File name: | RechnungswesenStartcenterMachine.msi |
Full analysis: | https://app.any.run/tasks/b7d5572a-e124-49ac-a2b1-d41d9a68dbeb |
Verdict: | Malicious activity |
Analysis date: | July 18, 2019, 14:06:41 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-msi |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Installs the Accounting Startcenter, Author: Diamant Software GmbH, Keywords: Installer, Comments: (c) 2019 Diamant Software GmbH, Create Time/Date: Mon May 27 10:45:48 2019, Name of Creating Application: Windows Installer XML Toolset (3.10.2.2516), Security: 2, Template: Intel;1031,1033, Last Saved By: Intel;1031,1033, Revision Number: {16E302BD-260F-4AD4-BE1F-9E8784D9E1AF}1.0.0.0;{16E302BD-260F-4AD4-BE1F-9E8784D9E1AF}1.0.0.0;{16E302BD-260F-4AD4-BE1F-9E8784D9E1AF}, Number of Pages: 200, Number of Characters: 0 |
MD5: | 8FB4E4DE55878BAF0FEBDFD84F2D5F52 |
SHA1: | 702C45272A56EF5B71C2C635BFE3BF53F403FCEC |
SHA256: | 61FEBABE0D2F25EC653E4D29914535488B09CC095F104E5C0FDD208B9160894F |
SSDEEP: | 12288:EFSnpIlPTLIRTRWNKnnUbSDw6+L3xv5yfXA7S44QnopObHrT+nZnYOHmDpeVgEEU:EFtLI3EK5Pe/sSbzL0xdV9E8jf6i |
.msi | | | Microsoft Windows Installer (98.5) |
---|---|---|
.msi | | | Microsoft Installer (100) |
Characters: | - |
---|---|
LastModifiedBy: | Intel;1031,1033 |
RevisionNumber: | {B1C74919-880E-4351-8013-D8D3307893D4} |
Security: | Read-only recommended |
Software: | Windows Installer XML Toolset (3.10.2.2516) |
Words: | 2 |
Pages: | 200 |
ModifyDate: | 2019:05:27 09:45:48 |
CreateDate: | 2019:05:27 09:45:48 |
Template: | Intel;1031,1033 |
Comments: | (c) 2019 Diamant Software GmbH |
Keywords: | Installer |
Author: | Diamant Software GmbH |
Subject: | Installs the Accounting Startcenter |
Title: | Installation Database |
CodePage: | Windows Latin 1 (Western European) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3348 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\RechnungswesenStartcenterMachine.msi" | C:\Windows\System32\msiexec.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
3068 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | services.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
3376 | C:\Windows\system32\MsiExec.exe -Embedding 74D985058C3422158529F1C1FCCFD9F3 C | C:\Windows\system32\MsiExec.exe | — | msiexec.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
2220 | rundll32.exe "C:\Users\admin\AppData\Local\Temp\MSIF349.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1569734 1 Installer.Actions!Installer.Actions.CustomActions.CheckForValidInstallDir | C:\Windows\system32\rundll32.exe | MsiExec.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1672 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3400 | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot21" "" "" "6f9bf5bcb" "00000000" "00000544" "000005C8" | C:\Windows\system32\DrvInst.exe | — | svchost.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1488 | C:\Windows\system32\MsiExec.exe -Embedding A0471581BAD07D8691A83EC23143A781 M Global\MSI0000 | C:\Windows\system32\MsiExec.exe | — | msiexec.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
3356 | rundll32.exe "C:\Windows\Installer\MSI437E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1590734 1 Installer.Actions!Installer.Actions.CustomActions.WriteApplicationConfig | C:\Windows\system32\rundll32.exe | MsiExec.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3620 | "C:\Program Files\Rechnungswesen\Startcenter\(Default)\Diamant.Launcher.Core.exe" /createStartMenu "(Default)" /serverurl=http://INDIBAC02DE.SW.SHERWIN.COM/Produktiv/Rechnungswesen /partner=0020 /productname="dibac.finanz3" | C:\Program Files\Rechnungswesen\Startcenter\(Default)\Diamant.Launcher.Core.exe | — | msiexec.exe |
User: admin Company: Diamant Software Integrity Level: MEDIUM Description: Rechnungswesen Startcenter Exit code: 0 Version: 3.11.2.2400 | ||||
1660 | "C:\Program Files\Rechnungswesen\Startcenter\(Default)\Diamant.Launcher.Core.exe" "C:\Program Files\Rechnungswesen\Startcenter\(Default)\Diamant.Launcher.Core.exe" /createStartMenu "(Default)" /serverurl=http://INDIBAC02DE.SW.SHERWIN.COM/Produktiv/Rechnungswesen /partner=0020 /productname="dibac.finanz3" | C:\Program Files\Rechnungswesen\Startcenter\(Default)\Diamant.Launcher.Core.exe | Diamant.Launcher.Core.exe | |
User: admin Company: Diamant Software Integrity Level: HIGH Description: Rechnungswesen Startcenter Version: 3.11.2.2400 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3068 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
3068 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | |
MD5:545BE833CCFDEE1B539655A36AF469A2 | SHA256:404F61FE622137571DF549116D908D48B2873D4034C51046B2096919519FC942 | |||
3400 | DrvInst.exe | C:\Windows\INF\setupapi.ev3 | binary | |
MD5:627FE7EDB33BA7093FEA154EDE035A2F | SHA256:6C3C45C455DBD7E39E89A855FE508F236982BCC8243ADD10B4FDA5781A159C53 | |||
3348 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSIF349.tmp | executable | |
MD5:46FD6FDB1A4B50993F3D133E4080FB02 | SHA256:550A51B279616936E9562B0D464C705F188A07BC388A10C5A95A87D5545841D5 | |||
2220 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\MSIF349.tmp-\CustomAction.config | xml | |
MD5:52A6E68C421636373B58B0AB462AF0CB | SHA256:B129B22B6189EFBD3390D46E92F4EBA92242A1E7B788CB6529836B70030E2694 | |||
2220 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\MSIF349.tmp-\Microsoft.Deployment.WindowsInstaller.dll | executable | |
MD5:9CC443B70EA68FB136DD54D6DAAECA0E | SHA256:A1DA28CB626CB52661D2D6E0A6FB14B97DCA16D88FF755A967B7507D38998C44 | |||
3068 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{f95a3ac2-566d-407d-bc54-bfc379be2fe0}_OnDiskSnapshotProp | binary | |
MD5:545BE833CCFDEE1B539655A36AF469A2 | SHA256:404F61FE622137571DF549116D908D48B2873D4034C51046B2096919519FC942 | |||
3068 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF7D28D8FE7A1445F4.TMP | — | |
MD5:— | SHA256:— | |||
3068 | msiexec.exe | C:\Windows\Installer\1837c5.ipi | binary | |
MD5:9CFF0BC5BFE4A31C050D65EB522DBD23 | SHA256:89E0748FB620A75A9D597C111DA282F168AE5D69F6DEEC1688CF98C8835F118E | |||
2220 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\MSIF349.tmp-\Installer.Actions.dll | executable | |
MD5:0A04FFF958473CCFB165ADFEAE69431A | SHA256:7D2857A7BC79C92ECCEB53CDDCD4FC5037BC23D6AAB5E767BE4FDF7D7BC0D5CA |
Domain | IP | Reputation |
---|---|---|
indibac02de.sw.sherwin.com |
| unknown |