Malware analysis setup.msi Malicious activity | ANY.RUN

Add for printing

File name:	setup.msi
Full analysis:	https://app.any.run/tasks/37136b24-b1f5-4346-afec-fafc1456fdcc
Verdict:	Malicious activity
Analysis date:	January 22, 2025, 01:06:32
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	generated-doc
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {8EC5BE9D-67EF-4CC2-B820-F8BAA8431490}, Number of Words: 10, Subject: Rotq App, Author: Viqwo Stars Ci, Name of Creating Application: Rotq App, Template: x64;2057, Comments: This installer database contains the logic and data required to install Rotq App., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Tue Jan 21 08:34:06 2025, Last Saved Time/Date: Tue Jan 21 08:34:06 2025, Last Printed: Tue Jan 21 08:34:06 2025, Number of Pages: 450
MD5:	95690D4FD52889A957AE39BB8A162E10
SHA1:	5E4AFABC2EF0430988283703827115449BE7F043
SHA256:	D81CF7D7BEAF6571C3C19EB5A20D1EB151EF9479F283C0960E8DD370874DAF22
SSDEEP:	196608:38Lg3BAlF0ya3y6EpWaYsC+EZPneY9sE:scGH0yY0pWaBC+EVeY9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Reads the Windows owner or organization settings
  - msiexec.exe (PID: 2972)
- Process drops legitimate windows executable
  - msiexec.exe (PID: 2972)
- Executable content was dropped or overwritten
  - UnRar.exe (PID: 2280)
- The process drops C-runtime libraries
  - msiexec.exe (PID: 2972)
- Executes application which crashes
  - obs-ffmpeg-mux.exe (PID: 6188)
INFO
- Creates files or folders in the user directory
  - msiexec.exe (PID: 2972)
  - UnRar.exe (PID: 2280)
- Checks supported languages
  - msiexec.exe (PID: 5588)
  - msiexec.exe (PID: 2972)
  - UnRar.exe (PID: 2280)
  - createdump.exe (PID: 6180)
  - obs-ffmpeg-mux.exe (PID: 6188)
- Reads the computer name
  - msiexec.exe (PID: 2972)
  - msiexec.exe (PID: 5588)
- Reads Environment values
  - msiexec.exe (PID: 5588)
- The sample compiled with english language support
  - msiexec.exe (PID: 2972)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 2972)
- Creates a software uninstall entry
  - msiexec.exe (PID: 2972)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.msi	\|	Microsoft Windows Installer (88.6)
.mst	\|	Windows SDK Setup Transform Script (10)
.msi	\|	Microsoft Installer (100)

EXIF

FlashPix

Security:	None
CodePage:	Windows Latin 1 (Western European)
RevisionNumber:	{8EC5BE9D-67EF-4CC2-B820-F8BAA8431490}
Words:	10
Subject:	Rotq App
Author:	Viqwo Stars Ci
LastModifiedBy:	-
Software:	Rotq App
Template:	x64;2057
Comments:	This installer database contains the logic and data required to install Rotq App.
Title:	Installation Database
Keywords:	Installer, MSI, Database
CreateDate:	2025:01:21 08:34:06
ModifyDate:	2025:01:21 08:34:06
LastPrinted:	2025:01:21 08:34:06
Pages:	450

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

132

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2280

"C:\Users\admin\AppData\Roaming\Viqwo Stars Ci\Rotq App\UnRar.exe" x -p3809610121t -o+ "C:\Users\admin\AppData\Roaming\Viqwo Stars Ci\Rotq App\iwhgjds.rar" "C:\Users\admin\AppData\Roaming\Viqwo Stars Ci\Rotq App\"

C:\Users\admin\AppData\Roaming\Viqwo Stars Ci\Rotq App\UnRar.exe

msiexec.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

Command line RAR

Exit code:

Version:

7.1.0

Modules

Images
c:\users\admin\appdata\roaming\viqwo stars ci\rotq app\unrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

2632

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

UnRar.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2972

C:\WINDOWS\system32\msiexec.exe /V

C:\Windows\System32\msiexec.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows® installer

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

4724

"C:\Windows\System32\msiexec.exe" /i C:\Users\admin\AppData\Local\Temp\setup.msi

C:\Windows\System32\msiexec.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Exit code:

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

5588

C:\Windows\syswow64\MsiExec.exe -Embedding BC33630446D71076478088A7B2912E10

C:\Windows\SysWOW64\msiexec.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Exit code:

Version:

5.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

6180

"C:\Users\admin\AppData\Roaming\Viqwo Stars Ci\Rotq App\createdump.exe"

C:\Users\admin\AppData\Roaming\Viqwo Stars Ci\Rotq App\createdump.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft .NET Runtime Crash Dump Generator

Exit code:

4294967295

Version:

6,0,2223,42425 @Commit: 4bb6dc195c0a3bc4c7e24ff54a8925b98db

Modules

Images
c:\users\admin\appdata\roaming\viqwo stars ci\rotq app\createdump.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\dbgcore.dll

6188

"C:\Users\admin\AppData\Roaming\Viqwo Stars Ci\Rotq App\obs-ffmpeg-mux.exe"

C:\Users\admin\AppData\Roaming\Viqwo Stars Ci\Rotq App\obs-ffmpeg-mux.exe

msiexec.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221225477

Modules

Images
c:\users\admin\appdata\roaming\viqwo stars ci\rotq app\obs-ffmpeg-mux.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\roaming\viqwo stars ci\rotq app\obs.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

6196

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

obs-ffmpeg-mux.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6204

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

createdump.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6328

C:\WINDOWS\SysWOW64\explorer.exe explorer.exe

C:\Windows\SysWOW64\explorer.exe

obs-ffmpeg-mux.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Exit code:

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

Add for printing

Total events

2 541

Read events

2 397

Write events

135

Delete events

Modification events


(PID) Process:	(2972) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Owner
Value: 9C0B000047ED94F1696CDB01
(PID) Process:	(2972) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	SessionHash
Value: BC16C3E4AA554473A60F60EBFFDFFD84C9C31257BA55C89CD2CF9729AD021A42
(PID) Process:	(2972) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Sequence
Value: 1
(PID) Process:	(2972) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\6D8E6B71400CBD04BBD221D5C7C12CE1
Operation:	write	Name:	D0B21BB044C83344DB757CF0A2EF15B3
Value: C:\Users\admin\AppData\Roaming\Viqwo Stars Ci\Rotq App\api-ms-win-core-synch-l1-1-0.dll
(PID) Process:	(2972) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\9737E2B1877BA2647A4AC547869EDF03
Operation:	write	Name:	D0B21BB044C83344DB757CF0A2EF15B3
Value: C:\Users\admin\AppData\Roaming\Viqwo Stars Ci\Rotq App\api-ms-win-core-synch-l1-2-0.dll
(PID) Process:	(2972) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\65624D8381D30F249B874F58E818676E
Operation:	write	Name:	D0B21BB044C83344DB757CF0A2EF15B3
Value: C:\Users\admin\AppData\Roaming\Viqwo Stars Ci\Rotq App\api-ms-win-core-sysinfo-l1-1-0.dll
(PID) Process:	(2972) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\D63B3F7EA8654C24FB42180178BBBF34
Operation:	write	Name:	D0B21BB044C83344DB757CF0A2EF15B3
Value: C:\Users\admin\AppData\Roaming\Viqwo Stars Ci\Rotq App\api-ms-win-crt-convert-l1-1-0.dll
(PID) Process:	(2972) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\C04D16F8CDF5F4543AC9A3616BA42840
Operation:	write	Name:	D0B21BB044C83344DB757CF0A2EF15B3
Value: C:\Users\admin\AppData\Roaming\Viqwo Stars Ci\Rotq App\api-ms-win-crt-environment-l1-1-0.dll
(PID) Process:	(2972) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\74BFD8668DF9CDF4DAE798C67C0F5E07
Operation:	write	Name:	D0B21BB044C83344DB757CF0A2EF15B3
Value: C:\Users\admin\AppData\Roaming\Viqwo Stars Ci\Rotq App\api-ms-win-crt-filesystem-l1-1-0.dll
(PID) Process:	(2972) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\E84195AD854B9A744A14CCC0101E24CE
Operation:	write	Name:	D0B21BB044C83344DB757CF0A2EF15B3
Value: C:\Users\admin\AppData\Roaming\Viqwo Stars Ci\Rotq App\api-ms-win-core-console-l1-1-0.dll

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2972	msiexec.exe	C:\Windows\Installer\1391f2.msi		—
		MD5:—	SHA256:—
2972	msiexec.exe	C:\Windows\Installer\MSI94C1.tmp		executable
		MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2	SHA256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
2972	msiexec.exe	C:\Windows\Installer\MSI9F24.tmp		executable
		MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2	SHA256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
2972	msiexec.exe	C:\Windows\Installer\MSI9B0C.tmp		executable
		MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2	SHA256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
2972	msiexec.exe	C:\Windows\Installer\MSIA2EE.tmp		executable
		MD5:E83D774F643972B8ECCDB3A34DA135C5	SHA256:D0A6F6373CFB902FCD95BC12360A9E949F5597B72C01E0BD328F9B1E2080B5B7
2972	msiexec.exe	C:\Users\admin\AppData\Roaming\Viqwo Stars Ci\Rotq App\msvcp140.dll		executable
		MD5:6DA7F4530EDB350CF9D967D969CCECF8	SHA256:9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA
2972	msiexec.exe	C:\Windows\Installer\MSIC83C.tmp		binary
		MD5:E4F68ED9BE2EDCF357A041C76AD35929	SHA256:385EEA031AD4D3B03F8B56E06AE59F1FA203FBDEB512E684D7DFF922F5921A08
2972	msiexec.exe	C:\Users\admin\AppData\Roaming\Viqwo Stars Ci\Rotq App\vcruntime140_1.dll		executable
		MD5:135359D350F72AD4BF716B764D39E749	SHA256:34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32
2972	msiexec.exe	C:\Windows\Installer\inprogressinstallinfo.ipi		binary
		MD5:D9C5DED6C0C7D933BE62BB2AB6EDBDA0	SHA256:6563EB17D3AAB623FBD0E2173691A43F2205496E27F44742822D07598251158C
2972	msiexec.exe	C:\Users\admin\AppData\Roaming\Viqwo Stars Ci\Rotq App\vcruntime140.dll		executable
		MD5:F34EB034AA4A9735218686590CBA2E8B	SHA256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.19.11.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
4120	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
4120	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6328	explorer.exe	GET	200	169.150.247.36:80	http://vikincdesigns.com/front.php?a=PnMOLreWjITx0uY&id=0	unknown	—	—	unknown
2356	backgroundTaskHost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	2.19.11.120:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
4712	MoUsoCoreWorker.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
5064	SearchApp.exe	2.21.65.154:443	www.bing.com	Akamai International B.V.	NL	whitelisted
1076	svchost.exe	2.23.242.9:443	go.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
5064	SearchApp.exe	2.23.77.188:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
1176	svchost.exe	40.126.32.68:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1176	svchost.exe	2.23.77.188:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted

DNS requests

Domain	IP	Reputation
crl.microsoft.com	2.19.11.120 2.19.11.105	whitelisted
www.microsoft.com	2.23.246.101 184.30.21.171	whitelisted
google.com	142.250.186.110	whitelisted
www.bing.com	2.21.65.154 2.21.65.132 104.126.37.130 104.126.37.145 104.126.37.131 104.126.37.139 104.126.37.128	whitelisted
go.microsoft.com	2.23.242.9	whitelisted
ocsp.digicert.com	2.23.77.188 184.30.131.245	whitelisted
login.live.com	40.126.32.68 40.126.32.136 40.126.32.76 40.126.32.138 20.190.160.22 20.190.160.20 40.126.32.72 40.126.32.74	whitelisted
slscr.update.microsoft.com	20.109.210.53	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted
settings-win.data.microsoft.com	40.127.240.158	whitelisted

Threats

No threats detected

Add for printing

Process	Message
obs-ffmpeg-mux.exe	Operation failed.

General Info

setup.msi

95690D4FD52889A957AE39BB8A162E10

5E4AFABC2EF0430988283703827115449BE7F043

D81CF7D7BEAF6571C3C19EB5A20D1EB151EF9479F283C0960E8DD370874DAF22

196608:38Lg3BAlF0ya3y6EpWaYsC+EZPneY9sE:scGH0yY0pWaBC+EVeY9

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Reads the Windows owner or organization settings

Process drops legitimate windows executable

Executable content was dropped or overwritten

The process drops C-runtime libraries

Executes application which crashes

INFO

Creates files or folders in the user directory

Checks supported languages

Reads the computer name

Reads Environment values

The sample compiled with english language support

Executable content was dropped or overwritten

Creates a software uninstall entry

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings