File name:

Setup.msi

Full analysis: https://app.any.run/tasks/d9635762-0f44-458e-a745-ac9216caefcb
Verdict: Malicious activity
Analysis date: March 22, 2025, 18:06:03
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
autorun-download
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Create Time/Date: Mon Jun 21 07:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: Intel;1033, Number of Pages: 200, Revision Number: {74E8E8F7-5DB0-4955-B0A6-269C5D01C516}, Title: Setup, Author: Ray, Number of Words: 2, Last Saved Time/Date: Sat Mar 22 17:51:56 2025, Last Printed: Sat Mar 22 17:51:56 2025
MD5:

2BA2BC7CFBD50568E446F860CD259E86

SHA1:

479674863BDD7DDD4E0E35F7BE54040BF59D4FBC

SHA256:

94052E930F654ADB8E9D7433F4DC4312CC56A1765032BE971840CAFC88BFE51B

SSDEEP:

98304:ViRM4JcABfWo4CdasrOkcSCoEPS8BVR/q2zRJYpagpmcP4dBC+eDQ3d6YaTplfo0:WFyt07B8KLT7+W

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8788)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • msiexec.exe (PID: 7356)
      • msiexec.exe (PID: 7508)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8680)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8704)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8788)
    • Executes as Windows Service

      • VSSVC.exe (PID: 7996)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 7508)
    • Reads security settings of Internet Explorer

      • The Amazing Stick Figure Game.exe (PID: 7672)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8704)
      • The Amazing Stick Figure Game.exe (PID: 8328)
    • Executable content was dropped or overwritten

      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8680)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8704)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8788)
    • Starts a Microsoft application from unusual location

      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8704)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8788)
    • Searches for installed software

      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8704)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8788)
    • Creates a software uninstall entry

      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8788)
    • Starts itself from another location

      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8704)
    • The process creates files with name similar to system file names

      • msiexec.exe (PID: 7508)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 7508)
    • SQL CE related mutex has been found

      • The Amazing Stick Figure Game.exe (PID: 8328)
  • INFO

    • The sample compiled with english language support

      • msiexec.exe (PID: 7356)
      • msiexec.exe (PID: 7508)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8704)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8788)
      • msedge.exe (PID: 6416)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8680)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 7356)
      • msiexec.exe (PID: 7508)
      • msedge.exe (PID: 7900)
      • msedge.exe (PID: 6416)
    • Checks supported languages

      • msiexec.exe (PID: 7548)
      • msiexec.exe (PID: 7308)
      • The Amazing Stick Figure Game.exe (PID: 7672)
      • msiexec.exe (PID: 7508)
      • identity_helper.exe (PID: 1568)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8680)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8704)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8788)
      • msiexec.exe (PID: 8876)
      • msiexec.exe (PID: 9136)
      • msiexec.exe (PID: 9208)
      • msiexec.exe (PID: 7364)
      • The Amazing Stick Figure Game.exe (PID: 8328)
    • Reads the computer name

      • msiexec.exe (PID: 7548)
      • The Amazing Stick Figure Game.exe (PID: 7672)
      • msiexec.exe (PID: 7508)
      • identity_helper.exe (PID: 1568)
      • msiexec.exe (PID: 7308)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8704)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8788)
      • msiexec.exe (PID: 8876)
      • msiexec.exe (PID: 9208)
      • msiexec.exe (PID: 9136)
      • msiexec.exe (PID: 7364)
      • The Amazing Stick Figure Game.exe (PID: 8328)
    • Manual execution by a user

      • The Amazing Stick Figure Game.exe (PID: 7672)
      • The Amazing Stick Figure Game.exe (PID: 8328)
    • Autorun file from Downloads

      • msedge.exe (PID: 8400)
    • Application launched itself

      • msedge.exe (PID: 7900)
    • Reads Environment values

      • identity_helper.exe (PID: 1568)
      • The Amazing Stick Figure Game.exe (PID: 8328)
    • Create files in a temporary directory

      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8680)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8704)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8788)
    • Manages system restore points

      • SrTasks.exe (PID: 5072)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 7508)
      • The Amazing Stick Figure Game.exe (PID: 8328)
    • Process checks computer location settings

      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8704)
    • Creates files in the program directory

      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8788)
      • The Amazing Stick Figure Game.exe (PID: 8328)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 7508)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8788)
      • The Amazing Stick Figure Game.exe (PID: 8328)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 7508)
    • Reads the software policy settings

      • msiexec.exe (PID: 7508)
      • slui.exe (PID: 8352)
    • Checks proxy server information

      • slui.exe (PID: 8352)
      • The Amazing Stick Figure Game.exe (PID: 8328)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (90.2)
.msp | Windows Installer Patch (8.4)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CreateDate: 1999:06:21 07:00:00
Software: Windows Installer
Security: Password protected
CodePage: Windows Latin 1 (Western European)
Template: Intel;1033
Pages: 200
RevisionNumber: {74E8E8F7-5DB0-4955-B0A6-269C5D01C516}
Title: Setup
Subject: -
Author: Ray
Keywords: -
Comments: -
Words: 2
ModifyDate: 2025:03:22 17:51:56
LastPrinted: 2025:03:22 17:51:56
No data.
All screenshots are available in the full report
Total processes
219
Monitored processes
77
Malicious processes
4
Suspicious processes
1

Process information

PID
CMD
Path
Indicators
Parent process
PID:
232
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=8100 --field-trial-handle=2576,i,8186161492340229623,11973445269881888103,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
668
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2572 --field-trial-handle=2576,i,8186161492340229623,11973445269881888103,262144 --variations-seed-version /prefetch:2
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
1072
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7844 --field-trial-handle=2576,i,8186161492340229623,11973445269881888103,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
1128
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x274,0x24c,0x26c,0x234,0x32c,0x7ffc876f5fd8,0x7ffc876f5fe4,0x7ffc876f5ff0
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
1196
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5908 --field-trial-handle=2576,i,8186161492340229623,11973445269881888103,262144 --variations-seed-version /prefetch:1
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1228
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4176 --field-trial-handle=2576,i,8186161492340229623,11973445269881888103,262144 --variations-seed-version /prefetch:2
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1568
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6568 --field-trial-handle=2576,i,8186161492340229623,11973445269881888103,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
PID:
2560
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6292 --field-trial-handle=2576,i,8186161492340229623,11973445269881888103,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
3396
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5464 --field-trial-handle=2576,i,8186161492340229623,11973445269881888103,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
3896
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2616 --field-trial-handle=2576,i,8186161492340229623,11973445269881888103,262144 --variations-seed-version /prefetch:3
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
Total events
25 451
Read events
24 149
Write events
1 238
Delete events
64

Modification events

(PID) Process: (7508) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
4800000000000000D65C5521559BDB01541D00002C1F0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7508) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value:
4800000000000000D65C5521559BDB01541D00002C1F0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7508) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value:
48000000000000008EBD9521559BDB01541D00002C1F0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7508) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value:
48000000000000008EBD9521559BDB01541D00002C1F0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7508) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value:
480000000000000094209821559BDB01541D00002C1F0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7508) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value:
4800000000000000F8E79C21559BDB01541D00002C1F0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7508) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value:
11
(PID) Process: (7508) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000BCD50522559BDB01541D0000B41F0000E8030000010000000000000000000000EE2E0D7EB5E9F041B5DE6DBFAC11880B00000000000000000000000000000000
(PID) Process: (7996) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
480000000000000001B41122559BDB013C1F0000581F0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7996) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
480000000000000001B41122559BDB013C1F0000DC1F0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
511
Suspicious files
530
Text files
127
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 7508
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
PID: 7508
Process: msiexec.exe
Filename: C:\Windows\Installer\114459.msi
MD5:
SHA256:
PID: 7356
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSICEBC.tmp
Type: executable
MD5:B77A2A2768B9CC78A71BBFFB9812B978
SHA256:F74C97B1A53541B059D3BFAFE41A79005CE5065F8210D7DE9F1B600DC4E28AA0
PID: 7508
Process: msiexec.exe
Filename: C:\Program Files (x86)\Ray\Setup\Resources\raidshadowad.mp4
MD5:
SHA256:
PID: 7508
Process: msiexec.exe
Filename: C:\Program Files (x86)\Ray\Setup\Interop.WMPLib.dll
Type: executable
MD5:4C3F091000BDFB010CD1CFA6F70A4003
SHA256:C41A9D10B75DF04FAD97618B3806FD326F9969D70ABD9E746128E533C2DBEA30
PID: 7508
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\snapshot-2
Type: binary
MD5:DE73556337F805C5B19FF8BFD95C90E0
SHA256:14B5E7DDD79121EFF95CA5AFC1CE22DA44669357BC2C36C75B083AF3C0644ECC
PID: 7508
Process: msiexec.exe
Filename: C:\Windows\Installer\MSI4B5E.tmp
Type: executable
MD5:B77A2A2768B9CC78A71BBFFB9812B978
SHA256:F74C97B1A53541B059D3BFAFE41A79005CE5065F8210D7DE9F1B600DC4E28AA0
PID: 7508
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\OnlineMetadataCache\{7e0d2eee-e9b5-41f0-b5de-6dbfac11880b}_OnDiskSnapshotProp
Type: binary
MD5:DE73556337F805C5B19FF8BFD95C90E0
SHA256:14B5E7DDD79121EFF95CA5AFC1CE22DA44669357BC2C36C75B083AF3C0644ECC
PID: 7508
Process: msiexec.exe
Filename: C:\Windows\Installer\inprogressinstallinfo.ipi
Type: binary
MD5:4176600083B93431DF8A3A28BECF6769
SHA256:5B376614732039C1E3EF4690285EEFBF62B467734DCF0732C6A03B601A6AD888
PID: 7508
Process: msiexec.exe
Filename: C:\Windows\Installer\MSI4BCC.tmp
Type: executable
MD5:B77A2A2768B9CC78A71BBFFB9812B978
SHA256:F74C97B1A53541B059D3BFAFE41A79005CE5065F8210D7DE9F1B600DC4E28AA0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
50
TCP/UDP connections
91
DNS requests
89
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.194:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
23.54.109.203:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7380
backgroundTaskHost.exe
GET
200
23.54.109.203:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
1324
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1324
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7900
msedge.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
8292
svchost.exe
HEAD
200
23.50.131.74:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/e97d85e8-2e6f-4c6c-8a9a-1d07973733be?P1=1742783918&P2=404&P3=2&P4=hpmlV8j82fcTLxqFsHfhQIxfQHFSQO2Tucd9ylpr9DDBZaBOpkm2E9c7oWv%2bSDrjdoFltj3EsYZWIxuWOs0s4w%3d%3d
unknown
whitelisted
7900
msedge.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
unknown
whitelisted
8292
svchost.exe
GET
206
23.50.131.74:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/e97d85e8-2e6f-4c6c-8a9a-1d07973733be?P1=1742783918&P2=404&P3=2&P4=hpmlV8j82fcTLxqFsHfhQIxfQHFSQO2Tucd9ylpr9DDBZaBOpkm2E9c7oWv%2bSDrjdoFltj3EsYZWIxuWOs0s4w%3d%3d
unknown
whitelisted
8292
svchost.exe
GET
206
23.50.131.74:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/e97d85e8-2e6f-4c6c-8a9a-1d07973733be?P1=1742783918&P2=404&P3=2&P4=hpmlV8j82fcTLxqFsHfhQIxfQHFSQO2Tucd9ylpr9DDBZaBOpkm2E9c7oWv%2bSDrjdoFltj3EsYZWIxuWOs0s4w%3d%3d
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
23.48.23.194:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
40.126.32.138:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
23.54.109.203:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
7380
backgroundTaskHost.exe
20.223.35.26:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7380
backgroundTaskHost.exe
23.54.109.203:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 172.217.18.14
whitelisted
crl.microsoft.com
  • 23.48.23.194
  • 23.48.23.166
  • 23.48.23.167
  • 23.48.23.180
  • 23.48.23.143
  • 23.48.23.147
  • 23.48.23.164
  • 23.53.40.178
  • 23.53.41.90
  • 23.53.40.176
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
login.live.com
  • 40.126.32.138
  • 40.126.32.74
  • 40.126.32.136
  • 40.126.32.76
  • 40.126.32.140
  • 20.190.160.132
  • 40.126.32.134
  • 20.190.160.22
whitelisted
ocsp.digicert.com
  • 23.54.109.203
whitelisted
arc.msn.com
  • 20.223.35.26
  • 20.74.47.205
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted

Threats

No threats detected
No debug info