File name:	2cee9b72969beb59dd8441a637fdc8275afe13dfb6356e24a1daa1f77c555639.bin
Full analysis:	https://app.any.run/tasks/b201a1f9-2ca7-40a6-81fe-a92f8de01e9d
Verdict:	Malicious activity
Analysis date:	June 21, 2025, 06:46:41
OS:	Windows 11 Professional (build: 22000, 64 bit)
Tags:	generated-doc g0njxa
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft Module, Author: Aurelia Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Module., Template: Intel;1033, Revision Number: {FC289CCF-5EA6-487A-B815-0F36A5DE0CED}, Create Time/Date: Thu Jun 12 13:23:30 2025, Last Saved Time/Date: Thu Jun 12 13:23:30 2025, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
MD5:	117C07E910B87719CB9DE98E5A2384F8
SHA1:	12E415851E676CCD90FDDC770D2171A7AD84D8ED
SHA256:	2CEE9B72969BEB59DD8441A637FDC8275AFE13DFB6356E24A1DAA1F77C555639
SSDEEP:	98304:xUk2zSad/lcnfl/7/zPYohm3ImZ5wL/8ykYCUNz1Temrm5f5fyHz5haUcwC6Wxu7:7AZeq4JIZiOdO0

CodePage:	Windows Latin 1 (Western European)
Title:	Installation Database
Subject:	Microsoft Module
Author:	Aurelia Corporation
Keywords:	Installer
Comments:	This installer database contains the logic and data required to install Microsoft Module.
Template:	Intel;1033
RevisionNumber:	{FC289CCF-5EA6-487A-B815-0F36A5DE0CED}
CreateDate:	2025:06:12 13:23:30
ModifyDate:	2025:06:12 13:23:30
Pages:	200
Words:	10
Software:	Windows Installer XML Toolset (3.14.1.8722)
Security:	Read-only recommended


(PID) Process:	(2524) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Leave)
Value: 4800000000000000CFDB034378E2DB01DC09000070080000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2524) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Enter)
Value: 4800000000000000343F064378E2DB01DC09000070080000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2524) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Leave)
Value: 4800000000000000343F064378E2DB01DC09000070080000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2524) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 48000000000000007403EC4278E2DB01DC09000070080000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2524) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Enter)
Value: 48000000000000007403EC4278E2DB01DC09000070080000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2524) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppCreate (Enter)
Value: 4800000000000000FEA2084378E2DB01DC09000070080000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2524) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:	write	Name:	LastIndex
Value: 15
(PID) Process:	(2524) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGatherWriterMetadata (Enter)
Value: 4800000000000000D078BB4378E2DB01DC09000070080000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2524) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4800000000000000D078BB4378E2DB01DC090000B81B0000E8030000010000000000000000000000732F47DA438ADB47BB16D2AD5B4AC86F00000000000000000000000000000000
(PID) Process:	(2260) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 48000000000000000BDCBD4378E2DB01D4080000641A0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000

PID	Process	Filename		Type
2524	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
2524	msiexec.exe	C:\Windows\Installer\13593f.msi		—
		MD5:—	SHA256:—
6516	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_A3BC571CEDB19D334A71A78584F39433		binary
		MD5:BE4962329A2B3524F5CF2F96E5B7096B	SHA256:91135920338170B8DFE0019C160BAB4030D7EDCBC9E1CA5D3A1E2229FA859745
6516	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157		binary
		MD5:2988862F218686246A1B67CED888CB6B	SHA256:E40E85593D4B299C9B8FDDBD2C8BAFC70C604C5A8DB56347BBCFF914904B0B45
6516	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E		binary
		MD5:FEABF39FCE53406FB7819E08CC96ACDE	SHA256:419290E20C537E2C9AA3FBC4C94FE404A15F9988B0FFC31173B219B17CCBC6F0
6516	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_A3BC571CEDB19D334A71A78584F39433		binary
		MD5:605B84FE473628FE448E19064B4F908E	SHA256:A0AB7F7BC27558BB3ED93EC7620FE4EA0CED72695D7A8D5C9756D80C834AC269
2524	msiexec.exe	C:\System Volume Information\SPP\OnlineMetadataCache\{da472f73-8a43-47db-bb16-d2ad5b4ac86f}_OnDiskSnapshotProp		binary
		MD5:93C9AFD300D462FEC0C9333DB60D52D2	SHA256:AC2A05ABCD44A11ECD3C631A6CE226E49979165B0FA5EB204091A97ABA82903B
2524	msiexec.exe	C:\System Volume Information\SPP\snapshot-2		binary
		MD5:93C9AFD300D462FEC0C9333DB60D52D2	SHA256:AC2A05ABCD44A11ECD3C631A6CE226E49979165B0FA5EB204091A97ABA82903B
2524	msiexec.exe	C:\Windows\Temp\~DFD54617B288E99EE4.TMP		binary
		MD5:D686CFCB3A6C6844F3CA73E79A35D07C	SHA256:637E893247AAF89990FC150C5B1F7008801679638AAC5444D591EF9606099613
2524	msiexec.exe	C:\Users\admin\AppData\Local\Temp\Aurelia\Aurelia.ps1		text
		MD5:1B00AC331D49F27DEF00A9D727B19536	SHA256:502AA7D5204F92B1870713B5DCC5B172F9F011DC7B98ED29FA775982D6A71E3F

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6516	msiexec.exe	GET	304	199.232.210.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ac71be36583aca24	unknown	—	—	whitelisted
6516	msiexec.exe	GET	200	151.101.130.133:80	http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgW3WQu2HUdhUx4%2Fde0%3D	unknown	—	—	whitelisted
6516	msiexec.exe	GET	200	151.101.130.133:80	http://ocsp.globalsign.com/gsgccr45evcodesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQaCbVYh07WONuW4e63Ydlu4AlbDAQUJZ3Q%2FFkJhmPF7POxEztXHAOSNhECDEZj2CC%2BdF7NAXtz%2FA%3D%3D	unknown	—	—	whitelisted
2840	svchost.exe	GET	200	199.232.210.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6f06946a73e04111	unknown	—	—	whitelisted
2840	svchost.exe	GET	304	199.232.210.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ed7b700c691d6b92	unknown	—	—	whitelisted
2840	svchost.exe	GET	200	199.232.210.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?1c1cc131d70a004a	unknown	—	—	whitelisted
—	—	GET	200	52.123.129.14:443	https://ecs.office.com/config/v2/Office/officeclicktorun/16.0.16626.20134/Production/CC?&Clientid=%7b80C2A92B-EDEE-479E-8470-DBC6C547F2FB%7d&Application=officeclicktorun&Platform=win32&Version=16.0.16626.20134&MsoVersion=16.0.16626.20134&ProcessName=officec2rclient.exe&Audience=Production&Build=ship&Architecture=x64&OsVersion=10.0&OsBuild=22000&Channel=CC&InstallType=C2R&SessionId=%7b60A5070C-2922-4FD8-9451-9AE30AFE88A0%7d&LabMachine=false	unknown	binary	355 Kb	whitelisted
1524	svchost.exe	GET	200	2.18.64.212:80	http://www.msftconnecttest.com/connecttest.txt	unknown	—	—	whitelisted
—	—	GET	200	13.107.6.156:443	https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v1/C2RTargetAudienceData?omid=97560490bafb0d49bca6f8f0df91025d&susid=c408ee57-2103-4c34-9e6f-30bdf6c87e50&audienceFFN=492350f6-3a01-4f97-b9c0-c7c6ddf67d60&tid=&osver=Client%7C10.0.22000&offver=16.0.16626.20134&ring=Production&aud=Production&ch=CC&osarch=x64&manstate=6	unknown	—	—	—
—	—	POST	—	20.190.160.4:443	https://login.live.com/RST2.srf	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
3956	rundll32.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
—	—	52.109.76.240:443	officeclient.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5420	OfficeC2RClient.exe	52.109.76.240:443	officeclient.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1524	svchost.exe	2.18.64.200:80	www.msftconnecttest.com	Administracion Nacional de Telecomunicaciones	UY	whitelisted
5404	firefox.exe	34.120.208.123:443	incoming.telemetry.mozilla.org	GOOGLE-CLOUD-PLATFORM	US	whitelisted
5320	pingsender.exe	34.120.208.123:443	incoming.telemetry.mozilla.org	GOOGLE-CLOUD-PLATFORM	US	whitelisted
—	—	13.89.179.10:443	v10.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6516	msiexec.exe	199.232.210.172:80	ctldl.windowsupdate.com	FASTLY	US	whitelisted
6516	msiexec.exe	151.101.130.133:80	ocsp.globalsign.com	FASTLY	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 20.73.194.208 4.231.128.59	whitelisted
officeclient.microsoft.com	52.109.76.240	whitelisted
www.msftconnecttest.com	2.18.64.200 2.18.64.212	whitelisted
incoming.telemetry.mozilla.org	34.120.208.123	whitelisted
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	whitelisted
v10.events.data.microsoft.com	13.89.179.10	whitelisted
google.com	142.250.185.174	whitelisted
ctldl.windowsupdate.com	199.232.210.172 199.232.214.172	whitelisted
ocsp.globalsign.com	151.101.130.133 151.101.194.133 151.101.2.133 151.101.66.133	whitelisted
ecs.office.com	52.123.129.14 52.123.128.14	whitelisted

PID	Process	Class	Message
1524	svchost.exe	Misc activity	ET INFO Microsoft Connection Test
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage

General Info

2cee9b72969beb59dd8441a637fdc8275afe13dfb6356e24a1daa1f77c555639.bin

117C07E910B87719CB9DE98E5A2384F8

12E415851E676CCD90FDDC770D2171A7AD84D8ED

2CEE9B72969BEB59DD8441A637FDC8275AFE13DFB6356E24A1DAA1F77C555639

98304:xUk2zSad/lcnfl/7/zPYohm3ImZ5wL/8ykYCUNz1Temrm5f5fyHz5haUcwC6Wxu7:7AZeq4JIZiOdO0

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Run PowerShell with an invisible window

Bypass execution policy to execute commands

Changes powershell execution policy (Bypass)

SUSPICIOUS

Reads the Internet Settings

Executes as Windows Service

Starts process via Powershell

Reads the Windows owner or organization settings

Starts POWERSHELL.EXE for commands execution

The process executes Powershell scripts

Application launched itself

Executes script without checking the security policy

Base64-obfuscated command line is found

The process bypasses the loading of PowerShell profile settings

BASE64 encoded PowerShell command has been detected

Executed via WMI

Converts a specified value to a byte (POWERSHELL)

The process creates files with name similar to system file names

INFO

Checks proxy server information

The sample compiled with english language support

Creates files or folders in the user directory

Reads security settings of Internet Explorer

Reads the software policy settings

Manages system restore points

Checks supported languages

Executable content was dropped or overwritten

Create files in a temporary directory

Reads the machine GUID from the registry

Reads the computer name

Disables trace logs

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections