File name:

install.msi

Full analysis: https://app.any.run/tasks/3a4ff217-32d4-4f67-8f7e-45a2c870979f
Verdict: Malicious activity
Analysis date: February 17, 2024, 08:45:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {0E253F34-F71A-488F-8E96-892E01DBC8AC}, Number of Words: 2, Subject: Global Installs, Author: GlobalCo, Name of Creating Application: Global Installs, Template: ;1033, Comments: This installer database contains the logic and data required to install Global Installs., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sun Dec 31 04:33:53 2023, Last Saved Time/Date: Sun Dec 31 04:33:53 2023, Last Printed: Sun Dec 31 04:33:53 2023, Number of Pages: 450
MD5:

B63BD820A14D8ACFBDA0EEDD7A884268

SHA1:

207CBDA7E194C02E076984B3EE8EDDE9475AE426

SHA256:

BC7CACF8352F528B20702CD768F57927F7B4C5B697F61942A8574EEE9A7DE050

SSDEEP:

98304:/9Iy5tVgKRFnETxBhBYfIgm/2D7BXdXAXWGULRJ0+3mwHsqmsoj:Y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • cmd.exe (PID: 4052)

  • SUSPICIOUS

    • Reads the Internet Settings

      • cmd.exe (PID: 4052)
      • msiexec.exe (PID: 3692)

    • The process bypasses the loading of PowerShell profile settings

      • powershell.exe (PID: 2900)

    • Connects to FTP

      • RobustService.exe (PID: 2940)

    • The process hides Powershell's copyright startup banner

      • powershell.exe (PID: 2900)

    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 2900)

    • Executes as Windows Service

      • VSSVC.exe (PID: 3948)
      • RobustService.exe (PID: 2940)

    • Unusual connection from system programs

      • powershell.exe (PID: 2900)

    • The Powershell connects to the Internet

      • powershell.exe (PID: 2900)

    • Application launched itself

      • powershell.exe (PID: 2900)

    • Connects to unusual port

      • RobustOperator.exe (PID: 1824)
      • RobustOperator.exe (PID: 3432)

  • INFO

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 3692)

    • Reads the software policy settings

      • msiexec.exe (PID: 3692)

    • Create files in a temporary directory

      • msiexec.exe (PID: 3692)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (88.6)
.mst | Windows SDK Setup Transform Script (10)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Security: None
CodePage: Windows Latin 1 (Western European)
RevisionNumber: {0E253F34-F71A-488F-8E96-892E01DBC8AC}
Words: 2
Subject: Global Installs
Author: GlobalCo
LastModifiedBy: -
Software: Global Installs
Template: ;1033
Comments: This installer database contains the logic and data required to install Global Installs.
Title: Installation Database
Keywords: Installer, MSI, Database
CreateDate: 2024:01:31 04:33:53
ModifyDate: 2024:01:31 04:33:53
LastPrinted: 2024:01:31 04:33:53
Pages: 450
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
78
Monitored processes
12
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start cmd.exe no specs msiexec.exe vssvc.exe no specs msiexec.exe robustservice.exe robustoperator.exe powershell.exe powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs robustoperator.exe

Process information

PID
CMD
Path
Indicators
Parent process
664"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfileC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Exit code:
4294967295
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
1824"C:\Program Files\Miicrosoft\MS Info\RobustOperator.exe"C:\Program Files\Miicrosoft\MS Info\RobustOperator.exe
RobustService.exe
User:
admin
Integrity Level:
MEDIUM
Description:
RobustOptimizer
Exit code:
0
Version:
2.1.20.10
1864msiexec.exe /i "C:\Users\admin\AppData\Roaming\GlobalCo\Global Installs\prerequisites\Required Application\GlobalInstaller.msi"C:\Windows\System32\msiexec.exe
aipackagechainer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1976"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfileC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Exit code:
4294967295
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
2616"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfileC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Exit code:
4294967295
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
2900"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Windows\SystemTemp\AI_6F9D.ps1 -paths 'C:\Users\admin\AppData\Roaming\GlobalCo\Global Installs\prerequisites\file_deleter.ps1','C:\Users\admin\AppData\Roaming\GlobalCo\Global Installs\prerequisites\aipackagechainer.exe','C:\Users\admin\AppData\Roaming\GlobalCo\Global Installs','C:\Users\admin\AppData\Roaming\GlobalCo' -retry_count 10"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
aipackagechainer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
2940"C:\Program Files\Miicrosoft\MS Info\RobustService.exe"C:\Program Files\Miicrosoft\MS Info\RobustService.exe
services.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Description:
RobustService
Exit code:
0
Version:
4.1.40.10
3432"C:\Program Files\Miicrosoft\MS Info\RobustOperator.exe"C:\Program Files\Miicrosoft\MS Info\RobustOperator.exe
RobustService.exe
User:
admin
Integrity Level:
MEDIUM
Description:
RobustOptimizer
Exit code:
0
Version:
2.1.20.10
3660"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfileC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Exit code:
4294967295
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
3692"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Desktop\install.msi" C:\Windows\System32\msiexec.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
8 712
Read events
8 548
Write events
164
Delete events
0

Modification events

(PID) Process:(4052) cmd.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(4052) cmd.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(4052) cmd.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(4052) cmd.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3692) msiexec.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3948) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4000000000000000DAA33DBB7D61DA016C0F0000AC0D0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3948) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4000000000000000DAA33DBB7D61DA016C0F00004C080000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3948) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4000000000000000DAA33DBB7D61DA016C0F0000D4050000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3948) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4000000000000000DAA33DBB7D61DA016C0F000024090000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3948) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation:writeName:IDENTIFY (Leave)
Value:
4000000000000000340640BB7D61DA016C0F0000D4050000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
Executable files
0
Suspicious files
21
Text files
0
Unknown types
1

Dropped files

PID
Process
Filename
Type
1976powershell.exeC:\Users\admin\AppData\Local\Temp\pylb0k4s.wnh.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
3692msiexec.exeC:\Users\admin\AppData\Local\Temp\CabF608.tmpcompressed
MD5:AC05D27423A85ADC1622C714F2CB6184
SHA256:C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
664powershell.exeC:\Users\admin\AppData\Local\Temp\kyqys24b.o0h.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
3692msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506binary
MD5:FFA079BE6AE83E3FC47E6543CE11330A
SHA256:BB9A01EA7B3FCA99B0E69FD8780D1325FE536B69B0185E5B5FC953528604CD0B
2900powershell.exeC:\Users\admin\AppData\Local\Temp\jo0tvcsn.3u1.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
2900powershell.exeC:\Users\admin\AppData\Local\Temp\gt2oudkq.hox.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
3692msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506compressed
MD5:AC05D27423A85ADC1622C714F2CB6184
SHA256:C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
2616powershell.exeC:\Users\admin\AppData\Local\Temp\qt2bifcd.wdq.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
1976powershell.exeC:\Users\admin\AppData\Local\Temp\olgwoc0e.fc2.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
3660powershell.exeC:\Users\admin\AppData\Local\Temp\uuuzb432.mnq.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
81
TCP/UDP connections
32
DNS requests
29
Threats
148

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
848
msiexec.exe
GET
304
173.222.108.210:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?bbf2aa07487ce33b
unknown
unknown
3692
msiexec.exe
GET
200
173.222.108.243:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c7431b466fa8017c
unknown
compressed
65.2 Kb
unknown
848
msiexec.exe
GET
200
142.250.186.67:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
binary
1.41 Kb
unknown
3576
msiexec.exe
POST
200
54.156.181.99:80
http://collect.installeranalytics.com/
unknown
unknown
3576
msiexec.exe
POST
200
54.156.181.99:80
http://collect.installeranalytics.com/
unknown
unknown
848
msiexec.exe
GET
200
142.250.186.67:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFCjJ1PwkYAi7fE%3D
unknown
binary
724 b
unknown
3576
msiexec.exe
POST
200
54.156.181.99:80
http://collect.installeranalytics.com/
unknown
unknown
3576
msiexec.exe
POST
200
54.156.181.99:80
http://collect.installeranalytics.com/
unknown
unknown
3576
msiexec.exe
POST
200
54.156.181.99:80
http://collect.installeranalytics.com/
unknown
unknown
3576
msiexec.exe
POST
200
54.156.181.99:80
http://collect.installeranalytics.com/
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
3692
msiexec.exe
173.222.108.243:80
ctldl.windowsupdate.com
Akamai International B.V.
CH
unknown
848
msiexec.exe
104.21.70.114:443
globalinstaller.io
CLOUDFLARENET
unknown
848
msiexec.exe
173.222.108.210:80
ctldl.windowsupdate.com
Akamai International B.V.
CH
unknown
848
msiexec.exe
142.250.186.67:80
ocsp.pki.goog
GOOGLE
US
unknown
2320
msedge.exe
239.255.255.250:1900
unknown
2620
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
2620
msedge.exe
172.67.179.201:443
typagesee.io
CLOUDFLARENET
US
unknown

DNS requests

Domain
IP
Reputation
ctldl.windowsupdate.com
  • 173.222.108.243
  • 173.222.108.195
  • 173.222.108.249
  • 173.222.108.210
  • 173.222.108.226
  • 23.32.238.241
  • 23.32.238.178
  • 23.32.238.201
  • 23.32.238.171
  • 23.32.238.243
  • 23.32.238.179
  • 23.32.238.195
  • 23.32.238.210
  • 23.32.238.168
whitelisted
globalinstaller.io
  • 104.21.70.114
  • 172.67.223.21
unknown
ocsp.pki.goog
  • 142.250.186.67
whitelisted
typagesee.io
  • 172.67.179.201
  • 104.21.72.96
unknown
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
trackingints.io
  • 217.20.112.104
unknown
downloaddowname.cfd
  • 188.114.96.3
  • 188.114.97.3
unknown
downalekaemazo.pics
  • 38.128.66.115
unknown
campaignkeepy.buzz
  • 38.128.66.115
unknown

Threats

PID
Process
Class
Message
2620
msedge.exe
Misc activity
ET INFO Observed ZeroSSL SSL/TLS Certificate
2620
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
146 ETPRO signatures available at the full report
Process
Message
RobustOperator.exe
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
RobustOperator.exe
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
RobustOperator.exe
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
RobustOperator.exe
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
RobustOperator.exe
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
RobustOperator.exe
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
install.msi