File name: avp.msi

Full analysis: https://app.any.run/tasks/91fc5966-e363-4684-92a6-7cc82c48c2ec
Verdict: Malicious activity
Analysis date: April 17, 2024, 21:06:50
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 14:06:51 2020, Security: 0, Code page: 1252, Revision Number: {117CFEB2-6376-4FA5-ACE4-CD1494F2E3DD}, Number of Words: 10, Subject: GeoTdata, Author: Since Flawer, Name of Creating Application: GeoTdata, Template: ;1033, Comments: This installer database contains the logic and data required to install GeoTdata., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
MD5: 4D81BE09C23E02FAB7364E508C21C111
SHA1: 52CAE521D7A808C8206F4B5AFD6B037BC573B50E
SHA256: DCAE57EC4B69236146F744C143C42CC8BDAC9DA6E991904E6DBF67EC1179286A
SSDEEP: 49152:Hte9IjHnotTeor8trZeIlogiyDTP6q9jp8d38C4WaaIWbpc2VHrzujXFbO9yINbJ:o9IDotTeor2yZyvP/jpOpaaIWbpbVL6O

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 1872)
      • msiexec.exe (PID: 7016)
  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 7016)
    • Executes as Windows Service

      • VSSVC.exe (PID: 6500)
    • Connects to the server without a host name

      • msiexec.exe (PID: 4024)
  • INFO

    • Checks supported languages

      • msiexec.exe (PID: 7016)
      • msiexec.exe (PID: 6984)
      • msiexec.exe (PID: 4024)
    • Reads the computer name

      • msiexec.exe (PID: 7016)
      • msiexec.exe (PID: 6984)
      • msiexec.exe (PID: 4024)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 1872)
      • msiexec.exe (PID: 7016)
    • Reads Environment values

      • msiexec.exe (PID: 6984)
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (81.9)
.mst | Windows SDK Setup Transform Script (9.2)
.msp | Windows Installer Patch (7.6)
.msi | Microsoft Installer (100)

EXIF

FlashPix

LastPrinted: 2009:12:11 11:47:44
CreateDate: 2009:12:11 11:47:44
ModifyDate: 2020:09:18 14:06:51
Security: None
CodePage: Windows Latin 1 (Western European)
RevisionNumber: {117CFEB2-6376-4FA5-ACE4-CD1494F2E3DD}
Words: 10
Subject: GeoTdata
Author: Since Flawer
LastModifiedBy: -
Software: GeoTdata
Template: ;1033
Comments: This installer database contains the logic and data required to install GeoTdata.
Title: Installation Database
Keywords: Installer, MSI, Database
Pages: 200
No data.
Total processes: 136
Monitored processes: 7
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Process nodes: start, msiexec.exe, msiexec.exe, msiexec.exe (no specs), vssvc.exe (no specs), srtasks.exe (no specs), conhost.exe (no specs), msiexec.exe

Process information

PID: 1872
CMD: "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\Downloads\avp.msi
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 3388
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SrTasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4024
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 6DC6AD0949756697114EB8CE7B0E9530
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\installer\msi71b9.tmp
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\netapi32.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\samcli.dll
c:\windows\syswow64\netutils.dll
c:\windows\syswow64\logoncli.dll
c:\windows\syswow64\uxtheme.dll
c:\windows\syswow64\windows.storage.dll
PID: 4512
CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11
Path: C:\Windows\System32\SrTasks.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6500
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\clusapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cscapi.dll
PID: 6984
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 034A43A4EFA7D9CF1A109EEE9A056E94 C
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 7016
CMD: C:\WINDOWS\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
Total events: 3 307
Read events: 3 189
Write events: 118
Delete events: 0

Modification events

(PID) Process: (7016) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write | Name: SrCreateRp (Enter)
Value:
4800000000000000F347E2300B91DA01681B00006C0F0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7016) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write | Name: SppGetSnapshots (Enter)
Value:
4800000000000000F347E2300B91DA01681B00006C0F0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7016) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write | Name: SppGetSnapshots (Leave)
Value:
4800000000000000E38B1B310B91DA01681B00006C0F0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7016) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write | Name: SppEnumGroups (Enter)
Value:
480000000000000023DE1D310B91DA01681B00006C0F0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7016) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write | Name: SppEnumGroups (Leave)
Value:
480000000000000023DE1D310B91DA01681B00006C0F0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7016) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write | Name: SppCreate (Enter)
Value:
480000000000000055A522310B91DA01681B00006C0F0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6500) VSSVC.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Operation: write | Name: IDENTIFY (Leave)
Value:
4800000000000000B5457D310B91DA016419000048180000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7016) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation: write | Name: IDENTIFY (Leave)
Value:
4800000000000000AB2FAB330B91DA01681B000074180000E80300000000000000000000000000008C4DFF2D8ADB6A43BE901DBCA88BD56400000000000000000000000000000000
(PID) Process: (7016) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write | Name: SppGatherWriterMetadata (Leave)
Value:
48000000000000001CA085350B91DA01681B00006C0F0000D30700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7016) msiexec.exe | Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write | Name: SppAddInterestingComponents (Enter)
Value:
48000000000000001CA085350B91DA01681B00006C0F0000D40700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 10
Suspicious files: 2
Text files: 0
Unknown types: 1

Dropped files

PID | Process | Filename | Type

7016 | msiexec.exe | C:\WINDOWS\Installer\inprogressinstallinfo.ipi
MD5:
SHA256:
7016 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{2dff4d8c-db8a-436a-be90-1dbca88bd564}_OnDiskSnapshotProp
MD5:
SHA256:
7016 | msiexec.exe | C:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
1872 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI39B1.tmp | executable
MD5:475D20C0EA477A35660E3F67ECF0A1DF
SHA256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
1872 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI3AEE.tmp | executable
MD5:475D20C0EA477A35660E3F67ECF0A1DF
SHA256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
7016 | msiexec.exe | C:\WINDOWS\Installer\41712c.msi | executable
MD5:4D81BE09C23E02FAB7364E508C21C111
SHA256:DCAE57EC4B69236146F744C143C42CC8BDAC9DA6E991904E6DBF67EC1179286A
7016 | msiexec.exe | C:\WINDOWS\Installer\MSI71B9.tmp | executable
MD5:475D20C0EA477A35660E3F67ECF0A1DF
SHA256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
1872 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI3ACE.tmp | executable
MD5:475D20C0EA477A35660E3F67ECF0A1DF
SHA256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
7016 | msiexec.exe | C:\WINDOWS\Installer\MSI72A4.tmp | executable
MD5:475D20C0EA477A35660E3F67ECF0A1DF
SHA256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
1872 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI3A6E.tmp | executable
MD5:475D20C0EA477A35660E3F67ECF0A1DF
SHA256:426E6CF199A8268E8A7763EC3A4DD7ADD982B28C51D89EBEA90CA792CBAE14DD
HTTP(S) requests: 6
TCP/UDP connections: 28
DNS requests: 13
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

2568 | svchost.exe | GET | 200 | 23.34.165.217:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
4024 | msiexec.exe | POST | 200 | 85.239.53.219:80 | http://85.239.53.219/api/b44ae09f-2f89-f9bc-d814-69d7b28f4e2d/tasks | unknown | unknown
4024 | msiexec.exe | POST | 200 | 85.239.53.219:80 | http://85.239.53.219/api/b44ae09f-2f89-f9bc-d814-69d7b28f4e2d/tasks | unknown | unknown
4024 | msiexec.exe | POST | 200 | 85.239.53.219:80 | http://85.239.53.219/api/gateway | unknown | unknown
3012 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | unknown
4024 | msiexec.exe | POST | 200 | 85.239.53.219:80 | http://85.239.53.219/api/b44ae09f-2f89-f9bc-d814-69d7b28f4e2d/tasks | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation (fields the report leaves empty are shown as -)

- | - | 239.255.255.250:1900 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | unknown
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
2568 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
2568 | svchost.exe | 23.34.165.217:80 | www.microsoft.com | AKAMAI-AS | US | unknown
- | - | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
4016 | svchost.exe | 23.44.141.138:443 | go.microsoft.com | AKAMAI-AS | IT | unknown
5152 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4024 | msiexec.exe | 104.26.12.205:443 | api.ipify.org | CLOUDFLARENET | US | unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
www.microsoft.com
  • 23.34.165.217
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
go.microsoft.com
  • 23.44.141.138
whitelisted
api.ipify.org
  • 104.26.12.205
  • 104.26.13.205
  • 172.67.74.152
shared
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
slscr.update.microsoft.com
  • 40.68.123.157
whitelisted
login.live.com
  • 40.126.31.69
  • 20.190.159.2
  • 40.126.31.73
  • 40.126.31.71
  • 20.190.159.23
  • 20.190.159.68
  • 40.126.31.67
  • 20.190.159.73
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted

Threats

PID | Process | Class | Message (fields the report leaves empty are shown as -)

2136 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
4024 | msiexec.exe | Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
4024 | msiexec.exe | A Network Trojan was detected | ET MALWARE Win32/SSLoad Registration Activity (POST)
4024 | msiexec.exe | A Network Trojan was detected | ET MALWARE Win32/SSLoad Tasking Request (POST)
- | - | A Network Trojan was detected | ET MALWARE Win32/SSLoad Tasking Request (POST)
- | - | A Network Trojan was detected | ET MALWARE Win32/SSLoad Tasking Request (POST)
No debug info