General Info

File name

59a3f7c8511f22a6e48ec6a8f058fefaa3c881c0577bde3cf3ba34ef5688990b.msi

Full analysis
https://app.any.run/tasks/976d6ce1-eb9c-4029-b002-8f834077a71e
Verdict
Malicious activity
Analysis date
15/01/2022, 00:16:12
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

evasion

Indicators:

MIME:
application/x-msi
File info:
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {F4F1A063-F85C-44FB-889E-0A184A11BD00}, Number of Words: 10, Subject: Carregando.., Author: FDSDRFGSEWRR, Name of Creating Application: Advanced Installer 18.1 build 4fb1edbd, Template: ;1046, Comments: A base dados do instalador contêm a lógica e os dados necessários para instalar o Carregando..., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
MD5

c86c9cc460da0b7d5a09c8096500c4ad

SHA1

6414d036e3963f0844311329fa921d58a9e7bedf

SHA256

59a3f7c8511f22a6e48ec6a8f058fefaa3c881c0577bde3cf3ba34ef5688990b

SSDEEP

12288:zW1xfYBowv43bqKlRH1Vq9iyX9AQ4NqlASvGD7lASvGDw:zW1JYBowvitjVqoA9AOuTD7uTDw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
120 seconds
Additional time used
60 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 11.0.9600.19596 KB4534251
  • Adobe Acrobat Reader DC (20.013.20064)
  • Adobe Flash Player 32 ActiveX (32.0.0.453)
  • Adobe Flash Player 32 NPAPI (32.0.0.453)
  • Adobe Flash Player 32 PPAPI (32.0.0.453)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.74)
  • FileZilla Client 3.51.0 (3.51.0)
  • Google Chrome (86.0.4240.198)
  • Google Update Helper (1.3.36.31)
  • Java 8 Update 271 (8.0.2710.9)
  • Java Auto Updater (2.8.271.9)
  • Microsoft .NET Framework 4.5.2 (4.5.51209)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
  • Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 83.0 (x86 en-US) (83.0)
  • Mozilla Maintenance Service (83.0.0.7621)
  • Notepad++ (32-bit x86) (7.9.1)
  • Opera 12.15 (12.15.1748)
  • QGA (2.14.33)
  • Skype version 8.29 (8.29)
  • VLC media player (3.0.11)
  • WinRAR 5.91 (32-bit) (5.91.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Hyphenation Parent Package English
  • IE Spelling Parent Package English
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • InternetExplorer Package TopLevel
  • KB2479943
  • KB2491683
  • KB2506212
  • KB2506928
  • KB2532531
  • KB2533552
  • KB2533623
  • KB2534111
  • KB2545698
  • KB2547666
  • KB2552343
  • KB2560656
  • KB2564958
  • KB2574819
  • KB2579686
  • KB2585542
  • KB2604115
  • KB2620704
  • KB2621440
  • KB2631813
  • KB2639308
  • KB2640148
  • KB2653956
  • KB2654428
  • KB2656356
  • KB2660075
  • KB2667402
  • KB2676562
  • KB2685811
  • KB2685813
  • KB2685939
  • KB2690533
  • KB2698365
  • KB2705219
  • KB2719857
  • KB2726535
  • KB2727528
  • KB2729094
  • KB2729452
  • KB2731771
  • KB2732059
  • KB2736422
  • KB2742599
  • KB2750841
  • KB2758857
  • KB2761217
  • KB2770660
  • KB2773072
  • KB2786081
  • KB2789645
  • KB2799926
  • KB2800095
  • KB2807986
  • KB2808679
  • KB2813347
  • KB2813430
  • KB2820331
  • KB2834140
  • KB2836942
  • KB2836943
  • KB2840631
  • KB2843630
  • KB2847927
  • KB2852386
  • KB2853952
  • KB2857650
  • KB2861698
  • KB2862152
  • KB2862330
  • KB2862335
  • KB2864202
  • KB2868038
  • KB2871997
  • KB2872035
  • KB2884256
  • KB2891804
  • KB2893294
  • KB2893519
  • KB2894844
  • KB2900986
  • KB2908783
  • KB2911501
  • KB2912390
  • KB2918077
  • KB2919469
  • KB2923545
  • KB2931356
  • KB2937610
  • KB2943357
  • KB2952664
  • KB2968294
  • KB2970228
  • KB2972100
  • KB2972211
  • KB2973112
  • KB2973201
  • KB2977292
  • KB2978120
  • KB2978742
  • KB2984972
  • KB2984976
  • KB2984976 SP1
  • KB2985461
  • KB2991963
  • KB2992611
  • KB2999226
  • KB3004375
  • KB3006121
  • KB3006137
  • KB3010788
  • KB3011780
  • KB3013531
  • KB3019978
  • KB3020370
  • KB3020388
  • KB3021674
  • KB3021917
  • KB3022777
  • KB3023215
  • KB3030377
  • KB3031432
  • KB3035126
  • KB3037574
  • KB3042058
  • KB3045685
  • KB3046017
  • KB3046269
  • KB3054476
  • KB3055642
  • KB3059317
  • KB3060716
  • KB3061518
  • KB3067903
  • KB3068708
  • KB3071756
  • KB3072305
  • KB3074543
  • KB3075226
  • KB3078667
  • KB3080149
  • KB3086255
  • KB3092601
  • KB3093513
  • KB3097989
  • KB3101722
  • KB3102429
  • KB3102810
  • KB3107998
  • KB3108371
  • KB3108664
  • KB3109103
  • KB3109560
  • KB3110329
  • KB3115858
  • KB3118401
  • KB3122648
  • KB3123479
  • KB3126587
  • KB3127220
  • KB3133977
  • KB3137061
  • KB3138378
  • KB3138612
  • KB3138910
  • KB3139398
  • KB3139914
  • KB3140245
  • KB3147071
  • KB3150220
  • KB3150513
  • KB3155178
  • KB3156016
  • KB3159398
  • KB3161102
  • KB3161949
  • KB3170735
  • KB3172605
  • KB3179573
  • KB3184143
  • KB3185319
  • KB4019990
  • KB4040980
  • KB4474419
  • KB4490628
  • KB4524752
  • KB4532945
  • KB4536952
  • KB4567409
  • KB958488
  • KB976902
  • KB982018
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • Package 21 for KB2984976
  • Package 38 for KB2984976
  • Package 45 for KB2984976
  • Package 59 for KB2984976
  • Package 7 for KB2984976
  • Package 76 for KB2984976
  • PlatformUpdate Win7 SRV08R2 Package TopLevel
  • ProfessionalEdition
  • RDP BlueIP Package TopLevel
  • RDP WinIP Package TopLevel
  • RollupFix
  • UltimateEdition
  • WUClient SelfUpdate ActiveX
  • WUClient SelfUpdate Aux TopLevel
  • WUClient SelfUpdate Core TopLevel
  • WinMan WinIP Package TopLevel

Behavior activities

MALICIOUS SUSPICIOUS INFO
Drops executable file immediately after starts
  • msiexec.exe (PID: 2060)
Application was dropped or rewritten from another process
  • 332�3�AYB�G�EZXJ2V�U.exe (PID: 3436)
Reads the Windows organization settings
  • msiexec.exe (PID: 3432)
  • msiexec.exe (PID: 2060)
Reads Windows owner or organization settings
  • msiexec.exe (PID: 3432)
  • msiexec.exe (PID: 2060)
Executed as Windows Service
  • msiexec.exe (PID: 2060)
Application launched itself
  • msiexec.exe (PID: 2060)
Executable content was dropped or overwritten
  • msiexec.exe (PID: 2060)
  • MsiExec.exe (PID: 1568)
Drops a file that was compiled in debug mode
  • msiexec.exe (PID: 2060)
  • MsiExec.exe (PID: 1568)
Checks supported languages
  • 332�3�AYB�G�EZXJ2V�U.exe (PID: 3436)
Checks for external IP
  • 332�3�AYB�G�EZXJ2V�U.exe (PID: 3436)
Reads the computer name
  • 332�3�AYB�G�EZXJ2V�U.exe (PID: 3436)
Drops a file with a compile date too recent
  • MsiExec.exe (PID: 1568)
Creates files in the program directory
  • 332�3�AYB�G�EZXJ2V�U.exe (PID: 3436)
Reads the computer name
  • msiexec.exe (PID: 3432)
  • msiexec.exe (PID: 2060)
  • MsiExec.exe (PID: 1568)
Checks supported languages
  • msiexec.exe (PID: 3432)
  • msiexec.exe (PID: 2060)
  • MsiExec.exe (PID: 1568)
Reads settings of System Certificates
  • MsiExec.exe (PID: 1568)
  • 332�3�AYB�G�EZXJ2V�U.exe (PID: 3436)
Checks Windows Trust Settings
  • MsiExec.exe (PID: 1568)

Static information

TRiD
  • .msi: Microsoft Windows Installer (88.6%)
  • .mst: Windows SDK Setup Transform Script (10%)
  • .msi: Microsoft Installer (100%)
EXIF
FlashPix
LastPrinted:
2009:12:11 11:47:44
CreateDate:
2009:12:11 11:47:44
ModifyDate:
2020:09:18 14:06:51
Security:
None
CodePage:
Windows Latin 1 (Western European)
RevisionNumber:
{F4F1A063-F85C-44FB-889E-0A184A11BD00}
Words:
10
Subject:
Carregando..
Author:
FDSDRFGSEWRR
LastModifiedBy:
null
Software:
Advanced Installer 18.1 build 4fb1edbd
Template:
;1046
Comments:
A base dados do instalador contêm a lógica e os dados necessários para instalar o Carregando...
Title:
Installation Database
Keywords:
Installer, MSI, Database
Pages:
200

Processes

Total processes
42
Monitored processes
4
Malicious processes
2
Suspicious processes
1

Behavior graph

Graph (image not preserved). Nodes: msiexec.exe (no specs), msiexec.exe, msiexec.exe, 332�3�ayb�g�ezxj2v�u.exe. Edge types shown: start, drop and start.

Process information

PID
3432
CMD
"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Desktop\59a3f7c8511f22a6e48ec6a8f058fefaa3c881c0577bde3cf3ba34ef5688990b.msi"
Path
C:\Windows\System32\msiexec.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\netutils.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\sfc.dll
c:\windows\system32\devobj.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\winspool.drv
c:\windows\system32\samcli.dll
c:\windows\system32\version.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\propsys.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\msiexec.exe
c:\windows\system32\shlwapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\user32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\wkscli.dll
c:\windows\apppatch\aclayers.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\imm32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\sfc_os.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\fusion.dll
c:\windows\system32\sxs.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID
2060
CMD
C:\Windows\system32\msiexec.exe /V
Path
C:\Windows\system32\msiexec.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\sfc.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\sxs.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\samcli.dll
c:\windows\system32\sechost.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\usp10.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msiexec.exe
c:\windows\system32\userenv.dll
c:\windows\system32\devobj.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msi.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\iertutil.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\fusion.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\user32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\uxtheme.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\mpr.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wininet.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\oleaut32.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\msctf.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll

PID
1568
CMD
C:\Windows\system32\MsiExec.exe -Embedding CF47F1A838B2B60E8624249F038157F3
Path
C:\Windows\system32\MsiExec.exe
Indicators
Parent process
msiexec.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msi.dll
c:\windows\system32\msacm32.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\lpk.dll
c:\windows\system32\userenv.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wininet.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\netutils.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\msiexec.exe
c:\windows\system32\nsi.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\version.dll
c:\windows\system32\profapi.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\imm32.dll
c:\windows\installer\msi2d08.tmp
c:\windows\system32\mpr.dll
c:\windows\system32\samcli.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\installer\msi2cc8.tmp
c:\windows\system32\sechost.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\sfc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\winmm.dll
c:\windows\installer\msi2d28.tmp
c:\windows\system32\winspool.drv
c:\windows\apppatch\acgenral.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\user32.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\msdart.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\webio.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\bcrypt.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\wship6.dll
c:\windows\system32\jscript.dll
c:\windows\system32\sxs.dll
c:\windows\system32\secur32.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptnet.dll
c:\users\public\documents\332�3�ayb�g�ezxj2v�u.exe

PID
3436
CMD
C:\Users\Public\Documents\332�3�AYB�G�EZXJ2V�U.exe
Path
C:\Users\Public\Documents\332�3�AYB�G�EZXJ2V�U.exe
Indicators
Parent process
MsiExec.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Caphyon LTD
Description
Advanced Installer Intune Tool
Version
18.1.0.0
Modules
Image
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\ws2_32.dll
c:\users\public\documents\332�3�ayb�g�ezxj2v�u.exe
c:\windows\system32\user32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\d3d8thk.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\webio.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\userenv.dll
c:\windows\system32\d3d9.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\magnification.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\gdi32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shlwapi.dll
c:\users\public\documents\zlibai.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\imm32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\msi.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\winspool.drv
c:\windows\system32\winhttp.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\security.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\compstui.dll
c:\windows\system32\imageres.dll
c:\windows\system32\inetres.dll
c:\windows\system32\colorui.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devobj.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cscui.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\mscms.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\slc.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\idndl.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\wship6.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\credssp.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winsta.dll
c:\windows\system32\mlang.dll

Registry activity

Total events: 9514
Read events: 0
Write events: 63
Delete events: 0

Modification events

PID Process Operation Key Name Value
2060 msiexec.exe write HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000 Sequence 1
2060 msiexec.exe write HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000 Owner 0C0800001F15F91CA509D801
2060 msiexec.exe write HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000 SessionHash 91E40F45B692B7EF1B87297F022D1C2C3D71F49EEFC089ACC54B645522A4B810
2060 msiexec.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress (default) C:\Windows\Installer\e2c6d.ipi
1568 MsiExec.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap ProxyBypass 1
1568 MsiExec.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8} WpadDecisionTime 59E86D1DA509D801
1568 MsiExec.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff WpadDecision 0
1568 MsiExec.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies CachePrefix Cookie:
1568 MsiExec.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8} WpadDecision 0
1568 MsiExec.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap AutoDetect 0
1568 MsiExec.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff WpadDecisionReason 1
1568 MsiExec.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap IntranetName 1
1568 MsiExec.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings ProxyEnable 0
1568 MsiExec.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8} WpadNetworkName Network 4
1568 MsiExec.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362E934C-743B-4588-8259-D2482DB771A8} WpadDecisionReason 1
1568 MsiExec.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap UNCAsIntranet 1
1568 MsiExec.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections SavedLegacySettings 460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
1568 MsiExec.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff WpadDecisionTime 59E86D1DA509D801
1568 MsiExec.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content CachePrefix
1568 MsiExec.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History CachePrefix Visited:
1568 MsiExec.exe write HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E LanguageList en-US
3436 332�3�AYB�G�EZXJ2V�U.exe write HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication Name 332�3�AYB�G�EZXJ2V�U.exe
3436 332�3�AYB�G�EZXJ2V�U.exe write HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E LanguageList en-US

Files activity

Executable files: 8
Suspicious files: 6
Text files: 1
Unknown types: 4

Dropped files

PID Process Filename Type
1568 MsiExec.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\TRYRETFDGFHGDSF[1].png executable MD5: 7854d9da27486d8a529fd49afdf30351 SHA256: 479f313cc0ac2c56b837caf43ee298ff5782f8fd5de814841228888b8c16a440
1568 MsiExec.exe C:\Users\Public\Documents\zlibai.dll executable MD5: 7854d9da27486d8a529fd49afdf30351 SHA256: 479f313cc0ac2c56b837caf43ee298ff5782f8fd5de814841228888b8c16a440
1568 MsiExec.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\FGREWAGTRETWRE[1].png executable MD5: 4a38459b989c45af4bf89f1aad516942 SHA256: c041c7795f16058e366a95e4c6929f9453f00ba8367e7a3afe1026a09c84e6a6
1568 MsiExec.exe C:\Users\Public\Documents\332�3�AYB�G�EZXJ2V�U.exe executable MD5: 4a38459b989c45af4bf89f1aad516942 SHA256: c041c7795f16058e366a95e4c6929f9453f00ba8367e7a3afe1026a09c84e6a6
2060 msiexec.exe C:\Windows\Installer\e2c6b.msi executable MD5: c86c9cc460da0b7d5a09c8096500c4ad SHA256: 59a3f7c8511f22a6e48ec6a8f058fefaa3c881c0577bde3cf3ba34ef5688990b
2060 msiexec.exe C:\Windows\Installer\MSI2D08.tmp executable MD5: e12c5bcc254c953b1a46d1434804f4d2 SHA256: 5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
2060 msiexec.exe C:\Windows\Installer\MSI2D28.tmp executable MD5: e12c5bcc254c953b1a46d1434804f4d2 SHA256: 5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
2060 msiexec.exe C:\Windows\Installer\MSI2CC8.tmp executable MD5: e12c5bcc254c953b1a46d1434804f4d2 SHA256: 5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
1568 MsiExec.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA der MD5: 29ab245ea76101a81872c15d2c54a651 SHA256: 866eabacad14e4c7cdca070f621364c563313d8a7661849225d7f2354a6b1bba
3436 332�3�AYB�G�EZXJ2V�U.exe C:\ProgramData\admin\conect text MD5: 708b1a7e5a34086654af1947e4e4ca85 SHA256: d7d00669a2915a53b9b9255e862219bec30208678ff56c339f689c0e288a821a
1568 MsiExec.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0255CEC2C51D081EFF40366512890989_76C19BA11C72361998CF4C34B60D39D2 binary MD5: e467f5a3fe0ed5618724f020820628cf SHA256: 001dae1cbeee5c1f7fb35029a1df1e9717451cba9355449be37e20a0f3281913
1568 MsiExec.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691 der MD5: d03ab18331b1dc62e284df6894ec5e6b SHA256: bea9c460f75b2495164979f6e00ac455b09f0763603e3e61680af677a7c16db4
1568 MsiExec.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA binary MD5: 3794352e0d30d2f99b19b777cf40dd1a SHA256: 512dd5d9a558664d2507dee26974684530e5690ba465705b16c66911e5fe7f75
1568 MsiExec.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0255CEC2C51D081EFF40366512890989_76C19BA11C72361998CF4C34B60D39D2 der MD5: 96084a59337ead501978342ad08c09e8 SHA256: ff5fd254daac413948000c1d4ab9c103d549d1fdb63342155eecb17f19919cd2
1568 MsiExec.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 compressed MD5: f7dcb24540769805e5bb30d193944dce SHA256: 6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea
1568 MsiExec.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691 binary MD5: 8b75bd2301d8fd7d2c3fc467d196345b SHA256: fedd05dcc264e750ca7e7aafec05728afb99b25722bc4f3be8bfed155dc68606
1568 MsiExec.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 binary MD5: 3b85b1944b0acde218776c423665bba5 SHA256: c16bdbca3aa3d1b37f8e0bf4aaf204c51fe883650f84f21b59054e066efc2058
2060 msiexec.exe C:\Users\admin\AppData\Local\Temp\~DF9A163BFD125EF8F8.TMP gmc MD5: ea239f9b9554ae1616f915e7dc5b0c76 SHA256: 95e17b6434a4b40a72e003c61d7349ef96cf484f5a8a620aa047b646aed3234e
2060 msiexec.exe C:\Windows\Installer\e2c6d.ipi binary MD5: f817270c6f18b8baf64c3c2efe7e34e1 SHA256: 07ffb289a4020a664dbd334f926d07c8c08b8b6760944ab46aaf2e144a1d8a03


Network activity

HTTP(S) requests: 6
TCP/UDP connections: 7
DNS requests: 6
Threats: 4

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
1568 MsiExec.exe GET 200 2.16.106.186:80 http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5bfc30d7aa1dfb07 unknown compressed whitelisted
1568 MsiExec.exe GET 200 104.18.31.182:80 http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEGfe9D7xe9riT%2FWUBgbSwIQ%3D US der shared
1568 MsiExec.exe GET 200 104.18.31.182:80 http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEQDwHUvue3yjezwFZqwFlyRY US der shared
1568 MsiExec.exe GET 200 104.18.31.182:80 http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSTufqHinruS%2FP9Wi1XSjRRzoTLfAQUfgNaZUFrp34K4bidCOodjh1qx2UCEQDJ99nHmXsm6UCfPUeS28Zn US der shared
3436 332�3�AYB�G�EZXJ2V�U.exe GET 200 208.95.112.1:80 http://ip-api.com/json/ unknown binary shared
3436 332�3�AYB�G�EZXJ2V�U.exe GET 200 208.95.112.1:80 http://ip-api.com/json/ unknown binary shared


Connections

PID Process IP ASN CN Reputation
1568 MsiExec.exe 5.9.147.237:443 Hetzner Online GmbH DE unknown
1568 MsiExec.exe 2.16.106.186:80 Akamai International B.V. –– whitelisted
1568 MsiExec.exe 104.18.31.182:80 Cloudflare Inc US suspicious
3436 332�3�AYB�G�EZXJ2V�U.exe 104.23.98.190:443 Cloudflare Inc US malicious
3436 332�3�AYB�G�EZXJ2V�U.exe 208.95.112.1:80 IBURST –– malicious

DNS requests

Domain IP Reputation
3dgq1431.simple.az 5.9.147.237 unknown
ctldl.windowsupdate.com 2.16.106.186 2.16.106.171 whitelisted
ocsp.comodoca.com 104.18.31.182 104.18.30.182 shared
pastebin.com 104.23.98.190 104.23.99.190 shared
ip-api.com 208.95.112.1 shared

Threats

PID Process Class Message
3436 332�3�AYB�G�EZXJ2V�U.exe Potential Corporate Privacy Violation ET POLICY External IP Lookup ip-api.com
3436 332�3�AYB�G�EZXJ2V�U.exe Potential Corporate Privacy Violation AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
3436 332�3�AYB�G�EZXJ2V�U.exe Potential Corporate Privacy Violation ET POLICY External IP Lookup ip-api.com
3436 332�3�AYB�G�EZXJ2V�U.exe Potential Corporate Privacy Violation AV POLICY Internal Host Retrieving External IP Address (ip-api. com)

Debug output strings

Process Message
–– Invalid parameter passed to C runtime function.
–– Invalid parameter passed to C runtime function.