Field | Value |
---|---|
File name | fusion msi x32.msi |
Full analysis | https://app.any.run/tasks/2067a29e-d9d3-4735-b364-41af4baac77a |
Verdict | Malicious activity |
Analysis date | May 14, 2019, 20:46:23 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MIME | application/x-msi |
File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Title: FusionInventory Agent 2.4.3 (x86 edition) 2.4.3.0, Subject: FusionInventory Agent 2.4.3 (x86 edition), Author: FusionInventory Team, Keywords: Installer, Comments: Installer wrapped by MSI Wrapper (6.0.91.0) from www.exemsi.com, Template: Intel;1033, Revision Number: {8395FC6B-092B-4A0F-BD32-4DE08C17DA49}, Create Time/Date: Wed Dec 17 10:17:14 2014, Last Saved Time/Date: Wed Dec 17 10:17:14 2014, Number of Pages: 200, Number of Words: 2, Name of Creating Application: MSI Wrapper (6.0.91.0), Security: 2 |
MD5 | 770364A3401636811ABE9321CE0F6ACB |
SHA1 | 7043E964451ECC6E3F6189F38E1BB16A5C64851F |
SHA256 | 443D8439723B2C3EEC509D3DF8151190DC375E06AFFF78B74FA08351CFE5638A |
SSDEEP | 196608:FqNsSPjvozSrFFG+AIRQybwWQgwC0JjacTNkwEWRpTtfs:wNnPzozcFGNIRQybwbgwCwjNNfRZ |

Extension | Type |
---|---|
.msi | Microsoft Installer (100) |

Property | Value |
---|---|
Company | FusionInventory Team |
LocaleIndicator | 13322 |
CodePage | Unicode UTF-16, little endian |
Security | Read-only recommended |
Software | MSI Wrapper (6.0.91.0) |
Words | 2 |
Pages | 200 |
ModifyDate | 2014:12:17 10:17:14 |
CreateDate | 2014:12:17 10:17:14 |
RevisionNumber | {8395FC6B-092B-4A0F-BD32-4DE08C17DA49} |
Template | Intel;1033 |
Comments | Installer wrapped by MSI Wrapper (6.0.91.0) from www.exemsi.com |
Keywords | Installer |
Author | FusionInventory Team |
Subject | FusionInventory Agent 2.4.3 (x86 edition) |
Title | FusionInventory Agent 2.4.3 (x86 edition) 2.4.3.0 |

PID | CMD | Path | Indicators | Parent process | User | Integrity level | Exit code | Company | Description | Version |
---|---|---|---|---|---|---|---|---|---|---|
3236 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\fusion msi x32.msi" | C:\Windows\System32\msiexec.exe | — | explorer.exe | admin | MEDIUM | 1603 | Microsoft Corporation | Windows® installer | 5.0.7600.16385 (win7_rtm.090713-1255) |
2472 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | | services.exe | SYSTEM | SYSTEM | | Microsoft Corporation | Windows® installer | 5.0.7600.16385 (win7_rtm.090713-1255) |
1180 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe | SYSTEM | SYSTEM | | Microsoft Corporation | Microsoft® Volume Shadow Copy Service | 6.1.7600.16385 (win7_rtm.090713-1255) |
832 | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "00000560" "000004C0" | C:\Windows\system32\DrvInst.exe | — | svchost.exe | SYSTEM | SYSTEM | 0 | Microsoft Corporation | Driver Installation Module | 6.1.7600.16385 (win7_rtm.090713-1255) |
3880 | C:\Windows\system32\MsiExec.exe -Embedding 0ED7C0E95499F456C02203DBCA244E9F | C:\Windows\system32\MsiExec.exe | | msiexec.exe | admin | MEDIUM | 0 | Microsoft Corporation | Windows® installer | 5.0.7600.16385 (win7_rtm.090713-1255) |
3348 | C:\Windows\system32\MsiExec.exe -Embedding 81A3B68699FC638DF1154DBDAA7D3471 M Global\MSI0000 | C:\Windows\system32\MsiExec.exe | — | msiexec.exe | SYSTEM | SYSTEM | 0 | Microsoft Corporation | Windows® installer | 5.0.7600.16385 (win7_rtm.090713-1255) |
3124 | "C:\Users\admin\AppData\Local\Temp\MW-02e3bf8a-3938-412d-99f5-23bfdb567436\fusion msi x32.exe" /s | C:\Users\admin\AppData\Local\Temp\MW-02e3bf8a-3938-412d-99f5-23bfdb567436\fusion msi x32.exe | | MsiExec.exe | SYSTEM | SYSTEM | 0 | | | |
2612 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\RarSFX0\fusion.VBS" | C:\Windows\System32\WScript.exe | — | fusion msi x32.exe | SYSTEM | SYSTEM | 0 | Microsoft Corporation | Microsoft ® Windows Based Script Host | 5.8.7600.16385 |
1828 | cmd /c ""C:\Users\admin\AppData\Local\Temp\RarSFX0\install.bat" " | C:\Windows\System32\cmd.exe | — | WScript.exe | SYSTEM | SYSTEM | | Microsoft Corporation | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
3104 | fusioninventory-agent_windows-x86_2.4.3.exe /S /acceptlicense /server="http://inventario-fi.forum.cl/plugins/fusioninventory/" /no-ssl-check /installtasks=full /add-firewall-exception /delaytime=20 /runnow | C:\Users\admin\AppData\Local\Temp\RarSFX0\fusioninventory-agent_windows-x86_2.4.3.exe | | cmd.exe | SYSTEM | SYSTEM | 0 | FusionInventory Team (http://www.fusioninventory.org) | FusionInventory Agent for Microsoft Windows | 2.4.3.23 |

PID | Process | Key | Name | Operation | Value |
---|---|---|---|---|---|
2472 | msiexec.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore | SrCreateRp (Enter) | write | 4000000000000000E0A42326960AD501A809000020090000D5070000000000000000000000000000000000000000000000000000000000000000000000000000 |
2472 | msiexec.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP | SppCreate (Enter) | write | 4000000000000000E0A42326960AD501A809000020090000D0070000000000000000000000000000000000000000000000000000000000000000000000000000 |
2472 | msiexec.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP | LastIndex | write | 20 |
2472 | msiexec.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP | SppGatherWriterMetadata (Enter) | write | 40000000000000000C519126960AD501A809000020090000D3070000000000000000000000000000000000000000000000000000000000000000000000000000 |
2472 | msiexec.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher | IDENTIFY (Enter) | write | 40000000000000001A789826960AD501A809000038040000E8030000010000000000000000000000A1DF5994DA5A8E45B59C9000DE046D890000000000000000 |
1180 | vssvc.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer | IDENTIFY (Enter) | write | 400000000000000036C6A626960AD5019C040000EC0D0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 |
1180 | vssvc.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | IDENTIFY (Enter) | write | 400000000000000036C6A626960AD5019C040000C4080000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 |
1180 | vssvc.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | IDENTIFY (Enter) | write | 400000000000000036C6A626960AD5019C040000F0090000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 |
1180 | vssvc.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | IDENTIFY (Enter) | write | 40000000000000009028A926960AD5019C040000180C0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 |
1180 | vssvc.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | IDENTIFY (Leave) | write | 40000000000000005214B526960AD5019C040000F0090000E8030000000000000100000000000000000000000000000000000000000000000000000000000000 |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2472 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | — | — |
832 | DrvInst.exe | C:\Windows\INF\setupapi.ev3 | binary | 76DCC60F78B3DFF1AE3627619074F465 | 18541AC1875315C4F9EFF75050C574FAFF83717C029DAE6B366F9C6C3F0C19E0 |
2472 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | 4D3349E2BA0926266529E916995C9FB1 | 967F8F8012AF4697BE394DD35EF570AEA64E9F51E457724637C985D65528A0ED |
832 | DrvInst.exe | C:\Windows\INF\setupapi.dev.log | ini | 49A4DA70BCECF861F2C030E87894E373 | 06BCF0818D1C0B2898FA1E74D953A1D0D5BCCF0662A95694333C3B28E830A0C1 |
2472 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{9459dfa1-5ada-458e-b59c-9000de046d89}_OnDiskSnapshotProp | binary | 4D3349E2BA0926266529E916995C9FB1 | 967F8F8012AF4697BE394DD35EF570AEA64E9F51E457724637C985D65528A0ED |
832 | DrvInst.exe | C:\Windows\INF\setupapi.ev1 | binary | 8D6FAE4951C84860FAF95CD1081A9980 | 8FE4712B8D784F72AAFF532CD880A384E5C5B8BBBC6348EEF6DF4725AAA21E43 |
2472 | msiexec.exe | C:\Windows\Installer\1240ab.msi | — | — | — |
2472 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF24E9442507633A61.TMP | — | — | — |
1180 | vssvc.exe | C: | — | — | — |
2472 | msiexec.exe | C:\Windows\Installer\1240ac.ipi | binary | 580CEC8677CDB9AA6E83B1E9AB11EF74 | B1866F9382F8A10BA349E436EFE1B45111FD2D098A7A9A03A346EAAFB0231AE9 |

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2804 | perl.exe | GET | 200 | 200.75.4.78:80 | http://inventario-fi.forum.cl/plugins/fusioninventory/?action=getConfig&task[Collect]=2.5&machineid=User-PC-2019-05-14-21-47-25 | CL | text | 42 b | unknown |
3676 | perl.exe | GET | 200 | 200.75.4.78:80 | http://inventario-fi.forum.cl/plugins/fusioninventory/?action=getConfig&task[Collect]=2.5&machineid=User-PC-2019-05-14-21-47-25 | CL | text | 42 b | unknown |
3676 | perl.exe | GET | 200 | 200.75.4.78:80 | http://inventario-fi.forum.cl/plugins/fusioninventory/?action=getConfig&machineid=User-PC-2019-05-14-21-47-25&task[Deploy]=2.7 | CL | text | 42 b | unknown |
2804 | perl.exe | POST | 200 | 200.75.4.78:80 | http://inventario-fi.forum.cl/plugins/fusioninventory/ | CL | pz | 98 b | unknown |
3676 | perl.exe | POST | 200 | 200.75.4.78:80 | http://inventario-fi.forum.cl/plugins/fusioninventory/ | CL | pz | 98 b | unknown |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2804 | perl.exe | 200.75.4.78:80 | inventario-fi.forum.cl | Gtd Internet S.A. | CL | unknown |
3676 | perl.exe | 200.75.4.78:80 | inventario-fi.forum.cl | Gtd Internet S.A. | CL | unknown |

Domain | IP | Reputation |
---|---|---|
inventario-fi.forum.cl | | unknown |

Process | Message |
---|---|
dmidecode.exe | Invalid parameter passed to C runtime function. |
dmidecode.exe | Invalid parameter passed to C runtime function. |
dmidecode.exe | Invalid parameter passed to C runtime function. |
dmidecode.exe | Invalid parameter passed to C runtime function. |
dmidecode.exe | Invalid parameter passed to C runtime function. |
dmidecode.exe | Invalid parameter passed to C runtime function. |
dmidecode.exe | Invalid parameter passed to C runtime function. |
dmidecode.exe | Invalid parameter passed to C runtime function. |