分析任务

分析类型 虚拟机标签 开始时间 结束时间 持续时间
文件 (Windows) win7-sp1-x64-hpdapp01-1 2020-09-25 20:06:53 2020-09-25 20:07:42 49 秒

魔盾分数

2.95

可疑的

文件详细信息

文件名 msiexec.exe
文件大小 65536 字节
文件类型 PE32+ executable (GUI) x86-64, for MS Windows
MD5 2a37cdfd4e507d05c98f6b6128780f48
SHA1 79cc1a09650fb1ada6017e885a1c1e6d4fb4150e
SHA256 da4a7995c19c18493ae07f4b97cfbbef584534c8f0892e4ecd00c4d0c77b60f2
SHA512 4f9a6584dc663e5738811c8380297fd4e1a75b83b84ce4d8bead1bf623f269ad9833e095ab327a9312479b667350c2e6dc7ea1e2fef120306d623e0e86f4881a
CRC32 45617A31
Ssdeep 1536:bZTx4ri3Gcd6YKCMy45ICZCP6Lz2N2ug:bZTx4rhcd6645ICZCP6lH
Yara
  • Spotted potential malicious behaviors from a small size target, like process manipultion, privilege, token and files
  • Detected a 64bit PE sample
样本下载 提交漏报

登录查看威胁特征

运行截图


访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

域名解析 (可点击查询WPING实时安全评级)

域名 安全评级 响应
acroipm.adobe.com A 23.2.16.116
CNAME acroipm.adobe.com.edgesuite.net
CNAME a1983.dscd.akamai.net
A 23.219.172.56

摘要

C:\Users\test\AppData\Local\Temp\msiexec.exe.Local\
C:\Windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac
C:\Windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll
C:\Windows\WindowsShell.Manifest
C:\Users\test\AppData\Local\Temp\MsiMsg.dll
C:\Windows\sysnative\msimsg.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Fonts\staticcache.dat
\Device\KsecDD
C:\Windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll
C:\Windows\WindowsShell.Manifest
C:\Windows\sysnative\msimsg.dll
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Fonts\staticcache.dat
\Device\KsecDD
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\msiexec.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3FC47A08-E5C9-4BCA-A2C7-BC9A282AED14}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
HKEY_CURRENT_USER\Software\Microsoft\CTF\LayoutIcon\0804\00000804
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000804
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\a
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\SimSun\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
lpk.dll.LpkEditControl
comctl32.dll.InitCommonControlsEx
kernel32.dll.HeapSetInformation
msi.dll.#197
kernel32.dll.GetThreadPreferredUILanguages
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
msi.dll.#280
comctl32.dll.RegisterClassNameW
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
uxtheme.dll.EnableThemeDialogTexture
uxtheme.dll.OpenThemeData
imm32.dll.ImmGetContext
imm32.dll.ImmReleaseContext
imm32.dll.ImmAssociateContext
imm32.dll.ImmIsIME
user32.dll.ChangeWindowMessageFilterEx
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
gdi32.dll.GetTextFaceAliasW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
advapi32.dll.RegQueryValueExA
advapi32.dll.RegEnumKeyExW
gdi32.dll.GetTextExtentExPointWPri
ole32.dll.CoInitializeEx
ole32.dll.CoUninitialize
cryptbase.dll.SystemFunction036
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
gdi32.dll.GdiIsMetaPrintDC
oleaut32.dll.SysAllocString
oleaut32.dll.SysStringLen
oleaut32.dll.SysFreeString
oleaut32.dll.#500
Local\MSCTF.Asm.MutexDefault1

PE 信息

初始地址 0x140000000
入口地址 0x14000a600
声明校验值 0x00012ea9
实际校验值 0x00012ea9
最低操作系统版本要求 6.3
PDB路径 msiexec.pdb
编译时间 2018-06-19 21:29:58
载入哈希 e097c2eba2804cfabad295256c8b4a6f

版本信息

LegalCopyright
InternalName
FileVersion
CompanyName
ProductName
ProductVersion
FileDescription
OriginalFilename
Translation

PE 数据组成

名称 虚拟地址 虚拟大小 原始数据大小 特征 熵(Entropy)
.text 0x00001000 0x0000ac30 0x0000ae00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.01
.data 0x0000c000 0x00002350 0x00001200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.30
.pdata 0x0000f000 0x000004e0 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 3.71
.idata 0x00010000 0x000011e6 0x00001200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.66
.didat 0x00012000 0x00000098 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.97
.rsrc 0x00013000 0x00001f18 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.70
.reloc 0x00015000 0x000000d4 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 2.38

导入

库: ADVAPI32.dll:
0x140010000 OpenProcessToken
0x140010008 OpenThreadToken
0x140010018 SetThreadToken
0x140010028 GetTokenInformation
0x140010030 RegEnumKeyW
0x140010038 EqualSid
0x140010040 RegQueryValueExW
0x140010058 LookupPrivilegeValueW
0x140010060 GetAce
0x140010070 MakeAbsoluteSD
0x140010078 InitializeAcl
0x140010080 AllocateAndInitializeSid
0x140010088 SetServiceStatus
0x140010098 AddAccessAllowedAce
0x1400100a0 RevertToSelf
0x1400100a8 FreeSid
0x1400100b0 RegOpenKeyExW
0x1400100b8 MakeSelfRelativeSD
0x1400100c8 GetLengthSid
0x1400100d0 AdjustTokenPrivileges
0x1400100d8 RegCloseKey
库: KERNEL32.dll:
0x1400100e8 GetSystemDefaultLangID
0x1400100f0 ExitProcess
0x1400100f8 GetCommandLineW
0x140010100 GetEnvironmentVariableW
0x140010108 FreeLibrary
0x140010110 LoadLibraryExW
0x140010118 GetCurrentProcess
0x140010120 GetModuleHandleExW
0x140010128 WaitForSingleObject
0x140010130 SetEvent
0x140010138 OutputDebugStringW
0x140010140 GetModuleHandleW
0x140010148 GetCurrentThread
0x140010150 WriteFile
0x140010160 OpenProcess
0x140010168 GlobalAlloc
0x140010170 WideCharToMultiByte
0x140010178 LoadLibraryW
0x140010180 GetLocaleInfoW
0x140010188 Sleep
0x140010190 FormatMessageW
0x140010198 GetVersionExW
0x1400101a0 LeaveCriticalSection
0x1400101a8 GetModuleFileNameW
0x1400101b0 CompareStringW
0x1400101b8 GetACP
0x1400101c0 lstrcmpW
0x1400101c8 MultiByteToWideChar
0x1400101d0 lstrlenW
0x1400101d8 GetStdHandle
0x1400101e0 GetLastError
0x1400101e8 SetLastError
0x1400101f0 GetProcAddress
0x1400101f8 EnterCriticalSection
0x140010200 GlobalFree
0x140010208 UnhandledExceptionFilter
0x140010210 GetFileType
0x140010218 CreateEventW
0x140010220 SetCurrentDirectoryW
0x140010228 OpenEventW
0x140010230 DeleteCriticalSection
0x140010238 CloseHandle
0x140010240 GetVersion
0x140010248 CreateThread
0x140010250 GetSystemDirectoryW
0x140010258 LoadLibraryExA
0x140010260 GetTickCount
0x140010268 GetSystemTimeAsFileTime
0x140010270 GetCurrentThreadId
0x140010278 GetCurrentProcessId
0x140010280 QueryPerformanceCounter
0x140010288 TerminateProcess
0x140010290 DelayLoadFailureHook
0x1400102a0 GetStartupInfoW
库: USER32.dll:
0x1400102b0 PostQuitMessage
0x1400102c0 TranslateMessage
0x1400102c8 IsCharAlphaNumericW
0x1400102d0 PeekMessageW
0x1400102d8 PostThreadMessageW
0x1400102e0 DispatchMessageW
0x1400102e8 GetMessageW
库: msvcrt.dll:
0x1400102f8 _XcptFilter
0x140010300 _amsg_exit
0x140010308 __getmainargs
0x140010310 __set_app_type
0x140010318 exit
0x140010320 _exit
0x140010328 _cexit
0x140010330 _ismbblead
0x140010338 __setusermatherr
0x140010340 _initterm
0x140010348 __C_specific_handler
0x140010350 _acmdln
0x140010358 _fmode
0x140010360 _commode
0x140010368 _lock
0x140010370 _unlock
0x140010378 __dllonexit
0x140010380 _onexit
0x140010388 memcpy
0x140010390 memset
0x140010398 ?terminate@@YAXXZ
0x1400103a0 _vsnprintf
0x1400103a8 _wcsicmp
0x1400103b0 _vsnwprintf
库: ntdll.dll:
0x1400103c0 RtlCaptureContext
0x1400103c8 RtlLookupFunctionEntry
0x1400103d0 RtlVirtualUnwind
库: ole32.dll:
0x1400103e0 CoInitialize
0x1400103e8 StgOpenStorage
0x1400103f0 CoRevokeClassObject
0x1400103f8 CoRegisterClassObject
0x140010400 CoUninitialize

.text
`.data
.pdata
@.idata
@.didat
.rsrc
@.reloc
msi.dll
DllGetClassObject
InstallStatusMIF
Installer error %i
QueryInstanceCount
GetUserDefaultUILanguage
HeapSetInformation
FDllUnregisterServer
DllRegisterServer
CoInitializeEx
CoCreateInstance
CoInitializeSecurity
CoIsHandlerConnected
InitCommonControls
InitCommonControlsEx
TaskDialog
GetFileVersionInfoSizeW
GetFileVersionInfoW
VerQueryValueW
CreateWaitableTimerW
SetWaitableTimer
CancelWaitableTimer
ResolveDelayLoadedAPI
ResolveDelayLoadsFromDll
msiexec.pdb
D$`A9
D9%$t
D9-zb
D9-ZU
D8%HD
L9%,K
L9%.L
OpenProcessToken
OpenThreadToken
StartServiceCtrlDispatcherW
SetThreadToken
SetSecurityDescriptorGroup
GetTokenInformation
RegEnumKeyW
EqualSid
RegQueryValueExW
InitializeSecurityDescriptor
SetSecurityDescriptorDacl
LookupPrivilegeValueW
GetAce
GetSecurityDescriptorLength
MakeAbsoluteSD
InitializeAcl
AllocateAndInitializeSid
SetServiceStatus
SetSecurityDescriptorOwner
AddAccessAllowedAce
RevertToSelf
FreeSid
RegOpenKeyExW
MakeSelfRelativeSD
RegisterServiceCtrlHandlerW
GetLengthSid
AdjustTokenPrivileges
RegCloseKey
ADVAPI32.dll
GetSystemDefaultLangID
ExitProcess
GetCommandLineW
GetEnvironmentVariableW
FreeLibrary
LoadLibraryExW
GetCurrentProcess
GetModuleHandleExW
WaitForSingleObject
SetEvent
OutputDebugStringW
GetModuleHandleW
GetCurrentThread
WriteFile
InitializeCriticalSection
OpenProcess
GlobalAlloc
WideCharToMultiByte
LoadLibraryW
GetLocaleInfoW
Sleep
FormatMessageW
GetVersionExW
LeaveCriticalSection
GetModuleFileNameW
CompareStringW
GetACP
lstrcmpW
MultiByteToWideChar
lstrlenW
GetStdHandle
GetLastError
SetLastError
GetProcAddress
EnterCriticalSection
GlobalFree
UnhandledExceptionFilter
GetFileType
CreateEventW
SetCurrentDirectoryW
OpenEventW
DeleteCriticalSection
CloseHandle
GetVersion
CreateThread
GetSystemDirectoryW
KERNEL32.dll
DispatchMessageW
PostThreadMessageW
PeekMessageW
IsCharAlphaNumericW
TranslateMessage
MsgWaitForMultipleObjects
PostQuitMessage
GetMessageW
USER32.dll
_wcsicmp
_vsnwprintf
_vsnprintf
_XcptFilter
_amsg_exit
__getmainargs
__set_app_type
_exit
_cexit
_ismbblead
__setusermatherr
_initterm
__C_specific_handler
_acmdln
_fmode
_commode
msvcrt.dll
_lock
_unlock
__dllonexit
_onexit
memcpy
memset
?terminate@@YAXXZ
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
ntdll.dll
CoUninitialize
CoInitialize
StgOpenStorage
CoRevokeClassObject
CoRegisterClassObject
ole32.dll
GetStartupInfoW
SetUnhandledExceptionFilter
TerminateProcess
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
GetTickCount
LoadLibraryExA
DelayLoadFailureHook
</assembly>
wxr""/p
r""/p
wr""/p
wwwwwwwxp
wwwwwwww
SeSecurityPrivilege
MSIServer
_MSI_TEST
SetServiceStatus failed.
RegisterServiceCtrlHandler failed.
Msi.dll
%d.%d.%.4d.%d
LocalPackage
MSIINSTANCEGUID=
REMOVE=ALL
ACTION=ADMIN
PECMS
REINSTALL=ALL REINSTALLMODE=%s
PackageCode
ISMIF32.DLL
Software\Policies\Microsoft\Windows\Installer
Debug
KERNEL32
Install error %i
Failed to connect to server. Error: 0x%X
Kernel32.dll
Software\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries
update
uninstall
package
quiet
passive
/qb!- REBOOTPROMPT=S
norestart
REBOOT=ReallySuppress
forcerestart
REBOOT=Force
promptrestart
REBOOTPROMPT=""
PATCH=
MSIPATCHREMOVE=
OLEAUT32.dll
ServerMain (CA): Open synchronization event failed
ServerMain (CA): Wait on synchronization event failed
OpenProcessToken failed with %d
ServerMain (CA): Error: icacContext in CA server should be EEUI but is not any impersonated type
ServerMain (CA): CoInitializeSecurity failed
ServerMain (CA): Connection to Service failed.
ServerMain (CA): Process not registered with service.
ServerMain (CA): Could not open synchronization handle.
ServerMain (CA): Impersonation token not saved.
StartServiceCtrlDispatcher failed.
CLSID
ServiceThreadMain: CoInitializeSecurity failed
CoCreateInstance of CLSID_GlobalOptions failed.
Set of COMGLB_UNMARSHALING_POLICY failed.
ServiceThreadMain: CreateSD for CreateWaitableTimer failed.
ServiceThreadMain: CreateEvent failed.
ServiceThreadMain: CreateWaitableTimer failed.
ServiceThreadMain: SetWaitableTimer failed.
ServiceThreadMain: Class registration failed
Wait Failed in MsgWait.
mewuifsoarpcvxgh!
RUVEH?IJDqXFAtPYZlgmnc
SummaryInformation
rpoedcamusv
OLE32
COMCTL32
VERSION
api-ms-win-core-delayload-l1-1-1.dll
KERNEL32.DLL
VS_VERSION_INFO
StringFileInfo
040904B0
CompanyName
Microsoft Corporation
FileDescription
installer
FileVersion
5.0.9600.19082 (winblue_ltsb.180619-0600)
InternalName
msiexec
LegalCopyright
Microsoft Corporation. All rights reserved.
OriginalFilename
msiexec.exe
ProductName
Windows Installer - Unicode
ProductVersion
5.0.9600.19082
VarFileInfo
Translation
en-US
没有防病毒引擎扫描信息!

进程树


msiexec.exe, PID: 2432, 上一级进程 PID: 2160

访问主机纪录 (可点击查询WPING实时安全评级)

无主机纪录.

TCP

源地址 源端口 目标地址 目标端口
192.168.122.201 49158 23.219.172.56 acroipm.adobe.com 80

UDP

源地址 源端口 目标地址 目标端口
192.168.122.201 63282 192.168.122.1 53

域名解析 (可点击查询WPING实时安全评级)

域名 安全评级 响应
acroipm.adobe.com A 23.2.16.116
CNAME acroipm.adobe.com.edgesuite.net
CNAME a1983.dscd.akamai.net
A 23.219.172.56

TCP

源地址 源端口 目标地址 目标端口
192.168.122.201 49158 23.219.172.56 acroipm.adobe.com 80

UDP

源地址 源端口 目标地址 目标端口
192.168.122.201 63282 192.168.122.1 53

HTTP 请求

URI HTTP数据
URL专业沙箱检测 -> http://acroipm.adobe.com/11/rdr/CHS/win/nooem/none/message.zip
GET /11/rdr/CHS/win/nooem/none/message.zip HTTP/1.1
Accept: */*
If-Modified-Since: Mon, 08 Nov 2017 08:44:36 GMT
User-Agent: IPM
Host: acroipm.adobe.com
Connection: Keep-Alive
Cache-Control: no-cache

SMTP 流量

无SMTP流量.

IRC 流量

无IRC请求.

ICMP 流量

无ICMP流量.

CIF 报告

无 CIF 结果

网络警报

无警报

TLS

No TLS

Suricata HTTP

No Suricata HTTP

未发现网络提取文件
抱歉! 没有任何文件投放。
没有发现相似的分析.
HTML 总结报告
(需15-60分钟同步)
下载

Processing ( 20.908 seconds )

  • 15.539 Suricata
  • 2.376 VirusTotal
  • 1.127 Static
  • 0.823 NetworkAnalysis
  • 0.422 peid
  • 0.354 TargetInfo
  • 0.137 AnalysisInfo
  • 0.118 BehaviorAnalysis
  • 0.009 Strings
  • 0.003 Memory

Signatures ( 2.017 seconds )

  • 1.839 md_url_bl
  • 0.027 antiav_detectreg
  • 0.022 md_domain_bl
  • 0.011 infostealer_ftp
  • 0.007 anomaly_persistence_autorun
  • 0.007 antiav_detectfile
  • 0.007 infostealer_im
  • 0.006 antianalysis_detectreg
  • 0.006 geodo_banking_trojan
  • 0.006 ransomware_files
  • 0.005 api_spamming
  • 0.005 infostealer_bitcoin
  • 0.005 network_http
  • 0.005 ransomware_extensions
  • 0.004 stealth_timeout
  • 0.004 infostealer_mail
  • 0.003 tinba_behavior
  • 0.003 stealth_decoy_document
  • 0.003 antivm_vbox_files
  • 0.003 disables_browser_warn
  • 0.003 network_torgateway
  • 0.002 rat_nanocore
  • 0.002 betabot_behavior
  • 0.002 cerber_behavior
  • 0.002 browser_security
  • 0.002 modify_proxy
  • 0.002 md_bad_drop
  • 0.002 network_cnc_http
  • 0.001 mimics_filetime
  • 0.001 reads_self
  • 0.001 ursnif_behavior
  • 0.001 kibex_behavior
  • 0.001 shifu_behavior
  • 0.001 virus
  • 0.001 antianalysis_detectfile
  • 0.001 antidbg_devices
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_parallels_keys
  • 0.001 antivm_xen_keys
  • 0.001 banker_zeus_mutex
  • 0.001 bot_drive
  • 0.001 bot_drive2
  • 0.001 browser_addon
  • 0.001 disables_system_restore
  • 0.001 disables_windows_defender
  • 0.001 darkcomet_regkeys
  • 0.001 maldun_malicious_drop_executable_file_to_temp_folder
  • 0.001 maldun_network_blacklist
  • 0.001 recon_fingerprint
  • 0.001 stealth_modify_uac_prompt

Reporting ( 0.857 seconds )

  • 0.78 ReportHTMLSummary
  • 0.077 Malheur
Task ID 577687
Mongo ID 5f6dddae2f8f2e0ab952cfb9
Cuckoo release 1.4-Maldun