Setup_XFINITY.msi
This report was generated from a file or URL submitted to this web service on November 25th 2016 23:12:03 (UTC), using the action script Heavy Anti-Evasion.
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v5.40 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
  - Contains a remote desktop related string
- Persistence
  - Modifies System Certificates Settings
- Fingerprint
  - Reads the active computer name
  - Reads the cryptographic machine GUID - Evasive
  - References security related windows services
- Spreading
  - Opens the MountPointManager (often used to detect additional infection locations)
  - Tries to access unusual system drive letters
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (5)

Exploit/Shellcode

Possible document exploit detected
- details: Document can spawn a new process although no macro was present in the original file
- source: Indicator Combinations
- relevance: 10/10

System Security

Modifies System Certificates Settings
- details:
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE")
- source: Registry Access
- relevance: 8/10

References security related windows services
- details: "7468656d65312e786d6cec595d8bdb46147d2ff43f08bd3bfe92fcb1c41b6cd9ceb6d94d42eca4e4716c8fadc98e344633de8d0981923c160aa569e943037deb" (Indicator: "bfe")
- source: String
- relevance: 7/10

Unusual Characteristics

Contains native function calls
- details: NtQueryInformationProcess@NTDLL.DLL from msiexec.exe (PID: 968)
- source: Hybrid Analysis Technology
- relevance: 5/10

Tries to access unusual system drive letters
- details:
"msiexec.exe" touched "K:"
"msiexec.exe" touched "L:"
"msiexec.exe" touched "M:"
"msiexec.exe" touched "N:"
"msiexec.exe" touched "O:"
"msiexec.exe" touched "P:"
"msiexec.exe" touched "Q:"
"msiexec.exe" touched "R:"
"msiexec.exe" touched "S:"
"msiexec.exe" touched "T:"
"msiexec.exe" touched "U:"
"msiexec.exe" touched "V:"
"msiexec.exe" touched "W:"
- source: API Call
- relevance: 9/10

Suspicious Indicators (19)

Anti-Detection/Stealthiness

Contains ability to open a service
- details: OpenServiceW@ADVAPI32.DLL from msiexec.exe (PID: 968)
- source: Hybrid Analysis Technology
- relevance: 8/10

Queries kernel debugger information
- details: "msiexec.exe" at 00018102-00000968-00000105-43917837
- source: API Call
- relevance: 6/10

Sets the process error mode to suppress error box
- details:
"msiexec.exe" set its error mode to SEM_NOOPENFILEERRORBOX
"msiexec.exe" set its error mode to SEM_NOGPFAULTERRORBOX
- source: API Call
- relevance: 8/10

Environment Awareness

Possibly tries to implement anti-virtualization techniques
- details:
".YsK:n32*i$?{qeMUc7!!'T(ybZmbBF'`wFk]N[)IW>U|Pq!\KT6p}.*;nZ)gCls&7A^Y!Xf" (Indicator: "qemu")
"*(<=!F cyNm*la3k;#Sw]ws(@Q*8G0dGWU}cSp[ez+rj,^lWk$sk7["+dN~N_OheP-*>P6jZ:-V;qeMUjGbUXz6{F'mukYe&s9^U`l-6|w,V.+U9XV;Ua_Zq8Nog<P08n9Dw;]@yy`1'e}xW7/9`qv~7`8?)N$&H4A!C0&4BsPrZu!h" (Indicator: "qemu")
- source: String
- relevance: 4/10

Reads the cryptographic machine GUID
- details: "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10

General

Reads configuration files
- details: "msiexec.exe" read file "%WINDIR%\win.ini"
- source: API Call
- relevance: 4/10

Installation/Persistence

Monitors specific registry key for changes
- details:
"msiexec.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder" (Filter: 4)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\crypt32" (Filter: 4)
"msiexec.exe" monitors "HKCU\Software\Microsoft\SystemCertificates\Root" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\Software\Microsoft\SystemCertificates\SmartCardRoot" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\Software\Microsoft\SystemCertificates\trust" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\Software\Policies\Microsoft\SystemCertificates" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\Software\Microsoft\SystemCertificates\CA" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\Software\Microsoft\SystemCertificates\Disallowed" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed" (Filter: 5; Subtree: 1)
"msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\Software\Microsoft\SystemCertificates\TrustedPeople" (Filter: 5; Subtree: 1)
- source: API Call
- relevance: 4/10

Opens the MountPointManager (often used to detect additional infection locations)
- details: "msiexec.exe" opened "MountPointManager"
- source: API Call
- relevance: 5/10

Network Related

Found potential IP address in binary/memory
- details:
Heuristic match: "%USERPROFILE%\SVN\eos\tags\NetwiseCMTray\v1.2.2.59_Production\Source\GUI\Release\InstSupp.pdb"
Heuristic match: "3.5.2519.0"
Heuristic match: "%USERPROFILE%\svn\eos\tags\netwisecmtray\v1.2.2.59_production\source\gui\main\HotspotManagerDlg.h"
Heuristic match: "%USERPROFILE%\svn\eos\tags\netwisecmtray\v1.2.2.59_production\source\gui\smsubsystem\..\Main\WifiManager.h"
"1.2.2.59"
Heuristic match: "%USERPROFILE%\svn\eos\tags\netwisecmtray\v1.2.2.59_production\source\gui\main\WifiAccessPoint.h"
Heuristic match: "%USERPROFILE%\svn\eos\tags\netwisecmtray\v1.2.2.59_production\source\gui\main\WifiAccessPointList.h"
- source: String
- relevance: 3/10

Remote Access Related

Contains a remote desktop related string
- details: "-nD]\26lLgKK^6vk:\CrKogS[t75#S4~kov7$<Qlo=|g=;\vncSywQG~:FB" (Indicator for product: Generic VNC)
- source: String
- relevance: 10/10

System Destruction

Marks file for deletion
- details:
"%WINDIR%\System32\msiexec.exe" marked "%TEMP%\CabE145.tmp" for deletion
"%WINDIR%\System32\msiexec.exe" marked "%TEMP%\TarE146.tmp" for deletion
"%WINDIR%\System32\msiexec.exe" marked "%TEMP%\CabE18D.tmp" for deletion
"%WINDIR%\System32\msiexec.exe" marked "%TEMP%\TarE18E.tmp" for deletion
"%WINDIR%\System32\msiexec.exe" marked "%TEMP%\CabE1DF.tmp" for deletion
"%WINDIR%\System32\msiexec.exe" marked "%TEMP%\TarE1E0.tmp" for deletion
"%WINDIR%\System32\msiexec.exe" marked "%TEMP%\CabFE34.tmp" for deletion
"%WINDIR%\System32\msiexec.exe" marked "%TEMP%\TarFE35.tmp" for deletion
"%WINDIR%\System32\msiexec.exe" marked "%TEMP%\Cab1283.tmp" for deletion
"%WINDIR%\System32\msiexec.exe" marked "%TEMP%\Tar128E.tmp" for deletion
"%WINDIR%\System32\msiexec.exe" marked "%TEMP%\Cab2CCF.tmp" for deletion
"%WINDIR%\System32\msiexec.exe" marked "%TEMP%\Tar2CD0.tmp" for deletion
"%WINDIR%\System32\msiexec.exe" marked "C:\MSI34592.tmp" for deletion
- source: API Call
- relevance: 10/10

Opens file with deletion access rights
- details:
"msiexec.exe" opened "%TEMP%\CabE145.tmp" with delete access
"msiexec.exe" opened "%TEMP%\TarE146.tmp" with delete access
"msiexec.exe" opened "%TEMP%\CabE18D.tmp" with delete access
"msiexec.exe" opened "%TEMP%\TarE18E.tmp" with delete access
"msiexec.exe" opened "%TEMP%\CabE1DF.tmp" with delete access
"msiexec.exe" opened "%TEMP%\TarE1E0.tmp" with delete access
"msiexec.exe" opened "%TEMP%\CabFE34.tmp" with delete access
"msiexec.exe" opened "%TEMP%\TarFE35.tmp" with delete access
"msiexec.exe" opened "%TEMP%\Cab1283.tmp" with delete access
"msiexec.exe" opened "%TEMP%\Tar128E.tmp" with delete access
"msiexec.exe" opened "%TEMP%\Cab2CCF.tmp" with delete access
"msiexec.exe" opened "%TEMP%\Tar2CD0.tmp" with delete access
"msiexec.exe" opened "C:\MSI34592.tmp" with delete access
"msiexec.exe" opened "%SAMPLEDIR%\MSI34593.tmp" with delete access
- source: API Call
- relevance: 7/10

System Security

Contains ability to elevate privileges
- details:
MakeAbsoluteSD@ADVAPI32.DLL from msiexec.exe (PID: 968)
MakeAbsoluteSD@ADVAPI32.DLL from msiexec.exe (PID: 968)
SetSecurityDescriptorDacl@ADVAPI32.DLL from msiexec.exe (PID: 968)
- source: Hybrid Analysis Technology
- relevance: 10/10

Modifies Software Policy Settings
- details:
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
- source: Registry Access
- relevance: 10/10

Unusual Characteristics

Contains embedded string with suspicious keywords
- details:
Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
Found suspicious keyword "Open" which indicates: "May open a file"
Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
Found suspicious keyword "Binary" which indicates: "May read or write a binary file (if combined with Open)"
Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
Found suspicious keyword "Chr" which indicates: "May attempt to obfuscate specific strings"
- source: String
- relevance: 10/10

Installs hooks/patches the running process
- details:
"msiexec.exe" wrote bytes "4053c5775858c677186ac677653cc7770000000000bf32760000000056cc3276000000007cca3276000000003768e2756a2cc777d62dc777000000002069e2750000000029a6327600000000a48de27500000000f70e327600000000" to virtual address "0x77DA1000" (part of module "NSI.DLL")
"msiexec.exe" wrote bytes "94987a7651c17a76efb28076ee9c7a7675dc7c7690977a7610997a7600000000013d337638ed3376cfcd327631233276de2f3376c4ca327680bb327652ba32769fbb3276707f317692bb327646ba32760abf327600000000" to virtual address "0x705A1000" (part of module "MSLS31.DLL")
- source: Hook Detection
- relevance: 10/10

Reads information about supported languages
- details: "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10

Hiding 2 Suspicious Indicators

Informative (19)

Anti-Reverse Engineering

Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details: SetUnhandledExceptionFilter@KERNEL32.DLL from msiexec.exe (PID: 968)
- source: Hybrid Analysis Technology
- relevance: 1/10

Environment Awareness

Contains ability to query machine time
- details: GetSystemTimeAsFileTime@KERNEL32.DLL from msiexec.exe (PID: 968)
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query the machine version
- details:
GetVersionExW@KERNEL32.DLL from msiexec.exe (PID: 968)
GetVersion@KERNEL32.DLL from msiexec.exe (PID: 968)
GetVersionExW@KERNEL32.DLL from msiexec.exe (PID: 968)
GetVersionExW@KERNEL32.DLL from msiexec.exe (PID: 968)
GetVersionExW@KERNEL32.DLL from msiexec.exe (PID: 968)
GetVersionExW@KERNEL32.DLL from msiexec.exe (PID: 968)
GetVersionExW@KERNEL32.DLL from msiexec.exe (PID: 968)
GetVersionExW@KERNEL32.DLL from msiexec.exe (PID: 968)
GetVersionExW@KERNEL32.DLL from msiexec.exe (PID: 968)
GetVersionExW@KERNEL32.DLL from msiexec.exe (PID: 968)
- source: Hybrid Analysis Technology
- relevance: 1/10

Makes a code branch decision directly after an API that is environment aware
- details:
Found API call GetVersionExW@KERNEL32.DLL (Target: "msiexec.exe"; Stream UID: "00018102-00000968-50415-173-00074A2C")
which is directly followed by "cmp dword ptr [ebp-00000108h], 02h" and "jne 00077BBCh". See related instructions: "...
+66 call dword ptr [000710D8h] ;GetVersionExW
+72 cmp dword ptr [ebp-00000108h], 02h
+79 jne 00077BBCh" ... from msiexec.exe (PID: 968)
Found API call GetVersionExW@KERNEL32.DLL (Target: "msiexec.exe"; Stream UID: "00018102-00000968-50415-115-00078851")
which is directly followed by "cmp dword ptr [ebp-00000108h], 02h" and "jne 000788D8h". See related instructions: "...
+38 lea eax, dword ptr [ebp-00000118h]
+44 push eax
+45 mov dword ptr [ebp-00000118h], 00000114h
+55 call dword ptr [000710D8h] ;GetVersionExW
+61 cmp dword ptr [ebp-00000108h], 02h
+68 jne 000788D8h" ... from msiexec.exe (PID: 968)
Found API call GetVersionExW@KERNEL32.DLL (Target: "msiexec.exe"; Stream UID: "00018102-00000968-50415-116-000788F2")
which is directly followed by "cmp dword ptr [ebp-00000108h], 02h" and "jne 00078940h". See related instructions: "...
+0 mov edi, edi
+2 push ebp
+3 mov ebp, esp
+5 sub esp, 00000118h
+11 mov eax, dword ptr [0007E00Ch]
+16 xor eax, ebp
+18 mov dword ptr [ebp-04h], eax
+21 lea eax, dword ptr [ebp-00000118h]
+27 push eax
+28 mov dword ptr [ebp-00000118h], 00000114h
+38 call dword ptr [000710D8h] ;GetVersionExW
+44 cmp dword ptr [ebp-00000108h], 02h
+51 jne 00078940h" ... from msiexec.exe (PID: 968)
- source: Hybrid Analysis Technology
- relevance: 10/10

Queries volume information
- details:
"msiexec.exe" queries volume information of "C:\" at 00018102-00000968-0000010C-44044000
"msiexec.exe" queries volume information of "C:\share" at 00018102-00000968-0000010C-50205825
- source: API Call
- relevance: 2/10

Queries volume information of an entire hard drive
- details: "msiexec.exe" queries volume information of "C:\" at 00018102-00000968-0000010C-44044000
- source: API Call
- relevance: 8/10

External Systems

Sample was identified as clean by Antivirus engines
- details: 0/55 Antivirus vendors marked sample as malicious (0% detection rate)
- source: External System
- relevance: 10/10

General

Contains PDB pathways
- details:
"C:\delivery\Dev\wix35_public\build\ship\x86\wixca.pdb"
"%USERPROFILE%\SVN\eos\tags\NetwiseCMTray\v1.2.2.59_Production\Source\GUI\Release\InstSupp.pdb"
"msiexec.pdb"
- source: String
- relevance: 1/10

Creates a writable file in a temporary directory
- details:
"msiexec.exe" created file "%TEMP%\CabE145.tmp"
"msiexec.exe" created file "%TEMP%\TarE146.tmp"
"msiexec.exe" created file "%TEMP%\CabE18D.tmp"
"msiexec.exe" created file "%TEMP%\TarE18E.tmp"
"msiexec.exe" created file "%TEMP%\CabE1DF.tmp"
"msiexec.exe" created file "%TEMP%\TarE1E0.tmp"
"msiexec.exe" created file "%TEMP%\CabFE34.tmp"
"msiexec.exe" created file "%TEMP%\TarFE35.tmp"
"msiexec.exe" created file "%TEMP%\Tar128E.tmp"
"msiexec.exe" created file "%TEMP%\Cab2CCF.tmp"
"msiexec.exe" created file "%TEMP%\Tar2CD0.tmp"
- source: API Call
- relevance: 1/10

Creates mutants
- details: "\Sessions\1\BaseNamedObjects\Global\_MSIExecute"
- source: Created Mutant
- relevance: 3/10

Loads rich edit control libraries
- details: "msiexec.exe" loaded module "%WINDIR%\System32\riched20.dll" at 6B9A0000
- source: Loaded Module

Reads System Certificates Settings
- details:
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\109F1CAED645BB78B3EA2B94C0697C740733031C"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\D559A586669B08F46A30A133F8A9ED3D038E2EA8"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FEE449EE0E3965A5246F000E87FDE2A065FD89D4"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS\A377D1B1C0538833035211F4083D00FECC414DAB"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES\7D7F4414CCEF168ADF6BF40753B5BECD78375931"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\PROTECTEDROOTS"; Key: "CERTIFICATES")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\18F7C1FCC3090203FD5BAA2F861A754976C8DD25"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\245C97DF7514E7CF2DF8BE72AE957B9E04741E85"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\7F88CD7223F3C813818C994614A89C99FA3B5247"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\A43489159A520F0D93D032CCAF37E7FE20A8B419"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\BE36A4562FB2EE05DBB3D32323ADF445084ED656"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\CDD4EEAE6000AC7F40C3802C171E30148030C072"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\02FAF3E291435468607857694DF5E45B68851868"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\2796BAE63F1801E277261BA0D77770028F20EEE4"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25"; Key: "BLOB")
- source: Registry Access
- relevance: 10/10

Reads Windows Trust Settings
- details: "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source: Registry Access
- relevance: 5/10

Spawns new processes
- details: Spawned process "XFINITY WiFi.exe"
- source: Monitored Target
- relevance: 3/10

Installation/Persistence

Connects to LPC ports
- details: "msiexec.exe" connecting to "\ThemeApiPort"
- source: API Call
- relevance: 1/10

Dropped files
- details:
"0972B7C417F696E06E186AEB26286F01_49B63408691CDF23E938DEAF21E5252E" has type "data"
"CabFE34.tmp" has type "Microsoft Cabinet archive data 49640 bytes 1 file"
"Cab1283.tmp" has type "Microsoft Cabinet archive data 49640 bytes 1 file"
"CabE145.tmp" has type "Microsoft Cabinet archive data 49640 bytes 1 file"
"TarE18E.tmp" has type "data"
"CabE18D.tmp" has type "Microsoft Cabinet archive data 49640 bytes 1 file"
"8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F" has type "data"
"CabE1DF.tmp" has type "Microsoft Cabinet archive data 49640 bytes 1 file"
"94308059B57B3142E455B38A6EB92015" has type "data"
"3D0AC26322348780E90E022EA217C58C" has type "data"
"TarE1E0.tmp" has type "data"
"Cab2CCF.tmp" has type "Microsoft Cabinet archive data 50939 bytes 1 file"
"Tar2CD0.tmp" has type "data"
"TarFE35.tmp" has type "data"
"TarE146.tmp" has type "data"
"94308059B57B3142E455B38A6EB92015" has type "Microsoft Cabinet archive data 50939 bytes 1 file"
"Tar128E.tmp" has type "data"
- source: Extracted File
- relevance: 3/10

Touches files in the Windows directory
- details:
"msiexec.exe" touched file "%WINDIR%\System32\msiexec.exe"
"msiexec.exe" touched file "%WINDIR%\AppPatch\AcLayers.DLL"
"msiexec.exe" touched file "%WINDIR%\AppPatch\AcGenral.DLL"
"msiexec.exe" touched file "%WINDIR%\System32\en-US\msiexec.exe.mui"
"msiexec.exe" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"msiexec.exe" touched file "%WINDIR%\system32\rsaenh.dll"
"msiexec.exe" touched file "%WINDIR%\System32\MsiMsg.dll"
"msiexec.exe" touched file "%WINDIR%\System32\en-US\MsiMsg.dll.mui"
"msiexec.exe" touched file "%WINDIR%\system32\en-US\MSCTF.dll.mui"
"msiexec.exe" touched file "%WINDIR%\Fonts\staticcache.dat"
"msiexec.exe" touched file "%WINDIR%\system32\en-US\KERNELBASE.dll.mui"
"msiexec.exe" touched file "%WINDIR%\System32\en-US\WINHTTP.dll.mui"
"msiexec.exe" touched file "%WINDIR%\AppPatch\sysmain.sdb"
"msiexec.exe" touched file "%WINDIR%\system32\sxs.DLL"
"msiexec.exe" touched file "%WINDIR%\system32\en-US\sxs.DLL.mui"
- source: API Call
- relevance: 7/10

Network Related

Found potential URL in binary/memory
- details:
Pattern match: "http://s.symcb.com/pca3-g5.crl0"
Pattern match: "http://s.symcd.com0_"
Pattern match: "https://d.symcb.com/cps0%"
Pattern match: "https://d.symcb.com/rpa0"
Pattern match: "http://sw.symcb.com/sw.crl0"
Pattern match: "http://sw.symcd.com0"
Pattern match: "http://sw1.symcb.com/sw.crt0"
Pattern match: "http://s.symcd.com06"
Pattern match: "http://s.symcb.com/universal-root.crl0"
Pattern match: "https://d.symcb.com/rpa0@"
Pattern match: "http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0"
Pattern match: "http://ts-ocsp.ws.symantec.com0"
Pattern match: "http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0"
Pattern match: "www.smithmicro.com"
Pattern match: "xfinity.comcast.net/profile"
Pattern match: "https://customer.comcast.com/Secu}{\rtlch\fcs1"
Pattern match: "http://}{\rtlch\fcs1"
Pattern match: "www.comcast.com/Corporate/Customers/Policies/SubscriberAgreement.html}{\rtlch\fcs1"
Pattern match: "http://xfinity.comcast.net/terms/}{\rtlch\fcs1"
Pattern match: "http://xfinity.comcast.net/privacy/}{\rtlch\fcs1"
Pattern match: "http://xfinit}{\rtlch\fcs1"
Pattern match: "y.comcast.net/terms/opensource}{\rtlch\fcs1"
Pattern match: "http://www.comcast.com/Corporate/Customers/Policies/SubscriberAgreement.html}{\rtlch\fcs1"
Pattern match: "xfinity.comcast.net/terms/"
Pattern match: "http://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEBkaMst1nJe4z6wRjdU"
Pattern match: "http://sw.symcb.com/sw.crl"
Pattern match: "http://sw.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSbgiNwvmjR4M%2B9oE39sZR%2FxyzMPwQUFmbeSjTjUKcRhgOxbKnGrM1ZbpsCEDpZnjigeVqbi4hnuo"
Pattern match: "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab"
Heuristic match: "F/6:&^rS&4xduuo.-.MM"
Heuristic match: "janm[~c/7q:\=`X&b3)H v>sJ(EIb8lg.ge"
Heuristic match: "vY@8ro;\ :vH3nRC|9'>jwe9\%Cpr?{%.SZ"
Pattern match: "N2.qX/'KLHGk']?eDo~ujy%"
Heuristic match: "qYu<gYhc|#}.CD"
Pattern match: "yh.dKw/ti4pe&gkQ=%KyLy5BA"
Heuristic match: "#c-VZ/\.gS"
Pattern match: "gf.TO/?U"
Heuristic match: "LgU$WlyR`G\I=z:BgFSr KE]j_*Dbg`2]UQ'n|r:pKS0+P.:cwzs%M%d7>ZJ9m&;6~ZAufPj{~+4y0Z15@q!&E.SI"
Pattern match: "u.wE/,#4kPL&:x"
Heuristic match: "_5uagMdf]Sdgm]8Zk>k{O?Ja:.JE"
Pattern match: "nq.uDOc/\'AszElM"
Heuristic match: "5um!M4r5IE{`iHSzPYBvOB*OnRi\g*S[y#Q\]kbh\xC<2 /(4*O,(XsL.mw"
Heuristic match: ")aCSjh9lwye]&*byJT\^w{wN-gs~KX[xC7 Eh&~I.S&FWZ/~ZT'ASlx)l2x@7Be.{dl{<fCRhM)1)iGS.BD|&*_<1)a7n_Bkh%p9x5qPIvni;b~L=<oDB}zsV/!.mv"
Pattern match: "V..WB/E^l{]}q^1~rWezWN/"
Heuristic match: "&lY`+KTT.@'xkM>qZS7Jrb%.Is"
Heuristic match: "#T'La-M+jo[SKRXBJi!!Tlq;0KS'ps,B`T,%ZIVMX`.vI"
Heuristic match: "jqZai00>Oc_\64W1TO[Pxb.~Qsjo!hR38Xh<eV+e9F'[H9G7CG%!uel{r7&jfQO@R(>mC5qyB/.54ZYm'x}BYC'`J0ji4I|G.iE"
Pattern match: "0.Kdl/E]7"
Heuristic match: "eXuG;dEE,}VKqzE4@oSrr$N?g<sQbb0V.lu"
Pattern match: "Ds.nE/xQ"
Pattern match: "Ofs.H.bzOg/}o5k#"
Heuristic match: "uy$ne'y}]_uGz-0QE.EG"
Pattern match: "q.pqY/YgN?Q+6sfe8:p"
Pattern match: "A.NW////_{ShbZ|WKFu"
Pattern match: "eYS.ogO/SZFVL}XAhat[cv|3||+'t~0gg-bI?Q"
Pattern match: "2.aT/S9s9kM4DMygn4mpoN.,8}lrgVO4m{%LfDiCm=7?if|Ca^[Bvq{a-mdw~4kP&"
Pattern match: "T.fUR/ESEAb*9A,-TEW!As&d!p34Kw.g"
Pattern match: "BOsrnV.Vz/!AUE6h"
Pattern match: "9.OdK/f=`#K"
Heuristic match: ";U/x*/jNPKr=!b;L_~'I4>|{>}5/oqQ_|sbk_s(HV}cH7?o()W$2OH6K4-,amgj:WCd/FhN5y~I~+Tec6WQwB'r+Sg(;r!Lh]N9pg.qJNOSGo(3j7.^cG2={t6mH\ fjamZ!/KbhX5|sxa~bl6k'.PR"
Pattern match: "Q.uS/==#g"
Pattern match: "zwtqv.cC/'N?p"
Pattern match: "jxN.HUr/]rgNR*#hT0ZVEX&=l\m[&Zpq.k%$,3Q2*T;*/d596n}n4C*&w*R7=g'i"
Heuristic match: "f 5#[Icc\rU)1b*N82G|,>\E`_jwv=|+}y<ua%kdXTP1.d.bR"
Heuristic match: "Ep?.(@-p.pzI4t.ML"
Heuristic match: "e<I%J1)4L_Ls\KzMu{&So]tMM[Z*'WnK<1&^cT93SVk2p[`]+.aX"
Heuristic match: "6,Y<exo$ZZ2<BK.F|dU1axqF0u]Wm'7@.mh"
Heuristic match: "BR@re0>057x$HnMmL)u{,_6.ML"
Pattern match: "xO.DMQ/p.r@^&IBES"
Pattern match: "0.qtqJ/c]d~"
Pattern match: "D.Vn/w&h+QYE"
Heuristic match: "QO&DD}3m~j&ie.EJM[oJX#fQ(/|y[JHi8qX.uA"
Heuristic match: "eKt]L.tg"
Pattern match: "E.Hi/E.AoTW/8de-\5IMWe[rZaBwa~e"
Pattern match: "Njl.ge/=`_Y"
Heuristic match: "$P|AH_d <O^}`w);e]J^7.KY"
Heuristic match: "oS<4hb0)l{4WdWdDGSG-.aU"
Heuristic match: "jKQeo]]MxP]Ml*`81!Avv?4SZpU/IC4WW@M;/:<w&cQgX1^xBx2svVJ&XJ;mvCRWq^-FEiBJ'm3vd7BXQ*Glfs`u:9tW)6f(E{wlg(S0.qf`2aiMdqrs4Xk+ozR+W.Gi"
Pattern match: "G.ypo/0t{@3GgXg"
Pattern match: "53.IT/g6\@^]u"
Pattern match: "jzn.cRwo/$EA;="
Pattern match: "B.TWtx/sZ"
Pattern match: "QU.Rx/D$hD"
Heuristic match: "j$*~.Ch"
Heuristic match: "c`|Au[\__W]]W_Zuk==-n5ODDjQ}`x11JyA![B\]=GYTRm{m76?P|&%TQ$C+6He*T6*)\[J.Ve"
Pattern match: "26.rawE/zG\K.%L%/w*yc*o,au:7;s8awO"
Heuristic match: "#[Dcw.<o~ _oVM!TzAZhm`jdW8ci}sii8sl-\$]cPvHb]'>:s9Cy.Ne"
Pattern match: "94V.dTEB/,X:;S^4"
Heuristic match: "?SOfHT'XVSz$r-\lz0.kp"
Pattern match: "r8n.cj/oUL9i&HfV!T#3B9*un}C9XOs"
Heuristic match: "Y&]l0T&2=e0fBc)6db{q,Sc|c.Rs"
Pattern match: "Uxv.FJy/On"
Pattern match: "JDHaWMa.pYvY/CH@v}#[I?QyE#t!k_g1;fR\ks="
Pattern match: "Y1kq.br/h`tVT*{^*"
Pattern match: "eG.Dk/Za&Ss[RTec"
Heuristic match: "p*Z:`=g?$F)/\UMaW(|N@k[,y]! 1*6`+iYEC@/{a|,Kp]5 2*<ufT.mWCdsq |[].Z=EvF@u.gp"
Pattern match: "6Z.oW/+4WB|JK\+z*6X8f#Yb;:y"
Pattern match: "x.hp/?-P\\$"
Pattern match: "p.iGd/1V{uNsXhz[JyRdnI4:`fQD.%oEC2@"
Heuristic match: "h(GV]b@nVTKx[-7o%_*A(7'-RGu[@=.Se"
Pattern match: "Hi.eH/RyN"
Pattern match: "aRu.vIt/DP&Ym5uMFK}PFU/^"
Heuristic match: "%bgyEs503n9U~XF5Kw!x'vxO<oe(x6[[?=*md~W|-vx\:m0vduv.Rw"
Heuristic match: "?/0vc3.cX"
Heuristic match: "%S!LBx7$*9ypam_'5ydXs#dx,.cC"
Heuristic match: "s?Vs\mv.tv.LA @e~[ffx3 s}&<-y1=mINvex)%-(IUbF N\=S?>>ghWhj`qH?V\Ce3+?R.Ma"
Pattern match: "h.PPLx/bBbx"
Pattern match: "7.nI/_oJt6"
Pattern match: "A57k.wnb/8Tt?=c'+*o,.z6"
Heuristic match: "?A8&'7|A,HrZ<Tr1(xIYoE.<rVB3Zg1~WyRZ}FD4-0FPCQ0/g%wl|{7Xq>n2\9xN-tN2L#s?^s.Is"
Pattern match: "UL.GB/Cv#"
Pattern match: "JLE.hK/m_:I"
Heuristic match: "]/;.[c2-+ I,!|B0 IT}fa~P!~N9(>UY7N&7T(j(m1}B1Y4TS&J2'?/Y{Ky:[:ONv%=:g$z+R+)v/Eou.+5~Cm;0:_Igq:QScQp])b=;#zmYHdMzY5.[Tuc+*NuNWnt+t]6tgyULeu]_f?BZww5mi#w.nC"
Pattern match: "O.sJ/9PK"
Pattern match: "re.zwa/e1I5WH^+-XNs"
Heuristic match: "MSWVLJ#DAnw%sMaecj-k-q-I\9\Lg1b}_JToaw_oX=.~|rj7v;5x|.6CGBgq~O&;IK3QpFf=YXA::zr2yyY&@V#C,<f!]H@Tm^`o(K`|Q'(,lAuDsU^B8t{J)H/Z]76rj;$|t!Xm-x{/hI%/I9<byl|54eNsI4&uH%vh<#t[7^SR>lR:bsOm:tr~Q<1)K.Jm"
Heuristic match: "iu%7f;-Kr\z?./|GSx(sWHykFkk)|y$AHTiINh+HxU-(.$#?qVN:R<tN6-WU|+L& YX`yQOxS[Q]sS%Qu3URZG{e2vuy;V)Xa.3T ,a-O6vrRJM[*A8jR71>.6[oSE#XvQA_<l$U0HV#B[LRt]_'.gg"
Pattern match: "W.Lt/3,r}k@w-Mwg%L=!Re!V1qF]jpP_DeN-W1[FonY=6"
Pattern match: "g.LXdq/I=K+w"
Heuristic match: "|!4} @=^cij=J;9<emBiSKvc?n4T{QzqPA^T{q{amg.gd"
Pattern match: "noOexzCypnEI.ZS/nrj!Mc"
Pattern match: "http://s.symcb.com/pca3-g5.crl0U%0"
Pattern match: "https://d.symcb.com/cps0%+0https://d.symcb.com/rpa0"
Pattern match: "http://sw.symcb.com/sw.crl0`U"
Pattern match: "sw1.symcb.com/sw.crt0"
Pattern match: "https://d.symcb.com/cps0%+0https://d.symcb.com/rpa0.+0"
Pattern match: "https://d.symcb.com/cps0%+0https://d.symcb.com/rpa0@U9070531/http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0U%0"
Pattern match: "http://www.google.com/blank.html"
Pattern match: "http://google.com"
Heuristic match: "C0mcast.net"
- source
- String
- relevance
- 10/10
-
Found potential URL in binary/memory
-
System Security
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "msiexec.exe" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
File Details
Setup_XFINITY.msi
- Filename
- Setup_XFINITY.msi
- Size
- 9.3MiB (9729536 bytes)
- Type
- msi data
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Create Time/Date: Mon Jun 21 08:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: Intel;1033, Number of Pages: 200, Revision Number: {23E14021-55BF-4562-A836-44A39F4EC5DF}, Title: Setup_XFINITY, Author: Smith Micro Software, Inc., Number of Words: 2, Last Saved Time/Date: Fri Mar 11 02:48:40 2016, Last Printed: Fri Mar 11 02:48:40 2016
- Architecture
- WINDOWS
- SHA256
- 2ed9bf61e4c1cc72a70bc7ef2c212bd422a2591a5ec07443a37f8de53d539aee
- MD5
- 476f2e245637fda296a029fcd012527d
- SHA1
- e6b84c672b316a3f46f5e6a6bba14fc360a54ebd
Classification (TrID)
- 89.3% (.MSI) Microsoft Windows Installer
- 9.4% (.MST) Windows SDK Setup Transform Script
- 1.2% (.) Generic OLE2 / Multistream Compound File
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
- msiexec.exe /i "C:\Setup_XFINITY.msi" (PID: 968)
- XFINITY WiFi.exe (PID: 3344)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
http://google.com | Domain/IP reference | 00031899-00003344-56976-3019-00D054C0 |
1.2.2.59 | Domain/IP reference | 00031899-00003344-56976-1151-00CCEDD0 |
http://www.google.com/blank.html | Domain/IP reference | 00031899-00003344-56976-149-00CAF750 |
Extracted Strings
Extracted Files
Displaying 16 extracted file(s). The remaining 4 file(s) are available in the full version and XML/JSON reports.
-
Informative Selection 5
-
-
Tar128E.tmp
- Size
- 114KiB (116458 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 968)
- MD5
- 2432087060d478113b7befb4b3591898
- SHA1
- de47e18657cecfd99f2e076b06fb8392f12eca6e
- SHA256
- 81e9664c71a6d19c53203bee8e1afe09a9304e1b520d92b3d3fd5519da88d541
-
TarE146.tmp
- Size
- 114KiB (116458 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 968)
- MD5
- 2432087060d478113b7befb4b3591898
- SHA1
- de47e18657cecfd99f2e076b06fb8392f12eca6e
- SHA256
- 81e9664c71a6d19c53203bee8e1afe09a9304e1b520d92b3d3fd5519da88d541
-
TarE18E.tmp
- Size
- 114KiB (116458 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 968)
- MD5
- 2432087060d478113b7befb4b3591898
- SHA1
- de47e18657cecfd99f2e076b06fb8392f12eca6e
- SHA256
- 81e9664c71a6d19c53203bee8e1afe09a9304e1b520d92b3d3fd5519da88d541
-
TarE1E0.tmp
- Size
- 114KiB (116458 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 968)
- MD5
- 2432087060d478113b7befb4b3591898
- SHA1
- de47e18657cecfd99f2e076b06fb8392f12eca6e
- SHA256
- 81e9664c71a6d19c53203bee8e1afe09a9304e1b520d92b3d3fd5519da88d541
-
TarFE35.tmp
- Size
- 114KiB (116458 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 968)
- MD5
- 2432087060d478113b7befb4b3591898
- SHA1
- de47e18657cecfd99f2e076b06fb8392f12eca6e
- SHA256
- 81e9664c71a6d19c53203bee8e1afe09a9304e1b520d92b3d3fd5519da88d541
-
-
Informative 11
-
-
0972B7C417F696E06E186AEB26286F01_49B63408691CDF23E938DEAF21E5252E
- Size
- 1.6KiB (1625 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 968)
- MD5
- 4a7e937a36597d9c26037f42c6fb3393
- SHA1
- 3ee89478a7ce360864906be4456690a98b367b02
- SHA256
- 8c6558465938c8a774697251b5aa3c3814527fa3f60be3adec3b3827e42dfc3a
-
3D0AC26322348780E90E022EA217C58C
- Size
- 262B (262 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 968)
- MD5
- d59582e46970cee0e35f468f9c7bdc75
- SHA1
- d1795f7e6287351b61e8a6d9424762dd6c2d8247
- SHA256
- f42a9c37be2e8713a1b182e562b70918831116a7b4a73c4ad6dea2dcd579361d
-
8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F
- Size
- 1.7KiB (1761 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 968)
- MD5
- d35669b71f5eed05846670bcf351044a
- SHA1
- 3599e89459cde4f5b0aee4488ee8b589103142a7
- SHA256
- 2b44ee6c9847201e856834072e2d63cba550f7c8460881553db65f16b12b70c9
-
94308059B57B3142E455B38A6EB92015
- Size
- 50KiB (50939 bytes)
- Type
- Microsoft Cabinet archive data, 50939 bytes, 1 file
- Runtime Process
- msiexec.exe (PID: 968)
- MD5
- 41f958d2d3e9ed4504b6a8863fd72b49
- SHA1
- f6d380b256b0e66ef347adc78195fd0f228b3e33
- SHA256
- c929701c67a05f90827563eedccf5eba8e65b2da970189a0371f28cd896708b8
-
Cab1283.tmp
- Size
- 48KiB (49640 bytes)
- Type
- Microsoft Cabinet archive data, 49640 bytes, 1 file
- Runtime Process
- msiexec.exe (PID: 968)
- MD5
- 70261c7ccaba59ee02485d9e052b3222
- SHA1
- e59e82bbe39b34b3bbc2bed54a0336878d56993e
- SHA256
- 3900d716c8c7f96277858c205f813331cd34e23b005eb4039c2061bbe7340226
-
Cab2CCF.tmp
- Size
- 50KiB (50939 bytes)
- Type
- Microsoft Cabinet archive data, 50939 bytes, 1 file
- Runtime Process
- msiexec.exe (PID: 968)
- MD5
- 41f958d2d3e9ed4504b6a8863fd72b49
- SHA1
- f6d380b256b0e66ef347adc78195fd0f228b3e33
- SHA256
- c929701c67a05f90827563eedccf5eba8e65b2da970189a0371f28cd896708b8
-
CabE145.tmp
- Size
- 48KiB (49640 bytes)
- Type
- Microsoft Cabinet archive data, 49640 bytes, 1 file
- Runtime Process
- msiexec.exe (PID: 968)
- MD5
- 70261c7ccaba59ee02485d9e052b3222
- SHA1
- e59e82bbe39b34b3bbc2bed54a0336878d56993e
- SHA256
- 3900d716c8c7f96277858c205f813331cd34e23b005eb4039c2061bbe7340226
-
CabE18D.tmp
- Size
- 48KiB (49640 bytes)
- Type
- Microsoft Cabinet archive data, 49640 bytes, 1 file
- Runtime Process
- msiexec.exe (PID: 968)
- MD5
- 70261c7ccaba59ee02485d9e052b3222
- SHA1
- e59e82bbe39b34b3bbc2bed54a0336878d56993e
- SHA256
- 3900d716c8c7f96277858c205f813331cd34e23b005eb4039c2061bbe7340226
-
CabE1DF.tmp
- Size
- 48KiB (49640 bytes)
- Type
- Microsoft Cabinet archive data, 49640 bytes, 1 file
- Runtime Process
- msiexec.exe (PID: 968)
- MD5
- 70261c7ccaba59ee02485d9e052b3222
- SHA1
- e59e82bbe39b34b3bbc2bed54a0336878d56993e
- SHA256
- 3900d716c8c7f96277858c205f813331cd34e23b005eb4039c2061bbe7340226
-
CabFE34.tmp
- Size
- 48KiB (49640 bytes)
- Type
- Microsoft Cabinet archive data, 49640 bytes, 1 file
- Runtime Process
- msiexec.exe (PID: 968)
- MD5
- 70261c7ccaba59ee02485d9e052b3222
- SHA1
- e59e82bbe39b34b3bbc2bed54a0336878d56993e
- SHA256
- 3900d716c8c7f96277858c205f813331cd34e23b005eb4039c2061bbe7340226
-
Tar2CD0.tmp
- Size
- 118KiB (120573 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 968)
- MD5
- 179d2951034116b184198e0bf26daa47
- SHA1
- b76bf79e7fa15491075c3bd9ec569e1c8540174b
- SHA256
- 7e58975a4e1e86940f84e744709426939b85ae174dbbf020da3c893a54fd1da2
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Not all sources for signature ID "api-12" are available in the report
- Not all sources for signature ID "api-31" are available in the report
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "binary-0" are available in the report
- Not all sources for signature ID "registry-17" are available in the report
- Not all sources for signature ID "registry-19" are available in the report
- Not all sources for signature ID "registry-38" are available in the report
- Not all sources for signature ID "string-21" are available in the report
- Not all sources for signature ID "string-43" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)