File name:

eazfuscator.net_2024.3_setup.msi

Full analysis: https://app.any.run/tasks/4c10560e-f61a-44c6-872e-eac998d6ea7b
Verdict: Malicious activity
Analysis date: April 08, 2025, 12:19:57
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Eazfuscator.NET, Author: Gapotchenko, Keywords: Installer, Comments: This installer database contains the logic and data required to install Eazfuscator.NET version 2024.3.580.11891., Template: Intel;1033, Revision Number: {D6DCBC06-FFAA-477C-BE61-5744B39EDBEC}, Create Time/Date: Thu Jan 16 04:47:06 2025, Last Saved Time/Date: Thu Jan 16 04:47:06 2025, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.1.2318), Security: 2
MD5:

91ADC49D67AFEA7AC42B1B5DDCC44084

SHA1:

FD204EC637764F5D7D55F59BBA526BD5E95681AF

SHA256:

33646B56131A2592B793F03FCEC00543D7698946927AA5BE60413B2E08EBE7EC

SSDEEP:

98304:wRMu4gxc85bvYGGtQy7MQHLP+puWIRuteJL1uWJLPWJm60F0uS2yqSrNU8bgSVlU:8BW4gAG/8n6QK+gAJq1SCSYJE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may have been distorted by user actions and is provided as-is for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 8000)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 7508)
    • Executable content was dropped or overwritten

      • rundll32.exe (PID: 4268)
      • rundll32.exe (PID: 4000)
      • rundll32.exe (PID: 4688)
      • rundll32.exe (PID: 4996)
      • rundll32.exe (PID: 6512)
      • rundll32.exe (PID: 7596)
      • rundll32.exe (PID: 4688)
      • rundll32.exe (PID: 6268)
      • rundll32.exe (PID: 7920)
    • Process drops legitimate windows executable

      • msiexec.exe (PID: 7508)
    • Application launched itself

      • eazfuscator.net.exe (PID: 1012)
      • eazfuscator.net.exe (PID: 7288)
      • Eazfuscator.NET Enlightenment.exe (PID: 7216)
    • Starts POWERSHELL.EXE for commands execution

      • eazfuscator.net.exe (PID: 1012)
    • The process hides an interactive prompt from the user

      • eazfuscator.net.exe (PID: 1012)
    • The process bypasses the loading of PowerShell profile settings

      • eazfuscator.net.exe (PID: 1012)
    • Possibly malicious use of IEX has been detected

      • eazfuscator.net.exe (PID: 1012)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 3992)
    • Reads security settings of Internet Explorer

      • eazfuscator.net.exe (PID: 1012)
      • eazfuscator.net-assistant.exe (PID: 7596)
      • eazfuscator.net.exe (PID: 7288)
      • Eazfuscator.NET Enlightenment.exe (PID: 7956)
    • Reads the date of Windows installation

      • eazfuscator.net-assistant.exe (PID: 7596)
    • Searches for installed software

      • eazfuscator.net.exe (PID: 5596)
    • Creates a software uninstall entry

      • eazfuscator.net.exe (PID: 5596)
  • INFO

    • Reads the software policy settings

      • msiexec.exe (PID: 7352)
      • msiexec.exe (PID: 7508)
      • slui.exe (PID: 8184)
    • An automatically generated document

      • msiexec.exe (PID: 7352)
    • Checks proxy server information

      • rundll32.exe (PID: 7596)
      • msiexec.exe (PID: 7352)
      • slui.exe (PID: 8184)
    • Reads security settings of Internet Explorer

      • rundll32.exe (PID: 7596)
      • msiexec.exe (PID: 7352)
      • rundll32.exe (PID: 7920)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 7352)
      • eazfuscator.net.exe (PID: 1012)
      • eazfuscator.net.exe (PID: 7288)
    • Reads the computer name

      • msiexec.exe (PID: 7508)
      • msiexec.exe (PID: 7552)
      • msiexec.exe (PID: 7172)
      • msiexec.exe (PID: 5360)
      • eazfuscator.net.exe (PID: 1012)
      • ngen.exe (PID: 7688)
      • ngen.exe (PID: 5772)
      • ngen.exe (PID: 6436)
      • ngen.exe (PID: 1672)
      • ngen.exe (PID: 6040)
      • ngen.exe (PID: 4152)
      • ngen.exe (PID: 6136)
      • ngen.exe (PID: 7808)
      • ngen.exe (PID: 6108)
      • ngen.exe (PID: 7764)
      • ngen.exe (PID: 7916)
      • ngen.exe (PID: 7928)
      • ngen.exe (PID: 5024)
      • ngen.exe (PID: 4212)
      • ngen.exe (PID: 7656)
      • ngen.exe (PID: 7824)
      • ngen.exe (PID: 7904)
      • ngen.exe (PID: 7804)
      • ngen.exe (PID: 2084)
      • ngen.exe (PID: 7624)
      • ngen.exe (PID: 3396)
      • ngen.exe (PID: 5232)
      • ngen.exe (PID: 2980)
      • ngen.exe (PID: 456)
      • ngen.exe (PID: 7844)
      • ngen.exe (PID: 8036)
      • ngen.exe (PID: 7864)
      • ngen.exe (PID: 7204)
      • ngen.exe (PID: 5048)
      • eazfuscator.net.exe (PID: 7472)
      • ngen.exe (PID: 3760)
      • eazfuscator.net.exe (PID: 7288)
      • eazfuscator.net.exe (PID: 2268)
      • eazfuscator.net-assistant.exe (PID: 7596)
      • ngen.exe (PID: 2288)
      • ngen.exe (PID: 6700)
      • eazfuscator.net.exe (PID: 5596)
      • Eazfuscator.NET Enlightenment.exe (PID: 7216)
      • Eazfuscator.NET Enlightenment.exe (PID: 7956)
    • Checks supported languages

      • msiexec.exe (PID: 7552)
      • msiexec.exe (PID: 7172)
      • msiexec.exe (PID: 5360)
      • eazfuscator.net.exe (PID: 1012)
      • msiexec.exe (PID: 7508)
      • ngen.exe (PID: 7656)
      • ngen.exe (PID: 7688)
      • ngen.exe (PID: 5772)
      • ngen.exe (PID: 6436)
      • ngen.exe (PID: 6040)
      • ngen.exe (PID: 4152)
      • ngen.exe (PID: 6136)
      • ngen.exe (PID: 6108)
      • ngen.exe (PID: 7808)
      • ngen.exe (PID: 7764)
      • ngen.exe (PID: 7916)
      • ngen.exe (PID: 7928)
      • ngen.exe (PID: 6700)
      • ngen.exe (PID: 5024)
      • ngen.exe (PID: 4212)
      • ngen.exe (PID: 7824)
      • ngen.exe (PID: 2288)
      • ngen.exe (PID: 7904)
      • ngen.exe (PID: 7804)
      • ngen.exe (PID: 2084)
      • ngen.exe (PID: 1672)
      • ngen.exe (PID: 7624)
      • ngen.exe (PID: 2980)
      • ngen.exe (PID: 3396)
      • ngen.exe (PID: 5232)
      • ngen.exe (PID: 7844)
      • ngen.exe (PID: 456)
      • ngen.exe (PID: 7864)
      • ngen.exe (PID: 8036)
      • ngen.exe (PID: 7204)
      • eazfuscator.net.exe (PID: 7472)
      • ngen.exe (PID: 5048)
      • ngen.exe (PID: 3760)
      • eazfuscator.net.exe (PID: 7288)
      • eazfuscator.net-assistant.exe (PID: 7596)
      • eazfuscator.net.exe (PID: 2268)
      • Eazfuscator.NET Enlightenment.exe (PID: 7216)
      • Eazfuscator.NET Enlightenment.exe (PID: 7956)
      • eazfuscator.net.exe (PID: 5596)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 7508)
      • eazfuscator.net.exe (PID: 1012)
      • eazfuscator.net.exe (PID: 7472)
      • eazfuscator.net-assistant.exe (PID: 7596)
      • eazfuscator.net.exe (PID: 7288)
      • eazfuscator.net.exe (PID: 2268)
      • Eazfuscator.NET Enlightenment.exe (PID: 7216)
      • Eazfuscator.NET Enlightenment.exe (PID: 7956)
      • eazfuscator.net.exe (PID: 5596)
    • Manages system restore points

      • SrTasks.exe (PID: 920)
    • Creates files in a temporary directory

      • rundll32.exe (PID: 4268)
      • rundll32.exe (PID: 4688)
      • rundll32.exe (PID: 4000)
      • rundll32.exe (PID: 4996)
      • rundll32.exe (PID: 6512)
      • rundll32.exe (PID: 7596)
      • rundll32.exe (PID: 4688)
      • rundll32.exe (PID: 6268)
      • rundll32.exe (PID: 7920)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 7508)
      • msiexec.exe (PID: 7352)
    • The sample was compiled with English language support

      • msiexec.exe (PID: 7508)
    • Creates files in the program directory

      • rundll32.exe (PID: 7596)
      • eazfuscator.net.exe (PID: 1012)
      • eazfuscator.net-assistant.exe (PID: 7596)
      • eazfuscator.net.exe (PID: 5596)
    • NGen native .NET image generation

      • ngen.exe (PID: 7656)
      • ngen.exe (PID: 7688)
      • ngen.exe (PID: 5772)
      • ngen.exe (PID: 6436)
      • ngen.exe (PID: 1672)
      • ngen.exe (PID: 6040)
      • ngen.exe (PID: 4152)
      • ngen.exe (PID: 6136)
      • ngen.exe (PID: 6108)
      • ngen.exe (PID: 7808)
      • ngen.exe (PID: 7764)
      • ngen.exe (PID: 7916)
      • ngen.exe (PID: 7928)
      • ngen.exe (PID: 5024)
      • ngen.exe (PID: 6700)
      • ngen.exe (PID: 4212)
      • ngen.exe (PID: 7824)
      • ngen.exe (PID: 7904)
      • ngen.exe (PID: 7804)
      • ngen.exe (PID: 2084)
      • ngen.exe (PID: 7624)
      • ngen.exe (PID: 3396)
      • ngen.exe (PID: 5232)
      • ngen.exe (PID: 456)
      • ngen.exe (PID: 2980)
      • ngen.exe (PID: 7844)
      • ngen.exe (PID: 8036)
      • ngen.exe (PID: 7204)
      • ngen.exe (PID: 7864)
      • ngen.exe (PID: 5048)
      • ngen.exe (PID: 3760)
      • ngen.exe (PID: 2288)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • rundll32.exe (PID: 7596)
    • Reads Environment values

      • eazfuscator.net.exe (PID: 7472)
      • eazfuscator.net.exe (PID: 2268)
      • eazfuscator.net-assistant.exe (PID: 7596)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3992)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 3992)
    • Process checks computer location settings

      • eazfuscator.net-assistant.exe (PID: 7596)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 7508)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: Eazfuscator.NET
Author: Gapotchenko
Keywords: Installer
Comments: This installer database contains the logic and data required to install Eazfuscator.NET version 2024.3.580.11891.
Template: Intel;1033
RevisionNumber: {D6DCBC06-FFAA-477C-BE61-5744B39EDBEC}
CreateDate: 2025:01:16 04:47:06
ModifyDate: 2025:01:16 04:47:06
Pages: 200
Words: 2
Software: Windows Installer XML Toolset (3.11.1.2318)
Security: Read-only recommended
No data.
All screenshots are available in the full report
Total processes
195
Monitored processes
65
Malicious processes
2
Suspicious processes
1

Behavior graph

start msiexec.exe msiexec.exe msiexec.exe no specs rundll32.exe vssvc.exe no specs slui.exe srtasks.exe no specs conhost.exe no specs msiexec.exe no specs rundll32.exe rundll32.exe rundll32.exe rundll32.exe rundll32.exe msiexec.exe no specs eazfuscator.net.exe no specs conhost.exe no specs ngen.exe no specs ngen.exe no specs ngen.exe no specs ngen.exe no specs ngen.exe no specs ngen.exe no specs ngen.exe no specs ngen.exe no specs ngen.exe no specs ngen.exe no specs ngen.exe no specs ngen.exe no specs ngen.exe no specs ngen.exe no specs ngen.exe no specs ngen.exe no specs ngen.exe no specs ngen.exe no specs ngen.exe no specs ngen.exe no specs ngen.exe no specs ngen.exe no specs ngen.exe no specs ngen.exe no specs ngen.exe no specs ngen.exe no specs ngen.exe no specs ngen.exe no specs ngen.exe no specs ngen.exe no specs ngen.exe no specs ngen.exe no specs eazfuscator.net.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs rundll32.exe rundll32.exe eazfuscator.net.exe no specs conhost.exe no specs eazfuscator.net.exe no specs conhost.exe no specs eazfuscator.net-assistant.exe no specs eazfuscator.net.exe no specs conhost.exe no specs rundll32.exe eazfuscator.net enlightenment.exe no specs eazfuscator.net enlightenment.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
456
CMD:
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Eazfuscator.NET.Assistant.Options.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
Path:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
Parent process:
eazfuscator.net.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Common Language Runtime native compiler
Exit code:
0
Version:
4.8.9093.0 built by: NET481REL1LAST_C
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\ngen.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\vcruntime140_1_clr0400.dll
c:\windows\system32\rpcrt4.dll
PID:
684
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
eazfuscator.net.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
920
CMD:
C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11
Path:
C:\Windows\System32\SrTasks.exe
Parent process:
msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\spp.dll
PID:
1012
CMD:
"C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /installer_VZP1lntvzc0 mode install upgrade "" parameters ""
Path:
C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe
Parent process:
msiexec.exe
User:
SYSTEM
Company:
Gapotchenko
Integrity Level:
SYSTEM
Description:
Eazfuscator.NET
Exit code:
0
Version:
2024.3.580.11891
Modules
Images
c:\program files (x86)\gapotchenko\eazfuscator.net\eazfuscator.net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
1672
CMD:
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Vendor\ICSharpCode.SharpZipLib.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
Path:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
Parent process:
eazfuscator.net.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Common Language Runtime native compiler
Exit code:
0
Version:
4.8.9093.0 built by: NET481REL1LAST_C
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\ngen.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140_1_clr0400.dll
PID:
2084
CMD:
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Gapotchenko.Eazfuscator.NET.Ceip.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
Path:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
Parent process:
eazfuscator.net.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Common Language Runtime native compiler
Exit code:
0
Version:
4.8.9093.0 built by: NET481REL1LAST_C
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\ngen.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID:
2268
CMD:
"C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" --install-user uH0I5fAL25I
Path:
C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe
Parent process:
eazfuscator.net.exe
User:
admin
Company:
Gapotchenko
Integrity Level:
MEDIUM
Description:
Eazfuscator.NET
Exit code:
0
Version:
2024.3.580.11891
Modules
Images
c:\program files (x86)\gapotchenko\eazfuscator.net\eazfuscator.net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
2288
CMD:
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Gapotchenko.Eazfuscator.NET.Deployment.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
Path:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
Parent process:
eazfuscator.net.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Common Language Runtime native compiler
Exit code:
0
Version:
4.8.9093.0 built by: NET481REL1LAST_C
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\ngen.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID:
2980
CMD:
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\Components\Gapotchenko.Eazfuscator.NET.Deployment.Installer.dll" "/ExeConfig:C:\Program Files (x86)\Gapotchenko\Eazfuscator.NET\eazfuscator.net.exe" /queue:3 /nologo /silent
Path:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
Parent process:
eazfuscator.net.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Common Language Runtime native compiler
Exit code:
0
Version:
4.8.9093.0 built by: NET481REL1LAST_C
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\ngen.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID:
3016
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powershell.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
24 369
Read events
23 876
Write events
465
Delete events
28

Modification events

(PID) Process: (7508) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
480000000000000040D04BB080A8DB01541D0000341F0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (7508) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value:
480000000000000040D04BB080A8DB01541D0000341F0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (7508) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value:
480000000000000091699CB080A8DB01541D0000341F0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (7508) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value:
480000000000000091699CB080A8DB01541D0000341F0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (7508) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value:
480000000000000082CD9EB080A8DB01541D0000341F0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (7508) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value:
48000000000000006D5E05B180A8DB01541D0000341F0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (7508) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value:
4800000000000000A031A1B080A8DB01541D0000341F0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (7508) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value:
11

(PID) Process: (8000) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000ACA113B180A8DB01401F0000C01F0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (8000) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000ACA113B180A8DB01401F0000601F0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
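Added example, not from the ANY.RUN report: the Value blobs above are 0x48-byte records that the VSS diagnostics code writes under the VSS\Diag keys while msiexec.exe creates the pre-install restore point (SrCreateRp, the Spp* calls, then VSSVC.exe answering with writer IDENTIFY). Their layout is inferred here from the values on this page, not from any documentation: an 8-byte size word equal to 0x48, an 8-byte FILETIME that lands about one minute after the analysis date, then two dwords that match the PID and a thread ID of the process the sandbox attributed the write to (0x1D54 = 7508 for msiexec.exe, 0x1F40 = 8000 for VSSVC.exe), and a dword that reads as an operation code (2000 to 2005 for the SPP calls, 1000 for IDENTIFY). Everything after that is left raw; the field names and reading the report's analysis date as UTC are the editor's assumptions. The decoder doubles as a consistency check on the report: the PID inside each blob must equal the attributed process and every timestamp must fall inside the run.

```python
from __future__ import annotations
import struct
from datetime import datetime, timedelta, timezone

# Constructed from the "Modification events" rows above:
# (PID the sandbox attributed the write to, value name, hex payload as printed).
VSS_DIAG_ROWS = [
    (7508, "SrCreateRp (Enter)",
     "480000000000000040D04BB080A8DB01541D0000341F0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"),
    (7508, "SppGetSnapshots (Leave)",
     "480000000000000091699CB080A8DB01541D0000341F0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000"),
    (8000, "IDENTIFY (Enter) / Shadow Copy Optimization Writer",
     "4800000000000000ACA113B180A8DB01401F0000C01F0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000"),
]

# Inferred header (assumption): size, FILETIME, PID, TID, operation code, all little-endian.
HEADER = struct.Struct("<QQIII")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# The report's analysis date, assumed to be UTC.
ANALYSIS_START = datetime(2025, 4, 8, 12, 19, 57, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def decode_vss_diag(hex_value: str, row_pid: int) -> dict:
    """Decode one VSS\\Diag record; 'rest' keeps the undecoded tail as hex."""
    blob = bytes.fromhex(hex_value)
    size, ft, pid, tid, opcode = HEADER.unpack_from(blob)
    return {
        "size": size,
        "complete": len(blob) == size,      # size word should cover the whole blob
        "when": filetime_to_datetime(ft),
        "pid": pid,
        "tid": tid,
        "opcode": opcode,
        "rest": blob[HEADER.size:].hex(),
        "pid_matches_row": pid == row_pid,  # the sandbox's attribution vs. the blob's own PID
    }


def decode_all(rows=VSS_DIAG_ROWS) -> list[dict]:
    return [dict(decode_vss_diag(h, pid), name=name) for pid, name, h in rows]


def within_analysis(records: list[dict], start: datetime = ANALYSIS_START,
                    seconds: int = 600) -> bool:
    """True if every embedded timestamp lies in [start, start + seconds].

    A blob whose time falls outside the run is either not FILETIME-stamped
    at all or was written by a clock the sandbox did not control.
    """
    end = start + timedelta(seconds=seconds)
    return all(start <= r["when"] <= end for r in records)


if __name__ == "__main__":
    recs = decode_all()
    for r in recs:
        print(f"{r['when'].isoformat(timespec='milliseconds')}  pid={r['pid']:<5} "
              f"tid={r['tid']:<5} op={r['opcode']:<5} pid_ok={r['pid_matches_row']}  {r['name']}")
    print("all events inside the analysis window:", within_analysis(recs))
```

The first record decodes to 2025-04-08 12:21:00 UTC with PID 7508 and operation code 2005; the VSSVC.exe record follows about 1.3 s later with PID 8000 and code 1000. Both PIDs agree with the process the sandbox attributed the write to, which is the check worth repeating on any report whose process attribution you do not fully trust.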
Executable files
414
Suspicious files
35
Text files
67
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 7352
Process: msiexec.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
Type: binary
MD5: 3CA86302C6385C43A142B3574AABEA7F
SHA256: E767F910125180F60CD2E2E31A94B577467AD218867AF619BF90A8BDE3460158

PID: 7596
Process: rundll32.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIECB3.tmp-\Eazfuscator.NET.Setup.Logic.dll
Type: executable
MD5: BB859A1BAB5624DF7736D24A9A43F917
SHA256: E5B0363BDA2FAC92B461B55D136778698DE73DEA6FF258A6B43A0D05714D8750

PID: 7352
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIECB3.tmp
Type: executable
MD5: 7DCF696BB8DF75B7AAC984EF47F3B653
SHA256: FFCFEEC2C989848AB529DDF8095B975A3ED71FB6E58BE2FC24DEE78022523376

PID: 7352
Process: msiexec.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
Type: binary
MD5: 11FC620A1B70727DC7DA94FC487EFB26
SHA256: 9F2693B8F610AA123D73D8874B2C718928DCBFDCD3405ED3B036157CE43F75B0

PID: 7352
Process: msiexec.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
Type: binary
MD5: AAB207664D42DF0268F69531A0BEE26B
SHA256: B70AB2B5BA7E449A0BE623534BC169C5C39C3BE921299189C79A0F64B4464106

PID: 7352
Process: msiexec.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_BA8586B8095B7E058E5F956C87818EB6
Type: binary
MD5: 2E1C6651C860C630D85DDBC07B469B34
SHA256: D1F25F66D71893AAD501B81284717EE70028E3D8B0CAC13675E820FE672491BD

PID: 7596
Process: rundll32.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIECB3.tmp-\Gapotchenko.FX.Diagnostics.CommandLine.dll
Type: executable
MD5: 7BFAA0329CF0AC56DF45B89520FE6A42
SHA256: 2D0B5C4E0FBAD4EA83E8637DF5EA589EDA79C64F48C0A7F3EBCE7528502FAD35

PID: 7596
Process: rundll32.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIECB3.tmp-\Gapotchenko.FX.dll
Type: executable
MD5: E551BE7DD53E440DA584AD3718761890
SHA256: 5B6B6AEB76B38D04AD0ED7CD12950B353DFC38444A3B29C542D85BBB922E5FC9

PID: 7352
Process: msiexec.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
Type: binary
MD5: C53BC585F5F93D3300F21D2D1C2E6560
SHA256: 161ACBD422834C7D42C923B9F62251043EDA81AB55A107B1155F91EFFDEF562D

PID: 7596
Process: rundll32.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIECB3.tmp-\Gapotchenko.FX.Math.dll
Type: executable
MD5: 04B61F62C4B6BCB0AB80D1CB84D3CC95
SHA256: F0B85F0BA14B047EE8CC234D0898A9C21D371E39EEF0F396F929BD68FF3B9A2C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
39
TCP/UDP connections
62
DNS requests
21
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7352
msiexec.exe
GET
200
172.64.149.23:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEEj8k7RgVZSNNqfJionWlBY%3D
unknown
whitelisted
7352
msiexec.exe
GET
200
172.64.149.23:80
http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSdE3gf41WAic8Uh9lF92%2BIJqh5qwQUMuuSmv81lkgvKEBCcCA2kVwXheYCEGIdbQxSAZ47kHkVIIkhHAo%3D
unknown
whitelisted
7352
msiexec.exe
GET
200
172.64.149.23:80
http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQVD%2BnGf79Hpedv3mhy6uKMVZkPCQQUDyrLIIcouOxvSK4rVKYpqhekzQwCEQD7zD8YXP%2Febgn%2Bvb7wbmZ1
unknown
whitelisted
7800
SIHClient.exe
GET
200
2.19.11.105:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7800
SIHClient.exe
GET
200
2.19.11.105:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
7800
SIHClient.exe
GET
200
2.19.11.105:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
7800
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7800
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7800
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
GET
304
20.12.23.50:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
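Added example, not from the ANY.RUN report: the three OCSP GETs that msiexec.exe (PID 7352) sent on port 80 are the revocation checks Windows performs while validating the certificate chain of a signed package, and the CryptnetUrlCache files dropped by the same PID in the dropped-files list are consistent with the cached responses. Plain HTTP is normal here; OCSP responses are signed. The path of each URL is a base64-encoded DER OCSPRequest (RFC 6960, appendix A); the script below decodes it with a minimal DER walker to recover the hash algorithm, the issuer name and key hashes, and the serial number of the certificate being checked. The URLs are copied from the table above and nothing else is assumed; the decode shows three distinct issuer key hashes, i.e. three different issuing CAs under the Sectigo/Comodo hierarchy were consulted. Which certificate each serial belongs to, and what the responders answered, needs the PCAP from the full report.

```python
from __future__ import annotations
import base64
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

# The three OCSP GETs from msiexec.exe (PID 7352), copied from the HTTP requests table.
OCSP_URLS = [
    "http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEEj8k7RgVZSNNqfJionWlBY%3D",
    "http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSdE3gf41WAic8Uh9lF92%2BIJqh5qwQUMuuSmv81lkgvKEBCcCA2kVwXheYCEGIdbQxSAZ47kHkVIIkhHAo%3D",
    "http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQVD%2BnGf79Hpedv3mhy6uKMVZkPCQQUDyrLIIcouOxvSK4rVKYpqhekzQwCEQD7zD8YXP%2Febgn%2Bvb7wbmZ1",
]

HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}
SEQUENCE = 0x30


@dataclass(frozen=True)
class CertId:
    hash_alg: str
    issuer_name_hash: str   # hex
    issuer_key_hash: str    # hex
    serial: int


def der_children(value: bytes) -> list[tuple[int, bytes]]:
    """Split a DER byte string into its sequence of (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, length, pos = value[pos], value[pos + 1], pos + 2
        if length & 0x80:                      # long form: the next n bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(value[pos:pos + n], "big")
            pos += n
        out.append((tag, value[pos:pos + length]))
        pos += length
    return out


def decode_oid(body: bytes) -> str:
    """Dotted form of a DER-encoded OBJECT IDENTIFIER body (base-128 arcs)."""
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_ocsp_get(url: str) -> list[CertId]:
    """Decode every CertID in an OCSP GET URL (path = base64 of a DER OCSPRequest).

    OCSPRequest > TBSRequest > requestList > Request > CertID, where CertID is
    SEQUENCE { hashAlgorithm, issuerNameHash OCTET STRING,
               issuerKeyHash OCTET STRING, serialNumber INTEGER }.
    """
    raw = base64.b64decode(unquote(urlsplit(url).path.lstrip("/")))
    ocsp_request = der_children(raw)[0][1]
    tbs = der_children(ocsp_request)[0][1]
    # TBSRequest may start with [0] version and [1] requestorName; requestList is the SEQUENCE.
    request_list = next(v for t, v in der_children(tbs) if t == SEQUENCE)
    ids = []
    for _, request in der_children(request_list):
        cert_id = der_children(request)[0][1]
        (_, alg), (_, name_hash), (_, key_hash), (_, serial) = der_children(cert_id)
        oid = decode_oid(der_children(alg)[0][1])
        ids.append(CertId(HASH_OIDS.get(oid, oid), name_hash.hex(), key_hash.hex(),
                          int.from_bytes(serial, "big")))
    return ids


def issuers(urls=OCSP_URLS) -> dict[str, list[int]]:
    """issuer key hash -> serials queried under it; one entry per issuing CA consulted."""
    out: dict[str, list[int]] = {}
    for url in urls:
        for cid in parse_ocsp_get(url):
            out.setdefault(cid.issuer_key_hash, []).append(cid.serial)
    return out


if __name__ == "__main__":
    for url in OCSP_URLS:
        for cid in parse_ocsp_get(url):
            print(f"{urlsplit(url).netloc:<18} {cid.hash_alg}  issuerKeyHash={cid.issuer_key_hash}  "
                  f"serial={cid.serial:x}")
    print("distinct issuers consulted:", len(issuers()))
```

All three requests use the SHA-1 CertID form (the usual choice for OCSP CertIDs, unrelated to the strength of the signature itself), and the third carries a 17-byte serial with a leading 0x00 pad because its top bit is set; the decoder strips that by converting to an integer.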

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
20.190.160.3:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.160.3:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
7352
msiexec.exe
172.64.149.23:80
ocsp.comodoca.com
CLOUDFLARENET
US
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2112
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
  • 51.104.136.2
whitelisted
login.live.com
  • 20.190.160.3
  • 20.190.160.132
  • 40.126.32.133
  • 40.126.32.136
  • 20.190.160.67
  • 20.190.160.130
  • 20.190.160.17
  • 20.190.160.65
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.249
whitelisted
google.com
  • 216.58.206.46
whitelisted
ocsp.comodoca.com
  • 172.64.149.23
  • 104.18.38.233
whitelisted
ocsp.sectigo.com
  • 172.64.149.23
  • 104.18.38.233
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
crl.microsoft.com
  • 2.19.11.105
  • 2.19.11.120
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

No threats detected
No debug info