download: | FoxySpar.msi |
Full analysis: | https://app.any.run/tasks/e460c59c-b0b4-44d3-b6d1-692848591bf2 |
Verdict: | Malicious activity |
Analysis date: | January 17, 2020, 19:20:58 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-msi |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Author: FoxySpar, Keywords: Installer, Template: Intel;1033, Revision Number: {F3E9D595-1E7E-46ED-96BE-9776910A8D8A}, Create Time/Date: Wed Dec 18 10:55:14 2019, Last Saved Time/Date: Wed Dec 18 10:55:14 2019, Number of Pages: 310, Number of Words: 2, Security: 2 |
MD5: | C8D2BD0763239DB2C4CA364AC19E96BC |
SHA1: | 6B61E9800C582B48ECFC7DF7E4C4FF29BCD2466C |
SHA256: | A78DC162140313A35C489A72F6919D425B7F1CB57392725F4FA8C62B9AE2096B |
SSDEEP: | 49152:rheMLGYeGmLHZqqbWzvoq1YINULyxX9gvglTCmOt7dD5haLn:rh/LGYQMqbWzDYNLO9xu9tf |
.msi | | | Microsoft Installer (100) |
---|
Security: | Read-only recommended |
---|---|
Words: | 2 |
Pages: | 310 |
ModifyDate: | 2019:12:18 10:55:14 |
CreateDate: | 2019:12:18 10:55:14 |
RevisionNumber: | {F3E9D595-1E7E-46ED-96BE-9776910A8D8A} |
Template: | Intel;1033 |
Keywords: | Installer |
Author: | FoxySpar |
Title: | Installation Database |
CodePage: | Windows Latin 1 (Western European) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2448 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\FoxySpar.msi" | C:\Windows\System32\msiexec.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
1936 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | services.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
2152 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1324 | "C:\Program Files\foxyspar\ff\instui.exe" /starter | C:\Program Files\foxyspar\ff\instui.exe | — | msiexec.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3468 | "C:\Program Files\foxyspar\ff\instui.exe" /install /url=? /preurl=? /uinsturl=? /waitforenterprise=0 /forceenterprise=0 /tag=? | C:\Program Files\foxyspar\ff\instui.exe | msiexec.exe | |
User: admin Integrity Level: MEDIUM Exit code: 80000 | ||||
2508 | "C:\Program Files\foxyspar\ff\PService.exe" 183865836.1224242629F62D337B81813E76858E958FD4C5DC98D3DFE3A5EEE1F537393F42333B044C4452 183865836.F0FF08514B4E3F56 | C:\Program Files\foxyspar\ff\PService.exe | instui.exe | |
User: admin Company: Service Software Integrity Level: MEDIUM Description: Service Exit code: 0 Version: 1.0.0.0 | ||||
1524 | "C:\Program Files\Mozilla Firefox\firefox.exe" -new-window "C:\Program Files\foxyspar\ff\foxyspar-1.0.1-fx.xpi" | C:\Program Files\Mozilla Firefox\firefox.exe | — | instui.exe |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 68.0.1 | ||||
2952 | "C:\Program Files\Mozilla Firefox\firefox.exe" -new-window "C:\Program Files\foxyspar\ff\foxyspar-1.0.1-fx.xpi" | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 68.0.1 | ||||
2988 | "C:\Users\admin\AppData\Roaming\PService Software\PService.exe" | C:\Users\admin\AppData\Roaming\PService Software\PService.exe | PService.exe | |
User: admin Company: Service Software Integrity Level: MEDIUM Description: Service Version: 1.0.0.0 | ||||
3092 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2952.0.402914269\1593731857" -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2952 "\\.\pipe\gecko-crash-server-pipe.2952" 1172 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 1 Version: 68.0.1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1936 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
2152 | vssvc.exe | C: | — | |
MD5:— | SHA256:— | |||
1936 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF3653C7EE75D5436A.TMP | — | |
MD5:— | SHA256:— | |||
1936 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | |
MD5:B6075EAFAF897E56017BE0D700549908 | SHA256:B0CF71C4461379E2D8BB347F3F04C584384DA8910CDAE0B47A75227BF68E55C1 | |||
1936 | msiexec.exe | C:\Windows\Installer\MSID8B7.tmp | binary | |
MD5:98B5F160E5E191C51A67DC90670BE04F | SHA256:6C85DB3E3207F3921C0525618388903039A3BC32E4FE1FE2F6C4D682994D2412 | |||
2508 | PService.exe | C:\Users\admin\AppData\Roaming\PService Software\init.params | text | |
MD5:69C858EEEA39EA67AFC92BAE174C4032 | SHA256:1D88A845EE16C1438C36761416E3FD149BE6E12B940ACF4579D0D7385124F54C | |||
1936 | msiexec.exe | C:\Windows\Installer\{F5C3B9AF-DE19-47B8-B240-284E26FA0220}\PRODUCT_ICON | image | |
MD5:BDB93ACA74B49DC4598FF2869D818694 | SHA256:F076C9CC75BDB79C0C9D5EE7FAAC2B8EBCD10CF8D79BA0E52D9B7281590BF730 | |||
1936 | msiexec.exe | C:\Windows\Installer\39d319.msi | executable | |
MD5:C8D2BD0763239DB2C4CA364AC19E96BC | SHA256:A78DC162140313A35C489A72F6919D425B7F1CB57392725F4FA8C62B9AE2096B | |||
1936 | msiexec.exe | C:\Program Files\foxyspar\ff\foxyspar-1.0.1-fx.xpi | compressed | |
MD5:2EF40156CB4944C1E84FE072C15871EF | SHA256:7E7FD834A0E799182AFAA9F783C6C04B13C7350E67BB0F2F7928CE7E71A982CC | |||
2508 | PService.exe | C:\Users\admin\AppData\Roaming\PService Software\PService.exe | executable | |
MD5:16A954DEA9598B3D4C2E583508F7FD06 | SHA256:4E6646DEA5C5D1BE48E920A23C4C455ADB41F7543B3EA32442B82AE0FC6BA408 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2952 | firefox.exe | POST | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
1704 | firefox.exe | POST | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
1704 | firefox.exe | POST | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2952 | firefox.exe | POST | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2952 | firefox.exe | POST | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2952 | firefox.exe | POST | 200 | 172.217.22.67:80 | http://ocsp.pki.goog/gts1o1 | US | der | 471 b | whitelisted |
2952 | firefox.exe | POST | 200 | 2.21.242.220:80 | http://ocsp.int-x3.letsencrypt.org/ | NL | der | 527 b | whitelisted |
2952 | firefox.exe | POST | 200 | 172.217.22.67:80 | http://ocsp.pki.goog/gts1o1 | US | der | 471 b | whitelisted |
2952 | firefox.exe | POST | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2952 | firefox.exe | POST | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2952 | firefox.exe | 2.16.186.50:80 | detectportal.firefox.com | Akamai International B.V. | — | whitelisted |
2952 | firefox.exe | 172.217.22.10:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
2952 | firefox.exe | 54.69.207.70:443 | tiles.services.mozilla.com | Amazon.com, Inc. | US | unknown |
3468 | instui.exe | 63.34.125.24:443 | www.foxyspar.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | unknown |
2952 | firefox.exe | 72.21.91.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2952 | firefox.exe | 52.222.174.142:443 | snippets.cdn.mozilla.net | Amazon.com, Inc. | US | unknown |
2952 | firefox.exe | 34.215.87.43:443 | services.addons.mozilla.org | Amazon.com, Inc. | US | unknown |
2952 | firefox.exe | 52.89.218.39:443 | search.services.mozilla.com | Amazon.com, Inc. | US | unknown |
2952 | firefox.exe | 63.34.125.24:443 | www.foxyspar.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | unknown |
2988 | PService.exe | 63.34.125.24:443 | www.foxyspar.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | unknown |
Domain | IP | Reputation |
---|---|---|
www.foxyspar.com |
| unknown |
detectportal.firefox.com |
| whitelisted |
a1089.dscd.akamai.net |
| whitelisted |
search.services.mozilla.com |
| whitelisted |
search.r53-2.services.mozilla.com |
| whitelisted |
push.services.mozilla.com |
| whitelisted |
autopush.prod.mozaws.net |
| whitelisted |
snippets.cdn.mozilla.net |
| whitelisted |
d228z91au11ukj.cloudfront.net |
| whitelisted |
services.addons.mozilla.org |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .cloud TLD |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .cloud TLD |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .cloud TLD |