File name:

setup.msi

Full analysis: https://app.any.run/tasks/a89c2b4a-797f-437c-a715-12e138c02a6b
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: July 07, 2024, 22:03:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
adware
takemyfile
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {C3B9A22B-076D-42E4-A3E2-B6C408580DE0}, Number of Words: 2, Subject: Secure Downloader, Author: Internet Guardian, Name of Creating Application: Secure Downloader, Template: ;1033, Comments: This installer database contains the logic and data required to install Secure Downloader., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Wed Jun 26 22:43:54 2024, Last Saved Time/Date: Wed Jun 26 22:43:54 2024, Last Printed: Wed Jun 26 22:43:54 2024, Number of Pages: 450
MD5:

FA7EB2499B72EAC98E1A03FFDA68A4DD

SHA1:

343AF392550E03B21DBA66D40C42802363BEA917

SHA256:

035A0238921F260D165CFDBB8E991ACA3C99E5C90CC8F9226ECFE2005CF7B3B4

SSDEEP:

98304:L9Ijox/4QL5LYYqr0V5RZlTvJ9jwv3RmG6lkaKKHLRwQTmPOdBjDaa/:8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 3428)
    • TAKEMYFILE has been detected (SURICATA)

      • msiexec.exe (PID: 3428)
    • The DLL Hijacking

      • msiexec.exe (PID: 3220)
    • Connects to the CnC server

      • msiexec.exe (PID: 3428)
  • SUSPICIOUS

    • Checks for Java to be installed

      • msiexec.exe (PID: 3220)
    • Reads the Internet Settings

      • msiexec.exe (PID: 3428)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 3428)
  • INFO

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 3268)
    • An automatically generated document

      • msiexec.exe (PID: 3268)
    • Reads the computer name

      • msiexec.exe (PID: 3700)
      • msiexec.exe (PID: 3428)
      • msiexec.exe (PID: 3220)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 3700)
      • msiexec.exe (PID: 3428)
      • msiexec.exe (PID: 3220)
    • Create files in a temporary directory

      • msiexec.exe (PID: 3268)
      • msiexec.exe (PID: 3428)
    • Reads the software policy settings

      • msiexec.exe (PID: 3268)
    • Checks supported languages

      • msiexec.exe (PID: 3428)
      • msiexec.exe (PID: 3700)
      • msiexec.exe (PID: 3220)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3428)
      • msiexec.exe (PID: 3268)
    • Reads Environment values

      • msiexec.exe (PID: 3428)
      • msiexec.exe (PID: 3220)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 3428)
    • Application launched itself

      • msiexec.exe (PID: 3700)
    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 3268)
    • Reads Microsoft Office registry keys

      • msiexec.exe (PID: 3220)
    • Process checks Powershell version

      • msiexec.exe (PID: 3220)
    • Checks proxy server information

      • msiexec.exe (PID: 3428)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (81.9)
.mst | Windows SDK Setup Transform Script (9.2)
.msp | Windows Installer Patch (7.6)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Security: None
CodePage: Windows Latin 1 (Western European)
RevisionNumber: {C3B9A22B-076D-42E4-A3E2-B6C408580DE0}
Words: 2
Subject: Secure Downloader
Author: Internet Guardian
LastModifiedBy: -
Software: Secure Downloader
Template: ;1033
Comments: This installer database contains the logic and data required to install Secure Downloader.
Title: Installation Database
Keywords: Installer, MSI, Database
CreateDate: 2024:06:26 22:43:54
ModifyDate: 2024:06:26 22:43:54
LastPrinted: 2024:06:26 22:43:54
Pages: 450
No data.
All screenshots are available in the full report
Total processes
42
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Process nodes: start, msiexec.exe, msiexec.exe (no specs), #TAKEMYFILE msiexec.exe, msiexec.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 3220
CMD: C:\Windows\system32\MsiExec.exe -Embedding CF24A724DF810328BF295E59671CF327 C
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3268
CMD: "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\AppData\Local\Temp\setup.msi
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
1603
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3428
CMD: C:\Windows\system32\MsiExec.exe -Embedding D0A35E85A785C0DC0533E617C04EF5C2 U
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3700
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
5 429
Read events
5 376
Write events
44
Delete events
9

Modification events

(PID) Process: (3268) msiexec.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value:
en-US
(PID) Process: (3428) msiexec.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value:
0
(PID) Process: (3428) msiexec.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: ProxyServer
Value:
(PID) Process: (3428) msiexec.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: ProxyOverride
Value:
(PID) Process: (3428) msiexec.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: AutoConfigURL
Value:
(PID) Process: (3428) msiexec.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: AutoDetect
Value:
(PID) Process: (3428) msiexec.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value:
460000005D010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (3428) msiexec.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value:
1
(PID) Process: (3428) msiexec.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value:
1
(PID) Process: (3428) msiexec.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value:
1
Executable files
9
Suspicious files
0
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 3428
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSI28488\InstallerAnalytics.dll
Type: executable
MD5:00C83FA0C15C4F912B2284BB8A3A8D79
SHA256:4EA1A93CD42013A60B64B497662DADA9650353A81DC059D91D5C97397D4161A0
PID: 3428
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\AdvinstAnalytics\665dd79920a59ade4c2aa809\1.0.0\tracking.ini
Type: text
MD5:609234DCF0774F72247E3BD8225C28C5
SHA256:4325BECB79B638BE50397D0065C61070156635931F04DF59CCFA5C05C2258E16
PID: 3268
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIEC15.tmp
Type: executable
MD5:00C83FA0C15C4F912B2284BB8A3A8D79
SHA256:4EA1A93CD42013A60B64B497662DADA9650353A81DC059D91D5C97397D4161A0
PID: 3268
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIEE0B.tmp
Type: executable
MD5:3604517A3E6E69BA339239CF82FC94A5
SHA256:BDD1D14C9CB54B19F6A7F37ADBC7537CE8FD2F6FA59A74A4A90B08C7979708D2
PID: 3268
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIEB97.tmp
Type: executable
MD5:3604517A3E6E69BA339239CF82FC94A5
SHA256:BDD1D14C9CB54B19F6A7F37ADBC7537CE8FD2F6FA59A74A4A90B08C7979708D2
PID: 3268
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIEC73.tmp
Type: executable
MD5:CC048C7AADC4ADF3A29D429F1F5EEAD0
SHA256:D23C6AC751423FF6961694437E67D7B608102BD351E3E0CD10D34D026A1A08CA
PID: 3268
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIEE3B.tmp
Type: executable
MD5:00C83FA0C15C4F912B2284BB8A3A8D79
SHA256:4EA1A93CD42013A60B64B497662DADA9650353A81DC059D91D5C97397D4161A0
PID: 3268
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSI28488\embeddeduiproxy.dll
Type: executable
MD5:8F567EE56ADFF022729D1FDD5729FF44
SHA256:A7747206B2DC6C09163801D635EAFBB4EE8A7A59001B1DDF1BB46DA45DD70D62
PID: 3268
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIEAD9.tmp
Type: executable
MD5:3604517A3E6E69BA339239CF82FC94A5
SHA256:BDD1D14C9CB54B19F6A7F37ADBC7537CE8FD2F6FA59A74A4A90B08C7979708D2
PID: 3268
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSI4eed1.LOG
Type: text
MD5:4E1393E35FE575E8EE0D61EDC5625948
SHA256:C6E3AD7AB6B08120669AFF831362E57BC09C8DA445570EE21AA3B3CE5CE77B13
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
11
DNS requests
5
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3428
msiexec.exe
POST
402
54.224.49.0:80
http://collect.installeranalytics.com/
unknown
unknown
GET
304
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
unknown
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
1060
svchost.exe
GET
304
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fbe613066ac7852b
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
1372
svchost.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
unknown
1060
svchost.exe
224.0.0.252:5355
unknown
3428
msiexec.exe
54.224.49.0:80
collect.installeranalytics.com
AMAZON-AES
US
unknown
1372
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
1372
svchost.exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
whitelisted
1372
svchost.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
unknown

DNS requests

Domain
IP
Reputation
collect.installeranalytics.com
  • 54.224.49.0
  • 54.204.31.229
unknown
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted

Threats

3 ETPRO signatures available at the full report
No debug info