Malware analysis 81b73.msi Malicious activity | ANY.RUN

Add for printing

File name:	81b73.msi
Full analysis:	https://app.any.run/tasks/1aa7f6e6-3b96-4db0-8185-f74df89d599d
Verdict:	Malicious activity
Analysis date:	November 14, 2023, 06:32:01
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	generated-doc
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {3EC57D06-013F-4180-9922-FE5C74B65FE6}, Number of Words: 10, Subject: Browser Assistant, Author: Realistic Media Inc., Name of Creating Application: Advanced Installer 15.8 build b14c769f44, Template: ;1033, Comments: This installer database contains the logic and data required to install Browser Assistant., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
MD5:	1528B593F65BCBCA9A88663AC528510F
SHA1:	2528591984935CC3290AAC4931CDBA8DCA580BFB
SHA256:	69925C370A71B0BC37EB5D6381E8FC3309A7E71A7BDADE54233214C73C728170
SSDEEP:	196608://Jwrsfnmos+6n03JMfFCoyIfiyKmZ2AbyILoGeHwXVECuX:nJwrsfmZ05MMoamZ22yILoGfXJuX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Bypass execution policy to execute commands
  - powershell.exe (PID: 1584)
  - powershell.exe (PID: 2412)
  - powershell.exe (PID: 2992)
- Changes powershell execution policy (Bypass)
  - msiexec.exe (PID: 2784)
- Drops the executable file immediately after the start
  - msiexec.exe (PID: 1088)
  - 7za.exe (PID: 2840)
SUSPICIOUS
- Reads the Internet Settings
  - msiexec.exe (PID: 2700)
  - powershell.exe (PID: 1584)
- Checks Windows Trust Settings
  - msiexec.exe (PID: 1088)
- Executes as Windows Service
  - VSSVC.exe (PID: 2952)
- The process executes Powershell scripts
  - msiexec.exe (PID: 2784)
- The process hide an interactive prompt from the user
  - msiexec.exe (PID: 2784)
- The process bypasses the loading of PowerShell profile settings
  - msiexec.exe (PID: 2784)
- Starts POWERSHELL.EXE for commands execution
  - msiexec.exe (PID: 2784)
- Uses TASKKILL.EXE to kill process
  - powershell.exe (PID: 2412)
- Process drops legitimate windows executable
  - msiexec.exe (PID: 1088)
- Drops 7-zip archiver for unpacking
  - msiexec.exe (PID: 1088)
- Unusual connection from system programs
  - powershell.exe (PID: 1584)
- The process drops C-runtime libraries
  - msiexec.exe (PID: 1088)
INFO
- Reads the computer name
  - msiexec.exe (PID: 1088)
  - msiexec.exe (PID: 2784)
  - 7za.exe (PID: 2840)
- Checks supported languages
  - msiexec.exe (PID: 1088)
  - msiexec.exe (PID: 2784)
  - 7za.exe (PID: 2840)
- Create files in a temporary directory
  - msiexec.exe (PID: 2700)
  - msiexec.exe (PID: 2784)
  - powershell.exe (PID: 1584)
  - powershell.exe (PID: 2412)
  - msiexec.exe (PID: 1088)
  - powershell.exe (PID: 2992)
- Reads the machine GUID from the registry
  - msiexec.exe (PID: 1088)
  - msiexec.exe (PID: 2784)
- Creates files or folders in the user directory
  - msiexec.exe (PID: 2700)
  - msiexec.exe (PID: 1088)
  - 7za.exe (PID: 2840)
- Reads security settings of Internet Explorer
  - msiexec.exe (PID: 2700)
  - powershell.exe (PID: 1584)
  - powershell.exe (PID: 2412)
  - powershell.exe (PID: 2992)
- Reads Environment values
  - msiexec.exe (PID: 2784)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.msi	\|	Microsoft Windows Installer (81.9)
.mst	\|	Windows SDK Setup Transform Script (9.2)
.msp	\|	Windows Installer Patch (7.6)
.msi	\|	Microsoft Installer (100)

EXIF

FlashPix

LastPrinted:	2009:12:11 11:47:44
CreateDate:	2009:12:11 11:47:44
ModifyDate:	2009:12:11 11:47:44
Security:	None
CodePage:	Windows Latin 1 (Western European)
RevisionNumber:	{3EC57D06-013F-4180-9922-FE5C74B65FE6}
Words:	10
Subject:	Browser Assistant
Author:	Realistic Media Inc.
LastModifiedBy:	-
Software:	Advanced Installer 15.8 build b14c769f44
Template:	;1033
Comments:	This installer database contains the logic and data required to install Browser Assistant.
Title:	Installation Database
Keywords:	Installer, MSI, Database
Pages:	200

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1088

C:\Windows\system32\msiexec.exe /V

C:\Windows\System32\msiexec.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows® installer

Exit code:

Version:

5.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

1584

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\Temp\pssD7F9.tmp.ps1"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.14409.1005 (rs1_srvoob.161208-1155)

Modules

Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

2412

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\Temp\pssE1E0.tmp.ps1"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.14409.1005 (rs1_srvoob.161208-1155)

Modules

Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

2448

"C:\Windows\system32\taskkill.exe" /F /pid

C:\Windows\SysWOW64\taskkill.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Terminates Processes

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

2700

"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\81b73.msi"

C:\Windows\System32\msiexec.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Exit code:

Version:

5.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2784

C:\Windows\syswow64\MsiExec.exe -Embedding A1BB27B6F358590E246C17DF05DBC1FC

C:\Windows\SysWOW64\msiexec.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Exit code:

Version:

5.0.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

2840

"C:\Users\admin\AppData\Roaming/Browser Assistant/7za.exe" x Data2.7z -y -p1.41.1302.28794

C:\Users\admin\AppData\Roaming\Browser Assistant\7za.exe

—

powershell.exe

User:

admin

Company:

Igor Pavlov

Integrity Level:

MEDIUM

Description:

7-Zip Standalone Console

Exit code:

Version:

19.00

Modules

Images
c:\users\admin\appdata\roaming\browser assistant\7za.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

2952

C:\Windows\system32\vssvc.exe

C:\Windows\System32\VSSVC.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft® Volume Shadow Copy Service

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2992

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\Temp\pssEE58.tmp.ps1"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.14409.1005 (rs1_srvoob.161208-1155)

Modules

Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

Add for printing

Total events

7 277

Read events

7 229

Write events

Delete events

Modification events


(PID) Process:	(2700) msiexec.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\156\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(1088) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 4800000000000000C42CD6BE4EB0D9014C0F0000380F0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(1088) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:	write	Name:	SppCreate (Enter)
Value: 4800000000000000C42CD6BE4EB0D9014C0F0000380F0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(1088) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:	write	Name:	LastIndex
Value: 66
(PID) Process:	(1088) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:	write	Name:	SppGatherWriterMetadata (Enter)
Value: 480000000000000080A00ABF4EB0D9014C0F0000380F0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(1088) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:	write	Name:	SppGatherWriterMetadata (Leave)
Value: 4800000000000000A4CA79C04EB0D9014C0F0000380F0000D30700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(1088) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:	write	Name:	SppAddInterestingComponents (Enter)
Value: 4800000000000000A4CA79C04EB0D9014C0F0000380F0000D40700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(1088) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:	write	Name:	SppAddInterestingComponents (Leave)
Value: 4800000000000000CE3F8FC04EB0D9014C0F0000380F0000D40700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(1088) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:	write	Name:	SppCreate (Leave)
Value: 48000000000000000CAEE5C24EB0D9014C0F0000380F0000D00700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(1088) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Leave)
Value: 48000000000000006610E8C24EB0D9014C0F0000380F0000D50700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Add for printing

Executable files

Suspicious files

Text files

2 085

Unknown types

Dropped files

PID	Process	Filename		Type
1088	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
1088	msiexec.exe	C:\Windows\Installer\19d3b1.msi		—
		MD5:—	SHA256:—
2784	msiexec.exe	C:\Users\admin\AppData\Local\Temp\msiD7E7.tmp.txt		—
		MD5:—	SHA256:—
2784	msiexec.exe	C:\Users\admin\AppData\Local\Temp\pssD7E8.tmp.ps1		—
		MD5:—	SHA256:—
2784	msiexec.exe	C:\Users\admin\AppData\Local\Temp\pssD7F9.tmp.ps1		—
		MD5:—	SHA256:—
2784	msiexec.exe	C:\Users\admin\AppData\Local\Temp\msiE1CF.tmp.txt		—
		MD5:—	SHA256:—
2784	msiexec.exe	C:\Users\admin\AppData\Local\Temp\pssE1DF.tmp.ps1		—
		MD5:—	SHA256:—
2784	msiexec.exe	C:\Users\admin\AppData\Local\Temp\pssE1E0.tmp.ps1		—
		MD5:—	SHA256:—
1088	msiexec.exe	C:\Windows\Installer\MSIE76C.tmp		executable
		MD5:3144225F1A2DCCFDA435970964158357	SHA256:A99D2C6FD1667942A085F01784BD599762182FCE8A8F866FA12AC93F52AE2ED1
1584	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:446DD1CF97EABA21CF14D03AEBC79F27	SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2700	msiexec.exe	GET	200	23.32.238.178:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?16a5120acdc97ea5	DE	compressed	61.6 Kb	unknown
1584	powershell.exe	POST	200	13.32.118.218:80	http://d1ph3c47yby10w.cloudfront.net/	US	binary	19 b	unknown
2700	msiexec.exe	GET	200	34.229.33.15:80	http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt	US	binary	1.48 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
324	svchost.exe	224.0.0.252:5355	—	—	—	unknown
1956	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
2700	msiexec.exe	34.229.33.15:80	www.ssl.com	AMAZON-AES	US	unknown
2700	msiexec.exe	23.32.238.178:80	ctldl.windowsupdate.com	Akamai International B.V.	DE	unknown
1584	powershell.exe	13.32.118.218:80	d1ph3c47yby10w.cloudfront.net	AMAZON-02	US	unknown

DNS requests

Domain	IP	Reputation
www.ssl.com	34.229.33.15 18.205.123.191	unknown
ctldl.windowsupdate.com	23.32.238.178 23.32.238.232 23.32.238.224 23.32.238.171 23.32.238.240 23.32.238.226 23.32.238.219 23.32.238.169 23.32.238.241	whitelisted
d1ph3c47yby10w.cloudfront.net	13.32.118.218 13.32.118.131 13.32.118.75 13.32.118.166	unknown

Threats

No threats detected

Add for printing

No debug info

General Info

81b73.msi

1528B593F65BCBCA9A88663AC528510F

2528591984935CC3290AAC4931CDBA8DCA580BFB

69925C370A71B0BC37EB5D6381E8FC3309A7E71A7BDADE54233214C73C728170

196608://Jwrsfnmos+6n03JMfFCoyIfiyKmZ2AbyILoGeHwXVECuX:nJwrsfmZ05MMoamZ22yILoGfXJuX

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Bypass execution policy to execute commands

Changes powershell execution policy (Bypass)

Drops the executable file immediately after the start

SUSPICIOUS

Reads the Internet Settings

Checks Windows Trust Settings

Executes as Windows Service

The process executes Powershell scripts

The process hide an interactive prompt from the user

The process bypasses the loading of PowerShell profile settings

Starts POWERSHELL.EXE for commands execution

Uses TASKKILL.EXE to kill process

Process drops legitimate windows executable

Drops 7-zip archiver for unpacking

Unusual connection from system programs

The process drops C-runtime libraries

INFO

Reads the computer name

Checks supported languages

Create files in a temporary directory

Reads the machine GUID from the registry

Creates files or folders in the user directory

Reads security settings of Internet Explorer

Reads Environment values

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings