File name: | http://169.239.128.104/alg |
Full analysis: | https://app.any.run/tasks/5783a3e8-4162-4eac-97f1-1eeddb3c3327 |
Verdict: | Malicious activity |
Analysis date: | March 21, 2019, 09:25:22 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-msi |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Last Printed: Fri Sep 21 10:56:09 2012, Create Time/Date: Fri Sep 21 10:56:09 2012, Name of Creating Application: Windows Installer, Title: Exe to msi converter free, Author: www.exetomsi.com, Template: ;0, Last Saved By: devuser, Revision Number: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 12:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0 |
MD5: | D4C11BDA021113CA4604D80896B2A492 |
SHA1: | 6F6C9D565E37D612D5494A56034BE7A117435514 |
SHA256: | AE2B1B1F7265386EDBBF2617084F277CDB9BC5AC34BD9AAC00CBC77A6BDCD829 |
SSDEEP: | 6144:OENa+Dc4rPekT5sBLg6bGTCnvSxLKvSitOunZ2ze4FnPTglY61NpwoF:OEhoGPVTs0LKqxuZ2ze4R4h |
.msi | | | Microsoft Installer (100) |
---|
CodePage: | Windows Latin 1 (Western European) |
---|---|
LastPrinted: | 2012:09:21 09:56:09 |
CreateDate: | 2012:09:21 09:56:09 |
Software: | Windows Installer |
Title: | Exe to msi converter free |
Subject: | - |
Author: | www.exetomsi.com |
Keywords: | - |
Comments: | - |
Template: | ;0 |
LastModifiedBy: | devuser |
RevisionNumber: | {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E} |
ModifyDate: | 2013:05:21 11:56:44 |
Pages: | 100 |
Words: | - |
Security: | None |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2384 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\alg.msi" | C:\Windows\System32\msiexec.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
2076 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | services.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
4044 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2100 | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "000005B4" "00000398" | C:\Windows\system32\DrvInst.exe | — | svchost.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3064 | "C:\Windows\Installer\MSIC5F8.tmp" | C:\Windows\Installer\MSIC5F8.tmp | msiexec.exe | |
User: admin Company: hepsu burda Integrity Level: MEDIUM Description: hepsu burda Application Version: 1.0.2.1 | ||||
2708 | "C:\Users\admin\AppData\Local\Temp\nsvC721.tmp\nsC761.tmp" "cmd.exe" /c rundll32.exe C:\Users\admin\AppData\Local\Temp\xmlparse.dll, sega | C:\Users\admin\AppData\Local\Temp\nsvC721.tmp\nsC761.tmp | MSIC5F8.tmp | |
User: SYSTEM Integrity Level: SYSTEM | ||||
648 | "cmd.exe" /c rundll32.exe C:\Users\admin\AppData\Local\Temp\xmlparse.dll, sega | C:\Windows\system32\cmd.exe | — | nsC761.tmp |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
1572 | rundll32.exe C:\Users\admin\AppData\Local\Temp\xmlparse.dll, sega | C:\Windows\system32\rundll32.exe | cmd.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows host process (Rundll32) Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
416 | cmd.exe /C powershell -nop -ep bypass -f %temp%\enu.ps1 | C:\Windows\system32\cmd.exe | — | rundll32.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2592 | powershell -nop -ep bypass -f C:\Users\admin\AppData\Local\Temp\enu.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2076 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
2100 | DrvInst.exe | C:\Windows\INF\setupapi.ev3 | binary | |
MD5:76DCC60F78B3DFF1AE3627619074F465 | SHA256:18541AC1875315C4F9EFF75050C574FAFF83717C029DAE6B366F9C6C3F0C19E0 | |||
2076 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | |
MD5:48171FEB35656D43CE897EECDF0B360C | SHA256:D1DC34B9C477FB404E60FCC10E270C328D47CD251B87C10A61F675493D3A2ADD | |||
2100 | DrvInst.exe | C:\Windows\INF\setupapi.dev.log | ini | |
MD5:034E6F015C52ECB911F06567CBFEC464 | SHA256:29672522641F8BFB9FD455AEC4FE56A52EFE9181D7EDB8675229CE21B65C7B39 | |||
2076 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{5c95f8d3-98c7-4e8a-b3d0-03f6dddba5cb}_OnDiskSnapshotProp | binary | |
MD5:48171FEB35656D43CE897EECDF0B360C | SHA256:D1DC34B9C477FB404E60FCC10E270C328D47CD251B87C10A61F675493D3A2ADD | |||
2100 | DrvInst.exe | C:\Windows\INF\setupapi.ev1 | binary | |
MD5:08F7FDFC713CDCBE6112FA70062008DF | SHA256:AD9BA9F257150F267AF97709C013173DBA95E8B9AF6827D107DCB0736E9576DB | |||
2076 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF43111A65E17A76FA.TMP | — | |
MD5:— | SHA256:— | |||
4044 | vssvc.exe | C: | — | |
MD5:— | SHA256:— | |||
2592 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FMPUZ87IKNTIYDCZYCU2.temp | — | |
MD5:— | SHA256:— | |||
2076 | msiexec.exe | C:\Windows\Installer\fc03a.msi | executable | |
MD5:D4C11BDA021113CA4604D80896B2A492 | SHA256:AE2B1B1F7265386EDBBF2617084F277CDB9BC5AC34BD9AAC00CBC77A6BDCD829 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1572 | rundll32.exe | POST | 200 | 179.43.156.37:80 | http://cdnavupdate.icu/jquery/jquery.php | CH | text | 3 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1572 | rundll32.exe | 179.43.156.37:80 | cdnavupdate.icu | Private Layer INC | CH | suspicious |
Domain | IP | Reputation |
---|---|---|
cdnavupdate.icu |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .icu Domain |
1572 | rundll32.exe | Potentially Bad Traffic | ET INFO HTTP POST Request to Suspicious *.icu domain |