Malware analysis Setup.msi Malicious activity | ANY.RUN

Add for printing

File name:	Setup.msi
Full analysis:	https://app.any.run/tasks/cf8cf167-1098-4aab-9061-33950a40826f
Verdict:	Malicious activity
Threats:	HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	July 26, 2025, 15:14:31
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	generated-doc auto generic hijackloader loader
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Blank Project Template, Author: InstallShield, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2020 - Premier Edition with Virtualization Pack 26, Last Saved Time/Date: Fri Jul 25 22:26:10 2025, Create Time/Date: Fri Jul 25 22:26:10 2025, Last Printed: Fri Jul 25 22:26:10 2025, Revision Number: {934E6911-C4C1-4FEB-98D1-EEEB07051F56}, Code page: 1252, Template: Intel;1033
MD5:	2B9C643373051441C7DFD1A693CA46B6
SHA1:	514F80B9C078F6C7E5AD8061B8D022E2512011DB
SHA256:	4533E15932F30837C6F5D8D31784E940FF1C10FF8F7E787CC52B2F1E37D730F6
SSDEEP:	98304:MUtTF8zvM/MF+65gQAD38rTPAPN8ijpVCHUxxQ/40HWiOoHT9xKLGAvGm4VeVHim:XUtlAR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- GENERIC has been found (auto)
  - StellaCore64.exe (PID: 5628)
- HIJACKLOADER has been detected (YARA)
  - StellaCore64.exe (PID: 5628)
SUSPICIOUS
- The process drops C-runtime libraries
  - msiexec.exe (PID: 2848)
  - StellaCore64.exe (PID: 5284)
- Process drops legitimate windows executable
  - msiexec.exe (PID: 2848)
  - StellaCore64.exe (PID: 5284)
- Starts itself from another location
  - StellaCore64.exe (PID: 5284)
- Executable content was dropped or overwritten
  - StellaCore64.exe (PID: 5628)
  - StellaCore64.exe (PID: 5284)
- The process creates files with name similar to system file names
  - StellaCore64.exe (PID: 5628)
- The process checks if it is being run in the virtual environment
  - XeExplorer.exe (PID: 3872)
INFO
- Reads the computer name
  - msiexec.exe (PID: 6948)
  - msiexec.exe (PID: 2848)
  - ISBEW64.exe (PID: 6312)
  - ISBEW64.exe (PID: 3860)
  - ISBEW64.exe (PID: 1636)
  - ISBEW64.exe (PID: 1380)
  - ISBEW64.exe (PID: 4400)
  - ISBEW64.exe (PID: 7116)
  - ISBEW64.exe (PID: 2368)
  - ISBEW64.exe (PID: 5960)
  - StellaCore64.exe (PID: 5284)
  - StellaCore64.exe (PID: 5628)
  - XPFix.exe (PID: 6524)
  - XeExplorer.exe (PID: 3872)
  - ISBEW64.exe (PID: 4748)
  - ISBEW64.exe (PID: 6876)
- Checks supported languages
  - msiexec.exe (PID: 6948)
  - msiexec.exe (PID: 2848)
  - ISBEW64.exe (PID: 6312)
  - ISBEW64.exe (PID: 4748)
  - ISBEW64.exe (PID: 3860)
  - ISBEW64.exe (PID: 6876)
  - ISBEW64.exe (PID: 5960)
  - ISBEW64.exe (PID: 1636)
  - ISBEW64.exe (PID: 4400)
  - ISBEW64.exe (PID: 1380)
  - ISBEW64.exe (PID: 7116)
  - ISBEW64.exe (PID: 2368)
  - StellaCore64.exe (PID: 5284)
  - StellaCore64.exe (PID: 5628)
  - XeExplorer.exe (PID: 3872)
  - XPFix.exe (PID: 6524)
- An automatically generated document
  - msiexec.exe (PID: 1728)
- The sample compiled with english language support
  - msiexec.exe (PID: 1728)
  - msiexec.exe (PID: 2848)
  - StellaCore64.exe (PID: 5284)
  - StellaCore64.exe (PID: 5628)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 1728)
  - msiexec.exe (PID: 2848)
- Create files in a temporary directory
  - msiexec.exe (PID: 2848)
  - StellaCore64.exe (PID: 5628)
- The sample compiled with chinese language support
  - msiexec.exe (PID: 2848)
  - StellaCore64.exe (PID: 5628)
  - StellaCore64.exe (PID: 5284)
- Creates files or folders in the user directory
  - StellaCore64.exe (PID: 5628)
- Creates files in the program directory
  - StellaCore64.exe (PID: 5628)
  - StellaCore64.exe (PID: 5284)
- Reads the machine GUID from the registry
  - XeExplorer.exe (PID: 3872)
- Manual execution by a user
  - OOBE-Maintenance.exe (PID: 3480)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.msi	\|	Microsoft Windows Installer (84.2)
.mst	\|	Windows SDK Setup Transform Script (9.5)
.msi	\|	Microsoft Installer (100)

EXIF

FlashPix

Characters:	-
LastModifiedBy:	InstallShield
Words:	-
Title:	Installation Database
Comments:	Contact: Your local administrator
Keywords:	Installer,MSI,Database
Subject:	Blank Project Template
Author:	InstallShield
Security:	Password protected
Pages:	200
Software:	InstallShield? 2020 - Premier Edition with Virtualization Pack 26
ModifyDate:	2025:07:25 22:26:10
CreateDate:	2025:07:25 22:26:10
LastPrinted:	2025:07:25 22:26:10
RevisionNumber:	{934E6911-C4C1-4FEB-98D1-EEEB07051F56}
CodePage:	Windows Latin 1 (Western European)
Template:	Intel;1033

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

155

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1380

C:\Users\admin\AppData\Local\Temp\{836A923B-4C9F-4417-9E58-D50CB0C39348}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{83E7B8DB-0C86-45D0-B7C5-254EFBC076DE}

C:\Users\admin\AppData\Local\Temp\{836A923B-4C9F-4417-9E58-D50CB0C39348}\ISBEW64.exe

—

msiexec.exe

User:

admin

Company:

Flexera

Integrity Level:

MEDIUM

Description:

InstallShield (R) 64-bit Setup Engine

Exit code:

Version:

26.0.546

Modules

Images
c:\users\admin\appdata\local\temp\{836a923b-4c9f-4417-9e58-d50cb0c39348}\isbew64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

1636

C:\Users\admin\AppData\Local\Temp\{836A923B-4C9F-4417-9E58-D50CB0C39348}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{542AA9E8-DAF6-4B07-A90E-213FBC0E92FE}

C:\Users\admin\AppData\Local\Temp\{836A923B-4C9F-4417-9E58-D50CB0C39348}\ISBEW64.exe

—

msiexec.exe

User:

admin

Company:

Flexera

Integrity Level:

MEDIUM

Description:

InstallShield (R) 64-bit Setup Engine

Exit code:

Version:

26.0.546

Modules

Images
c:\users\admin\appdata\local\temp\{836a923b-4c9f-4417-9e58-d50cb0c39348}\isbew64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

1728

"C:\Windows\System32\msiexec.exe" /i C:\Users\admin\Desktop\Setup.msi

C:\Windows\System32\msiexec.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Exit code:

1603

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

2368

C:\Users\admin\AppData\Local\Temp\{836A923B-4C9F-4417-9E58-D50CB0C39348}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B3E5BDB6-BC80-4EEF-A848-5BD57E85F186}

C:\Users\admin\AppData\Local\Temp\{836A923B-4C9F-4417-9E58-D50CB0C39348}\ISBEW64.exe

—

msiexec.exe

User:

admin

Company:

Flexera

Integrity Level:

MEDIUM

Description:

InstallShield (R) 64-bit Setup Engine

Exit code:

Version:

26.0.546

Modules

Images
c:\users\admin\appdata\local\temp\{836a923b-4c9f-4417-9e58-d50cb0c39348}\isbew64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

2848

C:\Windows\syswow64\MsiExec.exe -Embedding F02D090CE152CC05D62CA659DD1495C6 C

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Exit code:

Version:

5.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

3480

"C:\WINDOWS\system32\OOBE-Maintenance.exe"

C:\Windows\System32\OOBE-Maintenance.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

OOBE-Maintenance

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\oobe-maintenance.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\shcore.dll

3768

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

3860

C:\Users\admin\AppData\Local\Temp\{836A923B-4C9F-4417-9E58-D50CB0C39348}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D2BEE350-F882-483A-9338-BC5C904EF55F}

C:\Users\admin\AppData\Local\Temp\{836A923B-4C9F-4417-9E58-D50CB0C39348}\ISBEW64.exe

—

msiexec.exe

User:

admin

Company:

Flexera

Integrity Level:

MEDIUM

Description:

InstallShield (R) 64-bit Setup Engine

Exit code:

Version:

26.0.546

Modules

Images
c:\users\admin\appdata\local\temp\{836a923b-4c9f-4417-9e58-d50cb0c39348}\isbew64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

3872

C:\ProgramData\XeExplorer.exe

StellaCore64.exe

User:

admin

Company:

Ludwig.guru

Integrity Level:

MEDIUM

Description:

Ludwig

Exit code:

Version:

3.1.8

Modules

Images
c:\users\admin\appdata\local\temp\5bcde85.tmp
c:\programdata\xeexplorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll

4400

C:\Users\admin\AppData\Local\Temp\{836A923B-4C9F-4417-9E58-D50CB0C39348}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8357A859-C1F9-4D15-9E45-00581061CB23}

C:\Users\admin\AppData\Local\Temp\{836A923B-4C9F-4417-9E58-D50CB0C39348}\ISBEW64.exe

—

msiexec.exe

User:

admin

Company:

Flexera

Integrity Level:

MEDIUM

Description:

InstallShield (R) 64-bit Setup Engine

Exit code:

Version:

26.0.546

Modules

Images
c:\users\admin\appdata\local\temp\{836a923b-4c9f-4417-9e58-d50cb0c39348}\isbew64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

Add for printing

Total events

1 477

Read events

1 477

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2848	msiexec.exe	C:\Users\admin\AppData\Local\Temp\{429AF88D-0304-4721-A5DA-9AA6E85F3B07}\BugSplat64.dll		executable
		MD5:5586BC6536324699FA939E6183BB94DB	SHA256:18AD20E5F8BF6D9F7F00C2F6F64995C9C69EE694205562BAE0F9E8FBB9574FB8
2848	msiexec.exe	C:\Users\admin\AppData\Local\Temp\{429AF88D-0304-4721-A5DA-9AA6E85F3B07}\MSVCR120.dll		executable
		MD5:9C861C079DD81762B6C54E37597B7712	SHA256:AD32240BB1DE55C3F5FCAC8789F583A17057F9D14914C538C2A7A5AD346B341C
2848	msiexec.exe	C:\Users\admin\AppData\Local\Temp\{429AF88D-0304-4721-A5DA-9AA6E85F3B07}\Cortteng.zt		binary
		MD5:B73443340435B1719E58AE9552B40200	SHA256:1254C6BE3E2C7DCB46E33CF3311F094E90615DC9EAE3F6809CA94003C3CDA13C
1728	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSICF14.tmp		executable
		MD5:36D5C2D7AB1708D4918C4EC1024D7206	SHA256:1DEA4265ABA6B0BD08CC064B64205D81174B52EF7B0519D488418770431056B3
2848	msiexec.exe	C:\Users\admin\AppData\Local\Temp\{429AF88D-0304-4721-A5DA-9AA6E85F3B07}\WS_Log.DLL		executable
		MD5:CF46BE0C22FA34389ADBA1F40B547D42	SHA256:3F947D2EE794527EE4E81BD06F3BCACFA7514B01B6E5C5AA5B6B6279C7A2FD9E
2848	msiexec.exe	C:\Users\admin\AppData\Local\Temp\{429AF88D-0304-4721-A5DA-9AA6E85F3B07}\CValiableVTSList.dll		executable
		MD5:2B3F4B046D585D2E5ADFD0ADBE797A5C	SHA256:57B04950019A3B7B1AD59A335FE1407A93FE5223B5DD7E9B2E288BD8ACA1DCC9
2848	msiexec.exe	C:\Users\admin\AppData\Local\Temp\{429AF88D-0304-4721-A5DA-9AA6E85F3B07}\Criestiet.ts		binary
		MD5:96AA171B2637DBA1951E2FFADC538B22	SHA256:B018F1AF994E8F160700EDA95478E02190AA988ED1CFCB751E8994A2E60F5CFA
2848	msiexec.exe	C:\Users\admin\AppData\Local\Temp\{429AF88D-0304-4721-A5DA-9AA6E85F3B07}\MSVCP120.dll		executable
		MD5:46060C35F697281BC5E7337AEE3722B1	SHA256:2ABF0AAB5A3C5AE9424B64E9D19D9D6D4AEBC67814D7E92E4927B9798FEF2848
2848	msiexec.exe	C:\Users\admin\AppData\Local\Temp\{429AF88D-0304-4721-A5DA-9AA6E85F3B07}\StellaCore64.exe		executable
		MD5:DB55C6DD39CF4E11CE318483C0A316FE	SHA256:67702FF3B28C29F96912050F2C48EA1C3A74A2276FFBCC3EB85CC6137B247D4E
2848	msiexec.exe	C:\Users\admin\AppData\Local\Temp\{836A923B-4C9F-4417-9E58-D50CB0C39348}\IsConfig.ini		text
		MD5:0EA633EC0FCC2D940CDD43A38480651A	SHA256:C303C4888AEB3B2FDBD249F617FA3A8CD2512C7AB94C834251D068EDA8A7C600

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	23.55.110.193:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2528	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
4400	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
4400	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1268	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1352	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	23.55.110.193:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
5944	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2528	svchost.exe	20.190.159.2:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.104.136.2 20.73.194.208 51.124.78.146	whitelisted
google.com	172.217.18.14	whitelisted
crl.microsoft.com	23.55.110.193 23.55.110.211	whitelisted
www.microsoft.com	95.101.149.131 23.35.229.160	whitelisted
login.live.com	20.190.159.2 40.126.31.130 40.126.31.67 20.190.159.0 40.126.31.1 20.190.159.128 20.190.159.129 40.126.31.128	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
slscr.update.microsoft.com	52.149.20.212	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted
self.events.data.microsoft.com	20.42.73.28	whitelisted

Threats

PID	Process	Class	Message
—	—	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
3872	XeExplorer.exe	Misc activity	ET INFO Cloudflare DNS Over HTTPS Certificate Inbound

Add for printing

No debug info

General Info

Setup.msi

2B9C643373051441C7DFD1A693CA46B6

514F80B9C078F6C7E5AD8061B8D022E2512011DB

4533E15932F30837C6F5D8D31784E940FF1C10FF8F7E787CC52B2F1E37D730F6

98304:MUtTF8zvM/MF+65gQAD38rTPAPN8ijpVCHUxxQ/40HWiOoHT9xKLGAvGm4VeVHim:XUtlAR

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

GENERIC has been found (auto)

HIJACKLOADER has been detected (YARA)

SUSPICIOUS

The process drops C-runtime libraries

Process drops legitimate windows executable

Starts itself from another location

Executable content was dropped or overwritten

The process creates files with name similar to system file names

The process checks if it is being run in the virtual environment

INFO

Reads the computer name

Checks supported languages

An automatically generated document

The sample compiled with english language support

Executable content was dropped or overwritten

Create files in a temporary directory

The sample compiled with chinese language support

Creates files or folders in the user directory

Creates files in the program directory

Reads the machine GUID from the registry

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings