File name: viewpdftools.msi

Full analysis: https://app.any.run/tasks/4f7a9a5f-8570-466f-b1fd-a2d8c8c77cde
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 28, 2025, 13:17:23
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
loader
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {4CEC43B9-B497-4A5C-A703-63AB7ADA95E6}, Number of Words: 10, Subject: OneStart PDF, Author: OneStart.ai, Name of Creating Application: OneStart PDF, Template: ;1033, Comments: OneStart PDF 4.5.258.2, Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Mon Oct 28 02:28:51 2024, Last Saved Time/Date: Mon Oct 28 02:28:51 2024, Last Printed: Mon Oct 28 02:28:51 2024, Number of Pages: 450
MD5: 64A47700C3C27341180FC7DC08704210
SHA1: 30C46E57D9E08A1DACE0C66FF8A8549CF8DD7B98
SHA256: 4C35ADA0A8C91AF2A483A077D3BDA707C208D942F0F2E8EC601BD663D2C8AEBF
SSDEEP: 98304:29IpokPuJfbQn4JidV36iSVTuocjXBfZQvv/IVTu5XKiveeOuol5igSEO:F

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • onestart.exe (PID: 6396)
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 4876)
    • Checks Windows Trust Settings

      • msiexec.exe (PID: 6468)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 6468)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 6760)
      • MSIAA1F.tmp (PID: 6636)
      • msiexec.exe (PID: 1448)
      • MSI4A88.tmp (PID: 4132)
      • msiexec.exe (PID: 7540)
    • Potential Corporate Privacy Violation

      • msiexec.exe (PID: 6760)
      • msiexec.exe (PID: 7896)
    • Process requests binary or script from the Internet

      • msiexec.exe (PID: 6760)
      • msiexec.exe (PID: 7896)
    • Application launched itself

      • setup.exe (PID: 6808)
      • setup.exe (PID: 6944)
      • onestart.exe (PID: 6396)
      • setup.exe (PID: 7824)
      • setup.exe (PID: 7348)
    • Executable content was dropped or overwritten

      • setup.exe (PID: 6808)
      • onestart_installer.exe (PID: 6888)
      • onestart_installer.exe (PID: 7780)
      • setup.exe (PID: 7824)
      • onestart.exe (PID: 7996)
    • Starts CMD.EXE for commands execution

      • onestart_installer.exe (PID: 6888)
      • MSIAA1F.tmp (PID: 6636)
      • msiexec.exe (PID: 1448)
      • MSI4A88.tmp (PID: 4132)
      • msiexec.exe (PID: 7540)
    • The process deletes folder without confirmation

      • MSIAA1F.tmp (PID: 6636)
      • MSI4A88.tmp (PID: 4132)
    • Creates a software uninstall entry

      • setup.exe (PID: 7824)
    • Searches for installed software

      • setup.exe (PID: 7824)
  • INFO

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 6304)
      • msiexec.exe (PID: 6576)
    • Reads the software policy settings

      • msiexec.exe (PID: 6304)
      • msiexec.exe (PID: 6576)
      • msiexec.exe (PID: 6468)
    • An automatically generated document

      • msiexec.exe (PID: 6304)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 6304)
      • setup.exe (PID: 6808)
      • setup.exe (PID: 6944)
      • onestart_installer.exe (PID: 6888)
      • onestart.exe (PID: 6524)
      • onestart.exe (PID: 6396)
    • Reads the computer name

      • msiexec.exe (PID: 6468)
      • msiexec.exe (PID: 6512)
      • msiexec.exe (PID: 1448)
      • msiexec.exe (PID: 6760)
      • notification_helper.exe (PID: 4504)
      • onestart.exe (PID: 6396)
      • onestart_installer.exe (PID: 6888)
      • setup.exe (PID: 6808)
      • MSIAA1F.tmp (PID: 6636)
      • onestart.exe (PID: 6524)
      • msiexec.exe (PID: 7540)
      • msiexec.exe (PID: 7896)
      • onestart_installer.exe (PID: 7780)
      • MSI4A88.tmp (PID: 4132)
    • Checks supported languages

      • msiexec.exe (PID: 6468)
      • msiexec.exe (PID: 6512)
      • msiexec.exe (PID: 1448)
      • msiexec.exe (PID: 6760)
      • setup.exe (PID: 6808)
      • notification_helper.exe (PID: 4504)
      • setup.exe (PID: 6428)
      • onestart.exe (PID: 6396)
      • onestart.exe (PID: 6724)
      • onestart_installer.exe (PID: 6888)
      • MSIAA1F.tmp (PID: 6636)
      • onestart.exe (PID: 6728)
      • onestart.exe (PID: 6592)
      • identity_helper.exe (PID: 7424)
      • onestart.exe (PID: 7312)
      • msiexec.exe (PID: 7540)
      • onestart_installer.exe (PID: 7780)
      • setup.exe (PID: 7824)
      • setup.exe (PID: 7192)
      • MSI4A88.tmp (PID: 4132)
      • setup.exe (PID: 7312)
      • notification_helper.exe (PID: 7200)
      • onestart.exe (PID: 7216)
      • onestart.exe (PID: 7156)
      • onestart.exe (PID: 4672)
      • onestart.exe (PID: 7140)
      • onestart.exe (PID: 8120)
      • onestart.exe (PID: 8064)
      • onestart.exe (PID: 4724)
      • onestart.exe (PID: 5972)
    • Reads Environment values

      • msiexec.exe (PID: 6512)
      • msiexec.exe (PID: 1448)
      • msiexec.exe (PID: 6760)
      • msiexec.exe (PID: 7540)
      • msiexec.exe (PID: 7896)
      • msiexec.exe (PID: 7752)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 6304)
      • msiexec.exe (PID: 6576)
      • msiexec.exe (PID: 6468)
      • msedge.exe (PID: 6120)
      • msedge.exe (PID: 5992)
      • msiexec.exe (PID: 7560)
      • msedge.exe (PID: 3140)
      • msiexec.exe (PID: 7388)
    • The sample compiled with english language support

      • msiexec.exe (PID: 6304)
      • msiexec.exe (PID: 6576)
      • msiexec.exe (PID: 6468)
      • onestart_installer.exe (PID: 6888)
      • setup.exe (PID: 6808)
      • msiexec.exe (PID: 6760)
      • msiexec.exe (PID: 7560)
      • msiexec.exe (PID: 7896)
      • onestart_installer.exe (PID: 7780)
      • setup.exe (PID: 7824)
      • msedge.exe (PID: 3140)
      • msiexec.exe (PID: 7388)
      • onestart.exe (PID: 7996)
    • Create files in a temporary directory

      • msiexec.exe (PID: 6304)
      • onestart.exe (PID: 6396)
    • Manual execution by a user

      • msiexec.exe (PID: 6576)
    • Manages system restore points

      • SrTasks.exe (PID: 6628)
      • SrTasks.exe (PID: 4136)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 6468)
      • onestart.exe (PID: 6396)
    • Checks proxy server information

      • msiexec.exe (PID: 6760)
      • onestart.exe (PID: 6396)
    • Starts application with an unusual extension

      • msiexec.exe (PID: 6468)
    • Process checks computer location settings

      • MSIAA1F.tmp (PID: 6636)
      • msiexec.exe (PID: 1448)
      • onestart.exe (PID: 6396)
      • MSI4A88.tmp (PID: 4132)
      • msiexec.exe (PID: 7540)
      • onestart.exe (PID: 5972)
      • onestart.exe (PID: 4724)
    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 5992)
    • Application launched itself

      • msedge.exe (PID: 5992)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (88.6)
.mst | Windows SDK Setup Transform Script (10)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Security: None
CodePage: Windows Latin 1 (Western European)
RevisionNumber: {4CEC43B9-B497-4A5C-A703-63AB7ADA95E6}
Words: 10
Subject: OneStart PDF
Author: OneStart.ai
LastModifiedBy: -
Software: OneStart PDF
Template: ;1033
Comments: OneStart PDF 4.5.258.2
Title: Installation Database
Keywords: Installer, MSI, Database
CreateDate: 2024:10:28 02:28:51
ModifyDate: 2024:10:28 02:28:51
LastPrinted: 2024:10:28 02:28:51
Pages: 450
No data.
All screenshots are available in the full report
Total processes: 255
Monitored processes: 118
Malicious processes: 6
Suspicious processes: 2

Behavior graph

(Interactive process graph, available in the full report. Processes shown in the graph: msiexec.exe, vssvc.exe, srtasks.exe, conhost.exe, onestart_installer.exe, setup.exe, notification_helper.exe, chrome.exe, onestart.exe, cmd.exe, msedge.exe, msiaa1f.tmp, identity_helper.exe, msi4a88.tmp.)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 68
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=8148 --field-trial-handle=2528,i,15264864928336202984,8783585625916378279,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 768
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5908 --field-trial-handle=2528,i,15264864928336202984,8783585625916378279,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 836
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6020 --field-trial-handle=2528,i,15264864928336202984,8783585625916378279,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1192
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3784 --field-trial-handle=2528,i,15264864928336202984,8783585625916378279,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1216
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5424 --field-trial-handle=2528,i,15264864928336202984,8783585625916378279,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1448
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 970C2817300ABE1F2FED5F63A0B1E1D3 C
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 1576
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5912 --field-trial-handle=2528,i,15264864928336202984,8783585625916378279,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1944
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3660 --field-trial-handle=2528,i,15264864928336202984,8783585625916378279,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2088
CMD: C:\Windows\System32\cmd.exe /c ""C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://onestart.ai/chr/startup?fhnid=66941034"
Path: C:\Windows\System32\cmd.exe
Parent process: onestart_installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 2212
CMD: "C:\Windows\System32\cmd.exe" /c "rmdir /s /q "C:\Users\admin\AppData\Local\OneStart.ai\OneStart Installer\""
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: MSIAA1F.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
32
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events: 33 659
Read events: 33 019
Write events: 597
Delete events: 43

Modification events

(PID) Process: (6468) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value: 48000000000000007DCA75088771DB0144190000D8150000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6468) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value: 4800000000000000463678088771DB0144190000D8150000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6468) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value: 4800000000000000A2BBDE088771DB0144190000D8150000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6468) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value: 4800000000000000A2BBDE088771DB0144190000D8150000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6468) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value: 4800000000000000B91EE1088771DB0144190000D8150000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6468) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value: 480000000000000059E5E5088771DB0144190000D8150000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6468) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value: 11

(PID) Process: (6468) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value: 4800000000000000811C75098771DB0144190000D8150000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (4876) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation: write
Name: Element
Value: 0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000

(PID) Process: (4876) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\12000002
Operation: delete key
Name: (default)
Value:
Executable files: 92
Suspicious files: 605
Text files: 176
Unknown types: 1

Dropped files

PID | Process | Filename | Type

6304 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E | binary
MD5: 1AE02800E06A0E717304692FCF790106
SHA256: 917C2BDB61E9409114ECB065399F664BAB9A4A3437388349E6B79A2BC7D88F4C

6304 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E | binary
MD5: 26FF050686AA04475D0F428BBD796B6C
SHA256: B1771FAA7CFBCD00DFBD2C5E96AA5B4C1B303530CA5B757793C1F0FA924CCA57

6304 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_92EDC502ED2DCA77FBA738595B424D4A | binary
MD5: FBCEB221346B28B855A1ADFF5476B63A
SHA256: BDA47E3D76268F03D27BB9B11E04E10523DF3362F8142C356F924A927D4497D4

6304 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI6DB2.tmp | executable
MD5: EC6EBF65FE4F361A73E473F46730E05C
SHA256: D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F

6468 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 |
MD5:
SHA256:

6576 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSIA454.tmp | executable
MD5: EC6EBF65FE4F361A73E473F46730E05C
SHA256: D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F

6576 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSIA309.tmp | executable
MD5: EC6EBF65FE4F361A73E473F46730E05C
SHA256: D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F

6304 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI724B.tmp | executable
MD5: EC6EBF65FE4F361A73E473F46730E05C
SHA256: D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F

6304 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_92EDC502ED2DCA77FBA738595B424D4A | binary
MD5: DC93AD643673C8DA8EAB977C89E32018
SHA256: 393D182270A1A5BA40C800E055A88025E5EE7FD3A2795C5B53932511F015754A

6304 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI37274.LOG | binary
MD5: 0AECA8FD574077220BA991349ABDBC7F
SHA256: 26E3E1307225B04152FCC84C8A82D175377A318880B76B0A59641B815E23CAF6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 73
TCP/UDP connections: 120
DNS requests: 130
Threats: 37

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Type | Reputation
(no CN or Size values are recorded for these requests)

6304 | msiexec.exe | GET | 200 | 151.101.66.133:80 | http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgW3WQu2HUdhUx4%2Fde0%3D | unknown | whitelisted
6304 | msiexec.exe | GET | 200 | 151.101.66.133:80 | http://ocsp.globalsign.com/gsgccr45evcodesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQaCbVYh07WONuW4e63Ydlu4AlbDAQUJZ3Q%2FFkJhmPF7POxEztXHAOSNhECDHIJtrz9Ya%2BlpHbb8A%3D%3D | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5252 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
5252 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6760 | msiexec.exe | GET | 200 | 52.222.236.99:80 | http://resources.onestart.ai/onestart_installer_128.0.6613.124.exe | unknown | unknown
7064 | backgroundTaskHost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
6524 | onestart.exe | GET | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acccxbt6wwsvpxzpob4hojndwkqq_4.10.2830.0/oimompecagnajdejgnnjijobebaeigek_4.10.2830.0_win64_dldxogwi36sxwpr57ta4lg57z4.crx3 | unknown | whitelisted
6888 | onestart_installer.exe | POST | 200 | 108.138.26.17:80 | http://log.onestart.ai/ | unknown | unknown
6888 | onestart_installer.exe | POST | 200 | 108.138.26.17:80 | http://log.onestart.ai/ | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:138 | | | | whitelisted
2548 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6304 | msiexec.exe | 151.101.66.133:80 | ocsp.globalsign.com | FASTLY | US | whitelisted
2212 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1176 | svchost.exe | 20.190.159.75:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1176 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
1076 | svchost.exe | 23.56.254.14:443 | go.microsoft.com | Mobile Telecommunications Company | KW | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
5252 | SIHClient.exe | 20.12.23.50:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5252 | SIHClient.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
ocsp.globalsign.com
  • 151.101.66.133
  • 151.101.194.133
  • 151.101.130.133
  • 151.101.2.133
whitelisted
login.live.com
  • 20.190.159.75
  • 40.126.31.73
  • 20.190.159.71
  • 20.190.159.64
  • 20.190.159.4
  • 20.190.159.0
  • 20.190.159.73
  • 20.190.159.23
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
go.microsoft.com
  • 23.56.254.14
  • 184.28.89.167
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
whitelisted

Threats

PID | Process | Class | Message

6760 | msiexec.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
6760 | msiexec.exe | Potentially Bad Traffic | ET INFO Executable served from Amazon S3
6120 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
6120 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
6120 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
6120 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Requests to a free CDN for open source projects (jsdelivr .net)
6120 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
6120 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
6120 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Global content delivery network (unpkg .com)
6120 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
No debug info