File name:	XXMI-Launcher-Installer-Online-v1.1.1--zzz.msi
Full analysis:	https://app.any.run/tasks/5ff421db-086f-428b-9765-dd2cfc5801ef
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	January 01, 2025, 20:26:39
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	generated-doc loader
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {EDCC9F56-550B-44C7-A648-E8A28B21A169}, Number of Words: 2, Subject: XXMI Launcher, Author: SpectrumQT, Name of Creating Application: XXMI Launcher, Template: x64;1033, Comments: This installer database contains the logic and data required to install XXMI Launcher., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Nov 15 16:08:15 2024, Last Saved Time/Date: Fri Nov 15 16:08:15 2024, Last Printed: Fri Nov 15 16:08:15 2024, Number of Pages: 450
MD5:	D45FBBA1B23191DF6E2C6363E1C2FA90
SHA1:	72A41C684486F47E193431BDB354313DBEAEB508
SHA256:	59BE65FD43C0808AB750B4691F3530EDAC0523136B0DA172D9993B64108194B0
SSDEEP:	393216:FoGme40F6b+MUPRDvU5jQ1mbQtB5ydwolUvoBsS8BrGUItdl6BqC:weK1UPR7WivC1sSurcdMBqC

.msi	\|	Microsoft Windows Installer (88.6)
.mst	\|	Windows SDK Setup Transform Script (10)
.msi	\|	Microsoft Installer (100)

Security:	None
CodePage:	Windows Latin 1 (Western European)
RevisionNumber:	{EDCC9F56-550B-44C7-A648-E8A28B21A169}
Words:	2
Subject:	XXMI Launcher
Author:	SpectrumQT
LastModifiedBy:	-
Software:	XXMI Launcher
Template:	x64;1033
Comments:	This installer database contains the logic and data required to install XXMI Launcher.
Title:	Installation Database
Keywords:	Installer, MSI, Database
CreateDate:	2024:11:15 16:08:15
ModifyDate:	2024:11:15 16:08:15
LastPrinted:	2024:11:15 16:08:15
Pages:	450


(PID) Process:	(5880) msiexec.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:	write	Name:	{F2A98983-25EE-4F5A-AD10-79DF8ED2082F}
Value: C:\WINDOWS\system32\msiexec.exe /i "C:\Users\admin\Desktop\XXMI-Launcher-Installer-Online-v1.1.1--zzz.msi" ADDLOCAL=MainFeature,C4FE6FD5B7C4D07B3A313E754A9A6A8
(PID) Process:	(3640) VC_redist.x64.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 4000000000000000C1FF53AD8B5CDB01380E0000E8130000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(1792) dllhost.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Leave)
Value: 480000000000000013328DAD8B5CDB0100070000F40A0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(1792) dllhost.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Enter)
Value: 480000000000000013328DAD8B5CDB0100070000F40A0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(1792) dllhost.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppCreate (Enter)
Value: 48000000000000001B5E94AD8B5CDB0100070000F40A0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(1792) dllhost.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGatherWriterMetadata (Enter)
Value: 4800000000000000C20502AE8B5CDB0100070000F40A0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2216) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4800000000000000D0FA0DAE8B5CDB01A808000050170000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2216) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4800000000000000D0FA0DAE8B5CDB01A8080000C4160000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2216) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4800000000000000D0FA0DAE8B5CDB01A8080000880D0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2216) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4800000000000000D0FA0DAE8B5CDB01A80800006C100000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000

PID	Process	Filename		Type
4672	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSI30991\resources.pri		—
		MD5:—	SHA256:—
4672	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSI30991\Microsoft.UI.Xaml.dll		executable
		MD5:6586CDC1057963B1CD0D5D6B89B9B093	SHA256:9C2B2585B9D75E302002C8DAFE60871196FFE059855747D63843C7A570A4EE7E
4672	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSI30991\EnhancedUI.exe		executable
		MD5:766D9E2EC1D3AA3AE09F09B232B42911	SHA256:30791EB229D55D42DA62B7048B36BCE26BD5DBC89E26056DDF042A951D519624
4672	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSI30991\WinUiBootstrapperEui.dll		executable
		MD5:CBA525D7B96102F5E0EB48C73AB09FB5	SHA256:901B1D184F1077CF4C59162E9E82B4F59E44D4B3E9356469B6FD6679BD4D7BD2
4672	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSI30991\Microsoft.Web.WebView2.Core.dll		executable
		MD5:2B4735E30C39A0267310FCC65C1C4285	SHA256:BC3E0C69E9F4BC03EEC9C3B92846B42497419FFEF79DE12F382B27F5778E2A32
4672	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSI30991\App.xbf		xbf
		MD5:74B378E0D84B6E145A812B9C802BB285	SHA256:1FC04ACE8A8CFA4E462E5FB2403D65BA757181611BD1D261DD7F2C8C80274F1D
4672	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSI30991\HtmlHostControl.xbf		xbf
		MD5:CE179CB5243A891F830B3030DBF227DA	SHA256:C2E888B120D063D0C58BC034733267CEFCDE3E2BE63F3D90BD2C463CA6CBE50D
4672	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSI30991\msvcp140_app.dll		executable
		MD5:516930B2E574608E21C1340F4BCD9206	SHA256:BB552C9477ACF8CF6C7202A039CDE7EE04948625AE8EB7BDC5922AAF951A734F
4672	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSI30991\Microsoft.Toolkit.Win32.UI.XamlHost.dll		executable
		MD5:14C39CDA89987D637565E45B7E04F5C8	SHA256:DD136F1FD23E91866A53B9E9A0F28C83FA63C2AEE01E61B3FC280E8F8FE549CA
4672	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSI30991\msvcp140.dll		executable
		MD5:996D01AD6A71761F29A98EC9E9F30007	SHA256:C8E7456F4AC9AA65EF3AD61A6DAF30EFEC9737344D173B2D6D2C16E752052A55

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3220	svchost.exe	GET	200	23.32.238.107:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	23.32.238.107:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3220	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5728	msiexec.exe	GET	200	2.16.241.19:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5728	msiexec.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl	unknown	—	—	whitelisted
—	—	GET	200	2.19.198.48:443	https://download.visualstudio.microsoft.com/download/pr/c7707d68-d6ce-4479-973e-e2a3dc4341fe/1AD7988C17663CC742B01BEF1A6DF2ED1741173009579AD50A94434E54F56073/VC_redist.x64.exe	unknown	executable	24.2 Mb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
5064	SearchApp.exe	104.126.37.123:443	www.bing.com	Akamai International B.V.	DE	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
3220	svchost.exe	23.32.238.107:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	23.32.238.107:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3220	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4712	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
www.bing.com	104.126.37.123 104.126.37.178 104.126.37.186 104.126.37.131 104.126.37.129 104.126.37.130 104.126.37.163 104.126.37.136 104.126.37.128	whitelisted
google.com	142.250.185.174	whitelisted
crl.microsoft.com	23.32.238.107 23.32.238.112 2.16.241.19 2.16.241.12	whitelisted
www.microsoft.com	184.30.21.171 88.221.169.152	whitelisted
settings-win.data.microsoft.com	51.104.136.2	whitelisted
download.visualstudio.microsoft.com	2.16.168.102 2.16.168.105	whitelisted
self.events.data.microsoft.com	51.104.15.252	whitelisted

General Info

XXMI-Launcher-Installer-Online-v1.1.1--zzz.msi

D45FBBA1B23191DF6E2C6363E1C2FA90

72A41C684486F47E193431BDB354313DBEAEB508

59BE65FD43C0808AB750B4691F3530EDAC0523136B0DA172D9993B64108194B0

393216:FoGme40F6b+MUPRDvU5jQ1mbQtB5ydwolUvoBsS8BrGUItdl6BqC:weK1UPR7WivC1sSurcdMBqC

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

SUSPICIOUS

The process creates files with name similar to system file names

The process drops C-runtime libraries

Executable content was dropped or overwritten

Process drops legitimate windows executable

Reads security settings of Internet Explorer

Checks Windows Trust Settings

Searches for installed software

Starts a Microsoft application from unusual location

Starts itself from another location

Executes as Windows Service

Reads the Windows owner or organization settings

The process checks if it is being run in the virtual environment

Creates a software uninstall entry

Application launched itself

Process drops python dynamic module

Loads Python modules

INFO

Checks supported languages

An automatically generated document

Reads the computer name

Create files in a temporary directory

The sample compiled with english language support

Executable content was dropped or overwritten

Reads Environment values

Reads the software policy settings

Checks proxy server information

Reads the machine GUID from the registry

Creates files or folders in the user directory

The process uses the downloaded file

Process checks computer location settings

Manages system restore points

Creates files in the program directory

Creates a software uninstall entry

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity