File name:

XXMI-Launcher-Installer-Online-v1.1.1--zzz.msi

Full analysis: https://app.any.run/tasks/5ff421db-086f-428b-9765-dd2cfc5801ef
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 01, 2025, 20:26:39
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
loader
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {EDCC9F56-550B-44C7-A648-E8A28B21A169}, Number of Words: 2, Subject: XXMI Launcher, Author: SpectrumQT, Name of Creating Application: XXMI Launcher, Template: x64;1033, Comments: This installer database contains the logic and data required to install XXMI Launcher., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Nov 15 16:08:15 2024, Last Saved Time/Date: Fri Nov 15 16:08:15 2024, Last Printed: Fri Nov 15 16:08:15 2024, Number of Pages: 450
MD5:

D45FBBA1B23191DF6E2C6363E1C2FA90

SHA1:

72A41C684486F47E193431BDB354313DBEAEB508

SHA256:

59BE65FD43C0808AB750B4691F3530EDAC0523136B0DA172D9993B64108194B0

SSDEEP:

393216:FoGme40F6b+MUPRDvU5jQ1mbQtB5ydwolUvoBsS8BrGUItdl6BqC:weK1UPR7WivC1sSurcdMBqC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • msiexec.exe (PID: 5880)
      • VC_redist.x64.exe (PID: 3640)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • msiexec.exe (PID: 4672)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 4672)
      • msiexec.exe (PID: 5728)
    • Executable content was dropped or overwritten

      • EnhancedUI.exe (PID: 5920)
      • VC_redist.x64.exe (PID: 1448)
      • VC_redist.x64.exe (PID: 3640)
      • VC_redist.x64.exe (PID: 836)
      • VC_redist.x64.exe (PID: 3000)
      • VC_redist.x64.exe (PID: 3140)
    • Process drops legitimate windows executable

      • EnhancedUI.exe (PID: 5920)
      • msiexec.exe (PID: 5880)
      • VC_redist.x64.exe (PID: 1448)
      • VC_redist.x64.exe (PID: 836)
      • VC_redist.x64.exe (PID: 3640)
      • msiexec.exe (PID: 5728)
      • VC_redist.x64.exe (PID: 3140)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 5880)
      • VC_redist.x64.exe (PID: 836)
      • VC_redist.x64.exe (PID: 3000)
    • Checks Windows Trust Settings

      • msiexec.exe (PID: 5880)
      • msiexec.exe (PID: 5728)
    • Starts a Microsoft application from unusual location

      • VC_redist.x64.exe (PID: 836)
      • VC_redist.x64.exe (PID: 3640)
    • Searches for installed software

      • VC_redist.x64.exe (PID: 836)
      • dllhost.exe (PID: 1792)
      • VC_redist.x64.exe (PID: 3000)
      • VC_redist.x64.exe (PID: 3140)
    • Starts itself from another location

      • VC_redist.x64.exe (PID: 836)
    • Executes as Windows Service

      • VSSVC.exe (PID: 2216)
    • Creates a software uninstall entry

      • VC_redist.x64.exe (PID: 3640)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 5728)
    • The process checks if it is being run in the virtual environment

      • msiexec.exe (PID: 5728)
    • Application launched itself

      • VC_redist.x64.exe (PID: 1392)
      • VC_redist.x64.exe (PID: 3000)
    • Process drops python dynamic module

      • msiexec.exe (PID: 5728)
    • Loads Python modules

      • XXMI Launcher.exe (PID: 2392)
  • INFO

    • An automatically generated document

      • msiexec.exe (PID: 4672)
    • Reads the computer name

      • msiexec.exe (PID: 5728)
      • msiexec.exe (PID: 4264)
      • msiexec.exe (PID: 5880)
      • EnhancedUI.exe (PID: 5920)
      • VC_redist.x64.exe (PID: 836)
      • VC_redist.x64.exe (PID: 3640)
      • VC_redist.x64.exe (PID: 3140)
      • msiexec.exe (PID: 4544)
      • msiexec.exe (PID: 3172)
      • VC_redist.x64.exe (PID: 3000)
      • XXMI Launcher.exe (PID: 2392)
    • Checks supported languages

      • msiexec.exe (PID: 5728)
      • msiexec.exe (PID: 4264)
      • msiexec.exe (PID: 5880)
      • EnhancedUI.exe (PID: 5920)
      • VC_redist.x64.exe (PID: 1448)
      • VC_redist.x64.exe (PID: 836)
      • VC_redist.x64.exe (PID: 3640)
      • VC_redist.x64.exe (PID: 1392)
      • VC_redist.x64.exe (PID: 3000)
      • VC_redist.x64.exe (PID: 3140)
      • msiexec.exe (PID: 4544)
      • msiexec.exe (PID: 3172)
      • XXMI Launcher.exe (PID: 2392)
    • Create files in a temporary directory

      • msiexec.exe (PID: 4672)
      • EnhancedUI.exe (PID: 5920)
      • msiexec.exe (PID: 5880)
      • VC_redist.x64.exe (PID: 1448)
      • VC_redist.x64.exe (PID: 836)
      • VC_redist.x64.exe (PID: 3640)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 4672)
      • msiexec.exe (PID: 5880)
      • msiexec.exe (PID: 5728)
    • The sample compiled with english language support

      • msiexec.exe (PID: 4672)
      • EnhancedUI.exe (PID: 5920)
      • msiexec.exe (PID: 5880)
      • VC_redist.x64.exe (PID: 1448)
      • VC_redist.x64.exe (PID: 836)
      • VC_redist.x64.exe (PID: 3640)
      • msiexec.exe (PID: 5728)
      • VC_redist.x64.exe (PID: 3000)
      • VC_redist.x64.exe (PID: 3140)
    • Reads Environment values

      • msiexec.exe (PID: 5880)
      • EnhancedUI.exe (PID: 5920)
      • msiexec.exe (PID: 4544)
    • Checks proxy server information

      • msiexec.exe (PID: 5880)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 5880)
      • msiexec.exe (PID: 5728)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 5880)
      • VC_redist.x64.exe (PID: 3640)
      • msiexec.exe (PID: 5728)
    • Reads the software policy settings

      • msiexec.exe (PID: 5880)
      • msiexec.exe (PID: 5728)
    • The process uses the downloaded file

      • msiexec.exe (PID: 5880)
      • VC_redist.x64.exe (PID: 836)
    • Process checks computer location settings

      • msiexec.exe (PID: 5880)
      • VC_redist.x64.exe (PID: 836)
      • VC_redist.x64.exe (PID: 3000)
    • Manages system restore points

      • SrTasks.exe (PID: 5684)
      • SrTasks.exe (PID: 644)
    • Creates files in the program directory

      • VC_redist.x64.exe (PID: 3640)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 5728)
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (88.6)
.mst | Windows SDK Setup Transform Script (10)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Security: None
CodePage: Windows Latin 1 (Western European)
RevisionNumber: {EDCC9F56-550B-44C7-A648-E8A28B21A169}
Words: 2
Subject: XXMI Launcher
Author: SpectrumQT
LastModifiedBy: -
Software: XXMI Launcher
Template: x64;1033
Comments: This installer database contains the logic and data required to install XXMI Launcher.
Title: Installation Database
Keywords: Installer, MSI, Database
CreateDate: 2024:11:15 16:08:15
ModifyDate: 2024:11:15 16:08:15
LastPrinted: 2024:11:15 16:08:15
Pages: 450
No data.
Total processes
134
Monitored processes
20
Malicious processes
8
Suspicious processes
1

Behavior graph

start
  • msiexec.exe
  • msiexec.exe
  • msiexec.exe (no specs)
  • enhancedui.exe
  • msiexec.exe
  • vc_redist.x64.exe
  • vc_redist.x64.exe
  • vc_redist.x64.exe
  • SPPSurrogate (no specs)
  • vssvc.exe (no specs)
  • srtasks.exe (no specs)
  • conhost.exe (no specs)
  • vc_redist.x64.exe (no specs)
  • vc_redist.x64.exe
  • vc_redist.x64.exe
  • srtasks.exe (no specs)
  • conhost.exe (no specs)
  • msiexec.exe (no specs)
  • msiexec.exe (no specs)
  • xxmi launcher.exe

Process information

PID:
68
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
SrTasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
644
CMD:
C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:12
Path:
C:\Windows\System32\SrTasks.exe
Parent process:
msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
732
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
SrTasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
836
CMD:
"C:\Users\admin\AppData\Local\Temp\{0A854F1A-54ED-4B5A-9570-29F359DB6D0A}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\admin\AppData\Roaming\XXMI Launcher\prerequisites\Visual C++ Redistributable for Visual Studio 2015-2022\VC_redist.x64.exe" -burn.filehandle.attached=560 -burn.filehandle.self=520 /q /norestart REBOOT=ReallySuppress
Path:
C:\Users\admin\AppData\Local\Temp\{0A854F1A-54ED-4B5A-9570-29F359DB6D0A}\.cr\VC_redist.x64.exe
Parent process:
VC_redist.x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.38.33135
Exit code:
3010
Version:
14.38.33135.0
Modules
Images
c:\users\admin\appdata\local\temp\{0a854f1a-54ed-4b5a-9570-29f359db6d0a}\.cr\vc_redist.x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID:
1392
CMD:
"C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={c649ede4-f16a-4486-a117-dcc2f2a35165} -burn.filehandle.self=1096 -burn.embedded BurnPipe.{FA820735-93BC-4AEE-A6EC-5C4E5D8EDBA7} {574E7D03-4AFA-4B98-98A4-7EE1F66248B6} 3640
Path:
C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
Parent process:
VC_redist.x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532
Exit code:
0
Version:
14.36.32532.0
Modules
Images
c:\programdata\package cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\vc_redist.x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
1448
CMD:
"C:\Users\admin\AppData\Roaming\XXMI Launcher\prerequisites\Visual C++ Redistributable for Visual Studio 2015-2022\VC_redist.x64.exe" /q /norestart REBOOT=ReallySuppress
Path:
C:\Users\admin\AppData\Roaming\XXMI Launcher\prerequisites\Visual C++ Redistributable for Visual Studio 2015-2022\VC_redist.x64.exe
Parent process:
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.38.33135
Exit code:
3010
Version:
14.38.33135.0
Modules
Images
c:\users\admin\appdata\roaming\xxmi launcher\prerequisites\visual c++ redistributable for visual studio 2015-2022\vc_redist.x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID:
1792
CMD:
C:\WINDOWS\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
Path:
C:\Windows\System32\dllhost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID:
2216
CMD:
C:\WINDOWS\system32\vssvc.exe
Path:
C:\Windows\System32\VSSVC.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2392
CMD:
"C:\Users\admin\AppData\Roaming\XXMI Launcher\Resources\Bin\XXMI Launcher.exe" --msi="C:\Users\admin\Desktop\XXMI-Launcher-Installer-Online-v1.1.1--zzz.msi" --update --create_shortcut="ImageCheckBox"
Path:
C:\Users\admin\AppData\Roaming\XXMI Launcher\Resources\Bin\XXMI Launcher.exe
Parent process:
msiexec.exe
User:
admin
Company:
SpectrumQT
Integrity Level:
HIGH
Description:
XXMI Launcher
Version:
1.1.1.0
Modules
Images
c:\users\admin\appdata\roaming\xxmi launcher\resources\bin\xxmi launcher.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID:
3000
CMD:
"C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -burn.filehandle.attached=536 -burn.filehandle.self=556 -uninstall -quiet -burn.related.upgrade -burn.ancestors={c649ede4-f16a-4486-a117-dcc2f2a35165} -burn.filehandle.self=1096 -burn.embedded BurnPipe.{FA820735-93BC-4AEE-A6EC-5C4E5D8EDBA7} {574E7D03-4AFA-4B98-98A4-7EE1F66248B6} 3640
Path:
C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
Parent process:
VC_redist.x64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532
Exit code:
0
Version:
14.36.32532.0
Modules
Images
c:\programdata\package cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\vc_redist.x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
20 459
Read events
19 021
Write events
1 035
Delete events
403

Modification events

(PID) Process: (5880) msiexec.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: {F2A98983-25EE-4F5A-AD10-79DF8ED2082F}
Value:
C:\WINDOWS\system32\msiexec.exe /i "C:\Users\admin\Desktop\XXMI-Launcher-Installer-Online-v1.1.1--zzz.msi" ADDLOCAL=MainFeature,C4FE6FD5B7C4D07B3A313E754A9A6A8

(PID) Process: (3640) VC_redist.x64.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
4000000000000000C1FF53AD8B5CDB01380E0000E8130000D5070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (1792) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value:
480000000000000013328DAD8B5CDB0100070000F40A0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (1792) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value:
480000000000000013328DAD8B5CDB0100070000F40A0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (1792) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value:
48000000000000001B5E94AD8B5CDB0100070000F40A0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (1792) dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value:
4800000000000000C20502AE8B5CDB0100070000F40A0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2216) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000D0FA0DAE8B5CDB01A808000050170000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2216) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000D0FA0DAE8B5CDB01A8080000C4160000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2216) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000D0FA0DAE8B5CDB01A8080000880D0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2216) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000D0FA0DAE8B5CDB01A80800006C100000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
176
Suspicious files
87
Text files
1 085
Unknown types
3

Dropped files

PID | Process | Filename | Type
4672 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI30991\resources.pri | -
MD5:
SHA256:
4672 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI30991\embeddeduiproxy.dll | executable
MD5: 8DC7199AEA9216EEA74B18CD32D3A20A
SHA256: 96E0FE57C2F2347E8994D6E3685C85A97B0C12F920EB37882D24BB0606FA915A
4672 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI30991\App.xbf | xbf
MD5: 74B378E0D84B6E145A812B9C802BB285
SHA256: 1FC04ACE8A8CFA4E462E5FB2403D65BA757181611BD1D261DD7F2C8C80274F1D
4672 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI30991\WinUiBootstrapperEui.dll | executable
MD5: CBA525D7B96102F5E0EB48C73AB09FB5
SHA256: 901B1D184F1077CF4C59162E9E82B4F59E44D4B3E9356469B6FD6679BD4D7BD2
4672 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI30991\msvcp140.dll | executable
MD5: 996D01AD6A71761F29A98EC9E9F30007
SHA256: C8E7456F4AC9AA65EF3AD61A6DAF30EFEC9737344D173B2D6D2C16E752052A55
4672 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI30991\Microsoft.Web.WebView2.Core.dll | executable
MD5: 2B4735E30C39A0267310FCC65C1C4285
SHA256: BC3E0C69E9F4BC03EEC9C3B92846B42497419FFEF79DE12F382B27F5778E2A32
4672 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI30991\Microsoft.Toolkit.Win32.UI.XamlHost.dll | executable
MD5: 14C39CDA89987D637565E45B7E04F5C8
SHA256: DD136F1FD23E91866A53B9E9A0F28C83FA63C2AEE01E61B3FC280E8F8FE549CA
4672 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI30991\vcruntime140_app.dll | executable
MD5: B876EE7ECF95CECB6BB9D994701B0E4B
SHA256: 372C955EE558F4EF733ACBD801D1FC6082539FCE9D8A14A584B6EE131F3142FA
4672 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI30991\ucrtbase.dll | executable
MD5: B65AA2646529E9C1DE570D28C2E37C2B
SHA256: 783AAD71C976972DEF8A34579123439CFEBFF071901D97BC91033A05D9C2068F
4672 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI30991\EnhancedUI.exe | executable
MD5: 766D9E2EC1D3AA3AE09F09B232B42911
SHA256: 30791EB229D55D42DA62B7048B36BCE26BD5DBC89E26056DDF042A951D519624
HTTP(S) requests
8
TCP/UDP connections
25
DNS requests
9
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 23.32.238.107:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
3220 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
3220 | svchost.exe | GET | 200 | 23.32.238.107:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5728 | msiexec.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5728 | msiexec.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 2.19.198.48:443 | https://download.visualstudio.microsoft.com/download/pr/c7707d68-d6ce-4479-973e-e2a3dc4341fe/1AD7988C17663CC742B01BEF1A6DF2ED1741173009579AD50A94434E54F56073/VC_redist.x64.exe | unknown | executable | 24.2 Mb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5064 | SearchApp.exe | 104.126.37.123:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
- | - | 192.168.100.255:138 | - | - | - | whitelisted
3220 | svchost.exe | 23.32.238.107:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 23.32.238.107:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
3220 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 104.126.37.123
  • 104.126.37.178
  • 104.126.37.186
  • 104.126.37.131
  • 104.126.37.129
  • 104.126.37.130
  • 104.126.37.163
  • 104.126.37.136
  • 104.126.37.128
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 23.32.238.107
  • 23.32.238.112
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 88.221.169.152
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
download.visualstudio.microsoft.com
  • 2.16.168.102
  • 2.16.168.105
whitelisted
self.events.data.microsoft.com
  • 51.104.15.252
whitelisted

Threats

No threats detected
No debug info