File name: XXMI-Launcher-Installer-Online-v1.0.4.msi.malwr

Full analysis: https://app.any.run/tasks/ead48814-3b3a-425a-92c8-5611a5da7838
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: October 31, 2024, 21:17:27
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
adware
advancedinstaller
loader
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {7DDD38F9-7DA4-44CD-AC57-732249A77EAB}, Number of Words: 2, Subject: XXMI Launcher, Author: SpectrumQT, Name of Creating Application: XXMI Launcher, Template: x64;1033, Comments: This installer database contains the logic and data required to install XXMI Launcher., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Wed Oct 9 16:32:24 2024, Last Saved Time/Date: Wed Oct 9 16:32:24 2024, Last Printed: Wed Oct 9 16:32:24 2024, Number of Pages: 450
MD5: ADE799235AAF27C7A98381A7813467EC
SHA1: 74DDDC921C62363B9DF68FE4A68CDCF569D23B47
SHA256: 68068FF8E4D417BDD54E14395FCAF965DDC0784343496D69F8DDCE1F5EC89E80
SSDEEP: 393216:joJMe40F6b+MUPRDvU5jQ1mbQSLjYfoNTksnyzAuRVQep42nRM8YdNC:TeK1UPR7WbfYfgkeyzAkVQeS2nBYNC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • msiexec.exe (PID: 3604)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 3604)
      • msiexec.exe (PID: 2632)
    • Executable content was dropped or overwritten

      • EnhancedUI.exe (PID: 7088)
      • VC_redist.x64.exe (PID: 2776)
      • VC_redist.x64.exe (PID: 7040)
      • VC_redist.x64.exe (PID: 4080)
      • VC_redist.x64.exe (PID: 2132)
      • VC_redist.x64.exe (PID: 6856)
    • Process drops legitimate windows executable

      • EnhancedUI.exe (PID: 7088)
      • msiexec.exe (PID: 7076)
      • VC_redist.x64.exe (PID: 2776)
      • VC_redist.x64.exe (PID: 7040)
      • msiexec.exe (PID: 2632)
      • VC_redist.x64.exe (PID: 4080)
      • VC_redist.x64.exe (PID: 6856)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 7076)
    • Checks Windows Trust Settings

      • msiexec.exe (PID: 7076)
    • Starts a Microsoft application from unusual location

      • VC_redist.x64.exe (PID: 7040)
      • VC_redist.x64.exe (PID: 4080)
    • Starts itself from another location

      • VC_redist.x64.exe (PID: 7040)
    • Executes as Windows Service

      • VSSVC.exe (PID: 1376)
    • Application launched itself

      • VC_redist.x64.exe (PID: 2132)
      • VC_redist.x64.exe (PID: 4316)
    • Process drops python dynamic module

      • msiexec.exe (PID: 2632)
  • INFO

    • Create files in a temporary directory

      • msiexec.exe (PID: 3604)
      • EnhancedUI.exe (PID: 7088)
      • msiexec.exe (PID: 7076)
    • Checks supported languages

      • msiexec.exe (PID: 2632)
      • EnhancedUI.exe (PID: 7088)
      • msiexec.exe (PID: 3108)
      • msiexec.exe (PID: 7076)
    • Reads the computer name

      • msiexec.exe (PID: 3108)
      • msiexec.exe (PID: 7076)
      • msiexec.exe (PID: 2632)
      • EnhancedUI.exe (PID: 7088)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3604)
      • msiexec.exe (PID: 7076)
      • msiexec.exe (PID: 2632)
    • Reads Environment values

      • msiexec.exe (PID: 7076)
      • EnhancedUI.exe (PID: 7088)
    • Checks proxy server information

      • msiexec.exe (PID: 7076)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 7076)
    • Reads the software policy settings

      • msiexec.exe (PID: 7076)
    • Manages system restore points

      • SrTasks.exe (PID: 6156)
      • SrTasks.exe (PID: 6552)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (88.6)
.mst | Windows SDK Setup Transform Script (10)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Security: None
CodePage: Windows Latin 1 (Western European)
RevisionNumber: {7DDD38F9-7DA4-44CD-AC57-732249A77EAB}
Words: 2
Subject: XXMI Launcher
Author: SpectrumQT
LastModifiedBy: -
Software: XXMI Launcher
Template: x64;1033
Comments: This installer database contains the logic and data required to install XXMI Launcher.
Title: Installation Database
Keywords: Installer, MSI, Database
CreateDate: 2024:10:09 16:32:24
ModifyDate: 2024:10:09 16:32:24
LastPrinted: 2024:10:09 16:32:24
Pages: 450
No data.
All screenshots are available in the full report
Total processes: 134
Monitored processes: 18
Malicious processes: 1
Suspicious processes: 4

Behavior graph

start → msiexec.exe; msiexec.exe; msiexec.exe (no specs); enhancedui.exe; msiexec.exe; vc_redist.x64.exe; vc_redist.x64.exe; vc_redist.x64.exe; SPPSurrogate (no specs); vssvc.exe (no specs); srtasks.exe (no specs); conhost.exe (no specs); vc_redist.x64.exe (no specs); vc_redist.x64.exe; vc_redist.x64.exe; srtasks.exe (no specs); conhost.exe (no specs); msiexec.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process
PID 764 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: SrTasks.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1376 | CMD: C:\WINDOWS\system32\vssvc.exe | Path: C:\Windows\System32\VSSVC.exe | Parent: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 2132 | CMD: "C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -burn.filehandle.attached=536 -burn.filehandle.self=556 -uninstall -quiet -burn.related.upgrade -burn.ancestors={c649ede4-f16a-4486-a117-dcc2f2a35165} -burn.filehandle.self=1112 -burn.embedded BurnPipe.{FA322C88-BB9E-4D19-9C6F-0EB2072A7983} {411A25FE-4576-4038-9839-F774FE1F81C6} 4080 | Path: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe | Parent: VC_redist.x64.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532
Exit code: 0
Version: 14.36.32532.0
Modules
Images
c:\programdata\package cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\vc_redist.x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID 2632 | CMD: C:\WINDOWS\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | Parent: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID 2776 | CMD: "C:\Users\admin\AppData\Roaming\XXMI Launcher\prerequisites\Visual C++ Redistributable for Visual Studio 2015-2022\VC_redist.x64.exe" /q /norestart REBOOT=ReallySuppress | Path: C:\Users\admin\AppData\Roaming\XXMI Launcher\prerequisites\Visual C++ Redistributable for Visual Studio 2015-2022\VC_redist.x64.exe | Parent: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.38.33135
Exit code: 3010
Version: 14.38.33135.0
Modules
Images
c:\users\admin\appdata\roaming\xxmi launcher\prerequisites\visual c++ redistributable for visual studio 2015-2022\vc_redist.x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID 3108 | CMD: C:\Windows\syswow64\MsiExec.exe -Embedding 0D36706B40D2DEAF7B4B06CA552C5DD9 U | Path: C:\Windows\SysWOW64\msiexec.exe | Parent: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Version: 5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID 3604 | CMD: "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\Desktop\XXMI-Launcher-Installer-Online-v1.0.4.msi.malwr.msi | Path: C:\Windows\System32\msiexec.exe | Parent: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Version: 5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID 4080 | CMD: "C:\Users\admin\AppData\Local\Temp\{E38C8376-D206-432C-86B5-EB789C221845}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{0726C1E3-D619-443E-B545-FE4A9F617CEE} {989F016A-DA11-4D04-AC4A-1689137EAC6F} 7040 | Path: C:\Users\admin\AppData\Local\Temp\{E38C8376-D206-432C-86B5-EB789C221845}\.be\VC_redist.x64.exe | Parent: VC_redist.x64.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.38.33135
Exit code: 3010
Version: 14.38.33135.0
Modules
Images
c:\users\admin\appdata\local\temp\{e38c8376-d206-432c-86b5-eb789c221845}\.be\vc_redist.x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID 4316 | CMD: "C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={c649ede4-f16a-4486-a117-dcc2f2a35165} -burn.filehandle.self=1112 -burn.embedded BurnPipe.{FA322C88-BB9E-4D19-9C6F-0EB2072A7983} {411A25FE-4576-4038-9839-F774FE1F81C6} 4080 | Path: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe | Parent: VC_redist.x64.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532
Exit code: 0
Version: 14.36.32532.0
Modules
Images
c:\programdata\package cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\vc_redist.x64.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID 4376 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: SrTasks.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Total events: 16 952
Read events: 15 951
Write events: 624
Delete events: 377

Modification events

PID 7076, msiexec.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: {D0077297-54D3-45E8-B92C-7119B5049D8D}
Value: C:\WINDOWS\system32\msiexec.exe /i "C:\Users\admin\Desktop\XXMI-Launcher-Installer-Online-v1.0.4.msi.malwr.msi" ADDLOCAL=MainFeature,C4FE6FD5B7C4D07B3A313E754A9A6A8

PID 5372, dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value: 4800000000000000AF4D9E7DDA2BDB01FC14000054180000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

PID 4080, VC_redist.x64.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value: 4000000000000000AF4D9E7DDA2BDB01F00F0000700F0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000

PID 5372, dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value: 48000000000000001984D77DDA2BDB01FC14000054180000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000

PID 5372, dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value: 48000000000000001984D77DDA2BDB01FC14000054180000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

PID 5372, dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value: 4800000000000000BAE8D97DDA2BDB01FC14000054180000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000

PID 5372, dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value: 4800000000000000139DDE7DDA2BDB01FC14000054180000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

PID 5372, dllhost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value: 11

PID 5372, dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value: 4800000000000000F80B3E7EDA2BDB01FC14000054180000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

PID 5372, dllhost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value: 4800000000000000F3C0427EDA2BDB01FC140000A4140000E803000001000000000000000000000052504678C57EB7448CFECCFAE1E3631000000000000000000000000000000000
Executable files: 169
Suspicious files: 74
Text files: 1 073
Unknown types: 3

Dropped files

PID | Process | Filename | Type

PID 3604, msiexec.exe: C:\Users\admin\AppData\Local\Temp\MSI13253\resources.pri
MD5:
SHA256:
PID 3604, msiexec.exe: C:\Users\admin\AppData\Local\Temp\MSI13253\embeddeduiproxy.dll (executable)
MD5: 8DC7199AEA9216EEA74B18CD32D3A20A
SHA256: 96E0FE57C2F2347E8994D6E3685C85A97B0C12F920EB37882D24BB0606FA915A
PID 3604, msiexec.exe: C:\Users\admin\AppData\Local\Temp\MSI13253\WinUiBootstrapperEui.dll (executable)
MD5: CBA525D7B96102F5E0EB48C73AB09FB5
SHA256: 901B1D184F1077CF4C59162E9E82B4F59E44D4B3E9356469B6FD6679BD4D7BD2
PID 3604, msiexec.exe: C:\Users\admin\AppData\Local\Temp\MSI13253\Microsoft.Web.WebView2.Core.dll (executable)
MD5: 2B4735E30C39A0267310FCC65C1C4285
SHA256: BC3E0C69E9F4BC03EEC9C3B92846B42497419FFEF79DE12F382B27F5778E2A32
PID 3604, msiexec.exe: C:\Users\admin\AppData\Local\Temp\MSI13253\Microsoft.UI.Xaml.dll (executable)
MD5: 6586CDC1057963B1CD0D5D6B89B9B093
SHA256: 9C2B2585B9D75E302002C8DAFE60871196FFE059855747D63843C7A570A4EE7E
PID 3604, msiexec.exe: C:\Users\admin\AppData\Local\Temp\MSI13253\EnhancedUI.exe (executable)
MD5: 766D9E2EC1D3AA3AE09F09B232B42911
SHA256: 30791EB229D55D42DA62B7048B36BCE26BD5DBC89E26056DDF042A951D519624
PID 3604, msiexec.exe: C:\Users\admin\AppData\Local\Temp\MSI13253\vccorlib140_app.dll (executable)
MD5: 1859180F11674524A760DFB45C14F442
SHA256: E3226D79DC944393DCBCBD3A7EE8023F627A9571B09A20214A390F00FF5F88D1
PID 3604, msiexec.exe: C:\Users\admin\AppData\Local\Temp\MSI13253\vcamp140_app.dll (executable)
MD5: E62BAA55E529246328640B5D88387305
SHA256: 1DABF86E47DD38B3EE69125CEE2A7E1588DBE6F0F7A9D906BB9CDA5F2B44EED3
PID 3604, msiexec.exe: C:\Users\admin\AppData\Local\Temp\MSI13253\vcomp140_app.dll (executable)
MD5: 0F9349FC1456D77DA8BDA1BD82B96F14
SHA256: 0402133AD636A4839FA4042FD13D43F305FF0C0914F2CFF223C44E8D4CE285D4
PID 3604, msiexec.exe: C:\Users\admin\AppData\Local\Temp\MSI115B.tmp (executable)
MD5: 13056F6FC48A93C1268D690E554F4571
SHA256: AEDA49BAF2D79DA2F7A9266F1FB7884111C2620E187090321F5278AF5131C996
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 24
DNS requests: 9
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6944 | svchost.exe | GET | 200 | 2.16.164.43:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 2.16.164.43:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.43:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6944 | svchost.exe | GET | 200 | 23.32.185.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 23.32.185.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.32.185.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
2632 | msiexec.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2632 | msiexec.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 199.232.214.172:443 | https://download.visualstudio.microsoft.com/download/pr/c7707d68-d6ce-4479-973e-e2a3dc4341fe/1AD7988C17663CC742B01BEF1A6DF2ED1741173009579AD50A94434E54F56073/VC_redist.x64.exe | unknown | executable | 24.2 Mb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6944 | svchost.exe | 2.16.164.43:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
- | - | 2.16.164.43:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5488 | MoUsoCoreWorker.exe | 2.16.164.43:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
6944 | svchost.exe | 23.32.185.131:80 | www.microsoft.com | AKAMAI-AS | BR | whitelisted
- | - | 23.32.185.131:80 | www.microsoft.com | AKAMAI-AS | BR | whitelisted
5488 | MoUsoCoreWorker.exe | 23.32.185.131:80 | www.microsoft.com | AKAMAI-AS | BR | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 51.104.136.2 | whitelisted
google.com | 172.217.16.142 | whitelisted
crl.microsoft.com | 2.16.164.43, 2.16.164.49, 2.16.164.18, 23.53.40.178, 23.53.40.176 | whitelisted
www.microsoft.com | 23.32.185.131, 23.52.120.96 | whitelisted
download.visualstudio.microsoft.com | 199.232.210.172, 199.232.214.172 | whitelisted
self.events.data.microsoft.com | 20.189.173.13 | whitelisted

Threats

PID | Process | Class | Message
- | - | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
- | - | Misc activity | ET INFO EXE - Served Attached HTTP
1 ETPRO signatures available at the full report
No debug info