File name:

Setup.msi

Full analysis: https://app.any.run/tasks/acec5da3-170b-4354-b07c-ef7df445c4e7
Verdict: Malicious activity
Analysis date: August 26, 2024, 23:55:24
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Create Time/Date: Mon Jun 21 07:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: Intel;1033, Number of Pages: 200, Revision Number: {80D04207-4EF4-4C4D-8015-6B46F2203321}, Title: ADVANCED SETTINGS CHANGER, Author: ADVANCED SETTINGS CHANGER, Number of Words: 2, Last Saved Time/Date: Wed Mar 13 22:38:31 2024, Last Printed: Wed Mar 13 22:38:31 2024
MD5:

F05025805E3C09C8BC77297E86C6ACF1

SHA1:

9C1ABD74246EEDCCA4893792BDEB0BC2C3214523

SHA256:

9C17BF6F767D4FB897A82B55F1D4FA11BB649E3D6AFEF22149CA0F65645A2A75

SSDEEP:

49152:5kipiRM4wSnkEB/nklnkEN6TrdlUWyrG0o6G1/1vod+WfdpdRqJJ:7iRM44Nm6GB1/+plFu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 6260)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • msiexec.exe (PID: 4996)
      • msiexec.exe (PID: 4976)
      • windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 7472)
      • windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 6260)
      • windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 7576)
    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 4996)
      • msiexec.exe (PID: 4976)
      • windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 7472)
      • windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 7576)
      • windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 6260)
    • Executes as Windows Service

      • VSSVC.exe (PID: 7116)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 4976)
    • Reads security settings of Internet Explorer

      • DbD Settings Changer.exe (PID: 6860)
      • DbD Settings Changer.exe (PID: 812)
      • windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 7576)
    • Executable content was dropped or overwritten

      • windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 7472)
      • windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 6260)
      • windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 7576)
    • Starts a Microsoft application from unusual location

      • windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 7576)
      • windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 6260)
    • Creates file in the systems drive root

      • explorer.exe (PID: 4552)
    • Reads the date of Windows installation

      • windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 7576)
    • Starts itself from another location

      • windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 7576)
    • Searches for installed software

      • windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 6260)
      • windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 7576)
    • Checks Windows Trust Settings

      • msiexec.exe (PID: 4976)
    • The process creates files with name similar to system file names

      • msiexec.exe (PID: 4976)
    • Creates a software uninstall entry

      • windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 6260)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 4976)
  • INFO

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 4996)
      • msiexec.exe (PID: 4976)
      • msedge.exe (PID: 6936)
    • Create files in a temporary directory

      • msiexec.exe (PID: 4440)
      • msiexec.exe (PID: 1020)
      • windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 7472)
      • windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 7576)
      • windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 6260)
    • Reads the computer name

      • msiexec.exe (PID: 4976)
      • msiexec.exe (PID: 4440)
      • msiexec.exe (PID: 1020)
      • DbD Settings Changer.exe (PID: 812)
      • identity_helper.exe (PID: 8076)
      • DbD Settings Changer.exe (PID: 6860)
      • windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 6260)
      • windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 7576)
      • msiexec.exe (PID: 7392)
      • msiexec.exe (PID: 7916)
      • msiexec.exe (PID: 7248)
      • DbD Settings Changer.exe (PID: 7368)
      • msiexec.exe (PID: 6860)
      • DbD Settings Changer.exe (PID: 884)
    • Checks supported languages

      • msiexec.exe (PID: 4440)
      • msiexec.exe (PID: 4976)
      • msiexec.exe (PID: 1020)
      • DbD Settings Changer.exe (PID: 812)
      • DbD Settings Changer.exe (PID: 6860)
      • identity_helper.exe (PID: 8076)
      • windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 7472)
      • windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 7576)
      • windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 6260)
      • msiexec.exe (PID: 7392)
      • msiexec.exe (PID: 7916)
      • msiexec.exe (PID: 7248)
      • msiexec.exe (PID: 6860)
      • DbD Settings Changer.exe (PID: 884)
      • DbD Settings Changer.exe (PID: 7368)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 4552)
    • Creates files or folders in the user directory

      • explorer.exe (PID: 4552)
      • DbD Settings Changer.exe (PID: 884)
    • Reads Microsoft Office registry keys

      • explorer.exe (PID: 4552)
      • msedge.exe (PID: 6936)
      • DbD Settings Changer.exe (PID: 6860)
      • DbD Settings Changer.exe (PID: 812)
    • Manual execution by a user

      • DbD Settings Changer.exe (PID: 6860)
      • DbD Settings Changer.exe (PID: 812)
    • Reads Environment values

      • identity_helper.exe (PID: 8076)
    • Checks proxy server information

      • explorer.exe (PID: 4552)
    • Reads the software policy settings

      • explorer.exe (PID: 4552)
      • msiexec.exe (PID: 4976)
    • Process checks computer location settings

      • windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 7576)
    • Application launched itself

      • msedge.exe (PID: 6936)
    • Creates files in the program directory

      • windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 6260)
      • DbD Settings Changer.exe (PID: 884)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 4976)
      • windowsdesktop-runtime-6.0.33-win-x64.exe (PID: 6260)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 4976)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (90.2)
.msp | Windows Installer Patch (8.4)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CreateDate: 1999:06:21 07:00:00
Software: Windows Installer
Security: Password protected
CodePage: Windows Latin 1 (Western European)
Template: Intel;1033
Pages: 200
RevisionNumber: {80D04207-4EF4-4C4D-8015-6B46F2203321}
Title: ADVANCED SETTINGS CHANGER
Subject: -
Author: ADVANCED SETTINGS CHANGER
Keywords: -
Comments: -
Words: 2
ModifyDate: 2024:03:13 22:38:31
LastPrinted: 2024:03:13 22:38:31
No data.
All screenshots are available in the full report
Total processes: 213
Monitored processes: 78
Malicious processes: 5
Suspicious processes: 0


Process information

PID
CMD
Path
Indicators
Parent process
PID: 420
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7024 --field-trial-handle=2484,i,9801376674961859847,13452011328594701531,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 812
CMD: "C:\Program Files (x86)\ADVANCED SETTINGS CHANGER\ADVANCED SETTINGS CHANGER\DbD Settings Changer.exe"
Path: C:\Program Files (x86)\ADVANCED SETTINGS CHANGER\ADVANCED SETTINGS CHANGER\DbD Settings Changer.exe
Parent process: explorer.exe
User:
admin
Company:
𝘁𝗲𝗻𝘀𝗵𝗶
Integrity Level:
MEDIUM
Description:
DbD Settings Changer
Exit code:
2147516547
Version:
4.4.2
Modules
Images
c:\program files (x86)\advanced settings changer\advanced settings changer\dbd settings changer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 884
CMD: "C:\Program Files (x86)\ADVANCED SETTINGS CHANGER\ADVANCED SETTINGS CHANGER\DbD Settings Changer.exe"
Path: C:\Program Files (x86)\ADVANCED SETTINGS CHANGER\ADVANCED SETTINGS CHANGER\DbD Settings Changer.exe
Parent process: explorer.exe
User:
admin
Company:
𝘁𝗲𝗻𝘀𝗵𝗶
Integrity Level:
MEDIUM
Description:
DbD Settings Changer
Exit code:
0
Version:
4.4.2
Modules
Images
c:\program files (x86)\advanced settings changer\advanced settings changer\dbd settings changer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1020
CMD: C:\Windows\syswow64\MsiExec.exe -Embedding F8BC8571C3A04869D3D7AD998F2A329D
Path: C:\Windows\SysWOW64\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 1084
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x31c,0x320,0x324,0x314,0x32c,0x7fffd2425fd8,0x7fffd2425fe4,0x7fffd2425ff0
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 1108
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2628 --field-trial-handle=2484,i,9801376674961859847,13452011328594701531,262144 --variations-seed-version /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 2068
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7304 --field-trial-handle=2484,i,9801376674961859847,13452011328594701531,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 2368
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SrTasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2612
CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11
Path: C:\Windows\System32\SrTasks.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 2796
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3572 --field-trial-handle=2484,i,9801376674961859847,13452011328594701531,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 52 269
Read events: 50 761
Write events: 1 418
Delete events: 90

Modification events

(PID) Process: (4552) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E01E4
Operation: write
Name: VirtualDesktop
Value:
1000000030304456033BCEE44DE41B4E8AEC331E84F566D2

(PID) Process: (4552) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0302
Operation: write
Name: VirtualDesktop
Value:
1000000030304456033BCEE44DE41B4E8AEC331E84F566D2

(PID) Process: (4552) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000060202
Operation: write
Name: VirtualDesktop
Value:
1000000030304456033BCEE44DE41B4E8AEC331E84F566D2

(PID) Process: (4552) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0302
Operation: delete key
Name: (default)
Value:

(PID) Process: (4552) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000D0302
Operation: write
Name: VirtualDesktop
Value:
1000000030304456033BCEE44DE41B4E8AEC331E84F566D2

(PID) Process: (4552) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000060202
Operation: delete key
Name: (default)
Value:

(PID) Process: (4552) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000D0302
Operation: delete key
Name: (default)
Value:

(PID) Process: (4552) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000E0302
Operation: write
Name: VirtualDesktop
Value:
1000000030304456033BCEE44DE41B4E8AEC331E84F566D2

(PID) Process: (4976) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
4800000000000000EF27697313F8DA017013000078060000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (4976) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value:
4800000000000000EF27697313F8DA017013000078060000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 541
Suspicious files: 386
Text files: 155
Unknown types: 2

Dropped files

PID
Process
Filename
Type
PID: 4976
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\metadata-2
MD5:
SHA256:

PID: 4552
Process: explorer.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
Type: binary
MD5: E49C56350AEDF784BFE00E444B879672
SHA256: A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E

PID: 4996
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIA36C.tmp
Type: executable
MD5: B77A2A2768B9CC78A71BBFFB9812B978
SHA256: F74C97B1A53541B059D3BFAFE41A79005CE5065F8210D7DE9F1B600DC4E28AA0

PID: 4976
Process: msiexec.exe
Filename: C:\Program Files (x86)\ADVANCED SETTINGS CHANGER\ADVANCED SETTINGS CHANGER\DbD Settings Changer.deps.json
Type: binary
MD5: 77A6FBB4BC2417E3EDFA6AF16EA09C26
SHA256: 5E2AFA07EA604D8881B443E5F8614E9E10DC77830EC3A3A57BC208F4A6A71E74

PID: 4976
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\OnlineMetadataCache\{2fca0271-ddee-4f04-9f4b-d909a991bb12}_OnDiskSnapshotProp
Type: binary
MD5: CFB0701E7E03012534A5876857646032
SHA256: 9B9058BAF80CB4B636AD2DEA739630905703C0D889024AEAA1C4BA364E26CC2D

PID: 1020
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\CFG51.tmp
Type: xml
MD5: 68675E0D405C8C76102802FA624EB895
SHA256: B839CDD1C3F55651CD4D0E54A679BCE5AC60ED7618A7B74BFC8EF8CA311E53ED

PID: 4976
Process: msiexec.exe
Filename: C:\Program Files (x86)\ADVANCED SETTINGS CHANGER\ADVANCED SETTINGS CHANGER\icon.ico
Type: image
MD5: 7DC44E8D24EFCCB127BE4794D8DA287F
SHA256: 4718D9BD01F3451C90BC886305BF28A601C6C7D6EA57820AE3EA9275A36DE859

PID: 4976
Process: msiexec.exe
Filename: C:\Windows\Installer\12fd73.msi
Type: executable
MD5: F05025805E3C09C8BC77297E86C6ACF1
SHA256: 9C17BF6F767D4FB897A82B55F1D4FA11BB649E3D6AFEF22149CA0F65645A2A75

PID: 4996
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIA448.tmp
Type: executable
MD5: B77A2A2768B9CC78A71BBFFB9812B978
SHA256: F74C97B1A53541B059D3BFAFE41A79005CE5065F8210D7DE9F1B600DC4E28AA0

PID: 4976
Process: msiexec.exe
Filename: C:\Windows\Installer\MSIFFF3.tmp
Type: executable
MD5: B77A2A2768B9CC78A71BBFFB9812B978
SHA256: F74C97B1A53541B059D3BFAFE41A79005CE5065F8210D7DE9F1B600DC4E28AA0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 30
TCP/UDP connections: 89
DNS requests: 108
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1060
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
876
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
876
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6320
svchost.exe
HEAD
200
146.75.122.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/8f2381c2-652d-48a2-86f6-19cb7757f5dc?P1=1725197895&P2=404&P3=2&P4=RbUVTJ6BZSOZH3%2frz%2bFx%2fhNBueyI5cfQuTfiPye%2becbN9az4AOGfnI0tNLQz1bvOSq1thqh8DzaI29qI45SM4Q%3d%3d
unknown
whitelisted
6320
svchost.exe
GET
206
146.75.122.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/8f2381c2-652d-48a2-86f6-19cb7757f5dc?P1=1725197895&P2=404&P3=2&P4=RbUVTJ6BZSOZH3%2frz%2bFx%2fhNBueyI5cfQuTfiPye%2becbN9az4AOGfnI0tNLQz1bvOSq1thqh8DzaI29qI45SM4Q%3d%3d
unknown
whitelisted
6320
svchost.exe
GET
206
146.75.122.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/8f2381c2-652d-48a2-86f6-19cb7757f5dc?P1=1725197895&P2=404&P3=2&P4=RbUVTJ6BZSOZH3%2frz%2bFx%2fhNBueyI5cfQuTfiPye%2becbN9az4AOGfnI0tNLQz1bvOSq1thqh8DzaI29qI45SM4Q%3d%3d
unknown
whitelisted
6320
svchost.exe
HEAD
200
146.75.122.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/087c052d-2d1c-4c24-9226-26ea74392e49?P1=1725262757&P2=404&P3=2&P4=QIH3CCW%2fVtgbQu2E%2fsk2g3CAtPf%2fHOsl2bnN5RLClBk2ECSKIwnaeEVQ1J5Vmm8JzO96dqE47RUW6CC03WGyJA%3d%3d
unknown
whitelisted
6320
svchost.exe
GET
206
146.75.122.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/087c052d-2d1c-4c24-9226-26ea74392e49?P1=1725262757&P2=404&P3=2&P4=QIH3CCW%2fVtgbQu2E%2fsk2g3CAtPf%2fHOsl2bnN5RLClBk2ECSKIwnaeEVQ1J5Vmm8JzO96dqE47RUW6CC03WGyJA%3d%3d
unknown
whitelisted
6320
svchost.exe
GET
206
146.75.122.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/8f2381c2-652d-48a2-86f6-19cb7757f5dc?P1=1725197895&P2=404&P3=2&P4=RbUVTJ6BZSOZH3%2frz%2bFx%2fhNBueyI5cfQuTfiPye%2becbN9az4AOGfnI0tNLQz1bvOSq1thqh8DzaI29qI45SM4Q%3d%3d
unknown
whitelisted
6320
svchost.exe
GET
206
146.75.122.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/087c052d-2d1c-4c24-9226-26ea74392e49?P1=1725262757&P2=404&P3=2&P4=QIH3CCW%2fVtgbQu2E%2fsk2g3CAtPf%2fHOsl2bnN5RLClBk2ECSKIwnaeEVQ1J5Vmm8JzO96dqE47RUW6CC03WGyJA%3d%3d
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
7072
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6056
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3260
svchost.exe
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1060
svchost.exe
20.190.159.64:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1060
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
6416
svchost.exe
184.30.17.189:443
go.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:137
whitelisted
876
SIHClient.exe
40.127.169.103:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.78
whitelisted
client.wns.windows.com
  • 40.113.103.199
  • 40.113.110.67
whitelisted
login.live.com
  • 20.190.159.64
  • 20.190.159.71
  • 20.190.159.73
  • 40.126.31.67
  • 40.126.31.69
  • 20.190.159.23
  • 40.126.31.71
  • 20.190.159.0
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 184.30.17.189
whitelisted
slscr.update.microsoft.com
  • 40.127.169.103
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted

Threats

No threats detected
Process
Message
DbD Settings Changer.exe
You must install .NET to run this application. App: C:\Program Files (x86)\ADVANCED SETTINGS CHANGER\ADVANCED SETTINGS CHANGER\DbD Settings Changer.exe Architecture: x64 App host version: 6.0.28 .NET location: Not found Learn about runtime installation: https://aka.ms/dotnet/app-launch-failed Download the .NET runtime: https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win10-x64&apphost_version=6.0.28
DbD Settings Changer.exe
You must install .NET to run this application. App: C:\Program Files (x86)\ADVANCED SETTINGS CHANGER\ADVANCED SETTINGS CHANGER\DbD Settings Changer.exe Architecture: x64 App host version: 6.0.28 .NET location: Not found Learn about runtime installation: https://aka.ms/dotnet/app-launch-failed Download the .NET runtime: https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win10-x64&apphost_version=6.0.28
DbD Settings Changer.exe
Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 884. Message ID: [0x2509].
DbD Settings Changer.exe
Profiler was prevented from loading notification profiler due to app settings. Process ID (decimal): 7368. Message ID: [0x2509].