File name:

ptools.msi

Full analysis: https://app.any.run/tasks/8efac477-35b1-4b31-84f3-44d9453f2a51
Verdict: Malicious activity
Analysis date: October 24, 2018, 23:01:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Last Saved By: InstallShield , Number of Characters: 0, Security: 1, Number of Words: 0, Title: Installation Database, Keywords: Installer,MSI,Database, Author: InstallShield Software Corporation, Number of Pages: 200, Name of Creating Application: InstallShield Developer 8.0, Revision Number: {C0875B62-BA53-40B4-8762-A52B36B1C6ED}, Last Saved Time/Date: Fri Sep 15 02:58:11 2017, Create Time/Date: Fri Sep 15 02:58:11 2017, Last Printed: Fri Sep 15 02:58:11 2017, Code page: 1252, Template: Intel;1033, Subject: Cisco WebEx Productivity Tools, Comments: Version 11.1.33100.550
MD5:

AEF91A39FB65073C529F7F8FF67695C1

SHA1:

F5972423DE07FE9ADF911F44770CC28B6D1F3E75

SHA256:

922ED5BB8CEE355D954491A34162448E996E488CBA7EE534BDA7AEBACFB63A9E

SSDEEP:

196608:GAi4Bsl6L9PuiYtiAxoiSqVm3lenKFjXgTzpITZnNhi0fWqjM:GALBsl6LJuiMuw6fZ3OqI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ptoneclk.exe (PID: 3600)
      • ptSrv.exe (PID: 2056)

    • Loads dropped or rewritten executable

      • ptoneclk.exe (PID: 3600)
      • ptSrv.exe (PID: 2056)

    • Changes the autorun value in the registry

      • ptoneclk.exe (PID: 3600)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 664)
      • MsiExec.exe (PID: 2528)

    • Creates COM task schedule object

      • msiexec.exe (PID: 664)

    • Creates files in the user directory

      • MsiExec.exe (PID: 2528)

    • Reads internet explorer settings

      • ptoneclk.exe (PID: 3600)

  • INFO

    • Creates or modifies windows services

      • msiexec.exe (PID: 664)
      • vssvc.exe (PID: 3760)

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 3760)

    • Searches for installed software

      • msiexec.exe (PID: 664)

    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 2528)

    • Application launched itself

      • msiexec.exe (PID: 664)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 664)

    • Creates files in the program directory

      • msiexec.exe (PID: 664)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (82)
.mst | Windows SDK Setup Transform Script (9.2)
.pps/ppt | Microsoft PowerPoint document (4.6)
.doc | Microsoft Word document (old ver.) (2.8)
.msi | Microsoft Installer (100)

EXIF

FlashPix

LastModifiedBy: InstallShield
Characters: -
Security: Password protected
Words: -
Title: Installation Database
Keywords: Installer,MSI,Database
Author: InstallShield Software Corporation
Pages: 200
Software: InstallShield? Developer 8.0
RevisionNumber: {C0875B62-BA53-40B4-8762-A52B36B1C6ED}
ModifyDate: 2017:09:15 01:58:11
CreateDate: 2017:09:15 01:58:11
LastPrinted: 2017:09:15 01:58:11
CodePage: Windows Latin 1 (Western European)
Template: Intel;1033
Subject: Cisco WebEx Productivity Tools
Comments: Version 11.1.33100.550
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
8
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
start msiexec.exe no specs msiexec.exe msiexec.exe no specs vssvc.exe no specs drvinst.exe no specs msiexec.exe ptoneclk.exe ptsrv.exe

Process information

PID
CMD
Path
Indicators
Parent process
600"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Desktop\ptools.msi"C:\Windows\System32\msiexec.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
664C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1908DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "00000060" "000004AC"C:\Windows\system32\DrvInst.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
2056C:\PROGRA~1\WebEx\PRODUC~1\ptSrv.exe -EmbeddingC:\PROGRA~1\WebEx\PRODUC~1\ptSrv.exe
svchost.exe
User:
admin
Company:
Cisco WebEx LLC
Integrity Level:
MEDIUM
Description:
WebEx Productivity Tools
Exit code:
0
Version:
102, 2013, 9, 21
Modules
Images
c:\progra~1\webex\produc~1\ptsrv.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\progra~1\webex\produc~1\libeay32.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
2528C:\Windows\system32\MsiExec.exe -Embedding A1DFC0ADF51BDD32B21858E1CE5785B2C:\Windows\system32\MsiExec.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3600"C:\Program Files\WebEx\Productivity Tools\ptoneclk.exe" /INSTALL /USERMAIL="" /SITEURL="" /USERNAME="" /PASSWORD="" /BUILDNUMBER="11.1.33100-550" /PASSTYPE="1" /WBXSSO="-1"C:\Program Files\WebEx\Productivity Tools\ptoneclk.exe
msiexec.exe
User:
admin
Company:
Cisco WebEx LLC
Integrity Level:
MEDIUM
Description:
WebEx Productivity Tools
Exit code:
0
Version:
27, 2017, 3, 24
Modules
Images
c:\program files\webex\productivity tools\ptoneclk.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3760C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3992C:\Windows\system32\MsiExec.exe -Embedding CF5203F8B10F91F3A45E88A7516396C2 CC:\Windows\system32\MsiExec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
1 210
Read events
605
Write events
588
Delete events
17

Modification events

(PID) Process:(600) msiexec.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(664) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
4000000000000000A41052B5ED6BD40198020000F00A0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(664) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
4000000000000000A41052B5ED6BD40198020000F00A0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(664) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:writeName:LastIndex
Value:
20
(PID) Process:(664) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:writeName:SppGatherWriterMetadata (Enter)
Value:
4000000000000000765ABDB5ED6BD40198020000F00A0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(664) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
Operation:writeName:IDENTIFY (Enter)
Value:
4000000000000000D0BCBFB5ED6BD40198020000B80A0000E803000001000000000000000000000049BEC389148DFF439996F7E678B710DA0000000000000000
(PID) Process:(3760) vssvc.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation:writeName:IDENTIFY (Enter)
Value:
40000000000000000859DCB5ED6BD401B00E00002C090000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3760) vssvc.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation:writeName:IDENTIFY (Enter)
Value:
40000000000000000859DCB5ED6BD401B00E000000060000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3760) vssvc.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation:writeName:IDENTIFY (Enter)
Value:
40000000000000000859DCB5ED6BD401B00E0000D00B0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3760) vssvc.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation:writeName:IDENTIFY (Enter)
Value:
40000000000000000859DCB5ED6BD401B00E0000480A0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
Executable files
70
Suspicious files
8
Text files
86
Unknown types
7

Dropped files

PID
Process
Filename
Type
600msiexec.exeC:\Users\admin\AppData\Local\Temp\MSIA2A9.tmp
MD5:
SHA256:
600msiexec.exeC:\Users\admin\AppData\Local\Temp\MSIA3F2.tmp
MD5:
SHA256:
600msiexec.exeC:\Users\admin\AppData\Local\Temp\MSIA402.tmp
MD5:
SHA256:
3992MsiExec.exeC:\Users\admin\AppData\Local\Temp\WbxMsi.dll
MD5:
SHA256:
600msiexec.exeC:\Users\admin\AppData\Local\Temp\MSIA413.tmp
MD5:
SHA256:
664msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
664msiexec.exeC:\Windows\Installer\5d438c.msi
MD5:
SHA256:
664msiexec.exeC:\Windows\Installer\MSI489D.tmp
MD5:
SHA256:
664msiexec.exeC:\Windows\Installer\MSI49A8.tmp
MD5:
SHA256:
664msiexec.exeC:\Windows\Installer\MSI49B8.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
Process
Message
MsiExec.exe
CPTCommon::SavePTInstallFileTemp: GetPTInstallPath FAILED!
MsiExec.exe
CPTCommon::LoadNewPTInstCkForMSI: GetPTInstallPath FAILED!
MsiExec.exe
C:\Program Files\WebEx\Productivity Tools\PTInstCk.dll
MsiExec.exe
C:\Users\admin\AppData\Roaming\Webex\Productivity Tools\PTInstCk_Tmp.dll
MsiExec.exe
CPTCommon::LoadNewPTInstCkForMSI: PTInstCk.dll was not existed!
MsiExec.exe
MSICheckAppsExist: -----Call Old CheckAppsExistEx()
MsiExec.exe
CPTCommon::SavePTIMFileTemp: GetPTInstallPath FAILED!
MsiExec.exe
Can not open Event!!!
MsiExec.exe
Global\EVENT_WEBEXPT_OI_20578
MsiExec.exe
CPTCommon::IsPTWithNI: can not find msitype from register!
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
ptools.msi