File name:	VynxLauncher_1.0.0_x64_en-US.msi
Full analysis:	https://app.any.run/tasks/ea877518-14dd-4147-8193-3f186c5f0d22
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	December 20, 2025, 20:52:13
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	generated-doc loader auto-reg
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Vynx Launcher, Author: VynxLauncher, Keywords: Installer, Comments: This installer database contains the logic and data required to install Vynx Launcher., Template: x64;0, Revision Number: {30E98CB8-DAE7-4C89-8790-BA015302A8EF}, Create Time/Date: Sat Dec 20 19:02:06 2025, Last Saved Time/Date: Sat Dec 20 19:02:06 2025, Number of Pages: 450, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
MD5:	94282C58BD48AFB63A56BB2E0DB226CA
SHA1:	E7586E281C457B2D3F5F49E4ACBC6EF42296C90A
SHA256:	97153100819DA63021233AED652D78E52366CC58053725BC251DEE741AAD5BD8
SSDEEP:	98304:NzrZY+o7BZJGSiALDQJD5PBnlH0Xsqa96ksRUK52oMiM1klh29hhaei/iWdKwxCX:GB1VUUXa5

.msi	\|	Microsoft Windows Installer (98.5)
.msi	\|	Microsoft Installer (100)

CodePage:	Windows Latin 1 (Western European)
Title:	Installation Database
Subject:	Vynx Launcher
Author:	VynxLauncher
Keywords:	Installer
Comments:	This installer database contains the logic and data required to install Vynx Launcher.
Template:	x64;0
RevisionNumber:	{30E98CB8-DAE7-4C89-8790-BA015302A8EF}
CreateDate:	2025:12:20 19:02:06
ModifyDate:	2025:12:20 19:02:06
Pages:	450
Words:	2
Software:	Windows Installer XML Toolset (3.14.1.8722)
Security:	Read-only recommended


(PID) Process:	(7880) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 4800000000000000915B09CBF271DC01C81E0000C00D0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(7880) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Enter)
Value: 4800000000000000915B09CBF271DC01C81E0000C00D0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(7880) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:	write	Name:	LastIndex
Value: 15
(PID) Process:	(7880) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGatherWriterMetadata (Enter)
Value: 480000000000000088DF8ECBF271DC01C81E0000C00D0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(7880) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation:	write	Name:	IDENTIFY (Enter)
Value: 48000000000000004D4191CBF271DC01C81E0000C8110000E8030000010000000000000000000000AD22CEE967D8E94CAB1F6B02E115498B00000000000000000000000000000000
(PID) Process:	(3368) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4800000000000000B5F1A1CBF271DC01280D000040180000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(3368) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4800000000000000B5F1A1CBF271DC01280D0000A8170000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(3368) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4800000000000000B5F1A1CBF271DC01280D000074100000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(3368) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4800000000000000B5F1A1CBF271DC01280D00002C1C0000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(7880) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Leave)
Value: 480000000000000089F463CBF271DC01C81E0000C00D0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000

PID	Process	Filename		Type
7880	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
7880	msiexec.exe	C:\Windows\Installer\11b4c6.msi		—
		MD5:—	SHA256:—
7880	msiexec.exe	C:\Windows\Installer\11b4c8.msi		—
		MD5:—	SHA256:—
7880	msiexec.exe	C:\System Volume Information\SPP\OnlineMetadataCache\{e9ce22ad-d867-4ce9-ab1f-6b02e115498b}_OnDiskSnapshotProp		binary
		MD5:B9D3FBAB8B789058D37857FFA963B09D	SHA256:C877C63C8D4BC7B5CE937FB807C0B6BE6577EA965C515086B782601AAC04D681
7880	msiexec.exe	C:\Windows\Installer\inprogressinstallinfo.ipi		binary
		MD5:C044D04C69BF3208602AE3A2246E6545	SHA256:46F315002C0E31D2B3E4E7488D7B62F1675B40F75043EBE9015D046B32ADBC03
7880	msiexec.exe	C:\Windows\Temp\~DF0631FB8D90D47C1A.TMP		binary
		MD5:19A2854144B63A8F7617A6F225019B12	SHA256:7523C62ABDB7628C5A9DAD8F97D8D8C5C040EDE36535E531A8A3748B6CAE7E00
7880	msiexec.exe	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Vynx Launcher\~Vynx Launcher.tmp		binary
		MD5:C6894FDB76C05C3376EFA524C82F3993	SHA256:89F6FBC273C678E80827C1D3DD7052325A945227548C922FB71C7BFB69C2B6C8
7880	msiexec.exe	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Vynx Launcher\ Vynx Launcher.lnk		binary
		MD5:EDB991B6B2F8697FA6418F69CABD83EC	SHA256:B141C3952E919548D59FA00F07A4B15C6E4554962B0C18DDA1F62B7AB4892E69
7596	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1wyqr0jl.2bw.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7596	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qlvglhc1.uk0.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7596	powershell.exe	GET	301	88.221.169.205:443	https://go.microsoft.com/fwlink/p/?LinkId=2124703	US	—	—	whitelisted
—	—	GET	200	23.59.18.102:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
144	svchost.exe	GET	200	23.216.77.22:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
6768	MoUsoCoreWorker.exe	GET	200	23.216.77.22:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
144	svchost.exe	GET	200	23.59.18.102:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
6768	MoUsoCoreWorker.exe	GET	200	23.59.18.102:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
—	—	GET	301	23.59.18.102:443	https://go.microsoft.com/fwlink/p/?LinkId=2124703	US	—	—	unknown
—	—	GET	200	199.232.210.172:443	https://msedge.sf.dl.delivery.mp.microsoft.com/filestreamingservice/files/0c61cd84-5aba-452f-a4da-0b3680446041/MicrosoftEdgeWebview2Setup.exe	US	executable	1.60 Mb	unknown
7596	powershell.exe	GET	200	199.232.210.172:443	https://msedge.sf.dl.delivery.mp.microsoft.com/filestreamingservice/files/0c61cd84-5aba-452f-a4da-0b3680446041/MicrosoftEdgeWebview2Setup.exe	US	executable	128 Kb	whitelisted
—	—	GET	200	150.171.22.17:443	https://config.edge.skype.com/config/v1/EdgeUpdate/1.3.213.7?clientId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&appChannel_edgeupdate=6&appConsentState_edgeupdate=0&appDayOfInstall_edgeupdate=0&appInactivityBadgeApplied_edgeupdate=0&appInactivityBadgeCleared_edgeupdate=0&appInactivityBadgeDuration_edgeupdate=0&appInstallTimeDiffSec_edgeupdate=0&appIsPinnedSystem_edgeupdate=false&appLastLaunchCount_edgeupdate=0&appLastLaunchTime_edgeupdate=0&appLastLaunchTimeJson_edgeupdate=0&appLastLaunchTimeDaysAgo_edgeupdate=0&appVersion_edgeupdate=1.3.213.7&appUpdateCheckIsUpdateDisabled_edgeupdate=false&appUpdatesAllowedForMeteredNetworks_edgeupdate=false&hwDiskType=2&hwHasSsse3=true&hwLogicalCpus=6&hwPhysmemory=6&isCTADevice=false&isMsftDomainJoined=false&oemProductManufacturer=DELL&oemProductName=DELL&osArch=x64&osIsDefaultNetworkConnectionMetered=false&osIsInLockdownMode=false&osIsWIP=false&osPlatform=win&osProductType=48&osVersion=10.0.19045.4046&requestCheckPeriodSec=-1&requestDomainJoined=false&requestInstallSource=otherinstallcmd&requestIsMachine=false&requestOmahaShellVersion=1.3.213.7&requestOmahaVersion=1.3.213.7	US	text	306 b	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
144	svchost.exe	23.216.77.22:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
6768	MoUsoCoreWorker.exe	23.216.77.22:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
—	—	23.59.18.102:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
144	svchost.exe	23.59.18.102:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
6768	MoUsoCoreWorker.exe	23.59.18.102:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
6712	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
144	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158	whitelisted
google.com	142.251.208.14	whitelisted
crl.microsoft.com	23.216.77.22 23.216.77.42 23.216.77.30 23.216.77.36	whitelisted
www.microsoft.com	23.59.18.102	whitelisted
self.events.data.microsoft.com	20.42.65.89	whitelisted
activation-v2.sls.microsoft.com	48.192.1.64	whitelisted
go.microsoft.com	88.221.169.205	whitelisted
msedge.sf.dl.delivery.mp.microsoft.com	199.232.210.172 199.232.214.172	whitelisted
config.edge.skype.com	150.171.22.17	whitelisted
msedge.api.cdp.microsoft.com	74.179.71.159	whitelisted

PID	Process	Class	Message
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Misc activity	ET INFO Request for EXE via Powershell
—	—	Misc activity	ET INFO Packed Executable Download
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Misc activity	ET INFO Request for EXE via Powershell
—	—	Misc activity	ET INFO Packed Executable Download
6000	svchost.exe	Misc activity	ET INFO Packed Executable Download

General Info

VynxLauncher_1.0.0_x64_en-US.msi

94282C58BD48AFB63A56BB2E0DB226CA

E7586E281C457B2D3F5F49E4ACBC6EF42296C90A

97153100819DA63021233AED652D78E52366CC58053725BC251DEE741AAD5BD8

98304:NzrZY+o7BZJGSiALDQJD5PBnlH0Xsqa96ksRUK52oMiM1klh29hhaei/iWdKwxCX:GB1VUUXa5

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Run PowerShell with an invisible window

Changes the autorun value in the registry

SUSPICIOUS

Executes as Windows Service

Manipulates environment variables

The process bypasses the loading of PowerShell profile settings

Executable content was dropped or overwritten

Process drops legitimate windows executable

Downloads file from URI via Powershell

Starts process via Powershell

Starts POWERSHELL.EXE for commands execution

Gets or sets the security protocol (POWERSHELL)

Starts a Microsoft application from unusual location

Starts itself from another location

Creates/Modifies COM task schedule object

Reads security settings of Internet Explorer

INFO

An automatically generated document

Reads the computer name

Checks supported languages

Executable content was dropped or overwritten

Checks proxy server information

Manages system restore points

Create files in a temporary directory

The sample compiled with english language support

Disables trace logs

The executable file from the user directory is run by the Powershell process

Launching a file from a Registry key

Creates files or folders in the user directory

Reads Environment values

Process checks computer location settings

Reads the machine GUID from the registry

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity