File name:

heist-launcher_0.5.2_x64_en-US.msi

Full analysis: https://app.any.run/tasks/252cb60f-6686-4087-9e31-fb03a7435ab1
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: June 08, 2025, 14:37:02
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
generated-doc
loader
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: heist-launcher, Author: heist-launcher, Keywords: Installer, Comments: This installer database contains the logic and data required to install heist-launcher., Template: x64;0, Revision Number: {9AEEE150-1CCB-4857-BA01-DE04E7F133D8}, Create Time/Date: Tue Apr 15 22:43:28 2025, Last Saved Time/Date: Tue Apr 15 22:43:28 2025, Number of Pages: 450, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
MD5:

83025AA5847148A956D6E43327A6041E

SHA1:

C26A7448CBF7BFAE55C974BC2B266B3F13AEC3D2

SHA256:

422CD2B564CD7A7996C4BD0812E68681175D44ED9B8E0915E7EF443776CA8548

SSDEEP:

98304:4Gf1FIFq2x3o9Io8PtxQZ/nm8ZqFG0CwSXzz9IVmORI2RaJdChIZLFLn+TuRKLiS:K52JkwvHoq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 5540)

  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 6192)

    • Starts process via Powershell

      • powershell.exe (PID: 5540)

    • Downloads file from URI via Powershell

      • powershell.exe (PID: 5540)

    • Starts POWERSHELL.EXE for commands execution

      • msiexec.exe (PID: 2652)

    • Manipulates environment variables

      • powershell.exe (PID: 5540)

    • The process bypasses the loading of PowerShell profile settings

      • msiexec.exe (PID: 2652)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 5540)
      • MicrosoftEdgeWebview2Setup.exe (PID: 4040)
      • MicrosoftEdgeUpdate.exe (PID: 7748)
      • MicrosoftEdge_X64_137.0.3296.68.exe (PID: 4164)
      • setup.exe (PID: 4424)

    • Process drops legitimate windows executable

      • powershell.exe (PID: 5540)
      • MicrosoftEdgeWebview2Setup.exe (PID: 4040)
      • MicrosoftEdge_X64_137.0.3296.68.exe (PID: 4164)
      • MicrosoftEdgeUpdate.exe (PID: 7748)
      • setup.exe (PID: 4424)

    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeWebview2Setup.exe (PID: 4040)
      • MicrosoftEdgeUpdate.exe (PID: 7748)

    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 7748)

    • Application launched itself

      • setup.exe (PID: 4424)

  • INFO

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 8012)
      • msiexec.exe (PID: 2652)

    • An automatically generated document

      • msiexec.exe (PID: 8012)

    • Checks supported languages

      • msiexec.exe (PID: 2652)
      • msiexec.exe (PID: 5304)

    • Reads the computer name

      • msiexec.exe (PID: 2652)
      • msiexec.exe (PID: 5304)

    • Manages system restore points

      • SrTasks.exe (PID: 5008)

    • The executable file from the user directory is run by the Powershell process

      • MicrosoftEdgeWebview2Setup.exe (PID: 4040)

    • The sample compiled with english language support

      • powershell.exe (PID: 5540)
      • MicrosoftEdge_X64_137.0.3296.68.exe (PID: 4164)
      • MicrosoftEdgeUpdate.exe (PID: 7748)
      • MicrosoftEdgeWebview2Setup.exe (PID: 4040)
      • setup.exe (PID: 4424)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: heist-launcher
Author: heist-launcher
Keywords: Installer
Comments: This installer database contains the logic and data required to install heist-launcher.
Template: x64;0
RevisionNumber: {9AEEE150-1CCB-4857-BA01-DE04E7F133D8}
CreateDate: 2025:04:15 22:43:28
ModifyDate: 2025:04:15 22:43:28
Pages: 450
Words: 2
Software: Windows Installer XML Toolset (3.14.1.8722)
Security: Read-only recommended
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
154
Monitored processes
23
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start msiexec.exe msiexec.exe sppextcomobj.exe no specs slui.exe msiexec.exe no specs vssvc.exe no specs srtasks.exe no specs conhost.exe no specs powershell.exe conhost.exe no specs microsoftedgewebview2setup.exe microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdatecomregistershell64.exe no specs microsoftedgeupdate.exe microsoftedgeupdate.exe no specs microsoftedgeupdate.exe slui.exe microsoftedge_x64_137.0.3296.68.exe setup.exe setup.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
456"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" -EmbeddingC:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Version:
1.3.195.61
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
1116"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.61\MicrosoftEdgeUpdateComRegisterShell64.exe" /user C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\1.3.195.61\MicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update COM Registration Helper
Exit code:
0
Version:
1.3.195.61
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\1.3.195.61\microsoftedgeupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
2124C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{54C10EE2-DFE7-4595-9E12-32A6618AB706}\EDGEMITMP_93736.tmp\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=137.0.7151.69 --annotation=exe=C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{54C10EE2-DFE7-4595-9E12-32A6618AB706}\EDGEMITMP_93736.tmp\setup.exe --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=137.0.3296.68 --initial-client-data=0x230,0x234,0x238,0x20c,0x23c,0x7ff68ff253f8,0x7ff68ff25404,0x7ff68ff25410C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{54C10EE2-DFE7-4595-9E12-32A6618AB706}\EDGEMITMP_93736.tmp\setup.exesetup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Installer
Exit code:
0
Version:
137.0.3296.68
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\install\{54c10ee2-dfe7-4595-9e12-32a6618ab706}\edgemitmp_93736.tmp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
2600"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNjEiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNjEiIGlzbWFjaGluZT0iMCIgc2Vzc2lvbmlkPSJ7RTIwRjRBNDQtREQ1MC00OEZCLThFMTAtNzQ5MTExMTFCMDVFfSIgdXNlcmlkPSJ7OTdBODc1NUMtNzQxNS00Q0EwLUIyRUQtMjVGQUVDRDBBQzIwfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins3Qzk5NkE4OC0xRDc3LTRGQjQtQTQ2OS0zRUZFN0U2MEEzREF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjQwNDYiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJvZHVjdF9uYW1lPSJERUxMIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE5NS42MSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTA3NjA5MjkyNjgiIGluc3RhbGxfdGltZV9tcz0iNjQxIi8-PC9hcHA-PC9yZXF1ZXN0PgC:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.195.61
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
2652C:\WINDOWS\system32\msiexec.exe /VC:\Windows\System32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
2852C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
4040"C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe" /silent /install C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update Setup
Version:
1.3.195.61
Modules
Images
c:\users\admin\appdata\local\temp\microsoftedgewebview2setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
4164"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{54C10EE2-DFE7-4595-9E12-32A6618AB706}\MicrosoftEdge_X64_137.0.3296.68.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --user-levelC:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{54C10EE2-DFE7-4595-9E12-32A6618AB706}\MicrosoftEdge_X64_137.0.3296.68.exe
MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Installer
Version:
137.0.3296.68
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\install\{54c10ee2-dfe7-4595-9e12-32a6618ab706}\microsoftedge_x64_137.0.3296.68.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\shell32.dll
4424"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{54C10EE2-DFE7-4595-9E12-32A6618AB706}\EDGEMITMP_93736.tmp\setup.exe" --install-archive="C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{54C10EE2-DFE7-4595-9E12-32A6618AB706}\MicrosoftEdge_X64_137.0.3296.68.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --user-levelC:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{54C10EE2-DFE7-4595-9E12-32A6618AB706}\EDGEMITMP_93736.tmp\setup.exe
MicrosoftEdge_X64_137.0.3296.68.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Installer
Exit code:
0
Version:
137.0.3296.68
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\install\{54c10ee2-dfe7-4595-9e12-32a6618ab706}\edgemitmp_93736.tmp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
5008C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11C:\Windows\System32\SrTasks.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
18 244
Read events
15 339
Write events
2 848
Delete events
57

Modification events

(PID) Process:(2652) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
4800000000000000688B7FD482D8DB015C0A0000C8130000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(2652) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Enter)
Value:
4800000000000000688B7FD482D8DB015C0A0000C8130000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(2652) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Leave)
Value:
48000000000000006F4DC2D482D8DB015C0A0000C8130000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(2652) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppGetSnapshots (Leave)
Value:
48000000000000001DE9BFD482D8DB015C0A0000C8130000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(2652) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppEnumGroups (Enter)
Value:
48000000000000001DE9BFD482D8DB015C0A0000C8130000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(2652) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
4800000000000000A215C7D482D8DB015C0A0000C8130000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6192) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Operation:writeName:IDENTIFY (Enter)
Value:
480000000000000007894CD582D8DB0130180000780C0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6192) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation:writeName:IDENTIFY (Enter)
Value:
480000000000000007894CD582D8DB0130180000B4170000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6192) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Operation:writeName:IDENTIFY (Enter)
Value:
480000000000000007894CD582D8DB013018000074140000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(6192) VSSVC.exeKey:HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:delete keyName:(default)
Value:
Executable files
206
Suspicious files
16
Text files
8
Unknown types
3

Dropped files

PID
Process
Filename
Type
2652msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
2652msiexec.exeC:\Windows\Installer\1248aa.msi
MD5:
SHA256:
2652msiexec.exeC:\Windows\Installer\1248ac.msi
MD5:
SHA256:
2652msiexec.exeC:\Windows\Installer\MSI4D2E.tmpbinary
MD5:6C3D81DB832BEB8B664D4FC79891A473
SHA256:462E5C2DFA7A933F19F609467B8023339A6148243B510101D5E7261DCBE0A8E5
2652msiexec.exeC:\Windows\Installer\inprogressinstallinfo.ipibinary
MD5:26545FDE1B7709AF115A1EBDBA30E655
SHA256:62A45BB3E225EFE3220939DD98FE2B051073A317645D31BACF57C97164A5DF2D
8012msiexec.exeC:\Users\admin\AppData\Local\Temp\MSI8D2.tmpexecutable
MD5:CFBB8568BD3711A97E6124C56FCFA8D9
SHA256:7F47D98AB25CFEA9B3A2E898C3376CC9BA1CD893B4948B0C27CAA530FD0E34CC
2652msiexec.exeC:\System Volume Information\SPP\OnlineMetadataCache\{99b9e07d-0b1b-405e-8afe-3fa77e5c08b5}_OnDiskSnapshotPropbinary
MD5:E0F143FF493B95FC9F5F60FF409A7998
SHA256:5DB5E50EFC3A2B206F6AAC4A930C922A0039CB713F1D61D749C546859B818E00
2652msiexec.exeC:\Program Files\heist-launcher\Uninstall heist-launcher.lnkbinary
MD5:A3D9E509C27BF00D7A2FF84B5171E3D8
SHA256:AD72BB84CCF66D88875E924A30A15D769450675C1C6A0F3DE9ACA01495C65CE2
2652msiexec.exeC:\Users\Public\Desktop\heist-launcher.lnkbinary
MD5:D6A21D7BA86570FC4905011385333A78
SHA256:DB853A9D10FF8CF3F82B03C3569F5DFFEB3B6921A6B5637B9253766E5F73BD02
5540powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_s5sbldi5.dvw.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
32
DNS requests
20
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6644
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.48.23.158:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6644
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7556
svchost.exe
HEAD
200
208.89.74.17:80
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/dd10bb14-d22e-42e7-9282-77f2eefe7577?P1=1749998262&P2=404&P3=2&P4=P8vcEKv1rMC%2fnkz0qrBJc43pXfkb8xVHF2R6vHGS029gSdGjY6wWsEVmVsef%2femSGZyg9s1SmDEZZLWvmtEixQ%3d%3d
unknown
whitelisted
7556
svchost.exe
GET
200
208.89.74.17:80
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/dd10bb14-d22e-42e7-9282-77f2eefe7577?P1=1749998262&P2=404&P3=2&P4=P8vcEKv1rMC%2fnkz0qrBJc43pXfkb8xVHF2R6vHGS029gSdGjY6wWsEVmVsef%2femSGZyg9s1SmDEZZLWvmtEixQ%3d%3d
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5216
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
23.48.23.158:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
7872
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
40.126.32.76:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 23.48.23.158
  • 23.48.23.180
  • 23.48.23.159
  • 23.48.23.156
  • 23.48.23.143
  • 23.48.23.164
  • 23.48.23.166
  • 23.48.23.141
  • 23.48.23.177
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 23.219.150.101
whitelisted
google.com
  • 142.250.185.110
whitelisted
login.live.com
  • 40.126.32.76
  • 20.190.160.20
  • 20.190.160.17
  • 20.190.160.64
  • 20.190.160.66
  • 20.190.160.132
  • 20.190.160.22
  • 20.190.160.131
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
msedge.sf.dl.delivery.mp.microsoft.com
  • 2.19.126.139
  • 2.19.126.136
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted

Threats

PID
Process
Class
Message
7556
svchost.exe
Misc activity
ET INFO Packed Executable Download
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
heist-launcher_0.5.2_x64_en-US.msi