Malware analysis Arixcel_Explorer_v8.7.8793.msi Malicious activity

Add for printing

File name:	Arixcel_Explorer_v8.7.8793.msi
Full analysis:	https://app.any.run/tasks/a62c4ff3-674f-4aad-a2b4-d7a208ff9c27
Verdict:	Malicious activity
Analysis date:	August 13, 2024, 01:50:53
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	generated-doc
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Arixcel Explorer Installer, Author: Arixcel Ltd, Keywords: Arixcel Installer, Comments: Arixcel Explorer is a spreadsheet analysis add-in for Microsoft Excel., Template: x64;1033, Revision Number: {536F3CBA-F2A0-411E-AC41-4EE4C94EE2D8}, Create Time/Date: Sun Jan 28 20:44:34 2024, Last Saved Time/Date: Sun Jan 28 20:44:34 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.0.5722), Security: 2
MD5:	A9FABC2227E5A5CE5AA17C3783E56110
SHA1:	602A2F1521D423A6111E62FF4D38D8353E5E9EAE
SHA256:	DA7C2031D596747B9AFDDE61CCFC469977495E3F3406ACFBE733B6F598F02A73
SSDEEP:	98304:0Lni9U52/1ZyVMm1xrpEx/q80GQgqrbRxn3SsYsu+w9v6jrs+MSwZOIIN8ts/muU:weq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Drops the executable file immediately after the start
  - msiexec.exe (PID: 6304)
  - msiexec.exe (PID: 6440)
- Executable content was dropped or overwritten
  - rundll32.exe (PID: 6600)
  - rundll32.exe (PID: 6648)
  - rundll32.exe (PID: 6720)
  - rundll32.exe (PID: 6608)
  - rundll32.exe (PID: 5940)
- Executes as Windows Service
  - VSSVC.exe (PID: 7036)
- Checks Windows Trust Settings
  - msiexec.exe (PID: 6440)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 6440)
- The process creates files with name similar to system file names
  - msiexec.exe (PID: 6440)
- Process drops legitimate windows executable
  - msiexec.exe (PID: 6440)
INFO
- Reads security settings of Internet Explorer
  - msiexec.exe (PID: 6304)
- Reads the software policy settings
  - msiexec.exe (PID: 6304)
  - msiexec.exe (PID: 6440)
- Creates files or folders in the user directory
  - msiexec.exe (PID: 6304)
  - msiexec.exe (PID: 6440)
- Checks proxy server information
  - msiexec.exe (PID: 6304)
- Checks supported languages
  - msiexec.exe (PID: 6440)
  - msiexec.exe (PID: 6480)
  - msiexec.exe (PID: 32)
  - TextInputHost.exe (PID: 5300)
- Reads the computer name
  - msiexec.exe (PID: 6440)
  - msiexec.exe (PID: 6480)
  - msiexec.exe (PID: 32)
  - TextInputHost.exe (PID: 5300)
- Create files in a temporary directory
  - rundll32.exe (PID: 6600)
  - rundll32.exe (PID: 6648)
  - rundll32.exe (PID: 6720)
  - rundll32.exe (PID: 5940)
  - rundll32.exe (PID: 6608)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 6304)
  - msiexec.exe (PID: 6440)
- Reads the machine GUID from the registry
  - msiexec.exe (PID: 6440)
- Reads Microsoft Office registry keys
  - rundll32.exe (PID: 6608)
  - msiexec.exe (PID: 6440)
- Creates a software uninstall entry
  - msiexec.exe (PID: 6440)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.msi	\|	Microsoft Windows Installer (93)
.msi	\|	Microsoft Installer (100)

EXIF

FlashPix

CodePage:	Windows Latin 1 (Western European)
Title:	Installation Database
Subject:	Arixcel Explorer Installer
Author:	Arixcel Ltd
Keywords:	Arixcel Installer
Comments:	Arixcel Explorer is a spreadsheet analysis add-in for Microsoft Excel.
Template:	x64;1033
RevisionNumber:	{536F3CBA-F2A0-411E-AC41-4EE4C94EE2D8}
CreateDate:	2024:01:28 20:44:34
ModifyDate:	2024:01:28 20:44:34
Pages:	200
Words:	2
Software:	Windows Installer XML Toolset (3.14.0.5722)
Security:	Read-only recommended

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

154

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

C:\Windows\syswow64\MsiExec.exe -Embedding 271C8CE1D7511F045229A75A9ED08EF8

C:\Windows\SysWOW64\msiexec.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Exit code:

Version:

5.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

5300

"C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Version:

123.26505.0.0

Modules

Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll

5940

rundll32.exe "C:\WINDOWS\Installer\MSIBF55.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_966546 2 ArixcelSetup!Arixcel.Explorer.Setup.CustomActions.RenameExplorer3Registry

C:\Windows\SysWOW64\rundll32.exe

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

6304

"C:\Windows\System32\msiexec.exe" /i C:\Users\admin\AppData\Local\Temp\Arixcel_Explorer_v8.7.8793.msi

C:\Windows\System32\msiexec.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Exit code:

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

6440

C:\WINDOWS\system32\msiexec.exe /V

C:\Windows\System32\msiexec.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows® installer

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

6480

C:\Windows\syswow64\MsiExec.exe -Embedding 6C3C55FDF0B7F90E7EC8E5D5781269C7 C

C:\Windows\SysWOW64\msiexec.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Exit code:

Version:

5.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

6600

rundll32.exe "C:\Users\admin\AppData\Local\Temp\MSI5418.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_939046 16 ArixcelSetup!Arixcel.Explorer.Setup.CustomActions.CheckSystemRequirements

C:\Windows\SysWOW64\rundll32.exe

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

6608

rundll32.exe "C:\WINDOWS\Installer\MSIC031.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_966718 8 ArixcelSetup!Arixcel.Explorer.Setup.CustomActions.RegisterVbaAddin

C:\Windows\SysWOW64\rundll32.exe

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

6648

rundll32.exe "C:\Users\admin\AppData\Local\Temp\MSI588D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_940203 22 ArixcelSetup!Arixcel.Explorer.Setup.CustomActions.ResetAllUsers

C:\Windows\SysWOW64\rundll32.exe

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

6720

rundll32.exe "C:\Users\admin\AppData\Local\Temp\MSI595A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_940390 28 ArixcelSetup!Arixcel.Explorer.Setup.CustomActions.SetDefaultInstallFolders

C:\Windows\SysWOW64\rundll32.exe

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

Add for printing

Total events

14 919

Read events

14 613

Write events

287

Delete events

Modification events


(PID) Process:	(6440) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 48000000000000009640614623EDDA01281900006C1B0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6440) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Enter)
Value: 48000000000000009640614623EDDA01281900006C1B0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6440) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Leave)
Value: 48000000000000008FA4A14623EDDA01281900006C1B0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6440) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Enter)
Value: 48000000000000008FA4A14623EDDA01281900006C1B0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6440) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Leave)
Value: 4800000000000000926CA64623EDDA01281900006C1B0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6440) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppCreate (Enter)
Value: 48000000000000004E9BAD4623EDDA01281900006C1B0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6440) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:	write	Name:	LastIndex
Value: 11
(PID) Process:	(6440) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGatherWriterMetadata (Enter)
Value: 48000000000000003660414723EDDA01281900006C1B0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6440) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4800000000000000B0C4434723EDDA0128190000D41B0000E8030000010000000000000000000000CAE7656C2C68854EA608F126489FDD2200000000000000000000000000000000
(PID) Process:	(7036) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 48000000000000003B574D4723EDDA017C1B0000981B0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6304	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB		binary
		MD5:8B890C8EDB824721CFB55EA15BF0AE16	SHA256:F15D68D61FA1070AB58CC7AE71216E3F7E9F85D29A79DA4EF309E713BAEF203D
6304	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB		der
		MD5:D327B84D5A84AB18BEDED6B56565C123	SHA256:B6CACCEDA8F6C9C99041AFF4C80BAE2B44B2B20D52FC62F334A86BE24FA6940C
6440	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
6304	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_8B6426B6690101B521CAF68DCFDCB929		der
		MD5:3CFFF72BF02AF853785867026345A613	SHA256:9C9216F9275120FF6F197E3E5C1455BBA471FA9B419BECE9DFAB608F2EBFCA06
6600	rundll32.exe	C:\Users\admin\AppData\Local\Temp\MSI5418.tmp-\ArixcelSetup.dll		executable
		MD5:CC13F1F1DD28EBF8137D8181808C0F21	SHA256:C4ADFC8268A54653057340E416A199A950EDC1D006F740A8F6048F4AAB2C64C2
6600	rundll32.exe	C:\Users\admin\AppData\Local\Temp\MSI5418.tmp-\CustomAction.config		xml
		MD5:82FACDCE498CD0F186C355760C5CF0EC	SHA256:B46DB7ED88826F9D30C4DBDA37BA5C021C94A16A144FF889E1D5BBD77B0B0D71
6304	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSI52AF.tmp		executable
		MD5:C90F51E8F8C547CE8A48C22ECDCF5304	SHA256:226F3E224BFC7D77AFFF0F3D9048D1727EEA7AA5E2E443F8CC55BAA7DC5C6473
6304	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141		binary
		MD5:53782FA154C658747F539C83C667B72C	SHA256:8FFD69E35560ADA3EB9D82174B033A5A22C0DFB5C20E0192749BE6D3D14874C1
6304	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141		der
		MD5:F7969FF802AF4DF4830DCD7E8A56B4FB	SHA256:70CFF6015700026315CA06C5363A226A73AE1CAB5F256CF24F116787A70989B3
6304	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSI5418.tmp		executable
		MD5:AB1CCA3723B0803C7BB01D9761169B95	SHA256:5CBCBA474881F712C84244AE00EB903C3ED4AE8ED870BD6034F9D78D516B1016

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6304	msiexec.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D	unknown	—	—	whitelisted
6304	msiexec.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D	unknown	—	—	whitelisted
6304	msiexec.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAEzhWDJk%2Fozlbna9gYAnv0%3D	unknown	—	—	whitelisted
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
1928	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
2096	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
5984	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	whitelisted
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1984	svchost.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4780	RUXIMICS.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2120	MoUsoCoreWorker.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
6304	msiexec.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
1984	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5336	SearchApp.exe	184.86.251.27:443	www.bing.com	Akamai International B.V.	DE	unknown
5336	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
1928	svchost.exe	40.126.32.74:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.186.78	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
settings-win.data.microsoft.com	4.231.128.59 51.104.136.2 40.127.240.158	whitelisted
www.bing.com	184.86.251.27 184.86.251.22	whitelisted
login.live.com	40.126.32.74 40.126.32.140 40.126.32.72 40.126.32.76 40.126.32.134 40.126.32.133 40.126.32.138 20.190.160.17	whitelisted
client.wns.windows.com	40.113.110.67	whitelisted
fd.api.iris.microsoft.com	20.223.35.26	whitelisted
th.bing.com	2.23.209.182 2.23.209.149 2.23.209.133 2.23.209.187 2.23.209.140	whitelisted
arc.msn.com	20.103.156.88	whitelisted
go.microsoft.com	2.19.105.250	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

Arixcel_Explorer_v8.7.8793.msi

A9FABC2227E5A5CE5AA17C3783E56110

602A2F1521D423A6111E62FF4D38D8353E5E9EAE

DA7C2031D596747B9AFDDE61CCFC469977495E3F3406ACFBE733B6F598F02A73

98304:0Lni9U52/1ZyVMm1xrpEx/q80GQgqrbRxn3SsYsu+w9v6jrs+MSwZOIIN8ts/muU:weq

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Drops the executable file immediately after the start

Executable content was dropped or overwritten

Executes as Windows Service

Checks Windows Trust Settings

Reads the Windows owner or organization settings

The process creates files with name similar to system file names

Process drops legitimate windows executable

INFO

Reads security settings of Internet Explorer

Reads the software policy settings

Creates files or folders in the user directory

Checks proxy server information

Checks supported languages

Reads the computer name

Create files in a temporary directory

Executable content was dropped or overwritten

Reads the machine GUID from the registry

Reads Microsoft Office registry keys

Creates a software uninstall entry

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings