Malware analysis /4.x/windows/wazuh-agent-4.12.0-1.msi Malicious activity

Add for printing

download:	/4.x/windows/wazuh-agent-4.12.0-1.msi
Full analysis:	https://app.any.run/tasks/0f422bdf-b436-4106-9b61-caa29bf1cc6b
Verdict:	Malicious activity
Analysis date:	July 18, 2025, 09:25:57
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	generated-doc mimikatz tools
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Wazuh helps you to gain security visibility into your infrastructure by monitoring hosts at an operating system and application level. It provides the following capabilities: log analysis, file integrity monitoring, intrusions detection and policy and compliance monitoring, Author: Wazuh, Inc., Keywords: Installer, Comments: wazuh-agent, Template: Intel;1033, Revision Number: {8D57269C-2008-4289-AD64-3C477FEA0843}, Create Time/Date: Mon Mar 31 11:06:00 2025, Last Saved Time/Date: Mon Mar 31 11:06:00 2025, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5:	CF4EB5E35B9821BE0B1FF08970E5F838
SHA1:	91D34A8F912AB1423D72F53E452FA49EC76A0841
SHA256:	69FE54ADDDBB0340B013B1F0DA6DA9E531E674A360590B4DF212984B50FCEC5B
SSDEEP:	98304:HtjFmVWUqWYsJ3hCSGpxjMQrNsbZfDEy4iRLiVRjnuhZbaNRxAHicx7iD6XNyF4d:H9EzeWMOL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Accesses system services(Win32_Service) via WMI (SCRIPT)
  - msiexec.exe (PID: 2148)
- Opens a text file (SCRIPT)
  - msiexec.exe (PID: 6620)
- Executing a file with an untrusted certificate
  - wazuh-agent.exe (PID: 6140)
  - restart-wazuh.exe (PID: 6488)
  - wazuh-agent.exe (PID: 1388)
  - win32ui.exe (PID: 5712)
  - win32ui.exe (PID: 7108)
- Starts NET.EXE for service management
  - powershell.exe (PID: 6860)
  - net.exe (PID: 3788)
  - cmd.exe (PID: 2612)
  - net.exe (PID: 6544)
  - cmd.exe (PID: 1592)
  - net.exe (PID: 788)
- Starts NET.EXE to view/change login properties
  - wazuh-agent.exe (PID: 6140)
  - net.exe (PID: 4528)
  - net.exe (PID: 3908)
  - net.exe (PID: 480)
  - net.exe (PID: 6312)
  - net.exe (PID: 6940)
  - net.exe (PID: 2604)
  - net.exe (PID: 6488)
  - net.exe (PID: 1480)
  - net.exe (PID: 6068)
  - net.exe (PID: 4264)
  - net.exe (PID: 7064)
  - net.exe (PID: 440)
  - net.exe (PID: 1712)
  - net.exe (PID: 5652)
  - net.exe (PID: 4120)
  - wazuh-agent.exe (PID: 1388)
  - net.exe (PID: 828)
  - net.exe (PID: 2168)
  - net.exe (PID: 4676)
- Starts NET.EXE to view/add/change user profiles
  - wazuh-agent.exe (PID: 6140)
  - net.exe (PID: 5432)
  - net.exe (PID: 5140)
  - net.exe (PID: 6620)
  - net.exe (PID: 5240)
  - net.exe (PID: 5928)
  - net.exe (PID: 5300)
  - net.exe (PID: 2328)
  - net.exe (PID: 1624)
  - wazuh-agent.exe (PID: 1388)
  - net.exe (PID: 2704)
  - net.exe (PID: 6912)
- MIMIKATZ has been detected (YARA)
  - wazuh-agent.exe (PID: 6140)
  - wazuh-agent.exe (PID: 1388)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - msiexec.exe (PID: 2148)
  - msiexec.exe (PID: 6620)
  - msiexec.exe (PID: 6680)
  - msiexec.exe (PID: 3968)
  - msiexec.exe (PID: 188)
  - win32ui.exe (PID: 5712)
- The process creates files with name similar to system file names
  - msiexec.exe (PID: 6256)
- Uses TASKKILL.EXE to kill process
  - msiexec.exe (PID: 6620)
  - msiexec.exe (PID: 6680)
- Creates an object to access WMI (SCRIPT)
  - msiexec.exe (PID: 2148)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 6256)
- Executes WMI query (SCRIPT)
  - msiexec.exe (PID: 2148)
  - msiexec.exe (PID: 6620)
- Uses WMI to retrieve WMI-managed resources (SCRIPT)
  - msiexec.exe (PID: 2148)
  - msiexec.exe (PID: 6620)
- Reads data from a binary Stream object (SCRIPT)
  - msiexec.exe (PID: 6620)
- Accesses OperatingSystem(Win32_OperatingSystem) via WMI (SCRIPT)
  - msiexec.exe (PID: 6620)
- Uses ICACLS.EXE to modify access control lists
  - msiexec.exe (PID: 6620)
- Runs shell command (SCRIPT)
  - msiexec.exe (PID: 6620)
  - msiexec.exe (PID: 6680)
- Executes as Windows Service
  - wazuh-agent.exe (PID: 6140)
  - wazuh-agent.exe (PID: 1388)
- Creates FileSystem object to access computer's file system (SCRIPT)
  - msiexec.exe (PID: 6620)
- Checks whether a specific file exists (SCRIPT)
  - msiexec.exe (PID: 6620)
- Writes binary data to a Stream object (SCRIPT)
  - msiexec.exe (PID: 6620)
- Connects to unusual port
  - wazuh-agent.exe (PID: 6140)
  - wazuh-agent.exe (PID: 1388)
- Manipulates environment variables
  - powershell.exe (PID: 3964)
  - powershell.exe (PID: 6876)
- Searches for installed software
  - wazuh-agent.exe (PID: 6140)
  - wazuh-agent.exe (PID: 1388)
- Starts POWERSHELL.EXE for commands execution
  - wazuh-agent.exe (PID: 6140)
  - wazuh-agent.exe (PID: 1388)
- Probably obfuscated PowerShell command line is found
  - wazuh-agent.exe (PID: 6140)
  - wazuh-agent.exe (PID: 1388)
- Starts CMD.EXE for commands execution
  - restart-wazuh.exe (PID: 6488)
INFO
- Reads security settings of Internet Explorer
  - msiexec.exe (PID: 640)
- The sample compiled with english language support
  - msiexec.exe (PID: 640)
  - msiexec.exe (PID: 6256)
- Create files in a temporary directory
  - msiexec.exe (PID: 640)
  - msiexec.exe (PID: 3760)
- Checks proxy server information
  - msiexec.exe (PID: 640)
  - powershell.exe (PID: 6860)
  - slui.exe (PID: 7124)
- Creates files or folders in the user directory
  - msiexec.exe (PID: 640)
- Checks supported languages
  - msiexec.exe (PID: 6256)
  - msiexec.exe (PID: 6620)
  - msiexec.exe (PID: 2148)
  - wazuh-agent.exe (PID: 6140)
  - restart-wazuh.exe (PID: 6488)
  - wazuh-agent.exe (PID: 1388)
  - msiexec.exe (PID: 6680)
  - msiexec.exe (PID: 3968)
  - win32ui.exe (PID: 5712)
  - msiexec.exe (PID: 188)
- Reads the software policy settings
  - msiexec.exe (PID: 640)
  - msiexec.exe (PID: 6256)
  - wazuh-agent.exe (PID: 6140)
  - restart-wazuh.exe (PID: 6488)
  - slui.exe (PID: 7124)
  - wazuh-agent.exe (PID: 1388)
  - win32ui.exe (PID: 5712)
- Reads the computer name
  - msiexec.exe (PID: 6256)
  - msiexec.exe (PID: 6620)
  - msiexec.exe (PID: 2148)
  - wazuh-agent.exe (PID: 6140)
  - restart-wazuh.exe (PID: 6488)
  - wazuh-agent.exe (PID: 1388)
  - msiexec.exe (PID: 3968)
  - msiexec.exe (PID: 6680)
  - win32ui.exe (PID: 5712)
  - msiexec.exe (PID: 188)
- Disables trace logs
  - powershell.exe (PID: 6860)
- Checks current location (POWERSHELL)
  - powershell.exe (PID: 6860)
- Manual execution by a user
  - powershell.exe (PID: 6860)
- Reads the machine GUID from the registry
  - msiexec.exe (PID: 6256)
  - wazuh-agent.exe (PID: 6140)
  - restart-wazuh.exe (PID: 6488)
  - wazuh-agent.exe (PID: 1388)
  - win32ui.exe (PID: 5712)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 6256)
  - msiexec.exe (PID: 640)
- Creates a software uninstall entry
  - msiexec.exe (PID: 6256)
- Process checks computer location settings
  - msiexec.exe (PID: 6620)
  - msiexec.exe (PID: 6680)
  - msiexec.exe (PID: 188)
- Creates files in the program directory
  - wazuh-agent.exe (PID: 6140)
  - wazuh-agent.exe (PID: 1388)
- Reads product name
  - wazuh-agent.exe (PID: 6140)
  - wazuh-agent.exe (PID: 1388)
- Reads CPU info
  - wazuh-agent.exe (PID: 6140)
  - wazuh-agent.exe (PID: 1388)
- Reads the time zone
  - net1.exe (PID: 3960)
  - net1.exe (PID: 6704)
  - net1.exe (PID: 3964)
  - net1.exe (PID: 5724)
  - net1.exe (PID: 1508)
  - net1.exe (PID: 7108)
  - net1.exe (PID: 6356)
  - net1.exe (PID: 2876)
  - net1.exe (PID: 6232)
  - net1.exe (PID: 4120)
- Reads Environment values
  - wazuh-agent.exe (PID: 6140)
  - wazuh-agent.exe (PID: 1388)
- Uses string split method (POWERSHELL)
  - powershell.exe (PID: 3964)
  - powershell.exe (PID: 6876)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.msi	\|	Microsoft Windows Installer (98.5)
.msi	\|	Microsoft Installer (100)

EXIF

FlashPix

CodePage:	Windows Latin 1 (Western European)
Title:	Installation Database
Subject:	Wazuh helps you to gain security visibility into your infrastructure by monitoring hosts at an operating system and application level. It provides the following capabilities: log analysis, file integrity monitoring, intrusions detection and policy and compliance monitoring
Author:	Wazuh, Inc.
Keywords:	Installer
Comments:	wazuh-agent
Template:	Intel;1033
RevisionNumber:	{8D57269C-2008-4289-AD64-3C477FEA0843}
CreateDate:	2025:04:30 11:06:00
ModifyDate:	2025:04:30 11:06:00
Pages:	200
Words:	2
Software:	Windows Installer XML Toolset (3.11.2.4516)
Security:	Read-only recommended

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

407

Monitored processes

256

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

188

C:\Windows\syswow64\MsiExec.exe -Embedding 277033DFD53E0399D702F02A0103E9F0 C

C:\Windows\SysWOW64\msiexec.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Exit code:

Version:

5.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

440

net.exe accounts

C:\Windows\SysWOW64\net.exe

—

wazuh-agent.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Net Command

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll

480

net.exe accounts

C:\Windows\SysWOW64\net.exe

—

wazuh-agent.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Net Command

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll

480

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

auditpol.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

504

auditpol.exe /get /subcategory:"Group Membership"

C:\Windows\SysWOW64\auditpol.exe

—

wazuh-agent.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Audit Policy Program

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\auditpol.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll

640

"C:\Windows\System32\msiexec.exe" /i C:\Users\admin\AppData\Local\Temp\wazuh-agent-4.12.0-1.msi

C:\Windows\System32\msiexec.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Exit code:

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

788

C:\WINDOWS\system32\net.exe start Wazuh

C:\Windows\SysWOW64\net.exe

—

cmd.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Net Command

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll

828

net.exe accounts

C:\Windows\SysWOW64\net.exe

—

wazuh-agent.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Net Command

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll

856

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

auditpol.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

856

C:\WINDOWS\system32\net1 accounts

C:\Windows\SysWOW64\net1.exe

—

net.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Net Command

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll

Add for printing

Total events

67 007

Read events

66 771

Write events

225

Delete events

Modification events


(PID) Process:	(2148) msiexec.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings
Operation:	write	Name:	JITDebug
Value: 0
(PID) Process:	(6256) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3885C51CBF007D147B6E358CCB0367F1
Operation:	write	Name:	DE7D7B08736A3F6469CFF2E94AF48968
Value: C:\Program Files (x86)\ossec-agent\manage_agents.exe
(PID) Process:	(6256) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7997E4406B218714DB009B5000BD5AF3
Operation:	write	Name:	DE7D7B08736A3F6469CFF2E94AF48968
Value: C:\Program Files (x86)\ossec-agent\wazuh-agent.exe
(PID) Process:	(6256) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\CD6AECC543487314496855EA939462B6
Operation:	write	Name:	DE7D7B08736A3F6469CFF2E94AF48968
Value:
(PID) Process:	(6256) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1085FE02B9632CE4782A95CD5E36809D
Operation:	write	Name:	DE7D7B08736A3F6469CFF2E94AF48968
Value: C:\Program Files (x86)\ossec-agent\vista_sec.txt
(PID) Process:	(6256) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F6CBCA7E0A8DB0148B2DA29D5F51B20A
Operation:	write	Name:	DE7D7B08736A3F6469CFF2E94AF48968
Value: C:\Program Files (x86)\ossec-agent\win32ui.exe
(PID) Process:	(6256) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B9326353D220B9A47A8FF246311251DE
Operation:	write	Name:	DE7D7B08736A3F6469CFF2E94AF48968
Value: C:\Program Files (x86)\ossec-agent\
(PID) Process:	(6256) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BC470A12BFB32D540ACE5D293959D09D
Operation:	write	Name:	DE7D7B08736A3F6469CFF2E94AF48968
Value: C:\Program Files (x86)\ossec-agent\help.txt
(PID) Process:	(6256) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4F17569289426FC42B682B5C440376E8
Operation:	write	Name:	DE7D7B08736A3F6469CFF2E94AF48968
Value: C:\Program Files (x86)\ossec-agent\VERSION.json
(PID) Process:	(6256) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3778FBAE9B758DC48A26780B0E06BD8F
Operation:	write	Name:	DE7D7B08736A3F6469CFF2E94AF48968
Value: C:\Program Files (x86)\ossec-agent\wpk_root.pem

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6860	powershell.exe	C:\Users\admin\AppData\Local\Temp\wazuh-agent		—
		MD5:—	SHA256:—
6256	msiexec.exe	C:\Windows\Installer\19c28b.msi		—
		MD5:—	SHA256:—
640	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141		binary
		MD5:45EDFA0F1848F696AE86E8BB228BEDDD	SHA256:2CFCA4FC9213B0E614BEAECB70C8DA46CBCA0BCFC39801B72F59AC089901CAF6
6256	msiexec.exe	C:\Program Files (x86)\ossec-agent\active-response\active-responses.log		—
		MD5:—	SHA256:—
640	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB		binary
		MD5:CE8B2D7AC0471DFA0C96BF02FEFE34C2	SHA256:CEAF87E48FD9FC0ED141A32772B58971CFFCB615E21376B233C2F27BCF88F8AA
6256	msiexec.exe	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log		text
		MD5:D7A59DB57451A3ADF23898B50339581B	SHA256:F30A8A874CA02D6BA5258DD5D1D506FDB1B282E1535B1501DDE15507AA6530D7
6860	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt		text
		MD5:EA7A2C6B3DEE4E918A89B8F2E1B0681C	SHA256:06E6A78E9FAB0076DAE98B6D6C980F0471E20ED23EBA88FEB3E5843E40E3C845
6860	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF191bcb.TMP		binary
		MD5:00A03B286E6E0EBFF8D9C492365D5EC2	SHA256:4DBFC417D053BA6867308671F1C61F4DCAFC61F058D4044DB532DA6D3BDE3615
640	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_4CAFA09964FFF678458D56D5ABF1D678		binary
		MD5:3C3E67C8864E1075A26EFD41EE1037EE	SHA256:C8BB07D77343AF6C70A503495407D8BE0FDF858A1C0207F16E3C72FFF3032BDA
6860	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CXM6LAX9QWM23CLLHELR.temp		binary
		MD5:C21B4BA52CEA1DB7DA61D399924E3EB3	SHA256:FCA4C83039B6277F40887D05DE9D0465BEF1E02808F5393E06EF34EAC1A00AE7

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
640	msiexec.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D	unknown	—	—	whitelisted
640	msiexec.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D	unknown	—	—	whitelisted
640	msiexec.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEA4sUPeSVHoAfRnTvgHTO6k%3D	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5328	SearchApp.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
4892	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5328	SearchApp.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
2596	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
2596	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5944	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1352	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
640	msiexec.exe	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1268	svchost.exe	23.216.77.6:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5328	SearchApp.exe	2.16.241.201:443	www.bing.com	Akamai International B.V.	DE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 20.73.194.208 40.127.240.158	whitelisted
google.com	142.250.184.238	whitelisted
ocsp.digicert.com	2.17.190.73 184.30.131.245	whitelisted
crl.microsoft.com	23.216.77.6 23.216.77.28	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
www.bing.com	2.16.241.201 2.16.241.223 2.16.241.204 2.16.241.225 2.16.241.219 2.16.241.200 2.16.241.218 2.16.241.224 2.16.241.222	whitelisted
login.live.com	40.126.31.0 40.126.31.71 20.190.159.130 40.126.31.69 20.190.159.73 20.190.159.23 40.126.31.1 40.126.31.128	whitelisted
fp.msedge.net	204.79.197.222	whitelisted
th.bing.com	92.123.104.58 92.123.104.62 92.123.104.47 92.123.104.7 92.123.104.49 92.123.104.46 92.123.104.53 92.123.104.61 92.123.104.52	whitelisted
slscr.update.microsoft.com	74.178.76.128	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

/4.x/windows/wazuh-agent-4.12.0-1.msi

CF4EB5E35B9821BE0B1FF08970E5F838

91D34A8F912AB1423D72F53E452FA49EC76A0841

69FE54ADDDBB0340B013B1F0DA6DA9E531E674A360590B4DF212984B50FCEC5B

98304:HtjFmVWUqWYsJ3hCSGpxjMQrNsbZfDEy4iRLiVRjnuhZbaNRxAHicx7iD6XNyF4d:H9EzeWMOL

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Accesses system services(Win32_Service) via WMI (SCRIPT)

Opens a text file (SCRIPT)

Executing a file with an untrusted certificate

Starts NET.EXE for service management

Starts NET.EXE to view/change login properties

Starts NET.EXE to view/add/change user profiles

MIMIKATZ has been detected (YARA)

SUSPICIOUS

Reads security settings of Internet Explorer

The process creates files with name similar to system file names

Uses TASKKILL.EXE to kill process

Creates an object to access WMI (SCRIPT)

Reads the Windows owner or organization settings

Executes WMI query (SCRIPT)

Uses WMI to retrieve WMI-managed resources (SCRIPT)

Reads data from a binary Stream object (SCRIPT)

Accesses OperatingSystem(Win32_OperatingSystem) via WMI (SCRIPT)

Uses ICACLS.EXE to modify access control lists

Runs shell command (SCRIPT)

Executes as Windows Service

Creates FileSystem object to access computer's file system (SCRIPT)

Checks whether a specific file exists (SCRIPT)

Writes binary data to a Stream object (SCRIPT)

Connects to unusual port

Manipulates environment variables

Searches for installed software

Starts POWERSHELL.EXE for commands execution

Probably obfuscated PowerShell command line is found

Starts CMD.EXE for commands execution

INFO

Reads security settings of Internet Explorer

The sample compiled with english language support

Create files in a temporary directory

Checks proxy server information

Creates files or folders in the user directory

Checks supported languages

Reads the software policy settings

Reads the computer name

Disables trace logs

Checks current location (POWERSHELL)

Manual execution by a user

Reads the machine GUID from the registry

Executable content was dropped or overwritten

Creates a software uninstall entry

Process checks computer location settings

Creates files in the program directory

Reads product name

Reads CPU info

Reads the time zone

Reads Environment values

Uses string split method (POWERSHELL)

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information