General Info

File name

Downloaded093.msi

Full analysis
https://app.any.run/tasks/a87e0b88-40ec-4d4f-9f87-6839c16a832f
Verdict
Malicious activity
Analysis date
9/11/2019, 05:59:02
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

generated-doc

trojan

banload

Indicators:

MIME:
application/x-msi
File info:
Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Title: Installation Database, Keywords: Installer, MSI, Database, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Number of Pages: 200, Security: 0, Code page: 1252, Revision Number: {5E720F7C-17F8-4670-A9F0-704B42FD4A4B}, Number of Words: 10, Subject: Google Crash Handler, Author: Google Crash Handler, Name of Creating Application: Advanced Installer 12.3 build 64631, Template: ;1046, Comments: Google Crash Handler Google Crash Handler.
MD5

7ac62d9bfba8887dedc6e2686eb08464

SHA1

715a870a0b356e5bf6def5765ff1177e4d4eb117

SHA256

d09bc288923966f6d93a2c2dc0fa794b37610e78101ca49bd61368aba8d3fad6

SSDEEP

12288:aXBGcY5AUrxiOH/t2S4TuHJTEl3SdQshdkP77GqUTqp4nb0j:aXBGcY5AUrv/t2S/HJTEl3S2shd47qWn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Loads dropped or rewritten executable
  • SearchProtocolHost.exe (PID: 752)
  • GCYBYRISYHGW.exe (PID: 3452)
Writes to a start menu file
  • GCYBYRISYHGW.exe (PID: 3452)
Application was dropped or rewritten from another process
  • GCYBYRISYHGW.exe (PID: 3452)
Changes the autorun value in the registry
  • reg.exe (PID: 2908)
BANLOAD was detected
  • MsiExec.exe (PID: 4020)
Executable content was dropped or overwritten
  • GCYBYRISYHGW.exe (PID: 3452)
  • MsiExec.exe (PID: 4020)
  • msiexec.exe (PID: 2976)
Uses REG.EXE to modify Windows registry
  • MsiExec.exe (PID: 4020)
Creates files in the user directory
  • GCYBYRISYHGW.exe (PID: 3452)
  • MsiExec.exe (PID: 4020)
Reads Environment values
  • GCYBYRISYHGW.exe (PID: 3452)
Creates files in the program directory
  • MsiExec.exe (PID: 4020)
Loads dropped or rewritten executable
  • MsiExec.exe (PID: 4020)
Application launched itself
  • msiexec.exe (PID: 2976)


Static information

TRiD
.msi
|   Microsoft Windows Installer (88.6%)
.mst
|   Windows SDK Setup Transform Script (10%)
.msi
|   Microsoft Installer (100%)
EXIF
FlashPix
Title:
Installation Database
Keywords:
Installer, MSI, Database
LastPrinted:
2009:12:11 11:47:44
CreateDate:
2009:12:11 11:47:44
ModifyDate:
2009:12:11 11:47:44
Pages:
200
Security:
None
CodePage:
Windows Latin 1 (Western European)
RevisionNumber:
{5E720F7C-17F8-4670-A9F0-704B42FD4A4B}
Words:
10
Subject:
Google Crash Handler
Author:
Google Crash Handler
LastModifiedBy:
null
Software:
Advanced Installer 12.3 build 64631
Template:
;1046
Comments:
Google Crash Handler Google Crash Handler.

Processes

Total processes
37
Monitored processes
6
Malicious processes
2
Suspicious processes
2

Behavior graph

start drop and start msiexec.exe no specs msiexec.exe #BANLOAD msiexec.exe reg.exe gcybyrisyhgw.exe searchprotocolhost.exe no specs

Process information

PID
752
CMD
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path
C:\Windows\System32\SearchProtocolHost.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Microsoft Windows Search Protocol Host
Version
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\tquery.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msshooks.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msidle.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\mssph.dll
c:\windows\system32\mapi32.dll
c:\windows\system32\authz.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\version.dll
c:\users\public\documents\gcybyrisyhgw\sptdintf.dll
c:\users\public\documents\gcybyrisyhgw\name.exe
c:\users\public\documents\gcybyrisyhgw\gcybyris
c:\windows\system32\acppage.dll

PID
3384
CMD
"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Downloaded093.msi"
Path
C:\Windows\System32\msiexec.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\microsoft.net\framework\v4.0.30319\fusion.dll

PID
2976
CMD
C:\Windows\system32\msiexec.exe /V
Path
C:\Windows\system32\msiexec.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msimsg.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\microsoft.net\framework\v4.0.30319\fusion.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\devrtl.dll

PID
4020
CMD
C:\Windows\system32\MsiExec.exe -Embedding 0EA0AD5251DB491789D9C0AAD0475E1C
Path
C:\Windows\system32\MsiExec.exe
Indicators
Parent process
msiexec.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows® installer
Version
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\installer\msi9ddb.tmp
c:\windows\system32\comdlg32.dll
c:\windows\installer\msi9e78.tmp
c:\windows\installer\msi9f55.tmp
c:\windows\system32\jscript.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\scrrun.dll
c:\windows\system32\sxs.dll
c:\windows\system32\msxml3.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\propsys.dll
c:\windows\system32\zipfldr.dll
c:\program files\winrar\rarext.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\winshfhc.dll
c:\windows\system32\wdscore.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\wpdshext.dll
c:\users\public\documents\gcybyrisyhgw\gcybyris
c:\windows\installer\msidd79.tmp
c:\windows\installer\msidd99.tmp

PID
2908
CMD
"C:\Windows\System32\reg.exe" add "HKCU\software\Microsoft\Windows\CurrentVersion\Run" /v GCYBYRISYHGW /t reg_sz /d C:\Users\Public\Documents\GCYBYRISYHGW\GCYBYRISYHGW.exe
Path
C:\Windows\System32\reg.exe
Indicators
Parent process
MsiExec.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Registry Console Tool
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3452
CMD
"C:\Users\Public\Documents\GCYBYRISYHGW\GCYBYRISYHGW.exe"
Path
C:\Users\Public\Documents\GCYBYRISYHGW\GCYBYRISYHGW.exe
Indicators
Parent process
MsiExec.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Disc Soft Ltd
Description
Disc Soft Bus Service Pro
Version
8.2.1.0709
Modules
Image
c:\users\public\documents\gcybyrisyhgw\gcybyrisyhgw.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\users\public\documents\gcybyrisyhgw\imgengine.dll
c:\windows\system32\version.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\wsock32.dll
c:\windows\system32\magnification.dll
c:\windows\system32\wtsapi32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\d3d9.dll
c:\windows\system32\d3d8thk.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\winmm.dll
c:\users\public\documents\gcybyrisyhgw\sptdintf.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\newdev.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\security.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\idndl.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wship6.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\sxs.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll

Registry activity

Total events
859
Read events
812
Write events
41
Delete events
6

Modification events

PID
Process
Operation
Key
Name
Value
752
SearchProtocolHost.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
752
SearchProtocolHost.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\72\52C64B7E
@C:\Windows\System32\acppage.dll,-6005
Shortcut to MS-DOS Program
2976
msiexec.exe
delete key
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000_CLASSES\Local Settings\MuiCache\72\52C64B7E
2976
msiexec.exe
delete key
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000_CLASSES\Local Settings\MuiCache\72
2976
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
2976
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback
2976
msiexec.exe
delete key
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
2976
msiexec.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress
2976
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Owner
A00B000054B40F495568D501
2976
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
SessionHash
C5C1F1C84BDA792AB1016856BC414A353A834012D56A03178B3306D35816A0AA
2976
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000
Sequence
1
2976
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\InProgress
C:\Windows\Installer\169d50.ipi
2976
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\Config.Msi\
2976
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
C:\Config.Msi\169d51.rbs
30763101
2976
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
C:\Config.Msi\169d51.rbsLow
3032425104
2976
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\A6CE16FCAD99DCF499D475D0D16C9206
4715E6F04F19318448EE0E9521ED8719
C:\Users\admin\AppData\Roaming\Google Crash Handler\Google Crash Handler\
2976
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\AA2E08D17768D414C858A5F146751752
4715E6F04F19318448EE0E9521ED8719
01:\Software\Google Crash Handler\Google Crash Handler\Version
2976
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1302019708-1500728564-335382590-1000\Components\D490174C55D6B4C439B8D9E5A39FA8A6
4715E6F04F19318448EE0E9521ED8719
C:\ProgramData\1.3.34.11\
2976
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\Users\admin\AppData\Roaming\Google Crash Handler\Google Crash Handler\
1
2976
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\Users\admin\AppData\Roaming\Google Crash Handler\
1
2976
msiexec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
C:\ProgramData\1.3.34.11\
1
2976
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Google Crash Handler\Google Crash Handler
Version
1.3.34.11
2976
msiexec.exe
write
HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Google Crash Handler\Google Crash Handler
Path
C:\Users\admin\AppData\Roaming\Google Crash Handler\Google Crash Handler\
4020
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MsiExec_RASAPI32
EnableFileTracing
0
4020
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MsiExec_RASAPI32
EnableConsoleTracing
0
4020
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MsiExec_RASAPI32
FileTracingMask
4294901760
4020
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MsiExec_RASAPI32
ConsoleTracingMask
4294901760
4020
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MsiExec_RASAPI32
MaxFileSize
1048576
4020
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MsiExec_RASAPI32
FileDirectory
%windir%\tracing
4020
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MsiExec_RASMANCS
EnableFileTracing
0
4020
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MsiExec_RASMANCS
EnableConsoleTracing
0
4020
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MsiExec_RASMANCS
FileTracingMask
4294901760
4020
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MsiExec_RASMANCS
ConsoleTracingMask
4294901760
4020
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MsiExec_RASMANCS
MaxFileSize
1048576
4020
MsiExec.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\MsiExec_RASMANCS
FileDirectory
%windir%\tracing
4020
MsiExec.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
4020
MsiExec.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4020
MsiExec.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
4020
MsiExec.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
4020
MsiExec.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Implementing
1C00000001000000E307090003000B0003003B001D00AA0100000000
4020
MsiExec.exe
write
HKEY_CURRENT_USER\Software\Caphyon\Advanced Installer\XML Config\{0F6E5174-91F4-4813-84EE-E05912DE7891}
C:\Users\admin\AppData\Roaming\Google Crash Handler\Google Crash Handler\1.3.34.11_Google Crash Handler.swidtag
*
4020
MsiExec.exe
write
HKEY_CURRENT_USER\Software\Caphyon\Advanced Installer\XML Config\{0F6E5174-91F4-4813-84EE-E05912DE7891}
C:\ProgramData\1.3.34.11\1.3.34.11_Google Crash Handler.swidtag
*
2908
reg.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
GCYBYRISYHGW
C:\Users\Public\Documents\GCYBYRISYHGW\GCYBYRISYHGW.exe
3452
GCYBYRISYHGW.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
Name
GCYBYRISYHGW.exe

Files activity

Executable files
6
Suspicious files
4
Text files
13
Unknown types
3

Dropped files

PID
Process
Filename
Type
2976
msiexec.exe
C:\Windows\Installer\169d4e.msi
executable
MD5: 7ac62d9bfba8887dedc6e2686eb08464
SHA256: d09bc288923966f6d93a2c2dc0fa794b37610e78101ca49bd61368aba8d3fad6
3452
GCYBYRISYHGW.exe
C:\Users\Public\Documents\GCYBYRISYHGW\kozjblvnzs.pif
executable
MD5: e75f64e6c8346c6392bd2e87d934dae7
SHA256: ee38171c75dbb5c3cde877ec28d8cca9eec2ca3277eea9250e03bd90b1125d6f
4020
MsiExec.exe
C:\Users\Public\Documents\GCYBYRISYHGW\sptdintf.dll
executable
MD5: 3862c98f3676f3fd8bf4759db17cf273
SHA256: 1c7d5e42ff3bc5e1a0ecd01fa68633dc67515b3a06e660fcd2d22d6ea436a6f1
4020
MsiExec.exe
C:\Users\Public\Documents\GCYBYRISYHGW\Name.exe
executable
MD5: e75f64e6c8346c6392bd2e87d934dae7
SHA256: ee38171c75dbb5c3cde877ec28d8cca9eec2ca3277eea9250e03bd90b1125d6f
2976
msiexec.exe
C:\Windows\Installer\MSI9DDB.tmp
executable
MD5: 5c5bef05b6f3806106f8f3ce13401cc1
SHA256: f2f3ae8ca06f5cf320ca1d234a623bf55cf2b84c1d6dea3d85d5392e29aaf437
4020
MsiExec.exe
C:\Users\Public\Documents\GCYBYRISYHGW\GCYBYRISYHGW.exe
executable
MD5: e75f64e6c8346c6392bd2e87d934dae7
SHA256: ee38171c75dbb5c3cde877ec28d8cca9eec2ca3277eea9250e03bd90b1125d6f
2976
msiexec.exe
C:\Windows\Installer\169d50.ipi
––
MD5:  ––
SHA256:  ––
2976
msiexec.exe
C:\Windows\Installer\MSIDD99.tmp
––
MD5:  ––
SHA256:  ––
2976
msiexec.exe
C:\Config.Msi\169d51.rbs
––
MD5:  ––
SHA256:  ––
4020
MsiExec.exe
C:\Users\admin\AppData\Roaming\Google Crash Handler\Google Crash Handler\1.3.34.11_Google Crash Handler.swidtag
xml
MD5: de646ca994708ce936cb4c14a2f69efb
SHA256: 553a6c01c425dc9512eb452bad3f93e1e2dac984eec3205d42d19c377b38d25d
4020
MsiExec.exe
C:\ProgramData\1.3.34.11\1.3.34.11_Google Crash Handler.swidtag
xml
MD5: de646ca994708ce936cb4c14a2f69efb
SHA256: 553a6c01c425dc9512eb452bad3f93e1e2dac984eec3205d42d19c377b38d25d
2976
msiexec.exe
C:\Windows\Installer\MSIDD79.tmp
––
MD5:  ––
SHA256:  ––
2976
msiexec.exe
C:\Windows\Installer\MSI9F44.tmp
binary
MD5: 0d03a275d9a80a9784e2b8a611d9264f
SHA256: e70e37a767fa7cf9ed65c7dd2f2e967b50ea16d683c6f4516abacd85f9c95b9d
3452
GCYBYRISYHGW.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yepnztmwyy.vbs
text
MD5: 8459a9dedf1eac9cbcaa24d5dde19d36
SHA256: 568972488c15161bc070f0e9df68f8a90d921fa254bf76ceb426dec5ea611d96
4020
MsiExec.exe
C:\Users\Public\Documents\GCYBYRISYHGW\imgengine.dll
––
MD5:  ––
SHA256:  ––
4020
MsiExec.exe
C:\Users\Public\Documents\GCYBYRISYHGW\winrar_14662.ico
image
MD5: 108b2adae976823f05321df5dbf7807a
SHA256: ddd484f8273a49724573917c14ea9408ead9b0e9db5cf5fa7d8d9c92365f147b
4020
MsiExec.exe
C:\Users\Public\Documents\GCYBYRISYHGW\tub4r4o.ico
image
MD5: 41184866f215e69aaf4c4ff22dee8afc
SHA256: e617d66b060854b1ac186a08959b0303cf100a518bf51ea3f85a7940581cbdfe
4020
MsiExec.exe
C:\Users\Public\Documents\GCYBYRISYHGW\quimicamedo.gif
image
MD5: 6cd55d30cc8628605a70c309acdfcb6a
SHA256: 8cd26a84018dba116f50f7d3131ae74f4842257e4a98b183d49c3af2843d0fe3
4020
MsiExec.exe
C:\Users\Public\Documents\GCYBYRISYHGW\pdf.ico
image
MD5: 00e6bae5c25a82493129c02ef760db1a
SHA256: 97f00fc67bb2b8f4412e8fdcb17b2aa1e3545bb575c1ba775e8eff072e9fe9f1
4020
MsiExec.exe
C:\Users\Public\Documents\GCYBYRISYHGW\Nvidia Display.ico
image
MD5: 2fd54a80384e8b70f4fdbf8480e1502b
SHA256: f19d6d7cbfccb0e340335b38d81cdf0fee79d5a5a711e14f201db3c048c88ae0
4020
MsiExec.exe
C:\Users\Public\Documents\GCYBYRISYHGW\morton2560.jpg
image
MD5: bfab2a2f32782b811a32b0fa5e12c5f9
SHA256: ed7c9c1119fb75b41e7d748d9fb8ae8123e362e673873de4e7e27063a8a46a30
4020
MsiExec.exe
C:\Users\Public\Documents\GCYBYRISYHGW\images.jpg
image
MD5: ca63cb4b67a1f61ff2415ff42f09d849
SHA256: c97bf0d81b83007ca1e58725d9d1dfe9adbf65eeea0b534c62fab636db86fe67
4020
MsiExec.exe
C:\Users\Public\Documents\GCYBYRISYHGW\images (1).jpg
image
MD5: b6d60d8b9079ba575599f9d06b8627ab
SHA256: 76b81c7975762dab43dee2455991b63c0b43eeec6fc2d5635ab7aafd58973601
4020
MsiExec.exe
C:\Users\Public\Documents\GCYBYRISYHGW\iconfinder_Adobe_Flash_Player_60255.ico
image
MD5: fe0a2332048df13fcecbdb33837e15f4
SHA256: 04a226b46b1297ae467d2f98330dd8822ced7aa1707341a6c16e2fef1db65c65
4020
MsiExec.exe
C:\Users\Public\Documents\GCYBYRISYHGW\fox.jpg
image
MD5: 5f8e727c0b4306651424eed9c7278809
SHA256: 338750e53e3ca439b9365605ef3b52f4bcf61157ca285bfa255a0d4f2302e003
3384
msiexec.exe
C:\Users\admin\AppData\Local\Temp\MSI69be7.LOG
txt
MD5: cd244fdb751f6bc5c017aba37ba5d7e9
SHA256: c808b989e8d0e4a5bb5b4abdad0c1daf64423747c1758d5fadce25e3389524ea
2976
msiexec.exe
C:\Users\admin\AppData\Local\Temp\MSI69be7.LOG
txt
MD5: cd244fdb751f6bc5c017aba37ba5d7e9
SHA256: c808b989e8d0e4a5bb5b4abdad0c1daf64423747c1758d5fadce25e3389524ea
4020
MsiExec.exe
C:\Users\Public\Documents\GCYBYRISYHGW_GCYBYRISYHGW_GCYBYRISYHGW.zip
compressed
MD5: f7085bdea1b9c8fac9f8be125d3b3bcc
SHA256: caf6114102115c349d1c5eeaf8c048c55ef8c7403a5b8222330b91c3ba20a77b
4020
MsiExec.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\puma[1].zip
compressed
MD5: f7085bdea1b9c8fac9f8be125d3b3bcc
SHA256: caf6114102115c349d1c5eeaf8c048c55ef8c7403a5b8222330b91c3ba20a77b
2976
msiexec.exe
C:\Windows\Installer\MSI9F55.tmp
––
MD5:  ––
SHA256:  ––
2976
msiexec.exe
C:\Windows\Installer\169d50.ipi
binary
MD5: 7434111c81abe95bc268ba0ea41d4797
SHA256: 5a57127a7f641b7cfb5801d2f22f8f4328f2f0f193ffdde74288ddc6c3395864
2976
msiexec.exe
C:\Users\admin\AppData\Local\Temp\~DFD24CDD6BB451AD2C.TMP
––
MD5:  ––
SHA256:  ––
2976
msiexec.exe
C:\Windows\Installer\MSI9E78.tmp
––
MD5:  ––
SHA256:  ––
2976
msiexec.exe
C:\Users\admin\AppData\Local\Temp\~DF0B17991AF24EE7AF.TMP
––
MD5:  ––
SHA256:  ––
3452
GCYBYRISYHGW.exe
C:\Users\Public\Documents\GCYBYRISYHGW\higar.vc
––
MD5:  ––
SHA256:  ––


Network activity

HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
1
Threats
3

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
4020 MsiExec.exe GET 200 15.222.6.255:80 http://15.222.6.255/puma.zip US compressed malicious
3452 GCYBYRISYHGW.exe POST –– 5.57.226.202:80 http://natalsemfome2019.webcindario.com/avisos/ ES –– –– suspicious


Connections

PID Process IP ASN CN Reputation
4020 MsiExec.exe 15.222.6.255:80 Hewlett-Packard Company US malicious
3452 GCYBYRISYHGW.exe 5.57.226.202:80 ServiHosting Networks S.L. ES suspicious

DNS requests

Domain IP Reputation
natalsemfome2019.webcindario.com 5.57.226.202 unknown

Threats

PID Process Class Message
4020 MsiExec.exe Potentially Bad Traffic ET INFO Dotted Quad Host ZIP Request
4020 MsiExec.exe A Network Trojan was detected MALWARE [PTsecurity] Trojan.Loader (Trojan.Agent.DDSA) Requesting Zip Archive

1 ETPRO signature available at the full report

Debug output strings

No debug info.