| File name: | XXMI-Launcher-Installer-Online-v1.0.4.msi.malwr |
| Full analysis: | https://app.any.run/tasks/ead48814-3b3a-425a-92c8-5611a5da7838 |
| Verdict: | Malicious activity |
| Threats: | Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. |
| Analysis date: | October 31, 2024, 21:17:27 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-msi |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {7DDD38F9-7DA4-44CD-AC57-732249A77EAB}, Number of Words: 2, Subject: XXMI Launcher, Author: SpectrumQT, Name of Creating Application: XXMI Launcher, Template: x64;1033, Comments: This installer database contains the logic and data required to install XXMI Launcher., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Wed Oct 9 16:32:24 2024, Last Saved Time/Date: Wed Oct 9 16:32:24 2024, Last Printed: Wed Oct 9 16:32:24 2024, Number of Pages: 450 |
| MD5: | ADE799235AAF27C7A98381A7813467EC |
| SHA1: | 74DDDC921C62363B9DF68FE4A68CDCF569D23B47 |
| SHA256: | 68068FF8E4D417BDD54E14395FCAF965DDC0784343496D69F8DDCE1F5EC89E80 |
| SSDEEP: | 393216:joJMe40F6b+MUPRDvU5jQ1mbQSLjYfoNTksnyzAuRVQep42nRM8YdNC:TeK1UPR7WbfYfgkeyzAkVQeS2nBYNC |
MALICIOUS
No malicious indicators.SUSPICIOUS
The process drops C-runtime libraries
- msiexec.exe (PID: 3604)
- msiexec.exe (PID: 2632)
The process creates files with name similar to system file names
- msiexec.exe (PID: 3604)
Process drops legitimate windows executable
- EnhancedUI.exe (PID: 7088)
- VC_redist.x64.exe (PID: 7040)
- msiexec.exe (PID: 7076)
- VC_redist.x64.exe (PID: 2776)
- VC_redist.x64.exe (PID: 4080)
- msiexec.exe (PID: 2632)
- VC_redist.x64.exe (PID: 6856)
Executable content was dropped or overwritten
- EnhancedUI.exe (PID: 7088)
- VC_redist.x64.exe (PID: 2776)
- VC_redist.x64.exe (PID: 7040)
- VC_redist.x64.exe (PID: 4080)
- VC_redist.x64.exe (PID: 2132)
- VC_redist.x64.exe (PID: 6856)
Starts a Microsoft application from unusual location
- VC_redist.x64.exe (PID: 7040)
- VC_redist.x64.exe (PID: 4080)
Checks Windows Trust Settings
- msiexec.exe (PID: 7076)
Starts itself from another location
- VC_redist.x64.exe (PID: 7040)
Executes as Windows Service
- VSSVC.exe (PID: 1376)
Application launched itself
- VC_redist.x64.exe (PID: 4316)
- VC_redist.x64.exe (PID: 2132)
Reads security settings of Internet Explorer
- msiexec.exe (PID: 7076)
Process drops python dynamic module
- msiexec.exe (PID: 2632)
INFO
Checks supported languages
- msiexec.exe (PID: 2632)
- msiexec.exe (PID: 3108)
- EnhancedUI.exe (PID: 7088)
- msiexec.exe (PID: 7076)
Reads the computer name
- msiexec.exe (PID: 3108)
- msiexec.exe (PID: 2632)
- msiexec.exe (PID: 7076)
- EnhancedUI.exe (PID: 7088)
Create files in a temporary directory
- msiexec.exe (PID: 3604)
- EnhancedUI.exe (PID: 7088)
- msiexec.exe (PID: 7076)
Executable content was dropped or overwritten
- msiexec.exe (PID: 3604)
- msiexec.exe (PID: 7076)
- msiexec.exe (PID: 2632)
Reads Environment values
- msiexec.exe (PID: 7076)
- EnhancedUI.exe (PID: 7088)
Checks proxy server information
- msiexec.exe (PID: 7076)
Reads the machine GUID from the registry
- msiexec.exe (PID: 7076)
Reads the software policy settings
- msiexec.exe (PID: 7076)
Manages system restore points
- SrTasks.exe (PID: 6156)
- SrTasks.exe (PID: 6552)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .msi | | | Microsoft Windows Installer (88.6) |
|---|---|---|
| .mst | | | Windows SDK Setup Transform Script (10) |
| .msi | | | Microsoft Installer (100) |
EXIF
FlashPix
| Security: | None |
|---|---|
| CodePage: | Windows Latin 1 (Western European) |
| RevisionNumber: | {7DDD38F9-7DA4-44CD-AC57-732249A77EAB} |
| Words: | 2 |
| Subject: | XXMI Launcher |
| Author: | SpectrumQT |
| LastModifiedBy: | - |
| Software: | XXMI Launcher |
| Template: | x64;1033 |
| Comments: | This installer database contains the logic and data required to install XXMI Launcher. |
| Title: | Installation Database |
| Keywords: | Installer, MSI, Database |
| CreateDate: | 2024:10:09 16:32:24 |
| ModifyDate: | 2024:10:09 16:32:24 |
| LastPrinted: | 2024:10:09 16:32:24 |
| Pages: | 450 |
Total processes
134
Monitored processes
18
Malicious processes
1
Suspicious processes
4
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 764 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | SrTasks.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1376 | C:\WINDOWS\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2132 | "C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -burn.filehandle.attached=536 -burn.filehandle.self=556 -uninstall -quiet -burn.related.upgrade -burn.ancestors={c649ede4-f16a-4486-a117-dcc2f2a35165} -burn.filehandle.self=1112 -burn.embedded BurnPipe.{FA322C88-BB9E-4D19-9C6F-0EB2072A7983} {411A25FE-4576-4038-9839-F774FE1F81C6} 4080 | C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe | VC_redist.x64.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 Exit code: 0 Version: 14.36.32532.0 Modules
| |||||||||||||||
| 2632 | C:\WINDOWS\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2776 | "C:\Users\admin\AppData\Roaming\XXMI Launcher\prerequisites\Visual C++ Redistributable for Visual Studio 2015-2022\VC_redist.x64.exe" /q /norestart REBOOT=ReallySuppress | C:\Users\admin\AppData\Roaming\XXMI Launcher\prerequisites\Visual C++ Redistributable for Visual Studio 2015-2022\VC_redist.x64.exe | msiexec.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.38.33135 Exit code: 3010 Version: 14.38.33135.0 Modules
| |||||||||||||||
| 3108 | C:\Windows\syswow64\MsiExec.exe -Embedding 0D36706B40D2DEAF7B4B06CA552C5DD9 U | C:\Windows\SysWOW64\msiexec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Version: 5.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3604 | "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\Desktop\XXMI-Launcher-Installer-Online-v1.0.4.msi.malwr.msi | C:\Windows\System32\msiexec.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4080 | "C:\Users\admin\AppData\Local\Temp\{E38C8376-D206-432C-86B5-EB789C221845}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{0726C1E3-D619-443E-B545-FE4A9F617CEE} {989F016A-DA11-4D04-AC4A-1689137EAC6F} 7040 | C:\Users\admin\AppData\Local\Temp\{E38C8376-D206-432C-86B5-EB789C221845}\.be\VC_redist.x64.exe | VC_redist.x64.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.38.33135 Exit code: 3010 Version: 14.38.33135.0 Modules
| |||||||||||||||
| 4316 | "C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={c649ede4-f16a-4486-a117-dcc2f2a35165} -burn.filehandle.self=1112 -burn.embedded BurnPipe.{FA322C88-BB9E-4D19-9C6F-0EB2072A7983} {411A25FE-4576-4038-9839-F774FE1F81C6} 4080 | C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe | — | VC_redist.x64.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 Exit code: 0 Version: 14.36.32532.0 Modules
| |||||||||||||||
| 4376 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | SrTasks.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) | |||||||||||||||
Total events
16 952
Read events
15 951
Write events
624
Delete events
377
Modification events
| (PID) Process: | (7076) msiexec.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce |
| Operation: | write | Name: | {D0077297-54D3-45E8-B92C-7119B5049D8D} |
Value: C:\WINDOWS\system32\msiexec.exe /i "C:\Users\admin\Desktop\XXMI-Launcher-Installer-Online-v1.0.4.msi.malwr.msi" ADDLOCAL=MainFeature,C4FE6FD5B7C4D07B3A313E754A9A6A8 | |||
| (PID) Process: | (5372) dllhost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Enter) |
Value: 4800000000000000AF4D9E7DDA2BDB01FC14000054180000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (4080) VC_redist.x64.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore |
| Operation: | write | Name: | SrCreateRp (Enter) |
Value: 4000000000000000AF4D9E7DDA2BDB01F00F0000700F0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5372) dllhost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Leave) |
Value: 48000000000000001984D77DDA2BDB01FC14000054180000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5372) dllhost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Enter) |
Value: 48000000000000001984D77DDA2BDB01FC14000054180000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5372) dllhost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Leave) |
Value: 4800000000000000BAE8D97DDA2BDB01FC14000054180000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5372) dllhost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppCreate (Enter) |
Value: 4800000000000000139DDE7DDA2BDB01FC14000054180000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5372) dllhost.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP |
| Operation: | write | Name: | LastIndex |
Value: 11 | |||
| (PID) Process: | (5372) dllhost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGatherWriterMetadata (Enter) |
Value: 4800000000000000F80B3E7EDA2BDB01FC14000054180000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (5372) dllhost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4800000000000000F3C0427EDA2BDB01FC140000A4140000E803000001000000000000000000000052504678C57EB7448CFECCFAE1E3631000000000000000000000000000000000 | |||
Executable files
169
Suspicious files
74
Text files
1 073
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3604 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI13253\resources.pri | — | |
MD5:— | SHA256:— | |||
| 3604 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI13253\Microsoft.Toolkit.Win32.UI.XamlHost.dll | executable | |
MD5:14C39CDA89987D637565E45B7E04F5C8 | SHA256:DD136F1FD23E91866A53B9E9A0F28C83FA63C2AEE01E61B3FC280E8F8FE549CA | |||
| 3604 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI13253\App.xbf | xbf | |
MD5:74B378E0D84B6E145A812B9C802BB285 | SHA256:1FC04ACE8A8CFA4E462E5FB2403D65BA757181611BD1D261DD7F2C8C80274F1D | |||
| 3604 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI13253\EnhancedUI.exe | executable | |
MD5:766D9E2EC1D3AA3AE09F09B232B42911 | SHA256:30791EB229D55D42DA62B7048B36BCE26BD5DBC89E26056DDF042A951D519624 | |||
| 3604 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI13253\msvcp140.dll | executable | |
MD5:996D01AD6A71761F29A98EC9E9F30007 | SHA256:C8E7456F4AC9AA65EF3AD61A6DAF30EFEC9737344D173B2D6D2C16E752052A55 | |||
| 3604 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI13253\Microsoft.Web.WebView2.Core.dll | executable | |
MD5:2B4735E30C39A0267310FCC65C1C4285 | SHA256:BC3E0C69E9F4BC03EEC9C3B92846B42497419FFEF79DE12F382B27F5778E2A32 | |||
| 3604 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI13253\vcruntime140.dll | executable | |
MD5:81B11024A8ED0C9ADFD5FBF6916B133C | SHA256:EB6A3A491EFCC911F9DFF457D42FED85C4C170139414470EA951B0DAFE352829 | |||
| 3604 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI13253\vcamp140_app.dll | executable | |
MD5:E62BAA55E529246328640B5D88387305 | SHA256:1DABF86E47DD38B3EE69125CEE2A7E1588DBE6F0F7A9D906BB9CDA5F2B44EED3 | |||
| 3604 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI13253\ucrtbase.dll | executable | |
MD5:B65AA2646529E9C1DE570D28C2E37C2B | SHA256:783AAD71C976972DEF8A34579123439CFEBFF071901D97BC91033A05D9C2068F | |||
| 3604 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI13253\vcomp140_app.dll | executable | |
MD5:0F9349FC1456D77DA8BDA1BD82B96F14 | SHA256:0402133AD636A4839FA4042FD13D43F305FF0C0914F2CFF223C44E8D4CE285D4 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
24
DNS requests
9
Threats
3
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5488 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.43:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 1.01 Kb | whitelisted |
— | — | GET | 200 | 2.16.164.43:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 1.01 Kb | whitelisted |
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.32.185.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | BR | binary | 973 b | whitelisted |
2632 | msiexec.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl | DE | binary | 1.05 Kb | whitelisted |
— | — | GET | 200 | 199.232.214.172:443 | https://download.visualstudio.microsoft.com/download/pr/c7707d68-d6ce-4479-973e-e2a3dc4341fe/1AD7988C17663CC742B01BEF1A6DF2ED1741173009579AD50A94434E54F56073/VC_redist.x64.exe | US | executable | 24.2 Mb | whitelisted |
2632 | msiexec.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 1.01 Kb | whitelisted |
— | — | GET | 200 | 23.32.185.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | BR | binary | 973 b | whitelisted |
6944 | svchost.exe | GET | 200 | 2.16.164.43:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 1.01 Kb | whitelisted |
6944 | svchost.exe | GET | 200 | 23.32.185.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | BR | binary | 973 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
6944 | svchost.exe | 2.16.164.43:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
— | — | 2.16.164.43:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
5488 | MoUsoCoreWorker.exe | 2.16.164.43:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
6944 | svchost.exe | 23.32.185.131:80 | www.microsoft.com | AKAMAI-AS | BR | whitelisted |
— | — | 23.32.185.131:80 | www.microsoft.com | AKAMAI-AS | BR | whitelisted |
5488 | MoUsoCoreWorker.exe | 23.32.185.131:80 | www.microsoft.com | AKAMAI-AS | BR | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
download.visualstudio.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
— | — | Misc activity | ET INFO EXE - Served Attached HTTP |
1 ETPRO signatures available at the full report