File name: djpdpoolinstaller.exe

Full analysis: https://app.any.run/tasks/cf802b6a-a983-45ce-a880-8914a93708df
Verdict: Malicious activity
Analysis date: August 26, 2024, 12:20:04
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 43ABDF24EE5A8420CD4492047FB1B079
SHA1: 2FBEFD6C2AB5A06B0D7EBD108552E2CE064FB8DA
SHA256: 43636CD71616BD53F23D46CF26F23FC266D3CBDCF8386D08C9DA8E95CED61A02
SSDEEP: 786432:7B4lxq4UiulMOnfyfu6WR+1VpjPGzZhSTVli:7B4ls4iTfyW6WR+1VhPSrSxk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Detects Cygwin installation
      • msiexec.exe (PID: 4088)
  • SUSPICIOUS
    • Checks Windows Trust Settings
      • msiexec.exe (PID: 4088)
    • Drops the executable file immediately after the start
      • djpdpoolinstaller.exe (PID: 6996)
      • msiexec.exe (PID: 4088)
    • Reads the Windows owner or organization settings
      • msiexec.exe (PID: 4088)
    • Executable content was dropped or overwritten
      • djpdpoolinstaller.exe (PID: 6996)
    • Drops a system driver (possible attempt to evade defenses)
      • msiexec.exe (PID: 4088)
    • The process drops C-runtime libraries
      • djpdpoolinstaller.exe (PID: 6996)
    • Creates or modifies Windows services
      • msiexec.exe (PID: 7080)
    • Executes as Windows Service
      • launcher-x64.exe (PID: 1752)
      • netbird.exe (PID: 6140)
    • Process drops python dynamic module
      • djpdpoolinstaller.exe (PID: 6996)
    • Starts CMD.EXE for commands execution
      • djpdpoolinstaller.exe (PID: 6996)
    • Process drops legitimate windows executable
      • djpdpoolinstaller.exe (PID: 6996)
  • INFO
    • Checks supported languages
      • djpdpoolinstaller.exe (PID: 6996)
      • msiexec.exe (PID: 4088)
      • msiexec.exe (PID: 2820)
      • msiexec.exe (PID: 892)
      • launcher-x64.exe (PID: 1752)
    • Reads the computer name
      • msiexec.exe (PID: 4088)
      • djpdpoolinstaller.exe (PID: 6996)
      • msiexec.exe (PID: 2820)
      • launcher-x64.exe (PID: 1752)
      • msiexec.exe (PID: 892)
    • Create files in a temporary directory
      • djpdpoolinstaller.exe (PID: 6996)
    • Creates files or folders in the user directory
      • msiexec.exe (PID: 4088)
    • Reads the software policy settings
      • msiexec.exe (PID: 4088)
    • Reads the machine GUID from the registry
      • msiexec.exe (PID: 4088)
    • Executable content was dropped or overwritten
      • msiexec.exe (PID: 4088)
    • Creates a software uninstall entry
      • msiexec.exe (PID: 4088)
    • Application launched itself
      • msiexec.exe (PID: 4088)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:30 16:55:19+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 26624
InitializedDataSize: 139776
UninitializedDataSize: 2048
EntryPoint: 0x3665
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.4.0.0
ProductVersionNumber: 2.4.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: DJPD
FileVersion: 2.4
LegalCopyright: Copyright 2024 DJPD
ProductName: DJPD Pool
All screenshots are available in the full report
Total processes: 126
Monitored processes: 14
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Process chain from start ("no specs" is the report's marker for processes without recorded indicators):
  • djpdpoolinstaller.exe
  • msiexec.exe (no specs)
  • msiexec.exe
  • msiexec.exe (no specs)
  • msiexec.exe (no specs)
  • msiexec.exe (no specs)
  • msiexec.exe
  • launcher-x64.exe (no specs)
  • conhost.exe (no specs)
  • msiexec.exe (no specs)
  • netbird.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • djpdpoolinstaller.exe (no specs)

Process information

PID 892 (parent process: msiexec.exe)
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding AD2CEBC88445E170CCD86FDF8FB5BAFE E Global\MSI0000
Path: C:\Windows\SysWOW64\msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Exit code: 0
Version: 5.0.19041.3636 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\msiexec.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\aclayers.dll

PID 1712 (parent process: launcher-x64.exe)
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID 1752 (parent process: services.exe)
CMD: "C:\Program Files (x86)\WinFsp\SxS\sxs.20240826T122054Z\bin\launcher-x64.exe"
Path: C:\Program Files (x86)\WinFsp\SxS\sxs.20240826T122054Z\bin\launcher-x64.exe
User: SYSTEM
Company: Navimatics LLC
Integrity Level: SYSTEM
Description: Windows File System Proxy
Version: 2.1.24051.9a65718
Modules (images): c:\program files (x86)\winfsp\sxs\sxs.20240826t122054z\bin\launcher-x64.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\user32.dll, c:\windows\system32\win32u.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\gdi32full.dll, c:\windows\system32\msvcp_win.dll

PID 1776 (parent process: djpdpoolinstaller.exe)
CMD: msiexec /i sshfs.msi /quiet
Path: C:\Windows\SysWOW64\msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows® installer
Exit code: 0
Version: 5.0.19041.3636 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\msiexec.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\aclayers.dll

PID 2820 (parent process: msiexec.exe)
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding D7C96824DA64055EC5188400801AB834
Path: C:\Windows\SysWOW64\msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows® installer
Exit code: 0
Version: 5.0.19041.3636 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\msiexec.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\aclayers.dll

PID 4088 (parent process: services.exe)
CMD: C:\WINDOWS\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\msiexec.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\aclayers.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\user32.dll, c:\windows\system32\win32u.dll, c:\windows\system32\gdi32.dll

PID 4404 (parent process: djpdpoolinstaller.exe)
CMD: cmd.exe /c "netbird login -m https://nb.djpd.pl:443 & netbird up"
Path: C:\Windows\SysWOW64\cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)

PID 4876 (parent process: explorer.exe)
CMD: "C:\Users\admin\Desktop\djpdpoolinstaller.exe"
Path: C:\Users\admin\Desktop\djpdpoolinstaller.exe
User: admin
Company: DJPD
Integrity Level: MEDIUM
Exit code: 3221226540
Version: 2.4
Modules (images): c:\users\admin\desktop\djpdpoolinstaller.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll

PID 6140 (parent process: services.exe)
CMD: "C:\Program Files\Netbird\netbird.exe" service run config C:\ProgramData\Netbird\config.json log-level info
Path: C:\Program Files\Netbird\netbird.exe
User: SYSTEM
Integrity Level: SYSTEM
Version: 0.28.8.0

PID 6396 (parent process: djpdpoolinstaller.exe)
CMD: msiexec /i netbirdinstaller.msi /quiet
Path: C:\Windows\SysWOW64\msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows® installer
Exit code: 0
Version: 5.0.19041.3636 (WinBuild.160101.0800)

Total events: 8 008
Read events: 7 731
Write events: 260
Delete events: 17

Modification events

(PID) Process: (4088) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: F80F0000DF1DF461B2F7DA01

(PID) Process: (4088) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: 5144119E09EE1E4BA84D7DA56016CE7C70964BC61D21A5A70A664EF819757A89

(PID) Process: (4088) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

(PID) Process: (4088) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation: write
Name: C:\Config.Msi\
Value: -

(PID) Process: (4088) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: write
Name: C:\Config.Msi\1313fa.rbs
Value: 31127474

(PID) Process: (4088) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: write
Name: C:\Config.Msi\1313fa.rbsLow
Value: -

(PID) Process: (4088) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\36C54643732BB2B47B20E8BB6A626D40
Operation: write
Name: 0D75C008A43F55740A285ABBD3FE5878
Value: 22:\Software\SSHFS-Win\InstallDir

(PID) Process: (4088) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E245303D9042DD851970108EA693FCAA
Operation: write
Name: 0D75C008A43F55740A285ABBD3FE5878
Value: C:\Program Files\SSHFS-Win\License.txt

(PID) Process: (4088) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\66979FE3E94EB0A46BD8E52BDB6AC112
Operation: write
Name: 0D75C008A43F55740A285ABBD3FE5878
Value: 22:\Software\WOW6432Node\WinFsp\Services\sshfs\Executable

(PID) Process: (4088) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ED2A1E8F1602DA2408F533FBF057CD53
Operation: write
Name: 0D75C008A43F55740A285ABBD3FE5878
Value: 22:\Software\WOW6432Node\WinFsp\Services\sshfs.r\Executable

Executable files: 84
Suspicious files: 63
Text files: 933
Unknown types: 6

Dropped files

PID | Process | Filename | Type

6996 | djpdpoolinstaller.exe | C:\Users\admin\AppData\Local\Temp\sshfs.msi | -
  MD5: -
  SHA256: -
4088 | msiexec.exe | C:\Windows\Installer\1313f8.msi | -
  MD5: -
  SHA256: -
4088 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D | binary
  MD5: F72AF7689238CE1EB2124E4F9F39931D
  SHA256: B4BCAFCBC51D21292DC5166E9C363FC51C0106A4CCC3CAE315263FC9D620F8B7
4088 | msiexec.exe | C:\Program Files\SSHFS-Win\bin\sshfs.exe | executable
  MD5: B4C22EBE5131FE1E7F47DC09C6F984F6
  SHA256: 704B7DB5DFCC1E45CF895E81A37270E8AB6B6B59C0EAC73CEF0C49111740545D
4088 | msiexec.exe | C:\Windows\Temp\~DFD048CCABDCDDD1F5.TMP | binary
  MD5: BF619EAC0CDF3F68D496EA9344137E8B
  SHA256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
4088 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_8E0CE67692F4A2065EA56AD27F041788 | binary
  MD5: DF9E4DA3ABE1544D2D4DF1B9DEBF5FE4
  SHA256: 32DF3C67F09B0EA3BC042E6605BAF8EE8FE8F7ABE35973FC875C3F983A06F814
4088 | msiexec.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | text
  MD5: 40400196F32D33CB1DEB75C179795820
  SHA256: D8724BAB33EF12B8AA3B04B8724F2FDB1236F30245384D1DFEBFFBC12ADA00F2
4088 | msiexec.exe | C:\Windows\Installer\MSI1C55.tmp | binary
  MD5: 9BE346D851D10C906F0FBF5AD0448033
  SHA256: C31CE70E12A52B0ECA519C8FA5D26FBEA7F7C0827D6CE26CC697382A99889320
4088 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D | binary
  MD5: C3A36974240204FB6D778B69AF8D56F7
  SHA256: CD54E6B78090573CF706F4AE371B778C9A4AE6065D9BA7C0086D48F0931BEEB1
4088 | msiexec.exe | C:\Program Files\SSHFS-Win\bin\cygcrypto-1.1.dll | executable
  MD5: 0FD20A79633B3D4025B60F8ADB48A47F
  SHA256: 75342DC85872041292B35F94E4C9DDD1B15F209DA38D06C8D7E2875D6DCE1F0B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 19
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Type | Reputation

4088 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D | unknown | whitelisted
4088 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEA%2B4p0C5FY0DUUO8WdnwQCk%3D | unknown | whitelisted
- | - | GET | 200 | 18.239.36.80:80 | http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl | unknown | whitelisted
4088 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSE67Nbq3jfQQg8yXEpbmqLTNn7XwQUm1%2BwNrqdBq4ZJ73AoCLAi4s4d%2B0CEAytC0uc8lY%2BJbW8KgNyN8w%3D | unknown | whitelisted
4088 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA1LmzteDNDk8DmcEJinVIQ%3D | unknown | whitelisted
- | - | GET | 200 | 100.24.223.135:80 | http://ocsps.ssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQg3SSkKA74hABkhmlBtJTz8w3hlAQU%2BWC71OPVNPa49QaAJadz20ZpqJ4CEEJLalPOx2YUHCpjsaUcQQQ%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 239.255.255.250:1900 | - | - | - | whitelisted
4088 | msiexec.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
- | - | 100.24.223.135:80 | ocsps.ssl.com | AMAZON-AES | US | whitelisted
- | - | 18.239.36.80:80 | crls.ssl.com | - | US | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted

DNS requests

Domain | IP | Reputation

google.com | 142.250.74.206 | whitelisted
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
ocsps.ssl.com | 100.24.223.135, 52.6.97.148, 34.237.184.165 | whitelisted
crls.ssl.com | 18.239.36.80, 18.239.36.85, 18.239.36.47, 18.239.36.9 | whitelisted

Threats

No threats detected

Process | Message

msiexec.exe | FspFsctlRegister = 0
msiexec.exe | FspNpRegister = 0
msiexec.exe | FspEventLogRegister = 0