File name:

TinyWall-v3-Installer.msi

Full analysis: https://app.any.run/tasks/1d477ec5-9b62-4332-a760-b7d6bc5c2a8e
Verdict: Malicious activity
Analysis date: January 15, 2025, 20:16:11
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1250, Title: Installation Database, Subject: A non-intrusive firewall solution., Author: Károly Pados, Keywords: Installer, Comments: This installer database contains the logic and data required to install TinyWall., Template: Intel;1033, Revision Number: {B29362A5-AC89-446C-9D15-99D364C13890}, Create Time/Date: Sun Mar 12 17:54:36 2023, Last Saved Time/Date: Sun Mar 12 17:54:36 2023, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5:

792984FCABFDA6BFA2DF1D6975F02DBE

SHA1:

7B14C031514B80FC58E313E1FB9EC2AEE372D874

SHA256:

250B56EFF2CD5316C6CF8C8B92CB5F29FB3849089E69C8138BF5DD9BD0E9E001

SSDEEP:

98304:V46A+JoD0NQchKRRcqKjyLb1tGbmGRWpB0d7qsDOu33/naa5ybHnJGT:G

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 6632)
      • TinyWall.exe (PID: 2672)
    • Checks Windows Trust Settings

      • msiexec.exe (PID: 6392)
      • TinyWall.exe (PID: 3288)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 7128)
      • msiexec.exe (PID: 5920)
      • TinyWall.exe (PID: 5464)
      • TinyWall.exe (PID: 3288)
    • Process drops legitimate windows executable

      • msiexec.exe (PID: 6392)
    • Reads Mozilla Firefox installation path

      • TinyWall.exe (PID: 3288)
  • INFO

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 6248)
    • An automatically generated document

      • msiexec.exe (PID: 6248)
    • Reads the software policy settings

      • msiexec.exe (PID: 6248)
      • msiexec.exe (PID: 6392)
      • TinyWall.exe (PID: 3288)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6248)
      • msiexec.exe (PID: 6392)
    • Reads the computer name

      • msiexec.exe (PID: 6392)
      • msiexec.exe (PID: 6580)
      • msiexec.exe (PID: 7128)
      • msiexec.exe (PID: 5920)
      • TinyWall.exe (PID: 5464)
    • Checks supported languages

      • msiexec.exe (PID: 6392)
      • msiexec.exe (PID: 6580)
      • msiexec.exe (PID: 7128)
      • msiexec.exe (PID: 5920)
      • TinyWall.exe (PID: 5464)
      • TinyWall.exe (PID: 2672)
      • TinyWall.exe (PID: 3288)
    • Manages system restore points

      • SrTasks.exe (PID: 6920)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 6392)
      • TinyWall.exe (PID: 5464)
      • TinyWall.exe (PID: 3288)
      • TinyWall.exe (PID: 2672)
    • Reads Environment values

      • TinyWall.exe (PID: 3288)
      • TinyWall.exe (PID: 2672)
    • Reads product name

      • TinyWall.exe (PID: 3288)
      • TinyWall.exe (PID: 2672)
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 2 (Central European)
Title: Installation Database
Subject: A non-intrusive firewall solution.
Author: Károly Pados
Keywords: Installer
Comments: This installer database contains the logic and data required to install TinyWall.
Template: Intel;1033
RevisionNumber: {B29362A5-AC89-446C-9D15-99D364C13890}
CreateDate: 2023:03:12 17:54:36
ModifyDate: 2023:03:12 17:54:36
Pages: 301
Words: 2
Software: Windows Installer XML Toolset (3.11.2.4516)
Security: Read-only recommended
No data.
All screenshots are available in the full report
Total processes
128
Monitored processes
11
Malicious processes
1
Suspicious processes
2

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2672
CMD: "C:\Program Files (x86)\TinyWall\TinyWall.exe"
Path: C:\Program Files (x86)\TinyWall\TinyWall.exe
Parent process: services.exe
User:
SYSTEM
Company:
Károly Pados
Integrity Level:
SYSTEM
Description:
TinyWall
Version:
3.3.1.0
Modules
Images
c:\program files (x86)\tinywall\tinywall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 3288
CMD: "C:\Program Files (x86)\TinyWall\TinyWall.exe" /autowhitelist
Path: C:\Program Files (x86)\TinyWall\TinyWall.exe
Parent process: msiexec.exe
User:
admin
Company:
Károly Pados
Integrity Level:
MEDIUM
Description:
TinyWall
Version:
3.3.1.0
Modules
Images
c:\program files (x86)\tinywall\tinywall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 5464
CMD: "C:\Program Files (x86)\TinyWall\TinyWall.exe" /install
Path: C:\Program Files (x86)\TinyWall\TinyWall.exe
Parent process: msiexec.exe
User:
admin
Company:
Károly Pados
Integrity Level:
MEDIUM
Description:
TinyWall
Exit code:
0
Version:
3.3.1.0
Modules
Images
c:\program files (x86)\tinywall\tinywall.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 5920
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 16FEDA57590D53FC2AEBF131F35D8B47 E Global\MSI0000
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 6248
CMD: "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\Desktop\TinyWall-v3-Installer.msi
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 6392
CMD: C:\WINDOWS\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 6580
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 4FE8C807A4C3028AE20F7997F045471B C
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 6632
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6920
CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11
Path: C:\Windows\System32\SrTasks.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6932
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SrTasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
21 695
Read events
21 321
Write events
361
Delete events
13

Modification events

(PID) Process: (6392) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
4800000000000000C82753608A67DB01F8180000D8190000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6392) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value:
4800000000000000C82753608A67DB01F8180000D8190000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6392) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value:
48000000000000009C698C608A67DB01F8180000D8190000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6392) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value:
48000000000000009C698C608A67DB01F8180000D8190000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6392) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value:
480000000000000087CC8E608A67DB01F8180000D8190000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6392) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value:
48000000000000005A3191608A67DB01F8180000D8190000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6392) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value:
11

(PID) Process: (6632) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000324614618A67DB01E8190000641A0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6632) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000324614618A67DB01E81900005C1A0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6632) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000324614618A67DB01E8190000041A0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
31
Suspicious files
44
Text files
18
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 6392
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\metadata-2
Type:
MD5:
SHA256:

PID: 6392
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\OnlineMetadataCache\{dd5d0b09-15c6-4a0a-bf5b-eb648f806c3f}_OnDiskSnapshotProp
Type: binary
MD5: 9A7B3572F08695E24E3E6993BA69D5AD
SHA256: 50E0397A10660FEF469C606851914EE36E37E4E2EE792699809CDFA5321879D8

PID: 6392
Process: msiexec.exe
Filename: C:\Windows\Installer\13cd84.msi
Type: executable
MD5: 792984FCABFDA6BFA2DF1D6975F02DBE
SHA256: 250B56EFF2CD5316C6CF8C8B92CB5F29FB3849089E69C8138BF5DD9BD0E9E001

PID: 6392
Process: msiexec.exe
Filename: C:\Windows\Installer\MSID1AB.tmp
Type: binary
MD5: C3D9A3439953B6A01352E5F3B8E06E20
SHA256: 2D0388B845D7350D618BD9B849EEA913597471BA790A127184E97F8937E200E8

PID: 6248
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSI8792.tmp
Type: executable
MD5: 4FDD16752561CF585FED1506914D73E0
SHA256: AECD2D2FE766F6D439ACC2BBF1346930ECC535012CF5AD7B3273D2875237B7E7

PID: 6392
Process: msiexec.exe
Filename: C:\Windows\Installer\inprogressinstallinfo.ipi
Type: binary
MD5: 435E851E5090B38724DDEA0D1193BD05
SHA256: E222174A9D1C93215590DCB46CEF9C0D4FC5FA9E6F53C6E67B291FF9271403F7

PID: 6392
Process: msiexec.exe
Filename: C:\Windows\Installer\MSID1DB.tmp
Type: executable
MD5: A3AE5D86ECF38DB9427359EA37A5F646
SHA256: C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74

PID: 6392
Process: msiexec.exe
Filename: C:\Windows\Temp\~DFF05121EFD7D5D398.TMP
Type: binary
MD5: 435E851E5090B38724DDEA0D1193BD05
SHA256: E222174A9D1C93215590DCB46CEF9C0D4FC5FA9E6F53C6E67B291FF9271403F7

PID: 6392
Process: msiexec.exe
Filename: C:\Windows\Temp\~DFDC24D286D928B485.TMP
Type: binary
MD5: BF619EAC0CDF3F68D496EA9344137E8B
SHA256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560

PID: 6392
Process: msiexec.exe
Filename: C:\ProgramData\TinyWall\profiles.json
Type: binary
MD5: F2EA74153417A217FA2A1739047B02FF
SHA256: 1098F1889FB97FF3C3F98D20DAEBB57AFCF6C5B5C1D1070E1A108B997F61259C
HTTP(S) requests
7
TCP/UDP connections
28
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6248
msiexec.exe
GET
18.173.205.43:80
http://ocsps.ssl.com/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBQMDtATfnJO6JAXDQoHl8pAaJdhTQQU3QQJB6L1en1SUxKSle44gCUNplkCCGQzUdPHOJ8I
unknown
whitelisted
6248
msiexec.exe
GET
18.244.18.60:80
http://crls.ssl.com/ssl.com-rsa-RootCA.crl
unknown
whitelisted
6248
msiexec.exe
GET
18.244.18.60:80
http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl
unknown
whitelisted
6392
msiexec.exe
GET
18.173.205.43:80
http://ocsps.ssl.com/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBQMDtATfnJO6JAXDQoHl8pAaJdhTQQU3QQJB6L1en1SUxKSle44gCUNplkCCGQzUdPHOJ8I
unknown
whitelisted
6392
msiexec.exe
GET
18.244.18.60:80
http://crls.ssl.com/ssl.com-rsa-RootCA.crl
unknown
whitelisted
6392
msiexec.exe
GET
18.244.18.60:80
http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl
unknown
whitelisted
GET
159.69.69.248:443
https://tinywall.pados.hu/updates/UpdVer6/update.json
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5064
SearchApp.exe
2.21.65.154:443
www.bing.com
Akamai International B.V.
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
6248
msiexec.exe
18.173.205.43:80
ocsps.ssl.com
US
whitelisted
6248
msiexec.exe
18.244.18.60:80
crls.ssl.com
US
whitelisted
3976
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6392
msiexec.exe
18.173.205.43:80
ocsps.ssl.com
US
whitelisted
6392
msiexec.exe
18.244.18.60:80
crls.ssl.com
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
www.bing.com
  • 2.21.65.154
  • 2.21.65.132
  • 2.23.227.208
  • 2.23.227.215
whitelisted
google.com
  • 142.250.186.110
whitelisted
ocsps.ssl.com
  • 18.173.205.43
  • 18.173.205.76
  • 18.173.205.113
  • 18.173.205.57
whitelisted
crls.ssl.com
  • 18.244.18.60
  • 18.244.18.55
  • 18.244.18.54
  • 18.244.18.92
whitelisted
tinywall.pados.hu
  • 159.69.69.248
unknown
self.events.data.microsoft.com
  • 20.42.65.88
whitelisted

Threats

No threats detected
No debug info