File name: | C:\Users\admin\AppData\Local\Temp\Rar$EXa3040.34066\NF03849238867426874.msi |
Full analysis: | https://app.any.run/tasks/1091e946-4696-46d6-9174-13dc19c4a248 |
Verdict: | Malicious activity |
Analysis date: | May 15, 2019, 19:38:22 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-msi |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Security: 0, Code page: 1252, Revision Number: {0F37A8B3-51EA-4CDD-8FA7-AA1840F73F13}, Number of Words: 10, Subject: Adobe Acrobat Reader, Author: Adobe Acrobat Reader, Name of Creating Application: Advanced Installer 12.2.1 build 64247, Template: ;1033, Comments: This installer database contains the logic and data required to install Adobe Acrobat Reader., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200 |
MD5: | F1CEB408E9E673B6C71FB14968920BFD |
SHA1: | BC6ADBD6793FA5729AC471D48BF98EC10FEF94BC |
SHA256: | 0AE98D4F944E0733F80732EBBBE519A0B102249EC9A2DF4041E35B863BC5AAD0 |
SSDEEP: | 12288:xbV1eoNGVUooA6DVyvpFtyDvxGQV7RBw+8er1ndY5AlP:xB1fgVUoxhrQDvw07Rade5dY5AlP |
.msi | | | Microsoft Windows Installer (88.6) |
---|---|---|
.mst | | | Windows SDK Setup Transform Script (10) |
.msi | | | Microsoft Installer (100) |
Pages: | 200 |
---|---|
Keywords: | Installer, MSI, Database |
Title: | Installation Database |
Comments: | This installer database contains the logic and data required to install Adobe Acrobat Reader. |
Template: | ;1033 |
Software: | Advanced Installer 12.2.1 build 64247 |
LastModifiedBy: | - |
Author: | Adobe Acrobat Reader |
Subject: | Adobe Acrobat Reader |
Words: | 10 |
RevisionNumber: | {0F37A8B3-51EA-4CDD-8FA7-AA1840F73F13} |
CodePage: | Windows Latin 1 (Western European) |
Security: | None |
ModifyDate: | 2009:12:11 11:47:44 |
CreateDate: | 2009:12:11 11:47:44 |
LastPrinted: | 2009:12:11 11:47:44 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2824 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\NF03849238867426874.msi" | C:\Windows\System32\msiexec.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
2240 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | services.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
540 | C:\Windows\system32\MsiExec.exe -Embedding AA0386A7D0D451B2176763248518A3AD | C:\Windows\system32\MsiExec.exe | msiexec.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
2468 | "C:\Windows\System32\cmd.exe" /C start /MAX https://adobe.ly/2RY5GJR | C:\Windows\System32\cmd.exe | — | MsiExec.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
760 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1073807364 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
476 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:760 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3064 | "C:\Windows\System32\cmd.exe" /C start /MIN reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v nCktTY /t reg_sz /d "C:\Users\admin\AppData\Roaming\AnyDesk\nCktTY\nCktTY.exe" | C:\Windows\System32\cmd.exe | — | MsiExec.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2580 | "C:\Windows\System32\cmd.exe" /C shutdown -r -f -t 0 | C:\Windows\System32\cmd.exe | — | MsiExec.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3028 | "C:\Windows\system32\cmd.exe" /c shutdown /r /t 1 /f | C:\Windows\system32\cmd.exe | — | MsiExec.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1115 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3212 | reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v nCktTY /t reg_sz /d "C:\Users\admin\AppData\Roaming\AnyDesk\nCktTY\nCktTY.exe" | C:\Windows\system32\reg.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
760 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
760 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
476 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat | dat | |
MD5:45B49204826EB5A0F40A49E9C2A3736A | SHA256:C8284F44C123994AD264D288F81CE7BAD266906994EB91DDE4F03A19C3599846 | |||
2240 | msiexec.exe | C:\Windows\Installer\12112e.msi | executable | |
MD5:F1CEB408E9E673B6C71FB14968920BFD | SHA256:0AE98D4F944E0733F80732EBBBE519A0B102249EC9A2DF4041E35B863BC5AAD0 | |||
476 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@adobe[2].txt | text | |
MD5:2AA0F98732CBEA8D13EDB1637F9D5979 | SHA256:DD34B5E1339E9498D59DFF8566E3AC8708E3C935933FE0E8BA7BAAABBEF2025A | |||
476 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | |
MD5:7A6B514348723BF7CA5CA1F294BF7EC4 | SHA256:044E5F9CACD76C2651894AE24BF2C089C7F2F0CB50F35EB11D6CCE50D5B79272 | |||
476 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\P1CA3GIF\terms[1].html | html | |
MD5:EA2EE123839F554CCF4BE7156D16CF2B | SHA256:3FD6C46E873D77AF25C49CF57ADAABCCC10318896B0F942532EDD4AF26CA9AD1 | |||
476 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | |
MD5:CE65134C975BE0FA1EBA83BB5BF0CEBE | SHA256:B90347D652F8D62EE458033E09EBFAB687AF63FB4CAFD85B34D6CC400F2A8242 | |||
476 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@adobe[1].txt | text | |
MD5:9A55CA239C4B73E5C26C0B326CA56C18 | SHA256:103FF6CD7FCA82FF47B8248BA59F01E214DF1F2A773B5AEF126AFAAE0AF345D3 | |||
476 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini | ini | |
MD5:4A3DEB274BB5F0212C2419D3D8D08612 | SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
760 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
540 | MsiExec.exe | 172.217.16.164:80 | www.google.com | Google Inc. | US | whitelisted |
476 | iexplore.exe | 104.108.60.31:443 | www.adobe.com | Akamai Technologies, Inc. | NL | whitelisted |
760 | iexplore.exe | 104.108.60.31:443 | www.adobe.com | Akamai Technologies, Inc. | NL | whitelisted |
476 | iexplore.exe | 67.199.248.13:443 | adobe.ly | Bitly Inc | US | shared |
540 | MsiExec.exe | 52.218.36.34:443 | s3-eu-west-1.amazonaws.com | Amazon.com, Inc. | IE | shared |
476 | iexplore.exe | 23.38.53.224:443 | use.typekit.com | Akamai International B.V. | NL | whitelisted |
Domain | IP | Reputation |
---|---|---|
s3-eu-west-1.amazonaws.com |
| shared |
www.bing.com |
| whitelisted |
adobe.ly |
| suspicious |
www.adobe.com |
| whitelisted |
use.typekit.com |
| whitelisted |
p.typekit.net |
| shared |
www.google.com |
| whitelisted |