download:

f101v10b5836.exe

Full analysis: https://app.any.run/tasks/c7acc5b6-5a1f-462b-9b12-1c46e0c335fd
Verdict: Malicious activity
Analysis date: April 23, 2019, 21:22:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

CF082D0CE4A47634365464C52FE9A35E

SHA1:

F8115C5AEFF40009126EC999EFD36B8AD22A7682

SHA256:

C795C816CA2438EE173DF19EC37B45E06C481FCD18B6C4706D7032B60F9C76D5

SSDEEP:

393216:cPDQIqd4kqImjqcdnVdO8HzoULyFKLfcSQC8zPw+a0jeQiTO+a8ftz:crQIqddqIOqcdLLLyk0ST+a0/iR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes settings of System certificates

      • MSIEXEC.EXE (PID: 3488)

    • Loads dropped or rewritten executable

      • FSRT.exe (PID: 3240)

    • Changes the login/logoff helper path in the registry

      • MsiExec.exe (PID: 2544)

    • Application was dropped or rewritten from another process

      • FLOGO.EXE (PID: 3536)
      • FSRT.exe (PID: 3240)
      • FSRTU.EXE (PID: 2880)
      • fortres.exe (PID: 1816)

  • SUSPICIOUS

    • Starts Microsoft Installer

      • f101v10b5836.exe (PID: 2792)

    • Adds / modifies Windows certificates

      • MSIEXEC.EXE (PID: 3488)

    • Creates files in the driver directory

      • msiexec.exe (PID: 3680)

    • Changes the autorun value in the registry

      • msiexec.exe (PID: 3680)

    • Creates files in the program directory

      • FSRT.exe (PID: 3240)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3680)

    • Creates COM task schedule object

      • msiexec.exe (PID: 3680)

    • Creates files in the Windows directory

      • msiexec.exe (PID: 3680)

  • INFO

    • Creates files in the program directory

      • msiexec.exe (PID: 3680)

    • Application launched itself

      • msiexec.exe (PID: 3680)

    • Searches for installed software

      • msiexec.exe (PID: 3680)

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 2916)

    • Creates or modifies windows services

      • msiexec.exe (PID: 3680)

    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 2544)

    • Dropped object may contain Bitcoin addresses

      • msiexec.exe (PID: 3680)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 3680)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (generic) (83)
.exe | Win32 Executable (generic) (9)
.exe | Generic Win/DOS Executable (3.9)
.exe | DOS Executable Generic (3.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:10:17 07:20:43+02:00
PEType: PE32
LinkerVersion: 14
CodeSize: 103936
InitializedDataSize: 27126272
UninitializedDataSize: -
EntryPoint: 0x7fa1
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Fortres Grand Corporation
FileDescription: Fortres Grand Setup Launcher
FileVersion: 1, 0, 0, 1
LegalCopyright: Copyright © 2007 Fortres Grand Corporation
OriginalFileName: MSIStub.exe
ProductName: Fortres Grand Installer
ProductVersion: 1, 0, 0, 1

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 17-Oct-2018 05:20:43
Detected languages:
  • English - United States
Debug artifacts:
  • C:\Users\Public\sandbox2013\WiX\Release\MSIStub.pdb
CompanyName: Fortres Grand Corporation
FileDescription: Fortres Grand Setup Launcher
FileVersion: 1, 0, 0, 1
LegalCopyright: Copyright © 2007 Fortres Grand Corporation
OriginalFilename: MSIStub.exe
ProductName: Fortres Grand Installer
ProductVersion: 1, 0, 0, 1

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000118

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 17-Oct-2018 05:20:43
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00019546
0x00019600
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.61128
.rdata
0x0001B000
0x00009950
0x00009A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.03292
.data
0x00025000
0x0000171C
0x00000C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.11492
.tls
0x00027000
0x00000009
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0.0203931
.gfids
0x00028000
0x000000F4
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
1.98748
.rsrc
0x00029000
0x019D3F78
0x019D4000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.7894

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.31786
833
Latin 1 / Western European
English - United States
RT_MANIFEST
2
5.17787
2216
Latin 1 / Western European
English - United States
RT_ICON
3
4.48224
1736
Latin 1 / Western European
English - United States
RT_ICON
4
3.21515
1384
Latin 1 / Western European
English - United States
RT_ICON
5
4.28558
9640
Latin 1 / Western European
English - United States
RT_ICON
6
4.67587
4264
Latin 1 / Western European
English - United States
RT_ICON
7
1.66997
60
Latin 1 / Western European
English - United States
RT_STRING
8
5.06089
1128
Latin 1 / Western European
English - United States
RT_ICON
9
5.10208
2216
Latin 1 / Western European
English - United States
RT_ICON
107
2.85812
118
Latin 1 / Western European
English - United States
RT_GROUP_ICON

Imports

ADVAPI32.dll
KERNEL32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
msi.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
51
Monitored processes
13
Malicious processes
3
Suspicious processes
2

Behavior graph

Click at the process to see the details
start f101v10b5836.exe msiexec.exe msiexec.exe msiexec.exe no specs vssvc.exe no specs drvinst.exe no specs msiexec.exe msiexec.exe no specs fsrt.exe flogo.exe no specs fortres.exe fsrtu.exe no specs f101v10b5836.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1816"C:\Program Files\Fortres Grand\Fortres 101 10\fortres.exe" *QUIETC:\Program Files\Fortres Grand\Fortres 101 10\fortres.exe
FSRT.exe
User:
admin
Company:
Fortres Grand Corporation
Integrity Level:
HIGH
Description:
Fortres Application
Exit code:
1073807364
Version:
8, 0, 5834, 0
Modules
Images
c:\program files\fortres grand\fortres 101 10\fortres.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
2544C:\Windows\system32\MsiExec.exe -Embedding B61C9938711B335FDB245CADC11876FCC:\Windows\system32\MsiExec.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2792"C:\Users\admin\AppData\Local\Temp\f101v10b5836.exe" C:\Users\admin\AppData\Local\Temp\f101v10b5836.exe
explorer.exe
User:
admin
Company:
Fortres Grand Corporation
Integrity Level:
HIGH
Description:
Fortres Grand Setup Launcher
Exit code:
0
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\appdata\local\temp\f101v10b5836.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
2880"C:\Program Files\Fortres Grand\Fortres Security Runtime 6.0\FSRTU.EXE" /WATCHDOG:3240C:\Program Files\Fortres Grand\Fortres Security Runtime 6.0\FSRTU.EXEFSRT.exe
User:
SYSTEM
Company:
Fortres Grand Corporation
Integrity Level:
SYSTEM
Description:
Fortres Security Runtime User Component
Exit code:
0
Version:
8.0.1610.0
Modules
Images
c:\program files\fortres grand\fortres security runtime 6.0\fsrtu.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2916C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2984C:\Windows\system32\MsiExec.exe -Embedding 8112D7700085D0D92CBFEEC10EDE81F1 CC:\Windows\system32\MsiExec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3240"C:\Program Files\Fortres Grand\Fortres Security Runtime 6.0\FSRT.exe"C:\Program Files\Fortres Grand\Fortres Security Runtime 6.0\FSRT.exe
services.exe
User:
SYSTEM
Company:
Fortres Grand Corporation
Integrity Level:
SYSTEM
Description:
Fortres Security Runtime
Exit code:
0
Version:
8.0.1611.0
Modules
Images
c:\program files\fortres grand\fortres security runtime 6.0\fsrt.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
3488C:\Windows\SYSTEM32\MSIEXEC.EXE /I C:\Users\admin\AppData\Local\Temp\f101v10.msiC:\Windows\SYSTEM32\MSIEXEC.EXE
f101v10b5836.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
1641
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3536"C:\PROGRAM FILES\FORTRES GRAND\FORTRES SECURITY RUNTIME 6.0\FLOGO.EXE"C:\PROGRAM FILES\FORTRES GRAND\FORTRES SECURITY RUNTIME 6.0\FLOGO.EXEFSRT.exe
User:
SYSTEM
Company:
Fortres Grand Corporation
Integrity Level:
SYSTEM
Exit code:
1
Version:
7.0.1410.3
Modules
Images
c:\program files\fortres grand\fortres security runtime 6.0\flogo.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3568"C:\Users\admin\AppData\Local\Temp\f101v10b5836.exe" C:\Users\admin\AppData\Local\Temp\f101v10b5836.exeexplorer.exe
User:
admin
Company:
Fortres Grand Corporation
Integrity Level:
MEDIUM
Description:
Fortres Grand Setup Launcher
Exit code:
3221226540
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\appdata\local\temp\f101v10b5836.exe
c:\systemroot\system32\ntdll.dll
Total events
1 157
Read events
461
Write events
684
Delete events
12

Modification events

(PID) Process:(3488) MSIEXEC.EXEKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3488) MSIEXEC.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Operation:writeName:Blob
Value:
0F000000010000001400000085FEF11B4F47FE3952F98301C9F98976FEFEE0CE09000000010000002A000000302806082B0601050507030106082B0601050507030206082B0601050507030406082B0601050507030353000000010000002500000030233021060B6086480186F8450107300130123010060A2B0601040182373C0101030200C01400000001000000140000007B5B45CFAFCECB7AFD31921A6AB6F346EB5748501D00000001000000100000005B3B67000EEB80022E42605B6B3B72400B000000010000000E000000740068006100770074006500000003000000010000001400000091C6D6EE3E8AC86384E548C299295C756C817B812000000001000000240400003082042030820308A0030201020210344ED55720D5EDEC49F42FCE37DB2B6D300D06092A864886F70D01010505003081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F74204341301E170D3036313131373030303030305A170D3336303731363233353935395A3081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F7420434130820122300D06092A864886F70D01010105000382010F003082010A0282010100ACA0F0FB8059D49CC7A4CF9DA159730910450C0D2C6E68F16C5B4868495937FC0B3319C2777FCC102D95341CE6EB4D09A71CD2B8C9973602B789D4245F06C0CC4494948D02626FEB5ADD118D289A5C8490107A0DBD74662F6A38A0E2D55444EB1D079F07BA6FEEE9FD4E0B29F53E84A001F19CABF81C7E89A4E8A1D871650DA3517BEEBCD222600DB95B9DDFBAFC515B0BAF98B2E92EE904E86287DE2BC8D74EC14C641EDDCF8758BA4A4FCA68071D1C9D4AC6D52F91CC7C71721CC5C067EB32FDC9925C94DA85C09BBF537D2B09F48C9D911F976A52CBDE0936A477D87B875044D53E6E2969FB3949261E09A5807B402DEBE82785C9FE61FD7EE67C971DD59D0203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020106301D0603551D0E041604147B5B45CFAFCECB7AFD31921A6AB6F346EB574850300D06092A864886F70D010105050003820101007911C04BB391B6FCF0E967D40D6E45BE55E893D2CE033FEDDA25B01D57CB1E3A76A04CEC5076E864720CA4A9F1B88BD6D68784BB32E54111C077D9B3609DEB1BD5D16E4444A9A601EC55621D77B85C8E48497C9C3B5711ACAD73378E2F785C906847D96060E6FC073D222017C4F716E9C4D872F9C8737CDF162F15A93EFD6A27B6A1EB5ABA981FD5E34D640A9D13C861BAF5391C87BAB8BD7B227FF6FEAC4079E5AC106F3D8F1B79768BC437B3211884E53600EB632099B9E9FE3304BB41C8C102F94463209E81CE42D3D63F2C76D3639C59DD8FA6E10EA02E41F72E9547CFBCFD33F3F60B617E7E912B8147C22730EEA7105D378F5C392BE404F07B8D568C68
(PID) Process:(3488) MSIEXEC.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD
Operation:writeName:Blob
Value:
040000000100000010000000C5DFB849CA051355EE2DBA1AC33EB0280F00000001000000200000005229BA15B31B0C6F4CCA89C2985177974327D1B689A3B935A0BD975532AF22AB090000000100000054000000305206082B0601050507030106082B0601050507030206082B0601050507030306082B0601050507030406082B06010505070308060A2B0601040182370A030406082B0601050507030606082B060105050703070B000000010000003000000047006C006F00620061006C005300690067006E00200052006F006F00740020004300410020002D0020005200330000005300000001000000230000003021301F06092B06010401A032010130123010060A2B0601040182373C0101030200C0620000000100000020000000CBB522D7B7F127AD6A0113865BDF1CD4102E7D0759AF635A7CF4720DC963C53B1400000001000000140000008FF04B7FA82E4524AE4D50FA639A8BDEE2DD1BBC1D000000010000001000000001728E1ECF7A9D86FB3CEC8948ABA953030000000100000014000000D69B561148F01C77C54578C10926DF5B856976AD190000000100000010000000D0FD3C9C380D7B65E26B9A3FEDD39B8F2000000001000000630300003082035F30820247A003020102020B04000000000121585308A2300D06092A864886F70D01010B0500304C3120301E060355040B1317476C6F62616C5369676E20526F6F74204341202D20523331133011060355040A130A476C6F62616C5369676E311330110603550403130A476C6F62616C5369676E301E170D3039303331383130303030305A170D3239303331383130303030305A304C3120301E060355040B1317476C6F62616C5369676E20526F6F74204341202D20523331133011060355040A130A476C6F62616C5369676E311330110603550403130A476C6F62616C5369676E30820122300D06092A864886F70D01010105000382010F003082010A0282010100CC2576907906782216F5C083B684CA289EFD057611C5AD8872FC460243C7B28A9D045F24CB2E4BE1608246E152AB0C8147706CDD64D1EBF52CA30F823D0C2BAE97D7B614861079BB3B1380778C08E149D26A622F1F5EFA9668DF892795389F06D73EC9CB26590D73DEB0C8E9260E8315C6EF5B8BD20460CA49A628F6693BF6CBC82891E59D8A615737AC7414DC74E03AEE722F2E9CFBD0BBBFF53D00E10633E8822BAE53A63A16738CDD410E203AC0B4A7A1E9B24F902E3260E957CBB904926868E538266075B29F77FF9114EFAE2049FCAD401548D1023161195EB897EFAD77B7649A7ABF5FC113EF9B62FB0D6CE0546916A903DA6EE983937176C6698582170203010001A3423040300E0603551D0F0101FF040403020106300F0603551D130101FF040530030101FF301D0603551D0E041604148FF04B7FA82E4524AE4D50FA639A8BDEE2DD1BBC300D06092A864886F70D01010B050003820101004B40DBC050AAFEC80CEFF796544549BB96000941ACB3138686280733CA6BE674B9BA002DAEA40AD3F5F1F10F8ABF73674A83C7447B78E0AF6E6C6F03298E333945C38EE4B9576CAAFC1296EC53C62DE4246CB99463FBDC536867563E83B8CF3521C3C968FECEDAC253AACC908AE9F05D468C95DD7A58281A2F1DDECD0037418FED446DD75328977EF367041E15D78A96B4D3DE4C27A44C1B737376F41799C21F7A0EE32D08AD0A1C2CFF3CAB550E0F917E36EBC35749BEE12E2D7C608BC3415113239DCEF7326B9401A899E72C331F3A3B25D28640CE3B2C8678C9612F14BAEEDB556FDF84EE05094DBD28D872CED36250651EEB92978331D9B3B5CA47583F5F
(PID) Process:(3488) MSIEXEC.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Operation:writeName:Blob
Value:
190000000100000010000000DC73F9B71E16D51D26527D32B11A6A3D03000000010000001400000091C6D6EE3E8AC86384E548C299295C756C817B810B000000010000000E00000074006800610077007400650000001D00000001000000100000005B3B67000EEB80022E42605B6B3B72401400000001000000140000007B5B45CFAFCECB7AFD31921A6AB6F346EB57485053000000010000002500000030233021060B6086480186F8450107300130123010060A2B0601040182373C0101030200C009000000010000002A000000302806082B0601050507030106082B0601050507030206082B0601050507030406082B060105050703030F000000010000001400000085FEF11B4F47FE3952F98301C9F98976FEFEE0CE2000000001000000240400003082042030820308A0030201020210344ED55720D5EDEC49F42FCE37DB2B6D300D06092A864886F70D01010505003081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F74204341301E170D3036313131373030303030305A170D3336303731363233353935395A3081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F7420434130820122300D06092A864886F70D01010105000382010F003082010A0282010100ACA0F0FB8059D49CC7A4CF9DA159730910450C0D2C6E68F16C5B4868495937FC0B3319C2777FCC102D95341CE6EB4D09A71CD2B8C9973602B789D4245F06C0CC4494948D02626FEB5ADD118D289A5C8490107A0DBD74662F6A38A0E2D55444EB1D079F07BA6FEEE9FD4E0B29F53E84A001F19CABF81C7E89A4E8A1D871650DA3517BEEBCD222600DB95B9DDFBAFC515B0BAF98B2E92EE904E86287DE2BC8D74EC14C641EDDCF8758BA4A4FCA68071D1C9D4AC6D52F91CC7C71721CC5C067EB32FDC9925C94DA85C09BBF537D2B09F48C9D911F976A52CBDE0936A477D87B875044D53E6E2969FB3949261E09A5807B402DEBE82785C9FE61FD7EE67C971DD59D0203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020106301D0603551D0E041604147B5B45CFAFCECB7AFD31921A6AB6F346EB574850300D06092A864886F70D010105050003820101007911C04BB391B6FCF0E967D40D6E45BE55E893D2CE033FEDDA25B01D57CB1E3A76A04CEC5076E864720CA4A9F1B88BD6D68784BB32E54111C077D9B3609DEB1BD5D16E4444A9A601EC55621D77B85C8E48497C9C3B5711ACAD73378E2F785C906847D96060E6FC073D222017C4F716E9C4D872F9C8737CDF162F15A93EFD6A27B6A1EB5ABA981FD5E34D640A9D13C861BAF5391C87BAB8BD7B227FF6FEAC4079E5AC106F3D8F1B79768BC437B3211884E53600EB632099B9E9FE3304BB41C8C102F94463209E81CE42D3D63F2C76D3639C59DD8FA6E10EA02E41F72E9547CFBCFD33F3F60B617E7E912B8147C22730EEA7105D378F5C392BE404F07B8D568C68
(PID) Process:(2792) f101v10b5836.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation:writeName:PendingFileRenameOperations
Value:
\??\C:\Users\admin\AppData\Local\Temp\f101v10.msi
(PID) Process:(3680) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
4000000000000000F484B9E11AFAD401600E0000AC0A0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3680) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
40000000000000004EE7BBE11AFAD401600E0000AC0A0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3680) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:writeName:LastIndex
Value:
20
(PID) Process:(3680) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:writeName:SppGatherWriterMetadata (Enter)
Value:
4000000000000000501E14E21AFAD401600E0000AC0A0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3680) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
Operation:writeName:IDENTIFY (Enter)
Value:
4000000000000000501E14E21AFAD401600E000028090000E8030000010000000000000000000000B285B4A8B34B7A42B6077B62CB62F21F0000000000000000
Executable files
29
Suspicious files
18
Text files
76
Unknown types
0

Dropped files

PID
Process
Filename
Type
2792f101v10b5836.exeC:\Users\admin\AppData\Local\Temp\f101v10.msi
MD5:
SHA256:
3488MSIEXEC.EXEC:\Users\admin\AppData\Local\Temp\Cab2E18.tmp
MD5:
SHA256:
3488MSIEXEC.EXEC:\Users\admin\AppData\Local\Temp\Tar2E19.tmp
MD5:
SHA256:
3488MSIEXEC.EXEC:\Users\admin\AppData\Local\Temp\Cab2E2A.tmp
MD5:
SHA256:
3488MSIEXEC.EXEC:\Users\admin\AppData\Local\Temp\Tar2E2B.tmp
MD5:
SHA256:
3488MSIEXEC.EXEC:\Users\admin\AppData\Local\Temp\Cab2E3B.tmp
MD5:
SHA256:
3488MSIEXEC.EXEC:\Users\admin\AppData\Local\Temp\Tar2E3C.tmp
MD5:
SHA256:
3488MSIEXEC.EXEC:\Users\admin\AppData\Local\Temp\Cab2ECA.tmp
MD5:
SHA256:
3488MSIEXEC.EXEC:\Users\admin\AppData\Local\Temp\Tar2ECB.tmp
MD5:
SHA256:
3488MSIEXEC.EXEC:\Users\admin\AppData\Local\Temp\MSI5F13.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3488
MSIEXEC.EXE
GET
200
93.184.221.240:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
55.6 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2544
MsiExec.exe
168.62.48.183:443
www.fortresgrand.com
Microsoft Corporation
US
whitelisted
3488
MSIEXEC.EXE
93.184.221.240:80
www.download.windowsupdate.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted

DNS requests

Domain
IP
Reputation
www.download.windowsupdate.com
  • 93.184.221.240
whitelisted
www.fortresgrand.com
  • 168.62.48.183
suspicious

Threats

No threats detected
Process
Message
f101v10b5836.exe
Error opening registry key: 2
f101v10b5836.exe
f101v10b5836.exe
Unable to load fgcnwrk.dll
f101v10b5836.exe
f101v10b5836.exe
f101v10b5836.exe
f101v10b5836.exe
Product ID: {0258A16C-6117-4234-8FCD-9B2BB30FD013}
f101v10b5836.exe
f101v10b5836.exe
MSI File: f101v10.msi
f101v10b5836.exe
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
f101v10b5836.exe