File name: x64__installer___v4.8.6.msi

Full analysis: https://app.any.run/tasks/7dfa159b-86f1-4c80-a381-a998f4795a57
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: September 02, 2024, 15:41:50
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
adware
advancedinstaller
robotdropper
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {2BB5763E-C053-4972-96C8-EF57D2A96066}, Number of Words: 10, Subject: IcuApp, Author: Icuuq Cmpq, Name of Creating Application: IcuApp, Template: x64;2057, Comments: This installer database contains the logic and data required to install IcuApp., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sun Sep 1 18:21:22 2024, Last Saved Time/Date: Sun Sep 1 18:21:22 2024, Last Printed: Sun Sep 1 18:21:22 2024, Number of Pages: 450
MD5: 07997444061E4ED5F9B6274C4420F261
SHA1: 37CF9557DC424709D4FA2E99014979EB1FC868FE
SHA256: 75CDF91E7F10807B81E9CC9754DC37D447D46912537F585E6F6B3E2A84FDB7DF
SSDEEP: 196608:FTKDHPKOFfXWZQHvOJgdbOIkVBqjgnMn86M0WFd5ljUaWR261zVzaWM:crJZm7xBJnM86Q/BUaW/Jph

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • ROBOTDROPPER has been detected
      • msiexec.exe (PID: 3236)
  • SUSPICIOUS
    • Process drops legitimate windows executable
      • msiexec.exe (PID: 3236)
  • INFO
    • An automatically generated document
      • msiexec.exe (PID: 5708)
    • Creates files or folders in the user directory
      • msiexec.exe (PID: 3236)
    • Executable content was dropped or overwritten
      • msiexec.exe (PID: 3236)
    • Checks supported languages
      • msiexec.exe (PID: 3236)
    • Create files in a temporary directory
      • msiexec.exe (PID: 5708)
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (81.9)
.mst | Windows SDK Setup Transform Script (9.2)
.msp | Windows Installer Patch (7.6)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Security: None
CodePage: Windows Latin 1 (Western European)
RevisionNumber: {2BB5763E-C053-4972-96C8-EF57D2A96066}
Words: 10
Subject: IcuApp
Author: Icuuq Cmpq
LastModifiedBy: -
Software: IcuApp
Template: x64;2057
Comments: This installer database contains the logic and data required to install IcuApp.
Title: Installation Database
Keywords: Installer, MSI, Database
CreateDate: 2024:09:01 18:21:22
ModifyDate: 2024:09:01 18:21:22
LastPrinted: 2024:09:01 18:21:22
Pages: 450
All screenshots are available in the full report
Total processes: 121
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → msiexec.exe (no specs), msiexec.exe (#ROBOTDROPPER); the interactive graph with per-process details is in the full report

Process information

PID: 3236
CMD: C:\WINDOWS\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\setupapi.dll
  c:\windows\system32\cfgmgr32.dll
  c:\windows\system32\cabinet.dll

PID: 5708
CMD: "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\Desktop\x64__installer___v4.8.6.msi
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Version: 5.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\msiexec.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\system32\aclayers.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\win32u.dll
  c:\windows\system32\gdi32.dll
Total events: 1 409
Read events: 1 290
Write events: 119
Delete events: 0

Modification events

(PID) Process: (3236) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation: write
Name: C:\Config.Msi\
Value:

(PID) Process: (3236) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: write
Name: C:\Config.Msi\12b7a2.rbs
Value: 31128910

(PID) Process: (3236) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: write
Name: C:\Config.Msi\12b7a2.rbsLow
Value:

(PID) Process: (3236) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation: write
Name: C:\Users\admin\AppData\Roaming\Microsoft\Installer\
Value:

(PID) Process: (3236) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\9821981A3ABF4934796C95EB5BF10CDC
Operation: write
Name: C7F8AA5646AE2E84BB4875C28F903973
Value: C:\Users\admin\AppData\Roaming\Icuuq Cmpq\IcuApp\

(PID) Process: (3236) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\9B8489ABA9DF66F42A0653B3A19343A4
Operation: write
Name: C7F8AA5646AE2E84BB4875C28F903973
Value: 21:\Software\Icuuq Cmpq\IcuApp\Version

(PID) Process: (3236) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\CA79783BE2CAD1241B088F1E5885EEF2
Operation: write
Name: C7F8AA5646AE2E84BB4875C28F903973
Value: C:\Users\admin\AppData\Roaming\Icuuq Cmpq\IcuApp\jmods\java.base.jmod

(PID) Process: (3236) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\911C6C1FEF2985240B3EB6BA5D94FDB7
Operation: write
Name: C7F8AA5646AE2E84BB4875C28F903973
Value: C:\Users\admin\AppData\Roaming\Icuuq Cmpq\IcuApp\srv\classes.jsa

(PID) Process: (3236) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\7D935B04105F5C949AEAA7124AD493B6
Operation: write
Name: C7F8AA5646AE2E84BB4875C28F903973
Value: C:\Users\admin\AppData\Roaming\Icuuq Cmpq\IcuApp\srv\jvm.dll

(PID) Process: (3236) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\1D0C93C778D295D4C9F53D5B33CAB5EE
Operation: write
Name: C7F8AA5646AE2E84BB4875C28F903973
Value: C:\Users\admin\AppData\Roaming\Icuuq Cmpq\IcuApp\instrument.dll
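The Components writes above are easier to read once decoded. Under Installer\UserData\<SID>\Components\, each subkey name is a component GUID in the Installer's 32-character "squished" form, each value name under it is the squished ProductCode of the product that registered the component (here C7F8AA5646AE2E84BB4875C28F903973 for every entry), and the value data is the component keypath: either a file path or a registry path carried behind an NN:\ prefix. The script below is an added example, not ANY.RUN or IcuApp code: it decodes the squished GUIDs, parses the keypaths and recovers the single ProductCode behind these writes. The sample events are copied from this page; the meaning assigned to the NN:\ prefix digits (root key in the second digit, 64-bit registry view when the first digit is 2) is the commonly observed Installer convention, stated here as an assumption to verify against the package's own Registry table.

```python
"""Decode Windows Installer component-registration artifacts (added example).

Squished GUID: the first three groups of the {8-4-4-4-12} GUID are reversed
whole, the remaining eight bytes are reversed pairwise. Sample events are the
ones printed on this page; the NN:\ prefix mapping is an assumed convention.
"""
import re

HEX = set("0123456789ABCDEF")
# Second digit of an 'NN:\' registry keypath prefix selects the root key; a
# leading 2 is taken to mean the 64-bit registry view (assumption, see above).
ROOTS = {"0": "HKEY_CLASSES_ROOT", "1": "HKEY_CURRENT_USER",
         "2": "HKEY_LOCAL_MACHINE", "3": "HKEY_USERS"}


def unsquish(s):
    """32 hex chars as stored in the registry -> {8-4-4-4-12} GUID string."""
    s = s.strip().upper()
    if len(s) != 32 or not set(s) <= HEX:
        raise ValueError("expected 32 hex characters, got %r" % s)
    a, b, c = s[0:8][::-1], s[8:12][::-1], s[12:16][::-1]
    tail = "".join(s[i:i + 2][::-1] for i in range(16, 32, 2))
    return "{%s-%s-%s-%s-%s}" % (a, b, c, tail[:4], tail[4:])


def squish(guid):
    """Inverse of unsquish: GUID string -> 32 hex chars as used in key names."""
    g = guid.strip().strip("{}").replace("-", "").upper()
    if len(g) != 32 or not set(g) <= HEX:
        raise ValueError("expected a GUID, got %r" % guid)
    return (g[0:8][::-1] + g[8:12][::-1] + g[12:16][::-1]
            + "".join(g[i:i + 2][::-1] for i in range(16, 32, 2)))


def parse_keypath(data):
    """File keypaths are plain paths; registry keypaths carry an 'NN:\\' prefix."""
    m = re.match(r"^(\d)(\d):\\(.*)$", data)
    if not m:
        return {"kind": "file", "path": data}
    view, root, path = m.groups()
    return {"kind": "registry", "root": ROOTS.get(root, "unknown(%s)" % root),
            "view_64bit": view == "2", "path": path}


def decode_component_event(key, name, data):
    """One Components\\<squished> value write -> component id, product code, keypath.
    Returns None for registry writes outside the Components tree."""
    m = re.search(r"\\UserData\\(S-1-5-[\d-]+)\\Components\\([0-9A-Fa-f]{32})$", key)
    if not m:
        return None
    sid, comp = m.groups()
    return {"user_sid": sid, "component_id": unsquish(comp),
            "product_code": unsquish(name), "keypath": parse_keypath(data)}


def products_touched(events):
    """Distinct ProductCodes across a set of (key, value name, value data) writes."""
    found = set()
    for key, name, data in events:
        d = decode_component_event(key, name, data)
        if d:
            found.add(d["product_code"])
    return sorted(found)


# Three of the modification events printed on this page.
SID = "S-1-5-21-1693682860-607145093-2874071422-1001"
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\%s\Components\%s"
PRODUCT = "C7F8AA5646AE2E84BB4875C28F903973"
EVENTS = [
    (KEY % (SID, "9821981A3ABF4934796C95EB5BF10CDC"), PRODUCT,
     "C:\\Users\\admin\\AppData\\Roaming\\Icuuq Cmpq\\IcuApp\\"),
    (KEY % (SID, "9B8489ABA9DF66F42A0653B3A19343A4"), PRODUCT,
     r"21:\Software\Icuuq Cmpq\IcuApp\Version"),
    (KEY % (SID, "7D935B04105F5C949AEAA7124AD493B6"), PRODUCT,
     r"C:\Users\admin\AppData\Roaming\Icuuq Cmpq\IcuApp\srv\jvm.dll"),
]
```

Running products_touched(EVENTS) yields the one ProductCode these writes register; that value is what to search for in the package's Property table and in Installer\Products on a host you suspect of carrying the same installation. The PackageCode in the MSI summary information ({2BB5763E-C053-4972-96C8-EF57D2A96066} above) is a different identifier and will not match it.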
Executable files: 69
Suspicious files: 19
Text files: 2
Unknown types: 0

Dropped files

PID 3236, msiexec.exe: C:\Windows\Installer\12b7a0.msi
  MD5:
  SHA256:
PID 3236, msiexec.exe: C:\Users\admin\AppData\Roaming\Icuuq Cmpq\IcuApp\jmods\java.base.jmod
  MD5:
  SHA256:
PID 3236, msiexec.exe: C:\Users\admin\AppData\Roaming\Icuuq Cmpq\IcuApp\srv\classes.jsa
  MD5:
  SHA256:
PID 3236, msiexec.exe: C:\Users\admin\AppData\Roaming\Icuuq Cmpq\IcuApp\srv\classes_nocoops.jsa
  MD5:
  SHA256:
PID 3236, msiexec.exe: C:\Windows\Installer\MSIB9B4.tmp (executable)
  MD5: B158D8D605571EA47A238DF5AB43DFAA
  SHA256: CA763693CC25D316F14A9EBAD80EBF00590329550C45ADB7E5205486533C2504
PID 3236, msiexec.exe: C:\Windows\Installer\MSICBF9.tmp (executable)
  MD5: 54D74546C6AFE67B3D118C3C477C159A
  SHA256: F9956417AF079E428631A6C921B79716D960C3B4917C6B7D17FF3CB945F18611
PID 3236, msiexec.exe: C:\Windows\Installer\MSIBA51.tmp (executable)
  MD5: B158D8D605571EA47A238DF5AB43DFAA
  SHA256: CA763693CC25D316F14A9EBAD80EBF00590329550C45ADB7E5205486533C2504
PID 3236, msiexec.exe: C:\Users\admin\AppData\Roaming\Icuuq Cmpq\IcuApp\jmods\java.rmi.jmod (binary)
  MD5: C4BF3C85D5A2B5A2482D29682F937339
  SHA256: 25FDC4D19B9F9BFF599212307C35ADE3C5B14D8FA326352837E2AC1919A27679
PID 3236, msiexec.exe: C:\Users\admin\AppData\Roaming\Icuuq Cmpq\IcuApp\j2pcsc.dll (executable)
  MD5: 731811B3A5BA6801F96DB51FB861FF19
  SHA256: 16435097037A3992761ABB2E0C389AF8EC824B4A7E5798D17E9BC93FCA228B37
PID 3236, msiexec.exe: C:\Windows\Installer\MSID282.tmp (binary)
  MD5: 8F118E10C1C970E6E651DD43A3C574E1
  SHA256: 1EDF2DCE1761E83983E1F244FA1B6CEF8946BBC2A8729EDA2F7C6F1CC63679D9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 15
DNS requests: 4
Threats: 2

HTTP requests

Method: POST
HTTP code: 403
IP: 188.114.96.3:443
URL: https://to-license2.com/licenseUser.php
CN: unknown
Type: html
Size: 4.41 Kb

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
| | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
| | 192.168.100.255:138 | | | | whitelisted
| | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2120 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
| | 239.255.255.250:1900 | | | | whitelisted
6880 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5768 | msiexec.exe | 188.114.97.3:443 | to-license2.com | CLOUDFLARENET | NL | unknown

DNS requests

google.com: 142.250.185.206 (whitelisted)
settings-win.data.microsoft.com: 51.124.78.146, 20.73.194.208 (whitelisted)
to-license2.com: 188.114.97.3, 188.114.96.3 (unknown)

Threats

Class: Malware Command and Control Activity Detected
Message: MALWARE [ANY.RUN] RobotDropper HTTP C2 Request
1 ETPRO signature available at the full report
No debug info
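Two points a reviewer should keep in mind when reading the tables above. PID 3236 is msiexec.exe /V started by services.exe as SYSTEM: that is the Windows Installer service, present in every MSI install, which performs the file and registry writes on behalf of the user's msiexec /i client (PID 5708, launched from explorer.exe at medium integrity), so the drops and the ROBOTDROPPER tag attached to 3236 describe the package being installed, not msiexec itself. Second, MSIB9B4.tmp and MSIBA51.tmp carry the same SHA-256, so at least two of the 69 executable files counted are the same payload, and the only non-whitelisted traffic is an HTTP POST from msiexec.exe to to-license2.com/licenseUser.php, something the Installer engine itself never does. The script below is an added example, not ANY.RUN output: it re-attributes the service's drops to the package, lists PE files staged under the user's AppData, spots the bundled Java runtime, collapses duplicate hashes and isolates installer egress. All records are constructed from values on this page; the field names are the script's own, and the msiexec connection is matched on image name because the page lists it under PID 5768, which is not in its process table.

```python
"""Triage of the observations in this report (added example, not ANY.RUN output).
Records are constructed from values printed on the page; field names are our own."""
import re
from collections import defaultdict

# Constructed from "Process information".
PROCESSES = [
    {"pid": 5708, "image": r"C:\Windows\System32\msiexec.exe", "parent": "explorer.exe", "user": "admin",
     "cmd": r'"C:\Windows\System32\msiexec.exe" /i C:\Users\admin\Desktop\x64__installer___v4.8.6.msi'},
    {"pid": 3236, "image": r"C:\Windows\System32\msiexec.exe", "parent": "services.exe", "user": "SYSTEM",
     "cmd": r"C:\WINDOWS\system32\msiexec.exe /V"},
]
# (pid, path, sha256) from "Dropped files" plus keypaths in "Modification events"; None = no hash printed.
APP = r"C:\Users\admin\AppData\Roaming\Icuuq Cmpq\IcuApp"
DROPPED = [
    (3236, r"C:\Windows\Installer\12b7a0.msi", None),
    (3236, APP + r"\jmods\java.base.jmod", None),
    (3236, APP + r"\srv\classes.jsa", None),
    (3236, r"C:\Windows\Installer\MSIB9B4.tmp", "CA763693CC25D316F14A9EBAD80EBF00590329550C45ADB7E5205486533C2504"),
    (3236, r"C:\Windows\Installer\MSICBF9.tmp", "F9956417AF079E428631A6C921B79716D960C3B4917C6B7D17FF3CB945F18611"),
    (3236, r"C:\Windows\Installer\MSIBA51.tmp", "CA763693CC25D316F14A9EBAD80EBF00590329550C45ADB7E5205486533C2504"),
    (3236, APP + r"\j2pcsc.dll", "16435097037A3992761ABB2E0C389AF8EC824B4A7E5798D17E9BC93FCA228B37"),
    (3236, APP + r"\srv\jvm.dll", None),
    (3236, APP + r"\instrument.dll", None),
]
# From "Connections" and "HTTP requests". The page lists PID 5768 for the msiexec.exe
# connection, which is absent from its process table, so egress is matched on image name.
NETWORK = [
    {"pid": 6880, "image": "svchost.exe", "host": "settings-win.data.microsoft.com",
     "method": None, "url": None, "status": None, "reputation": "whitelisted"},
    {"pid": 5768, "image": "msiexec.exe", "host": "to-license2.com", "method": "POST",
     "url": "https://to-license2.com/licenseUser.php", "status": 403, "reputation": "unknown"},
]

APPDATA_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
PE_EXT = (".exe", ".dll")
JAVA_MARKERS = {"jvm.dll", "java.base.jmod", "classes.jsa", "instrument.dll"}


def package_from_cmdline(cmd):
    """Path passed to 'msiexec /i', or None for other msiexec invocations."""
    m = re.search(r'(?:^|\s)/i\s+("[^"]+"|\S+)', cmd, re.IGNORECASE)
    return m.group(1).strip('"') if m else None


def installer_service_pids(processes):
    """msiexec.exe /V from services.exe as SYSTEM: the Windows Installer service, which does
    the writes for the user's 'msiexec /i' client, so its drops belong to the package."""
    return {p["pid"] for p in processes
            if p["image"].lower().endswith("\\msiexec.exe") and p["parent"].lower() == "services.exe"
            and p["user"].upper() == "SYSTEM" and re.search(r"(?:^|\s)/v(?:\s|$)", p["cmd"], re.IGNORECASE)}


def installed_packages(processes):
    """{client pid: package path} for every 'msiexec /i' in the session."""
    out = {}
    for p in processes:
        if p["image"].lower().endswith("\\msiexec.exe"):
            pkg = package_from_cmdline(p["cmd"])
            if pkg:
                out[p["pid"]] = pkg
    return out


def attribute_drops(processes, dropped):
    """Swap the service PID on each drop for the package path when exactly one install is in flight."""
    service = installer_service_pids(processes)
    packages = list(installed_packages(processes).values())
    owner = packages[0] if len(packages) == 1 else None
    return [(owner if (owner and pid in service) else pid, path, sha) for pid, path, sha in dropped]


def appdata_pe_drops(drops):
    """PE files written under a user's AppData: a per-user location that needs no elevation."""
    return [path for _, path, _ in drops if APPDATA_RE.match(path) and path.lower().endswith(PE_EXT)]


def bundled_java_runtime(drops):
    """Files indicating a private Java runtime packaged with the installer."""
    return sorted(path for _, path, _ in drops if path.rsplit("\\", 1)[-1].lower() in JAVA_MARKERS)


def duplicate_payloads(drops):
    """One SHA-256 staged under several names (MSIB9B4.tmp and MSIBA51.tmp on this page)."""
    by_hash = defaultdict(list)
    for _, path, sha in drops:
        if sha:
            by_hash[sha.upper()].append(path)
    return {sha: paths for sha, paths in by_hash.items() if len(paths) > 1}


def installer_egress(network):
    """msiexec.exe traffic that is not whitelisted; the Installer engine itself does not POST to PHP."""
    return [(e["pid"], e["method"], e["url"] or e["host"], e["status"])
            for e in network if e["image"].lower() == "msiexec.exe" and e["reputation"] != "whitelisted"]


def triage(processes, dropped, network):
    """Findings a reviewer of this report would want in one place."""
    drops = attribute_drops(processes, dropped)
    f = {"package": next(iter(installed_packages(processes).values()), None),
         "service_pids": sorted(installer_service_pids(processes)),
         "appdata_pe": appdata_pe_drops(drops),
         "java_runtime": bundled_java_runtime(drops),
         "duplicate_hashes": duplicate_payloads(drops),
         "egress": installer_egress(network)}
    f["verdict"] = "suspicious" if f["appdata_pe"] and f["egress"] else "inconclusive"
    return f
```

The verdict here is deliberately "suspicious" rather than "malicious": a per-user install of a Java application that phones a licensing endpoint is also what some legitimate commercial software looks like, and the sandbox saw only a 403 from to-license2.com. What would move this to malicious is the content of the POST body, the second ETPRO signature and the behaviour of the dropped DLLs, all of which are only in the full report.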