File name:

Visor Local Windows Installer.msi

Full analysis: https://app.any.run/tasks/019ecb41-71ee-4634-920f-f63c855ca24c
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 14, 2025, 21:23:41
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
loader
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: eva-pacs-offline, Author: com.evacenter.viewer, Keywords: Installer, Comments: This installer database contains the logic and data required to install eva-pacs-offline., Template: x64;1033, Revision Number: {960D73FD-964F-4EEA-BE38-2BB2EE1AAA18}, Create Time/Date: Tue Apr 4 21:12:32 2023, Last Saved Time/Date: Tue Apr 4 21:12:32 2023, Number of Pages: 450, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5:

BA19EB27D3D9D1235E56CD6A3C308AE3

SHA1:

BD618F551A180515199A5A43EDFDBDDCCBF2A608

SHA256:

A1F6C408283BD5505924C417FBD9C3969465AEE1BAD37DB01BDA692C11BAB12E

SSDEEP:

98304:FBgE2VosfhgqGvmcN3dy2VNUPJ0giJr07Ej7wg8AV4OLytVR1qlPAMFvhuKYOvWw:kNfNv+xX+oCLB14aNN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6516)
    • Changes the autorun value in the registry

      • MicrosoftEdgeUpdate.exe (PID: 6856)
    • The DLL Hijacking

      • msedgewebview2.exe (PID: 2572)
    • Scans artifacts that could help determine the target

      • msedgewebview2.exe (PID: 648)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • msiexec.exe (PID: 3688)
      • msiexec.exe (PID: 6308)
      • powershell.exe (PID: 6516)
      • MicrosoftEdgeWebview2Setup.exe (PID: 7016)
      • MicrosoftEdgeUpdate.exe (PID: 6856)
      • MicrosoftEdge_X64_131.0.2903.146.exe (PID: 6544)
      • setup.exe (PID: 244)
      • msedgewebview2.exe (PID: 1224)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 6308)
    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 6308)
    • Executes as Windows Service

      • VSSVC.exe (PID: 6904)
    • The process bypasses the loading of PowerShell profile settings

      • msiexec.exe (PID: 6308)
    • Downloads file from URI via Powershell

      • powershell.exe (PID: 6516)
    • Manipulates environment variables

      • powershell.exe (PID: 6516)
    • Starts POWERSHELL.EXE for commands execution

      • msiexec.exe (PID: 6308)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 6516)
      • MicrosoftEdgeWebview2Setup.exe (PID: 7016)
      • MicrosoftEdgeUpdate.exe (PID: 6856)
      • MicrosoftEdge_X64_131.0.2903.146.exe (PID: 6544)
      • setup.exe (PID: 244)
      • msedgewebview2.exe (PID: 1224)
    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeWebview2Setup.exe (PID: 7016)
      • MicrosoftEdgeUpdate.exe (PID: 6856)
    • Creates/Modifies COM task schedule object

      • MicrosoftEdgeUpdate.exe (PID: 6868)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6848)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7156)
    • Starts itself from another location

      • MicrosoftEdgeUpdate.exe (PID: 6856)
    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 5916)
    • Reads security settings of Internet Explorer

      • MicrosoftEdgeUpdate.exe (PID: 2092)
      • MicrosoftEdgeUpdate.exe (PID: 6856)
      • msedgewebview2.exe (PID: 648)
      • eva-pacs-offline.exe (PID: 1448)
    • Checks Windows Trust Settings

      • MicrosoftEdgeUpdate.exe (PID: 2092)
    • Application launched itself

      • setup.exe (PID: 244)
      • MicrosoftEdgeUpdate.exe (PID: 2092)
      • msedgewebview2.exe (PID: 648)
    • Creates a software uninstall entry

      • setup.exe (PID: 244)
    • Searches for installed software

      • setup.exe (PID: 244)
      • msedgewebview2.exe (PID: 648)
    • Creates file in the systems drive root

      • eva-pacs-offline.exe (PID: 1448)
  • INFO

    • The sample compiled with english language support

      • msiexec.exe (PID: 3688)
      • msiexec.exe (PID: 6308)
      • powershell.exe (PID: 6516)
      • MicrosoftEdgeWebview2Setup.exe (PID: 7016)
      • MicrosoftEdgeUpdate.exe (PID: 6856)
      • svchost.exe (PID: 5916)
      • MicrosoftEdge_X64_131.0.2903.146.exe (PID: 6544)
      • setup.exe (PID: 244)
    • Manages system restore points

      • SrTasks.exe (PID: 5556)
    • Checks supported languages

      • msiexec.exe (PID: 6308)
      • msiexec.exe (PID: 6760)
      • MicrosoftEdgeWebview2Setup.exe (PID: 7016)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7156)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6848)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3652)
      • MicrosoftEdgeUpdate.exe (PID: 6856)
      • MicrosoftEdgeUpdate.exe (PID: 6868)
      • MicrosoftEdgeUpdate.exe (PID: 2092)
      • MicrosoftEdgeUpdate.exe (PID: 5208)
      • MicrosoftEdge_X64_131.0.2903.146.exe (PID: 6544)
      • setup.exe (PID: 6736)
      • setup.exe (PID: 244)
      • MicrosoftEdgeUpdate.exe (PID: 7072)
      • msedgewebview2.exe (PID: 2324)
      • msedgewebview2.exe (PID: 2572)
      • msedgewebview2.exe (PID: 6588)
      • eva-pacs-offline.exe (PID: 1448)
      • msedgewebview2.exe (PID: 648)
      • msedgewebview2.exe (PID: 6684)
      • msedgewebview2.exe (PID: 6628)
      • msedgewebview2.exe (PID: 3564)
    • Reads the computer name

      • msiexec.exe (PID: 6308)
      • msiexec.exe (PID: 6760)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 6848)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 3652)
      • MicrosoftEdgeUpdateComRegisterShell64.exe (PID: 7156)
      • MicrosoftEdgeUpdate.exe (PID: 6868)
      • MicrosoftEdgeUpdate.exe (PID: 5208)
      • setup.exe (PID: 244)
      • msedgewebview2.exe (PID: 648)
      • msedgewebview2.exe (PID: 2744)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3688)
      • msiexec.exe (PID: 6308)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 6308)
    • The executable file from the user directory is run by the Powershell process

      • MicrosoftEdgeWebview2Setup.exe (PID: 7016)
    • Checks proxy server information

      • powershell.exe (PID: 6516)
      • MicrosoftEdgeUpdate.exe (PID: 2092)
      • MicrosoftEdgeUpdate.exe (PID: 3984)
      • MicrosoftEdgeUpdate.exe (PID: 7072)
      • msedgewebview2.exe (PID: 648)
    • Create files in a temporary directory

      • MicrosoftEdgeWebview2Setup.exe (PID: 7016)
      • svchost.exe (PID: 5916)
      • msedgewebview2.exe (PID: 648)
    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 3984)
      • msedgewebview2.exe (PID: 648)
    • Reads the software policy settings

      • MicrosoftEdgeUpdate.exe (PID: 3984)
      • MicrosoftEdgeUpdate.exe (PID: 2092)
      • MicrosoftEdgeUpdate.exe (PID: 7072)
    • Reads the machine GUID from the registry

      • MicrosoftEdgeUpdate.exe (PID: 2092)
    • Creates files or folders in the user directory

      • MicrosoftEdge_X64_131.0.2903.146.exe (PID: 6544)
      • setup.exe (PID: 244)
      • setup.exe (PID: 6736)
      • msedgewebview2.exe (PID: 2324)
      • msedgewebview2.exe (PID: 648)
      • msedgewebview2.exe (PID: 6588)
      • msedgewebview2.exe (PID: 2744)
    • Process checks computer location settings

      • MicrosoftEdgeUpdate.exe (PID: 6856)
      • setup.exe (PID: 244)
      • msedgewebview2.exe (PID: 648)
      • msedgewebview2.exe (PID: 6684)
    • Manual execution by a user

      • eva-pacs-offline.exe (PID: 1448)
    • Sends debugging messages

      • msedgewebview2.exe (PID: 648)
      • eva-pacs-offline.exe (PID: 1448)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: eva-pacs-offline
Author: com.evacenter.viewer
Keywords: Installer
Comments: This installer database contains the logic and data required to install eva-pacs-offline.
Template: x64;1033
RevisionNumber: {960D73FD-964F-4EEA-BE38-2BB2EE1AAA18}
CreateDate: 2023:04:04 21:12:32
ModifyDate: 2023:04:04 21:12:32
Pages: 450
Words: 2
Software: Windows Installer XML Toolset (3.11.2.4516)
Security: Read-only recommended
No data.
All screenshots are available in the full report
Total processes
169
Monitored processes
33
Malicious processes
9
Suspicious processes
3

Behavior graph

start
  • msiexec.exe
  • msiexec.exe
  • msiexec.exe (no specs)
  • vssvc.exe (no specs)
  • srtasks.exe (no specs)
  • conhost.exe (no specs)
  • powershell.exe
  • conhost.exe (no specs)
  • microsoftedgewebview2setup.exe
  • microsoftedgeupdate.exe
  • microsoftedgeupdate.exe (no specs)
  • microsoftedgeupdatecomregistershell64.exe (no specs)
  • microsoftedgeupdatecomregistershell64.exe (no specs)
  • microsoftedgeupdatecomregistershell64.exe (no specs)
  • microsoftedgeupdate.exe
  • microsoftedgeupdate.exe (no specs)
  • microsoftedgeupdate.exe
  • svchost.exe
  • microsoftedge_x64_131.0.2903.146.exe
  • setup.exe
  • setup.exe (no specs)
  • microsoftedgeupdate.exe
  • eva-pacs-offline.exe
  • msedgewebview2.exe
  • msedgewebview2.exe (no specs)
  • msedgewebview2.exe (no specs)
  • msedgewebview2.exe
  • msedgewebview2.exe (no specs)
  • msedgewebview2.exe (no specs)
  • msedgewebview2.exe
  • msedgewebview2.exe (no specs)
  • msedgewebview2.exe (no specs)
  • msedgewebview2.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
244
CMD:
"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{008663D4-45B6-4CD6-BE30-64026FD593C7}\EDGEMITMP_3D9EA.tmp\setup.exe" --install-archive="C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{008663D4-45B6-4CD6-BE30-64026FD593C7}\MicrosoftEdge_X64_131.0.2903.146.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --user-level
Path:
C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\Install\{008663D4-45B6-4CD6-BE30-64026FD593C7}\EDGEMITMP_3D9EA.tmp\setup.exe
Parent process:
MicrosoftEdge_X64_131.0.2903.146.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Installer
Exit code:
0
Version:
131.0.2903.146
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\install\{008663d4-45b6-4cd6-be30-64026fd593c7}\edgemitmp_3d9ea.tmp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID:
648
CMD:
"C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.146\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=eva-pacs-offline.exe --webview-exe-version=0.1.0 --user-data-dir="C:\Users\admin\AppData\Local\com.evacenter.viewer\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --mojo-named-platform-channel-pipe=1448.6012.327095334172843878
Path:
C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.146\msedgewebview2.exe
Parent process:
eva-pacs-offline.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge WebView2
Version:
131.0.2903.146
Modules
Images
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.146\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.146\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
848
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
SrTasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1224
CMD:
"C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.146\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\com.evacenter.viewer\EBWebView" --webview-exe-name=eva-pacs-offline.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=4696,i,7537555545632410220,6910229793323619232,262144 --variations-seed-version --mojo-platform-channel-handle=4628 /prefetch:8
Path:
C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.146\msedgewebview2.exe
Parent process:
msedgewebview2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge WebView2
Exit code:
0
Version:
131.0.2903.146
Modules
Images
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.146\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.146\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
1448
CMD:
"C:\Program Files\eva-pacs-offline\eva-pacs-offline.exe"
Path:
C:\Program Files\eva-pacs-offline\eva-pacs-offline.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
eva-pacs-offline
Version:
0.1.0
Modules
Images
c:\program files\eva-pacs-offline\eva-pacs-offline.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2092
CMD:
"C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" -Embedding
Path:
C:\Users\admin\AppData\Local\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge Update
Exit code:
0
Version:
1.3.195.43
Modules
Images
c:\users\admin\appdata\local\microsoft\edgeupdate\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID:
2324
CMD:
C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.146\msedgewebview2.exe --type=crashpad-handler --user-data-dir=C:\Users\admin\AppData\Local\com.evacenter.viewer\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\admin\AppData\Local\com.evacenter.viewer\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=131.0.6778.265 --annotation=exe=C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.146\msedgewebview2.exe --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=131.0.2903.146 --initial-client-data=0x1a0,0x1a4,0x1a8,0x17c,0x1b0,0x7ff81fe56070,0x7ff81fe5607c,0x7ff81fe56088
Path:
C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.146\msedgewebview2.exe
Parent process:
msedgewebview2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge WebView2
Version:
131.0.2903.146
Modules
Images
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.146\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.146\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
2572
CMD:
"C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.146\msedgewebview2.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\com.evacenter.viewer\EBWebView" --webview-exe-name=eva-pacs-offline.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1876,i,7537555545632410220,6910229793323619232,262144 --variations-seed-version --mojo-platform-channel-handle=1868 /prefetch:2
Path:
C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.146\msedgewebview2.exe
Parent process:
msedgewebview2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge WebView2
Version:
131.0.2903.146
Modules
Images
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.146\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.146\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
2744
CMD:
"C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.146\msedgewebview2.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\com.evacenter.viewer\EBWebView" --webview-exe-name=eva-pacs-offline.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2324,i,7537555545632410220,6910229793323619232,262144 --variations-seed-version --mojo-platform-channel-handle=4788 /prefetch:8
Path:
C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.146\msedgewebview2.exe
Parent process:
msedgewebview2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge WebView2
Exit code:
0
Version:
131.0.2903.146
Modules
Images
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.146\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.146\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID:
3564
CMD:
"C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.146\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\com.evacenter.viewer\EBWebView" --webview-exe-name=eva-pacs-offline.exe --webview-exe-version=0.1.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=4768,i,7537555545632410220,6910229793323619232,262144 --variations-seed-version --mojo-platform-channel-handle=3820 /prefetch:8
Path:
C:\Users\admin\AppData\Local\Microsoft\EdgeWebView\Application\131.0.2903.146\msedgewebview2.exe
Parent process:
msedgewebview2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge WebView2
Exit code:
0
Version:
131.0.2903.146
Modules
Images
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.146\msedgewebview2.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\microsoft\edgewebview\application\131.0.2903.146\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
Total events
31 851
Read events
28 619
Write events
3 137
Delete events
95

Modification events

(PID) Process: (6308) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
4800000000000000E0D004A7CA66DB01A4180000E81A0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6308) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value:
4800000000000000E0D004A7CA66DB01A4180000E81A0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6308) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value:
4800000000000000422945A7CA66DB01A4180000E81A0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6308) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value:
4800000000000000422945A7CA66DB01A4180000E81A0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6308) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value:
4800000000000000F38C47A7CA66DB01A4180000E81A0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6308) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value:
4800000000000000B4F049A7CA66DB01A4180000E81A0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6308) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value:
11

(PID) Process: (6308) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value:
4800000000000000CC3FD4A7CA66DB01A4180000E81A0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (6308) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000C1FED8A7CA66DB01A4180000B41B0000E803000001000000000000000000000030346949980B3F4FBA6206192929F75700000000000000000000000000000000

(PID) Process: (6904) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation: delete key
Name: (default)
Value:
Executable files
224
Suspicious files
217
Text files
34
Unknown types
14

Dropped files

PID
Process
Filename
Type
PID: 6308
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\metadata-2
MD5:
SHA256:

PID: 6308
Process: msiexec.exe
Filename: C:\Windows\Installer\13d0c1.msi
MD5:
SHA256:

PID: 6308
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\OnlineMetadataCache\{49693430-0b98-4f3f-ba62-06192929f757}_OnDiskSnapshotProp
Type: binary
MD5: C29B76B22E9252DEE10C05C9B70446FF
SHA256: C8FA96EF845B6785C6925C06269FCBBE5BDEDA8502C00FC4AFB53DBEAAB8348A

PID: 6308
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\snapshot-2
Type: binary
MD5: C29B76B22E9252DEE10C05C9B70446FF
SHA256: C8FA96EF845B6785C6925C06269FCBBE5BDEDA8502C00FC4AFB53DBEAAB8348A

PID: 6308
Process: msiexec.exe
Filename: C:\Windows\Installer\$PatchCache$\Managed\E930CC027E77D354490A80AC39727C64\0.1.0\msvcp140_1.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3
Type: executable
MD5: 00BCBB58255D6CBD712E89A3DD0D1810
SHA256: E10FB192620193CB721516C30533F71CA6B2A4396B48F3858B571143E94ABA31

PID: 6308
Process: msiexec.exe
Filename: C:\Windows\Installer\inprogressinstallinfo.ipi
Type: binary
MD5: 91E43E0A5A22597DAA4CA92EF581C34B
SHA256: 818278677711425C36E60721F78664D98E7754C08BEDB764391CD55E7BA309B0

PID: 6308
Process: msiexec.exe
Filename: C:\Windows\Installer\13d0c3.msi
MD5:
SHA256:

PID: 6308
Process: msiexec.exe
Filename: C:\Program Files\eva-pacs-offline\eva-pacs-offline.exe
Type: executable
MD5: BDC1D37F91A06AD9A087D1BF8364AB94
SHA256: 814A6F278994B718CE9666209CFED7C5FEA9221C9D1954C5F78966E5DBB87183

PID: 6308
Process: msiexec.exe
Filename: C:\Windows\Installer\$PatchCache$\Managed\E930CC027E77D354490A80AC39727C64\0.1.0\msvcp140.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3
Type: executable
MD5: 5CDE3AED10412762E83B7FE43694A22B
SHA256: 10DDFF48D704C6007E4C2D53FB4856B5E5E79479503366236246A323AAA76E9D

PID: 6308
Process: msiexec.exe
Filename: C:\Windows\Installer\$PatchCache$\Managed\E930CC027E77D354490A80AC39727C64\0.1.0\msvcp140_2.dll.DFEFC2FE_EEE6_424C_841B_D4E66F0C84A3
Type: executable
MD5: 5338E18979B5DBC62235AAB52307B820
SHA256: 046739D24A8253914EA8048E2C136CBBA668E62FE5284CC0FF5DB5F350B9DA2C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
25
TCP/UDP connections
47
DNS requests
37
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
973 b
whitelisted
GET
200
184.24.77.35:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
1.01 Kb
whitelisted
5916
svchost.exe
HEAD
200
217.20.57.36:80
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/8f8ef676-acb3-4f15-a854-16344ca03e90?P1=1737494675&P2=404&P3=2&P4=WtqSNGntiCpxBUlL7cAF9plfD5TtjO6uMp5GavT39Hbc%2bPv2lBAEvibmv5Sm5wCmFsIP5REcDaUsFM%2bJnW%2b85g%3d%3d
US
whitelisted
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
DE
binary
313 b
whitelisted
5916
svchost.exe
HEAD
200
217.20.57.18:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/2132f61f-f790-4ae6-a355-8cf9a1533800?P1=1737490526&P2=404&P3=2&P4=hxyBOZ4TJw1X3feza8VMGKgRbcX3bnO2JifRrk3qfp5%2f4Xh5t7J7rXDMKDGZarXq2sN5WrAUh1Uaf92vjP%2blJA%3d%3d
US
whitelisted
4164
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
QA
binary
408 b
whitelisted
5916
svchost.exe
GET
200
217.20.57.36:80
http://msedge.f.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/8f8ef676-acb3-4f15-a854-16344ca03e90?P1=1737494675&P2=404&P3=2&P4=WtqSNGntiCpxBUlL7cAF9plfD5TtjO6uMp5GavT39Hbc%2bPv2lBAEvibmv5Sm5wCmFsIP5REcDaUsFM%2bJnW%2b85g%3d%3d
US
executable
168 Mb
whitelisted
6192
backgroundTaskHost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
DE
binary
471 b
whitelisted
4164
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
QA
binary
419 b
whitelisted
1176
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
DE
binary
471 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
184.24.77.35:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.218.209.163:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5064
SearchApp.exe
104.126.37.178:443
www.bing.com
Akamai International B.V.
DE
whitelisted
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2040
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1176
svchost.exe
40.126.31.67:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.174
whitelisted
crl.microsoft.com
  • 184.24.77.35
  • 184.24.77.37
whitelisted
www.microsoft.com
  • 23.218.209.163
  • 2.23.246.101
whitelisted
www.bing.com
  • 104.126.37.178
  • 104.126.37.139
  • 104.126.37.145
  • 104.126.37.171
  • 104.126.37.163
  • 104.126.37.130
  • 104.126.37.176
  • 104.126.37.136
  • 104.126.37.123
whitelisted
ocsp.digicert.com
  • 2.17.190.73
  • 2.23.77.188
whitelisted
login.live.com
  • 40.126.31.67
  • 20.190.159.0
  • 20.190.159.2
  • 40.126.31.71
  • 20.190.159.23
  • 40.126.31.69
  • 20.190.159.4
  • 40.126.31.73
whitelisted
go.microsoft.com
  • 23.35.238.131
  • 2.23.242.9
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
fd.api.iris.microsoft.com
  • 20.223.35.26
whitelisted

Threats

PID
Process
Class
Message
5916
svchost.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Process
Message
msedgewebview2.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\com.evacenter.viewer directory exists )
eva-pacs-offline.exe
Warning: AddWebResourceRequestedFilter without SourceKind parameter is deprecated! It does not behave as expected for iframes.Please use AddWebResourceRequestedFilterWithRequestSourceKinds instead. For more information, please see https://go.microsoft.com/fwlink/?linkid=2286319
eva-pacs-offline.exe
Warning: AddWebResourceRequestedFilter without SourceKind parameter is deprecated! It does not behave as expected for iframes.Please use AddWebResourceRequestedFilterWithRequestSourceKinds instead. For more information, please see https://go.microsoft.com/fwlink/?linkid=2286319