| File name: | setup.msi |
| Full analysis: | https://app.any.run/tasks/20726d0e-a889-40f0-8207-6ec6e1b04df3 |
| Verdict: | Malicious activity |
| Analysis date: | January 26, 2025, 12:25:25 |
| OS: | Windows 11 Professional (build: 22000, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-msi |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {B10647ED-B3CC-4B31-AB52-CA6C9C0C8593}, Number of Words: 10, Subject: Kowi SApp, Author: Viaoq Corp Solus, Name of Creating Application: Kowi SApp, Template: x64;2057, Comments: This installer database contains the logic and data required to install Kowi SApp., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sat Jan 25 15:27:17 2025, Last Saved Time/Date: Sat Jan 25 15:27:17 2025, Last Printed: Sat Jan 25 15:27:17 2025, Number of Pages: 450 |
| MD5: | A86EC101F539EABCDD6CDF2C5EE1D10B |
| SHA1: | 9BCC6CA9327B58A0B990BFAC4101327C6A29F61B |
| SHA256: | 0678EEE9C1995C290EAC1418382E425FABF0BBCFC04EDFBDC48462DC716B6957 |
| SSDEEP: | 196608:pVhszBAlzMGe8V/U2GdzwK8nntb/eC7pIVaCBg7riSVrUSH+Y0mL4mk:n6qiGHJUHxmnVeC7Aa7riSVrUSeYl8m |
MALICIOUS
No malicious indicators.SUSPICIOUS
Reads the Windows owner or organization settings
- msiexec.exe (PID: 4768)
Process drops legitimate windows executable
- msiexec.exe (PID: 4768)
The process drops C-runtime libraries
- msiexec.exe (PID: 4768)
Executable content was dropped or overwritten
- UnRar.exe (PID: 3488)
Reads the Internet Settings
- explorer.exe (PID: 1836)
Executes application which crashes
- obs-ffmpeg-mux.exe (PID: 5320)
INFO
An automatically generated document
- msiexec.exe (PID: 876)
Reads the computer name
- msiexec.exe (PID: 4768)
- msiexec.exe (PID: 844)
Checks supported languages
- msiexec.exe (PID: 844)
- msiexec.exe (PID: 4768)
- UnRar.exe (PID: 3488)
- createdump.exe (PID: 5072)
- obs-ffmpeg-mux.exe (PID: 5320)
Creates files or folders in the user directory
- msiexec.exe (PID: 4768)
- UnRar.exe (PID: 3488)
The sample compiled with english language support
- msiexec.exe (PID: 4768)
Reads Environment values
- msiexec.exe (PID: 844)
Executable content was dropped or overwritten
- msiexec.exe (PID: 4768)
Creates a software uninstall entry
- msiexec.exe (PID: 4768)
Checks proxy server information
- explorer.exe (PID: 1836)
Reads security settings of Internet Explorer
- explorer.exe (PID: 1836)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .msi | | | Microsoft Windows Installer (88.6) |
|---|---|---|
| .mst | | | Windows SDK Setup Transform Script (10) |
| .msi | | | Microsoft Installer (100) |
EXIF
FlashPix
| Security: | None |
|---|---|
| CodePage: | Windows Latin 1 (Western European) |
| RevisionNumber: | {B10647ED-B3CC-4B31-AB52-CA6C9C0C8593} |
| Words: | 10 |
| Subject: | Kowi SApp |
| Author: | Viaoq Corp Solus |
| LastModifiedBy: | - |
| Software: | Kowi SApp |
| Template: | x64;2057 |
| Comments: | This installer database contains the logic and data required to install Kowi SApp. |
| Title: | Installation Database |
| Keywords: | Installer, MSI, Database |
| CreateDate: | 2025:01:25 15:27:17 |
| ModifyDate: | 2025:01:25 15:27:17 |
| LastPrinted: | 2025:01:25 15:27:17 |
| Pages: | 450 |
Total processes
132
Monitored processes
11
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 844 | C:\Windows\syswow64\MsiExec.exe -Embedding EED1265800958FF8C8769CFD28D31B83 | C:\Windows\SysWOW64\msiexec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.22000.653 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 876 | "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\Desktop\setup.msi | C:\Windows\System32\msiexec.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.22000.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1436 | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | UnRar.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.22000.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1836 | C:\Windows\SysWOW64\explorer.exe explorer.exe | C:\Windows\SysWOW64\explorer.exe | obs-ffmpeg-mux.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 0 Version: 10.0.22000.184 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2312 | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | createdump.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.22000.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2704 | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | obs-ffmpeg-mux.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.22000.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3488 | "C:\Users\admin\AppData\Roaming\Viaoq Corp Solus\Kowi SApp\UnRar.exe" x -p156427613t -o+ "C:\Users\admin\AppData\Roaming\Viaoq Corp Solus\Kowi SApp\iwhgjds.rar" "C:\Users\admin\AppData\Roaming\Viaoq Corp Solus\Kowi SApp\" | C:\Users\admin\AppData\Roaming\Viaoq Corp Solus\Kowi SApp\UnRar.exe | msiexec.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: Command line RAR Exit code: 0 Version: 7.1.0 Modules
| |||||||||||||||
| 4768 | C:\Windows\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Exit code: 0 Version: 5.0.22000.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5072 | "C:\Users\admin\AppData\Roaming\Viaoq Corp Solus\Kowi SApp\createdump.exe" | C:\Users\admin\AppData\Roaming\Viaoq Corp Solus\Kowi SApp\createdump.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Runtime Crash Dump Generator Exit code: 4294967295 Version: 6,0,2223,42425 @Commit: 4bb6dc195c0a3bc4c7e24ff54a8925b98db Modules
| |||||||||||||||
| 5320 | "C:\Users\admin\AppData\Roaming\Viaoq Corp Solus\Kowi SApp\obs-ffmpeg-mux.exe" | C:\Users\admin\AppData\Roaming\Viaoq Corp Solus\Kowi SApp\obs-ffmpeg-mux.exe | msiexec.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221225477 Modules
| |||||||||||||||
Total events
2 506
Read events
2 360
Write events
135
Delete events
11
Modification events
| (PID) Process: | (4768) msiexec.exe | Key: | HKEY_USERS\S-1-5-21-166304369-59083888-3082702900-1001\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Owner |
Value: A012000051D25A6CED6FDB01 | |||
| (PID) Process: | (4768) msiexec.exe | Key: | HKEY_USERS\S-1-5-21-166304369-59083888-3082702900-1001\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | SessionHash |
Value: B692E2375E2AE0B3D12135C8AFB8FB73E46BDD6E43DB692125EFEA247956A4F7 | |||
| (PID) Process: | (4768) msiexec.exe | Key: | HKEY_USERS\S-1-5-21-166304369-59083888-3082702900-1001\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Sequence |
Value: 1 | |||
| (PID) Process: | (4768) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-166304369-59083888-3082702900-1001\Components\C04D16F8CDF5F4543AC9A3616BA42840 |
| Operation: | write | Name: | F99535FE89E8BF942B6F5B5DB8557DA6 |
Value: C:\Users\admin\AppData\Roaming\Viaoq Corp Solus\Kowi SApp\api-ms-win-crt-environment-l1-1-0.dll | |||
| (PID) Process: | (4768) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-166304369-59083888-3082702900-1001\Components\74BFD8668DF9CDF4DAE798C67C0F5E07 |
| Operation: | write | Name: | F99535FE89E8BF942B6F5B5DB8557DA6 |
Value: C:\Users\admin\AppData\Roaming\Viaoq Corp Solus\Kowi SApp\api-ms-win-crt-filesystem-l1-1-0.dll | |||
| (PID) Process: | (4768) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-166304369-59083888-3082702900-1001\Components\E84195AD854B9A744A14CCC0101E24CE |
| Operation: | write | Name: | F99535FE89E8BF942B6F5B5DB8557DA6 |
Value: C:\Users\admin\AppData\Roaming\Viaoq Corp Solus\Kowi SApp\api-ms-win-core-console-l1-1-0.dll | |||
| (PID) Process: | (4768) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-166304369-59083888-3082702900-1001\Components\1DD769335A51CEF409558BD4F1FD0D16 |
| Operation: | write | Name: | F99535FE89E8BF942B6F5B5DB8557DA6 |
Value: C:\Users\admin\AppData\Roaming\Viaoq Corp Solus\Kowi SApp\api-ms-win-core-console-l1-2-0.dll | |||
| (PID) Process: | (4768) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-166304369-59083888-3082702900-1001\Components\A90F39F166BA2EA44BC33F5B99568A56 |
| Operation: | write | Name: | F99535FE89E8BF942B6F5B5DB8557DA6 |
Value: C:\Users\admin\AppData\Roaming\Viaoq Corp Solus\Kowi SApp\api-ms-win-core-datetime-l1-1-0.dll | |||
| (PID) Process: | (4768) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-166304369-59083888-3082702900-1001\Components\448F614546145E44A8D80DE268772838 |
| Operation: | write | Name: | F99535FE89E8BF942B6F5B5DB8557DA6 |
Value: C:\Users\admin\AppData\Roaming\Viaoq Corp Solus\Kowi SApp\api-ms-win-core-debug-l1-1-0.dll | |||
| (PID) Process: | (4768) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-166304369-59083888-3082702900-1001\Components\05FD0BAA4CB2CD9439DCE5CDE594202A |
| Operation: | write | Name: | F99535FE89E8BF942B6F5B5DB8557DA6 |
Value: C:\Users\admin\AppData\Roaming\Viaoq Corp Solus\Kowi SApp\api-ms-win-core-errorhandling-l1-1-0.dll | |||
Executable files
52
Suspicious files
19
Text files
1
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4768 | msiexec.exe | C:\Windows\Installer\25121c.msi | — | |
MD5:— | SHA256:— | |||
| 4768 | msiexec.exe | C:\Windows\Installer\MSI1394.tmp | executable | |
MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2 | SHA256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752 | |||
| 4768 | msiexec.exe | C:\Windows\Installer\MSI14C2.tmp | executable | |
MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2 | SHA256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752 | |||
| 4768 | msiexec.exe | C:\Windows\Installer\MSI12C8.tmp | executable | |
MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2 | SHA256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752 | |||
| 4768 | msiexec.exe | C:\Windows\Installer\MSI1492.tmp | executable | |
MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2 | SHA256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752 | |||
| 4768 | msiexec.exe | C:\Windows\Temp\~DF08466B0A96536E78.TMP | binary | |
MD5:BF619EAC0CDF3F68D496EA9344137E8B | SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560 | |||
| 4768 | msiexec.exe | C:\Windows\Temp\~DF2C65543F3348C1E6.TMP | binary | |
MD5:116562F16E88040A5C5D5CA12A2B55A8 | SHA256:20EFA5264C32A92891F1A11C873907FFB22B5B457AF2498DC96101D8A8B1C06B | |||
| 4768 | msiexec.exe | C:\Windows\Installer\inprogressinstallinfo.ipi | binary | |
MD5:116562F16E88040A5C5D5CA12A2B55A8 | SHA256:20EFA5264C32A92891F1A11C873907FFB22B5B457AF2498DC96101D8A8B1C06B | |||
| 4768 | msiexec.exe | C:\Windows\Installer\MSI13E3.tmp | executable | |
MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2 | SHA256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752 | |||
| 4768 | msiexec.exe | C:\Users\admin\AppData\Roaming\Viaoq Corp Solus\Kowi SApp\vcruntime140.dll | executable | |
MD5:F34EB034AA4A9735218686590CBA2E8B | SHA256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
43
TCP/UDP connections
55
DNS requests
15
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1296 | svchost.exe | GET | 200 | 2.18.64.200:80 | http://www.msftconnecttest.com/connecttest.txt | unknown | — | — | whitelisted |
4476 | MoUsoCoreWorker.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7c50545a2479bbff | unknown | — | — | whitelisted |
1836 | explorer.exe | GET | 200 | 169.150.247.36:80 | http://lightningpatrol.com/front.php?a=ugAIfXiWJSTQl4X&id=0 | unknown | — | — | unknown |
2860 | svchost.exe | GET | 304 | 2.16.10.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6a9a8dc8f99a4184 | unknown | — | — | whitelisted |
2860 | svchost.exe | GET | 200 | 2.16.10.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?3e134dd2738d4661 | unknown | — | — | whitelisted |
2860 | svchost.exe | GET | 200 | 2.16.10.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?8a3f5205275d40c7 | unknown | — | — | whitelisted |
2860 | svchost.exe | GET | 200 | 2.16.10.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?7b06b985bb73d1f0 | unknown | — | — | whitelisted |
2260 | svchost.exe | POST | 403 | 23.35.238.131:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | — | — | whitelisted |
2260 | svchost.exe | POST | 403 | 23.35.238.131:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | — | — | whitelisted |
2260 | svchost.exe | POST | 403 | 23.35.238.131:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
1296 | svchost.exe | 2.18.64.212:80 | — | Administracion Nacional de Telecomunicaciones | UY | unknown |
1296 | svchost.exe | 2.18.64.200:80 | — | Administracion Nacional de Telecomunicaciones | UY | unknown |
4476 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4476 | MoUsoCoreWorker.exe | 199.232.210.172:80 | ctldl.windowsupdate.com | FASTLY | US | whitelisted |
1592 | svchost.exe | 20.190.159.75:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2884 | svchost.exe | 13.89.179.14:443 | v10.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
1836 | explorer.exe | 169.150.247.36:80 | lightningpatrol.com | — | GB | unknown |
2860 | svchost.exe | 2.16.10.172:80 | ctldl.windowsupdate.com | Akamai International B.V. | AT | whitelisted |
5552 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
login.live.com |
| whitelisted |
v10.events.data.microsoft.com |
| whitelisted |
lightningpatrol.com |
| unknown |
fs.microsoft.com |
| whitelisted |
officeclient.microsoft.com |
| whitelisted |
ecs.office.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1296 | svchost.exe | Misc activity | ET INFO Microsoft Connection Test |
Process | Message |
|---|---|
obs-ffmpeg-mux.exe | Operation failed. |