File name: | XXMI-Launcher-Installer-Online-v1.1.1--zzz.msi |
Full analysis: | https://app.any.run/tasks/5ff421db-086f-428b-9765-dd2cfc5801ef |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | January 01, 2025, 20:26:39 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-msi |
File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {EDCC9F56-550B-44C7-A648-E8A28B21A169}, Number of Words: 2, Subject: XXMI Launcher, Author: SpectrumQT, Name of Creating Application: XXMI Launcher, Template: x64;1033, Comments: This installer database contains the logic and data required to install XXMI Launcher., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Nov 15 16:08:15 2024, Last Saved Time/Date: Fri Nov 15 16:08:15 2024, Last Printed: Fri Nov 15 16:08:15 2024, Number of Pages: 450 |
MD5: | D45FBBA1B23191DF6E2C6363E1C2FA90 |
SHA1: | 72A41C684486F47E193431BDB354313DBEAEB508 |
SHA256: | 59BE65FD43C0808AB750B4691F3530EDAC0523136B0DA172D9993B64108194B0 |
SSDEEP: | 393216:FoGme40F6b+MUPRDvU5jQ1mbQtB5ydwolUvoBsS8BrGUItdl6BqC:weK1UPR7WivC1sSurcdMBqC |
.msi | | | Microsoft Windows Installer (88.6) |
---|---|---|
.mst | | | Windows SDK Setup Transform Script (10) |
.msi | | | Microsoft Installer (100) |
Security: | None |
---|---|
CodePage: | Windows Latin 1 (Western European) |
RevisionNumber: | {EDCC9F56-550B-44C7-A648-E8A28B21A169} |
Words: | 2 |
Subject: | XXMI Launcher |
Author: | SpectrumQT |
LastModifiedBy: | - |
Software: | XXMI Launcher |
Template: | x64;1033 |
Comments: | This installer database contains the logic and data required to install XXMI Launcher. |
Title: | Installation Database |
Keywords: | Installer, MSI, Database |
CreateDate: | 2024:11:15 16:08:15 |
ModifyDate: | 2024:11:15 16:08:15 |
LastPrinted: | 2024:11:15 16:08:15 |
Pages: | 450 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
68 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | SrTasks.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
644 | C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:12 | C:\Windows\System32\SrTasks.exe | — | msiexec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Windows System Protection background tasks. Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
732 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | SrTasks.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
836 | "C:\Users\admin\AppData\Local\Temp\{0A854F1A-54ED-4B5A-9570-29F359DB6D0A}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\admin\AppData\Roaming\XXMI Launcher\prerequisites\Visual C++ Redistributable for Visual Studio 2015-2022\VC_redist.x64.exe" -burn.filehandle.attached=560 -burn.filehandle.self=520 /q /norestart REBOOT=ReallySuppress | C:\Users\admin\AppData\Local\Temp\{0A854F1A-54ED-4B5A-9570-29F359DB6D0A}\.cr\VC_redist.x64.exe | VC_redist.x64.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.38.33135 Exit code: 3010 Version: 14.38.33135.0 Modules
| |||||||||||||||
1392 | "C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={c649ede4-f16a-4486-a117-dcc2f2a35165} -burn.filehandle.self=1096 -burn.embedded BurnPipe.{FA820735-93BC-4AEE-A6EC-5C4E5D8EDBA7} {574E7D03-4AFA-4B98-98A4-7EE1F66248B6} 3640 | C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe | — | VC_redist.x64.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 Exit code: 0 Version: 14.36.32532.0 Modules
| |||||||||||||||
1448 | "C:\Users\admin\AppData\Roaming\XXMI Launcher\prerequisites\Visual C++ Redistributable for Visual Studio 2015-2022\VC_redist.x64.exe" /q /norestart REBOOT=ReallySuppress | C:\Users\admin\AppData\Roaming\XXMI Launcher\prerequisites\Visual C++ Redistributable for Visual Studio 2015-2022\VC_redist.x64.exe | msiexec.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.38.33135 Exit code: 3010 Version: 14.38.33135.0 Modules
| |||||||||||||||
1792 | C:\WINDOWS\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801} | C:\Windows\System32\dllhost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
2216 | C:\WINDOWS\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
2392 | "C:\Users\admin\AppData\Roaming\XXMI Launcher\Resources\Bin\XXMI Launcher.exe" --msi="C:\Users\admin\Desktop\XXMI-Launcher-Installer-Online-v1.1.1--zzz.msi" --update --create_shortcut="ImageCheckBox" | C:\Users\admin\AppData\Roaming\XXMI Launcher\Resources\Bin\XXMI Launcher.exe | msiexec.exe | ||||||||||||
User: admin Company: SpectrumQT Integrity Level: HIGH Description: XXMI Launcher Version: 1.1.1.0 Modules
| |||||||||||||||
3000 | "C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -burn.filehandle.attached=536 -burn.filehandle.self=556 -uninstall -quiet -burn.related.upgrade -burn.ancestors={c649ede4-f16a-4486-a117-dcc2f2a35165} -burn.filehandle.self=1096 -burn.embedded BurnPipe.{FA820735-93BC-4AEE-A6EC-5C4E5D8EDBA7} {574E7D03-4AFA-4B98-98A4-7EE1F66248B6} 3640 | C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe | VC_redist.x64.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 Exit code: 0 Version: 14.36.32532.0 Modules
|
(PID) Process: | (5880) msiexec.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce |
Operation: | write | Name: | {F2A98983-25EE-4F5A-AD10-79DF8ED2082F} |
Value: C:\WINDOWS\system32\msiexec.exe /i "C:\Users\admin\Desktop\XXMI-Launcher-Installer-Online-v1.1.1--zzz.msi" ADDLOCAL=MainFeature,C4FE6FD5B7C4D07B3A313E754A9A6A8 | |||
(PID) Process: | (3640) VC_redist.x64.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore |
Operation: | write | Name: | SrCreateRp (Enter) |
Value: 4000000000000000C1FF53AD8B5CDB01380E0000E8130000D5070000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (1792) dllhost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
Operation: | write | Name: | SppGetSnapshots (Leave) |
Value: 480000000000000013328DAD8B5CDB0100070000F40A0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (1792) dllhost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
Operation: | write | Name: | SppEnumGroups (Enter) |
Value: 480000000000000013328DAD8B5CDB0100070000F40A0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (1792) dllhost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
Operation: | write | Name: | SppCreate (Enter) |
Value: 48000000000000001B5E94AD8B5CDB0100070000F40A0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (1792) dllhost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
Operation: | write | Name: | SppGatherWriterMetadata (Enter) |
Value: 4800000000000000C20502AE8B5CDB0100070000F40A0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (2216) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer |
Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4800000000000000D0FA0DAE8B5CDB01A808000050170000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (2216) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer |
Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4800000000000000D0FA0DAE8B5CDB01A8080000C4160000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (2216) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer |
Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4800000000000000D0FA0DAE8B5CDB01A8080000880D0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (2216) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer |
Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4800000000000000D0FA0DAE8B5CDB01A80800006C100000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
4672 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI30991\resources.pri | — | |
MD5:— | SHA256:— | |||
4672 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI30991\embeddeduiproxy.dll | executable | |
MD5:8DC7199AEA9216EEA74B18CD32D3A20A | SHA256:96E0FE57C2F2347E8994D6E3685C85A97B0C12F920EB37882D24BB0606FA915A | |||
4672 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI30991\App.xbf | xbf | |
MD5:74B378E0D84B6E145A812B9C802BB285 | SHA256:1FC04ACE8A8CFA4E462E5FB2403D65BA757181611BD1D261DD7F2C8C80274F1D | |||
4672 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI30991\WinUiBootstrapperEui.dll | executable | |
MD5:CBA525D7B96102F5E0EB48C73AB09FB5 | SHA256:901B1D184F1077CF4C59162E9E82B4F59E44D4B3E9356469B6FD6679BD4D7BD2 | |||
4672 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI30991\msvcp140.dll | executable | |
MD5:996D01AD6A71761F29A98EC9E9F30007 | SHA256:C8E7456F4AC9AA65EF3AD61A6DAF30EFEC9737344D173B2D6D2C16E752052A55 | |||
4672 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI30991\Microsoft.Web.WebView2.Core.dll | executable | |
MD5:2B4735E30C39A0267310FCC65C1C4285 | SHA256:BC3E0C69E9F4BC03EEC9C3B92846B42497419FFEF79DE12F382B27F5778E2A32 | |||
4672 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI30991\Microsoft.Toolkit.Win32.UI.XamlHost.dll | executable | |
MD5:14C39CDA89987D637565E45B7E04F5C8 | SHA256:DD136F1FD23E91866A53B9E9A0F28C83FA63C2AEE01E61B3FC280E8F8FE549CA | |||
4672 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI30991\vcruntime140_app.dll | executable | |
MD5:B876EE7ECF95CECB6BB9D994701B0E4B | SHA256:372C955EE558F4EF733ACBD801D1FC6082539FCE9D8A14A584B6EE131F3142FA | |||
4672 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI30991\ucrtbase.dll | executable | |
MD5:B65AA2646529E9C1DE570D28C2E37C2B | SHA256:783AAD71C976972DEF8A34579123439CFEBFF071901D97BC91033A05D9C2068F | |||
4672 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI30991\EnhancedUI.exe | executable | |
MD5:766D9E2EC1D3AA3AE09F09B232B42911 | SHA256:30791EB229D55D42DA62B7048B36BCE26BD5DBC89E26056DDF042A951D519624 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 23.32.238.107:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
3220 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
3220 | svchost.exe | GET | 200 | 23.32.238.107:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5728 | msiexec.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5728 | msiexec.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 2.19.198.48:443 | https://download.visualstudio.microsoft.com/download/pr/c7707d68-d6ce-4479-973e-e2a3dc4341fe/1AD7988C17663CC742B01BEF1A6DF2ED1741173009579AD50A94434E54F56073/VC_redist.x64.exe | unknown | executable | 24.2 Mb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5064 | SearchApp.exe | 104.126.37.123:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
— | — | 192.168.100.255:138 | — | — | — | whitelisted |
3220 | svchost.exe | 23.32.238.107:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
— | — | 23.32.238.107:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
3220 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
— | — | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
Domain | IP | Reputation |
---|---|---|
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
download.visualstudio.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |