File name:

Microsoft.HEVCVideoExtensions.Installer.x64.msi

Full analysis: https://app.any.run/tasks/42a64ce8-8aa5-4a1e-b39a-afeba097dcad
Verdict: Malicious activity
Analysis date: October 06, 2023, 03:19:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Installs HEVC Video Extensions, Author: Microsoft Corporation, Keywords: Installer, Comments: (c) Microsoft Corporation, Template: Intel;1033, Revision Number: {03277E07-66F1-482A-B127-833B9A1E307A}, Create Time/Date: Fri Apr 22 22:37:24 2022, Last Saved Time/Date: Fri Apr 22 22:37:24 2022, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5:

A672724CAB0C0289EDF5B40106AA6AC5

SHA1:

C6B6D4588D6E909F9B8EA20DDE25B405D2049F93

SHA256:

C847DAAED5BB462E46F648484F5ED7757D3ED72D358E9CC162E8CDAD5AB8AA4F

SSDEEP:

98304:l/mMHLcNDA3K8zGl7X6It+Acq+LFdA4f2D865v86LC5ogOyUswz9x7pG5RCoeHbd:DROh8e

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 1692)
    • Changes powershell execution policy (Bypass)

      • msiexec.exe (PID: 2984)
    • Loads dropped or rewritten executable

      • msiexec.exe (PID: 2984)
    • Bypasses execution policy to execute commands

      • powershell.exe (PID: 2648)
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 1928)
    • Checks Windows Trust Settings

      • msiexec.exe (PID: 1692)
    • The process bypasses the loading of PowerShell profile settings

      • msiexec.exe (PID: 2984)
    • Starts POWERSHELL.EXE for command execution

      • msiexec.exe (PID: 2984)
    • The process hides an interactive prompt from the user

      • msiexec.exe (PID: 2984)
    • Powershell version downgrade attack

      • powershell.exe (PID: 2648)
    • Starts CMD.EXE for command execution

      • msiexec.exe (PID: 1692)
  • INFO

    • Reads the computer name

      • msiexec.exe (PID: 1692)
      • wmpnscfg.exe (PID: 3876)
      • msiexec.exe (PID: 2984)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 3628)
    • Checks supported languages

      • msiexec.exe (PID: 1692)
      • wmpnscfg.exe (PID: 3876)
      • msiexec.exe (PID: 2984)
    • Creates files in a temporary directory

      • msiexec.exe (PID: 3628)
      • msiexec.exe (PID: 1692)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 1692)
      • wmpnscfg.exe (PID: 3876)
      • msiexec.exe (PID: 2984)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3876)
    • Application launched itself

      • msiexec.exe (PID: 1692)
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: Installs HEVC Video Extensions
Author: Microsoft Corporation
Keywords: Installer
Comments: (c) Microsoft Corporation
Template: Intel;1033
RevisionNumber: {03277E07-66F1-482A-B127-833B9A1E307A}
CreateDate: 2022:04:22 21:37:24
ModifyDate: 2022:04:22 21:37:24
Pages: 200
Words: 2
Software: Windows Installer XML Toolset (3.11.2.4516)
Security: Read-only recommended
No data.
All screenshots are available in the full report
Total processes
44
Monitored processes
7
Malicious processes
3
Suspicious processes
0

Behavior graph

Processes in the graph: start → msiexec.exe, msiexec.exe, vssvc.exe, wmpnscfg.exe, msiexec.exe, powershell.exe, cmd.exe

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID:
668
CMD:
cmd /c copy "C:\Users\admin\AppData\Local\Temp\MSI50cac.LOG" "C:\Users\admin\AppData\Local\Temp\Microsoft.HEVCVideoExtensions.Installer.x64\\Microsoft.HEVCVideoExtensions.Installer.x64.log"
Path:
C:\Windows\System32\cmd.exe
Parent process:
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\cmd.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID:
1692
CMD:
C:\Windows\system32\msiexec.exe /V
Path:
C:\Windows\System32\msiexec.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
1928
CMD:
C:\Windows\system32\vssvc.exe
Path:
C:\Windows\System32\VSSVC.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
2648
CMD:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -InputFormat None -ExecutionPolicy Bypass Add-ProvisionedAppxPackage -Online -PackagePath "C:\Users\admin\AppData\Local\Temp\Microsoft.HEVCVideoExtensions.Installer.x64\Microsoft.HEVCVideoExtensions_8wekyb3d8bbwe.x64.appx" -LicensePath "C:\Users\admin\AppData\Local\Temp\Microsoft.HEVCVideoExtensions.Installer.x64\license.xml" -DependencyPackagePath "C:\Users\admin\AppData\Local\Temp\Microsoft.HEVCVideoExtensions.Installer.x64\Microsoft.VCLibs.x64.14.00.appx"
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\sechost.dll
PID:
2984
CMD:
C:\Windows\system32\MsiExec.exe -Embedding 154338D986C9DB4E81A43C530E85DBBB E Global\MSI0000
Path:
C:\Windows\System32\msiexec.exe
Parent process:
msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID:
3628
CMD:
"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Microsoft.HEVCVideoExtensions.Installer.x64.msi"
Path:
C:\Windows\System32\msiexec.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
1603
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
3876
CMD:
"C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path:
C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
Total events
9 286
Read events
9 225
Write events
42
Delete events
19

Modification events

Process: (3628) msiexec.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\178\52C64B7E
Operation: write
Name: LanguageList
Value: en-US
Process: (3628) msiexec.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\6F6F4432B6BC37F335C82D6B0C1219041C22C59A
Operation: write
Name: Blob
Value:
Process: (1692) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value: 4000000000000000F2B487BA16B0D901C80700002C0A0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
Process: (1692) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value: 4000000000000000F2B487BA16B0D901C80700002C0A0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
Process: (1692) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value: 72
Process: (1692) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value: 40000000000000008C62D6BA16B0D901C80700002C0A0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000
Process: (3876) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{FDF4BC6B-E1EC-4A77-B4DB-540A6805EE79}\{E1879760-BCF5-484B-AD49-4095D0FBA3B4}
Operation: delete key
Name: (default)
Value:
Process: (3876) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{FDF4BC6B-E1EC-4A77-B4DB-540A6805EE79}
Operation: delete key
Name: (default)
Value:
Process: (3876) wmpnscfg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{44997ABD-CDEA-43F8-B81F-7A8806098E04}
Operation: delete key
Name: (default)
Value:
Executable files
1
Suspicious files
14
Text files
2
Unknown types
0

Dropped files

Columns: PID, Process, Filename, Type
PID: 1692
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\metadata-2
Type:
MD5:
SHA256:
PID: 1692
Process: msiexec.exe
Filename: C:\Windows\Installer\15402f.msi
Type:
MD5:
SHA256:
PID: 1692
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\snapshot-2
Type: binary
MD5: DF5A0BD971DDD92B6F41C69535717D3F
SHA256: D529065E062DC9B62CC07FB64E6C2486693B4AA2094279ECC6B250C4B424DAAF
PID: 1692
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\Microsoft.HEVCVideoExtensions.Installer.x64\Microsoft.VCLibs.x64.14.00.appx
Type: compressed
MD5: 50D97F4D1C1B158778610206499DE133
SHA256: 009F7DB134C6061FE8F260E075374A28ABBBC44E6CF23DE107F93EC8B8C59816
PID: 1692
Process: msiexec.exe
Filename: C:\Config.Msi\154031.rbs
Type: binary
MD5: 2A6B3939B21AD7F94F6120E2451EB089
SHA256: 419EDB299ECCCFFE3D8B148A8E3AE235F3D3012A34C177D019F8CD61A9721872
PID: 1692
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DFDD828B325A901914.TMP
Type: binary
MD5: 9435100A45F60E7C4D80C80B053AF13D
SHA256: A8766659A65C897D26E113E1654C6AD3CD0E2DCA298D29ED55C238BA6700ED12
PID: 1692
Process: msiexec.exe
Filename: C:\Windows\Installer\MSI486C.tmp
Type: binary
MD5: 504E59F513ED00060CFCB0149AE21544
SHA256: DCAC03F11EC7CDF29618A5062F73BB24151A40B8F01185BBBB8A57B2419DEC8C
PID: 2648
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Type: binary
MD5: CAEA3B1F09925DA2A47C2B8B890AB890
SHA256: 66F29B00CBB7B1DED878F96AAC6F52907C088DE194A1FD0CD6E1FF1916047549
PID: 2648
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF154a32.TMP
Type: binary
MD5: CAEA3B1F09925DA2A47C2B8B890AB890
SHA256: 66F29B00CBB7B1DED878F96AAC6F52907C088DE194A1FD0CD6E1FF1916047549
PID: 1692
Process: msiexec.exe
Filename: C:\Windows\Installer\MSI49A7.tmp
Type: executable
MD5: A3AE5D86ECF38DB9427359EA37A5F646
SHA256: C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

Columns: PID, Process, IP, Domain, ASN, CN, Reputation
PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted
PID: 2656
Process: svchost.exe
IP: 239.255.255.250:1900
Reputation: whitelisted
PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

DNS requests

No data

Threats

No threats detected
No debug info