File name:	em_XsVM4WZh_installer_Win7-Win11_x86_x64.msi
Full analysis:	https://app.any.run/tasks/441980ef-5745-4ff8-b662-0ddf28477b43
Verdict:	Malicious activity
Analysis date:	March 24, 2025, 13:33:29
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	generated-doc python crypto-regex
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Endpoint Manager Communication Client, Author: ITarian LLC, Keywords: Installer, Comments: Version 9.2.49090.24060, Template: Intel;0, Revision Number: {C7630387-EB33-424A-A543-BE5617F676DD}, Create Time/Date: Mon Sep 16 19:55:22 2024, Last Saved Time/Date: Mon Sep 16 19:55:22 2024, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.4330.19070), Security: 2
MD5:	8F7EA7BE4386DA8059546CC2A0646DE1
SHA1:	4E0812D11EE4344E599D5C8A5F52E3E0664D2642
SHA256:	A9C42F11E75C3525D8D0F3F036C2F603E60FE102FC68B8F22A8B4C81779652A2
SSDEEP:	786432:i74NR4XVuHySZut2tIbSyFjsYGvBIPFY2SNrrMAIx:i74NR4XVuSSZMIIbS4jSvBIPFYHFQz

.msi	\|	Microsoft Windows Installer (98.5)
.msi	\|	Microsoft Installer (100)

CodePage:	Windows Latin 1 (Western European)
Title:	Installation Database
Subject:	Endpoint Manager Communication Client
Author:	ITarian LLC
Keywords:	Installer
Comments:	Version 9.2.49090.24060
Template:	Intel;0
RevisionNumber:	{C7630387-EB33-424A-A543-BE5617F676DD}
CreateDate:	2024:09:16 19:55:22
ModifyDate:	2024:09:16 19:55:22
Pages:	301
Words:	2
Software:	Windows Installer XML Toolset (3.11.4330.19070)
Security:	Read-only recommended


(PID) Process:	(896) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 480000000000000057FF0A7BC19CDB018003000078070000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(896) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Enter)
Value: 480000000000000057FF0A7BC19CDB018003000078070000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(896) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Leave)
Value: 4800000000000000CE8B527BC19CDB018003000078070000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(896) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Enter)
Value: 4800000000000000CE8B527BC19CDB018003000078070000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(896) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Leave)
Value: 4800000000000000B0EE547BC19CDB018003000078070000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(896) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppCreate (Enter)
Value: 480000000000000061B5597BC19CDB018003000078070000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(896) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:	write	Name:	LastIndex
Value: 11
(PID) Process:	(896) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGatherWriterMetadata (Enter)
Value: 4800000000000000A2F8C47BC19CDB018003000078070000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(896) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4800000000000000235CC77BC19CDB0180030000A4040000E8030000010000000000000000000000EA01F613086B9740B3CCB71C29298B1E00000000000000000000000000000000
(PID) Process:	(4112) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Operation:	write	Name:	IDENTIFY (Leave)
Value: 4800000000000000DF03D87BC19CDB011010000050120000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000

PID	Process	Filename		Type
896	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
896	msiexec.exe	C:\Windows\Installer\117443.msi		—
		MD5:—	SHA256:—
536	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F		binary
		MD5:9E290019BF164BAA6C22D5D15D0B7EAD	SHA256:C39879CB97AFCA23BD2B5D432214F7555BB17286FF9047075FFE3D4182A0EAB7
536	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F		binary
		MD5:22D52EA2716ACFD0E2BA304641A8EB0E	SHA256:3B98A64E000BDF178CF22F1F3B256A2C1C0DDD3365C8A862598BC0DEDCE25F54
536	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_EF52C1EC85F21F31CC0157A5C8803013		binary
		MD5:8BE2787F490295AEB2A62B1DE2A009EA	SHA256:F538C9EFA3BF0A2D1CCDE9FDB73D1881EB79535022F6CF5502258CB1FA49DFC7
896	msiexec.exe	C:\Windows\Installer\inprogressinstallinfo.ipi		binary
		MD5:417D66F2E336699CA4C69B9F154C97B3	SHA256:BDBDF11B643F75D001E591283E1E3143334FFB7D3371EFBDAF2EF79BBC647D02
536	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3AA0DCD5A74331FBD6F344550EC48B87_B2CA343459C05DC728694AF1B28799A4		binary
		MD5:BDB019E6FE2645C770C2DB5CC1B6C8CE	SHA256:F1E09416E86D37E7F4B2B80917204B357E0A3A6C284D1A6495B493FE0312BA39
896	msiexec.exe	C:\Windows\Installer\MSI81F3.tmp		executable
		MD5:D53B2B818B8C6A2B2BAE3A39E988AF10	SHA256:2A81878BE73B5C1D7D02C6AFC8A82336D11E5F8749EAACF54576638D81DED6E2
536	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3AA0DCD5A74331FBD6F344550EC48B87_B2CA343459C05DC728694AF1B28799A4		binary
		MD5:5A2FCF3F9F29E7ADF19E61041109A9D4	SHA256:2E63EFCD19253851517942D6CE8BE9EBB341DEEB851D94EAB9524FAB5D3CC4E2
896	msiexec.exe	C:\System Volume Information\SPP\OnlineMetadataCache\{13f601ea-6b08-4097-b3cc-b71c29298b1e}_OnDiskSnapshotProp		binary
		MD5:5EC6ACBFE2F23236C2031B8E02EFF9D7	SHA256:120B3ADA570DDBC37E1F13B03FD173C724C6BA12382600161B5A911068B249A2

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
536	msiexec.exe	GET	200	172.64.149.23:80	http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEEj8k7RgVZSNNqfJionWlBY%3D	unknown	—	—	whitelisted
536	msiexec.exe	GET	200	172.64.149.23:80	http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSdE3gf41WAic8Uh9lF92%2BIJqh5qwQUMuuSmv81lkgvKEBCcCA2kVwXheYCEDPXCKiRQFMZ4qW70zm5rW4%3D	unknown	—	—	whitelisted
536	msiexec.exe	GET	200	172.64.149.23:80	http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRd0JozUYXMqqW4y4zJTrLcMCRSkAQUgTKSQSsozUbIxKLGKjkS7EipPxQCEQDFkkwCc%2F6QyRK%2F5PUP8RSE	unknown	—	—	whitelisted
—	—	GET	304	4.175.87.197:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
—	—	GET	200	52.165.164.15:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	—
856	SIHClient.exe	GET	200	2.16.168.124:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
856	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
—	—	GET	200	52.29.114.9:443	https://mdmsupport.cmdm.comodo.com/enroll/resolve/token/XsVM4WZh	unknown	text	128 b	—
856	SIHClient.exe	GET	200	2.16.168.124:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
—	—	PUT	200	54.234.53.118:443	https://evphoto-msp.itsm-us1.comodo.com/command/windows/	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
536	msiexec.exe	172.64.149.23:80	ocsp.comodoca.com	CLOUDFLARENET	US	whitelisted
6028	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4000	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3364	ITSMService.exe	18.157.52.237:443	mdmsupport.cmdm.comodo.com	AMAZON-02	DE	unknown
3364	ITSMService.exe	54.234.53.118:443	evphoto-msp.itsm-us1.comodo.com	AMAZON-AES	US	unknown
3812	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted

Domain	IP	Reputation
google.com	216.58.206.78	whitelisted
settings-win.data.microsoft.com	4.231.128.59	whitelisted
ocsp.comodoca.com	172.64.149.23 104.18.38.233	whitelisted
ocsp.sectigo.com	172.64.149.23 104.18.38.233	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted
mdmsupport.cmdm.comodo.com	18.157.52.237 52.29.114.9	unknown
evphoto-msp.itsm-us1.comodo.com	54.234.53.118	unknown
xmpp.itsm-us1.comodo.com	174.129.244.210 34.227.128.175	unknown
api.dragonplatform.net	35.222.52.117	unknown
self.events.data.microsoft.com	20.189.173.25	whitelisted

PID	Process	Class	Message
—	—	Potential Corporate Privacy Violation	ET INFO Outgoing Basic Auth Base64 HTTP Password detected unencrypted
—	—	Potentially Bad Traffic	SUSPICIOUS [ANY.RUN] Get-WmiObject Cmdlet has been detected
—	—	Misc activity	SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body
—	—	Potentially Bad Traffic	SUSPICIOUS [ANY.RUN] Get-WmiObject Cmdlet has been detected

Process	Message
ITSMService.exe	QCoreApplication::applicationDirPath: Please instantiate the QApplication object first
ITSMService.exe	Try to find oem.strings in "C:/Program Files (x86)/ITarian/Endpoint Manager/oem.strings"
ITSMService.exe	Log dir is 'C:/ProgramData/ITarian/Endpoint Manager'
ITSMService.exe	OEM strings file does not exists! "C:/Program Files (x86)/ITarian/Endpoint Manager/oem.strings"

General Info

em_XsVM4WZh_installer_Win7-Win11_x86_x64.msi

8F7EA7BE4386DA8059546CC2A0646DE1

4E0812D11EE4344E599D5C8A5F52E3E0664D2642

A9C42F11E75C3525D8D0F3F036C2F603E60FE102FC68B8F22A8B4C81779652A2

786432:i74NR4XVuHySZut2tIbSyFjsYGvBIPFY2SNrrMAIx:i74NR4XVuSSZMIIbS4jSvBIPFYHFQz

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

SUSPICIOUS

Executes as Windows Service

The process drops C-runtime libraries

Reads the Windows owner or organization settings

Process drops legitimate windows executable

Starts CMD.EXE for commands execution

Executable content was dropped or overwritten

Process drops python dynamic module

Reads security settings of Internet Explorer

Executing commands from ".cmd" file

Loads Python modules

Found regular expressions for crypto-addresses (YARA)

Searches for installed software

There is functionality for taking screenshot (YARA)

INFO

Reads security settings of Internet Explorer

Reads the software policy settings

Creates files or folders in the user directory

Checks proxy server information

The sample compiled with english language support

Reads the computer name

Checks supported languages

Reads the machine GUID from the registry

Executable content was dropped or overwritten

Manages system restore points

Process checks computer location settings

Creates files in the program directory

Creates a software uninstall entry

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats