analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | Google AI Gemini Ultra For PC V1.0.1.msi |
| Full analysis: | https://app.any.run/tasks/0ef391d1-20c0-4279-adb6-e89afe28d37f |
| Verdict: | Malicious activity |
| Analysis date: | February 11, 2024 at 22:33:59 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Indicators: | |
| MIME: | application/x-msi |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Create Time/Date: Mon Jun 21 07:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: Intel;1033, Number of Pages: 200, Revision Number: {C6C2D440-EA93-4E35-B8C6-83DD50C1613C}, Title: Install, Author: Install, Comments: Bringing the benefits of AI to everyone, Number of Words: 2, Last Saved Time/Date: Mon Jan 22 11:59:18 2024, Last Printed: Mon Jan 22 11:59:18 2024 |
| MD5: | BF17D7F8DAC7DF58B37582CEC39E609D |
| SHA1: | 0C55B3C75E5759EFC6DB20B6DB4FAD790CBCD4E7 |
| SHA256: | BB7C3B78F2784A7AC3C090331326279476C748087188AEB69F431BBD70AC6407 |
| SSDEEP: | 24576:C1ipiRvE4wbF60m3oOEZ/vTk1oQ53eYc:C1ipiRM4wbF60m3oOEZ/vTk1oQ53lc |
MALICIOUS
Drops the executable file immediately after the start
- msiexec.exe (PID: 2940)
Changes powershell execution policy (Bypass)
- cmd.exe (PID: 2496)
Bypass execution policy to execute commands
- powershell.exe (PID: 6444)
SUSPICIOUS
Process drops legitimate windows executable
- msiexec.exe (PID: 2400)
- msiexec.exe (PID: 2940)
Executes as Windows Service
- VSSVC.exe (PID: 2584)
Reads the Windows owner or organization settings
- msiexec.exe (PID: 2940)
Starts CMD.EXE for commands execution
- msiexec.exe (PID: 2940)
Executing commands from ".cmd" file
- msiexec.exe (PID: 2940)
The process executes Powershell scripts
- cmd.exe (PID: 2496)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 2496)
Reads the date of Windows installation
- identity_helper.exe (PID: 6780)
INFO
Checks supported languages
- msiexec.exe (PID: 2940)
- msiexec.exe (PID: 6336)
- msiexec.exe (PID: 6456)
- identity_helper.exe (PID: 6780)
- identity_helper.exe (PID: 6432)
Reads the computer name
- msiexec.exe (PID: 2940)
- msiexec.exe (PID: 6336)
- msiexec.exe (PID: 6456)
- identity_helper.exe (PID: 6780)
- identity_helper.exe (PID: 6432)
Drops the executable file immediately after the start
- msiexec.exe (PID: 2400)
- chrome.exe (PID: 1728)
Create files in a temporary directory
- msiexec.exe (PID: 6336)
- msiexec.exe (PID: 6456)
Executable content was dropped or overwritten
- msiexec.exe (PID: 2400)
- msiexec.exe (PID: 2940)
Application launched itself
- msedge.exe (PID: 4520)
- chrome.exe (PID: 1728)
- msedge.exe (PID: 8792)
Reads Microsoft Office registry keys
- msedge.exe (PID: 4520)
- chrome.exe (PID: 1728)
- msedge.exe (PID: 8792)
Checks proxy server information
- slui.exe (PID: 4008)
Reads the software policy settings
- slui.exe (PID: 4008)
Creates files or folders in the user directory
- msiexec.exe (PID: 2940)
Creates a software uninstall entry
- msiexec.exe (PID: 2940)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .msi | | | Microsoft Windows Installer (90.2) |
|---|---|---|
| .msp | | | Windows Installer Patch (8.4) |
| .msi | | | Microsoft Installer (100) |
EXIF
FlashPix
| CreateDate: | 1999:06:21 07:00:00 |
|---|---|
| Software: | Windows Installer |
| Security: | Password protected |
| CodePage: | Windows Latin 1 (Western European) |
| Template: | Intel;1033 |
| Pages: | 200 |
| RevisionNumber: | {C6C2D440-EA93-4E35-B8C6-83DD50C1613C} |
| Title: | Install |
| Subject: | - |
| Author: | Install |
| Keywords: | - |
| Comments: | Bringing the benefits of AI to everyone |
| Words: | 2 |
| ModifyDate: | 2024:01:22 11:59:18 |
| LastPrinted: | 2024:01:22 11:59:18 |
Total processes
210
Monitored processes
66
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 728 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=112.0.5615.50 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff88b0baa60,0x7ff88b0baa70,0x7ff88b0baa80 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 112.0.5615.50 Modules
| |||||||||||||||
| 1520 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | SrTasks.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1724 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=111.0.5563.149 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=111.0.1661.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x178,0x7ff88a81b5f8,0x7ff88a81b608,0x7ff88a81b618 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 111.0.1661.62 Modules
| |||||||||||||||
| 1728 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Program Files (x86)\Google\Install\nmmhkkegccagdldgiimedpic" --new-window https://www.bing.com/images/create | C:\Program Files\Google\Chrome\Application\chrome.exe | powershell.exe | ||||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 112.0.5615.50 Modules
| |||||||||||||||
| 2400 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Desktop\Google AI Gemini Ultra For PC V1.0.1.msi" | C:\Windows\System32\msiexec.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2496 | C:\WINDOWS\system32\cmd.exe /c ""C:\Program Files (x86)\Google\Install\install.cmd"" | C:\Windows\System32\cmd.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2584 | C:\WINDOWS\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2588 | C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:5 | C:\Windows\System32\SrTasks.exe | — | msiexec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Windows System Protection background tasks. Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2940 | C:\WINDOWS\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Exit code: 0 Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3504 | "C:\Program Files (x86)\Microsoft\Edge\Application\111.0.1661.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4012 --field-trial-handle=1988,i,5543273393830092669,16467123026098477353,131072 /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\111.0.1661.62\identity_helper.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: PWA Identity Proxy Host Exit code: 3221226029 Version: 111.0.1661.62 Modules
| |||||||||||||||
Total events
36 606
Read events
36 070
Write events
506
Delete events
30
Modification events
| (PID) Process: | (2940) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore |
| Operation: | write | Name: | SrCreateRp (Enter) |
Value: 4800000000000000203AC4773A5DDA017C0B000024130000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2940) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Enter) |
Value: 4800000000000000203AC4773A5DDA017C0B000024130000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2940) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Leave) |
Value: 480000000000000095D2E0773A5DDA017C0B000024130000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2940) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Enter) |
Value: 480000000000000095D2E0773A5DDA017C0B000024130000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2940) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Leave) |
Value: 480000000000000095D2E0773A5DDA017C0B000024130000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2940) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppCreate (Enter) |
Value: 4800000000000000113AE3773A5DDA017C0B000024130000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2940) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP |
| Operation: | write | Name: | LastIndex |
Value: 5 | |||
| (PID) Process: | (2940) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGatherWriterMetadata (Enter) |
Value: 4800000000000000916FFD773A5DDA017C0B000024130000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2940) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4800000000000000916FFD773A5DDA017C0B0000E00F0000E803000001000000000000000000000083515AD26E251E4894197777F90A20E000000000000000000000000000000000 | |||
| (PID) Process: | (2584) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4800000000000000BA3802783A5DDA01180A0000A8170000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
Executable files
12
Suspicious files
144
Text files
154
Unknown types
104
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2940 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
| 2400 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI5B81.tmp | executable | |
MD5:B77A2A2768B9CC78A71BBFFB9812B978 | SHA256:F74C97B1A53541B059D3BFAFE41A79005CE5065F8210D7DE9F1B600DC4E28AA0 | |||
| 6336 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\CFG5BEE.tmp | xml | |
MD5:68675E0D405C8C76102802FA624EB895 | SHA256:B839CDD1C3F55651CD4D0E54A679BCE5AC60ED7618A7B74BFC8EF8CA311E53ED | |||
| 2400 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI5BFF.tmp | executable | |
MD5:B77A2A2768B9CC78A71BBFFB9812B978 | SHA256:F74C97B1A53541B059D3BFAFE41A79005CE5065F8210D7DE9F1B600DC4E28AA0 | |||
| 2940 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | |
MD5:28689439DD4644C44D0B20BB41BFA795 | SHA256:3F8938D15D86F2B5257CC7C6FA85FD83BD868AF5EC843156E431E349C88DB128 | |||
| 6456 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\CFGA83A.tmp | xml | |
MD5:68675E0D405C8C76102802FA624EB895 | SHA256:B839CDD1C3F55651CD4D0E54A679BCE5AC60ED7618A7B74BFC8EF8CA311E53ED | |||
| 2940 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{d25a5183-256e-481e-9419-7777f90a20e0}_OnDiskSnapshotProp | binary | |
MD5:28689439DD4644C44D0B20BB41BFA795 | SHA256:3F8938D15D86F2B5257CC7C6FA85FD83BD868AF5EC843156E431E349C88DB128 | |||
| 2940 | msiexec.exe | C:\WINDOWS\Installer\13a6d2.msi | executable | |
MD5:BF17D7F8DAC7DF58B37582CEC39E609D | SHA256:BB7C3B78F2784A7AC3C090331326279476C748087188AEB69F431BBD70AC6407 | |||
| 2940 | msiexec.exe | C:\WINDOWS\Installer\MSIA7FB.tmp | executable | |
MD5:B77A2A2768B9CC78A71BBFFB9812B978 | SHA256:F74C97B1A53541B059D3BFAFE41A79005CE5065F8210D7DE9F1B600DC4E28AA0 | |||
| 2940 | msiexec.exe | C:\WINDOWS\TEMP\~DF70B317768FC831D1.TMP | binary | |
MD5:2E3508E07C551933E37171464100D7A2 | SHA256:B9076E39E7177F12E5FEDE029B9090D4E55F28EDEBA9EA0113A17E0C809D8CAB | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
160
TCP/UDP connections
102
DNS requests
86
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5356 | SIHClient.exe | GET | 304 | 13.85.23.86:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19044.1288/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.1288&MK=DELL&MD=DELL | unknown | — | — | — |
5356 | SIHClient.exe | GET | 200 | 13.85.23.86:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19044.1288/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.1288&MK=DELL&MD=DELL | unknown | — | 23.9 Kb | — |
5356 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | binary | 813 b | — |
5356 | SIHClient.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | binary | 824 b | — |
5356 | SIHClient.exe | GET | 200 | 20.242.39.171:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | — | — | — |
5356 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | binary | 400 b | — |
— | — | POST | 200 | 40.126.32.136:443 | https://login.live.com/RST2.srf | unknown | xml | 10.9 Kb | — |
— | — | POST | 200 | 20.190.160.20:443 | https://login.live.com/RST2.srf | unknown | xml | 9.93 Kb | — |
1440 | backgroundTaskHost.exe | GET | 200 | 20.223.35.26:443 | https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=310091&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20240211T223403Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=abc4a90bc0de48bd890268d69d09e49c&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.1023&currsel=133529005600000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19044.1288&disphorzres=1280&dispsize=15.3&dispvertres=720&fosver=16299&isu=0&lo=3381993&metered=false&nettype=ethernet&npid=sc-310091&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&rver=2&smBiosDm=DELL&stabedgever=111.0.1661.62&tl=2&tsu=772523&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2 | unknown | binary | 1.34 Kb | — |
5356 | SIHClient.exe | GET | 200 | 13.85.23.86:443 | https://slscr.update.microsoft.com/sls/ping | unknown | — | — | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3848 | svchost.exe | 239.255.255.250:1900 | — | — | — | unknown |
— | — | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
4 | System | 192.168.100.255:138 | — | — | — | unknown |
1440 | backgroundTaskHost.exe | 20.223.35.26:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
4 | System | 192.168.100.255:137 | — | — | — | unknown |
5356 | SIHClient.exe | 13.85.23.86:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
5356 | SIHClient.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
5356 | SIHClient.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown |
5356 | SIHClient.exe | 20.242.39.171:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
1728 | chrome.exe | 239.255.255.250:1900 | — | — | — | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
arc.msn.com |
| unknown |
slscr.update.microsoft.com |
| unknown |
www.microsoft.com |
| unknown |
crl.microsoft.com |
| unknown |
fe3cr.delivery.mp.microsoft.com |
| unknown |
www.bing.com |
| unknown |
clientservices.googleapis.com |
| unknown |
config.edge.skype.com |
| unknown |
www.googleapis.com |
| unknown |
clients2.google.com |
| unknown |