File name:

PDFFlex-v4.102.1215.0.msi

Full analysis: https://app.any.run/tasks/3d1a8347-4dcd-467b-96c8-0688bb8b8190
Verdict: Malicious activity
Analysis date: June 18, 2024, 20:31:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: PDFFlex, Author: PDFFlex.io, Keywords: Installer, MSI, Database, Comments: A base dados do instalador contm a lgica e os dados necessrios para instalar o PDFFlex., Create Time/Date: Mon May 27 08:55:12 2024, Name of Creating Application: PDFFlex, Security: 0, Template: ;1033, Last Saved By: ;1046, Revision Number: {A101E974-EF6E-40A4-8532-07B644806946}4.102.1215.0;{A101E974-EF6E-40A4-8532-07B644806946}4.102.1215.0;{50C54027-847F-4B86-849A-9C02C888EE0B}, Number of Pages: 450, Number of Characters: 63
MD5:

F1C8A85FCE3AEC53C4B2BB45452D453A

SHA1:

9476A698165F4C3E89D370BD3135108D8D3DD476

SHA256:

2F9F2BB7999A0FA67A92203A5AE4E7DF47818835845BC170C50063CE333FE92B

SSDEEP:

98304:r9ISotSpkqN/2Wgx0xaAW9o+9DE+mzSE5lIP4GASazPtiG6CPUF0csMof+iZZjDJ:iNGPJx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 2100)
      • powershell.exe (PID: 2676)
      • powershell.exe (PID: 3112)
      • powershell.exe (PID: 2032)
      • powershell.exe (PID: 240)
      • powershell.exe (PID: 1200)

    • Changes powershell execution policy (Bypass)

      • msiexec.exe (PID: 3192)
      • msiexec.exe (PID: 2880)
      • msiexec.exe (PID: 2364)
      • msiexec.exe (PID: 2164)
      • msiexec.exe (PID: 1944)
      • msiexec.exe (PID: 2528)

    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 2732)
      • msiexec.exe (PID: 2164)

    • Changes the autorun value in the registry

      • msiexec.exe (PID: 2732)

  • SUSPICIOUS

    • Reads the Internet Settings

      • msiexec.exe (PID: 3344)
      • powershell.exe (PID: 2256)
      • powershell.exe (PID: 2032)
      • msiexec.exe (PID: 2164)
      • powershell.exe (PID: 240)
      • msiexec.exe (PID: 2528)

    • The process executes Powershell scripts

      • msiexec.exe (PID: 3192)
      • msiexec.exe (PID: 2880)
      • msiexec.exe (PID: 2364)
      • msiexec.exe (PID: 2164)
      • msiexec.exe (PID: 1944)
      • msiexec.exe (PID: 2528)

    • Starts POWERSHELL.EXE for commands execution

      • msiexec.exe (PID: 3192)
      • msiexec.exe (PID: 2880)
      • msiexec.exe (PID: 2364)
      • msiexec.exe (PID: 2164)
      • msiexec.exe (PID: 1944)
      • msiexec.exe (PID: 2528)

    • The process hide an interactive prompt from the user

      • msiexec.exe (PID: 3192)
      • msiexec.exe (PID: 2880)
      • msiexec.exe (PID: 2364)
      • msiexec.exe (PID: 2164)
      • msiexec.exe (PID: 1944)
      • msiexec.exe (PID: 2528)

    • The process bypasses the loading of PowerShell profile settings

      • msiexec.exe (PID: 3192)
      • msiexec.exe (PID: 2880)
      • msiexec.exe (PID: 2364)
      • msiexec.exe (PID: 2164)
      • msiexec.exe (PID: 1944)
      • msiexec.exe (PID: 2528)

    • Using PowerShell to operate with local accounts

      • powershell.exe (PID: 2256)

    • Executes as Windows Service

      • VSSVC.exe (PID: 3728)

    • Checks Windows Trust Settings

      • msiexec.exe (PID: 2732)
      • msiexec.exe (PID: 2164)
      • msiexec.exe (PID: 2528)

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 2732)

    • Process drops legitimate windows executable

      • msiexec.exe (PID: 2732)

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 2164)
      • msiexec.exe (PID: 2528)

  • INFO

    • Reads the software policy settings

      • msiexec.exe (PID: 3344)
      • msiexec.exe (PID: 3616)
      • msiexec.exe (PID: 3688)
      • msiexec.exe (PID: 2732)
      • msiexec.exe (PID: 2164)
      • msiexec.exe (PID: 2552)
      • msiexec.exe (PID: 2528)

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 3344)
      • powershell.exe (PID: 2100)
      • msiexec.exe (PID: 3616)
      • powershell.exe (PID: 2676)
      • msiexec.exe (PID: 3688)
      • powershell.exe (PID: 3112)
      • powershell.exe (PID: 2032)
      • msiexec.exe (PID: 2552)
      • powershell.exe (PID: 240)
      • powershell.exe (PID: 1200)

    • An automatically generated document

      • msiexec.exe (PID: 3344)

    • Creates files or folders in the user directory

      • msiexec.exe (PID: 3344)
      • msiexec.exe (PID: 2732)
      • msiexec.exe (PID: 2164)

    • Create files in a temporary directory

      • msiexec.exe (PID: 3344)
      • msiexec.exe (PID: 3192)
      • powershell.exe (PID: 2100)
      • msiexec.exe (PID: 2880)
      • powershell.exe (PID: 2676)
      • msiexec.exe (PID: 2364)
      • powershell.exe (PID: 3112)
      • msiexec.exe (PID: 2164)
      • powershell.exe (PID: 2032)
      • msiexec.exe (PID: 2732)
      • msiexec.exe (PID: 3688)
      • msiexec.exe (PID: 1944)
      • msiexec.exe (PID: 2528)
      • powershell.exe (PID: 1200)
      • powershell.exe (PID: 240)

    • Checks supported languages

      • msiexec.exe (PID: 2732)
      • msiexec.exe (PID: 3192)
      • msiexec.exe (PID: 2880)
      • msiexec.exe (PID: 2364)
      • msiexec.exe (PID: 2164)
      • msiexec.exe (PID: 1944)
      • msiexec.exe (PID: 2528)

    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 2732)
      • msiexec.exe (PID: 3192)
      • msiexec.exe (PID: 2880)
      • msiexec.exe (PID: 2364)
      • msiexec.exe (PID: 2164)
      • msiexec.exe (PID: 1944)
      • msiexec.exe (PID: 2528)

    • Reads the computer name

      • msiexec.exe (PID: 2732)
      • msiexec.exe (PID: 3192)
      • msiexec.exe (PID: 2880)
      • msiexec.exe (PID: 2364)
      • msiexec.exe (PID: 2164)
      • msiexec.exe (PID: 2528)
      • msiexec.exe (PID: 1944)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3344)
      • msiexec.exe (PID: 3616)
      • msiexec.exe (PID: 3688)
      • msiexec.exe (PID: 2732)
      • msiexec.exe (PID: 2164)
      • msiexec.exe (PID: 2552)

    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 3344)
      • msiexec.exe (PID: 3616)
      • msiexec.exe (PID: 3688)
      • msiexec.exe (PID: 2552)

    • Application launched itself

      • msiexec.exe (PID: 2732)

    • Reads Environment values

      • msiexec.exe (PID: 3192)
      • msiexec.exe (PID: 2880)
      • msiexec.exe (PID: 2364)
      • msiexec.exe (PID: 2164)
      • msiexec.exe (PID: 1944)
      • msiexec.exe (PID: 2528)

    • Manual execution by a user

      • msiexec.exe (PID: 3616)
      • explorer.exe (PID: 3696)
      • powershell.exe (PID: 2256)
      • msiexec.exe (PID: 3688)
      • msiexec.exe (PID: 2552)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 2100)
      • powershell.exe (PID: 2676)
      • powershell.exe (PID: 3112)
      • powershell.exe (PID: 2032)
      • powershell.exe (PID: 1200)
      • powershell.exe (PID: 240)

    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 2256)

    • Disables trace logs

      • powershell.exe (PID: 2032)
      • powershell.exe (PID: 240)

    • Checks proxy server information

      • msiexec.exe (PID: 2164)
      • msiexec.exe (PID: 2528)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (81.9)
.mst | Windows SDK Setup Transform Script (9.2)
.msp | Windows Installer Patch (7.6)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Security: None
CodePage: Windows Latin 1 (Western European)
RevisionNumber: {7832C14D-212E-47F1-A394-F04540F58CE1}
Words: 10
Subject: PDFFlex
Author: PDFFlex.io
LastModifiedBy: -
Software: PDFFlex
Template: ;1033,1046,3082,1055
Comments: PDFFlex 4.102.1215.0
Title: Installation Database
Keywords: Installer, MSI, Database
CreateDate: 2024:05:27 08:55:29
ModifyDate: 2024:05:27 08:55:29
LastPrinted: 2024:05:27 08:55:29
Pages: 450
Characters: 63
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
86
Monitored processes
22
Malicious processes
2
Suspicious processes
6

Behavior graph

Click at the process to see the details
start msiexec.exe msiexec.exe msiexec.exe no specs powershell.exe no specs explorer.exe no specs msiexec.exe msiexec.exe no specs powershell.exe no specs powershell.exe no specs msiexec.exe no specs vssvc.exe no specs msiexec.exe no specs msiexec.exe msiexec.exe no specs powershell.exe no specs msiexec.exe powershell.exe msiexec.exe msiexec.exe no specs powershell.exe no specs msiexec.exe powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
240 -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\Temp\pss49F1.ps1" -propFile "C:\Users\admin\AppData\Local\Temp\msi49DE.txt" -scriptFile "C:\Users\admin\AppData\Local\Temp\scr49DF.ps1" -scriptArgsFile "C:\Users\admin\AppData\Local\Temp\scr49E0.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
1200 -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\Temp\pss27C3.ps1" -propFile "C:\Users\admin\AppData\Local\Temp\msi27B0.txt" -scriptFile "C:\Users\admin\AppData\Local\Temp\scr27B1.ps1" -scriptArgsFile "C:\Users\admin\AppData\Local\Temp\scr27B2.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
1944C:\Windows\system32\MsiExec.exe -Embedding B6053ABA6D2E8C92DCA9276E5A5887A1 CC:\Windows\System32\msiexec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2032 -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\Temp\pssEA61.ps1" -propFile "C:\Users\admin\AppData\Local\Temp\msiEA4E.txt" -scriptFile "C:\Users\admin\AppData\Local\Temp\scrEA4F.ps1" -scriptArgsFile "C:\Users\admin\AppData\Local\Temp\scrEA50.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2100 -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\Temp\pssE6A6.ps1" -propFile "C:\Users\admin\AppData\Local\Temp\msiE684.txt" -scriptFile "C:\Users\admin\AppData\Local\Temp\scrE694.ps1" -scriptArgsFile "C:\Users\admin\AppData\Local\Temp\scrE695.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2164C:\Windows\system32\MsiExec.exe -Embedding E1DA0333FDDF57B1DE1BB29926767C71C:\Windows\System32\msiexec.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2256"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
2364C:\Windows\system32\MsiExec.exe -Embedding D0597DA0BED7325FF481F185E9295274 CC:\Windows\System32\msiexec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2528C:\Windows\system32\MsiExec.exe -Embedding F6471DDAAD3C85AAB74E9F19C8C1DFABC:\Windows\System32\msiexec.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2552"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Downloads\PDFFlex-v4.102.1215.0.msi" C:\Windows\System32\msiexec.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
63 080
Read events
62 313
Write events
696
Delete events
71

Modification events

(PID) Process:(3344) msiexec.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3616) msiexec.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2256) powershell.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2256) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2256) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2256) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2256) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2732) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
4000000000000000FF27F7DABEC1DA01AC0A0000B00D0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(2732) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
4000000000000000598AF9DABEC1DA01AC0A0000B00D0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(2732) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:writeName:LastIndex
Value:
75
Executable files
45
Suspicious files
68
Text files
27
Unknown types
1

Dropped files

PID
Process
Filename
Type
3192msiexec.exeC:\Users\admin\AppData\Local\Temp\msiE684.txt
MD5:
SHA256:
3192msiexec.exeC:\Users\admin\AppData\Local\Temp\scrE694.ps1
MD5:
SHA256:
3192msiexec.exeC:\Users\admin\AppData\Local\Temp\scrE695.txt
MD5:
SHA256:
3192msiexec.exeC:\Users\admin\AppData\Local\Temp\pssE6A6.ps1
MD5:
SHA256:
3344msiexec.exeC:\Users\admin\AppData\Local\Temp\CabE386.tmpcompressed
MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
SHA256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
2880msiexec.exeC:\Users\admin\AppData\Local\Temp\msiC9DF.txt
MD5:
SHA256:
2880msiexec.exeC:\Users\admin\AppData\Local\Temp\scrC9E0.ps1
MD5:
SHA256:
2880msiexec.exeC:\Users\admin\AppData\Local\Temp\scrC9E1.txt
MD5:
SHA256:
2880msiexec.exeC:\Users\admin\AppData\Local\Temp\pssC9F2.ps1
MD5:
SHA256:
3344msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506binary
MD5:12FB3C1EF138D7F7D86684D2663B212B
SHA256:6444E3FCFBD3631B3AC7027DBCDA0A7FE7D02AA93A95FC57377B1845B0CC499D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
22
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3344
msiexec.exe
GET
200
173.222.108.210:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a7f78792b87af211
unknown
unknown
1372
svchost.exe
GET
304
2.16.100.168:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
unknown
3344
msiexec.exe
GET
200
104.18.21.226:80
http://secure.globalsign.com/cacert/codesigningrootr45.crt
unknown
unknown
1372
svchost.exe
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
1060
svchost.exe
GET
304
2.19.126.163:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8f69642324cc87bd
unknown
unknown
1372
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
2032
powershell.exe
POST
200
13.227.211.105:80
http://d1jorhhovk7rc8.cloudfront.net/
unknown
unknown
2164
msiexec.exe
GET
200
13.226.163.189:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEjgLnWaIozse2b%2BczaaODg8%3D
unknown
unknown
2164
msiexec.exe
GET
200
18.239.15.174:80
http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D
unknown
unknown
2164
msiexec.exe
GET
200
13.226.163.189:80
http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2564
svchost.exe
239.255.255.250:3702
unknown
1060
svchost.exe
224.0.0.252:5355
unknown
3344
msiexec.exe
104.18.21.226:80
secure.globalsign.com
CLOUDFLARENET
shared
4
System
192.168.100.255:137
whitelisted
3344
msiexec.exe
173.222.108.210:80
ctldl.windowsupdate.com
Akamai International B.V.
CH
unknown
4
System
192.168.100.255:138
whitelisted
1372
svchost.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
1372
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1372
svchost.exe
2.16.100.168:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
whitelisted
1372
svchost.exe
2.16.164.120:80
crl.microsoft.com
Akamai International B.V.
NL
unknown

DNS requests

Domain
IP
Reputation
secure.globalsign.com
  • 104.18.21.226
  • 104.18.20.226
whitelisted
ctldl.windowsupdate.com
  • 173.222.108.210
  • 173.222.108.226
  • 2.16.100.168
  • 88.221.110.65
  • 88.221.110.67
  • 2.19.126.163
  • 2.19.126.137
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.72
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
d1jorhhovk7rc8.cloudfront.net
  • 13.227.211.105
  • 13.227.211.160
  • 13.227.211.26
  • 13.227.211.154
  • 13.32.11.9
  • 13.32.11.84
  • 13.32.11.15
  • 13.32.11.156
unknown
dn0diw4x4ljz4.cloudfront.net
  • 18.239.47.57
  • 18.239.47.143
  • 18.239.47.111
  • 18.239.47.169
  • 18.66.92.74
  • 18.66.92.89
  • 18.66.92.91
  • 18.66.92.169
unknown
o.ss2.us
  • 18.239.15.174
  • 18.239.15.14
  • 18.239.15.192
  • 18.239.15.186
whitelisted
ocsp.rootg2.amazontrust.com
  • 13.226.163.189
whitelisted
ocsp.rootca1.amazontrust.com
  • 13.226.163.189
shared

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
PDFFlex-v4.102.1215.0.msi