Malware analysis deef940da19f6baca00002f28ee02998269ac036b0d277132402cd4bb086f093.msi Malicious activity

Add for printing

File name:	deef940da19f6baca00002f28ee02998269ac036b0d277132402cd4bb086f093.msi
Full analysis:	https://app.any.run/tasks/1796606c-b13e-40d8-adaf-690038e20d1d
Verdict:	Malicious activity
Analysis date:	January 03, 2025, 16:18:32
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	rdp
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Create Time/Date: Mon Jun 21 07:00:00 1999, Name of Creating Application: Windows Installer, Code page: 1252, Last Printed: Mon Jun 3 18:16:22 2024, Title: Setup2, Author: Microsoft, Template: Intel;1033, Last Saved By: Asterix, Revision Number: {346216D6-FC2D-4B10-AF3A-E3FFCBE2B3C3}, Last Saved Time/Date: Mon Jun 3 18:17:41 2024, Number of Pages: 200, Number of Words: 10, Security: 0
MD5:	47F1B324EAB7E1DA2CA116F62B7C2D05
SHA1:	1D35C95616D2D9187B735B039DB7D4D71FF7DAF2
SHA256:	DEEF940DA19F6BACA00002F28EE02998269AC036B0D277132402CD4BB086F093
SSDEEP:	98304:qBvwwznn8+aM3rmFEqPqzeRFf0CZbuk8GO9AoJqDgOo0n7IgtuVw9UdHGdhe95Z6:A+EwtS3V2ty+E

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Accesses name of a computer manufacturer via WMI (SCRIPT)
  - cscript.exe (PID: 4388)
SUSPICIOUS
- Executes as Windows Service
  - VSSVC.exe (PID: 6920)
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 6368)
- Process drops legitimate windows executable
  - msiexec.exe (PID: 6368)
  - nwsvc.exe (PID: 1156)
- Likely accesses (executes) a file from the Public directory
  - nwsvc.exe (PID: 1156)
- Starts a Microsoft application from unusual location
  - nwsvc.exe (PID: 1156)
- The process creates files with name similar to system file names
  - msiexec.exe (PID: 6368)
- Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)
  - cscript.exe (PID: 4388)
- There is functionality for enable RDP (YARA)
  - nwsvc.exe (PID: 1156)
- Executable content was dropped or overwritten
  - nwsvc.exe (PID: 1156)
- The process executes VB scripts
  - nwsvc.exe (PID: 1156)
INFO
- Checks supported languages
  - msiexec.exe (PID: 6368)
  - SearchApp.exe (PID: 5064)
  - nwsvc.exe (PID: 1156)
- Manages system restore points
  - SrTasks.exe (PID: 6424)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 6368)
- The sample compiled with english language support
  - msiexec.exe (PID: 6368)
  - nwsvc.exe (PID: 1156)
- Reads the computer name
  - nwsvc.exe (PID: 1156)
- Reads the machine GUID from the registry
  - nwsvc.exe (PID: 1156)
  - SearchApp.exe (PID: 5064)
- Reads Environment values
  - nwsvc.exe (PID: 1156)
- Reads security settings of Internet Explorer
  - cscript.exe (PID: 4388)
- Manual execution by a user
  - notepad.exe (PID: 5340)
  - notepad.exe (PID: 396)
- Reads the software policy settings
  - SearchApp.exe (PID: 5064)
- Process checks computer location settings
  - SearchApp.exe (PID: 5064)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.msi	\|	Microsoft Windows Installer (98.5)
.msi	\|	Microsoft Installer (100)

EXIF

FlashPix

CreateDate:	1999:06:21 07:00:00
Software:	Windows Installer
CodePage:	Windows Latin 1 (Western European)
LastPrinted:	2024:06:03 18:16:22
Title:	Setup2
Subject:	-
Author:	Microsoft
Keywords:	-
Comments:	-
Template:	Intel;1033
LastModifiedBy:	Asterix
RevisionNumber:	{346216D6-FC2D-4B10-AF3A-E3FFCBE2B3C3}
ModifyDate:	2024:06:03 18:17:41
Pages:	200
Words:	10
Security:	None

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

137

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

396

"C:\WINDOWS\System32\Notepad.exe" C:\Users\admin\Desktop\detectvm.vbs

C:\Windows\System32\notepad.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Notepad

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll

1156

"C:\Users\Public\Music\nwsvc.exe" /usermode

C:\Users\Public\Music\nwsvc.exe

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Network Access Service

Version:

6.1.7600.16385

Modules

Images
c:\users\public\music\nwsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\rpcrt4.dll

4388

C:\WINDOWS\system32\cscript.exe "C:\Users\admin\AppData\Local\Temp\VPN_6E3F\detectvm.vbs"

C:\Windows\System32\cscript.exe

—

nwsvc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft ® Console Based Script Host

Exit code:

Version:

5.812.10240.16384

Modules

Images
c:\windows\system32\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4824

C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\rundll32.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

5064

"C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Search application

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\systemapps\microsoft.windows.search_cw5n1h2txyewy\searchapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5340

"C:\WINDOWS\system32\notepad.exe"

C:\Windows\System32\notepad.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Notepad

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll

5576

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cscript.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6276

"C:\Windows\System32\msiexec.exe" /i C:\Users\admin\AppData\Local\Temp\deef940da19f6baca00002f28ee02998269ac036b0d277132402cd4bb086f093.msi

C:\Windows\System32\msiexec.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

6368

C:\WINDOWS\system32\msiexec.exe /V

C:\Windows\System32\msiexec.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows® installer

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\coml2.dll
c:\windows\system32\srclient.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\spp.dll

6424

C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11

C:\Windows\System32\SrTasks.exe

—

msiexec.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft® Windows System Protection background tasks.

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

Add for printing

Total events

10 699

Read events

10 399

Write events

287

Delete events

Modification events


(PID) Process:	(5064) SearchApp.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings
Operation:	write	Name:	SafeSearchMode
Value: 1
(PID) Process:	(5064) SearchApp.exe	Key:	\REGISTRY\A\{ee080948-b2ea-145a-6870-f9164b908eb9}\LocalState\ConstraintIndex
Operation:	write	Name:	CurrentConstraintIndexCabPath
Value: 43003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C005000610063006B0061006700650073005C004D006900630072006F0073006F00660074002E00570069006E0064006F00770073002E005300650061007200630068005F006300770035006E003100680032007400780079006500770079005C004C006F00630061006C00530074006100740065005C0043006F006E00730074007200610069006E00740049006E006400650078005C0049006E007000750074005F007B00380033003200620036003800640032002D0037006600650032002D0034006500370031002D0061003300610064002D003200360031003600360062003600350036006500630036007D000000631BD027FB5DDB01
(PID) Process:	(5064) SearchApp.exe	Key:	\REGISTRY\A\{ee080948-b2ea-145a-6870-f9164b908eb9}\LocalState\AppsConstraintIndex
Operation:	write	Name:	LatestConstraintIndexFolder
Value: 43003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C005000610063006B0061006700650073005C004D006900630072006F0073006F00660074002E00570069006E0064006F00770073002E005300650061007200630068005F006300770035006E003100680032007400780079006500770079005C004C006F00630061006C00530074006100740065005C0043006F006E00730074007200610069006E00740049006E006400650078005C0041007000700073005F007B00610030003200350036006600340032002D0062006200300037002D0034003000620034002D0039003400390035002D006200300030003300390036003800380039006500380035007D000000631BD027FB5DDB01
(PID) Process:	(5064) SearchApp.exe	Key:	\REGISTRY\A\{ee080948-b2ea-145a-6870-f9164b908eb9}\LocalState\AppsConstraintIndex
Operation:	write	Name:	LastConstraintIndexBuildCompleted
Value: 743AD027FB5DDB01631BD027FB5DDB01
(PID) Process:	(5064) SearchApp.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\Microsoft.Windows.Search_cw5n1h2txyewy\AppsConstraintIndex
Operation:	write	Name:	CurrentConstraintIndexCabPath
Value: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{832b68d2-7fe2-4e71-a3ad-26166b656ec6}
(PID) Process:	(5064) SearchApp.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\Microsoft.Windows.Search_cw5n1h2txyewy\AppsConstraintIndex
Operation:	write	Name:	LatestConstraintIndexFolder
Value: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{a0256f42-bb07-40b4-9495-b00396889e85}
(PID) Process:	(5064) SearchApp.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\Microsoft.Windows.Search_cw5n1h2txyewy\AppsConstraintIndex
Operation:	write	Name:	IndexedLanguage
Value: en-US
(PID) Process:	(5064) SearchApp.exe	Key:	\REGISTRY\A\{ee080948-b2ea-145a-6870-f9164b908eb9}\LocalState\AppIndexer
Operation:	write	Name:	LatestCacheFileName
Value: 410070007000430061006300680065003100330033003800300033003900340037003100350034003200370030003000360031002E007400780074000000631BD027FB5DDB01
(PID) Process:	(5064) SearchApp.exe	Key:	\REGISTRY\A\{ee080948-b2ea-145a-6870-f9164b908eb9}\LocalState\AppIndexer
Operation:	write	Name:	InstalledWin32AppsRevision
Value: 7B00340046003200330031003700450030002D0034003600460033002D0034003300300042002D0039003500360034002D003500330043003700410041003000340039003300370035007D000000787ED227FB5DDB01
(PID) Process:	(5064) SearchApp.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com
Operation:	write	Name:	Total
Value: 929

Add for printing

Executable files

Suspicious files

Text files

196

Unknown types

Dropped files

PID	Process	Filename		Type
6368	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
6368	msiexec.exe	C:\Windows\Installer\13bd58.msi		—
		MD5:—	SHA256:—
6368	msiexec.exe	C:\System Volume Information\SPP\snapshot-2		binary
		MD5:A0073CBDD7BEB901F9201F005EAA26B2	SHA256:9A362B52B9DEA799FA82F8DAA6313DC9A4056E0F1F711D6F6F73237DE733E7D5
5064	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ZWUI0EBX\www.bing[1].xml		text
		MD5:8EC1F39C55C376604561FE334619173C	SHA256:CA1CFE9475A75E5E223C126DD5DCBD2E8D9B096AA5FD80463DBE52D30ECB8B4E
6368	msiexec.exe	C:\Users\Public\Music\hamcore\languages.txt		text
		MD5:331C37929CC46B4C9853D4018BE2F676	SHA256:C35287198BBF4C4643AB31C29B55F3471885A649B6B1F99D8885FA07C2021396
5064	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{a0256f42-bb07-40b4-9495-b00396889e85}\0.2.filtertrie.intermediate.txt		text
		MD5:C204E9FAAF8565AD333828BEFF2D786E	SHA256:D65B6A3BF11A27A1CED1F7E98082246E40CF01289FD47FE4A5ED46C221F2F73F
6368	msiexec.exe	C:\Windows\Temp\~DF1D5AF186BD78DF1F.TMP		binary
		MD5:BF619EAC0CDF3F68D496EA9344137E8B	SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
6368	msiexec.exe	C:\Users\Public\Music\nwsvb.exe		executable
		MD5:A3FD2D29D6DC9BE3625AE87BF1EA5B78	SHA256:C7D731AFC4303DC898D65F9E2FDDF282C659D2517FE7A448778CBBE7759B17C2
6368	msiexec.exe	C:\Windows\Installer\MSIBF1D.tmp		binary
		MD5:B34444EBDE51EB5E39A5BCAC889346E2	SHA256:2DD9F1ECE101E35FEC8E8FA99F1BAA357DD283FC10FFD2D4C42383C1AEA89B2D
6368	msiexec.exe	C:\Windows\Temp\~DFFCFB9DB0E4FFC4D3.TMP		binary
		MD5:CFD927EE3EDD6FBE4B46E108688A8B32	SHA256:7FC137EDED63F14D987AB7048339DF21D594E5A7246CF168B591037279DB08F0

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

102

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	2.16.164.112:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	184.30.230.103:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
1920	SIHClient.exe	GET	200	184.30.230.103:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
3732	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
5004	svchost.exe	GET	200	184.30.230.103:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.230.103:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1920	SIHClient.exe	GET	200	184.30.230.103:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
1156	nwsvc.exe	POST	200	103.41.63.66:80	http://x4.xd.open.servers.ddns.softether-network.net/ddns/ddns.aspx?v=4758416074676061695	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	2.16.164.112:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
—	—	184.30.230.103:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
4712	MoUsoCoreWorker.exe	184.30.230.103:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
5004	svchost.exe	184.30.230.103:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
—	—	2.23.227.208:443	www.bing.com	Ooredoo Q.S.C.	QA	whitelisted
5064	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
4	System	192.168.100.255:138	—	—	—	unknown
1176	svchost.exe	20.190.159.75:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
crl.microsoft.com	2.16.164.112 2.16.164.128 2.16.164.51 2.16.164.99 2.16.164.120	whitelisted
www.microsoft.com	184.30.230.103	whitelisted
google.com	142.250.185.78	whitelisted
www.bing.com	2.23.227.208 2.23.227.215	whitelisted
ocsp.digicert.com	192.229.221.95	unknown
login.live.com	20.190.159.75 20.190.159.64 40.126.31.69 20.190.159.23 20.190.159.68 40.126.31.67 40.126.31.71 20.190.159.0	whitelisted
go.microsoft.com	23.56.254.14	whitelisted
arc.msn.com	20.223.35.26	whitelisted
fd.api.iris.microsoft.com	20.223.35.26	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

deef940da19f6baca00002f28ee02998269ac036b0d277132402cd4bb086f093.msi

47F1B324EAB7E1DA2CA116F62B7C2D05

1D35C95616D2D9187B735B039DB7D4D71FF7DAF2

DEEF940DA19F6BACA00002F28EE02998269AC036B0D277132402CD4BB086F093

98304:qBvwwznn8+aM3rmFEqPqzeRFf0CZbuk8GO9AoJqDgOo0n7IgtuVw9UdHGdhe95Z6:A+EwtS3V2ty+E

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Accesses name of a computer manufacturer via WMI (SCRIPT)

SUSPICIOUS

Executes as Windows Service

Reads the Windows owner or organization settings

Process drops legitimate windows executable

Likely accesses (executes) a file from the Public directory

Starts a Microsoft application from unusual location

The process creates files with name similar to system file names

Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

There is functionality for enable RDP (YARA)

Executable content was dropped or overwritten

The process executes VB scripts

INFO

Checks supported languages

Manages system restore points

Executable content was dropped or overwritten

The sample compiled with english language support

Reads the computer name

Reads the machine GUID from the registry

Reads Environment values

Reads security settings of Internet Explorer

Manual execution by a user

Reads the software policy settings

Process checks computer location settings

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings