| Field | Value |
|---|---|
| File name | 8da646fe11393fb01f81e285d1938a85a82c5334b874edd0e57143858afc54fd.msi |
| Full analysis | https://app.any.run/tasks/c837abe0-ba1e-4332-846c-42e5fc396a87 |
| Verdict | Malicious activity |
| Analysis date | March 21, 2019, 23:33:55 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/x-msi |
| File info | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1251, Title: Installation Database, Subject: InnoExtractor, Author: user, Keywords: Installer, Comments: This installer database contains the logic and data required to install InnoExtractor., Template: Intel;1049, Revision Number: {D3FAC324-5F24-482C-9903-6EEF40424C0F}, Create Time/Date: Tue Mar 19 00:02:38 2019, Last Saved Time/Date: Tue Mar 19 00:02:38 2019, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.11.0.1528), Security: 2 |
| MD5 | C02FBDF52638241988047706B51AE564 |
| SHA1 | F0522CE00357561311469CDE7AF0F63F443B7B3F |
| SHA256 | 8DA646FE11393FB01F81E285D1938A85A82C5334B874EDD0E57143858AFC54FD |
| SSDEEP | 49152:KVIeH1g95jvIMLd/4SzCaQeHlMxihRfa1ys:KVv65BaS4eHlAL1 |


| Extension | Identification |
|---|---|
| .msi | Microsoft Windows Installer (98.5) |
| .msi | Microsoft Installer (100) |


| Field | Value |
|---|---|
| Security | Read-only recommended |
| Software | Windows Installer XML Toolset (3.11.0.1528) |
| Words | 10 |
| Pages | 200 |
| ModifyDate | 2019:03:19 00:02:38 |
| CreateDate | 2019:03:19 00:02:38 |
| RevisionNumber | {D3FAC324-5F24-482C-9903-6EEF40424C0F} |
| Template | Intel;1049 |
| Comments | This installer database contains the logic and data required to install InnoExtractor. |
| Keywords | Installer |
| Author | user |
| Subject | InnoExtractor |
| Title | Installation Database |
| CodePage | Windows Cyrillic |


| PID | CMD | Path | Indicators | Parent process | User | Integrity | Company | Description | Version | Exit code |
|---|---|---|---|---|---|---|---|---|---|---|
| 2260 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\8da646fe11393fb01f81e285d1938a85a82c5334b874edd0e57143858afc54fd.msi" | C:\Windows\System32\msiexec.exe | — | explorer.exe | admin | MEDIUM | Microsoft Corporation | Windows® installer | 5.0.7600.16385 (win7_rtm.090713-1255) | 1 |
| 2140 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | — | services.exe | SYSTEM | SYSTEM | Microsoft Corporation | Windows® installer | 5.0.7600.16385 (win7_rtm.090713-1255) | — |
| 2088 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe | SYSTEM | SYSTEM | Microsoft Corporation | Microsoft® Volume Shadow Copy Service | 6.1.7600.16385 (win7_rtm.090713-1255) | — |
| 1308 | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "000005C0" "000005B4" | C:\Windows\system32\DrvInst.exe | — | svchost.exe | SYSTEM | SYSTEM | Microsoft Corporation | Driver Installation Module | 6.1.7600.16385 (win7_rtm.090713-1255) | 0 |
| 1352 | C:\Windows\system32\MsiExec.exe -Embedding 432005C4E8CEDB47545E15A8497481D9 | C:\Windows\system32\MsiExec.exe | — | msiexec.exe | admin | MEDIUM | Microsoft Corporation | Windows® installer | 5.0.7600.16385 (win7_rtm.090713-1255) | 1 |
| 1524 | "cmd" /c "cd "C:\Users\admin\AppData\Local\Temp\\Steam64.dll\"&z -o -P kika mse.zip" | C:\Windows\system32\cmd.exe | — | MsiExec.exe | admin | MEDIUM | Microsoft Corporation | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850) | 0 |
| 2480 | z -o -P kika mse.zip | C:\Users\admin\AppData\Local\Temp\Steam64.dll\z.exe | — | cmd.exe | admin | MEDIUM | — | — | — | 0 |
| 2320 | "cmd" /v:on /c "set Tlder=rundll32&set Dlsrt=%random%&mkdir "C:\Users\admin\AppData\Local\Temp\\Steam64.dll\!Dlsrt!"&cd "C:\Users\admin\AppData\Local\Temp\\Steam64.dll\!Dlsrt!\"&move /y "C:\Users\admin\AppData\Local\Temp\\Steam64.dll\*.*" "C:\Users\admin\AppData\Local\Temp\\Steam64.dll\!Dlsrt!"\&!Tlder! _steam.dll,Entry i" | C:\Windows\system32\cmd.exe | — | MsiExec.exe | admin | MEDIUM | Microsoft Corporation | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850) | 3221225477 (0xC0000005, access violation) |
| 2284 | rundll32 _steam.dll,Entry i | C:\Windows\system32\rundll32.exe | — | cmd.exe | admin | MEDIUM | Microsoft Corporation | Windows host process (Rundll32) | 6.1.7600.16385 (win7_rtm.090713-1255) | 3221225477 (0xC0000005, access violation) |
| 1728 | "C:\Windows\System32\taskkill.exe" /IM msiexec.exe /F | C:\Windows\System32\taskkill.exe | — | rundll32.exe | admin | MEDIUM | Microsoft Corporation | Terminates Processes | 6.1.7600.16385 (win7_rtm.090713-1255) | 0 |

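The process table shows the chain worth detecting: the MSI custom-action server (MsiExec.exe -Embedding) spawns cmd.exe, which runs z.exe from a Temp folder named Steam64.dll to extract a password-protected archive (unzip-style -o/-P switches, password kika), then a second cmd.exe with delayed expansion moves the extracted files into a %random%-named subfolder and runs rundll32 on _steam.dll; that rundll32 kills msiexec.exe and then dies with 0xC0000005, which is why WerFault later posts a crash report to watson.microsoft.com. The script below is an added example, not part of the ANY.RUN report: it rebuilds the parent chain from constructed process events (PIDs, image paths and command lines copied from the table; parent PIDs for explorer.exe, services.exe and svchost.exe are placeholders, and the -Embedding server is assumed to be a child of the service instance 2140, since the report only names parents) and applies rules for each stage. Rule names and regexes are this example's own.

```python
"""Detect the msiexec -> cmd -> z.exe/rundll32 -> taskkill chain from process events.

Added example, not from the ANY.RUN report. EVENTS is constructed from the
report's process table; parent PIDs 500/600/1000 are placeholders for
services.exe, svchost.exe and explorer.exe, and 1352's parent (2140) is assumed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str                       # full path of the executable
    cmdline: str
    exit_code: Optional[int] = None  # None: still running when the run ended


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


TEMP = r"C:\Users\admin\AppData\Local\Temp"
EVENTS: List[ProcEvent] = [
    ProcEvent(2260, 1000, r"C:\Windows\System32\msiexec.exe",
              r'"C:\Windows\System32\msiexec.exe" /i "' + TEMP +
              r'\8da646fe11393fb01f81e285d1938a85a82c5334b874edd0e57143858afc54fd.msi"', 1),
    ProcEvent(2140, 500, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(2088, 500, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    ProcEvent(1308, 600, r"C:\Windows\system32\DrvInst.exe",
              r'DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "000005C0" "000005B4"', 0),
    ProcEvent(1352, 2140, r"C:\Windows\system32\MsiExec.exe",
              r"C:\Windows\system32\MsiExec.exe -Embedding 432005C4E8CEDB47545E15A8497481D9", 1),
    ProcEvent(1524, 1352, r"C:\Windows\system32\cmd.exe",
              r'"cmd" /c "cd "' + TEMP + r'\\Steam64.dll\"&z -o -P kika mse.zip"', 0),
    ProcEvent(2480, 1524, TEMP + r"\Steam64.dll\z.exe", r"z -o -P kika mse.zip", 0),
    ProcEvent(2320, 1352, r"C:\Windows\system32\cmd.exe",
              r'"cmd" /v:on /c "set Tlder=rundll32&set Dlsrt=%random%&mkdir "' + TEMP +
              r'\\Steam64.dll\!Dlsrt!"&cd "' + TEMP + r'\\Steam64.dll\!Dlsrt!\"&move /y "' + TEMP +
              r'\\Steam64.dll\*.*" "' + TEMP + r'\\Steam64.dll\!Dlsrt!"' + r'\&!Tlder! _steam.dll,Entry i"',
              0xC0000005),
    ProcEvent(2284, 2320, r"C:\Windows\system32\rundll32.exe", r"rundll32 _steam.dll,Entry i", 0xC0000005),
    ProcEvent(1728, 2284, r"C:\Windows\System32\taskkill.exe",
              r'"C:\Windows\System32\taskkill.exe" /IM msiexec.exe /F', 0),
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
EXE_IN_DLL_DIR = re.compile(r"\\Temp\\([^\\]+\.dll)\\[^\\]+\.exe$", re.I)   # Steam64.dll\z.exe
PASSWORD_ZIP = re.compile(r"\s-P\s+\S+\s+\S+\.zip", re.I)                 # unzip -P <pwd> x.zip (also 7z -p)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(by_pid: Dict[int, ProcEvent], pid: int) -> List[ProcEvent]:
    """Ancestor events of pid, nearest parent first; stops at unknown PIDs or loops."""
    chain, visited = [], {pid}
    ev = by_pid.get(pid)
    while ev is not None and ev.ppid in by_pid and ev.ppid not in visited:
        visited.add(ev.ppid)
        ev = by_pid[ev.ppid]
        chain.append(ev)
    return chain


def analyse(events: List[ProcEvent]) -> List[Finding]:
    by_pid = {e.pid: e for e in events}
    findings: List[Finding] = []
    for e in events:
        name = basename(e.image)
        anc = [basename(a.image) for a in ancestors(by_pid, e.pid)]
        # rundll32 with an msiexec ancestor: installer custom action handing off to a DLL payload
        if name == "rundll32.exe" and "msiexec.exe" in anc:
            findings.append(Finding("rundll32_from_installer", e.pid, " <- ".join([name] + anc)))
        # taskkill /IM msiexec.exe from a non-installer parent: the payload killing its own installer
        if name == "taskkill.exe" and re.search(r"/IM\s+msiexec\.exe", e.cmdline, re.I) and anc and anc[0] != "msiexec.exe":
            findings.append(Finding("payload_kills_msiexec", e.pid, e.cmdline))
        # an .exe executed from a %TEMP% directory whose name ends in .dll (directory masquerading)
        m = EXE_IN_DLL_DIR.search(e.image)
        if m:
            findings.append(Finding("exe_in_dll_named_dir", e.pid, m.group(1)))
        # password-protected archive extraction involving %TEMP%
        if PASSWORD_ZIP.search(e.cmdline) and (TEMP_RE.search(e.image) or TEMP_RE.search(e.cmdline)):
            findings.append(Finding("password_archive_in_temp", e.pid, e.cmdline))
        # cmd /v:on building a %random%-named staging dir and launching rundll32 via an expanded variable
        low = e.cmdline.lower()
        if name == "cmd.exe" and "/v:on" in low and "%random%" in low and "rundll32" in low:
            findings.append(Finding("cmd_delayed_expansion_staging", e.pid, e.cmdline))
    return findings


def describe_exit(code: Optional[int]) -> str:
    """Hex form of an exit code; values >= 0xC0000000 are NTSTATUS failures, i.e. a crash."""
    return "running" if code is None else f"0x{code:08X}"


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f"{f.rule:32} pid={f.pid} {f.detail[:80]}")
    print("rundll32 exit:", describe_exit(EVENTS[8].exit_code))
```

Run as-is it reports the five stages above, each attributed to its PID. The 0xC0000005 exit of PIDs 2320 and 2284 (cmd.exe propagates rundll32's status) ties the crash-report HTTP request further down to this chain: the WerFault URL names rundll32_exe, ntdll_dll and c0000005.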

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2140 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | — | — |
| 2140 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{5c95f8d3-98c7-4e8a-b3d0-03f6dddba5cb}_OnDiskSnapshotProp | binary | AF550987887789CD8F99BA0493270B34 | C4F6732B30240F23F94CE1A6B77218586708430C33BC03391F01FE09A846FDB2 |
| 1308 | DrvInst.exe | C:\Windows\INF\setupapi.ev3 | binary | 76DCC60F78B3DFF1AE3627619074F465 | 18541AC1875315C4F9EFF75050C574FAFF83717C029DAE6B366F9C6C3F0C19E0 |
| 1308 | DrvInst.exe | C:\Windows\INF\setupapi.ev1 | binary | 05B0BA9E89CAD2BA1ECE02FD5E7E3619 | 2C00288834543A7245DCC70F63C46D700AD93EB30AC47C2C9DD625987CAC2C04 |
| 1308 | DrvInst.exe | C:\Windows\INF\setupapi.dev.log | ini | 6EAF41B83D58273105BCA803F437BAE5 | B2793DBB346600FE2FB5E523ACE6941E1CF14F7F63D42987E4DBCEC8B03C2D12 |
| 2140 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | AF550987887789CD8F99BA0493270B34 | C4F6732B30240F23F94CE1A6B77218586708430C33BC03391F01FE09A846FDB2 |
| 2140 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF4FB82D5AEBF69A49.TMP | — | — | — |
| 2140 | msiexec.exe | C:\Windows\Installer\MSIC433.tmp | — | — | — |
| 2480 | z.exe | C:\Users\admin\AppData\Local\Temp\Steam64.dll\bin.dat | — | — | — |
| 2480 | z.exe | C:\Users\admin\AppData\Local\Temp\Steam64.dll\_steam.dll | — | — | — |


| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2216 | WerFault.exe | GET | — | 40.67.186.102:80 | http://watson.microsoft.com/StageOne/rundll32_exe/6_1_7600_16385/4a5bc637/ntdll_dll/6_1_7601_17514/4ce7b96e/c0000005/000533b1.htm?LCID=1033&OS=6.1.7601.2.00010100.1.0.48.17514&SM=DELL&SPN=DELL&BV=DELL&MID=3ADE2C42-4AB9-49B7-B142-BE9AEEA69063 | US | — | — | whitelisted |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2216 | WerFault.exe | 40.67.186.102:80 | watson.microsoft.com | Microsoft Corporation | US | whitelisted |

| Domain | IP | Reputation |
|---|---|---|
| watson.microsoft.com | 40.67.186.102 | whitelisted |

| PID | Process | Class | Message |
|---|---|---|---|
| 2216 | WerFault.exe | Potential Corporate Privacy Violation | ET POLICY Application Crash Report Sent to Microsoft |

| Process | Message |
|---|---|
| rundll32.exe | |
| rundll32.exe | |
| rundll32.exe | |