File name: Retrac.Launcher_1.0.13_x64_en-US.msi

Full analysis: https://app.any.run/tasks/0f17fa50-b580-47c6-b285-e283ab14c8ca
Verdict: Malicious activity
Threats: Loader

A loader is malware whose job is to deliver further payloads. After infecting a host it typically profiles the system and then installs other threats, such as trojans or stealers. Loaders are usually distributed through phishing e-mails and links that rely on social engineering to get the user to download and run the executable, and they use evasion and persistence techniques to stay undetected.

Analysis date: September 21, 2024, 12:38:22
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: generated-doc, loader, github, discord
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Retrac Launcher, Author: retrac, Keywords: Installer, Comments: This installer database contains the logic and data required to install Retrac Launcher., Template: x64;0, Revision Number: {96B6EFCC-925B-4F3C-B073-1B1E96E5D875}, Create Time/Date: Fri Aug 30 21:43:00 2024, Last Saved Time/Date: Fri Aug 30 21:43:00 2024, Number of Pages: 450, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5: 5F1EAA7C85D7589BFF98B064E521A8CF
SHA1: FB4183909BFA7D8CCD056D15D3062A2343811B11
SHA256: 77F824CBC498DD3CA31197B8251C41B3F810F8FED50C5A9893552D42EE42FA65
SSDEEP: 98304:/mpbDmD4IPKBzzrvuziWwLuFHArMAfDZdf7zrPwOC+rGBIJql2phRPvqFAvn4i6s:/sDjn7fVv1Lue

ANY.RUN is an interactive service that gives the analyst full access to the guest system, so the information in this report may have been influenced by user actions and is provided as is. ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 2924)
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 6396)
    • Powershell scripting: start process

      • msiexec.exe (PID: 840)
    • The process bypasses the loading of PowerShell profile settings

      • msiexec.exe (PID: 840)
    • Downloads file from URI

      • powershell.exe (PID: 2924)
    • Starts POWERSHELL.EXE for commands execution

      • msiexec.exe (PID: 840)
    • Request a resource from the Internet using PowerShell's cmdlet

      • msiexec.exe (PID: 840)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2924)
      • MicrosoftEdgeWebview2Setup.exe (PID: 6940)
      • MicrosoftEdgeUpdate.exe (PID: 2608)
      • MicrosoftEdge_X64_129.0.2792.52.exe (PID: 6880)
      • setup.exe (PID: 6196)
    • Process drops legitimate windows executable

      • powershell.exe (PID: 2924)
      • MicrosoftEdgeWebview2Setup.exe (PID: 6940)
      • MicrosoftEdgeUpdate.exe (PID: 2608)
      • MicrosoftEdgeUpdate.exe (PID: 5916)
      • MicrosoftEdge_X64_129.0.2792.52.exe (PID: 6880)
      • setup.exe (PID: 6196)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeWebview2Setup.exe (PID: 6940)
      • MicrosoftEdgeUpdate.exe (PID: 2608)
    • Application launched itself

      • MicrosoftEdgeUpdate.exe (PID: 5916)
      • setup.exe (PID: 6196)
      • msedgewebview2.exe (PID: 644)
      • msedgewebview2.exe (PID: 4280)
    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 2608)
    • Potential Corporate Privacy Violation

      • MicrosoftEdgeUpdate.exe (PID: 5916)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 6284)
      • cmd.exe (PID: 2136)
      • cmd.exe (PID: 7600)
      • cmd.exe (PID: 7604)
      • cmd.exe (PID: 3552)
      • cmd.exe (PID: 5288)
      • cmd.exe (PID: 7184)
      • cmd.exe (PID: 7192)
      • cmd.exe (PID: 3464)
      • cmd.exe (PID: 6940)
      • cmd.exe (PID: 4108)
      • cmd.exe (PID: 4164)
    • Starts CMD.EXE for commands execution

      • Retrac Launcher.exe (PID: 3908)
      • Retrac Launcher.exe (PID: 2624)
  • INFO

    • Checks supported languages

      • msiexec.exe (PID: 3324)
      • msiexec.exe (PID: 840)
    • An automatically generated document

      • msiexec.exe (PID: 1060)
    • Reads the computer name

      • msiexec.exe (PID: 840)
      • msiexec.exe (PID: 3324)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 840)
      • msiexec.exe (PID: 1060)
    • The executable file from the user directory is run by the Powershell process

      • MicrosoftEdgeWebview2Setup.exe (PID: 6940)
    • Manual execution by a user

      • Retrac Launcher.exe (PID: 2624)
    • Application launched itself

      • msedge.exe (PID: 1020)
      • msedge.exe (PID: 8144)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
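The signatures above describe three chains worth reproducing in detection logic: msiexec.exe (PID 840, running as SYSTEM) starting powershell.exe (PID 2924) with a hidden window, no profile and a download cmdlet; that PowerShell then running MicrosoftEdgeWebview2Setup.exe (PID 6940) out of a user directory; and Retrac Launcher.exe driving cmd.exe into taskkill /F against EasyAntiCheat_EOS.exe and FortniteClient-Win64-Shipping.exe. The following Python is an added example and not part of the ANY.RUN report: it runs those three checks over a constructed process-creation log whose image names, PIDs and parent links follow the report, while the PowerShell arguments, the services.exe PID, the Temp path of the WebView2 bootstrapper and the install path of Retrac Launcher.exe are assumptions, because the report does not record them.

```python
"""Process-tree triage for the behaviour chains the report flags above.

Added example, not part of the ANY.RUN report. SAMPLE_EVENTS mirrors the
report's tree (image names, PIDs, parents), but the PowerShell arguments,
the services.exe PID, the Temp path of the WebView2 bootstrapper and the
install path of "Retrac Launcher.exe" are assumed: the report omits them.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event ID 1 or an EDR equivalent)."""
    pid: int
    ppid: int
    path: str      # full image path
    cmdline: str
    user: str

    @property
    def image(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
NOPROFILE = re.compile(r"-nop(?:rofile)?\b", re.I)
DOWNLOAD = re.compile(r"invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|downloadfile|"
                      r"downloadstring|start-bitstransfer", re.I)
TASKKILL = re.compile(r"taskkill(?:\.exe)?\b.*?/im\s+(\S+)", re.I)
USER_DIR = "c:\\users\\"

SAMPLE_EVENTS: List[ProcEvent] = [  # constructed sample, see module docstring
    ProcEvent(840, 612, r"C:\Windows\System32\msiexec.exe",
              r"C:\WINDOWS\system32\msiexec.exe /V", "SYSTEM"),
    ProcEvent(2924, 840, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              # assumed arguments; the report names the behaviours, not the flags
              'powershell.exe -NoProfile -WindowStyle Hidden -Command "Invoke-WebRequest '
              'https://example.invalid/MicrosoftEdgeWebview2Setup.exe -OutFile '
              r'C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe"', "SYSTEM"),
    ProcEvent(6940, 2924, r"C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe",
              r"C:\Users\admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe", "admin"),
    ProcEvent(3908, 0, r"C:\Program Files\Retrac Launcher\Retrac Launcher.exe",  # path assumed
              r'"C:\Program Files\Retrac Launcher\Retrac Launcher.exe"', "admin"),
    ProcEvent(6284, 3908, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c taskkill /F /IM EasyAntiCheat_EOS.exe", "admin"),
    ProcEvent(472, 6284, r"C:\Windows\System32\taskkill.exe",
              "taskkill /F /IM EasyAntiCheat_EOS.exe", "admin"),
    ProcEvent(2136, 3908, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c taskkill /F /IM FortniteClient-Win64-Shipping.exe", "admin"),
    ProcEvent(368, 2136, r"C:\Windows\System32\taskkill.exe",
              "taskkill /F /IM FortniteClient-Win64-Shipping.exe", "admin"),
]


def lineage(by_pid: Dict[int, ProcEvent], ev: ProcEvent, max_depth: int = 6) -> List[ProcEvent]:
    """Parent chain, root first. Keyed on PID, so it assumes no PID reuse inside
    the window; the report itself shows PID 368 used twice, which is why real
    pipelines key on a process GUID instead."""
    chain = [ev]
    while chain[-1].ppid in by_pid and len(chain) < max_depth:
        chain.append(by_pid[chain[-1].ppid])
    return chain[::-1]


def fmt(chain: List[ProcEvent]) -> str:
    return " -> ".join(f"{p.image}({p.pid})" for p in chain)


def triage(events: List[ProcEvent]) -> List[str]:
    by_pid = {e.pid: e for e in events}
    findings: List[str] = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        # 1. Hidden-window PowerShell (the report's MALICIOUS signature), with
        #    the profile-bypass and download traits recorded alongside it.
        if ev.image == "powershell.exe" and HIDDEN.search(ev.cmdline):
            traits = ["hidden window"]
            if NOPROFILE.search(ev.cmdline):
                traits.append("no profile")
            if DOWNLOAD.search(ev.cmdline):
                traits.append("download cmdlet")
            findings.append(f"[MALICIOUS] {fmt(lineage(by_pid, ev))} as {ev.user}: "
                            + ", ".join(traits))
        # 2. PowerShell starting an executable from a user-writable directory.
        if parent is not None and parent.image == "powershell.exe" \
                and ev.path.lower().startswith(USER_DIR):
            findings.append(f"[SUSPICIOUS] powershell.exe({parent.pid}) ran "
                            f"user-directory executable {ev.path}")
        # 3. Forced kills, reported with the chain so the analyst sees which
        #    application asked cmd.exe to terminate what.
        m = TASKKILL.search(ev.cmdline)
        if ev.image == "taskkill.exe" and m:
            findings.append(f"[SUSPICIOUS] {fmt(lineage(by_pid, ev))}: force-kills {m.group(1)}")
    return findings


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_EVENTS)))
```

The first rule alone is what earned the "Malicious activity" verdict; the third rule is the one that tells an analyst what the launcher actually did, since a game launcher force-killing the game client and its anti-cheat service is a very different finding from a stealer killing security tooling, and only the kill target distinguishes them.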
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: Retrac Launcher
Author: retrac
Keywords: Installer
Comments: This installer database contains the logic and data required to install Retrac Launcher.
Template: x64;0
RevisionNumber: {96B6EFCC-925B-4F3C-B073-1B1E96E5D875}
CreateDate: 2024:08:30 21:43:00
ModifyDate: 2024:08:30 21:43:00
Pages: 450
Words: 2
Software: Windows Installer XML Toolset (3.11.2.4516)
Security: Read-only recommended
All screenshots are available in the full report
Total processes: 260
Monitored processes: 118
Malicious processes: 6
Suspicious processes: 4

Behavior graph (rendered interactively in the full report). Process images in the graph: msiexec.exe, vssvc.exe, srtasks.exe, conhost.exe, powershell.exe, sppextcomobj.exe, slui.exe, microsoftedgewebview2setup.exe, microsoftedgeupdate.exe, microsoftedgeupdatecomregistershell64.exe, microsoftedge_x64_129.0.2792.52.exe, setup.exe, retrac launcher.exe, msedgewebview2.exe, cmd.exe, taskkill.exe, msedge.exe, identity_helper.exe.

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 368
CMD: taskkill /F /IM FortniteClient-Win64-Shipping.exe
Path: C:\Windows\System32\taskkill.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 368
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=4924 --field-trial-handle=2356,i,8747991566277512656,17517051121660197803,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
PID: 472
CMD: taskkill /F /IM EasyAntiCheat_EOS.exe
Path: C:\Windows\System32\taskkill.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 644
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\129.0.2792.52\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name="Retrac Launcher.exe" --webview-exe-version=1.0.13 --user-data-dir="C:\Users\admin\AppData\Local\site.retrac\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --lang=en-US --mojo-named-platform-channel-pipe=3908.4296.15256244959901820407
Path: C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\129.0.2792.52\msedgewebview2.exe
Parent process: Retrac Launcher.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge WebView2
Exit code:
0
Version:
129.0.2792.52
Modules
Images
c:\users\admin\appdata\local\microsoft\edgewebview\application\129.0.2792.52\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\129.0.2792.52\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 736
CMD: "C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTkiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTkiIGlzbWFjaGluZT0iMCIgc2Vzc2lvbmlkPSJ7MTM1Qjc2QzktNDNCRi00MTczLTkzNjItQ0JBNzcyNEFEQTI4fSIgdXNlcmlkPSJ7NjM4MzhGMzgtRTE1RS00RjM0LUIyODItQTFEMUFDREE2MjA1fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins0QTk5QkQ3QS0wN0EwLTRDMDAtOTcxOS1DQ0QwOEI3RDU4NUJ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjQwNDYiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJvZHVjdF9uYW1lPSJERUxMIi8-[…]
Path: […]:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process: MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.195.19
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
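The /ping argument on the PID 736 command line is the Omaha update protocol's request XML, base64url-encoded without padding; it is what Microsoft Edge Update reports back about the machine after the WebView2 install. The Python below is an added example, not code from the ANY.RUN report: it decodes the prefix of the blob that survives in the report (the report truncates the tail, so the XML stops after the <oem/> element and never reaches the <app> or closing </request> elements, which is why the fields are pulled out with a regex rather than an XML parser) and summarises the telemetry fields an analyst would want to see.

```python
"""Decode the Omaha /ping argument recorded for MicrosoftEdgeUpdate.exe (PID 736).

Added example, not code from the ANY.RUN report. PING_B64 is the base64url
prefix copied from the command line above; the report truncates the blob, so
the decoded XML ends after <oem .../> and has no <app> or </request>.
"""
import base64
import re
from typing import Dict

PING_B64 = (
    "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48"
    "cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIg"
    "dXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTkiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTkiIGlz"
    "bWFjaGluZT0iMCIgc2Vzc2lvbmlkPSJ7MTM1Qjc2QzktNDNCRi00MTczLTkzNjItQ0JBNzcyNEFEQTI4fSIg"
    "dXNlcmlkPSJ7NjM4MzhGMzgtRTE1RS00RjM0LUIyODItQTFEMUFDREE2MjA1fSIg"
    "aW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiBy"
    "ZXF1ZXN0aWQ9Ins0QTk5QkQ3QS0wN0EwLTRDMDAtOTcxOS1DQ0QwOEI3RDU4NUJ9IiBk"
    "ZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3"
    "IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEi"
    "IHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBw"
    "bGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ1LjQwNDYiIHNwPSIiIGFyY2g9Ing2NCIg"
    "cHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBw"
    "cm9kdWN0X21hbnVmYWN0dXJlcj0iREVMTCIgcHJvZHVjdF9uYW1lPSJERUxMIi8-"
)


def decode_ping(arg: str) -> str:
    """Omaha uses the URL-safe alphabet ('-' and '_') and strips '=' padding,
    so restore the padding before handing it to the decoder."""
    padded = arg + "=" * (-len(arg) % 4)
    return base64.urlsafe_b64decode(padded).decode("utf-8")


_ELEMENT = re.compile(r"<(\w+)\s([^>]*?)/?>")
_ATTR = re.compile(r'(\w+)="([^"]*)"')


def ping_fields(xml: str) -> Dict[str, Dict[str, str]]:
    """Map element name -> {attribute: value}. A regex is used on purpose: the
    truncated fragment is not well-formed XML and ElementTree would reject it."""
    return {m.group(1): dict(_ATTR.findall(m.group(2))) for m in _ELEMENT.finditer(xml)}


def summarize(fields: Dict[str, Dict[str, str]]) -> Dict[str, object]:
    """The parts of an Omaha ping that identify the machine and the install."""
    req, hw, os_, oem = fields["request"], fields["hw"], fields["os"], fields["oem"]
    return {
        "updater": f"{req['updater']} {req['updaterversion']}",
        "installsource": req["installsource"],
        "machine_wide": req["ismachine"] == "1",      # 0 = per-user (AppData) install
        "domain_joined": req["domainjoined"] == "1",
        "userid": req["userid"],                      # persistent per-user GUID
        "os": f"{os_['platform']} {os_['version']} {os_['arch']}",
        "cpus": int(hw["logical_cpus"]),
        "ram_gb": int(hw["physmemory"]),              # Omaha reports physmemory in GB
        "oem": f"{oem['product_manufacturer']} {oem['product_name']}",
    }


if __name__ == "__main__":
    decoded = decode_ping(PING_B64)
    print(decoded)
    for key, value in summarize(ping_fields(decoded)).items():
        print(f"{key}: {value}")
```

The decoded values cross-check against the rest of the report: updaterversion 1.3.195.19 is the Version shown on this process card, os version 10.0.19045.4046 matches the sandbox build 19045 in the header, and ismachine="0" agrees with the updater running from the user's AppData\Local rather than Program Files. The userid GUID is the field to treat as sensitive if such pings are being reviewed for data-handling reasons: it persists across sessions, unlike sessionid and requestid.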
PID: 840
CMD: C:\WINDOWS\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1020
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.com/oauth2/authorize?client_id=1212184991732080700&redirect_uri=https%3A%2F%2Fretrac.site%2Fretrac%2Fdiscord&response_type=code&scope=identify
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: Retrac Launcher.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
PID: 1060
CMD: "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\AppData\Local\Temp\Retrac.Launcher_1.0.13_x64_en-US.msi
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1084
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3852 --field-trial-handle=2356,i,8747991566277512656,17517051121660197803,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
PID: 1108
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 22 475
Read events: 18 205
Write events: 4 185
Delete events: 85

Modification events

(PID) Process: (840) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value: 4800000000000000E6E44432230CDB0148030000EC010000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (840) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value: 4800000000000000E6E44432230CDB0148030000EC010000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (840) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value: 480000000000000006798032230CDB0148030000EC010000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (840) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value: 480000000000000006798032230CDB0148030000EC010000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (840) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value: 4800000000000000BFDC8232230CDB0148030000EC010000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (840) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value: 48000000000000009BA48732230CDB0148030000EC010000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (840) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value: 11

(PID) Process: (840) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value: 4800000000000000F3420133230CDB0148030000EC010000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (840) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value: 480000000000000067930333230CDB0148030000901A0000E8030000010000000000000000000000C49F6F2B7628C44D9286B45A46A0C58D00000000000000000000000000000000

(PID) Process: (6396) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Operation: write
Name: IDENTIFY (Enter)
Value: 4800000000000000652E0D33230CDB01FC18000068180000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 207
Suspicious files: 447
Text files: 152
Unknown types: 9

Dropped files

PID: 840
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\metadata-2
MD5:
SHA256:

PID: 840
Process: msiexec.exe
Filename: C:\Windows\Installer\202213.msi
MD5:
SHA256:

PID: 840
Process: msiexec.exe
Filename: C:\Windows\Installer\202215.msi
MD5:
SHA256:

PID: 1060
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIE1FC.tmp
Type: executable
MD5: 4FDD16752561CF585FED1506914D73E0
SHA256: AECD2D2FE766F6D439ACC2BBF1346930ECC535012CF5AD7B3273D2875237B7E7

PID: 840
Process: msiexec.exe
Filename: C:\Windows\Temp\~DF98A7210190725941.TMP
Type: binary
MD5: BF5260CC59C71CECF4E4BEC301A738D3
SHA256: C15EDA4AD1DCA78BC912F6CDC098272ECF6CAA56FE2B7A0A0D076BD94BBD6913

PID: 840
Process: msiexec.exe
Filename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Retrac Launcher\~etrac Launcher.tmp
Type: binary
MD5: D2EEC5CB9A7E88B73D85FA0605653230
SHA256: CBB93BA4869F903A95E80DE25AD46E3FC5C052EB2636F630B3979C72FCCC90A1

PID: 840
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\OnlineMetadataCache\{2b6f9fc4-2876-4dc4-9286-b45a46a0c58d}_OnDiskSnapshotProp
Type: binary
MD5: 5261517D3DB1D826C183F08E6EA47B47
SHA256: 5CB19887A1043C3BBE48FBC1C7A413C70E463F5ED9912528B28C4E6D9F1ED74B

PID: 840
Process: msiexec.exe
Filename: C:\Windows\Installer\MSI25EB.tmp
Type: binary
MD5: B158992155BBF75B806C08C8A53C6A08
SHA256: 367F808CAEB31629D9F85751630E8A8813A6AED4787B0366B56B246B8E5EBE7F

PID: 840
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\snapshot-2
Type: binary
MD5: 5261517D3DB1D826C183F08E6EA47B47
SHA256: 5CB19887A1043C3BBE48FBC1C7A413C70E463F5ED9912528B28C4E6D9F1ED74B

PID: 840
Process: msiexec.exe
Filename: C:\Windows\Temp\~DF54EEBB739185A2EE.TMP
Type: binary
MD5: BF619EAC0CDF3F68D496EA9344137E8B
SHA256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 85
DNS requests: 76
Threats: 11

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5196
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2092
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
3852
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
3852
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
5916
MicrosoftEdgeUpdate.exe
GET
200
2.19.126.155:80
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/e9dcc3d7-d24a-407d-8f74-75c3d7fd8cfe?P1=1727527148&P2=404&P3=2&P4=UCLOpvjudUwdJRXYShssKXIhd7HAqF3P6PHdwOD1M2pqbJNsFBaDwC99hLzXiS0D9jgx3R7BbjzVWXjumW9f2g%3d%3d
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5196
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
6820
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
20.189.173.23:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
4
System
192.168.100.255:138
whitelisted
5196
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5196
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2120
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
  • 51.124.78.146
  • 52.167.249.196
whitelisted
google.com
  • 142.250.185.142
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 88.221.169.152
whitelisted
login.live.com
  • 40.126.31.73
  • 20.190.159.4
  • 20.190.159.0
  • 40.126.31.69
  • 20.190.159.73
  • 40.126.31.67
  • 20.190.159.68
  • 20.190.159.71
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
msedge.sf.dl.delivery.mp.microsoft.com
  • 152.199.21.175
whitelisted
browser.pipe.aria.microsoft.com
  • 20.42.73.26
  • 20.189.173.11
whitelisted

Threats

PID
Process
Class
Message
5916
MicrosoftEdgeUpdate.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
6388
msedgewebview2.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
6388
msedgewebview2.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
6388
msedgewebview2.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
6388
msedgewebview2.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
Process: msedgewebview2.exe
Message: RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\site.retrac directory exists )