Malware analysis CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe Malicious activity

Add for printing

File name:	CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe
Full analysis:	https://app.any.run/tasks/ddac0159-a23b-4320-8c10-2ae6b7fc7743
Verdict:	Malicious activity
Analysis date:	May 15, 2025, 12:57:41
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	advancedinstaller
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	2CCE73E0CEE58A9D23F8220D51381D5A
SHA1:	D69485CA89C6ED800449089109A25FE260755F93
SHA256:	68A90734AEFF22127DA684D19A202A3A077DFCF8A6644F4DFD7C7CA8B3C5EF3C
SSDEEP:	98304:JX+GhR6a/byOt64g+U+/YwFFXXFFFDDDEEP/a4GyrNeME2OVhZzVvMO+GVQXziWw:nFmUbEBdsyY/toaCCxu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- ADVANCEDINSTALLER mutex has been found
  - CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe (PID: 7676)
- Process drops legitimate windows executable
  - CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe (PID: 7676)
  - msiexec.exe (PID: 7928)
- Detects AdvancedInstaller (YARA)
  - CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe (PID: 7676)
- Executable content was dropped or overwritten
  - CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe (PID: 7676)
- Reads the Windows owner or organization settings
  - CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe (PID: 7676)
- Executes as Windows Service
  - CargoWise.ApplicationManager.Service.exe (PID: 3272)
  - VSSVC.exe (PID: 4120)
- Reads security settings of Internet Explorer
  - CargoWise.ApplicationManager.Service.exe (PID: 3272)
  - CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe (PID: 7676)
- Restarts service on failure
  - sc.exe (PID: 3156)
- Suspicious use of NETSH.EXE
  - cmd.exe (PID: 4200)
- Executing commands from a ".bat" file
  - MSI598D.tmp (PID: 7980)
- Starts CMD.EXE for commands execution
  - MSI598D.tmp (PID: 7980)
INFO
- Checks supported languages
  - CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe (PID: 7676)
  - msiexec.exe (PID: 7928)
  - msiexec.exe (PID: 8168)
  - CargoWise.ApplicationManager.Service.exe (PID: 3272)
  - msiexec.exe (PID: 5416)
- The sample compiled with english language support
  - CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe (PID: 7676)
  - msiexec.exe (PID: 7928)
- Reads the software policy settings
  - CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe (PID: 7676)
  - msiexec.exe (PID: 7928)
  - msiexec.exe (PID: 6468)
- Reads the computer name
  - msiexec.exe (PID: 7928)
  - msiexec.exe (PID: 8168)
  - msiexec.exe (PID: 5416)
  - CargoWise.ApplicationManager.Service.exe (PID: 3272)
  - CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe (PID: 7676)
- Creates files in the program directory
  - CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe (PID: 7676)
- Create files in a temporary directory
  - CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe (PID: 7676)
- Process checks computer location settings
  - CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe (PID: 7676)
- Reads the machine GUID from the registry
  - msiexec.exe (PID: 7928)
  - CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe (PID: 7676)
  - CargoWise.ApplicationManager.Service.exe (PID: 3272)
- Checks proxy server information
  - CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe (PID: 7676)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 7928)
- Creates a software uninstall entry
  - msiexec.exe (PID: 7928)
- Reads security settings of Internet Explorer
  - msiexec.exe (PID: 6468)
- Manages system restore points
  - SrTasks.exe (PID: 5136)
- Starts application with an unusual extension
  - msiexec.exe (PID: 7928)
- Reads Environment values
  - CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe (PID: 7676)
- Creates files or folders in the user directory
  - CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe (PID: 7676)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 EXE PECompact compressed (generic) (20.7)
.exe	\|	Win64 Executable (generic) (13.7)
.dll	\|	Win32 Dynamic Link Library (generic) (3.2)
.exe	\|	Win32 Executable (generic) (2.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2021:11:03 11:08:28+00:00
ImageFileCharacteristics:	Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	14.29
CodeSize:	2135040
InitializedDataSize:	901632
UninitializedDataSize:	-
EntryPoint:	0x190f74
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	4.15.4.0
ProductVersionNumber:	4.15.4.0
FileFlagsMask:	0x003f
FileFlags:	Debug
FileOS:	Win32
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	WiseTech Global
FileDescription:	CargoWise Remote Desktop Services Installer
FileVersion:	4.15.4
InternalName:	CargoWiseRemoteDesktopServicesSetup
LegalCopyright:	Copyright (C) 2025 WiseTech Global
OriginalFileName:	CargoWiseRemoteDesktopServicesSetup.exe
ProductName:	CargoWise Remote Desktop Services
ProductVersion:	4.15.4

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

157

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

968

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

sc.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3156

"C:\Windows\System32\sc.exe" failure ediAppMgr reset= 0 actions= restart/180000/restart/180000/restart/180000

C:\Windows\SysWOW64\sc.exe

—

CargoWise.ApplicationManager.Service.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Service Control Manager Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\rpcrt4.dll

3192

netsh http add urlacl url=http://127.0.0.1:80/CargowiseOne/Authorize/ sddl="D:(A;;GX;;;S-1-1-0)"

C:\Windows\SysWOW64\netsh.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll

3272

"C:\Program Files (x86)\WiseTech Global\CargoWise Application Manager\CargoWise.ApplicationManager.Service.exe"

C:\Program Files (x86)\WiseTech Global\CargoWise Application Manager\CargoWise.ApplicationManager.Service.exe

—

services.exe

User:

SYSTEM

Company:

WiseTech Global

Integrity Level:

SYSTEM

Description:

CargoWise Application Manager

Version:

25.2.26.2

Modules

Images
c:\program files (x86)\wisetech global\cargowise application manager\cargowise.applicationmanager.service.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll

3956

C:\Windows\syswow64\MsiExec.exe -Embedding 0FD60BA3115659A15C4868B1F2C6D953

C:\Windows\SysWOW64\msiexec.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows® installer

Exit code:

Version:

5.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

3968

netsh http add urlacl url=http://127.0.0.1:80/CargowiseOne/SystemToSystemTrust/ sddl="D:(A;;GX;;;S-1-1-0)"

C:\Windows\SysWOW64\netsh.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll

4120

C:\WINDOWS\system32\vssvc.exe

C:\Windows\System32\VSSVC.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft® Volume Shadow Copy Service

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4200

"C:\WINDOWS\System32\cmd.exe" /C ""C:\Program Files\WiseTech Global\CargoWise Remote Desktop Services\AddOIDCUrlAcl.bat" "

C:\Windows\SysWOW64\cmd.exe

—

MSI598D.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

4528

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

SrTasks.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4724

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

Add for printing

Total events

16 698

Read events

16 204

Write events

464

Delete events

Modification events


(PID) Process:	(7676) CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msi\OpenWithProgids
Operation:	write	Name:	Msi.Package
Value:
(PID) Process:	(7928) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation:	write	Name:	C:\Config.Msi\
Value:
(PID) Process:	(7928) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2E4F8ECB0CB541944906B9F31F14FAF5
Operation:	write	Name:	383FDA5853216B54C89418E9EEA27F80
Value: 02:\SOFTWARE\CargoWise edi\ediAppMgr\CurrentVersion
(PID) Process:	(7928) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation:	write	Name:	C:\Program Files (x86)\WiseTech Global\CargoWise Application Manager\
Value:
(PID) Process:	(7928) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation:	write	Name:	C:\Program Files (x86)\WiseTech Global\
Value:
(PID) Process:	(7928) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CargoWise edi\ediAppMgr
Operation:	write	Name:	CurrentVersion
Value: 2.3.0
(PID) Process:	(7928) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Owner
Value: F81E000067C8B30799C5DB01
(PID) Process:	(7928) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	SessionHash
Value: E897851A343A196227EA09DA104CAEECB87EC9543708145C9F28C364788CE481
(PID) Process:	(7928) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Sequence
Value: 1
(PID) Process:	(7928) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation:	write	Name:	C:\Config.Msi\117a40.rbs
Value: 31180185

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7676	CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe	C:\ProgramData\WiseTech Global\CargoWise Remote Desktop Services\install\holder0.aiph		—
		MD5:—	SHA256:—
7676	CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141		binary
		MD5:97D6AA0548376650FC96A0078EBFCBE2	SHA256:3BF36A86AA76BCD8EF26E1B8692F9D600C89EA99731B333FE60E245C03FD236A
7676	CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe	C:\ProgramData\WiseTech Global\CargoWise Remote Desktop Services\install\CargoWiseRemoteDesktopServicesSetup.x64.msi		executable
		MD5:E2E0D991099D5566800FB8FC253D2AF7	SHA256:4969D5B6DBBD5E8C64FEC7EE06D409CB9142512D7B409E3748B6FFC73E4E29C2
7676	CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_E5A9465EA7BB4555729C5BB4F1840EB5		binary
		MD5:1F8EB574BDDDBAF583F98A962E01FF39	SHA256:F2BB3828FAB3213F30911CD55DC3DDEF493581C1B05FECE6C46877A03A6DD3DE
7676	CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe	C:\ProgramData\WiseTech Global\CargoWise Remote Desktop Services\install\CargoWiseRemoteDesktopServicesSetup.msi		executable
		MD5:A13B2CA9BDE7F1282C5DB99F3EED272A	SHA256:C4AEA7646AE5CD8C1A15214BAC3681745D7F96F5014CCD367DAA9F5C862E0D06
7676	CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB		binary
		MD5:FE6B2405A20E659A52B61ED29C26457C	SHA256:B824E2D5298B02E93B4B871C4A2D69DCA2FC9EE662CB648BCAC731345EC9B0EF
7676	CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe	C:\Users\admin\AppData\Local\Temp\shi5FA1.tmp		executable
		MD5:84A34BF3486F7B9B7035DB78D78BDD1E	SHA256:F85911C910B660E528D2CF291BAA40A92D09961996D6D84E7A53A7095C7CD96E
7676	CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141		binary
		MD5:17E2B2A469E808CCF53962688375233A	SHA256:60E140C32611BA40803163331E396C2C26E9E75AAC2C67D33EC4A5B358B539D0
7676	CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe	C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_7676\folderlogoicon		image
		MD5:F840598DD74703C754A3ECED7DD18987	SHA256:42F2ED4B7CC97751980B359980E220E5B4AF623ADF97E2F6B4AF9DC46DB2F03C
7676	CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe	C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_7676\background		image
		MD5:34363136D896A1DE743489E2AFF7D849	SHA256:AE4355BC29FC0B409605FAF5C69664A97A44C914E855B474B24281D17B7DCB15

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5496	MoUsoCoreWorker.exe	GET	200	23.48.23.179:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7676	CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
7676	CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEA8cDtb6z38Q1UZQENiDBuY%3D	unknown	—	—	whitelisted
7676	CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D	unknown	—	—	whitelisted
7944	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7944	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5496	MoUsoCoreWorker.exe	23.48.23.179:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5496	MoUsoCoreWorker.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
6544	svchost.exe	40.126.32.134:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6544	svchost.exe	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
—	—	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
7676	CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 40.127.240.158	whitelisted
google.com	172.217.18.14	whitelisted
crl.microsoft.com	23.48.23.179 23.48.23.183 23.48.23.181 23.48.23.191 23.48.23.187 23.48.23.186 23.48.23.137 23.48.23.184 23.48.23.178	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
login.live.com	40.126.32.134 20.190.160.128 20.190.160.17 20.190.160.14 20.190.160.66 40.126.32.68 20.190.160.22 20.190.160.67	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted
fe3cr.delivery.mp.microsoft.com	52.165.164.15	whitelisted
nexusrules.officeapps.live.com	52.111.229.43	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

CargoWiseRemoteDesktopServicesSetup 2025-05-14.exe

2CCE73E0CEE58A9D23F8220D51381D5A

D69485CA89C6ED800449089109A25FE260755F93

68A90734AEFF22127DA684D19A202A3A077DFCF8A6644F4DFD7C7CA8B3C5EF3C

98304:JX+GhR6a/byOt64g+U+/YwFFXXFFFDDDEEP/a4GyrNeME2OVhZzVvMO+GVQXziWw:nFmUbEBdsyY/toaCCxu

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

ADVANCEDINSTALLER mutex has been found

Process drops legitimate windows executable

Detects AdvancedInstaller (YARA)

Executable content was dropped or overwritten

Reads the Windows owner or organization settings

Executes as Windows Service

Reads security settings of Internet Explorer

Restarts service on failure

Suspicious use of NETSH.EXE

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

INFO

Checks supported languages

The sample compiled with english language support

Reads the software policy settings

Reads the computer name

Creates files in the program directory

Create files in a temporary directory

Process checks computer location settings

Reads the machine GUID from the registry

Checks proxy server information

Executable content was dropped or overwritten

Creates a software uninstall entry

Reads security settings of Internet Explorer

Manages system restore points

Starts application with an unusual extension

Reads Environment values

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats