Windows Analysis Report
installer64v1.2.5.msi

Overview

General Information

Sample name: installer64v1.2.5.msi
Analysis ID: 1583201
MD5: bcd0b8e1f91a783d5fbea7f22aba3635
SHA1: 96f7e71339cacd7c6d0beed08de414ade7167c22
SHA256: 19ca1d898d1d6f7fefa6881600da9c2d7c787503dd109a2fd33d093f0eb92318
Tags: msi, SilverFox, ValleyRAT, winos, user-kafan_shengui

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Checks for available system drives (often done to infect USB drives)
Creates files inside the system directory
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info

Classification

Classification chart (image not reproduced). Categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Scale: clean, suspicious, malicious.
  • System is w10x64
  • msiexec.exe (PID: 5232 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\installer64v1.2.5.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 6796 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 5720 cmdline: C:\Windows\System32\MsiExec.exe -Embedding 1B77181C02B35BE3FBECFB9A5F421F34 E Global\MSI0000 MD5: E5DA170027542E25EDE42FC54C929077)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: C:\Windows\Installer\MSI8BA4.tmp | Virustotal: Detection: 16%
Source: installer64v1.2.5.msi | Virustotal: Detection: 8%
Source: installer64v1.2.5.msi | ReversingLabs: Detection: 13%
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Windows\System32\msiexec.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:

System Summary

Source: MSI8BA4.tmp.2.dr | Static PE information: section name: (empty) [reported 11 times, one per nameless section]
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\6d82f9.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{B6EF2558-948E-4BD4-8631-A1BE8A21F8C2}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI856A.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\6d82fb.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\6d82fb.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8BA4.tmp
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\6d82fb.msi
Source: MSI8BA4.tmp.2.dr | Static PE information: Number of sections: 12 > 10
Source: installer64v1.2.5.msi | Binary or memory string: OriginalFilename Framework.resources.dll4 vs installer64v1.2.5.msi
Source: MSI8BA4.tmp.2.dr | Static PE information: Section: (unnamed) ZLIB complexity 1.0002398574561404
Source: MSI8BA4.tmp.2.dr | Static PE information: Section: (unnamed) ZLIB complexity 0.9985094572368421
Source: MSI8BA4.tmp.2.dr | Static PE information: Section: (unnamed) ZLIB complexity 1.0000765931372548
Source: classification engine | Classification label: mal60.winMSI@4/21@0/0
Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Windows NT\file.dat
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\TEMP\~DF8207086CBE0EECAA.TMP
Source: installer64v1.2.5.msi | Static file information: TRID: Microsoft Windows Installer (60509/1) 88.31%
Source: installer64v1.2.5.msi | Virustotal: Detection: 8%
Source: installer64v1.2.5.msi | ReversingLabs: Detection: 13%
Source: unknown | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\installer64v1.2.5.msi"
Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 1B77181C02B35BE3FBECFB9A5F421F34 E Global\MSI0000
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 1B77181C02B35BE3FBECFB9A5F421F34 E Global\MSI0000
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msihnd.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: shfolder.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: msimg32.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
Source: installer64v1.2.5.msi | Static file information: File size 9408512 > 1048576
Source: MSI8BA4.tmp.2.dr | Static PE information: section name: (empty) [reported 11 times, one per non-standard section name]
Source: MSI8BA4.tmp.2.dr | Static PE information: section name: (empty), entropy: 7.999838624059003
Source: MSI8BA4.tmp.2.dr | Static PE information: section name: (empty), entropy: 7.994191995436867
Source: MSI8BA4.tmp.2.dr | Static PE information: section name: (empty), entropy: 7.999783120172928
Source: MSI8BA4.tmp.2.dr | Static PE information: section name: (empty), entropy: 7.044401972645219
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8BA4.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8BA4.tmp
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX [reported 18 times]
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI8BA4.tmp
Source: C:\Windows\System32\msiexec.exe TID: 1656 | Thread sleep count: 664 > 30
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation [reported 7 times]
Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
MITRE ATT&CK matrix (a leading number marks a technique the sample matched; it is the count of matching signatures):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 21 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Software Packing | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Process Injection | NTDS | 11 Peripheral Device Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 11 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 File Deletion | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Behavior Graph (image not reproduced). ID: 1583201, Sample: installer64v1.2.5.msi, Startdate: 02/01/2025, Architecture: WINDOWS, Score: 60
  • Signatures attached to the sample node: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; PE file has nameless sections
  • The sample starts msiexec.exe (node counters 75, 29) and a second msiexec.exe (node counter 5)
  • The first msiexec.exe drops C:\Windows\Installer\MSI8BA4.tmp (PE32+) and starts a further msiexec.exe

Source | Detection | Scanner
installer64v1.2.5.msi | 8% | Virustotal
installer64v1.2.5.msi | 13% | ReversingLabs

Source | Detection | Scanner
C:\Windows\Installer\MSI8BA4.tmp | 17% | Virustotal
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1583201
Start date and time: 2025-01-02 08:43:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 22s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: installer64v1.2.5.msi
Detection: MAL
Classification: mal60.winMSI@4/21@0/0
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .msi
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
  • Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.12.23.50
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
No simulations
No context
No context
No context
No context
No context
Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: dropped
Size (bytes): 7025402
Entropy (8bit): 7.985653136881668
Encrypted: false
SSDEEP: 98304:OgD3Ntf3Q/Ixq44vxs2xmlKHVOas+eEM1G+8u+ZCVhSxg6L5DfFMLarMoVqvyUZA:Os7A/IhYeKUaZMj7R6Ldd6mel1/8
MD5: B03369ED608343F1A807837FB76F688C
SHA1: 3DB830CB1BC9EEBD2DDE8C79CB8E1DC6A43DB324
SHA-256: A81A8FDBA46E83011067BEA2A31A521B184C393168BC996076A5A87E5A4487E1
SHA-512: 32C3B12FD082AD2752F4A11794308EA7906DDC15954EDF979D9EE6967550E7F202A7CCFA1170B124E92734006B8B1B755214CAC011407F49ED74CF21AE43FEE9
Malicious: false
Reputation: low
Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: dropped
Size (bytes): 2343409
Entropy (8bit): 7.999916767223231
Encrypted: true
SSDEEP: 49152:li3730AKWV2/D3LkVGHoPeGUvfjJMq0WCIqcYQ+vMH2dWI6:lK39Y/DYVdmtvfGq0DIEQ+UHaA
MD5: 30F50A0C9E1834DB639D209A0191562F
SHA1: 00A5B56FBE81DAC0FCBD3003EED6BB84AEEE593C
SHA-256: E3721B516E9265D0563367117E5FA90C036C5D94C2A5CB80BCAD1B0C2197562D
SHA-512: 1A05D2F8FB5161C0BFCC9279CC225139408E34F3E8AF464160C5CB185893ED85E23FE3B596E3DF5ED44EE94E1EF01F09CFDDE1F24C4949534E175F8D88713415
Malicious: false
Reputation: low
Process: C:\Windows\System32\msiexec.exe
File Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Setup, Author: Netease, Keywords: Installer, Comments: rdhgsrthg, Template: Intel;1033, Revision Number: {EACC16D7-A1C3-4EBE-B7ED-4B0C7C1FCDD8}, Create Time/Date: Thu Jan 2 05:59:30 2025, Last Saved Time/Date: Thu Jan 2 05:59:30 2025, Number of Pages: 300, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
Category: dropped
Size (bytes): 9408512
Entropy (8bit): 7.987528323216537
Encrypted: false
SSDEEP: 196608:GBQsxDBnWevpl41b87A/IhYeK2aZMj7R6Ldd6Lel1/:RsBBWevpmaK2aOj96Ldd6Lu
MD5: BCD0B8E1F91A783D5FBEA7F22ABA3635
SHA1: 96F7E71339CACD7C6D0BEED08DE414ADE7167C22
SHA-256: 19CA1D898D1D6F7FEFA6881600DA9C2D7C787503DD109A2FD33D093F0EB92318
SHA-512: 05AAB296CEEDADFDE9941A12133982C5FFD6DDAB204355BC39BC79954376B0AE24E5949522ECBB3E2853EACEB84520D74EEA673431AB037DC90341683990B209
Malicious: false
Reputation: low
Process: C:\Windows\System32\msiexec.exe
File Type: data
Category: dropped
Size (bytes): 7019702
Entropy (8bit): 7.9859650873563135
Encrypted: false
SSDEEP: 98304:/gD3Ntf3Q/Ixq44vxs2xmlKHVOas+eEM1G+8u+ZCVhSxg6L5DfFMLarMoVqvyUZ2:/s7A/IhYeKUaZMj7R6Ldd6mel1/C
MD5: 230BD438951E98DBF306613ACA737FFE
SHA1: A4FE33A96D0F3B527F47438B5F77C3AB1023766D
SHA-256: CF284456F28EC02114D0476F1D4A697FDFBB5FFF6194FF9C38CCFDB1936C30D0
SHA-512: 047F7439360B395AB31FA9CC37CF8F4535015E81E619F335FF593850369888C3DB20A8D8F169C8A7263A61BA4F59701E6E1320EBD96E698F517DB2CEFEFF66B0
Malicious: false
Reputation: low
Process:C:\Windows\System32\msiexec.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:modified
Size (bytes):7017984
Entropy (8bit):7.986044955216238
Encrypted:false
SSDEEP:98304:jgD3Ntf3Q/Ixq44vxs2xmlKHVOas+eEM1G+8u+ZCVhSxg6L5DfFMLarMoVqvyUZb:js7A/IhYeKUaZMj7R6Ldd6mel1/
MD5:FE8E9FBD1F499E2DEFFDE54157397625
SHA1:A3B513FCF766915AEA638A22CA47E08F8AB64C5D
SHA-256:39074BA19FF61AFEE936F597FF66FBDED452861ABE500F9CAC572B9333EF0319
SHA-512:F4C611CE77BAEBC2D0AC8CE0950E6D0471E308FF8E8140275C7E8682EA7D87C1B618C1A9082497F67148F558F331784A034BE7A6568B2EEF7700A2976F54F1F8
Malicious:true
Antivirus: Virustotal, Detection: 17%
Reputation:low
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...x.uX.........." .....R...0...............................................0.......k...`... ...... ........ ...... ..............`0V....P.V.\....P2.....8.V..}..........@0V..............................0V.(............................................................`..........................@............0...p......................@............ ..........................@............@....1.....................@.................2.....................@.................2.....................@................ 2.....................@................02.....................@................@2.....................@....rsrc........P2......"..............@..@..........#..`2......&..............@............0D...V..&D...&.............@...........................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):20480
Entropy (8bit):1.1682878049091345
Encrypted:false
SSDEEP:12:JSbX72Fjn/6AGiLIlHVRpwh/7777777777777777777777777vDHFwFDrEgXkjXz:JpSQI5Yu5FRF
MD5:7E927E5CC0B6EDCEA9C6F2CDA098AD71
SHA1:E77CBB85CBFD22577170211C891F47E059DC1482
SHA-256:5566A11A9052875C952E09059A961FE23B58C5B2262721C7807F62273AAA5E8C
SHA-512:61383612EB397EB92F6F34B6434BA9BBB3A61C8282F3144B8AF3FC45A2B18ED47631BBF573A26EE15CA17DA4FF3368209D359F5D7A2D7E3239FD7F42FC187895
Malicious:false
Reputation:low
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):20480
Entropy (8bit):1.467533966328809
Encrypted:false
SSDEEP:48:l8PhMuRc06WXJAjT5WvadeS56rCdeSIGV:IhM1DjTO3lSV
MD5:23FCD2ACFE4B3E831EC0403A20A5965D
SHA1:3FD4241553DD5D9817DF49CAC881F936BD663A42
SHA-256:FB3DFBAF4BEFB61427F39CB0077AEC6A61BD0C3C56313857289882F95B562DA5
SHA-512:87B34B1CB8AEF8BD4640CA7867F9C347B8109FAA086F06360DBBF9F11846E76304439B12E580AADB452718D2564ED4EE19A6BB1E2B172D4452DAB4BFAA107D0A
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):360001
Entropy (8bit):5.362986154837764
Encrypted:false
SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauu:zTtbmkExhMJCIpEz
MD5:A2244E88175087E59C11E16B08635AD8
SHA1:3CB294EE33600F947B8E28FED8A7335CC4460E49
SHA-256:0B12820FE17DEF7EFDC3C9E599606E24F4D574F2709A2804526BBA531EC2B712
SHA-512:F6933E6ED3ABACFBA1BDDFA33BDAD13FAE2A978188A8D51404B295F65AF0BA8C48CB89FF0946E46BDE478F7C2351AE4033C36A22963FC83DBD78D0F98B446DE9
Malicious:false
Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):32768
Entropy (8bit):1.1825465585764507
Encrypted:false
SSDEEP:24:JLhC3nkuxZiEipKP2xza2tzhA5ZZagUMClXtd851v+DJdB5GipV7VgwG5lrkgCdn:MnkunJveFXJjT5IvadeS56rCdeSIGV
MD5:AFA7F7612D952DC632D3B25D99564972
SHA1:3F6BA65D77EC75EABF8ABFE5DBCC31DB4FAD5D04
SHA-256:22CEAF1BA02DAC94BB6FB321ED10EB6915C29F0121B590F0613B8E26046D3521
SHA-512:AA32C1704600B3482EC901163E309EC3A9A1BF8CC6B3399D04B3846ECB5C8AB3FA5AAF0A3FDC2036D5F57AC1DA14D90E4A0F712E58A79C63C9AB00E31A9172DE
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):32768
Entropy (8bit):1.1825465585764507
Encrypted:false
SSDEEP:24:JLhC3nkuxZiEipKP2xza2tzhA5ZZagUMClXtd851v+DJdB5GipV7VgwG5lrkgCdn:MnkunJveFXJjT5IvadeS56rCdeSIGV
MD5:AFA7F7612D952DC632D3B25D99564972
SHA1:3F6BA65D77EC75EABF8ABFE5DBCC31DB4FAD5D04
SHA-256:22CEAF1BA02DAC94BB6FB321ED10EB6915C29F0121B590F0613B8E26046D3521
SHA-512:AA32C1704600B3482EC901163E309EC3A9A1BF8CC6B3399D04B3846ECB5C8AB3FA5AAF0A3FDC2036D5F57AC1DA14D90E4A0F712E58A79C63C9AB00E31A9172DE
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):20480
Entropy (8bit):1.467533966328809
Encrypted:false
SSDEEP:48:l8PhMuRc06WXJAjT5WvadeS56rCdeSIGV:IhM1DjTO3lSV
MD5:23FCD2ACFE4B3E831EC0403A20A5965D
SHA1:3FD4241553DD5D9817DF49CAC881F936BD663A42
SHA-256:FB3DFBAF4BEFB61427F39CB0077AEC6A61BD0C3C56313857289882F95B562DA5
SHA-512:87B34B1CB8AEF8BD4640CA7867F9C347B8109FAA086F06360DBBF9F11846E76304439B12E580AADB452718D2564ED4EE19A6BB1E2B172D4452DAB4BFAA107D0A
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):69632
Entropy (8bit):0.10456626897163789
Encrypted:false
SSDEEP:24:+pXZLdB5GipVGdB5GipV7VgwG5lrkgSg+f:+pXldeScdeS56r1e
MD5:0B429671A979B073EA8293DD782311D9
SHA1:87FF3CEF3A1B8BAA3EEB57D05FB28EF1E08C257D
SHA-256:919E8833FAD4360E191046885699797B9D5169832FE9DC266FEDC972B8904F37
SHA-512:9FEB8F3EB8291929DAFA5B558ABA50A88644AFB2EF8775D75702F84BF0F574DD9AD9767D852F2428084DE8CC2745F248FE24F77C02B6561928E3DAA6865AD988
Malicious:false
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):32768
Entropy (8bit):0.07462005778945771
Encrypted:false
SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOUrVMeDQ1YWyEgXTRcCVky6ljX:2F0i8n0itFzDHFwFDrEgXkjX
MD5:13F342E5D849EEEF102ADF487DAF385D
SHA1:FC93E0F6A499471418D412FA2DA3A4460FFB40C6
SHA-256:D21301A5316A54D201BE1CB9977F15A9D5603BF40EE19E10EE180C790984CBEF
SHA-512:905FA7DE4DCEDEB6D6C41C19D554AF4BFCFAD7A22E0A4D84B9C2D2D6619981C3D83E9986F0BF2CE4E4C5260A937EFA5F971ED0FD0F5FE451F84F9C1756234F8B
Malicious:false
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):20480
Entropy (8bit):1.467533966328809
Encrypted:false
SSDEEP:48:l8PhMuRc06WXJAjT5WvadeS56rCdeSIGV:IhM1DjTO3lSV
MD5:23FCD2ACFE4B3E831EC0403A20A5965D
SHA1:3FD4241553DD5D9817DF49CAC881F936BD663A42
SHA-256:FB3DFBAF4BEFB61427F39CB0077AEC6A61BD0C3C56313857289882F95B562DA5
SHA-512:87B34B1CB8AEF8BD4640CA7867F9C347B8109FAA086F06360DBBF9F11846E76304439B12E580AADB452718D2564ED4EE19A6BB1E2B172D4452DAB4BFAA107D0A
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):32768
Entropy (8bit):1.1825465585764507
Encrypted:false
SSDEEP:24:JLhC3nkuxZiEipKP2xza2tzhA5ZZagUMClXtd851v+DJdB5GipV7VgwG5lrkgCdn:MnkunJveFXJjT5IvadeS56rCdeSIGV
MD5:AFA7F7612D952DC632D3B25D99564972
SHA1:3F6BA65D77EC75EABF8ABFE5DBCC31DB4FAD5D04
SHA-256:22CEAF1BA02DAC94BB6FB321ED10EB6915C29F0121B590F0613B8E26046D3521
SHA-512:AA32C1704600B3482EC901163E309EC3A9A1BF8CC6B3399D04B3846ECB5C8AB3FA5AAF0A3FDC2036D5F57AC1DA14D90E4A0F712E58A79C63C9AB00E31A9172DE
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\msiexec.exe
File Type:data
Category:dropped
Size (bytes):512
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:BF619EAC0CDF3F68D496EA9344137E8B
SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:false
Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Setup, Author: Netease, Keywords: Installer, Comments: rdhgsrthg, Template: Intel;1033, Revision Number: {EACC16D7-A1C3-4EBE-B7ED-4B0C7C1FCDD8}, Create Time/Date: Thu Jan 2 05:59:30 2025, Last Saved Time/Date: Thu Jan 2 05:59:30 2025, Number of Pages: 300, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
Entropy (8bit):7.987528323216537
TrID:
  • Microsoft Windows Installer (60509/1) 88.31%
  • Generic OLE2 / Multistream Compound File (8008/1) 11.69%
File name:installer64v1.2.5.msi
File size:9'408'512 bytes
MD5:bcd0b8e1f91a783d5fbea7f22aba3635
SHA1:96f7e71339cacd7c6d0beed08de414ade7167c22
SHA256:19ca1d898d1d6f7fefa6881600da9c2d7c787503dd109a2fd33d093f0eb92318
SHA512:05aab296ceedadfde9941a12133982c5ffd6ddab204355bc39bc79954376b0ae24e5949522ecbb3e2853eaceb84520d74eea673431ab037dc90341683990b209
SSDEEP:196608:GBQsxDBnWevpl41b87A/IhYeK2aZMj7R6Ldd6Lel1/:RsBBWevpmaK2aOj96Ldd6Lu
TLSH:32963399AD3F88AFE18B52B90F3BE08DC70D6D9689B0445A7758B7580830371D7EB0D9
File Content Preview:........................>......................................................................................................................................................................................................................................
Icon Hash:2d2e3797b32b2b99
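The dropped-file records above carry, for each file, a size, an 8-bit entropy, a set of hashes and a libmagic file type. The entries that matter for triage are the 7'017'984-byte PE32+ DLL with entropy 7.986 and Malicious:true, set against the 512-byte entropy-0.0 scratch files and the Composite Document temp databases that Windows Installer writes during every install, and the submitted MSI itself, which is an OLE2 compound file. The script below is an added example and is not part of the report or of Joe Sandbox; it reproduces those fields (entropy, MD5/SHA-256, PE and OLE2 typing from the headers) over constructed sample bytes and flags the combination the report's signatures point at: a high-entropy PE image with an unusually high section count. The thresholds HIGH_ENTROPY and MANY_SECTIONS and the sample file names are assumptions made for the example.

```python
import hashlib
import math
import os
import struct
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Example thresholds (assumptions for this triage, not values taken from the report):
# near-maximal 8-bit entropy is typical of packed or encrypted payloads, and a
# section count above ten is treated here as "more sections than normal".
HIGH_ENTROPY = 7.5
MANY_SECTIONS = 10
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Composite Document File V2 header


@dataclass
class Triage:
    size: int
    entropy: float
    md5: str
    sha256: str
    file_type: str
    flags: List[str] = field(default_factory=list)


def shannon_entropy_8bit(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant-filled block, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def describe_pe(data: bytes) -> Optional[Tuple[str, int]]:
    """Parse the DOS, COFF and optional headers; return (type string, section count) or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0] if opt_size >= 2 else 0
    bits = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "PE(unknown magic)")
    arch = {0x14C: "i386", 0x8664: "x86-64"}.get(machine, hex(machine))
    kind = "DLL" if chars & 0x2000 else "executable"  # IMAGE_FILE_DLL
    return f"{bits} {kind} {arch}", nsect


def triage_bytes(data: bytes) -> Triage:
    """Compute the report-style fields for one file and attach triage flags."""
    ent = shannon_entropy_8bit(data)
    t = Triage(len(data), round(ent, 6), hashlib.md5(data).hexdigest(),
               hashlib.sha256(data).hexdigest(), "data")
    pe = describe_pe(data)
    if pe is not None:
        t.file_type, nsect = pe
        if ent >= HIGH_ENTROPY:
            t.flags.append("high-entropy PE: likely packed or encrypted payload")
        if nsect > MANY_SECTIONS:
            t.flags.append(f"{nsect} sections: more than normal")
    elif data[:8] == OLE2_MAGIC:
        t.file_type = "Composite Document File V2"
    elif data and ent == 0.0:
        t.flags.append("constant-filled block: installer scratch file, not a payload")
    return t


def build_pe32plus_dll(sections: int, payload: bytes) -> bytes:
    """Constructed minimal PE32+ DLL image for this example (not a real dropped file)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine x86-64, N sections, SizeOfOptionalHeader 0xF0, Characteristics EXECUTABLE|LARGE_ADDRESS_AWARE|DLL
    coff = struct.pack("<HHIIIHH", 0x8664, sections, 0, 0, 0, 0xF0, 0x2022)
    optional = struct.pack("<H", 0x20B) + b"\0" * (0xF0 - 2)  # magic 0x20B = PE32+
    return dos_header + b"PE\0\0" + coff + optional + payload


# Constructed sample inputs standing in for the report's dropped files.
SAMPLES: Dict[str, bytes] = {
    "scratch.tmp": b"\0" * 512,                                      # like the 512-byte, entropy-0.0 temp files
    "payload.dll": build_pe32plus_dll(14, os.urandom(256 * 1024)),   # like the high-entropy PE32+ DLL
    "plain.dll": build_pe32plus_dll(5, bytes(64 * 1024)),            # low-entropy control image
    "database.tmp": OLE2_MAGIC + bytes(4096),                        # like the Composite Document temp files
}


def triage_all(samples: Dict[str, bytes] = SAMPLES) -> Dict[str, Triage]:
    return {name: triage_bytes(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, t in triage_all().items():
        print(f"{name:13} {t.size:>8} B  entropy={t.entropy:.3f}  {t.file_type:27} "
              f"{t.md5}  {'; '.join(t.flags)}")
```

Run against a real extraction directory, replace SAMPLES with the file contents read from disk; the entropy figure then lines up with the report's "Entropy (8bit)" column and the PE type string with its "File Type" line, so a file whose values disagree with the report is a different artefact, not a re-run of the same one.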
No network behavior found

Target ID:0
Start time:02:44:00
Start date:02/01/2025
Path:C:\Windows\System32\msiexec.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\installer64v1.2.5.msi"
Imagebase:0x7ff608870000
File size:69'632 bytes
MD5 hash:E5DA170027542E25EDE42FC54C929077
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:2
Start time:02:44:00
Start date:02/01/2025
Path:C:\Windows\System32\msiexec.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\msiexec.exe /V
Imagebase:0x7ff608870000
File size:69'632 bytes
MD5 hash:E5DA170027542E25EDE42FC54C929077
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:3
Start time:02:44:03
Start date:02/01/2025
Path:C:\Windows\System32\msiexec.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\MsiExec.exe -Embedding 1B77181C02B35BE3FBECFB9A5F421F34 E Global\MSI0000
Imagebase:0x7ff608870000
File size:69'632 bytes
MD5 hash:E5DA170027542E25EDE42FC54C929077
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true
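The three msiexec.exe records above are not three copies of the same thing: Target 0 is the client launched with /i on a package sitting on the user's Desktop, Target 2 is the Windows Installer service (/V), and Target 3 is the custom action server the service spawns with -Embedding and a per-install cookie, which is the process in which DLL or EXE custom actions shipped inside the package execute, with the service's elevated token. The script below is an added detection example, not part of the report or of Joe Sandbox. It classifies each record by its command line and emits findings for the two conditions visible here: an install started from a user-writable location and a custom action server spawned by the service. The PIDs and command lines are the report's own, the parent links follow the report's process tree, and the list of user-writable path prefixes and the 32-hex-digit cookie pattern are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    cmdline: str


# PIDs and command lines from the report; ppid follows the report's process tree,
# where the /V service (6796) is the parent of the -Embedding server (5720).
TREE: List[Proc] = [
    Proc(5232, None, '"C:\\Windows\\System32\\msiexec.exe" /i "C:\\Users\\user\\Desktop\\installer64v1.2.5.msi"'),
    Proc(6796, None, 'C:\\Windows\\system32\\msiexec.exe /V'),
    Proc(5720, 6796, 'C:\\Windows\\System32\\MsiExec.exe -Embedding 1B77181C02B35BE3FBECFB9A5F421F34 E Global\\MSI0000'),
]

MSIEXEC_RE = re.compile(r'^"?(?:[A-Za-z]:\\Windows\\System32\\)?MsiExec\.exe"?\s*(?P<args>.*)$', re.IGNORECASE)
PACKAGE_RE = re.compile(r'(?:^|\s)/i\s+"?(?P<pkg>[^"]+?\.msi)"?(?:\s|$)', re.IGNORECASE)
SERVICE_RE = re.compile(r'(?:^|\s)/V(?:\s|$)', re.IGNORECASE)
EMBED_RE = re.compile(r'-Embedding\s+(?P<cookie>[0-9A-F]{32})\b', re.IGNORECASE)
# Assumed set of locations an unprivileged user can write to; extend for your estate.
USER_WRITABLE_RE = re.compile(r'^[A-Za-z]:\\(?:Users|ProgramData|Temp)\\|^\\\\', re.IGNORECASE)


def classify(p: Proc) -> Dict[str, Optional[str]]:
    """Map one msiexec.exe command line to its role in an install."""
    m = MSIEXEC_RE.match(p.cmdline)
    if not m:
        return {"role": None}
    args = m.group("args")
    if SERVICE_RE.search(args):
        return {"role": "service"}  # msiexec /V: the Windows Installer service itself
    e = EMBED_RE.search(args)
    if e:
        return {"role": "custom_action_server", "cookie": e.group("cookie").upper()}
    pk = PACKAGE_RE.search(args)
    if pk:
        return {"role": "client", "package": pk.group("pkg")}
    return {"role": "other"}


def assess(tree: List[Proc]) -> List[str]:
    """Return human-readable findings for an msiexec process tree."""
    roles = {p.pid: classify(p) for p in tree}
    findings: List[str] = []
    for p in tree:
        info = roles[p.pid]
        if info["role"] == "client" and USER_WRITABLE_RE.match(info["package"] or ""):
            findings.append(f"pid {p.pid}: package installed from user-writable path {info['package']}")
        if info["role"] == "custom_action_server":
            parent_role = roles.get(p.ppid, {}).get("role") if p.ppid is not None else None
            if parent_role == "service":
                findings.append(f"pid {p.pid}: custom action server spawned by the installer service "
                                f"(pid {p.ppid}); package-supplied code is executing inside msiexec")
            else:
                findings.append(f"pid {p.pid}: custom action server with unexpected parent {p.ppid}")
    return findings


if __name__ == "__main__":
    for line in assess(TREE):
        print(line)
```

On its own a custom action server is normal for any package with custom actions, so the second finding is a pivot rather than a verdict: correlate it with what that process and the service wrote, which in this report is the "Drops PE files to the windows directory" and "Creates files inside the system directory" signatures and the high-entropy DLL in the dropped-file list.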

No disassembly