Malware analysis CargoWiseCitrixServicesSetup-2025-05-14.exe Malicious activity

Add for printing

File name:	CargoWiseCitrixServicesSetup-2025-05-14.exe
Full analysis:	https://app.any.run/tasks/09f71c00-b0b8-45f0-b904-a87f26a8dd15
Verdict:	Malicious activity
Analysis date:	May 15, 2025, 13:55:56
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	advancedinstaller
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	9B6CED10208BDFA521AA6D7B518315DA
SHA1:	01B83112A83257B634BC42D3418D24CF7121183A
SHA256:	F956D38B7926C444AD3BF656719E08CAB271B00B6AD194BA9E83F8981536AC45
SSDEEP:	98304:WX+GhR6a/byOt64g+U+/YwFFXXFFFDDDEEPHCa2YdNeM7m8z2zkU+2OVCavPGkA6:mzrfN8TOj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 60 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- ADVANCEDINSTALLER mutex has been found
  - CargoWiseCitrixServicesSetup-2025-05-14.exe (PID: 7708)
- Reads the Windows owner or organization settings
  - CargoWiseCitrixServicesSetup-2025-05-14.exe (PID: 7708)
  - msiexec.exe (PID: 7820)
- Reads security settings of Internet Explorer
  - CargoWiseCitrixServicesSetup-2025-05-14.exe (PID: 7708)
  - CargoWise.ApplicationManager.Service.exe (PID: 3192)
- Executable content was dropped or overwritten
  - CargoWiseCitrixServicesSetup-2025-05-14.exe (PID: 7708)
- Process drops legitimate windows executable
  - CargoWiseCitrixServicesSetup-2025-05-14.exe (PID: 7708)
- Restarts service on failure
  - sc.exe (PID: 7616)
- Detects AdvancedInstaller (YARA)
  - CargoWiseCitrixServicesSetup-2025-05-14.exe (PID: 7708)
  - msiexec.exe (PID: 7820)
- There is functionality for taking screenshot (YARA)
  - CargoWiseCitrixServicesSetup-2025-05-14.exe (PID: 7708)
- Executes as Windows Service
  - VSSVC.exe (PID: 5376)
  - CargoWise.ApplicationManager.Service.exe (PID: 3192)
INFO
- The sample compiled with english language support
  - CargoWiseCitrixServicesSetup-2025-05-14.exe (PID: 7708)
  - msiexec.exe (PID: 7820)
- Checks proxy server information
  - CargoWiseCitrixServicesSetup-2025-05-14.exe (PID: 7708)
- Reads the software policy settings
  - CargoWiseCitrixServicesSetup-2025-05-14.exe (PID: 7708)
  - msiexec.exe (PID: 7820)
  - msiexec.exe (PID: 2148)
- Reads Environment values
  - CargoWiseCitrixServicesSetup-2025-05-14.exe (PID: 7708)
- Creates files or folders in the user directory
  - CargoWiseCitrixServicesSetup-2025-05-14.exe (PID: 7708)
- Reads the computer name
  - msiexec.exe (PID: 7820)
  - msiexec.exe (PID: 7932)
  - CargoWiseCitrixServicesSetup-2025-05-14.exe (PID: 7708)
  - CargoWise.ApplicationManager.Service.exe (PID: 3192)
  - msiexec.exe (PID: 5392)
- Checks supported languages
  - msiexec.exe (PID: 7932)
  - CargoWiseCitrixServicesSetup-2025-05-14.exe (PID: 7708)
  - msiexec.exe (PID: 7820)
  - CargoWise.ApplicationManager.Service.exe (PID: 3192)
  - msiexec.exe (PID: 5392)
- Create files in a temporary directory
  - CargoWiseCitrixServicesSetup-2025-05-14.exe (PID: 7708)
- Creates files in the program directory
  - CargoWiseCitrixServicesSetup-2025-05-14.exe (PID: 7708)
- Reads the machine GUID from the registry
  - msiexec.exe (PID: 7820)
  - CargoWiseCitrixServicesSetup-2025-05-14.exe (PID: 7708)
  - CargoWise.ApplicationManager.Service.exe (PID: 3192)
- Process checks computer location settings
  - CargoWiseCitrixServicesSetup-2025-05-14.exe (PID: 7708)
- Creates a software uninstall entry
  - msiexec.exe (PID: 7820)
- Manages system restore points
  - SrTasks.exe (PID: 7996)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 7820)
- Starts application with an unusual extension
  - msiexec.exe (PID: 7820)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 EXE PECompact compressed (generic) (20.7)
.exe	\|	Win64 Executable (generic) (13.7)
.dll	\|	Win32 Dynamic Link Library (generic) (3.2)
.exe	\|	Win32 Executable (generic) (2.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2021:11:03 11:08:28+00:00
ImageFileCharacteristics:	Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	14.29
CodeSize:	2135040
InitializedDataSize:	901632
UninitializedDataSize:	-
EntryPoint:	0x190f74
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	2.3.2.0
ProductVersionNumber:	2.3.2.0
FileFlagsMask:	0x003f
FileFlags:	Debug
FileOS:	Win32
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	WiseTech Global
FileDescription:	CargoWise Citrix Services Installer
FileVersion:	2.3.2
InternalName:	CargoWiseCitrixServicesSetup
LegalCopyright:	Copyright (C) 2025 WiseTech Global
OriginalFileName:	CargoWiseCitrixServicesSetup.exe
ProductName:	CargoWise Citrix Services
ProductVersion:	2.3.2

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

149

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2148

"C:\WINDOWS\system32\msiexec.exe" /i "C:\ProgramData\WiseTech Global\CargoWise Citrix Services 2.3.2\install\CargoWiseCitrixServicesSetup.msi" AI_SETUPEXEPATH=C:\Users\admin\AppData\Local\Temp\CargoWiseCitrixServicesSetup-2025-05-14.exe SETUPEXEDIR=C:\Users\admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1747316267 " SETUPEXEDIR="C:\Users\admin\AppData\Local\Temp\" AI_EUIMSI=""

C:\Windows\SysWOW64\msiexec.exe

—

CargoWiseCitrixServicesSetup-2025-05-14.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows® installer

Exit code:

1603

Version:

5.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

3192

"C:\Program Files (x86)\WiseTech Global\CargoWise Application Manager\CargoWise.ApplicationManager.Service.exe"

C:\Program Files (x86)\WiseTech Global\CargoWise Application Manager\CargoWise.ApplicationManager.Service.exe

—

services.exe

User:

SYSTEM

Company:

WiseTech Global

Integrity Level:

SYSTEM

Description:

CargoWise Application Manager

Version:

25.2.26.2

Modules

Images
c:\program files (x86)\wisetech global\cargowise application manager\cargowise.applicationmanager.service.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll

5376

C:\WINDOWS\system32\vssvc.exe

C:\Windows\System32\VSSVC.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft® Volume Shadow Copy Service

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5392

C:\Windows\syswow64\MsiExec.exe -Embedding 84B5899C53522D8C7B82C28A07625AE9 C

C:\Windows\SysWOW64\msiexec.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows® installer

Exit code:

Version:

5.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

6640

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

sc.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

7380

"C:\WINDOWS\Installer\MSI58B0.tmp" 3 wfica32

C:\Windows\Installer\MSI58B0.tmp

—

msiexec.exe

User:

admin

Company:

WiseTech Global

Integrity Level:

HIGH

Description:

Remote Desktop Services Session Killer

Exit code:

Version:

25.5.13.4

Modules

Images
c:\windows\installer\msi58b0.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

7616

"C:\Windows\System32\sc.exe" failure ediAppMgr reset= 0 actions= restart/180000/restart/180000/restart/180000

C:\Windows\SysWOW64\sc.exe

—

CargoWise.ApplicationManager.Service.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Service Control Manager Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\rpcrt4.dll

7632

"C:\Users\admin\AppData\Local\Temp\CargoWiseCitrixServicesSetup-2025-05-14.exe"

C:\Users\admin\AppData\Local\Temp\CargoWiseCitrixServicesSetup-2025-05-14.exe

—

explorer.exe

User:

admin

Company:

WiseTech Global

Integrity Level:

MEDIUM

Description:

CargoWise Citrix Services Installer

Exit code:

3221226540

Version:

2.3.2

Modules

Images
c:\users\admin\appdata\local\temp\cargowisecitrixservicessetup-2025-05-14.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

7644

C:\Windows\syswow64\MsiExec.exe -Embedding 147AEA1B9DDE1CC46FBFF2B7A6BAD40B

C:\Windows\SysWOW64\msiexec.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows® installer

Exit code:

Version:

5.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

7708

"C:\Users\admin\AppData\Local\Temp\CargoWiseCitrixServicesSetup-2025-05-14.exe"

C:\Users\admin\AppData\Local\Temp\CargoWiseCitrixServicesSetup-2025-05-14.exe

explorer.exe

User:

admin

Company:

WiseTech Global

Integrity Level:

HIGH

Description:

CargoWise Citrix Services Installer

Exit code:

Version:

2.3.2

Modules

Images
c:\users\admin\appdata\local\temp\cargowisecitrixservicessetup-2025-05-14.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

Add for printing

Total events

14 410

Read events

14 131

Write events

256

Delete events

Modification events


(PID) Process:	(7708) CargoWiseCitrixServicesSetup-2025-05-14.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.msi\OpenWithProgids
Operation:	write	Name:	Msi.Package
Value:
(PID) Process:	(7820) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Owner
Value: 8C1E0000DC78211FA1C5DB01
(PID) Process:	(7820) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	SessionHash
Value: B5C6F09BBF5A821CBF5AD3C4C85E700BAC34AD3DA576D1390078496C53E04AE3
(PID) Process:	(7820) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Sequence
Value: 1
(PID) Process:	(7820) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CargoWise edi\ediAppMgr
Operation:	write	Name:	CurrentVersion
Value: 2.3.0
(PID) Process:	(3192) CargoWise.ApplicationManager.Service.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\ediAppMgr
Operation:	write	Name:	EventMessageFile
Value: C:\Windows\Microsoft.NET\Framework\v4.0.30319\EventLogMessages.dll
(PID) Process:	(7820) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation:	write	Name:	C:\Config.Msi\
Value:
(PID) Process:	(7820) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation:	write	Name:	C:\Config.Msi\10f37c.rbs
Value: 31180193
(PID) Process:	(7820) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation:	write	Name:	C:\Config.Msi\10f37c.rbsLow
Value: 576971872
(PID) Process:	(7820) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F1797CE9468DD12439B1CAD8AFF2E517
Operation:	write	Name:	383FDA5853216B54C89418E9EEA27F80
Value: C:\Program Files (x86)\WiseTech Global\CargoWise Application Manager\CargoWise.ApplicationManager.Service.exe

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7708	CargoWiseCitrixServicesSetup-2025-05-14.exe	C:\ProgramData\WiseTech Global\CargoWise Citrix Services 2.3.2\install\holder0.aiph		—
		MD5:—	SHA256:—
7708	CargoWiseCitrixServicesSetup-2025-05-14.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB		binary
		MD5:B204F4859303D1F758578C9450FEEB6F	SHA256:35229F80F1E3F05FF270303621DA95DFC41BB823493AD8DED71B4A07B2AD5C88
7708	CargoWiseCitrixServicesSetup-2025-05-14.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB		binary
		MD5:1A757C78494DFFB718BB50207C3045C2	SHA256:DEFBC31B74DD900056516C48BC5E6B638A8C00261EBA8E0EB65C3B86EFA7BFF2
7708	CargoWiseCitrixServicesSetup-2025-05-14.exe	C:\ProgramData\WiseTech Global\CargoWise Citrix Services 2.3.2\install\CargoWiseCitrixServicesSetup.msi		executable
		MD5:04B685C7B58CC91D89D7C30DAFC47D84	SHA256:080A0E2E314B3E3E3710EDBFAE32918560F653B19CA4EA0324EEEBB83254C5BD
7708	CargoWiseCitrixServicesSetup-2025-05-14.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141		binary
		MD5:97D6AA0548376650FC96A0078EBFCBE2	SHA256:3BF36A86AA76BCD8EF26E1B8692F9D600C89EA99731B333FE60E245C03FD236A
7708	CargoWiseCitrixServicesSetup-2025-05-14.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_E5A9465EA7BB4555729C5BB4F1840EB5		binary
		MD5:1F8EB574BDDDBAF583F98A962E01FF39	SHA256:F2BB3828FAB3213F30911CD55DC3DDEF493581C1B05FECE6C46877A03A6DD3DE
7708	CargoWiseCitrixServicesSetup-2025-05-14.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141		binary
		MD5:544D7DCD6694FDFF90F84827985C54FB	SHA256:8E24C50E64B761BB88D2A0517800F463FCB8553C53573660CB27852C2BB2BB8E
7708	CargoWiseCitrixServicesSetup-2025-05-14.exe	C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_7708\folderlogoicon		image
		MD5:F840598DD74703C754A3ECED7DD18987	SHA256:42F2ED4B7CC97751980B359980E220E5B4AF623ADF97E2F6B4AF9DC46DB2F03C
7708	CargoWiseCitrixServicesSetup-2025-05-14.exe	C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_7708\whitebackground		image
		MD5:EB93C0ABAE8A7DE7AE6DC3755B12C802	SHA256:EDA260871BBA09273B71A165DC8B4F254B186046AB383722DC2D8803FA698725
7708	CargoWiseCitrixServicesSetup-2025-05-14.exe	C:\Users\admin\AppData\Local\Temp\shiF00F.tmp		executable
		MD5:84A34BF3486F7B9B7035DB78D78BDD1E	SHA256:F85911C910B660E528D2CF291BAA40A92D09961996D6D84E7A53A7095C7CD96E

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7708	CargoWiseCitrixServicesSetup-2025-05-14.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D	unknown	—	—	whitelisted
7708	CargoWiseCitrixServicesSetup-2025-05-14.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEA8cDtb6z38Q1UZQENiDBuY%3D	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
7276	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
7276	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
—	—	GET	200	2.19.11.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7708	CargoWiseCitrixServicesSetup-2025-05-14.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	2.19.11.120:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
—	—	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
5496	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
7708	CargoWiseCitrixServicesSetup-2025-05-14.exe	2.23.77.188:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
6544	svchost.exe	20.190.159.130:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6544	svchost.exe	2.23.77.188:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.184.206	whitelisted
settings-win.data.microsoft.com	20.73.194.208 40.127.240.158	whitelisted
crl.microsoft.com	2.19.11.120 2.19.11.105	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
ocsp.digicert.com	2.23.77.188	whitelisted
login.live.com	20.190.159.130 40.126.31.130 40.126.31.131 20.190.159.128 40.126.31.3 40.126.31.71 20.190.159.75 20.190.159.129	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted
fe3cr.delivery.mp.microsoft.com	20.3.187.198	whitelisted
go.microsoft.com	2.19.106.8	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

CargoWiseCitrixServicesSetup-2025-05-14.exe

9B6CED10208BDFA521AA6D7B518315DA

01B83112A83257B634BC42D3418D24CF7121183A

F956D38B7926C444AD3BF656719E08CAB271B00B6AD194BA9E83F8981536AC45

98304:WX+GhR6a/byOt64g+U+/YwFFXXFFFDDDEEPHCa2YdNeM7m8z2zkU+2OVCavPGkA6:mzrfN8TOj

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

ADVANCEDINSTALLER mutex has been found

Reads the Windows owner or organization settings

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Process drops legitimate windows executable

Restarts service on failure

Detects AdvancedInstaller (YARA)

There is functionality for taking screenshot (YARA)

Executes as Windows Service

INFO

The sample compiled with english language support

Checks proxy server information

Reads the software policy settings

Reads Environment values

Creates files or folders in the user directory

Reads the computer name

Checks supported languages

Create files in a temporary directory

Creates files in the program directory

Reads the machine GUID from the registry

Process checks computer location settings

Creates a software uninstall entry

Manages system restore points

Executable content was dropped or overwritten

Starts application with an unusual extension

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings