File name:	Retrac.Launcher_1.0.13_x64_en-US.msi
Full analysis:	https://app.any.run/tasks/b8ce65f3-beba-40ca-af8d-5d0599883752
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	September 02, 2024, 00:55:45
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	generated-doc loader
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Retrac Launcher, Author: retrac, Keywords: Installer, Comments: This installer database contains the logic and data required to install Retrac Launcher., Template: x64;0, Revision Number: {96B6EFCC-925B-4F3C-B073-1B1E96E5D875}, Create Time/Date: Fri Aug 30 21:43:00 2024, Last Saved Time/Date: Fri Aug 30 21:43:00 2024, Number of Pages: 450, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5:	5F1EAA7C85D7589BFF98B064E521A8CF
SHA1:	FB4183909BFA7D8CCD056D15D3062A2343811B11
SHA256:	77F824CBC498DD3CA31197B8251C41B3F810F8FED50C5A9893552D42EE42FA65
SSDEEP:	98304:/mpbDmD4IPKBzzrvuziWwLuFHArMAfDZdf7zrPwOC+rGBIJql2phRPvqFAvn4i6s:/sDjn7fVv1Lue

.msi	\|	Microsoft Windows Installer (98.5)
.msi	\|	Microsoft Installer (100)

CodePage:	Windows Latin 1 (Western European)
Title:	Installation Database
Subject:	Retrac Launcher
Author:	retrac
Keywords:	Installer
Comments:	This installer database contains the logic and data required to install Retrac Launcher.
Template:	x64;0
RevisionNumber:	{96B6EFCC-925B-4F3C-B073-1B1E96E5D875}
CreateDate:	2024:08:30 21:43:00
ModifyDate:	2024:08:30 21:43:00
Pages:	450
Words:	2
Software:	Windows Installer XML Toolset (3.11.2.4516)
Security:	Read-only recommended


(PID) Process:	(5712) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 480000000000000072CABCE2D2FCDA0150160000481A0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(5712) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Enter)
Value: 4800000000000000942DBFE2D2FCDA0150160000481A0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(5712) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Leave)
Value: 4800000000000000A760F8E2D2FCDA0150160000481A0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(5712) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Enter)
Value: 4800000000000000A760F8E2D2FCDA0150160000481A0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(5712) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Leave)
Value: 480000000000000023C4FAE2D2FCDA0150160000481A0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(5712) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppCreate (Enter)
Value: 4800000000000000BD27FDE2D2FCDA0150160000481A0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(5712) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:	write	Name:	LastIndex
Value: 11
(PID) Process:	(5712) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGatherWriterMetadata (Enter)
Value: 4800000000000000965674E3D2FCDA0150160000481A0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(5712) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4800000000000000BBBC76E3D2FCDA0150160000AC090000E8030000010000000000000000000000F5EE8113B413CE41A429DA68B2F0C9AB00000000000000000000000000000000
(PID) Process:	(1108) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 48000000000000007FB282E3D2FCDA0154040000341B0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000

PID	Process	Filename		Type
5712	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
5712	msiexec.exe	C:\Windows\Installer\130013.msi		—
		MD5:—	SHA256:—
5712	msiexec.exe	C:\Windows\Installer\130015.msi		—
		MD5:—	SHA256:—
5712	msiexec.exe	C:\Windows\Temp\~DF127467B3DEFA0F55.TMP		gmc
		MD5:BF619EAC0CDF3F68D496EA9344137E8B	SHA256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
5712	msiexec.exe	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Retrac Launcher\Retrac Launcher.lnk		lnk
		MD5:1B9AE13F0A06983B38DC94D754D3504F	SHA256:DD714BD34B8BF9499CC0093693624BBAC55674438E6F6707FE754D1D2620D662
5712	msiexec.exe	C:\Program Files\Retrac Launcher\Retrac Launcher.exe		executable
		MD5:8EB3B4AE2BCF577A41B13E5AC0DEA44A	SHA256:8C6A9FB495E49421FD229513F33640F70E08737E61B1668B091B73450E76D2C7
5712	msiexec.exe	C:\Windows\Temp\~DF96292747E6650113.TMP		binary
		MD5:427BD109234C7CE776472C4E49C607F8	SHA256:E8EC3FC5284CBC7F94E630DB0C2A71289C41F276C507E404D28BF2763D9AAD5E
5712	msiexec.exe	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Retrac Launcher\Retrac Launcher.lnk~RF1305c0.TMP		binary
		MD5:1B9AE13F0A06983B38DC94D754D3504F	SHA256:DD714BD34B8BF9499CC0093693624BBAC55674438E6F6707FE754D1D2620D662
5712	msiexec.exe	C:\Windows\Installer\inprogressinstallinfo.ipi		binary
		MD5:427BD109234C7CE776472C4E49C607F8	SHA256:E8EC3FC5284CBC7F94E630DB0C2A71289C41F276C507E404D28BF2763D9AAD5E
4980	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSIB81D.tmp		executable
		MD5:4FDD16752561CF585FED1506914D73E0	SHA256:AECD2D2FE766F6D439ACC2BBF1346930ECC535012CF5AD7B3273D2875237B7E7

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	13.107.42.16:443	https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.195.15?clientId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&appChannel_edgeupdate=6&appConsentState_edgeupdate=0&appDayOfInstall_edgeupdate=0&appInactivityBadgeApplied_edgeupdate=0&appInactivityBadgeCleared_edgeupdate=0&appInactivityBadgeDuration_edgeupdate=0&appInstallTimeDiffSec_edgeupdate=0&appIsPinnedSystem_edgeupdate=false&appLastLaunchCount_edgeupdate=0&appLastLaunchTime_edgeupdate=0&appLastLaunchTimeJson_edgeupdate=0&appLastLaunchTimeDaysAgo_edgeupdate=0&appVersion_edgeupdate=1.3.195.15&appUpdateCheckIsUpdateDisabled_edgeupdate=false&appUpdatesAllowedForMeteredNetworks_edgeupdate=false&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=4&hwPhysmemory=4&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=DELL&oemProductName=DELL&osArch=x64&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=10.0.19045.4046&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=otherinstallcmd&requestIsMachine=false&requestOmahaShellVersion=1.3.195.15&requestOmahaVersion=1.3.195.15	unknown	binary	439 b	—
—	—	POST	200	13.67.191.143:443	https://msedge.api.cdp.microsoft.com/api/v1.1/internal/contents/Browser/namespaces/Default/names/msedgewebview-stable-win-x64/versions/128.0.2739.54/files?action=GenerateDownloadInfo&foregroundPriority=true	unknown	text	6.70 Kb	—
—	—	GET	200	152.199.21.175:443	https://msedge.sf.dl.delivery.mp.microsoft.com/filestreamingservice/files/bfbbeee6-130c-46b7-bf66-6b8eab0e894d/MicrosoftEdgeWebview2Setup.exe	unknown	executable	1.57 Mb	—
1020	svchost.exe	GET	200	199.232.214.172:80	http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/6e21df09-d909-4575-8e24-d945909e58df?P1=1725843392&P2=404&P3=2&P4=EPaWvYxI5Nt7anjhsKOvtMynCUqgOsqTkbw0kjRAzozzOT%2bY0yEP0kXz2X4siwuEvm0B5b1uQIPErUdV2RkNvQ%3d%3d	unknown	—	—	whitelisted
1020	svchost.exe	HEAD	200	199.232.214.172:80	http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/6e21df09-d909-4575-8e24-d945909e58df?P1=1725843392&P2=404&P3=2&P4=EPaWvYxI5Nt7anjhsKOvtMynCUqgOsqTkbw0kjRAzozzOT%2bY0yEP0kXz2X4siwuEvm0B5b1uQIPErUdV2RkNvQ%3d%3d	unknown	—	—	whitelisted
—	—	POST	200	13.67.191.143:443	https://msedge.api.cdp.microsoft.com/api/v2/contents/Browser/namespaces/Default/names?action=batchupdates	unknown	text	103 b	—

PID	Process	IP	Domain	ASN	CN	Reputation
6232	svchost.exe	52.140.118.28:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IN	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
2120	MoUsoCoreWorker.exe	52.140.118.28:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IN	whitelisted
6420	RUXIMICS.exe	52.140.118.28:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IN	whitelisted
6232	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2120	MoUsoCoreWorker.exe	20.106.86.13:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4324	svchost.exe	20.106.86.13:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7132	powershell.exe	184.28.89.167:443	go.microsoft.com	AKAMAI-AS	US	whitelisted
7132	powershell.exe	152.199.21.175:443	msedge.sf.dl.delivery.mp.microsoft.com	EDGECAST	DE	whitelisted
1076	MicrosoftEdgeUpdate.exe	13.107.42.16:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	52.140.118.28 20.73.194.208 20.106.86.13 51.104.136.2	whitelisted
google.com	142.250.184.206	whitelisted
go.microsoft.com	184.28.89.167	whitelisted
msedge.sf.dl.delivery.mp.microsoft.com	152.199.21.175	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
msedge.api.cdp.microsoft.com	13.95.26.4	whitelisted
msedge.f.tlu.dl.delivery.mp.microsoft.com	199.232.214.172 199.232.210.172	whitelisted

PID	Process	Class	Message
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Misc activity	ET INFO Request for EXE via Powershell
—	—	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
1020	svchost.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP

General Info

Retrac.Launcher_1.0.13_x64_en-US.msi

5F1EAA7C85D7589BFF98B064E521A8CF

FB4183909BFA7D8CCD056D15D3062A2343811B11

77F824CBC498DD3CA31197B8251C41B3F810F8FED50C5A9893552D42EE42FA65

98304:/mpbDmD4IPKBzzrvuziWwLuFHArMAfDZdf7zrPwOC+rGBIJql2phRPvqFAvn4i6s:/sDjn7fVv1Lue

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Run PowerShell with an invisible window

Changes the autorun value in the registry

SUSPICIOUS

Executes as Windows Service

Reads the Windows owner or organization settings

Powershell scripting: start process

Starts POWERSHELL.EXE for commands execution

The process bypasses the loading of PowerShell profile settings

Drops the executable file immediately after the start

Downloads file from URI

Request a resource from the Internet using PowerShell's cmdlet

Gets or sets the security protocol (POWERSHELL)

Process drops legitimate windows executable

Executable content was dropped or overwritten

Starts a Microsoft application from unusual location

Starts itself from another location

Creates/Modifies COM task schedule object

Reads security settings of Internet Explorer

Reads the date of Windows installation

Potential Corporate Privacy Violation

Checks Windows Trust Settings

Application launched itself

INFO

Checks supported languages

An automatically generated document

Reads the computer name

Creates a software uninstall entry

Executable content was dropped or overwritten

Disables trace logs

Checks proxy server information

Create files in a temporary directory

The executable file from the user directory is run by the Powershell process

Creates files or folders in the user directory

The process uses the downloaded file

Reads Environment values

Process checks computer location settings

Reads the software policy settings

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules