR	bomgar-scc-w0eec30gdg6gx6wy8y6j8ddehxi7i1x5fwfex5jc40jc90.exe	Get hash	malicious	Unknown	Browse	54.38.11.197
	bomgar-scc-w0eec30gdg6gx6wy8y6j8ddehxi7i1x5fwfex5jc40jc90.exe	Get hash	malicious	Unknown	Browse	54.38.11.197
	v2cDqXmZtv.elf	Get hash	malicious	Mirai	Browse	51.79.217.59
	Wd2T9v9ZMT.elf	Get hash	malicious	Mirai	Browse	51.79.217.59
	7T1vOaCJto.elf	Get hash	malicious	Mirai	Browse	51.79.217.59
	Price request N#U00b0DEM23000199.js	Get hash	malicious	AsyncRAT, PureLog Stealer, RedLine	Browse	51.254.27.105
	SecuriteInfo.com.Python.Stealer.1437.14994.32063.exe	Get hash	malicious	Python Stealer	Browse	151.80.29.83
	SecuriteInfo.com.Win64.TrojanX-gen.22735.27744.exe	Get hash	malicious	Xmrig	Browse	54.37.232.103
	_file____C__Users_hp_Downloads_C__Users_moodyt_AppData_Local_Temp_2_RemittanceAdvice17-Apr-2024.html	Get hash	malicious	Unknown	Browse	51.222.241.106
	Remittance. #U0440df.html	Get hash	malicious	HTMLPhisher	Browse	51.222.241.100

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	QUOTATION_APRQTRA031244#U00b7PDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	217.182.69.200
	DHL EXPRESS.exe	Get hash	malicious	AgentTesla	Browse	217.182.69.200
	Zapytanie ofertowe Fl#U00e4ktGroup 04232024.hta	Get hash	malicious	AgentTesla, GuLoader	Browse	217.182.69.200
	DEKONT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	217.182.69.200
	17139463270174bbf69f15eda1f7b69a4b102fdecfdf8a3128c52442f9358945f33688d60f824.dat-decoded.exe	Get hash	malicious	AgentTesla	Browse	217.182.69.200
	Umulighed.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	217.182.69.200
	load_startup.txt.ps1	Get hash	malicious	Unknown	Browse	217.182.69.200
	M_F+niestandardowy stempel.xlsx.exe	Get hash	malicious	AgentTesla	Browse	217.182.69.200
	https://u44056869.ct.sendgrid.net/ls/click?upn=u001.nH1ryR-2Btr2av-2Bkfc8quLEXKlGRKFonctFf3nB-2FAP-2Bjae3IsQgCoKtK-2FQ57cEEmmhZzRyd07G16kQ6rsc4EaJT6S7Rh48kOVsBPHV-2Fkkk9Vfz7cojLOCLuj4sUGVMM7pbdmwtinmtiLhfYkhEkgve628OiJsccHyeYc3lkmkn6epsOmmj4-2Fi-2BWjxfm73m7vUzCOGnDWnQJBmmd6DmkDcfIw-3D-3DU_vL_MRfqZW9nS4IDBSHT8MfJfSAq9b0aOVvtJoUhpW1Ga8ePAnfV-2FfXwE0xIGnayeXag21qNKRc5VLcgMkPlIuCBf7Hi8EFUvj1-2FlklJpMLZNx1IQq8eO26tVdmeuxhGn-2B2zjA71oEkiC9pTrxX9Dz-2FMJk8mkJr62ye1KlBo-2B8fxBlVl-2B6T0POpB0GKoibGhcjh4Z-2FnPU453nMAkUkNy65MlaA-3D-3D	Get hash	malicious	HTMLPhisher	Browse	217.182.69.200
	F#U0130YAT TEKL#U0130F.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	217.182.69.200

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\MSIBBF.tmp-\Microsoft.Deployment.WindowsInstaller.dll	AdobeAcrobat2.1.2.msi	Get hash	malicious	AteraAgent	Browse
	440e4d.msi	Get hash	malicious	AteraAgent	Browse
	OPSWAT NetWall OSI-Pi Service (Blue).msi	Get hash	malicious	Unknown	Browse
	OPSWAT_OPCDA_RED_Service.msi	Get hash	malicious	Unknown	Browse
	digitalform.msi	Get hash	malicious	AteraAgent	Browse
	OPSWAT NetWall OSI-Pi Service (Red).msi	Get hash	malicious	Unknown	Browse
	OPSWAT NetWall OSI-Pi Service (Red).msi	Get hash	malicious	Unknown	Browse
	Salary.msi	Get hash	malicious	AteraAgent	Browse
	MSIx64.msi	Get hash	malicious	Unknown	Browse
	MSIx64.msi	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\MSIF237.tmp	Step 3 - Setup_Install_Game.exe	Get hash	malicious	Xmrig	Browse
	VMBHNCF{68111D07-1E25-4791-835A-CA847E8E5AA0}#U00aevnfc.msi	Get hash	malicious	Unknown	Browse
	VIRCFO-{ABC4DB18-37AD-4243-A6FD-D54436354C9E}#U00aexrtkjl.msi	Get hash	malicious	Unknown	Browse
	Step 3 - Setup_Install_Game.exe	Get hash	malicious	Xmrig	Browse
	Step 3 - Setup_Install_Game.exe	Get hash	malicious	Unknown	Browse
	huorong.exe	Get hash	malicious	Unknown	Browse
	huorong.exe	Get hash	malicious	Unknown	Browse
	Tenorshare UltData for iOS 9.4.14.6 Multilingual.zip	Get hash	malicious	Unknown	Browse
	Sgnd_NF-esViaClientDofXrtx_#UfffdANXRTS.msi	Get hash	malicious	Unknown	Browse
	Seg.ViaimpressoemAnexo#U00aeXLSBLTR.msi	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.345615485833535
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
MD5:	EEEC189088CC5F1F69CEE62A3BE59EA2
SHA1:	250F25CE24458FC0C581FDDF59FAA26D557844C5
SHA-256:	5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
SHA-512:	2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Temp\MSI4f38f.LOG

Process:	C:\Windows\System32\msiexec.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	198
Entropy (8bit):	3.3949497762780183
Encrypted:	false
SSDEEP:	3:QxtP6nElClDg+OjmlH/wlRlX+PpJlmnmf2KXMFS+lNLlFl83fPlXlNWlVlwlYl1:QOnElClDHOjSfwRmlv2K8c+a3UlPwlYH
MD5:	818647D9C14E7CE44FED4531D2F02DB8
SHA1:	807387F631FD888511C5F56D0908CDAAA916E45E
SHA-256:	C8133442ED4F9DE725F1C08F54D35A8FA98A72B10B1EB107D6721EF5404AE997
SHA-512:	952BC9EF9431C26D24FF7E3249148ADEF83B3E95A18EEDB579C3B3CAE9E845342641014410F7BB38DDD6312A2B1306B60DFD28A69C4ACC215C0BC11E5CCD8CBB
Malicious:	false
Reputation:	low
Preview:	..T.h.i.s. .p.a.c.k.a.g.e. .c.a.n. .o.n.l.y. .b.e. .r.u.n. .f.r.o.m. .a. .b.o.o.t.s.t.r.a.p.p.e.r.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .2.4./.0.4./.2.0.2.4. . .1.2.:.0.2.:.3.0. .=.=.=.....

C:\Users\user\AppData\Local\Temp\MSIBBF.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
Category:	dropped
Size (bytes):	261842
Entropy (8bit):	6.312124413073159
Encrypted:	false
SSDEEP:	3072:RArbg5BxgracGnEnRQOl9WGPot4fQx9uYoiRUXXM8Q2KcDa283IKCrKl+E8S2:RArbtraBqLlAGwF6XPOcufC2lqS2
MD5:	4B3F6805C572F1427704FDB3B2B73612
SHA1:	F0B29EF3255A4EEC5CD0F7A8055BAA4C0406681C
SHA-256:	12D3F60DAEB73B707BE8FF23BA234B096995640A11EAAC9CC992D206903B4CC6
SHA-512:	B4B84A97C87BC4F4D7B6B5683036F48A321952F9AC8497C15A2CE129CA14C10773A5AAC64FB5F8E00140A86E58CAB771284C1F2C9CF71892E78DFB2C17149B64
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...\|.......L.......`......................................S#....@.........................0}...*......x.......$.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...$...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIBBF.tmp-\CustomAction.config

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1461
Entropy (8bit):	4.6832580781878015
Encrypted:	false
SSDEEP:	24:2dRNmho2sPY6Ide7LzK6GAcWvlThl7j+ZiNr8GwjDhi:cOC2V5Q7XwWvFD7dr8GwM
MD5:	8C22D283225F3BDB8E36522C359796F9
SHA1:	CEC5168B62BC7D39930E0843A0A285C3D89ED23E
SHA-256:	5D6FD5049F33AC6B16EC0431787FA61C66630BA1916BB4C70F3F6B5844B74ECB
SHA-512:	826550987A6140B870894C02C20F1C890E187C5919FC60F5FE3FE962FC87BFCC3879EE1DE6141D679AA85F6CF52F8BE88A9B23A8D43B8561B6B70BAF138ADA3E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	<?xml version="1.0" encoding="utf-8" ?>.<configuration>. <startup useLegacyV2RuntimeActivationPolicy="true">.. . Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that. the custom action should run on. If no versions are specified, the chosen version of the runtime. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify. only the version(s) of the .NET Framework runtime that you have tested against... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies. by using the latest supported runti

C:\Users\user\AppData\Local\Temp\MSIBBF.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	184240
Entropy (8bit):	5.876033362692288
Encrypted:	false
SSDEEP:	3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
MD5:	1A5CAEA6734FDD07CAA514C3F3FB75DA
SHA1:	F070AC0D91BD337D7952ABD1DDF19A737B94510C
SHA-256:	CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
SHA-512:	A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: AdobeAcrobat2.1.2.msi, Detection: malicious, Browse Filename: 440e4d.msi, Detection: malicious, Browse Filename: OPSWAT NetWall OSI-Pi Service (Blue).msi, Detection: malicious, Browse Filename: OPSWAT_OPCDA_RED_Service.msi, Detection: malicious, Browse Filename: digitalform.msi, Detection: malicious, Browse Filename: OPSWAT NetWall OSI-Pi Service (Red).msi, Detection: malicious, Browse Filename: OPSWAT NetWall OSI-Pi Service (Red).msi, Detection: malicious, Browse Filename: Salary.msi, Detection: malicious, Browse Filename: MSIx64.msi, Detection: malicious, Browse Filename: MSIx64.msi, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIBBF.tmp-\SetUpTrackerSelection.dll

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.223720598514532
Encrypted:	false
SSDEEP:	384:f7kjVmfYHnFOFnXarS4D7TqZ05sADcMnDDMfZOeg:6HKqrRTG0GADcMnDDMfZZ
MD5:	8491FE819E742D1BB6D2A35ECB1685E4
SHA1:	57EB8B366AD453A273A469C254D6756DEC9E3F02
SHA-256:	CB5CC106911058BF7BA78B6B82162E328DDF212C970FA4F9F36D0657D3162A00
SHA-512:	7878A89E7BB0D1FA300338720202977E1963AA58AFC402BCF46E67907D39DD9A1217AEB2144D3021C13C8157A97E0FB5BC3C6E36ED817FEAF8F4D34D7A6BCD6D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Eb.........." ..0..0...........O... ...`....... ....................................`.................................TO..O....`...............................N............................................... ............... ..H............text..../... ...0.................. ..`.rsrc........`.......2..............@..@.reloc...............6..............@..B.................O......H........+..H"...........................................................0............(.....(.....o.......+.....0...........(.....o......(.......+.....0..%.........r...pr...po....r...pr...po.....+......0..%.........r...pr...po....r...pr...po.....+..".(........0..k.........r...po......r7..po....rS..p(....-.r[..p+.rg..p..rq..po.....r...p..#(.....(......(........9.......(........(........9.......(........o ...(...+.o".......o ...~....%-.&~.........s#...%.....(...+.........

C:\Users\user\AppData\Local\Temp\MSIBBF.tmp-\SetUpTrackerSelection.pdb

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	MSVC program database ver 7.00, 512*91 bytes
Category:	dropped
Size (bytes):	46592
Entropy (8bit):	3.5614750043895826
Encrypted:	false
SSDEEP:	768:MsXN+ZAaqHnaRaJwb22LIffG8mwhma7KrT9haHLNb+6H0YP/sjw7:fua7mTyH
MD5:	C92DAEB2AA1A0CE088773B9477811ED8
SHA1:	18678BF484FD4BCACA19A819633CE92C47273D61
SHA-256:	657C075FA9B3E07658F34F4601F251D1DB28A436382B798F99EEA50FEDF55CED
SHA-512:	17FEF803B4FD38885EFE53BDCBA9D1EF591769847BB648155D4D09BAD2F31BDFAB770B7D3CE19D5598F24BC966B0C78D0DBD93989561955A20E032EA61715B83
Malicious:	false
Preview:	Microsoft C/C++ MSF 7.00...DS...........[...........X...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIF237.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.4046361691542355
Encrypted:	false
SSDEEP:	6144:nLqkVr003gT0stWobv9lQK0T4JGufLIe3HP3LAOu3HjKkMeaZeOJp:LqS0Yg3v9lQK5zRL83PM/ZX
MD5:	5788EFA607D26332D6D7F5E6A1F6BD6F
SHA1:	E7749843CC3E89BC81649087DE4AD44C93D48BC6
SHA-256:	9FC2608C9E5EF5A88DD91C82660FA297144BA6BBF4602140D638DE7233A4625D
SHA-512:	CE472CA4F956DA4160CFD9B9051455974E24DD8B23A0B7B197AFD1F7552E37980809E523BEDC0D4C2F4C9CB6EF300B221E6404E6E6A1B789B67756550DDD2104
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: Step 3 - Setup_Install_Game.exe, Detection: malicious, Browse Filename: VMBHNCF{68111D07-1E25-4791-835A-CA847E8E5AA0}#U00aevnfc.msi, Detection: malicious, Browse Filename: VIRCFO-{ABC4DB18-37AD-4243-A6FD-D54436354C9E}#U00aexrtkjl.msi, Detection: malicious, Browse Filename: Step 3 - Setup_Install_Game.exe, Detection: malicious, Browse Filename: Step 3 - Setup_Install_Game.exe, Detection: malicious, Browse Filename: huorong.exe, Detection: malicious, Browse Filename: huorong.exe, Detection: malicious, Browse Filename: Tenorshare UltData for iOS 9.4.14.6 Multilingual.zip, Detection: malicious, Browse Filename: Sgnd_NF-esViaClientDofXrtx_#UfffdANXRTS.msi, Detection: malicious, Browse Filename: Seg.ViaimpressoemAnexo#U00aeXLSBLTR.msi, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........0...c...c...c$..b...c$..bP..c...b...c...b...c...b...c$..b...c$..b...c$..b...c...c...cM..b...cM..b...cM.3c...c..[c...cM..b...cRich...c................PE..L....v.a.........."!.....t...P......v...............................................}L....@.........................PK......$S..........0........................L......p...............................@...............4............................text...6s.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIF2B5.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.4046361691542355
Encrypted:	false
SSDEEP:	6144:nLqkVr003gT0stWobv9lQK0T4JGufLIe3HP3LAOu3HjKkMeaZeOJp:LqS0Yg3v9lQK5zRL83PM/ZX
MD5:	5788EFA607D26332D6D7F5E6A1F6BD6F
SHA1:	E7749843CC3E89BC81649087DE4AD44C93D48BC6
SHA-256:	9FC2608C9E5EF5A88DD91C82660FA297144BA6BBF4602140D638DE7233A4625D
SHA-512:	CE472CA4F956DA4160CFD9B9051455974E24DD8B23A0B7B197AFD1F7552E37980809E523BEDC0D4C2F4C9CB6EF300B221E6404E6E6A1B789B67756550DDD2104
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........0...c...c...c$..b...c$..bP..c...b...c...b...c...b...c$..b...c$..b...c$..b...c...c...cM..b...cM..b...cM.3c...c..[c...cM..b...cRich...c................PE..L....v.a.........."!.....t...P......v...............................................}L....@.........................PK......$S..........0........................L......p...............................@...............4............................text...6s.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIF2F4.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.4046361691542355
Encrypted:	false
SSDEEP:	6144:nLqkVr003gT0stWobv9lQK0T4JGufLIe3HP3LAOu3HjKkMeaZeOJp:LqS0Yg3v9lQK5zRL83PM/ZX
MD5:	5788EFA607D26332D6D7F5E6A1F6BD6F
SHA1:	E7749843CC3E89BC81649087DE4AD44C93D48BC6
SHA-256:	9FC2608C9E5EF5A88DD91C82660FA297144BA6BBF4602140D638DE7233A4625D
SHA-512:	CE472CA4F956DA4160CFD9B9051455974E24DD8B23A0B7B197AFD1F7552E37980809E523BEDC0D4C2F4C9CB6EF300B221E6404E6E6A1B789B67756550DDD2104
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........0...c...c...c$..b...c$..bP..c...b...c...b...c...b...c$..b...c$..b...c$..b...c...c...cM..b...cM..b...cM.3c...c..[c...cM..b...cRich...c................PE..L....v.a.........."!.....t...P......v...............................................}L....@.........................PK......$S..........0........................L......p...............................@...............4............................text...6s.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIF315.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	446944
Entropy (8bit):	6.4046361691542355
Encrypted:	false
SSDEEP:	6144:nLqkVr003gT0stWobv9lQK0T4JGufLIe3HP3LAOu3HjKkMeaZeOJp:LqS0Yg3v9lQK5zRL83PM/ZX
MD5:	5788EFA607D26332D6D7F5E6A1F6BD6F
SHA1:	E7749843CC3E89BC81649087DE4AD44C93D48BC6
SHA-256:	9FC2608C9E5EF5A88DD91C82660FA297144BA6BBF4602140D638DE7233A4625D
SHA-512:	CE472CA4F956DA4160CFD9B9051455974E24DD8B23A0B7B197AFD1F7552E37980809E523BEDC0D4C2F4C9CB6EF300B221E6404E6E6A1B789B67756550DDD2104
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........0...c...c...c$..b...c$..bP..c...b...c...b...c...b...c$..b...c$..b...c$..b...c...c...cM..b...cM..b...cM.3c...c..[c...cM..b...cRich...c................PE..L....v.a.........."!.....t...P......v...............................................}L....@.........................PK......$S..........0........................L......p...............................@...............4............................text...6s.......t.................. ..`.rdata..@............x..............@..@.data....!...p.......R..............@....rsrc...0............d..............@..@.reloc...L.......N...j..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIF373.tmp

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	589280
Entropy (8bit):	6.442916052553395
Encrypted:	false
SSDEEP:	12288:GTZWopAhAszJd6r1rikyf7yHJ7TKQ7liv2WOSCtEo5eYSQZOjX0N:LopA/ZQ7TK2ivxdfYVZOjX0N
MD5:	8C1A778E0754301C97A660DBF3E8303B
SHA1:	F489C45CDE796DE0D23EE862948F5E50379DEE60
SHA-256:	000B773A448B107CBF3268FEA3A0EEC388DAA71C5F911979C5D21F0CD8D6DA54
SHA-512:	010E76ED659F73CC263CE9B2D2635D775B296C10E53BA133FBA6AACDE02ED409B19F4C4E2BA6DF7730DDC8669C818E99773F25854A1916CCF8ACF9E459482FEA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......?.~.{..@{..@{..@...Av..@...A..@)..Aj..@)..Al..@...Ab..@)..A/..@...Az..@...Al..@{..@?..@...A=..@...Az..@...@z..@{..@z..@...Az..@Rich{..@........................PE..L..._w.a.........."!.....f.......... K....................................... ......\|t....@..........................w.......x..........h........................X......p...........................h...@...................\|u..@....................text....e.......f.................. ..`.rdata...............j..............@..@.data................v..............@....rsrc...h...........................@..@.reloc...X.......Z..................@..B........................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {F6295B92-0736-49E6-B20A-DDD980CE5611}, Number of Words: 2, Subject: ProSheets, Author: DiRoots Ltd., Name of Creating Application: ProSheets, Template: ;1033, Comments: This installer database contains the logic and data required to install ProSheets., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Entropy (8bit):	6.446403369935835
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	ProSheets.msi
File size:	3'558'400 bytes
MD5:	04c1d52cd29d6933bd13a2236633442a
SHA1:	303deeac5514427d2e6e10f467c666cd2d8b2a22
SHA256:	8a19b38afc3ed60641efcea3be3519fae675b4de583609fb797693514c6ff7a8
SHA512:	1c090166ad43d4ba6ab6b9bc5839539c49b5b9fcf3f17f1c25d98b5b5e196ea28c3caf7d96c2b25898aa573a8a03f930dec03e05457ccb15b43ab40636404fe7
SSDEEP:	49152:ci2lXpoL1BFhv8RRYGZX3si3QVZOjX0N/oT5xrVi4GubXQ+L1TOYbk:gDo7b0RGFiuo/xiduTQ+L1TOYb
TLSH:	DCF59C107299C436E5BE0A302928D66A597E7EB04B7184DFA3C87A2EDEF05C05735F63
File Content Preview:	........................>...................7...........................................l.......T...............................................................W...X...Y...Z...[...\...]...^..._...............................8...9...:...;...)...*...+...,..

File Icon


Icon Hash:	2d2e3797b32b2b99

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 12:02:28.680051088 CEST	49731	443	192.168.2.4	217.182.69.200
Apr 24, 2024 12:02:28.680147886 CEST	443	49731	217.182.69.200	192.168.2.4
Apr 24, 2024 12:02:28.680231094 CEST	49731	443	192.168.2.4	217.182.69.200
Apr 24, 2024 12:02:28.698081970 CEST	49731	443	192.168.2.4	217.182.69.200
Apr 24, 2024 12:02:28.698116064 CEST	443	49731	217.182.69.200	192.168.2.4
Apr 24, 2024 12:02:29.342179060 CEST	443	49731	217.182.69.200	192.168.2.4
Apr 24, 2024 12:02:29.342315912 CEST	49731	443	192.168.2.4	217.182.69.200
Apr 24, 2024 12:02:29.344805956 CEST	49731	443	192.168.2.4	217.182.69.200
Apr 24, 2024 12:02:29.344831944 CEST	443	49731	217.182.69.200	192.168.2.4
Apr 24, 2024 12:02:29.345052004 CEST	443	49731	217.182.69.200	192.168.2.4
Apr 24, 2024 12:02:29.386400938 CEST	49731	443	192.168.2.4	217.182.69.200
Apr 24, 2024 12:02:29.389257908 CEST	49731	443	192.168.2.4	217.182.69.200
Apr 24, 2024 12:02:29.432198048 CEST	443	49731	217.182.69.200	192.168.2.4
Apr 24, 2024 12:02:31.181794882 CEST	443	49731	217.182.69.200	192.168.2.4
Apr 24, 2024 12:02:31.181852102 CEST	443	49731	217.182.69.200	192.168.2.4
Apr 24, 2024 12:02:31.182087898 CEST	49731	443	192.168.2.4	217.182.69.200
Apr 24, 2024 12:02:31.193017960 CEST	49731	443	192.168.2.4	217.182.69.200

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 12:02:28.426749945 CEST	57873	53	192.168.2.4	1.1.1.1
Apr 24, 2024 12:02:28.662619114 CEST	53	57873	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 24, 2024 12:02:28.426749945 CEST	192.168.2.4	1.1.1.1	0x4a8d	Standard query (0)	api.diroots.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 24, 2024 12:02:28.662619114 CEST	1.1.1.1	192.168.2.4	0x4a8d	No error (0)	api.diroots.com		217.182.69.200	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.diroots.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	217.182.69.200	443	2004	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 10:02:29 UTC	376	OUT	GET /api/v1/tracker?User=90a4c0a8dc9fe6c0587a2d645e893988&Action=InstallationError&ParentApp=ProSheets&ParentAppVersion=1.2.10.0&App=ProSheets&AppVersion=1.2.10.0&Platform=Revit&PlatformVersion=2021&Description= HTTP/1.1 Content-Type: text/xml Authorization: nUAJZu_kbGMIcdAdgLySIsBYQ0Q5794aHODddzHqldZwMF0_DggUvCd-ynHCbZaA Host: api.diroots.com Connection: Keep-Alive
2024-04-24 10:02:31 UTC	184	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 10:02:31 GMT Server: Kestrel Content-Type: text/plain; charset=utf-8 Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-04-24 10:02:31 UTC	17	IN	Data Raw: 37 0d 0a 53 75 63 63 65 73 73 0d 0a 30 0d 0a 0d 0a Data Ascii: 7Success0

Target ID:	0
Start time:	12:02:20
Start date:	24/04/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ProSheets.msi"
Imagebase:	0x7ff74c790000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	1
Start time:	12:02:20
Start date:	24/04/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff74c790000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	2
Start time:	12:02:20
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding DE2667B8AFF59C1FD16112738283BE86 C
Imagebase:	0x420000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	12:02:27
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\AppData\Local\Temp\MSIBBF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5573593 24 SetUpTrackerSelection!SetUpTrackerSelection.CustomActions.SendInstallErrorMsg
Imagebase:	0xdf0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true