Malware analysis fb3f2b0636c7f9e8913fb5ff593c38ed261473bc1a2f8fb0860dce82ecaf5e06.msi Malicious activity

Add for printing

File name:	fb3f2b0636c7f9e8913fb5ff593c38ed261473bc1a2f8fb0860dce82ecaf5e06.msi
Full analysis:	https://app.any.run/tasks/0273e93d-555a-4399-95f2-c2d8ad39d6d7
Verdict:	Malicious activity
Analysis date:	April 30, 2023, 12:21:04
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Installer, Author: Installer, Keywords: Installer, Comments: Installer Package, Template: Intel;1033, Revision Number: {45F7917A-AAA7-4834-B69B-DBFD6CBD2AD1}, Create Time/Date: Sat Apr 30 14:13:22 2022, Last Saved Time/Date: Sat Apr 30 14:13:22 2022, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.13.3.1364), Security: 2
MD5:	2EB29D721FBEE14EDBF2AD8F60336EBF
SHA1:	E1AADA3863D929F9674597EBB595DC84BAC7263E
SHA256:	FB3F2B0636C7F9E8913FB5FF593C38ED261473BC1A2F8FB0860DCE82ECAF5E06
SSDEEP:	1536:3RGjMkF2VAv21tCHDca26KfpD15sy7o/D6Ds0Ds7d:QJAAvatCHDaF515V7iDL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 60 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.789.19041.0
Adobe Acrobat Reader DC (20.013.20074)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (5.74)
FileZilla Client 3.51.0 (3.51.0)
Google Chrome (112.0.5615.50)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (111.0.1661.62)
Microsoft Edge Update (1.3.173.51)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.30.30704 (14.30.30704.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.30.30704 (14.30.30704)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.30.30704 (14.30.30704)
Mozilla Firefox (x64 en-US) (111.0.1)
Mozilla Maintenance Service (111.0.1)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
Opera 12.15 (12.15.1748)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.67.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows 10 Upgrade Assistant (1.4.9200.22175)

Add for printing

MALICIOUS
- Application was injected by another process
  - SearchApp.exe (PID: 4736)
  - dllhost.exe (PID: 4924)
  - svchost.exe (PID: 3712)
  - explorer.exe (PID: 860)
  - sihost.exe (PID: 3688)
  - RuntimeBroker.exe (PID: 4620)
  - svchost.exe (PID: 4136)
  - svchost.exe (PID: 3760)
  - ApplicationFrameHost.exe (PID: 5704)
  - StartMenuExperienceHost.exe (PID: 4556)
  - RuntimeBroker.exe (PID: 4904)
  - TextInputHost.exe (PID: 5156)
  - svchost.exe (PID: 1656)
  - UserOOBEBroker.exe (PID: 5140)
  - dllhost.exe (PID: 624)
  - RuntimeBroker.exe (PID: 4248)
  - ShellExperienceHost.exe (PID: 3412)
  - RuntimeBroker.exe (PID: 6664)
- Runs injected code in another process
  - msiexec.exe (PID: 4580)
- Registers / Runs the DLL via REGSVR32.EXE
  - explorer.exe (PID: 860)
  - svchost.exe (PID: 4136)
  - RuntimeBroker.exe (PID: 4620)
  - svchost.exe (PID: 3712)
  - svchost.exe (PID: 3760)
  - UserOOBEBroker.exe (PID: 5140)
  - ApplicationFrameHost.exe (PID: 5704)
  - TextInputHost.exe (PID: 5156)
  - svchost.exe (PID: 1656)
  - StartMenuExperienceHost.exe (PID: 4556)
  - RuntimeBroker.exe (PID: 4904)
  - RuntimeBroker.exe (PID: 6664)
  - msiexec.exe (PID: 1536)
  - RuntimeBroker.exe (PID: 4248)
  - sihost.exe (PID: 3688)
  - fodhelper.exe (PID: 6296)
  - fodhelper.exe (PID: 8204)
- Using BCDEDIT.EXE to modify recovery options
  - regsvr32.exe (PID: 7232)
  - regsvr32.exe (PID: 324)
- Deletes shadow copies
  - regsvr32.exe (PID: 324)
  - regsvr32.exe (PID: 7232)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - msiexec.exe (PID: 1536)
- Reads settings of System Certificates
  - msiexec.exe (PID: 1536)
- Executes as Windows Service
  - VSSVC.exe (PID: 6888)
  - vds.exe (PID: 9472)
  - wbengine.exe (PID: 8596)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 6392)
- Executes application which crashes
  - dllhost.exe (PID: 624)
  - dllhost.exe (PID: 4924)
- Starts CMD.EXE for commands execution
  - TextInputHost.exe (PID: 5156)
  - StartMenuExperienceHost.exe (PID: 4556)
  - RuntimeBroker.exe (PID: 4904)
  - explorer.exe (PID: 860)
  - svchost.exe (PID: 4136)
  - RuntimeBroker.exe (PID: 4620)
  - UserOOBEBroker.exe (PID: 5140)
  - RuntimeBroker.exe (PID: 4248)
  - RuntimeBroker.exe (PID: 6664)
  - svchost.exe (PID: 3760)
  - ApplicationFrameHost.exe (PID: 5704)
  - svchost.exe (PID: 1656)
  - svchost.exe (PID: 3712)
  - sihost.exe (PID: 3688)
INFO
- The process checks LSA protection
  - msiexec.exe (PID: 6392)
  - msiexec.exe (PID: 1536)
  - VSSVC.exe (PID: 6888)
- Application launched itself
  - msiexec.exe (PID: 6392)
- Checks supported languages
  - msiexec.exe (PID: 6392)
- Reads the computer name
  - msiexec.exe (PID: 6392)
- Manual execution by a user
  - regsvr32.exe (PID: 6768)
  - cmd.exe (PID: 8040)
  - cmd.exe (PID: 7784)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.msi	\|	Microsoft Installer (100)

EXIF

FlashPix

Security:	Read-only recommended
Software:	Windows Installer XML Toolset (3.13.3.1364)
Words:	10
Pages:	200
ModifyDate:	2022:05:31 14:13:22
CreateDate:	2022:05:31 14:13:22
RevisionNumber:	{45F7917A-AAA7-4834-B69B-DBFD6CBD2AD1}
Template:	Intel;1033
Comments:	Installer Package
Keywords:	Installer
Author:	Installer
Subject:	Installer
Title:	Installation Database
CodePage:	Windows Latin 1 (Western European)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

618

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

324

"regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/kq1k2a

C:\Windows\System32\regsvr32.exe

—

fodhelper.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft(C) Register Server

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

624

C:\WINDOWS\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}

C:\Windows\System32\dllhost.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

COM Surrogate

Exit code:

3221225477

Version:

10.0.19041.546 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll

860

C:\WINDOWS\Explorer.EXE

C:\Windows\explorer.exe

—

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Exit code:

Version:

10.0.19041.1023 (WinBuild.160101.0800)

Modules

Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll

1076

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

bcdedit.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1108

C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\System32\SrTasks.exe

—

msiexec.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft® Windows System Protection background tasks.

Exit code:

2147942421

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\spp.dll

1400

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll

1536

"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\fb3f2b0636c7f9e8913fb5ff593c38ed261473bc1a2f8fb0860dce82ecaf5e06.msi"

C:\Windows\System32\msiexec.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Exit code:

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll

1656

C:\WINDOWS\system32\svchost.exe -k UnistackSvcGroup

C:\Windows\System32\svchost.exe

services.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Host Process for Windows Services

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll

2012

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

wbadmin.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\advapi32.dll

2264

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

SrTasks.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

24 200

Read events

23 928

Write events

196

Delete events

Modification events


(PID) Process:	(6392) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 4800000000000000FEDD345EB5CCD801FC0E00005C100000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6392) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Enter)
Value: 48000000000000002BF41169B5CCD801D81100000C150000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6888) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6888) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Description
Operation:	write	Name:	FirmwareModified
Value: 1
(PID) Process:	(6888) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6888) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\11000001
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6888) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{5b970157-8568-11eb-b45c-806e6f6e6963}\Elements\12000002
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6888) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\Description
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6888) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\Elements\24000001
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6888) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{a5a30fa2-3d06-4e9f-b5f4-a01df9d1fcba}\Elements\25000004
Operation:	delete key	Name:	(default)
Value:

Add for printing

Executable files

Suspicious files

164

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6392	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
6392	msiexec.exe	C:\WINDOWS\Installer\434b99.msi		—
		MD5:—	SHA256:—
3712	svchost.exe	C:\Users\Public\kq1k2a		—
		MD5:—	SHA256:—
6392	msiexec.exe	C:\System Volume Information\SPP\OnlineMetadataCache\{4b0a8e6c-595c-405a-9a16-f63f3f7e1c8a}_OnDiskSnapshotProp		binary
		MD5:A9BE8F6403929E6D2C186D10B7B3CE89	SHA256:AC7DF8DEBCECEA79B191B3D2709D31D8DA013AE06EB5C7BC2143341CCF2EE90A
3688	sihost.exe	C:\Users\admin\Desktop\commercialbeen.rtf.rpmdzlml		binary
		MD5:16A02E7F9A8A1A9E31B450C53196CC35	SHA256:95F57D1C700E95083A2A8A15DFF4F4A25E8442FE04603A7C90484C47BCB21824
6392	msiexec.exe	C:\WINDOWS\Installer\MSI4DEC.tmp		binary
		MD5:59C1484B09503EFECCCBE218592FD57C	SHA256:7676D413C346668EAAB1A2AA02359F19EBF14A1AA50E6605728BBDB7B8251834
6392	msiexec.exe	C:\WINDOWS\Installer\MSI4C84.tmp		executable
		MD5:58CBB401A11D8C1DFFEAFB2912F19DBA	SHA256:373C717D2F44A4B7DFFAEBAD38955B0A9403B4123C03FB58510C5976CC6B918A
860	explorer.exe	C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat		binary
		MD5:E49C56350AEDF784BFE00E444B879672	SHA256:A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E
6392	msiexec.exe	C:\System Volume Information\SPP\snapshot-2		binary
		MD5:A9BE8F6403929E6D2C186D10B7B3CE89	SHA256:AC7DF8DEBCECEA79B191B3D2709D31D8DA013AE06EB5C7BC2143341CCF2EE90A
3688	sihost.exe	C:\Users\admin\Desktop\finalasked.rtf.rpmdzlml		binary
		MD5:6B471F032CC9AE4C89CE67D0DF34C3A2	SHA256:69C3FC928D522C3793F5A2306B37B3A281ED67E0713E7D1D5730AFBDB4C910BD

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7236	WerFault.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	binary	1.11 Kb	whitelisted
3820	SIHClient.exe	GET	200	2.18.233.62:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	der	409 b	whitelisted
7236	WerFault.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	binary	814 b	whitelisted
3820	SIHClient.exe	GET	200	2.18.233.62:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	der	418 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
6372	WerFault.exe	104.208.16.94:443	umwatson.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	suspicious
5756	svchost.exe	20.190.159.64:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7236	WerFault.exe	20.189.173.21:443	umwatson.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	suspicious
7236	WerFault.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
7236	WerFault.exe	2.16.241.12:80	crl.microsoft.com	Akamai International B.V.	DE	suspicious
7052	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3820	SIHClient.exe	13.85.23.206:443	fe3cr.delivery.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5952	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3820	SIHClient.exe	2.18.233.62:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
3820	SIHClient.exe	20.12.23.50:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
officeclient.microsoft.com	52.109.52.148 52.109.32.24	whitelisted
umwatson.events.data.microsoft.com	20.189.173.21 104.208.16.94	whitelisted
crl.microsoft.com	2.16.241.12 2.16.241.19	whitelisted
www.microsoft.com	88.221.169.152 2.18.233.62	whitelisted
settings-win.data.microsoft.com	20.73.194.208 51.124.78.146	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted
nexusrules.officeapps.live.com	52.109.77.2	whitelisted
self.events.data.microsoft.com	52.182.141.63	whitelisted

Threats

No threats detected

Add for printing

Process	Message
wbadmin.exe	Invalid parameter passed to C runtime function.
wbadmin.exe	Invalid parameter passed to C runtime function.
wbadmin.exe	Invalid parameter passed to C runtime function.
wbadmin.exe	Invalid parameter passed to C runtime function.

General Info

fb3f2b0636c7f9e8913fb5ff593c38ed261473bc1a2f8fb0860dce82ecaf5e06.msi

2EB29D721FBEE14EDBF2AD8F60336EBF

E1AADA3863D929F9674597EBB595DC84BAC7263E

FB3F2B0636C7F9E8913FB5FF593C38ED261473BC1A2F8FB0860DCE82ECAF5E06

1536:3RGjMkF2VAv21tCHDca26KfpD15sy7o/D6Ds0Ds7d:QJAAvatCHDaF515V7iDL

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Application was injected by another process

Runs injected code in another process

Registers / Runs the DLL via REGSVR32.EXE

Using BCDEDIT.EXE to modify recovery options

Deletes shadow copies

SUSPICIOUS

Reads security settings of Internet Explorer

Reads settings of System Certificates

Executes as Windows Service

Executable content was dropped or overwritten

Executes application which crashes

Starts CMD.EXE for commands execution

INFO

The process checks LSA protection

Application launched itself

Checks supported languages

Reads the computer name

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings