File name:

VTRL_2.1.8_x64_en-US.msi

Full analysis: https://app.any.run/tasks/8a180eb3-679d-4b82-ba87-3a1e37149c03
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: August 25, 2024, 17:20:11
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
loader
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: VTRL, Author: VTRL, Keywords: Installer, Comments: This installer database contains the logic and data required to install VTRL., Template: x64;0, Revision Number: {22CB0795-C95E-4146-B8FD-8E0BFDC9A73A}, Create Time/Date: Sat Aug 17 19:54:28 2024, Last Saved Time/Date: Sat Aug 17 19:54:28 2024, Number of Pages: 450, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
MD5:

700427241064DAB4A148B04E108BBA0C

SHA1:

00386136BB09FECEB619DB3EBEC8C1EC87093625

SHA256:

DA8EB686634F66C5305F4E80C4155706BF155CAA66EFC2C144B7B0683442F1DD

SSDEEP:

98304:wejDmepTD2v9jkGc3dJ+WRHFvGv+BeVUnJ3G/bbDsDIAtNk/BPicgg7ZqQqNRZyx:ae9VQr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 1372)

    • Changes the autorun value in the registry

      • MicrosoftEdgeUpdate.exe (PID: 2388)

  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 6728)
      • powershell.exe (PID: 1372)
      • msiexec.exe (PID: 6872)
      • MicrosoftEdgeUpdate.exe (PID: 2388)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5244)

    • Executes as Windows Service

      • VSSVC.exe (PID: 6552)

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 6872)

    • Process drops legitimate windows executable

      • powershell.exe (PID: 1372)
      • MicrosoftEdgeUpdate.exe (PID: 2388)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5244)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 1372)
      • MicrosoftEdgeUpdate.exe (PID: 2388)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5244)

    • Starts POWERSHELL.EXE for commands execution

      • msiexec.exe (PID: 6872)

    • Downloads file from URI

      • powershell.exe (PID: 1372)

    • The process bypasses the loading of PowerShell profile settings

      • msiexec.exe (PID: 6872)

    • Powershell scripting: start process

      • msiexec.exe (PID: 6872)

    • Request a resource from the Internet using PowerShell's cmdlet

      • msiexec.exe (PID: 6872)

    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 1372)

    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeUpdate.exe (PID: 2388)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5244)

    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 2388)

    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4088)
      • MicrosoftEdgeUpdate.exe (PID: 7144)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6488)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 736)

    • Reads security settings of Internet Explorer

      • MicrosoftEdgeUpdate.exe (PID: 2388)

    • Reads the date of Windows installation

      • MicrosoftEdgeUpdate.exe (PID: 2388)

    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 7024)

  • INFO

    • Checks supported languages

      • msiexec.exe (PID: 6872)
      • msiexec.exe (PID: 6952)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5244)
      • MicrosoftEdgeUpdate.exe (PID: 2388)
      • MicrosoftEdgeUpdate.exe (PID: 7144)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4088)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6488)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 736)
      • MicrosoftEdgeUpdate.exe (PID: 1436)
      • MicrosoftEdgeUpdate.exe (PID: 2024)
      • MicrosoftEdgeUpdate.exe (PID: 2368)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6728)
      • msiexec.exe (PID: 6872)

    • Reads the computer name

      • msiexec.exe (PID: 6872)
      • msiexec.exe (PID: 6952)
      • MicrosoftEdgeUpdate.exe (PID: 2388)
      • MicrosoftEdgeUpdate.exe (PID: 7144)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 736)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6488)
      • MicrosoftEdgeUpdate.exe (PID: 1436)
      • MicrosoftEdgeUpdate.exe (PID: 2024)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4088)
      • MicrosoftEdgeUpdate.exe (PID: 2368)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 6872)

    • Checks proxy server information

      • powershell.exe (PID: 1372)
      • MicrosoftEdgeUpdate.exe (PID: 1436)
      • MicrosoftEdgeUpdate.exe (PID: 2368)

    • Disables trace logs

      • powershell.exe (PID: 1372)

    • Create files in a temporary directory

      • MicrosoftEdgeWebview2Setup.exe (PID: 5244)
      • MicrosoftEdgeUpdate.exe (PID: 2388)
      • svchost.exe (PID: 7024)

    • Creates files or folders in the user directory

      • MicrosoftEdgeUpdate.exe (PID: 2388)

    • The executable file from the user directory is run by the Powershell process

      • MicrosoftEdgeWebview2Setup.exe (PID: 5244)

    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 1436)

    • Process checks computer location settings

      • MicrosoftEdgeUpdate.exe (PID: 2388)

    • Reads the software policy settings

      • MicrosoftEdgeUpdate.exe (PID: 1436)
      • MicrosoftEdgeUpdate.exe (PID: 2368)

    • Reads the machine GUID from the registry

      • MicrosoftEdgeUpdate.exe (PID: 1436)
      • MicrosoftEdgeUpdate.exe (PID: 2368)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: VTRL
Author: VTRL
Keywords: Installer
Comments: This installer database contains the logic and data required to install VTRL.
Template: x64;0
RevisionNumber: {22CB0795-C95E-4146-B8FD-8E0BFDC9A73A}
CreateDate: 2024:08:17 19:54:28
ModifyDate: 2024:08:17 19:54:28
Pages: 450
Words: 2
Software: Windows Installer XML Toolset (3.14.1.8722)
Security: Read-only recommended
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
143
Monitored processes
18
Malicious processes
3
Suspicious processes
2

Behavior graph

Click at the process to see the details
start msiexec.exe msiexec.exe msiexec.exe no specs vssvc.exe no specs srtasks.exe no specs conhost.exe no specs powershell.exe conhost.exe no specs microsoftedgewebview2setup.exe microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdate.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
736"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe" /user C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update COM Registration Helper
Exit code:
0
Version:
1.3.195.15
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.195.15\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
1372powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -WaitC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1436"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTUiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTUiIGlzbWFjaGluZT0iMCIgc2Vzc2lvbmlkPSJ7QUMxQUYzNkQtMUUxMi00MjQ5LTlCQjAtMTc3RjQ4Q0UzQjJFfSIgdXNlcmlkPSJ7QUQ1RTFDOUItMjhCQS00NDFFLTlCM0MtM0EyRDc4NjFCRTUyfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InsxN0E4MDlGQS0wRkE2LTRBNzktOTM4MS1EMzI0QjIzRUNEMjF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjQwNDYiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJvZHVjdF9uYW1lPSJERUxMIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE5NS4xNSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTIyNjIxOTI0NDkiIGluc3RhbGxfdGltZV9tcz0iODI4Ii8-PC9hcHA-PC9yZXF1ZXN0PgC:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.195.15
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
2024"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=false" /installsource otherinstallcmd /sessionid "{AC1AF36D-1E12-4249-9BB0-177F48CE3B2E}" /silentC:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Version:
1.3.195.15
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
2368"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" -EmbeddingC:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Version:
1.3.195.15
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
2388C:\Users\admin\AppData\Local\Temp\EUAB2C.tmp\MicrosoftEdgeUpdate.exe /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"C:\Users\admin\AppData\Local\Temp\EUAB2C.tmp\MicrosoftEdgeUpdate.exe
MicrosoftEdgeWebview2Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Version:
1.3.195.15
Modules
Images
c:\users\admin\appdata\local\temp\euab2c.tmp\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
4088"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe" /user C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update COM Registration Helper
Exit code:
0
Version:
1.3.195.15
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.195.15\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
5244"C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe" /silent /install C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update Setup
Version:
1.3.195.15
Modules
Images
c:\users\admin\appdata\local\temp\microsoftedgewebview2setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
6428\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeSrTasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6460C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11C:\Windows\System32\SrTasks.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
31 329
Read events
28 130
Write events
3 155
Delete events
44

Modification events

(PID) Process:(7024) svchost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS
Operation:writeName:PerfMMFileName
Value:
Global\MMF_BITS2b8d9d74-6149-4a83-b8b2-6ed3ecb6dd0d
(PID) Process:(6872) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
48000000000000006944FE1413F7DA01D81A0000001A0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6872) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Enter)
Value:
48000000000000006944FE1413F7DA01D81A0000001A0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6872) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Leave)
Value:
4800000000000000F8FC5F1513F7DA01D81A0000001A0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6872) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Enter)
Value:
4800000000000000F8FC5F1513F7DA01D81A0000001A0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6872) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Leave)
Value:
480000000000000067C7641513F7DA01D81A0000001A0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6872) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
480000000000000008F76B1513F7DA01D81A0000001A0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6872) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:writeName:LastIndex
Value:
11
(PID) Process:(6872) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGatherWriterMetadata (Enter)
Value:
4800000000000000A091F81513F7DA01D81A0000001A0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6872) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation:writeName:IDENTIFY (Enter)
Value:
4800000000000000E0F4FA1513F7DA01D81A000058190000E80300000100000000000000000000009ACEF648316D42499715B8E64655223200000000000000000000000000000000
Executable files
206
Suspicious files
14
Text files
6
Unknown types
1

Dropped files

PID
Process
Filename
Type
6872msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
6872msiexec.exeC:\Windows\Installer\inprogressinstallinfo.ipibinary
MD5:6DD1AA1229E534EFBF69FBCEB229F835
SHA256:9043232ECA5AFE390C3D06E92B1736FDDC84095EBF3E491570A0D381265864C0
6728msiexec.exeC:\Users\admin\AppData\Local\Temp\MSI670.tmpexecutable
MD5:CFBB8568BD3711A97E6124C56FCFA8D9
SHA256:7F47D98AB25CFEA9B3A2E898C3376CC9BA1CD893B4948B0C27CAA530FD0E34CC
7024svchost.exeC:\ProgramData\Microsoft\Network\Downloader\qmgr.dbedb
MD5:BF6875EF6144D7B852D78644420255E6
SHA256:D00DA3B6D50ECBBC8C7EB0EB4FCE8C6402BF4206A086BADD76EDBE87BAEEEE2F
6872msiexec.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:3B74C72781F4689B9ED6E0422B3E5282
SHA256:5B31170145A0D340E6D0FD56B03256DF5B993BB397C5FB87385F0184C76855B5
6872msiexec.exeC:\System Volume Information\SPP\OnlineMetadataCache\{48f6ce9a-6d31-4942-9715-b8e646552232}_OnDiskSnapshotPropbinary
MD5:3B74C72781F4689B9ED6E0422B3E5282
SHA256:5B31170145A0D340E6D0FD56B03256DF5B993BB397C5FB87385F0184C76855B5
6872msiexec.exeC:\Windows\Temp\~DFCEB7969419E566F6.TMPgmc
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
6872msiexec.exeC:\Windows\Installer\126980.msiexecutable
MD5:700427241064DAB4A148B04E108BBA0C
SHA256:DA8EB686634F66C5305F4E80C4155706BF155CAA66EFC2C144B7B0683442F1DD
6872msiexec.exeC:\Windows\Installer\126982.msiexecutable
MD5:700427241064DAB4A148B04E108BBA0C
SHA256:DA8EB686634F66C5305F4E80C4155706BF155CAA66EFC2C144B7B0683442F1DD
6872msiexec.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\VTRL\VTRL.lnk~RF126eb0.TMPlnk
MD5:1FEC597357D6B9D3265D88E1B027BB3A
SHA256:A4BDBF2DEE6300732B5215698618962B7B3AEC0B3D4FD40D2D5E1C39389FCA27
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
19
DNS requests
9
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7024
svchost.exe
HEAD
200
199.232.210.172:80
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/b0f731ce-f706-4c81-906e-a05aa034757d?P1=1725211274&P2=404&P3=2&P4=l0ZEPCehs%2fIdMqsa6e4swaCZrrQq2IXaAWWlQoqsukbxuUs3%2bXJvzkY7578csfWFmHFyyAl%2beYXkdHL4rRliMg%3d%3d
unknown
whitelisted
7024
svchost.exe
GET
199.232.210.172:80
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/b0f731ce-f706-4c81-906e-a05aa034757d?P1=1725211274&P2=404&P3=2&P4=l0ZEPCehs%2fIdMqsa6e4swaCZrrQq2IXaAWWlQoqsukbxuUs3%2bXJvzkY7578csfWFmHFyyAl%2beYXkdHL4rRliMg%3d%3d
unknown
whitelisted
POST
200
13.95.26.4:443
https://msedge.api.cdp.microsoft.com/api/v2/contents/Browser/namespaces/Default/names?action=batchupdates
unknown
text
103 b
GET
200
13.107.42.16:443
https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.195.15?clientId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&appChannel_edgeupdate=6&appConsentState_edgeupdate=0&appDayOfInstall_edgeupdate=0&appInactivityBadgeApplied_edgeupdate=0&appInactivityBadgeCleared_edgeupdate=0&appInactivityBadgeDuration_edgeupdate=0&appInstallTimeDiffSec_edgeupdate=0&appIsPinnedSystem_edgeupdate=false&appLastLaunchCount_edgeupdate=0&appLastLaunchTime_edgeupdate=0&appLastLaunchTimeJson_edgeupdate=0&appLastLaunchTimeDaysAgo_edgeupdate=0&appVersion_edgeupdate=1.3.195.15&appUpdateCheckIsUpdateDisabled_edgeupdate=false&appUpdatesAllowedForMeteredNetworks_edgeupdate=false&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=4&hwPhysmemory=4&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=DELL&oemProductName=DELL&osArch=x64&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=10.0.19045.4046&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=otherinstallcmd&requestIsMachine=false&requestOmahaShellVersion=1.3.195.15&requestOmahaVersion=1.3.195.15
unknown
binary
439 b
POST
200
13.95.26.4:443
https://msedge.api.cdp.microsoft.com/api/v1.1/internal/contents/Browser/namespaces/Default/names/msedgewebview-stable-win-x64/versions/128.0.2739.42/files?action=GenerateDownloadInfo&foregroundPriority=true
unknown
text
8.20 Kb
GET
200
152.199.21.175:443
https://msedge.sf.dl.delivery.mp.microsoft.com/filestreamingservice/files/bfbbeee6-130c-46b7-bf66-6b8eab0e894d/MicrosoftEdgeWebview2Setup.exe
unknown
executable
1.57 Mb
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:138
whitelisted
4876
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5880
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
2120
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
2120
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4876
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4324
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4876
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
  • 51.104.136.2
whitelisted
google.com
  • 172.217.18.110
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
msedge.sf.dl.delivery.mp.microsoft.com
  • 152.199.21.175
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
msedge.api.cdp.microsoft.com
  • 13.67.191.143
whitelisted
msedge.f.tlu.dl.delivery.mp.microsoft.com
  • 199.232.210.172
  • 199.232.214.172
whitelisted

Threats

PID
Process
Class
Message
7024
svchost.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
VTRL_2.1.8_x64_en-US.msi