File name: VTRL_2.1.8_x64_en-US.msi

Full analysis: https://app.any.run/tasks/8a180eb3-679d-4b82-ba87-3a1e37149c03
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: August 25, 2024, 17:20:11
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
loader
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: VTRL, Author: VTRL, Keywords: Installer, Comments: This installer database contains the logic and data required to install VTRL., Template: x64;0, Revision Number: {22CB0795-C95E-4146-B8FD-8E0BFDC9A73A}, Create Time/Date: Sat Aug 17 19:54:28 2024, Last Saved Time/Date: Sat Aug 17 19:54:28 2024, Number of Pages: 450, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
MD5: 700427241064DAB4A148B04E108BBA0C
SHA1: 00386136BB09FECEB619DB3EBEC8C1EC87093625
SHA256: DA8EB686634F66C5305F4E80C4155706BF155CAA66EFC2C144B7B0683442F1DD
SSDEEP: 98304:wejDmepTD2v9jkGc3dJ+WRHFvGv+BeVUnJ3G/bbDsDIAtNk/BPicgg7ZqQqNRZyx:ae9VQr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 1372)
    • Changes the autorun value in the registry

      • MicrosoftEdgeUpdate.exe (PID: 2388)
  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 6872)
    • Request a resource from the Internet using PowerShell's cmdlet

      • msiexec.exe (PID: 6872)
    • Powershell scripting: start process

      • msiexec.exe (PID: 6872)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 1372)
    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 6728)
      • powershell.exe (PID: 1372)
      • msiexec.exe (PID: 6872)
      • MicrosoftEdgeUpdate.exe (PID: 2388)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5244)
    • Executes as Windows Service

      • VSSVC.exe (PID: 6552)
    • Starts POWERSHELL.EXE for commands execution

      • msiexec.exe (PID: 6872)
    • Process drops legitimate windows executable

      • powershell.exe (PID: 1372)
      • MicrosoftEdgeUpdate.exe (PID: 2388)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5244)
    • The process bypasses the loading of PowerShell profile settings

      • msiexec.exe (PID: 6872)
    • Executable content was dropped or overwritten

      • MicrosoftEdgeWebview2Setup.exe (PID: 5244)
      • MicrosoftEdgeUpdate.exe (PID: 2388)
      • powershell.exe (PID: 1372)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeWebview2Setup.exe (PID: 5244)
      • MicrosoftEdgeUpdate.exe (PID: 2388)
    • Downloads file from URI

      • powershell.exe (PID: 1372)
    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 2388)
    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6488)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 736)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4088)
      • MicrosoftEdgeUpdate.exe (PID: 7144)
    • Reads security settings of Internet Explorer

      • MicrosoftEdgeUpdate.exe (PID: 2388)
    • Reads the date of Windows installation

      • MicrosoftEdgeUpdate.exe (PID: 2388)
    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 7024)
  • INFO

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6728)
      • msiexec.exe (PID: 6872)
    • Reads the computer name

      • msiexec.exe (PID: 6952)
      • msiexec.exe (PID: 6872)
      • MicrosoftEdgeUpdate.exe (PID: 2388)
      • MicrosoftEdgeUpdate.exe (PID: 7144)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6488)
      • MicrosoftEdgeUpdate.exe (PID: 1436)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 736)
      • MicrosoftEdgeUpdate.exe (PID: 2024)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4088)
      • MicrosoftEdgeUpdate.exe (PID: 2368)
    • Checks proxy server information

      • powershell.exe (PID: 1372)
      • MicrosoftEdgeUpdate.exe (PID: 1436)
      • MicrosoftEdgeUpdate.exe (PID: 2368)
    • Checks supported languages

      • msiexec.exe (PID: 6952)
      • msiexec.exe (PID: 6872)
      • MicrosoftEdgeUpdate.exe (PID: 2388)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5244)
      • MicrosoftEdgeUpdate.exe (PID: 7144)
      • MicrosoftEdgeUpdate.exe (PID: 1436)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 736)
      • MicrosoftEdgeUpdate.exe (PID: 2024)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 4088)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6488)
      • MicrosoftEdgeUpdate.exe (PID: 2368)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 6872)
    • Create files in a temporary directory

      • MicrosoftEdgeWebview2Setup.exe (PID: 5244)
      • MicrosoftEdgeUpdate.exe (PID: 2388)
      • svchost.exe (PID: 7024)
    • The executable file from the user directory is run by the Powershell process

      • MicrosoftEdgeWebview2Setup.exe (PID: 5244)
    • Creates files or folders in the user directory

      • MicrosoftEdgeUpdate.exe (PID: 2388)
    • Disables trace logs

      • powershell.exe (PID: 1372)
    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 1436)
    • Process checks computer location settings

      • MicrosoftEdgeUpdate.exe (PID: 2388)
    • Reads the software policy settings

      • MicrosoftEdgeUpdate.exe (PID: 1436)
      • MicrosoftEdgeUpdate.exe (PID: 2368)
    • Reads the machine GUID from the registry

      • MicrosoftEdgeUpdate.exe (PID: 1436)
      • MicrosoftEdgeUpdate.exe (PID: 2368)
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: VTRL
Author: VTRL
Keywords: Installer
Comments: This installer database contains the logic and data required to install VTRL.
Template: x64;0
RevisionNumber: {22CB0795-C95E-4146-B8FD-8E0BFDC9A73A}
CreateDate: 2024:08:17 19:54:28
ModifyDate: 2024:08:17 19:54:28
Pages: 450
Words: 2
Software: Windows Installer XML Toolset (3.14.1.8722)
Security: Read-only recommended
Total processes: 143
Monitored processes: 18
Malicious processes: 3
Suspicious processes: 2

Behavior graph

Process nodes in the graph, in order (processes marked "no specs" triggered no signatures):

start
msiexec.exe
msiexec.exe
msiexec.exe (no specs)
vssvc.exe (no specs)
srtasks.exe (no specs)
conhost.exe (no specs)
powershell.exe
conhost.exe (no specs)
microsoftedgewebview2setup.exe
microsoftedgeupdate.exe
microsoftedgeupdate.exe (no specs)
microsoftedgeupdatecomregistershell64.exe (no specs)
microsoftedgeupdatecomregistershell64.exe (no specs)
microsoftedgeupdatecomregistershell64.exe (no specs)
microsoftedgeupdate.exe
microsoftedgeupdate.exe (no specs)
microsoftedgeupdate.exe
svchost.exe

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 736
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe" /user
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update COM Registration Helper
Exit code:
0
Version:
1.3.195.15
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.195.15\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 1372
CMD: powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1436
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTUiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTUiIGlzbWFjaGluZT0iMCIgc2Vzc2lvbmlkPSJ7QUMxQUYzNkQtMUUxMi00MjQ5LTlCQjAtMTc3RjQ4Q0UzQjJFfSIgdXNlcmlkPSJ7QUQ1RTFDOUItMjhCQS00NDFFLTlCM0MtM0EyRDc4NjFCRTUyfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InsxN0E4MDlGQS0wRkE2LTRBNzktOTM4MS1EMzI0QjIzRUNEMjF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjQwNDYiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJvZHVjdF9uYW1lPSJERUxMIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE5NS4xNSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTIyNjIxOTI0NDkiIGluc3RhbGxfdGltZV9tcz0iODI4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.195.15
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID: 2024
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=false" /installsource otherinstallcmd /sessionid "{AC1AF36D-1E12-4249-9BB0-177F48CE3B2E}" /silent
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Version:
1.3.195.15
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID: 2368
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" -Embedding
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Version:
1.3.195.15
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID: 2388
CMD: C:\Users\admin\AppData\Local\Temp\EUAB2C.tmp\MicrosoftEdgeUpdate.exe /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
Path: C:\Users\admin\AppData\Local\Temp\EUAB2C.tmp\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeWebview2Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Version:
1.3.195.15
Modules
Images
c:\users\admin\appdata\local\temp\euab2c.tmp\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID: 4088
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe" /user
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update COM Registration Helper
Exit code:
0
Version:
1.3.195.15
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.195.15\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 5244
CMD: "C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe" /silent /install
Path: C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update Setup
Version:
1.3.195.15
Modules
Images
c:\users\admin\appdata\local\temp\microsoftedgewebview2setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 6428
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SrTasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6460
CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11
Path: C:\Windows\System32\SrTasks.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 31 329
Read events: 28 130
Write events: 3 155
Delete events: 44

Modification events

Process: svchost.exe (PID 7024)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS
Operation: write
Name: PerfMMFileName
Value: Global\MMF_BITS2b8d9d74-6149-4a83-b8b2-6ed3ecb6dd0d

Process: msiexec.exe (PID 6872)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value: 48000000000000006944FE1413F7DA01D81A0000001A0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: msiexec.exe (PID 6872)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value: 48000000000000006944FE1413F7DA01D81A0000001A0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: msiexec.exe (PID 6872)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value: 4800000000000000F8FC5F1513F7DA01D81A0000001A0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: msiexec.exe (PID 6872)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value: 4800000000000000F8FC5F1513F7DA01D81A0000001A0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: msiexec.exe (PID 6872)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value: 480000000000000067C7641513F7DA01D81A0000001A0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000

Process: msiexec.exe (PID 6872)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value: 480000000000000008F76B1513F7DA01D81A0000001A0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: msiexec.exe (PID 6872)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value: 11

Process: msiexec.exe (PID 6872)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value: 4800000000000000A091F81513F7DA01D81A0000001A0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: msiexec.exe (PID 6872)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value: 4800000000000000E0F4FA1513F7DA01D81A000058190000E80300000100000000000000000000009ACEF648316D42499715B8E64655223200000000000000000000000000000000
Executable files: 206
Suspicious files: 14
Text files: 6
Unknown types: 1

Dropped files

PID | Process | Filename | Type
6872 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | -
MD5:
SHA256:
6872 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{48f6ce9a-6d31-4942-9715-b8e646552232}_OnDiskSnapshotProp | binary
MD5: 3B74C72781F4689B9ED6E0422B3E5282
SHA256: 5B31170145A0D340E6D0FD56B03256DF5B993BB397C5FB87385F0184C76855B5
6872 | msiexec.exe | C:\Windows\Temp\~DFCC42607B08D6E1B9.TMP | binary
MD5: 6DD1AA1229E534EFBF69FBCEB229F835
SHA256: 9043232ECA5AFE390C3D06E92B1736FDDC84095EBF3E491570A0D381265864C0
6872 | msiexec.exe | C:\Windows\Installer\126980.msi | executable
MD5: 700427241064DAB4A148B04E108BBA0C
SHA256: DA8EB686634F66C5305F4E80C4155706BF155CAA66EFC2C144B7B0683442F1DD
6872 | msiexec.exe | C:\Windows\Installer\inprogressinstallinfo.ipi | binary
MD5: 6DD1AA1229E534EFBF69FBCEB229F835
SHA256: 9043232ECA5AFE390C3D06E92B1736FDDC84095EBF3E491570A0D381265864C0
6872 | msiexec.exe | C:\Windows\Installer\MSI6DB6.tmp | binary
MD5: 5F176BB2CD5F13D32173733966FC5BEA
SHA256: 846ADB3D08221BA5FC003AD3A3C776C2CE6636D3F8411265BC0D2709EF08B9CE
6872 | msiexec.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VTRL\VTRL.lnk~RF126eb0.TMP | lnk
MD5: 1FEC597357D6B9D3265D88E1B027BB3A
SHA256: A4BDBF2DEE6300732B5215698618962B7B3AEC0B3D4FD40D2D5E1C39389FCA27
6872 | msiexec.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VTRL\VTRL.lnk | binary
MD5: 1FEC597357D6B9D3265D88E1B027BB3A
SHA256: A4BDBF2DEE6300732B5215698618962B7B3AEC0B3D4FD40D2D5E1C39389FCA27
6872 | msiexec.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VTRL\~TRL.tmp | binary
MD5: 775E9151C183683C8C2CF2B11C0B84DC
SHA256: AC715336245025A86ADAF4D590CB3DF62E5695C624AA5C563042FAC4A48AF35E
6872 | msiexec.exe | C:\Users\Public\Desktop\VTRL.lnk | binary
MD5: 7B55FA20D5C4CCC96668D36EB7280124
SHA256: 5CE2CA6375FF0476EB93918B18200E7FE2FCA73D61258104644213233F87BA00
HTTP(S) requests: 6
TCP/UDP connections: 19
DNS requests: 9
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
7024 | svchost.exe | GET | - | 199.232.210.172:80 | http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/b0f731ce-f706-4c81-906e-a05aa034757d?P1=1725211274&P2=404&P3=2&P4=l0ZEPCehs%2fIdMqsa6e4swaCZrrQq2IXaAWWlQoqsukbxuUs3%2bXJvzkY7578csfWFmHFyyAl%2beYXkdHL4rRliMg%3d%3d | unknown | - | - | whitelisted
7024 | svchost.exe | HEAD | 200 | 199.232.210.172:80 | http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/b0f731ce-f706-4c81-906e-a05aa034757d?P1=1725211274&P2=404&P3=2&P4=l0ZEPCehs%2fIdMqsa6e4swaCZrrQq2IXaAWWlQoqsukbxuUs3%2bXJvzkY7578csfWFmHFyyAl%2beYXkdHL4rRliMg%3d%3d | unknown | - | - | whitelisted
- | - | GET | 200 | 13.107.42.16:443 | https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.195.15?clientId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&appChannel_edgeupdate=6&appConsentState_edgeupdate=0&appDayOfInstall_edgeupdate=0&appInactivityBadgeApplied_edgeupdate=0&appInactivityBadgeCleared_edgeupdate=0&appInactivityBadgeDuration_edgeupdate=0&appInstallTimeDiffSec_edgeupdate=0&appIsPinnedSystem_edgeupdate=false&appLastLaunchCount_edgeupdate=0&appLastLaunchTime_edgeupdate=0&appLastLaunchTimeJson_edgeupdate=0&appLastLaunchTimeDaysAgo_edgeupdate=0&appVersion_edgeupdate=1.3.195.15&appUpdateCheckIsUpdateDisabled_edgeupdate=false&appUpdatesAllowedForMeteredNetworks_edgeupdate=false&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=4&hwPhysmemory=4&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=DELL&oemProductName=DELL&osArch=x64&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=10.0.19045.4046&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=otherinstallcmd&requestIsMachine=false&requestOmahaShellVersion=1.3.195.15&requestOmahaVersion=1.3.195.15 | unknown | binary | 439 b | unknown
- | - | GET | 200 | 152.199.21.175:443 | https://msedge.sf.dl.delivery.mp.microsoft.com/filestreamingservice/files/bfbbeee6-130c-46b7-bf66-6b8eab0e894d/MicrosoftEdgeWebview2Setup.exe | unknown | executable | 1.57 Mb | unknown
- | - | POST | 200 | 13.95.26.4:443 | https://msedge.api.cdp.microsoft.com/api/v2/contents/Browser/namespaces/Default/names?action=batchupdates | unknown | text | 103 b | unknown
- | - | POST | 200 | 13.95.26.4:443 | https://msedge.api.cdp.microsoft.com/api/v1.1/internal/contents/Browser/namespaces/Default/names/msedgewebview-stable-win-x64/versions/128.0.2739.42/files?action=GenerateDownloadInfo&foregroundPriority=true | unknown | text | 8.20 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:138 | - | - | - | whitelisted
4876 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
5880 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
2120 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4876 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4324 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4876 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 51.124.78.146, 51.104.136.2 | whitelisted
google.com | 172.217.18.110 | whitelisted
go.microsoft.com | 184.28.89.167 | whitelisted
msedge.sf.dl.delivery.mp.microsoft.com | 152.199.21.175 | whitelisted
config.edge.skype.com | 13.107.42.16 | whitelisted
msedge.api.cdp.microsoft.com | 13.67.191.143 | whitelisted
msedge.f.tlu.dl.delivery.mp.microsoft.com | 199.232.210.172, 199.232.214.172 | whitelisted

Threats

PID | Process | Class | Message
7024 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
No debug info