File name: QuickLook-3.7.3.msi

Full analysis: https://app.any.run/tasks/1376ec12-187c-4221-874d-e16701266e63
Verdict: Malicious activity
Analysis date: March 02, 2025, 05:40:41
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: QuickLook, Author: Paddy Xu, Keywords: Installer, Comments: This installer database contains the logic and data required to install QuickLook., Template: Intel;1033, Revision Number: {26DF46D5-CC2A-4F4E-8DA3-3101D9B42C13}, Create Time/Date: Wed Nov 23 21:34:34 2022, Last Saved Time/Date: Wed Nov 23 21:34:34 2022, Number of Pages: 500, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5: C4829CB65C1644AEA30149F3BD8FDB6B
SHA1: 197B17AD980BE078986B9B363485E5551559D0ED
SHA256: 258D42A4B7BDEC8BAD1B6A2531C935B617D8CF450D31D5E0CCC31437481F7224
SSDEEP: 393216:s8kLrMAYKKbtRKLRdTSDSFU2rxO7MYhIDkltO4ZfF5SFSh8kC9HiiTi:s8k47KjLRNiOxOH6MnF5SFcG3Ti

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Create files in the Startup directory
      • QuickLook.exe (PID: 7264)
  • SUSPICIOUS
    • Executes as Windows Service
      • VSSVC.exe (PID: 7944)
    • Process drops legitimate windows executable
      • msiexec.exe (PID: 7660)
    • Reads security settings of Internet Explorer
      • QuickLook.exe (PID: 7264)
    • The process creates files with name similar to system file names
      • msiexec.exe (PID: 7660)
    • Reads the Windows owner or organization settings
      • msiexec.exe (PID: 7660)
  • INFO
    • Executable content was dropped or overwritten
      • msiexec.exe (PID: 7592)
      • msiexec.exe (PID: 7660)
    • An automatically generated document
      • msiexec.exe (PID: 7592)
    • Reads the computer name
      • msiexec.exe (PID: 7660)
      • msiexec.exe (PID: 7884)
      • QuickLook.exe (PID: 7264)
    • Checks supported languages
      • msiexec.exe (PID: 7884)
      • msiexec.exe (PID: 7660)
      • QuickLook.WoW64HookHelper.exe (PID: 3888)
      • QuickLook.exe (PID: 7264)
    • The sample compiled with english language support
      • msiexec.exe (PID: 7660)
    • Manages system restore points
      • SrTasks.exe (PID: 7212)
    • Reads the machine GUID from the registry
      • QuickLook.exe (PID: 7264)
    • Creates files or folders in the user directory
      • msiexec.exe (PID: 7660)
      • QuickLook.exe (PID: 7264)
    • The sample compiled with german language support
      • msiexec.exe (PID: 7660)
    • Creates a software uninstall entry
      • msiexec.exe (PID: 7660)
    • Checks proxy server information
      • slui.exe (PID: 1512)
    • Reads the software policy settings
      • slui.exe (PID: 1512)
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: QuickLook
Author: Paddy Xu
Keywords: Installer
Comments: This installer database contains the logic and data required to install QuickLook.
Template: Intel;1033
RevisionNumber: {26DF46D5-CC2A-4F4E-8DA3-3101D9B42C13}
CreateDate: 2022:11:23 21:34:34
ModifyDate: 2022:11:23 21:34:34
Pages: 500
Words: 10
Software: Windows Installer XML Toolset (3.11.2.4516)
Security: Read-only recommended
No data.
All screenshots are available in the full report
Total processes: 132
Monitored processes: 9
Malicious processes: 1
Suspicious processes: 2

Behavior graph

Graph nodes (as labelled in the report): start, msiexec.exe, msiexec.exe, msiexec.exe (no specs), vssvc.exe (no specs), srtasks.exe (no specs), conhost.exe (no specs), slui.exe, quicklook.exe, quicklook.wow64hookhelper.exe (no specs). The interactive graph itself is available in the full report.

Process information

Each entry lists PID, CMD, Path, Indicators and Parent process, followed by process attributes and loaded modules.

PID: 1512
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 3888
CMD: 033A853A-E4B2-4552-9A91-E88789761C48
Path: C:\Users\admin\AppData\Local\Programs\QuickLook\QuickLook.WoW64HookHelper.exe
Parent process: QuickLook.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\appdata\local\programs\quicklook\quicklook.wow64hookhelper.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 5164
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SrTasks.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 7212
CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11
Path: C:\Windows\System32\SrTasks.exe
Parent process: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Windows System Protection background tasks.
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 7264
CMD: "C:\Users\admin\AppData\Local\Programs\QuickLook\QuickLook.exe" /first
Path: C:\Users\admin\AppData\Local\Programs\QuickLook\QuickLook.exe
Parent process: msiexec.exe
User: admin
Company: pooi.moe
Integrity Level: MEDIUM
Description: QuickLook
Version: 3.7.3.0
Modules (images):
c:\users\admin\appdata\local\programs\quicklook\quicklook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID: 7592
CMD: "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\Desktop\QuickLook-3.7.3.msi
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

PID: 7660
CMD: C:\WINDOWS\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

PID: 7884
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 8A20F77E05644CB45436C214C8958C52 C
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

PID: 7944
CMD: C:\WINDOWS\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Total events: 15 143
Read events: 14 115
Write events: 1 010
Delete events: 18

Modification events

Process: (7660) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
480000000000000010F886C6358BDB01EC1D0000F81E0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (7660) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value:
480000000000000010F886C6358BDB01EC1D0000F81E0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (7660) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value:
48000000000000003BB3C9C6358BDB01EC1D0000F81E0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (7660) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value:
48000000000000003BB3C9C6358BDB01EC1D0000F81E0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (7660) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value:
48000000000000007717CCC6358BDB01EC1D0000F81E0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000

Process: (7660) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value:
4800000000000000E242D3C6358BDB01EC1D0000F81E0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (7660) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value:
11

Process: (7660) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value:
4800000000000000F7263CC7358BDB01EC1D0000F81E0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Process: (7660) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000118A3EC7358BDB01EC1D0000601F0000E8030000010000000000000000000000CB94B66CB4F33F44B1E3456ADCDF76A500000000000000000000000000000000

Process: (7944) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000107B4AC7358BDB01081F0000241F0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000

Executable files: 195
Suspicious files: 22
Text files: 102
Unknown types: 0

Dropped files

Each row: PID | Process | Filename | Type (type is omitted where the report gives none), followed by MD5 and SHA256.

7660 | msiexec.exe | C:\System Volume Information\SPP\metadata-2
MD5:
SHA256:

7660 | msiexec.exe | C:\Windows\Installer\1198b3.msi
MD5:
SHA256:

7592 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI51B7.tmp | executable
MD5:4FDD16752561CF585FED1506914D73E0
SHA256:AECD2D2FE766F6D439ACC2BBF1346930ECC535012CF5AD7B3273D2875237B7E7

7660 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{6cb694cb-f3b4-443f-b1e3-456adcdf76a5}_OnDiskSnapshotProp | binary
MD5:C54EAF279D964DE079541D7C274679CD
SHA256:566D728E93779D02CB14684413E5987BED3C73C71DE83982D22357E4A888C33E

7660 | msiexec.exe | C:\Windows\Installer\inprogressinstallinfo.ipi | binary
MD5:631998E7982B39C9DDC1B3501340BD7B
SHA256:BFCC05A4E599EDA4CC9296C3D7A53F805238F6FA40844202B898E348CCF7BD59

7660 | msiexec.exe | C:\Windows\Temp\~DF2294033AE52CEE28.TMP | binary
MD5:631998E7982B39C9DDC1B3501340BD7B
SHA256:BFCC05A4E599EDA4CC9296C3D7A53F805238F6FA40844202B898E348CCF7BD59

7660 | msiexec.exe | C:\Users\admin\AppData\Local\Programs\QuickLook\QuickLook.Plugin\QuickLook.Plugin.ArchiveViewer\System.Security.Cryptography.Encoding.dll | executable
MD5:7AB10B31C5CE290672B319D403751E95
SHA256:1F5C1ABE1B2720680170388569354D8CDA9D558B53AFF7CAF175CE0F7E3733E5

7660 | msiexec.exe | C:\Windows\Temp\~DFBE0AFC2D493E3E17.TMP | binary
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560

7660 | msiexec.exe | C:\Users\admin\AppData\Local\Programs\QuickLook\QuickLook.Plugin\QuickLook.Plugin.VideoViewer\LAVFilters-0.72-x86\LAVVideo.ax | executable
MD5:CCDF744625F1D38EFE038F85A2EB87A7
SHA256:D199AD866D53E7EF88D4CB5780AAD6ADB6D6A5357310FA349328702250648901

7660 | msiexec.exe | C:\Users\admin\AppData\Local\Programs\QuickLook\QuickLook.Plugin\QuickLook.Plugin.ArchiveViewer\System.Text.Encoding.Extensions.dll | executable
MD5:D40515A84448B91315F956E6D1A6C64B
SHA256:CBE29672CD2B6A0EA97B55F3844FBEDE3E591996F39C3AA1F829F2FA50551FA9

HTTP(S) requests: 2
TCP/UDP connections: 18
DNS requests: 5
Threats: 0

HTTP requests

Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (PID and Process are not captured for these rows)
POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(not captured) | (not captured) | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
| | 192.168.100.255:138 | | | | whitelisted
7344 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1512 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
google.com | 142.250.186.46 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98, 40.91.76.224 | whitelisted

Threats

No threats detected
No debug info