Malware analysis CommunityClipsSetup_1813.msi Malicious activity

Add for printing

download:	CommunityClipsSetup_1813.msi
Full analysis:	https://app.any.run/tasks/7e7038f2-1e01-4af6-a533-973bfddd5448
Verdict:	Malicious activity
Analysis date:	October 09, 2019, 14:03:47
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.2, MSI Installer, Create Time/Date: Mon Jun 21 08:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: Intel;1033, Number of Pages: 200, Revision Number: {A5766F94-C04B-48F4-9219-A2CA61F01DC0}, Title: Community Clips, Author: Microsoft, Number of Words: 2, Last Saved Time/Date: Thu Jun 19 22:53:38 2008, Last Printed: Thu Jun 19 22:53:38 2008
MD5:	2349E63E0690385B7579F3CD16FD6915
SHA1:	E6056AB3DE0B86D96C03CF76546860E122E05B9E
SHA256:	2BCDF7918E439556268AAF457A6895F5DBF274C888F272932E18809BB4C48341
SSDEEP:	196608:SVaOOtokclkc00tE+xeO3yRxDmGmgVyoLzaMUgGcQUrjHj5nasvU3hW0cd4Gn:SVzk6vVtE+o6sw24fkj5ruav

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:: on
Network geolocation:: off
Additional time used:: 60 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: on
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - CommunityClips.exe (PID: 2500)
  - WMEncoder.exe (PID: 2868)
  - WMEncoder.exe (PID: 2900)
  - settmp.exe (PID: 2932)
  - wmasfdist.exe (PID: 4088)
  - wmstypelib.exe (PID: 2168)
  - WMFDist.exe (PID: 3140)
  - settmp.exe (PID: 3580)
  - WMEncAgt.exe (PID: 2064)
  - wmenc.exe (PID: 2820)
- Loads dropped or rewritten executable
  - WMEncoder.exe (PID: 2868)
  - CommunityClips.exe (PID: 2500)
  - wmstypelib.exe (PID: 2168)
  - rundll32.exe (PID: 3516)
  - rundll32.exe (PID: 3224)
  - wmasfdist.exe (PID: 4088)
  - MsiExec.exe (PID: 3436)
  - MsiExec.exe (PID: 4056)
  - MsiExec.exe (PID: 2480)
  - MsiExec.exe (PID: 2244)
  - MsiExec.exe (PID: 1300)
  - MsiExec.exe (PID: 568)
  - MsiExec.exe (PID: 3344)
  - MsiExec.exe (PID: 3932)
  - MsiExec.exe (PID: 3356)
  - MsiExec.exe (PID: 3296)
  - MsiExec.exe (PID: 4000)
SUSPICIOUS
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 2612)
  - WMEncoder.exe (PID: 2868)
  - wmasfdist.exe (PID: 4088)
  - rundll32.exe (PID: 3224)
  - DrvInst.exe (PID: 3308)
  - wmstypelib.exe (PID: 2168)
  - DrvInst.exe (PID: 2964)
  - rundll32.exe (PID: 3516)
  - msiexec.exe (PID: 3064)
- Executed via COM
  - DrvInst.exe (PID: 2100)
  - DrvInst.exe (PID: 968)
  - DrvInst.exe (PID: 3308)
  - DrvInst.exe (PID: 2964)
- Executed as Windows Service
  - vssvc.exe (PID: 3156)
- Starts Microsoft Installer
  - WMEncoder.exe (PID: 2868)
- Uses RUNDLL32.EXE to load library
  - wmasfdist.exe (PID: 4088)
  - wmstypelib.exe (PID: 2168)
- Creates files in the Windows directory
  - DrvInst.exe (PID: 3308)
  - wmasfdist.exe (PID: 4088)
  - wmstypelib.exe (PID: 2168)
  - DrvInst.exe (PID: 2964)
  - msiexec.exe (PID: 3064)
- Creates files in the driver directory
  - DrvInst.exe (PID: 3308)
  - DrvInst.exe (PID: 2964)
- Removes files from Windows directory
  - DrvInst.exe (PID: 3308)
  - wmasfdist.exe (PID: 4088)
  - DrvInst.exe (PID: 2964)
  - wmstypelib.exe (PID: 2168)
- Modifies the open verb of a shell class
  - msiexec.exe (PID: 3064)
- Creates COM task schedule object
  - MsiExec.exe (PID: 3776)
  - MsiExec.exe (PID: 3436)
  - MsiExec.exe (PID: 4056)
  - MsiExec.exe (PID: 2244)
  - MsiExec.exe (PID: 568)
  - MsiExec.exe (PID: 1300)
  - MsiExec.exe (PID: 3344)
  - MsiExec.exe (PID: 3932)
  - MsiExec.exe (PID: 2480)
  - MsiExec.exe (PID: 3356)
  - msiexec.exe (PID: 3064)
  - MsiExec.exe (PID: 3296)
INFO
- Application launched itself
  - msiexec.exe (PID: 3064)
- Creates a software uninstall entry
  - msiexec.exe (PID: 3064)
- Loads dropped or rewritten executable
  - MsiExec.exe (PID: 2212)
  - msiexec.exe (PID: 3064)
  - MsiExec.exe (PID: 2508)
  - MsiExec.exe (PID: 3096)
  - MsiExec.exe (PID: 2688)
- Low-level read access rights to disk partition
  - vssvc.exe (PID: 3156)
- Dropped object may contain Bitcoin addresses
  - msiexec.exe (PID: 3064)
- Creates files in the program directory
  - MsiExec.exe (PID: 2212)
  - msiexec.exe (PID: 3064)
- Changes settings of System certificates
  - DrvInst.exe (PID: 3308)
- Application was dropped or rewritten from another process
  - MSIC799.tmp (PID: 2180)
- Starts application with an unusual extension
  - msiexec.exe (PID: 3064)
- Searches for installed software
  - msiexec.exe (PID: 3064)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.msi	\|	Microsoft Windows Installer (93.3)
.pps/ppt	\|	Microsoft PowerPoint document (5.2)
.msi	\|	Microsoft Installer (100)

EXIF

FlashPix

CreateDate:	1999:06:21 07:00:00
Software:	Windows Installer
Security:	Password protected
CodePage:	Windows Latin 1 (Western European)
Template:	Intel;1033
Pages:	200
RevisionNumber:	{A5766F94-C04B-48F4-9219-A2CA61F01DC0}
Title:	Community Clips
Subject:	-
Author:	Microsoft
Keywords:	-
Comments:	-
Words:	2
ModifyDate:	2008:06:19 21:53:38
LastPrinted:	2008:06:19 21:53:38

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

568

"C:\Windows\system32\MsiExec.exe" /Y "C:\Program Files\Windows Media Components\Encoder\WMexfmwp.dll"

C:\Windows\system32\MsiExec.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows® installer

Exit code:

Version:

5.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

968

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot23" "" "" "631c88d3b" "00000000" "00000564" "000005AC"

C:\Windows\system32\DrvInst.exe

—

svchost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Driver Installation Module

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1096

msiexec.exe /i "C:\Windows\Installer\WMEncoder.msi" /qb

C:\Windows\system32\msiexec.exe

—

WMEncoder.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows® installer

Exit code:

Version:

5.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

1300

"C:\Windows\system32\MsiExec.exe" /Y "C:\Program Files\Windows Media Components\Encoder\wmprevu.dll"

C:\Windows\system32\MsiExec.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows® installer

Exit code:

Version:

5.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2064

"C:\Program Files\Windows Media Components\Encoder\WMEncAgt.exe" /regserver

C:\Program Files\Windows Media Components\Encoder\WMEncAgt.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Media Encoder Agent

Exit code:

Version:

9.00.00.2980

Modules

Images
c:\program files\windows media components\encoder\wmencagt.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

2100

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot22" "" "" "695c3f483" "00000000" "00000394" "000003D0"

C:\Windows\system32\DrvInst.exe

—

svchost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Driver Installation Module

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

2168

wmstypelib.exe /Q:A /R:N

C:\Program Files\Windows Media Components\Encoder\wmstypelib.exe

settmp.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Win32 Cabinet Self-Extractor

Exit code:

Version:

6.00.2600.0000

Modules

Images
c:\program files\windows media components\encoder\wmstypelib.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

2180

"C:\Windows\Installer\MSIC799.tmp" /ShutDown

C:\Windows\Installer\MSIC799.tmp

—

msiexec.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\windows\installer\msic799.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

2212

C:\Windows\system32\MsiExec.exe -Embedding 81D974ADDBBAC722A7C0AF17EFA1B73C M Global\MSI0000

C:\Windows\system32\MsiExec.exe

—

msiexec.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows® installer

Exit code:

Version:

5.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2244

"C:\Windows\system32\MsiExec.exe" /Y "C:\Program Files\Windows Media Components\Encoder\wmesrcwp.dll"

C:\Windows\system32\MsiExec.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows® installer

Exit code:

Version:

5.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll

Add for printing

Total events

3 717

Read events

1 136

Write events

2 524

Delete events

Modification events


(PID) Process:	(2612) msiexec.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(3064) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 4000000000000000323A8F86AA7ED501F80B0000F40A0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(3064) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:	write	Name:	SppCreate (Enter)
Value: 40000000000000008C9C9186AA7ED501F80B0000F40A0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(3156) vssvc.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 400000000000000080ACE286AA7ED501540C000048080000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(3156) vssvc.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 400000000000000080ACE286AA7ED501540C0000800D0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(3156) vssvc.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 400000000000000080ACE286AA7ED501540C0000F00B0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(3156) vssvc.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 400000000000000080ACE286AA7ED501540C000030080000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(3156) vssvc.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation:	write	Name:	IDENTIFY (Leave)
Value: 40000000000000003471E786AA7ED501540C000048080000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(3156) vssvc.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation:	write	Name:	IDENTIFY (Leave)
Value: 40000000000000008ED3E986AA7ED501540C0000800D0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(3156) vssvc.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation:	write	Name:	IDENTIFY (Leave)
Value: 4000000000000000E835EC86AA7ED501540C000030080000E8030000000000000100000000000000000000000000000000000000000000000000000000000000

Add for printing

Executable files

Suspicious files

Text files

335

Unknown types

Dropped files

PID	Process	Filename		Type
2612	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSI7E06.tmp		—
		MD5:—	SHA256:—
3064	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
3064	msiexec.exe	C:\Windows\Installer\193917.msi		—
		MD5:—	SHA256:—
3064	msiexec.exe	C:\Windows\Installer\MSI3D4E.tmp		—
		MD5:—	SHA256:—
3064	msiexec.exe	C:\Users\admin\AppData\Local\Temp\~DFD4F99371F735BD77.TMP		—
		MD5:—	SHA256:—
3156	vssvc.exe	C:		—
		MD5:—	SHA256:—
3064	msiexec.exe	C:\System Volume Information\SPP\snapshot-2		binary
		MD5:—	SHA256:—
3064	msiexec.exe	C:\System Volume Information\SPP\OnlineMetadataCache\{78a34cdb-6f0e-4357-9c4f-88e90e003a63}_OnDiskSnapshotProp		binary
		MD5:—	SHA256:—
2100	DrvInst.exe	C:\Windows\INF\setupapi.ev3		binary
		MD5:—	SHA256:—
2100	DrvInst.exe	C:\Windows\INF\setupapi.ev1		binary
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

Domain	IP	Reputation
www.officelabs.com	—	unknown
dns.msftncsi.com	131.107.255.255	shared

Threats

No threats detected

Add for printing

Process	Message
rundll32.exe	MSOOBCI: DoInstall failed with error: 0x80070002
rundll32.exe	MSOOBCI: DoInstall failed with error: 0x80070002

General Info

CommunityClipsSetup_1813.msi

2349E63E0690385B7579F3CD16FD6915

E6056AB3DE0B86D96C03CF76546860E122E05B9E

2BCDF7918E439556268AAF457A6895F5DBF274C888F272932E18809BB4C48341

196608:SVaOOtokclkc00tE+xeO3yRxDmGmgVyoLzaMUgGcQUrjHj5nasvU3hW0cd4Gn:SVzk6vVtE+o6sw24fkj5ruav

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

SUSPICIOUS

Executable content was dropped or overwritten

Executed via COM

Executed as Windows Service

Starts Microsoft Installer

Uses RUNDLL32.EXE to load library

Creates files in the Windows directory

Creates files in the driver directory

Removes files from Windows directory

Modifies the open verb of a shell class

Creates COM task schedule object

INFO

Application launched itself

Creates a software uninstall entry

Loads dropped or rewritten executable

Low-level read access rights to disk partition

Dropped object may contain Bitcoin addresses

Creates files in the program directory

Changes settings of System certificates

Application was dropped or rewritten from another process

Starts application with an unusual extension

Searches for installed software

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings