Analysis Report CID_x64.msi

Overview

General Information

Sample Name:CID_x64.msi
Analysis ID:324348
MD5:8c6536b9cb8544f82f24010596e59eeb
SHA1:5a550a562ca964a8d29bdf0256f08276d9f65d6e
SHA256:4faf7350538d1c24997871634ecc9b99b51ad69341af0710f6eeeb2796ec2529

Detection

Score:3
Range:0 - 100
Whitelisted:false
Confidence:40%

Signatures

Checks for available system drives (often done to infect USB drives)
Drops PE files
Found dropped PE file which has not been started or loaded
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Startup

  • System is w10x64
  • msiexec.exe (PID: 4020 cmdline: 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\CID_x64.msi' MD5: 4767B71A318E201188A0D0A420C8B608)
  • msiexec.exe (PID: 5056 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 7C2160B8C719111621BBF907BA5D9B1C C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  • msiexec.exe (PID: 5364 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 67B6CF52D8EDBBB744EA0BA0249B0181 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

There are no malicious signatures.

Source: C:\Windows\System32\msiexec.exe; File opened: z:
Source: C:\Windows\System32\msiexec.exe; File opened: x:
Source: C:\Windows\System32\msiexec.exe; File opened: v:
Source: C:\Windows\System32\msiexec.exe; File opened: t:
Source: C:\Windows\System32\msiexec.exe; File opened: r:
Source: C:\Windows\System32\msiexec.exe; File opened: p:
Source: C:\Windows\System32\msiexec.exe; File opened: n:
Source: C:\Windows\System32\msiexec.exe; File opened: l:
Source: C:\Windows\System32\msiexec.exe; File opened: j:
Source: C:\Windows\System32\msiexec.exe; File opened: h:
Source: C:\Windows\System32\msiexec.exe; File opened: f:
Source: C:\Windows\System32\msiexec.exe; File opened: b:
Source: C:\Windows\System32\msiexec.exe; File opened: y:
Source: C:\Windows\System32\msiexec.exe; File opened: w:
Source: C:\Windows\System32\msiexec.exe; File opened: u:
Source: C:\Windows\System32\msiexec.exe; File opened: s:
Source: C:\Windows\System32\msiexec.exe; File opened: q:
Source: C:\Windows\System32\msiexec.exe; File opened: o:
Source: C:\Windows\System32\msiexec.exe; File opened: m:
Source: C:\Windows\System32\msiexec.exe; File opened: k:
Source: C:\Windows\System32\msiexec.exe; File opened: i:
Source: C:\Windows\System32\msiexec.exe; File opened: g:
Source: C:\Windows\System32\msiexec.exe; File opened: e:
Source: C:\Windows\System32\msiexec.exe; File opened: c:
Source: C:\Windows\System32\msiexec.exe; File opened: a:
Source: msiexec.exe, 00000000.00000002.467504090.0000023761AD0000.00000004.00000020.sdmp; String found in binary or memory: http://crl.globals
Source: msiexec.exe, 00000000.00000002.467504090.0000023761AD0000.00000004.00000020.sdmp, CID_x64.msi; String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: msiexec.exe, 00000000.00000002.467504090.0000023761AD0000.00000004.00000020.sdmp, CID_x64.msi; String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: msiexec.exe, 00000000.00000002.467504090.0000023761AD0000.00000004.00000020.sdmp, CID_x64.msi; String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: msiexec.exe, 00000000.00000002.467504090.0000023761AD0000.00000004.00000020.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: msiexec.exe, 00000000.00000002.469784631.0000023764110000.00000004.00000001.sdmp, CID_x64.msi; String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: msiexec.exe, 00000000.00000002.467504090.0000023761AD0000.00000004.00000020.sdmp; String found in binary or memory: http://ocsp2.globalsign.com/g
Source: msiexec.exe, 00000000.00000002.467504090.0000023761AD0000.00000004.00000020.sdmp, CID_x64.msi; String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: msiexec.exe, 00000000.00000002.467504090.0000023761AD0000.00000004.00000020.sdmp, CID_x64.msi; String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: CID_x64.msi; String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: msiexec.exe, 00000000.00000002.467504090.0000023761AD0000.00000004.00000020.sdmp; String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3oc
Source: msiexec.exe, 00000000.00000002.467504090.0000023761AD0000.00000004.00000020.sdmp, CID_x64.msi; String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: msiexec.exe, 00000000.00000002.467504090.0000023761AD0000.00000004.00000020.sdmp, CID_x64.msi; String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: CID_x64.msi; String found in binary or memory: https://www.globalsign.com/repository/0
Source: msiexec.exe, 00000000.00000002.469784631.0000023764110000.00000004.00000001.sdmp, CID_x64.msi; String found in binary or memory: https://www.globalsign.com/repository/06
Source: CID_x64.msi; Binary or memory string: OriginalFilenameDPCA.DLL^ vs CID_x64.msi
Source: C:\Windows\System32\msiexec.exe; Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe; Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe; Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe; Section loaded: sfc.dll
Source: classification engine; Classification label: clean3.winMSI@3/4@0/0
Source: C:\Windows\System32\msiexec.exe; File created: C:\Users\user\AppData\Local\Temp\MSI5735.tmp
Source: C:\Windows\System32\msiexec.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: msiexec.exe, 00000000.00000002.470111091.0000023764710000.00000002.00000001.sdmpBinary or memory string: SELECT `Directory`, `DefaultDir` FROM `Directory` WHERE `Directory_Parent` = '%s'Software\Microsoft\NET Framework Setup\NDP\v3.%lu%sSOFTWARE\Microsoft\NET Framework Setup\DotNetClient\v3.5Software\Microsoft\NET Framework Setup\NDPSELECT * FROM `%s`Custom action not implemented.ToggleNearestAppRoot.kernel32IsWow64ProcessProcess call was successful.The error indicates that IIS is in 64 bit mode, while this application is a 32 bit application and thus not compatible.The error indicates that IIS is in 32 bit mode, while this application is a 64 bit application and thus not compatible.The error indicates that this version of ASP.NET must first be registered on the machine.Unknown Error.The call to aspnet_regiis.exe was failed. Path: '%s'Process Call Result Code: '%ld'Process Exit Code: '%ld'.Create Process failed.Running process '%s' with parameters '%s' silently...Access denied.CoInitializeEx - COM initialization Free Threaded.FAILED:%ldCoInitializeEx - COM initialization Apartment Threaded...Attach Debugger To MeVSCADEBUGATTACHSetTARGETSITETargetVersion%s\v%d\%sGatherWebSitesGatherAppPoolsSetTARGETAPPPOOLTARGETIISPATHRoot//LM/TARGETVDIRTARGETSITESetTARGETIISPATHaspnet_regiis.exeRESULTPath = PathUsing 64 bit registry key...Reading registry value Path from key 'HKLM\%s'...Software\Microsoft\ASP.NET\%sProductNameRunning show message with fUseMessageBox = %sFALSETRUEVSDINVALIDURLMSGHideFatalErrorFormopenExecuting URL '%s' with source directory '%s'...SourceDirRESULT:Condition is false.RESULT:Condition is true. Nothing more to do.Evaluating condition '%s'...Getting the condition to evaluate...A launch condition has already fired. My work is done here.Checking a launch condition..."/><supportedRuntime version=";VSDFxConfigFile
Source: CID_x64.msi; Static file information: TRID: Microsoft Windows Installer (77509/1) 90.64%
Source: unknown; Process created: C:\Windows\System32\msiexec.exe 'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\CID_x64.msi'
Source: unknown; Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 7C2160B8C719111621BBF907BA5D9B1C C
Source: unknown; Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 67B6CF52D8EDBBB744EA0BA0249B0181
Source: C:\Windows\SysWOW64\msiexec.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32
Source: CID_x64.msi; Static PE information: certificate valid
Source: CID_x64.msi; Static file information: File size 2429952 > 1048576
Source: Binary string: DPCA.pdb source: msiexec.exe, 00000000.00000002.470111091.0000023764710000.00000002.00000001.sdmp, CID_x64.msi
Source: Binary string: DPCA.pdb<0 source: msiexec.exe, 00000000.00000002.470111091.0000023764710000.00000002.00000001.sdmp, CID_x64.msi
Source: C:\Windows\System32\msiexec.exe; File created: C:\Users\user\AppData\Local\Temp\MSI5735.tmp
Source: C:\Windows\System32\msiexec.exe; File created: C:\Users\user\AppData\Local\Temp\MSI58FB.tmp
Source: C:\Windows\System32\msiexec.exe; Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\msiexec.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI58FB.tmp
Source: C:\Windows\System32\msiexec.exe; File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe; File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe; File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe; File Volume queried: C:\ FullSizeInformation
Source: msiexec.exe, 00000000.00000002.468247204.0000023761FD0000.00000002.00000001.sdmp, msiexec.exe, 00000001.00000002.468238994.0000000002D80000.00000002.00000001.sdmp; Binary or memory string: Program Manager
Source: msiexec.exe, 00000000.00000002.468247204.0000023761FD0000.00000002.00000001.sdmp, msiexec.exe, 00000001.00000002.468238994.0000000002D80000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
Source: msiexec.exe, 00000000.00000002.468247204.0000023761FD0000.00000002.00000001.sdmp, msiexec.exe, 00000001.00000002.468238994.0000000002D80000.00000002.00000001.sdmp; Binary or memory string: Progman
Source: msiexec.exe, 00000000.00000002.468247204.0000023761FD0000.00000002.00000001.sdmp, msiexec.exe, 00000001.00000002.468238994.0000000002D80000.00000002.00000001.sdmp; Binary or memory string: Progmanlock
Source: C:\Windows\System32\msiexec.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Replication Through Removable Media 1 | Windows Management Instrumentation | DLL Side-Loading 1 | Process Injection 2 | Process Injection 2 | OS Credential Dumping | Query Registry 1 | Replication Through Removable Media 1 | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading 1 | DLL Side-Loading 1 | LSASS Memory | Process Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Peripheral Device Discovery 11 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Information Discovery 13 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud

Behavior Graph

[Behavior graph, ID: 324348. Sample: CID_x64.msi; Startdate: 29/11/2020; Architecture: WINDOWS; Score: 3. Three msiexec.exe processes started; one of them dropped C:\Users\user\AppData\Local\...\MSI58FB.tmp (PE32) and C:\Users\user\AppData\Local\...\MSI5735.tmp (PE32).]

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
CID_x64.msi | 3% | Virustotal |
CID_x64.msi | 2% | ReversingLabs |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\MSI5735.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\MSI5735.tmp | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\MSI5735.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\MSI58FB.tmp | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\MSI58FB.tmp | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\MSI58FB.tmp | 0% | ReversingLabs |

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://crl.globals | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.globals | msiexec.exe, 00000000.00000002.467504090.0000023761AD0000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:31.0.0 Red Diamond
Analysis ID:324348
Start date:29.11.2020
Start time:12:21:44
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 32s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:CID_x64.msi
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:22
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean3.winMSI@3/4@0/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .msi
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Local\Temp\MSI58FB.tmp | gRF9gjcjua.exe | malicious
C:\Users\user\AppData\Local\Temp\MSI5735.tmp | gRF9gjcjua.exe | malicious

      Created / dropped Files

      C:\Users\user\AppData\Local\Temp\CFG58EA.tmp
      Process:C:\Windows\SysWOW64\msiexec.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):117
      Entropy (8bit):4.772296691735276
      Encrypted:false
      SSDEEP:3:vFWWMNHUz/cIMOoT02V7VKXRAmIRMNHjKboe+RAW4QIMOov:TMV0kI002V7VQ7V2boeuAW4QIm
      MD5:3C3D11B78E4C077C083F0B6B527D146E
      SHA1:C210C08BB3BDA4D775AA4F23BD177DBEF0BC1378
      SHA-256:55DB6CC3FCF27F20362198F28B652889F7808FFA206E2140D3F3AB3ECE879EB9
      SHA-512:03A2F82C58A640314D90070375D6AD6193E705AC63E3463511EBDDE5B727463BBD3D98C9E163A6A21C76A723E28DC9B8D94574DC2D2ECFC8CDB18CB9188C27AF
      Malicious:false
      Reputation:moderate, very likely benign file
      Preview: <?xml version="1.0"?>..<configuration>...<startup><supportedRuntime version="v4.0"/>...</startup>..</configuration>..
      C:\Users\user\AppData\Local\Temp\CFG660A.tmp
      Process:C:\Windows\SysWOW64\msiexec.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):117
      Entropy (8bit):4.772296691735276
      Encrypted:false
      SSDEEP:3:vFWWMNHUz/cIMOoT02V7VKXRAmIRMNHjKboe+RAW4QIMOov:TMV0kI002V7VQ7V2boeuAW4QIm
      MD5:3C3D11B78E4C077C083F0B6B527D146E
      SHA1:C210C08BB3BDA4D775AA4F23BD177DBEF0BC1378
      SHA-256:55DB6CC3FCF27F20362198F28B652889F7808FFA206E2140D3F3AB3ECE879EB9
      SHA-512:03A2F82C58A640314D90070375D6AD6193E705AC63E3463511EBDDE5B727463BBD3D98C9E163A6A21C76A723E28DC9B8D94574DC2D2ECFC8CDB18CB9188C27AF
      Malicious:false
      Reputation:moderate, very likely benign file
      Preview: <?xml version="1.0"?>..<configuration>...<startup><supportedRuntime version="v4.0"/>...</startup>..</configuration>..
      C:\Users\user\AppData\Local\Temp\MSI5735.tmp
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):236872
      Entropy (8bit):6.42500790517661
      Encrypted:false
      SSDEEP:3072:Z7PyQaeLAxV9EcU95qWCn7B1kkJQGGhKTWAvdEhMqmc1wtI6M/CoKpixBrnQYaeW:8n3Nn7ByILdEODlcOnlpOuodL+8Y
      MD5:0A2626FC9E4E0CA18386C029E9EFFFD9
      SHA1:AC5576497AFAC2456F485CDB14BF52D895769651
      SHA-256:97A55524E0BF06419143B1B71778C0EC867716079AB477E8404A0F3125DA7DC3
      SHA-512:40B25E507E64B5634E13E83D4BC420196B1294D533E60B01DAE8898A8EED939417AEC8341B409F59A722D14FB63884C24C5A31985DA63933B761F1FC3ACB24DA
      Malicious:false
      Antivirus:
      • Antivirus: Virustotal, Detection: 0%
      • Antivirus: Metadefender, Detection: 0%
      • Antivirus: ReversingLabs, Detection: 0%
      Joe Sandbox View:
      • Filename: gRF9gjcjua.exe, Detection: malicious
      Reputation:moderate, very likely benign file
      C:\Users\user\AppData\Local\Temp\MSI58FB.tmp
      Process:C:\Windows\System32\msiexec.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):236872
      Entropy (8bit):6.42500790517661
      Encrypted:false
      SSDEEP:3072:Z7PyQaeLAxV9EcU95qWCn7B1kkJQGGhKTWAvdEhMqmc1wtI6M/CoKpixBrnQYaeW:8n3Nn7ByILdEODlcOnlpOuodL+8Y
      MD5:0A2626FC9E4E0CA18386C029E9EFFFD9
      SHA1:AC5576497AFAC2456F485CDB14BF52D895769651
      SHA-256:97A55524E0BF06419143B1B71778C0EC867716079AB477E8404A0F3125DA7DC3
      SHA-512:40B25E507E64B5634E13E83D4BC420196B1294D533E60B01DAE8898A8EED939417AEC8341B409F59A722D14FB63884C24C5A31985DA63933B761F1FC3ACB24DA
      Malicious:false
      Antivirus:
      • Antivirus: Virustotal, Detection: 0%
      • Antivirus: Metadefender, Detection: 0%
      • Antivirus: ReversingLabs, Detection: 0%
      Joe Sandbox View:
      • Filename: gRF9gjcjua.exe, Detection: malicious

      Static File Info

      General

      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Create Time/Date: Mon Jun 21 08:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: x64;1033, Number of Pages: 200, Revision Number: {ED3668BC-F332-48C8-A8C2-23BD2F353508}, Title: CID, Author: ILANTUS Technologies, Number of Words: 2, Last Saved Time/Date: Wed Oct 7 06:41:24 2020, Last Printed: Wed Oct 7 06:41:24 2020
      Entropy (8bit):7.791882250085863
      TrID:
      • Microsoft Windows Installer (77509/1) 90.64%
      • Generic OLE2 / Multistream Compound File (8008/1) 9.36%
      File name:CID_x64.msi
      File size:2429952
      MD5:8c6536b9cb8544f82f24010596e59eeb
      SHA1:5a550a562ca964a8d29bdf0256f08276d9f65d6e
      SHA256:4faf7350538d1c24997871634ecc9b99b51ad69341af0710f6eeeb2796ec2529
      SHA512:f98775688e402b83bd0b9eeb53521cbcdcb614d662c578a61b99fa4b926f6c925a52cc936b8652dd995d2504941a8104a494c33ba642765d6c5f48dfd9c44103
      SSDEEP:49152:Y163Nn7BxwutBUrCA7qiNGk3u0HPYaJ6RxlWWK9bBTIQrCA7qiNGk3u0HXGn4rCY:Pdn7Bxwu8rCsGqHPYAcxghBhrCsGqH5L

      File Icon

      Icon Hash:a2a0b496b2caca72

      Static OLE Info

      General

      Document Type:OLE
      Number of OLE Files:1

      Authenticode Signature

      Signature Valid:true
      Signature Issuer:CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
      Signature Validation Error:The operation completed successfully
      Error Number:0
      Not Before, Not After
      • 9/13/2019 7:03:54 AM 12/27/2020 1:49:30 AM
      Subject Chain
      • CN=Ilantus Technologies Private Limited, O=Ilantus Technologies Private Limited, STREET="Novel Business Park, 57, 13th Cross Gajendra Nagar Baldwin's College road", L=Bengaluru, S=Karnataka, C=IN, OID.1.3.6.1.4.1.311.60.2.1.2=Karnataka, OID.1.3.6.1.4.1.311.60.2.1.3=IN, SERIALNUMBER=U72900KA2000PTC027338, OID.2.5.4.15=Private Organization
      Version:3
      Thumbprint MD5:2ACE4A9B419194C685C3E4EAC8705A05
      Thumbprint SHA-1:480B2FFCB5C94B0D92740AB9880F610CA87E11BE
      Thumbprint SHA-256:FD01E3DABB5F2C95F74976F26BF32CD49FC4378BE49DAF50C3381CB90FFFA9BB
      Serial:24F1C5406329D5E76175936D

      OLE File "CID_x64.msi"

      Indicators

      Has Summary Info:True
      Application Name:Windows Installer
      Encrypted Document:True
      Contains Word Document Stream:False
      Contains Workbook/Book Stream:False
      Contains PowerPoint Document Stream:False
      Contains Visio Document Stream:False
      Contains ObjectPool Stream:
      Flash Objects Count:
      Contains VBA Macros:False

      Summary

      Code Page:1252
      Title:CID
      Subject:
      Author:ILANTUS Technologies
      Keywords:
      Comments:
      Template:x64;1033
      Revision Number:{ED3668BC-F332-48C8-A8C2-23BD2F353508}
      Last Printed:2020-10-07 05:41:24.343000
      Create Time:1999-06-21 07:00:00
      Last Saved Time:2020-10-07 05:41:24.343000
      Number of Pages:200
      Number of Words:2
      Creating Application:Windows Installer
      Security:1

      Streams

      Stream Path: \x5DigitalSignature, File Type: data, Stream Size: 6655
      General
      Stream Path:\x5DigitalSignature
      File Type:data
      Stream Size:6655
      Entropy:7.36955217941
      Base64 Encoded:True
      Stream Path: \x5MsiDigitalSignatureEx, File Type: data, Stream Size: 20
      General
      Stream Path:\x5MsiDigitalSignatureEx
      File Type:data
      Stream Size:20
      Entropy:4.32192809489
      Base64 Encoded:False
      Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 420
      General
      Stream Path:\x5SummaryInformation
      File Type:data
      Stream Size:420
      Entropy:3.9312803785
      Base64 Encoded:True
      Stream Path: \x15295\x15047\x14734\x14471\x15049\x14988\x15119\x14470\x15109\x14464\x15181\x14404\x15301\x15113\x14468\x15108\x18444, File Type: Microsoft Cabinet archive data, 1966548 bytes, 5 files, Stream Size: 1966548
      General
      Stream Path:\x15295\x15047\x14734\x14471\x15049\x14988\x15119\x14470\x15109\x14464\x15181\x14404\x15301\x15113\x14468\x15108\x18444
      File Type:Microsoft Cabinet archive data, 1966548 bytes, 5 files
      Stream Size:1966548
      Entropy:7.99876848548
      Base64 Encoded:True
      Stream Path: \x17163\x16689\x18229\x15230\x17000\x16651\x17521\x17768\x17163\x17463\x17636, File Type: PC bitmap, Windows 3.x format, 500 x 70 x 24, Stream Size: 105056
      General
      Stream Path:\x17163\x16689\x18229\x15230\x17000\x16651\x17521\x17768\x17163\x17463\x17636
      File Type:PC bitmap, Windows 3.x format, 500 x 70 x 24
      Stream Size:105056
      Entropy:0.48937496512
      Base64 Encoded:False
      Stream Path: \x17163\x16689\x18229\x15806\x16348\x15179\x15129\x15178\x15701, File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Stream Size: 236872
      General
      Stream Path:\x17163\x16689\x18229\x15806\x16348\x15179\x15129\x15178\x15701
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Stream Size:236872
      Entropy:6.42500790518
      Base64 Encoded:True
      Stream Path: \x17163\x16689\x18229\x15870\x18088\x17359\x17767\x17867\x18481, File Type: MS Windows icon resource - 1 icon, 16x16, 16 colors, Stream Size: 318
      General
      Stream Path:\x17163\x16689\x18229\x15870\x18088\x17359\x17767\x17867\x18481
      File Type:MS Windows icon resource - 1 icon, 16x16, 16 colors
      Stream Size:318
      Entropy:2.67842013261
      Base64 Encoded:False
      Stream Path: \x17163\x16689\x18229\x16318\x15347\x16879\x15093\x17527, File Type: MS Windows icon resource - 1 icon, 16x16, 16 colors, Stream Size: 318
      General
      Stream Path:\x17163\x16689\x18229\x16318\x15347\x16879\x15093\x17527
      File Type:MS Windows icon resource - 1 icon, 16x16, 16 colors
      Stream Size:318
      Entropy:2.6217926687
      Base64 Encoded:False
      Stream Path: \x17163\x16689\x18229\x16382\x15196\x15255\x15133\x15375, File Type: XML 1.0 document, ASCII text, with CRLF line terminators, Stream Size: 11247
      General
      Stream Path:\x17163\x16689\x18229\x16382\x15196\x15255\x15133\x15375
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Stream Size:11247
      Entropy:5.13177845424
      Base64 Encoded:True
      Stream Path: \x18496\x15167\x17394\x17464\x17841, File Type: data, Stream Size: 3328
      General
      Stream Path:\x18496\x15167\x17394\x17464\x17841
      File Type:data
      Stream Size:3328
      Entropy:5.28709721402
      Base64 Encoded:False
      Stream Path: \x18496\x15518\x16925\x17915, File Type: data, Stream Size: 204
      General
      Stream Path:\x18496\x15518\x16925\x17915
      File Type:data
      Stream Size:204
      Entropy:4.53620853375
      Base64 Encoded:False
      Stream Path: \x18496\x16191\x17783\x17516\x15210\x17892\x18468, File Type: ASCII text, with very long lines, with CRLF line terminators, Stream Size: 42691
      General
      Stream Path:\x18496\x16191\x17783\x17516\x15210\x17892\x18468
      File Type:ASCII text, with very long lines, with CRLF line terminators
      Stream Size:42691
      Entropy:4.99585872456
      Base64 Encoded:True
      Stream Path: \x18496\x16191\x17783\x17516\x15978\x17586\x18479, File Type: data, Stream Size: 4648
      General
      Stream Path:\x18496\x16191\x17783\x17516\x15978\x17586\x18479
      File Type:data
      Stream Size:4648
      Entropy:3.53568669665
      Base64 Encoded:False
      Stream Path: \x18496\x16255\x16740\x16943\x18486, File Type: data, Stream Size: 176
      General
      Stream Path:\x18496\x16255\x16740\x16943\x18486
      File Type:data
      Stream Size:176
      Entropy:4.87443979456
      Base64 Encoded:False
      Stream Path: \x18496\x16383\x16886\x16661\x17528\x17126\x17548\x16881\x17900\x17580\x18481, File Type: data, Stream Size: 6
      General
      Stream Path:\x18496\x16383\x16886\x16661\x17528\x17126\x17548\x16881\x17900\x17580\x18481
      File Type:data
      Stream Size:6
      Entropy:1.79248125036
      Base64 Encoded:False
      Stream Path: \x18496\x16383\x17380\x16876\x17892\x17580\x18481, File Type: data, Stream Size: 10248
      General
      Stream Path:\x18496\x16383\x17380\x16876\x17892\x17580\x18481
      File Type:data
      Stream Size:10248
      Entropy:2.83594526926
      Base64 Encoded:False
      Stream Path: \x18496\x16667\x17191\x15090\x17912\x17591\x18481, File Type: data, Stream Size: 72
      General
      Stream Path:\x18496\x16667\x17191\x15090\x17912\x17591\x18481
      File Type:data
      Stream Size:72
      Entropy:3.38712473846
      Base64 Encoded:False
      Stream Path: \x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 54
      General
      Stream Path:\x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934
      File Type:data
      Stream Size:54
      Entropy:3.95560491959
      Base64 Encoded:False
      Stream Path: \x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 72
      General
      Stream Path:\x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472
      File Type:data
      Stream Size:72
      Entropy:4.42651128706
      Base64 Encoded:False
      Stream Path: \x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 96
      General
      Stream Path:\x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472
      File Type:data
      Stream Size:96
      Entropy:4.26345939513
      Base64 Encoded:False
      Stream Path: \x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486, File Type: data, Stream Size: 32
      General
      Stream Path:\x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486
      File Type:data
      Stream Size:32
      Entropy:2.25
      Base64 Encoded:False
      Stream Path: \x18496\x16911\x17892\x17784\x18472, File Type: data, Stream Size: 16
      General
      Stream Path:\x18496\x16911\x17892\x17784\x18472
      File Type:data
      Stream Size:16
      Entropy:2.17742128383
      Base64 Encoded:False
      Stream Path: \x18496\x16918\x17191\x18468, File Type: MIPSEB Ucode, Stream Size: 12
      General
      Stream Path:\x18496\x16918\x17191\x18468
      File Type:MIPSEB Ucode
      Stream Size:12
      Entropy:2.12581458369
      Base64 Encoded:False
      Stream Path: \x18496\x16923\x17194\x17910\x18229, File Type: data, Stream Size: 36
      General
      Stream Path:\x18496\x16923\x17194\x17910\x18229
      File Type:data
      Stream Size:36
      Entropy:3.22439444541
      Base64 Encoded:False
      Stream Path: \x18496\x16925\x17915\x17884\x17404\x18472, File Type: data, Stream Size: 36
      General
      Stream Path:\x18496\x16925\x17915\x17884\x17404\x18472
      File Type:data
      Stream Size:36
      Entropy:2.70193235354
      Base64 Encoded:False
      Stream Path: \x18496\x17163\x16689\x18229, File Type: data, Stream Size: 20
      General
      Stream Path:\x18496\x17163\x16689\x18229
      File Type:data
      Stream Size:20
      Entropy:2.82321967234
      Base64 Encoded:False
      Stream Path: \x18496\x17165\x16949\x17894\x17778\x18492, File Type: data, Stream Size: 18
      General
      Stream Path:\x18496\x17165\x16949\x17894\x17778\x18492
      File Type:data
      Stream Size:18
      Entropy:2.46132014021
      Base64 Encoded:False
      Stream Path: \x18496\x17165\x17380\x17074, File Type: data, Stream Size: 484
      General
      Stream Path:\x18496\x17165\x17380\x17074
      File Type:data
      Stream Size:484
      Entropy:4.01246371302
      Base64 Encoded:False
      Stream Path: \x18496\x17167\x16943, File Type: GPG encrypted data, Stream Size: 90
      General
      Stream Path:\x18496\x17167\x16943
      File Type:GPG encrypted data
      Stream Size:90
      Entropy:4.02421640311
      Base64 Encoded:False
      Stream Path: \x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 420
      General
      Stream Path:\x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934
      File Type:data
      Stream Size:420
      Entropy:5.21806511231
      Base64 Encoded:False
      Stream Path: \x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 132
      General
      Stream Path:\x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472
      File Type:data
      Stream Size:132
      Entropy:4.90257883497
      Base64 Encoded:False
      Stream Path: \x18496\x17548\x17648\x17522\x17512\x18487, File Type: data, Stream Size: 96
      General
      Stream Path:\x18496\x17548\x17648\x17522\x17512\x18487
      File Type:data
      Stream Size:96
      Entropy:3.40794631967
      Base64 Encoded:False
      Stream Path: \x18496\x17548\x17905\x17589\x15151\x17522\x17191\x17207\x17522, File Type: data, Stream Size: 480
      General
      Stream Path:\x18496\x17548\x17905\x17589\x15151\x17522\x17191\x17207\x17522
      File Type:data
      Stream Size:480
      Entropy:3.54700027059
      Base64 Encoded:False
      Stream Path: \x18496\x17548\x17905\x17589\x15279\x16953\x17905, File Type: data, Stream Size: 840
      General
      Stream Path:\x18496\x17548\x17905\x17589\x15279\x16953\x17905
      File Type:data
      Stream Size:840
      Entropy:4.28863678448
      Base64 Encoded:False
      Stream Path: \x18496\x17548\x17905\x17589\x18479, File Type: data, Stream Size: 4784
      General
      Stream Path:\x18496\x17548\x17905\x17589\x18479
      File Type:data
      Stream Size:4784
      Entropy:4.43726345693
      Base64 Encoded:False
      Stream Path: \x18496\x17558\x17959\x16943\x17180\x17514\x17892\x17784\x18472, File Type: data, Stream Size: 66
      General
      Stream Path:\x18496\x17558\x17959\x16943\x17180\x17514\x17892\x17784\x18472
      File Type:data
      Stream Size:66
      Entropy:3.05564029829
      Base64 Encoded:False
      Stream Path: \x18496\x17630\x17770\x16868\x18472, File Type: data, Stream Size: 32
      General
      Stream Path:\x18496\x17630\x17770\x16868\x18472
      File Type:data
      Stream Size:32
      Entropy:2.1983911108
      Base64 Encoded:False
      Stream Path: \x18496\x17753\x17650\x17768\x18231, File Type: data, Stream Size: 108
      General
      Stream Path:\x18496\x17753\x17650\x17768\x18231
      File Type:data
      Stream Size:108
      Entropy:4.4638353437
      Base64 Encoded:False
      Stream Path: \x18496\x17932\x17910\x17458\x16778\x17207\x17522, File Type: data, Stream Size: 40
      General
      Stream Path:\x18496\x17932\x17910\x17458\x16778\x17207\x17522
      File Type:data
      Stream Size:40
      Entropy:3.56928518649
      Base64 Encoded:False
      Stream Path: \x18496\x17998\x17512\x15799\x17636\x17203\x17073, File Type: data, Stream Size: 192
      General
      Stream Path:\x18496\x17998\x17512\x15799\x17636\x17203\x17073
      File Type:data
      Stream Size:192
      Entropy:3.04340343258
      Base64 Encoded:False

      Network Behavior

      No network behavior found

      Code Manipulations

      Statistics

      CPU Usage


      Memory Usage


      Behavior


      System Behavior

      General

      Start time:12:22:31
      Start date:29/11/2020
      Path:C:\Windows\System32\msiexec.exe
      Wow64 process (32bit):false
      Commandline:'C:\Windows\System32\msiexec.exe' /i 'C:\Users\user\Desktop\CID_x64.msi'
      Imagebase:0x7ff6ac640000
      File size:66048 bytes
      MD5 hash:4767B71A318E201188A0D0A420C8B608
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:12:22:33
      Start date:29/11/2020
      Path:C:\Windows\SysWOW64\msiexec.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 7C2160B8C719111621BBF907BA5D9B1C C
      Imagebase:0xd60000
      File size:59904 bytes
      MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:12:22:36
      Start date:29/11/2020
      Path:C:\Windows\SysWOW64\msiexec.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 67B6CF52D8EDBBB744EA0BA0249B0181
      Imagebase:0xd60000
      File size:59904 bytes
      MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      Disassembly

      Code Analysis
