File name:

Setup.msi

Full analysis: https://app.any.run/tasks/d9635762-0f44-458e-a745-ac9216caefcb
Verdict: Malicious activity
Analysis date: March 22, 2025, 18:06:03
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
autorun-download
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Create Time/Date: Mon Jun 21 07:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: Intel;1033, Number of Pages: 200, Revision Number: {74E8E8F7-5DB0-4955-B0A6-269C5D01C516}, Title: Setup, Author: Ray, Number of Words: 2, Last Saved Time/Date: Sat Mar 22 17:51:56 2025, Last Printed: Sat Mar 22 17:51:56 2025
MD5:

2BA2BC7CFBD50568E446F860CD259E86

SHA1:

479674863BDD7DDD4E0E35F7BE54040BF59D4FBC

SHA256:

94052E930F654ADB8E9D7433F4DC4312CC56A1765032BE971840CAFC88BFE51B

SSDEEP:

98304:ViRM4JcABfWo4CdasrOkcSCoEPS8BVR/q2zRJYpagpmcP4dBC+eDQ3d6YaTplfo0:WFyt07B8KLT7+W

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8788)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • msiexec.exe (PID: 7356)
      • msiexec.exe (PID: 7508)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8680)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8704)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8788)
    • Executes as Windows Service

      • VSSVC.exe (PID: 7996)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 7508)
    • Reads security settings of Internet Explorer

      • The Amazing Stick Figure Game.exe (PID: 7672)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8704)
      • The Amazing Stick Figure Game.exe (PID: 8328)
    • Executable content was dropped or overwritten

      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8680)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8704)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8788)
    • Starts a Microsoft application from unusual location

      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8704)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8788)
    • Searches for installed software

      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8704)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8788)
    • Starts itself from another location

      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8704)
    • Creates a software uninstall entry

      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8788)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 7508)
    • The process creates files with name similar to system file names

      • msiexec.exe (PID: 7508)
    • SQL CE related mutex has been found

      • The Amazing Stick Figure Game.exe (PID: 8328)
  • INFO

    • Checks supported languages

      • msiexec.exe (PID: 7508)
      • msiexec.exe (PID: 7548)
      • msiexec.exe (PID: 7308)
      • The Amazing Stick Figure Game.exe (PID: 7672)
      • identity_helper.exe (PID: 1568)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8680)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8704)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8788)
      • msiexec.exe (PID: 8876)
      • msiexec.exe (PID: 7364)
      • msiexec.exe (PID: 9208)
      • The Amazing Stick Figure Game.exe (PID: 8328)
      • msiexec.exe (PID: 9136)
    • Reads the computer name

      • msiexec.exe (PID: 7508)
      • msiexec.exe (PID: 7548)
      • msiexec.exe (PID: 7308)
      • The Amazing Stick Figure Game.exe (PID: 7672)
      • identity_helper.exe (PID: 1568)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8704)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8788)
      • msiexec.exe (PID: 8876)
      • msiexec.exe (PID: 9136)
      • msiexec.exe (PID: 9208)
      • msiexec.exe (PID: 7364)
      • The Amazing Stick Figure Game.exe (PID: 8328)
    • The sample compiled with english language support

      • msiexec.exe (PID: 7356)
      • msiexec.exe (PID: 7508)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8680)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8704)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8788)
      • msedge.exe (PID: 6416)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 7356)
      • msiexec.exe (PID: 7508)
      • msedge.exe (PID: 7900)
      • msedge.exe (PID: 6416)
    • Manages system restore points

      • SrTasks.exe (PID: 5072)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 7508)
      • The Amazing Stick Figure Game.exe (PID: 8328)
    • Manual execution by a user

      • The Amazing Stick Figure Game.exe (PID: 7672)
      • The Amazing Stick Figure Game.exe (PID: 8328)
    • Autorun file from Downloads

      • msedge.exe (PID: 8400)
    • Application launched itself

      • msedge.exe (PID: 7900)
    • Reads Environment values

      • identity_helper.exe (PID: 1568)
      • The Amazing Stick Figure Game.exe (PID: 8328)
    • Create files in a temporary directory

      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8680)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8704)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8788)
    • Process checks computer location settings

      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8704)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 7508)
      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8788)
      • The Amazing Stick Figure Game.exe (PID: 8328)
    • Creates files in the program directory

      • windowsdesktop-runtime-8.0.14-win-x64.exe (PID: 8788)
      • The Amazing Stick Figure Game.exe (PID: 8328)
    • Reads the software policy settings

      • msiexec.exe (PID: 7508)
      • slui.exe (PID: 8352)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 7508)
    • Checks proxy server information

      • The Amazing Stick Figure Game.exe (PID: 8328)
      • slui.exe (PID: 8352)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (90.2)
.msp | Windows Installer Patch (8.4)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CreateDate: 1999:06:21 07:00:00
Software: Windows Installer
Security: Password protected
CodePage: Windows Latin 1 (Western European)
Template: Intel;1033
Pages: 200
RevisionNumber: {74E8E8F7-5DB0-4955-B0A6-269C5D01C516}
Title: Setup
Subject: -
Author: Ray
Keywords: -
Comments: -
Words: 2
ModifyDate: 2025:03:22 17:51:56
LastPrinted: 2025:03:22 17:51:56
No data.
All screenshots are available in the full report
Total processes
219
Monitored processes
77
Malicious processes
4
Suspicious processes
1

Behavior graph

start msiexec.exe msiexec.exe msiexec.exe no specs vssvc.exe no specs srtasks.exe no specs conhost.exe no specs msiexec.exe no specs the amazing stick figure game.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs slui.exe msedge.exe no specs msedge.exe no specs windowsdesktop-runtime-8.0.14-win-x64.exe windowsdesktop-runtime-8.0.14-win-x64.exe windowsdesktop-runtime-8.0.14-win-x64.exe msiexec.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs the amazing stick figure game.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
232
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=8100 --field-trial-handle=2576,i,8186161492340229623,11973445269881888103,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
668
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2572 --field-trial-handle=2576,i,8186161492340229623,11973445269881888103,262144 --variations-seed-version /prefetch:2
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
1072
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7844 --field-trial-handle=2576,i,8186161492340229623,11973445269881888103,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
1128
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x274,0x24c,0x26c,0x234,0x32c,0x7ffc876f5fd8,0x7ffc876f5fe4,0x7ffc876f5ff0
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
1196
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5908 --field-trial-handle=2576,i,8186161492340229623,11973445269881888103,262144 --variations-seed-version /prefetch:1
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1228
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4176 --field-trial-handle=2576,i,8186161492340229623,11973445269881888103,262144 --variations-seed-version /prefetch:2
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1568
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6568 --field-trial-handle=2576,i,8186161492340229623,11973445269881888103,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
PID:
2560
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6292 --field-trial-handle=2576,i,8186161492340229623,11973445269881888103,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
3396
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5464 --field-trial-handle=2576,i,8186161492340229623,11973445269881888103,262144 --variations-seed-version /prefetch:8
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
3896
CMD:
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2616 --field-trial-handle=2576,i,8186161492340229623,11973445269881888103,262144 --variations-seed-version /prefetch:3
Path:
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process:
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
Total events
25 451
Read events
24 149
Write events
1 238
Delete events
64

Modification events

(PID) Process: (7508) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
4800000000000000D65C5521559BDB01541D00002C1F0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7508) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value:
4800000000000000D65C5521559BDB01541D00002C1F0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7508) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value:
48000000000000008EBD9521559BDB01541D00002C1F0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7508) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value:
48000000000000008EBD9521559BDB01541D00002C1F0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7508) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value:
480000000000000094209821559BDB01541D00002C1F0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7508) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value:
4800000000000000F8E79C21559BDB01541D00002C1F0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7508) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value:
11
(PID) Process: (7508) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000BCD50522559BDB01541D0000B41F0000E8030000010000000000000000000000EE2E0D7EB5E9F041B5DE6DBFAC11880B00000000000000000000000000000000
(PID) Process: (7996) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
480000000000000001B41122559BDB013C1F0000581F0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (7996) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
480000000000000001B41122559BDB013C1F0000DC1F0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
511
Suspicious files
530
Text files
127
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 7508
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\metadata-2
Type:
MD5:
SHA256:
PID: 7508
Process: msiexec.exe
Filename: C:\Windows\Installer\114459.msi
Type:
MD5:
SHA256:
PID: 7508
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\snapshot-2
Type: binary
MD5:DE73556337F805C5B19FF8BFD95C90E0
SHA256:14B5E7DDD79121EFF95CA5AFC1CE22DA44669357BC2C36C75B083AF3C0644ECC
PID: 7508
Process: msiexec.exe
Filename: C:\Program Files (x86)\Ray\Setup\Resources\raidshadowad.mp4
Type:
MD5:
SHA256:
PID: 7508
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\OnlineMetadataCache\{7e0d2eee-e9b5-41f0-b5de-6dbfac11880b}_OnDiskSnapshotProp
Type: binary
MD5:DE73556337F805C5B19FF8BFD95C90E0
SHA256:14B5E7DDD79121EFF95CA5AFC1CE22DA44669357BC2C36C75B083AF3C0644ECC
PID: 7508
Process: msiexec.exe
Filename: C:\Program Files (x86)\Ray\Setup\GameWin.deps.json
Type: binary
MD5:D204BD67363935F98F9C2064A65B980A
SHA256:FF07D133E4325DAEFEE611B0B6266D8C41203CE4822F5D29556E81BCEBBDEF28
PID: 7356
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSICF68.tmp
Type: executable
MD5:B77A2A2768B9CC78A71BBFFB9812B978
SHA256:F74C97B1A53541B059D3BFAFE41A79005CE5065F8210D7DE9F1B600DC4E28AA0
PID: 7508
Process: msiexec.exe
Filename: C:\Program Files (x86)\Ray\Setup\The Amazing Stick Figure Game.deps.json
Type: binary
MD5:58C87219EC5F6F4AB0D327906678B442
SHA256:AFEDC3E397E8F85C0DF5907BAF259A86523A5C603DADA8417DDB27F25D9907A5
PID: 7508
Process: msiexec.exe
Filename: C:\Program Files (x86)\Ray\Setup\Resources\main_char.png
Type: image
MD5:DF29D82CBF74F7236785F736B80B5ED0
SHA256:F8E64A938FCD5E675847EAC13ACF3CDB53246F0528DDC6CBBBA059BFCAF8E325
PID: 7508
Process: msiexec.exe
Filename: C:\Windows\Installer\MSI4CA8.tmp
Type: binary
MD5:687115273C71A502761D8D71E0A2C15D
SHA256:97070BDBC0D85A331F3B69144DE8FD4FC6F3259588ACAFB4B09CD0DB912D29E2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
50
TCP/UDP connections
91
DNS requests
89
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6544
svchost.exe
GET
200
23.54.109.203:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7380
backgroundTaskHost.exe
GET
200
23.54.109.203:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
GET
200
23.48.23.194:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1324
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1324
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
8292
svchost.exe
HEAD
200
23.50.131.74:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/e97d85e8-2e6f-4c6c-8a9a-1d07973733be?P1=1742783918&P2=404&P3=2&P4=hpmlV8j82fcTLxqFsHfhQIxfQHFSQO2Tucd9ylpr9DDBZaBOpkm2E9c7oWv%2bSDrjdoFltj3EsYZWIxuWOs0s4w%3d%3d
unknown
whitelisted
7900
msedge.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7900
msedge.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
unknown
whitelisted
8292
svchost.exe
GET
206
23.50.131.74:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/e97d85e8-2e6f-4c6c-8a9a-1d07973733be?P1=1742783918&P2=404&P3=2&P4=hpmlV8j82fcTLxqFsHfhQIxfQHFSQO2Tucd9ylpr9DDBZaBOpkm2E9c7oWv%2bSDrjdoFltj3EsYZWIxuWOs0s4w%3d%3d
unknown
whitelisted
8292
svchost.exe
GET
206
23.50.131.74:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/e97d85e8-2e6f-4c6c-8a9a-1d07973733be?P1=1742783918&P2=404&P3=2&P4=hpmlV8j82fcTLxqFsHfhQIxfQHFSQO2Tucd9ylpr9DDBZaBOpkm2E9c7oWv%2bSDrjdoFltj3EsYZWIxuWOs0s4w%3d%3d
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
23.48.23.194:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
40.126.32.138:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
23.54.109.203:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
7380
backgroundTaskHost.exe
20.223.35.26:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7380
backgroundTaskHost.exe
23.54.109.203:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 172.217.18.14
whitelisted
crl.microsoft.com
  • 23.48.23.194
  • 23.48.23.166
  • 23.48.23.167
  • 23.48.23.180
  • 23.48.23.143
  • 23.48.23.147
  • 23.48.23.164
  • 23.53.40.178
  • 23.53.41.90
  • 23.53.40.176
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
login.live.com
  • 40.126.32.138
  • 40.126.32.74
  • 40.126.32.136
  • 40.126.32.76
  • 40.126.32.140
  • 20.190.160.132
  • 40.126.32.134
  • 20.190.160.22
whitelisted
ocsp.digicert.com
  • 23.54.109.203
whitelisted
arc.msn.com
  • 20.223.35.26
  • 20.74.47.205
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted

Threats

No threats detected
No debug info