| Field | Value |
|---|---|
| File name | C:\Windows\Installer\fe863.msi |
| Full analysis | https://app.any.run/tasks/602244d3-1f15-474a-87d7-a95ae3456bbe |
| Verdict | Malicious activity |
| Analysis date | May 21, 2022, 10:33:56 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/x-msi |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Installer, Author: Corporation, Keywords: Installer, Comments: Installer Package, Template: Intel;1033, Revision Number: {DEBB4A85-EC27-4415-B5D6-DF4F44095086}, Create Time/Date: Wed Apr 27 17:56:46 2022, Last Saved Time/Date: Wed Apr 27 17:56:46 2022, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4163), Security: 2 |
| MD5 | 5D4E40D1D41C4588FBF7065FA85454E7 |
| SHA1 | CA876C335EF0A4D90B456F13CC975C04016A5CC1 |
| SHA256 | 4C7314083933A283C87DC28ABBED3082040F12E92EDAC47FF72F8539AF6E3EA1 |
| SSDEEP | 768:qhDfhKuI7+HwtCvdttj42XZ5uNenzMtKf17xXbdTXbkVB3YoyWMDCTyWMDC/YifW:8u7+ACu2XZ/zMkIVCo0D80DO7fxP |
| Field | Value |
|---|---|
| File type (.msi) | Microsoft Installer (100) |
| Security | Read-only recommended |
| Software | Windows Installer XML Toolset (3.11.2.4163) |
| Words | 10 |
| Pages | 200 |
| ModifyDate | 2022:04:27 16:56:46 |
| CreateDate | 2022:04:27 16:56:46 |
| RevisionNumber | {DEBB4A85-EC27-4415-B5D6-DF4F44095086} |
| Template | Intel;1033 |
| Comments | Installer Package |
| Keywords | Installer |
| Author | Corporation |
| Subject | Installer |
| Title | Installation Database |
| CodePage | Windows Latin 1 (Western European) |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2948 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\fe863.msi" | C:\Windows\System32\msiexec.exe | — | Explorer.EXE |
| 2928 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | | services.exe |
| 3824 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
| 2492 | C:\Windows\system32\MsiExec.exe -Embedding E1C185B651FCB724C0228915813C24DB | C:\Windows\system32\MsiExec.exe | — | msiexec.exe |

Process details:

| PID | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|
| 2948 | admin | Microsoft Corporation | MEDIUM | Windows® installer | 0 | 5.0.7600.16385 (win7_rtm.090713-1255) |
| 2928 | SYSTEM | Microsoft Corporation | SYSTEM | Windows® installer | | 5.0.7600.16385 (win7_rtm.090713-1255) |
| 3824 | SYSTEM | Microsoft Corporation | SYSTEM | Microsoft® Volume Shadow Copy Service | | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2492 | admin | Microsoft Corporation | MEDIUM | Windows® installer | 0 | 5.0.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 2948 | msiexec.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | write | LanguageList | en-US |
| 2928 | msiexec.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore | write | SrCreateRp (Enter) | 4000000000000000D88D2449FE6CD801700B0000CC0E0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000 |
| 2928 | msiexec.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP | write | SppCreate (Enter) | 4000000000000000D88D2449FE6CD801700B0000CC0E0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000 |
| 2928 | msiexec.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP | write | LastIndex | 69 |
| 2928 | msiexec.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP | write | SppGatherWriterMetadata (Enter) | 4000000000000000723B7349FE6CD801700B0000CC0E0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000 |
| 2928 | msiexec.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher | write | IDENTIFY (Enter) | 4000000000000000723B7349FE6CD801700B0000E0080000E8030000010000000000000000000000BB5661CB8D6C754684DA76553A2B22B10000000000000000 |
| 3824 | vssvc.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | write | IDENTIFY (Enter) | 400000000000000080627A49FE6CD801F00E0000F4070000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 |
| 3824 | vssvc.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | write | IDENTIFY (Enter) | 400000000000000080627A49FE6CD801F00E0000AC0C0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 |
| 3824 | vssvc.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer | write | IDENTIFY (Enter) | 400000000000000080627A49FE6CD801F00E000038060000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 |
| 3824 | vssvc.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | write | IDENTIFY (Enter) | 400000000000000080627A49FE6CD801F00E000098050000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2928 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | — | — |
| 2928 | msiexec.exe | C:\Users\admin\AppData\Local\uhau8i5a9k | — | — | — |
| 2928 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF9027DA7B2F744E07.TMP | gmc | D6F1BF6D6FAD010718D9DC94A274B873 | A201F04EF6A95140CEB24198C016591F4738FF383E20C788860659A7C4187520 |
| 2928 | msiexec.exe | C:\Windows\Installer\MSI5DA2.tmp | executable | EADAAA6EDAB657ED52D0B76325494469 | EC0AC9068FA7C0E422F0F090EFB31E335EF87439BB5034E98A6D9F1A6E292ACB |
| 2928 | msiexec.exe | C:\Windows\Installer\SourceHash{1FB7F52F-AE2D-47D5-93EC-49261060D88C} | binary | 7ED9472A2A640622234876743AB4895E | DCBFC8F6D61F7AA1427C9DCD2877E0A5C5DFECA72CAF7C90E81A337ABBEBB786 |
| 2928 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{cb6156bb-6c8d-4675-84da-76553a2b22b1}_OnDiskSnapshotProp | binary | 94E21ABC217A6DAA4DCED8613D49B05C | B821B6DEDFDA90F63B42AB6B802377BD5094C177527DA52F74346FDA255BFA44 |
| 2928 | msiexec.exe | C:\Windows\Installer\105be0.msi | executable | 5D4E40D1D41C4588FBF7065FA85454E7 | 4C7314083933A283C87DC28ABBED3082040F12E92EDAC47FF72F8539AF6E3EA1 |
| 2928 | msiexec.exe | C:\Config.Msi\105bdf.rbs | binary | 3D8576C8978F7DDFFADC5243E15FF41E | 95DEA80B5F758E9A54A3AA2805B92513101D412366C305AA879BB0A66ACDA5B4 |
| 2928 | msiexec.exe | C:\Windows\Installer\105bdd.msi | executable | 5D4E40D1D41C4588FBF7065FA85454E7 | 4C7314083933A283C87DC28ABBED3082040F12E92EDAC47FF72F8539AF6E3EA1 |
| 2928 | msiexec.exe | C:\Windows\Installer\105bde.ipi | binary | F1E6D4BB887795DC45E3E9DBE474D542 | 7B6208011F752FBBA37FA600FD85EBBC58AC62484CEE303B02816C26321C5E7A |