General Info

File name: 59a3f7c8511f22a6e48ec6a8f058fefaa3c881c0577bde3cf3ba34ef5688990b.msi
Full analysis: https://app.any.run/tasks/d5be0005-2f79-4c73-8b2c-cdb54b14ef85
Verdict: Malicious activity
Analysis date: 14/01/2022, 19:22:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: evasion
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {F4F1A063-F85C-44FB-889E-0A184A11BD00}, Number of Words: 10, Subject: Carregando.. (Portuguese: "Loading.."), Author: FDSDRFGSEWRR, Name of Creating Application: Advanced Installer 18.1 build 4fb1edbd, Template: ;1046, Comments: A base dados do instalador contêm a lógica e os dados necessários para instalar o Carregando... (Portuguese: "The installer database contains the logic and data required to install Carregando..."), Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
MD5: c86c9cc460da0b7d5a09c8096500c4ad
SHA1: 6414d036e3963f0844311329fa921d58a9e7bedf
SHA256: 59a3f7c8511f22a6e48ec6a8f058fefaa3c881c0577bde3cf3ba34ef5688990b
SSDEEP: 12288:zW1xfYBowv43bqKlRH1Vq9iyX9AQ4NqlASvGD7lASvGDw:zW1JYBowvitjVqoA9AOuTD7uTDw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration: 120 seconds
Additional time used: none
Fakenet option: off
Heavy Evasion option: off
MITM proxy: off
Route via Tor: off
Network geolocation: off
Privacy: Public submission
Autoconfirmation of UAC: off

Software preset

  • Internet Explorer 11.0.9600.19596 KB4534251
  • Adobe Acrobat Reader DC (20.013.20064)
  • Adobe Flash Player 32 ActiveX (32.0.0.453)
  • Adobe Flash Player 32 NPAPI (32.0.0.453)
  • Adobe Flash Player 32 PPAPI (32.0.0.453)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.74)
  • FileZilla Client 3.51.0 (3.51.0)
  • Google Chrome (86.0.4240.198)
  • Google Update Helper (1.3.36.31)
  • Java 8 Update 271 (8.0.2710.9)
  • Java Auto Updater (2.8.271.9)
  • Microsoft .NET Framework 4.5.2 (4.5.51209)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
  • Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 83.0 (x86 en-US) (83.0)
  • Mozilla Maintenance Service (83.0.0.7621)
  • Notepad++ (32-bit x86) (7.9.1)
  • Opera 12.15 (12.15.1748)
  • QGA (2.14.33)
  • Skype version 8.29 (8.29)
  • VLC media player (3.0.11)
  • WinRAR 5.91 (32-bit) (5.91.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Hyphenation Parent Package English
  • IE Spelling Parent Package English
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • InternetExplorer Package TopLevel
  • KB2479943
  • KB2491683
  • KB2506212
  • KB2506928
  • KB2532531
  • KB2533552
  • KB2533623
  • KB2534111
  • KB2545698
  • KB2547666
  • KB2552343
  • KB2560656
  • KB2564958
  • KB2574819
  • KB2579686
  • KB2585542
  • KB2604115
  • KB2620704
  • KB2621440
  • KB2631813
  • KB2639308
  • KB2640148
  • KB2653956
  • KB2654428
  • KB2656356
  • KB2660075
  • KB2667402
  • KB2676562
  • KB2685811
  • KB2685813
  • KB2685939
  • KB2690533
  • KB2698365
  • KB2705219
  • KB2719857
  • KB2726535
  • KB2727528
  • KB2729094
  • KB2729452
  • KB2731771
  • KB2732059
  • KB2736422
  • KB2742599
  • KB2750841
  • KB2758857
  • KB2761217
  • KB2770660
  • KB2773072
  • KB2786081
  • KB2789645
  • KB2799926
  • KB2800095
  • KB2807986
  • KB2808679
  • KB2813347
  • KB2813430
  • KB2820331
  • KB2834140
  • KB2836942
  • KB2836943
  • KB2840631
  • KB2843630
  • KB2847927
  • KB2852386
  • KB2853952
  • KB2857650
  • KB2861698
  • KB2862152
  • KB2862330
  • KB2862335
  • KB2864202
  • KB2868038
  • KB2871997
  • KB2872035
  • KB2884256
  • KB2891804
  • KB2893294
  • KB2893519
  • KB2894844
  • KB2900986
  • KB2908783
  • KB2911501
  • KB2912390
  • KB2918077
  • KB2919469
  • KB2923545
  • KB2931356
  • KB2937610
  • KB2943357
  • KB2952664
  • KB2968294
  • KB2970228
  • KB2972100
  • KB2972211
  • KB2973112
  • KB2973201
  • KB2977292
  • KB2978120
  • KB2978742
  • KB2984972
  • KB2984976
  • KB2984976 SP1
  • KB2985461
  • KB2991963
  • KB2992611
  • KB2999226
  • KB3004375
  • KB3006121
  • KB3006137
  • KB3010788
  • KB3011780
  • KB3013531
  • KB3019978
  • KB3020370
  • KB3020388
  • KB3021674
  • KB3021917
  • KB3022777
  • KB3023215
  • KB3030377
  • KB3031432
  • KB3035126
  • KB3037574
  • KB3042058
  • KB3045685
  • KB3046017
  • KB3046269
  • KB3054476
  • KB3055642
  • KB3059317
  • KB3060716
  • KB3061518
  • KB3067903
  • KB3068708
  • KB3071756
  • KB3072305
  • KB3074543
  • KB3075226
  • KB3078667
  • KB3080149
  • KB3086255
  • KB3092601
  • KB3093513
  • KB3097989
  • KB3101722
  • KB3102429
  • KB3102810
  • KB3107998
  • KB3108371
  • KB3108664
  • KB3109103
  • KB3109560
  • KB3110329
  • KB3115858
  • KB3118401
  • KB3122648
  • KB3123479
  • KB3126587
  • KB3127220
  • KB3133977
  • KB3137061
  • KB3138378
  • KB3138612
  • KB3138910
  • KB3139398
  • KB3139914
  • KB3140245
  • KB3147071
  • KB3150220
  • KB3150513
  • KB3155178
  • KB3156016
  • KB3159398
  • KB3161102
  • KB3161949
  • KB3170735
  • KB3172605
  • KB3179573
  • KB3184143
  • KB3185319
  • KB4019990
  • KB4040980
  • KB4474419
  • KB4490628
  • KB4524752
  • KB4532945
  • KB4536952
  • KB4567409
  • KB958488
  • KB976902
  • KB982018
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • Package 21 for KB2984976
  • Package 38 for KB2984976
  • Package 45 for KB2984976
  • Package 59 for KB2984976
  • Package 7 for KB2984976
  • Package 76 for KB2984976
  • PlatformUpdate Win7 SRV08R2 Package TopLevel
  • ProfessionalEdition
  • RDP BlueIP Package TopLevel
  • RDP WinIP Package TopLevel
  • RollupFix
  • UltimateEdition
  • WUClient SelfUpdate ActiveX
  • WUClient SelfUpdate Aux TopLevel
  • WUClient SelfUpdate Core TopLevel
  • WinMan WinIP Package TopLevel

Behavior activities

Severity tabs: MALICIOUS / SUSPICIOUS / INFO (the tab boundaries were not preserved in this export; entries are listed in the report's order, most severe first)
Drops executable file immediately after starts
  • msiexec.exe (PID: 3304)
Application was dropped or rewritten from another process
  • DGWWP�GEC�U3E4U��D�H.exe (PID: 2072)
Reads Windows owner or organization settings
  • msiexec.exe (PID: 3024)
  • msiexec.exe (PID: 3304)
Reads the Windows organization settings
  • msiexec.exe (PID: 3024)
  • msiexec.exe (PID: 3304)
Executed as Windows Service
  • msiexec.exe (PID: 3304)
Application launched itself
  • msiexec.exe (PID: 3304)
Executable content was dropped or overwritten
  • msiexec.exe (PID: 3304)
  • MsiExec.exe (PID: 3796)
Drops a file that was compiled in debug mode
  • msiexec.exe (PID: 3304)
  • MsiExec.exe (PID: 3796)
Drops a file with a compile date too recent
  • MsiExec.exe (PID: 3796)
Reads the computer name
  • DGWWP�GEC�U3E4U��D�H.exe (PID: 2072)
Checks supported languages
  • DGWWP�GEC�U3E4U��D�H.exe (PID: 2072)
Creates files in the program directory
  • DGWWP�GEC�U3E4U��D�H.exe (PID: 2072)
Checks for external IP
  • DGWWP�GEC�U3E4U��D�H.exe (PID: 2072)
Reads the computer name
  • msiexec.exe (PID: 3024)
  • MsiExec.exe (PID: 3796)
  • msiexec.exe (PID: 3304)
Checks supported languages
  • msiexec.exe (PID: 3024)
  • msiexec.exe (PID: 3304)
  • MsiExec.exe (PID: 3796)
Reads settings of System Certificates
  • MsiExec.exe (PID: 3796)
  • DGWWP�GEC�U3E4U��D�H.exe (PID: 2072)
Checks Windows Trust Settings
  • MsiExec.exe (PID: 3796)

Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report.

Static information

TRiD
  • .msi  Microsoft Windows Installer (88.6%)
  • .mst  Windows SDK Setup Transform Script (10%)
  • .msi  Microsoft Installer (100%)
EXIF (FlashPix / OLE summary information)
LastPrinted: 2009:12:11 11:47:44
CreateDate: 2009:12:11 11:47:44
ModifyDate: 2020:09:18 14:06:51
Security: None
CodePage: Windows Latin 1 (Western European)
RevisionNumber: {F4F1A063-F85C-44FB-889E-0A184A11BD00}
Words: 10
Subject: Carregando.. (Portuguese: "Loading..")
Author: FDSDRFGSEWRR
LastModifiedBy: null
Software: Advanced Installer 18.1 build 4fb1edbd
Template: ;1046 (no platform restriction; LCID 1046 is Portuguese, Brazil)
Comments: A base dados do instalador contêm a lógica e os dados necessários para instalar o Carregando... (Portuguese: "The installer database contains the logic and data required to install Carregando...")
Title: Installation Database
Keywords: Installer, MSI, Database
Pages: 200
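The summary-information fields above carry more than they show at first glance: in an MSI, Template is "platform;LCID list", Words (Word Count) is a bit field describing the source layout and UAC behaviour, Pages (Page Count) is the minimum Windows Installer version as major*100+minor, and Revision Number is the package code. The following decoder is an added example, not part of the ANY.RUN report or of any tool it references; the field semantics come from the Windows Installer summary-information documentation, and the LCID table is a constructed subset, with the sample values copied from this report.

```python
r"""Decode Windows Installer Summary Information values into triage facts.

Added example, not part of the ANY.RUN report. Input values are copied from
the report's EXIF / file-info section. Field meanings follow the Windows
Installer Summary Information Stream documentation (property IDs: 2 Title,
3 Subject = product name, 4 Author, 5 Keywords, 6 Comments, 7 Template,
9 Revision Number = package code, 14 Page Count = minimum installer version,
15 Word Count = source/UAC flags, 18 Creating Application).
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Word Count (PID 15) bit flags, per the Windows Installer SDK.
WORD_COUNT_FLAGS = {
    1: "short (8.3) file names only",
    2: "source files are compressed (embedded or external cabinets)",
    4: "administrative image (uncompressed admin install source)",
    8: "elevated privileges not required (UAC-compliant package)",
}

# Constructed subset of LCIDs relevant to triage; extend as needed.
LCID_NAMES = {
    0: "language neutral",
    1033: "en-US",
    1046: "pt-BR",
    2070: "pt-PT",
    3082: "es-ES",
}


@dataclass
class TemplateInfo:
    platform: str
    languages: list[int] = field(default_factory=list)


def parse_template(template: str) -> TemplateInfo:
    """Parse Template (PID 7), e.g. 'Intel;1033,1046', 'x64;1033' or ';1046'.

    An empty platform field means the package does not declare an
    architecture and is treated as Intel (32-bit) by the installer;
    'x64' or 'Arm64' marks 64-bit packages. Languages are LCIDs.
    """
    platform, _, langs = template.partition(";")
    platform = platform.strip() or "Intel (unspecified, 32-bit package)"
    lcids = [int(x) for x in langs.split(",") if x.strip()]
    return TemplateInfo(platform, lcids)


def decode_word_count(value: int) -> list[str]:
    """Expand the Word Count bit field into human-readable flags."""
    return [desc for bit, desc in WORD_COUNT_FLAGS.items() if value & bit]


def decode_page_count(value: int) -> str:
    """Page Count (PID 14) stores major*100 + minor, e.g. 200 -> '2.0'."""
    return f"{value // 100}.{value % 100}"


def summarize(summary: dict) -> dict:
    """Turn raw summary-information values into a triage record."""
    tmpl = parse_template(summary["Template"])
    return {
        "product_name": summary["Subject"],
        "platform": tmpl.platform,
        "languages": [LCID_NAMES.get(lcid, str(lcid)) for lcid in tmpl.languages],
        "source_flags": decode_word_count(summary["Words"]),
        "min_installer_version": decode_page_count(summary["Pages"]),
        "package_code": summary["RevisionNumber"],
        "build_tool": summary["Software"],
        "author": summary["Author"],
    }


# Values taken from the report above.
SAMPLE_SUMMARY = {
    "Template": ";1046",
    "Words": 10,
    "Pages": 200,
    "RevisionNumber": "{F4F1A063-F85C-44FB-889E-0A184A11BD00}",
    "Software": "Advanced Installer 18.1 build 4fb1edbd",
    "Author": "FDSDRFGSEWRR",
    "Subject": "Carregando..",
}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_SUMMARY).items():
        print(f"{key}: {value}")
```

For this sample the decoder reports a 32-bit, Brazilian-Portuguese package with compressed sources that does not request elevation (Words = 2 + 8) and needs only Installer 2.0; the product name "Carregando.." and the keyboard-mash author string are the fields a triager would pivot on when hunting for sibling packages.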

Processes

Total processes: 40
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Process tree (reconstructed from the parent-process fields in Process information below; the interactive graph legend is omitted):

  msiexec.exe (PID 3024, user admin, MEDIUM): "msiexec.exe /i <sample>.msi", the user-launched install; no specs
  msiexec.exe (PID 3304, SYSTEM): "msiexec.exe /V", the Windows Installer service
    MsiExec.exe (PID 3796, user admin, MEDIUM): "MsiExec.exe -Embedding D0A15CF2120076324D5154CE5781A8A7", the custom-action server; drops and starts the next process
      DGWWP�GEC�U3E4U��D�H.exe (PID 2072, user admin, MEDIUM): dropped to C:\Users\Public\Documents\ (the file name contains characters that are not rendered in this report)

The custom-action server (PID 3796) loads jscript.dll, scrrun.dll, wshom.ocx, msxml3.dll and msado15.dll (see its module list below), which is what a script-based custom action looks like; the dropped executable then loads zlibai.dll from the same C:\Users\Public\Documents\ directory.

Process information

PID: 3024
CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\59a3f7c8511f22a6e48ec6a8f058fefaa3c881c0577bde3cf3ba34ef5688990b.msi"
Path: C:\Windows\System32\msiexec.exe
Indicators: No indicators
Parent process: ––
User: admin
Integrity Level: MEDIUM
Version info:
  Company: Microsoft Corporation
  Description: Windows® installer
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (loaded images):
c:\windows\system32\user32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msi.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msiexec.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\profapi.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\samcli.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\netutils.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sfc.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wininet.dll
c:\windows\system32\sxs.dll
c:\windows\system32\userenv.dll
c:\windows\system32\msctf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\mscoree.dll
c:\windows\apppatch\acgenral.dll
c:\windows\microsoft.net\framework\v4.0.30319\fusion.dll
c:\windows\system32\normaliz.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\winspool.drv
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\imm32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\netapi32.dll

PID: 3304
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\system32\msiexec.exe
Indicators:
Parent process: –– (not monitored; this instance is the Windows Installer service, see "Executed as Windows Service" above)
User: SYSTEM
Integrity Level: SYSTEM
Version info:
  Company: Microsoft Corporation
  Description: Windows® installer
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (loaded images):
c:\windows\system32\apphelp.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msiexec.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\samcli.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\user32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\msctf.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\shell32.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\devobj.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\profapi.dll
c:\windows\system32\mpr.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lpk.dll
c:\windows\system32\wininet.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msi.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\winspool.drv
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\imm32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\sxs.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\bcrypt.dll
c:\windows\microsoft.net\framework\v4.0.30319\fusion.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\wldap32.dll

PID: 3796
CMD: C:\Windows\system32\MsiExec.exe -Embedding D0A15CF2120076324D5154CE5781A8A7
Path: C:\Windows\system32\MsiExec.exe
Indicators:
Parent process: msiexec.exe
User: admin
Integrity Level: MEDIUM
Version info:
  Company: Microsoft Corporation
  Description: Windows® installer
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (loaded images):
c:\windows\system32\jscript.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\imm32.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\iphlpapi.dll
c:\windows\installer\msi360b.tmp
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\winmm.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\winnsi.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\usp10.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\wkscli.dll
c:\windows\installer\msi362b.tmp
c:\windows\system32\msiexec.exe
c:\windows\system32\shlwapi.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\mpr.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sfc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\cryptbase.dll
c:\windows\installer\msi35db.tmp
c:\windows\system32\sechost.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\version.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\lpk.dll
c:\windows\system32\samcli.dll
c:\windows\system32\devobj.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\msdart.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wship6.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\msasn1.dll
c:\windows\system32\sxs.dll
c:\windows\system32\netprofm.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\webio.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\secur32.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\credssp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\gpapi.dll
c:\users\public\documents\dgwwp�gec�u3e4u��d�h.exe

PID: 2072
CMD: C:\Users\Public\Documents\DGWWP�GEC�U3E4U��D�H.exe
Path: C:\Users\Public\Documents\DGWWP�GEC�U3E4U��D�H.exe
Indicators:
Parent process: MsiExec.exe
User: admin
Integrity Level: MEDIUM
Version info (from the PE version resource; the report does not record whether the file carries a valid signature):
  Company: Caphyon LTD
  Description: Advanced Installer Intune Tool
  Version: 18.1.0.0
Modules (loaded images):
c:\windows\system32\ws2_32.dll
c:\users\public\documents\dgwwp�gec�u3e4u��d�h.exe
c:\windows\system32\version.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\imm32.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wininet.dll
c:\windows\system32\webio.dll
c:\windows\system32\psapi.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\d3d9.dll
c:\windows\system32\usp10.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\users\public\documents\zlibai.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\d3d8thk.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\profapi.dll
c:\windows\system32\msctf.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\winspool.drv
c:\windows\system32\wsock32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\userenv.dll
c:\windows\system32\magnification.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winmm.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\lpk.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\secur32.dll
c:\windows\system32\security.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\colorui.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\mscms.dll
c:\windows\system32\inetres.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\compstui.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\imageres.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\slc.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\propsys.dll
c:\windows\system32\idndl.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\wship6.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\credssp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winsta.dll
c:\windows\system32\mlang.dll

Registry activity

Total events
9508
Read events
0
Write events
63
Delete events
0

Modification events

PID Process Operation Key Name Value
3304 msiexec.exe write HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress (default) C:\Windows\Installer\193570.ipi
3304 msiexec.exe write HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000 SessionHash 5958448E0EB8240715FDBD5D03A508EF9AD93B04EAD20F9CA87EE8A0C66EB74E
3304 msiexec.exe write HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000 Sequence 1
3304 msiexec.exe write HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000 Owner E80C00002002110E7C09D801
3796 MsiExec.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings ProxyEnable 0
3796 MsiExec.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap AutoDetect 0
3796 MsiExec.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap ProxyBypass 1
3796 MsiExec.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content CachePrefix
3796 MsiExec.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections SavedLegacySettings 460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
3796 MsiExec.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies CachePrefix Cookie:
3796 MsiExec.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap IntranetName 1
3796 MsiExec.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap UNCAsIntranet 1
3796 MsiExec.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History CachePrefix Visited:
3796 MsiExec.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47} WpadDecision 0
3796 MsiExec.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff WpadDecisionReason 1
3796 MsiExec.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff WpadDecision 0
3796 MsiExec.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-36-3e-ff WpadDecisionTime F24B7C0E7C09D801
3796 MsiExec.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47} WpadDecisionReason 1
3796 MsiExec.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47} WpadNetworkName Network 3
3796 MsiExec.exe write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCC67766-6201-4AD1-A6B8-2F4553C93D47} WpadDecisionTime F24B7C0E7C09D801
3796 MsiExec.exe write HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E LanguageList en-US
2072 DGWWP�GEC�U3E4U��D�H.exe write HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication Name DGWWP�GEC�U3E4U��D�H.exe
2072 DGWWP�GEC�U3E4U��D�H.exe write HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E LanguageList en-US

Files activity

Executable files
8
Suspicious files
6
Text files
1
Unknown types
4

Dropped files

PID Process Filename Type MD5 SHA256
3796 MsiExec.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\FGREWAGTRETWRE[1].png executable MD5: 4a38459b989c45af4bf89f1aad516942 SHA256: c041c7795f16058e366a95e4c6929f9453f00ba8367e7a3afe1026a09c84e6a6
3796 MsiExec.exe C:\Users\Public\Documents\zlibai.dll executable MD5: 7854d9da27486d8a529fd49afdf30351 SHA256: 479f313cc0ac2c56b837caf43ee298ff5782f8fd5de814841228888b8c16a440
3796 MsiExec.exe C:\Users\Public\Documents\DGWWP�GEC�U3E4U��D�H.exe executable MD5: 4a38459b989c45af4bf89f1aad516942 SHA256: c041c7795f16058e366a95e4c6929f9453f00ba8367e7a3afe1026a09c84e6a6
3796 MsiExec.exe C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\TRYRETFDGFHGDSF[1].png executable MD5: 7854d9da27486d8a529fd49afdf30351 SHA256: 479f313cc0ac2c56b837caf43ee298ff5782f8fd5de814841228888b8c16a440
3304 msiexec.exe C:\Windows\Installer\19356e.msi executable MD5: c86c9cc460da0b7d5a09c8096500c4ad SHA256: 59a3f7c8511f22a6e48ec6a8f058fefaa3c881c0577bde3cf3ba34ef5688990b
3304 msiexec.exe C:\Windows\Installer\MSI35DB.tmp executable MD5: e12c5bcc254c953b1a46d1434804f4d2 SHA256: 5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
3304 msiexec.exe C:\Windows\Installer\MSI362B.tmp executable MD5: e12c5bcc254c953b1a46d1434804f4d2 SHA256: 5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
3304 msiexec.exe C:\Windows\Installer\MSI360B.tmp executable MD5: e12c5bcc254c953b1a46d1434804f4d2 SHA256: 5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b
3796 MsiExec.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0255CEC2C51D081EFF40366512890989_76C19BA11C72361998CF4C34B60D39D2 der MD5: 96084a59337ead501978342ad08c09e8 SHA256: ff5fd254daac413948000c1d4ab9c103d549d1fdb63342155eecb17f19919cd2
2072 DGWWP�GEC�U3E4U��D�H.exe C:\ProgramData\admin\conect text MD5: 708b1a7e5a34086654af1947e4e4ca85 SHA256: d7d00669a2915a53b9b9255e862219bec30208678ff56c339f689c0e288a821a
3796 MsiExec.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0255CEC2C51D081EFF40366512890989_76C19BA11C72361998CF4C34B60D39D2 binary MD5: c7363139971d90a628e0304a01d09aa3 SHA256: 2b28edf0b078cbe473f2a93d909d4bf25cd9cc94439c96b8fba69d92319b8677
3796 MsiExec.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA der MD5: 29ab245ea76101a81872c15d2c54a651 SHA256: 866eabacad14e4c7cdca070f621364c563313d8a7661849225d7f2354a6b1bba
3796 MsiExec.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA binary MD5: 207ec28e1696b1ce35e8db0d54a96783 SHA256: a15550fe0a7b56da9b7f3041aacb8be44df5ab7371c681fcf68682675ab72a86
3796 MsiExec.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691 binary MD5: bd9bff4b40fc98eda9d23e73455c7fb5 SHA256: 0a0c6ad39946975f4f5de117fd66b64b32743e44ab920dd31e83ff60a0158c56
3796 MsiExec.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691 der MD5: d03ab18331b1dc62e284df6894ec5e6b SHA256: bea9c460f75b2495164979f6e00ac455b09f0763603e3e61680af677a7c16db4
3796 MsiExec.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 binary MD5: 0fccbc83205f2aa9a315572cbe9b2be3 SHA256: 1276c72e9d3deba3788e08458940f1452a8eb225b8a84daeca5f843150a458d5
3304 msiexec.exe C:\Windows\Installer\193570.ipi binary MD5: 6aba0ef5158767e161fa0aa3b0d6f3bf SHA256: 999850d3e4979a5e759eca4ece219421fa69bcde28b42fe4d37bf87cddf057aa
3796 MsiExec.exe C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 compressed MD5: f7dcb24540769805e5bb30d193944dce SHA256: 6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea
3304 msiexec.exe C:\Users\admin\AppData\Local\Temp\~DF8089EA92D82A8DB8.TMP gmc MD5: b5e3fa2b04ce1e68df5e29c386e4268b SHA256: 1e345b53271d4ace48247b3282076888fe879604aba51be470a21153fcd6e88f
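
Added example, not part of the ANY.RUN report and not code from the sample: a Python triage of the dropped-file table above. The records are constructed from that table (the eight executables plus the text file written by PID 2072; the CryptnetUrlCache and installer metadata rows are omitted), and the child process name is reproduced with the U+FFFD replacement characters the report shows. It flags the two cache entries named .png that the sandbox typed as executables, pairs each with the file of identical SHA256 written to C:\Users\Public\Documents (the payload .exe and zlibai.dll), and adds an MZ/PE signature check for when the bytes themselves are at hand. The sample byte strings for that check are constructed, not taken from the sample.

```python
import os
from collections import defaultdict, namedtuple

Drop = namedtuple("Drop", "pid process path kind sha256")

# Records constructed from the "Dropped files" table in this report (the eight
# executables plus the text file written by PID 2072); CryptnetUrlCache and
# installer metadata entries are left out. The child process name contains
# U+FFFD replacement characters in the report and is reproduced as rendered.
CHILD = "DGWWP\ufffdGEC\ufffdU3E4U\ufffd\ufffdD\ufffdH.exe"
IE_CACHE = r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5"
PUBLIC_DOCS = r"C:\Users\Public\Documents"
PAYLOAD_SHA = "c041c7795f16058e366a95e4c6929f9453f00ba8367e7a3afe1026a09c84e6a6"
HELPER_SHA = "479f313cc0ac2c56b837caf43ee298ff5782f8fd5de814841228888b8c16a440"
TMP_SHA = "5316cfae8b4d28ab7cbc5cab60e27b0c0f5a3210a921a4b0560769c5021c911b"

DROPPED = [
    Drop("3796", "MsiExec.exe", IE_CACHE + r"\PO2HN1X2\FGREWAGTRETWRE[1].png", "executable", PAYLOAD_SHA),
    Drop("3796", "MsiExec.exe", PUBLIC_DOCS + r"\zlibai.dll", "executable", HELPER_SHA),
    Drop("3796", "MsiExec.exe", PUBLIC_DOCS + "\\" + CHILD, "executable", PAYLOAD_SHA),
    Drop("3796", "MsiExec.exe", IE_CACHE + r"\B6QGX7LP\TRYRETFDGFHGDSF[1].png", "executable", HELPER_SHA),
    Drop("3304", "msiexec.exe", r"C:\Windows\Installer\19356e.msi", "executable",
         "59a3f7c8511f22a6e48ec6a8f058fefaa3c881c0577bde3cf3ba34ef5688990b"),
    Drop("3304", "msiexec.exe", r"C:\Windows\Installer\MSI35DB.tmp", "executable", TMP_SHA),
    Drop("3304", "msiexec.exe", r"C:\Windows\Installer\MSI362B.tmp", "executable", TMP_SHA),
    Drop("3304", "msiexec.exe", r"C:\Windows\Installer\MSI360B.tmp", "executable", TMP_SHA),
    Drop("2072", CHILD, r"C:\ProgramData\admin\conect", "text",
         "d7d00669a2915a53b9b9255e862219bec30208678ff56c339f689c0e288a821a"),
]

IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}


def extension_lies(drops):
    """Paths whose file name claims an image while the sandbox typed the content as a PE."""
    out = []
    for d in drops:
        name = d.path.rsplit("\\", 1)[-1]          # Windows path, split by hand on posix
        if os.path.splitext(name)[1].lower() in IMAGE_EXTS and d.kind == "executable":
            out.append(d.path)
    return out


def same_bytes(drops):
    """SHA256 -> paths, for hashes that occur more than once."""
    groups = defaultdict(list)
    for d in drops:
        groups[d.sha256].append(d.path)
    return {h: paths for h, paths in groups.items() if len(paths) > 1}


def renamed_downloads(drops):
    """(cache copy, dropped copy) pairs: identical bytes, one under the WinINet cache and
    one written elsewhere, i.e. the download was renamed rather than decoded or unpacked."""
    pairs = []
    for paths in same_bytes(drops).values():
        cached = [p for p in paths if p.startswith(IE_CACHE)]
        placed = [p for p in paths if not p.startswith(IE_CACHE)]
        pairs.extend((c, p) for c in cached for p in placed)
    return pairs


def is_pe(data):
    """MZ header plus a PE\\0\\0 signature at e_lfanew; apply to file bytes when available."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Constructed byte samples for is_pe(): a minimal DOS stub with e_lfanew=0x40, and the PNG magic.
FAKE_PE = b"MZ" + b"\x00" * (0x3C - 2) + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def triage(drops):
    """The pivots an analyst takes from this table, as one dict."""
    return {
        "extension_lies": extension_lies(drops),
        "renamed_downloads": renamed_downloads(drops),
        "public_writes": [d.path for d in drops if d.path.lower().startswith(r"c:\users\public")],
        "child_writes": [d.path for d in drops if d.process == CHILD],
    }


if __name__ == "__main__":
    for key, value in triage(DROPPED).items():
        print(key)
        for item in value:
            print("   ", item)
```

Run stand-alone it prints the two .png cache entries, the two (cache, Public\Documents) pairs, the two files placed in a world-writable location, and the single file the child process wrote (C:\ProgramData\admin\conect). The three MSI*.tmp files share one hash among themselves but have no cache counterpart, so they are grouped by same_bytes() and correctly excluded by renamed_downloads().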

Network activity

HTTP(S) requests
6
TCP/UDP connections
7
DNS requests
5
Threats
4

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3796 MsiExec.exe GET 200 209.197.3.8:80 http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5b7785a346fb93ee US compressed whitelisted
3796 MsiExec.exe GET 200 104.18.30.182:80 http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEGfe9D7xe9riT%2FWUBgbSwIQ%3D US der shared
3796 MsiExec.exe GET 200 104.18.30.182:80 http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEQDwHUvue3yjezwFZqwFlyRY US der shared
3796 MsiExec.exe GET 200 104.18.30.182:80 http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSTufqHinruS%2FP9Wi1XSjRRzoTLfAQUfgNaZUFrp34K4bidCOodjh1qx2UCEQDJ99nHmXsm6UCfPUeS28Zn US der shared
2072 DGWWP�GEC�U3E4U��D�H.exe GET 200 208.95.112.1:80 http://ip-api.com/json/ unknown binary shared
2072 DGWWP�GEC�U3E4U��D�H.exe GET 200 208.95.112.1:80 http://ip-api.com/json/ unknown binary shared

Connections

PID Process IP ASN CN Reputation
3796 MsiExec.exe 5.9.147.237:443 Hetzner Online GmbH DE unknown
3796 MsiExec.exe 209.197.3.8:80 Highwinds Network Group, Inc. US suspicious
3796 MsiExec.exe 104.18.30.182:80 Cloudflare Inc US suspicious
2072 DGWWP�GEC�U3E4U��D�H.exe 104.23.98.190:443 Cloudflare Inc US malicious
2072 DGWWP�GEC�U3E4U��D�H.exe 208.95.112.1:80 IBURST –– malicious

DNS requests

Domain IP Reputation
3dgq1431.simple.az 5.9.147.237 unknown
ctldl.windowsupdate.com 209.197.3.8 whitelisted
ocsp.comodoca.com 104.18.30.182, 104.18.31.182 shared
pastebin.com 104.23.98.190, 104.23.99.190 shared
ip-api.com 208.95.112.1 shared

Threats

PID Process Class Message
2072 DGWWP�GEC�U3E4U��D�H.exe Potential Corporate Privacy Violation ET POLICY External IP Lookup ip-api.com
2072 DGWWP�GEC�U3E4U��D�H.exe Potential Corporate Privacy Violation AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
2072 DGWWP�GEC�U3E4U��D�H.exe Potential Corporate Privacy Violation ET POLICY External IP Lookup ip-api.com
2072 DGWWP�GEC�U3E4U��D�H.exe Potential Corporate Privacy Violation AV POLICY Internal Host Retrieving External IP Address (ip-api. com)

Debug output strings

Process Message
–– Invalid parameter passed to C runtime function.
–– Invalid parameter passed to C runtime function.