File name:

install.msi

Full analysis: https://app.any.run/tasks/3a4ff217-32d4-4f67-8f7e-45a2c870979f
Verdict: Malicious activity
Analysis date: February 17, 2024, 08:45:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {0E253F34-F71A-488F-8E96-892E01DBC8AC}, Number of Words: 2, Subject: Global Installs, Author: GlobalCo, Name of Creating Application: Global Installs, Template: ;1033, Comments: This installer database contains the logic and data required to install Global Installs., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sun Dec 31 04:33:53 2023, Last Saved Time/Date: Sun Dec 31 04:33:53 2023, Last Printed: Sun Dec 31 04:33:53 2023, Number of Pages: 450
MD5:

B63BD820A14D8ACFBDA0EEDD7A884268

SHA1:

207CBDA7E194C02E076984B3EE8EDDE9475AE426

SHA256:

BC7CACF8352F528B20702CD768F57927F7B4C5B697F61942A8574EEE9A7DE050

SSDEEP:

98304:/9Iy5tVgKRFnETxBhBYfIgm/2D7BXdXAXWGULRJ0+3mwHsqmsoj:Y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • cmd.exe (PID: 4052)

  • SUSPICIOUS

    • Reads the Internet Settings

      • cmd.exe (PID: 4052)
      • msiexec.exe (PID: 3692)

    • The process hides Powershell's copyright startup banner

      • powershell.exe (PID: 2900)

    • Application launched itself

      • powershell.exe (PID: 2900)

    • The process bypasses the loading of PowerShell profile settings

      • powershell.exe (PID: 2900)

    • Executes as Windows Service

      • RobustService.exe (PID: 2940)
      • VSSVC.exe (PID: 3948)

    • Connects to FTP

      • RobustService.exe (PID: 2940)

    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 2900)

    • The Powershell connects to the Internet

      • powershell.exe (PID: 2900)

    • Connects to unusual port

      • RobustOperator.exe (PID: 1824)
      • RobustOperator.exe (PID: 3432)

    • Unusual connection from system programs

      • powershell.exe (PID: 2900)

  • INFO

    • Create files in a temporary directory

      • msiexec.exe (PID: 3692)

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 3692)

    • Reads the software policy settings

      • msiexec.exe (PID: 3692)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (88.6)
.mst | Windows SDK Setup Transform Script (10)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Security: None
CodePage: Windows Latin 1 (Western European)
RevisionNumber: {0E253F34-F71A-488F-8E96-892E01DBC8AC}
Words: 2
Subject: Global Installs
Author: GlobalCo
LastModifiedBy: -
Software: Global Installs
Template: ;1033
Comments: This installer database contains the logic and data required to install Global Installs.
Title: Installation Database
Keywords: Installer, MSI, Database
CreateDate: 2024:01:31 04:33:53
ModifyDate: 2024:01:31 04:33:53
LastPrinted: 2024:01:31 04:33:53
Pages: 450
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
78
Monitored processes
12
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start cmd.exe no specs msiexec.exe vssvc.exe no specs msiexec.exe robustservice.exe robustoperator.exe powershell.exe powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs robustoperator.exe

Process information

PID
CMD
Path
Indicators
Parent process
664"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfileC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Exit code:
4294967295
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
1824"C:\Program Files\Miicrosoft\MS Info\RobustOperator.exe"C:\Program Files\Miicrosoft\MS Info\RobustOperator.exe
RobustService.exe
User:
admin
Integrity Level:
MEDIUM
Description:
RobustOptimizer
Exit code:
0
Version:
2.1.20.10
1864msiexec.exe /i "C:\Users\admin\AppData\Roaming\GlobalCo\Global Installs\prerequisites\Required Application\GlobalInstaller.msi"C:\Windows\System32\msiexec.exe
aipackagechainer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1976"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfileC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Exit code:
4294967295
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
2616"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfileC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Exit code:
4294967295
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
2900"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Windows\SystemTemp\AI_6F9D.ps1 -paths 'C:\Users\admin\AppData\Roaming\GlobalCo\Global Installs\prerequisites\file_deleter.ps1','C:\Users\admin\AppData\Roaming\GlobalCo\Global Installs\prerequisites\aipackagechainer.exe','C:\Users\admin\AppData\Roaming\GlobalCo\Global Installs','C:\Users\admin\AppData\Roaming\GlobalCo' -retry_count 10"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
aipackagechainer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
2940"C:\Program Files\Miicrosoft\MS Info\RobustService.exe"C:\Program Files\Miicrosoft\MS Info\RobustService.exe
services.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Description:
RobustService
Exit code:
0
Version:
4.1.40.10
3432"C:\Program Files\Miicrosoft\MS Info\RobustOperator.exe"C:\Program Files\Miicrosoft\MS Info\RobustOperator.exe
RobustService.exe
User:
admin
Integrity Level:
MEDIUM
Description:
RobustOptimizer
Exit code:
0
Version:
2.1.20.10
3660"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfileC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Exit code:
4294967295
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
3692"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Desktop\install.msi" C:\Windows\System32\msiexec.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
8 712
Read events
8 548
Write events
164
Delete events
0

Modification events

(PID) Process:(4052) cmd.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(4052) cmd.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(4052) cmd.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(4052) cmd.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3692) msiexec.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3948) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4000000000000000DAA33DBB7D61DA016C0F0000AC0D0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3948) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4000000000000000DAA33DBB7D61DA016C0F00004C080000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3948) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4000000000000000DAA33DBB7D61DA016C0F0000D4050000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3948) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4000000000000000DAA33DBB7D61DA016C0F000024090000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3948) VSSVC.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation:writeName:IDENTIFY (Leave)
Value:
4000000000000000340640BB7D61DA016C0F0000D4050000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
Executable files
0
Suspicious files
21
Text files
0
Unknown types
1

Dropped files

PID
Process
Filename
Type
3692msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506compressed
MD5:AC05D27423A85ADC1622C714F2CB6184
SHA256:C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
3692msiexec.exeC:\Users\admin\AppData\Local\Temp\TarF609.tmpcat
MD5:9C0C641C06238516F27941AA1166D427
SHA256:4276AF3669A141A59388BC56A87F6614D9A9BDDDF560636C264219A7EB11256F
2900powershell.exeC:\Users\admin\AppData\Local\Temp\gt2oudkq.hox.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
2900powershell.exeC:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\86844F70250DD8EF225D6B4178798C21_44AD5D0C299F1D4EE038B125B5E5863Ader
MD5:1DAFF63DDF861DC3318AE9C427492598
SHA256:38D2C0E3DD2A4001CFC461022143622E9F3E9670C2DBC3CE8AB4A26FFE950A5E
2900powershell.exeC:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77003E887FC21E505B9E28CBA30E18ED_8ACE642DC0A43382FABA7AE806561A50binary
MD5:DA20F8D67959D2E3D9EDC51C214ECDFE
SHA256:2AF1C0B9B4A71CF4EE74EA49410508448DA0A95F3C80A67CE98F3D7C8E71EC76
3692msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506binary
MD5:FFA079BE6AE83E3FC47E6543CE11330A
SHA256:BB9A01EA7B3FCA99B0E69FD8780D1325FE536B69B0185E5B5FC953528604CD0B
2900powershell.exeC:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:6C5AC39863B1C0CAE272C92A55D693AE
SHA256:D8FF7705B6342EBCC1C84E8FC0C31D0EE8A1C5FCAED14B828ED48E8EEF52E0F3
3692msiexec.exeC:\Users\admin\AppData\Local\Temp\CabF608.tmpcompressed
MD5:AC05D27423A85ADC1622C714F2CB6184
SHA256:C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
2900powershell.exeC:\Users\admin\AppData\Local\Temp\jo0tvcsn.3u1.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
2900powershell.exeC:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94D97B1EC1F43DD6ED4FE7AB95E144BC_8DDC04EFB297854B49541C723EC3D642der
MD5:4D42D8BB0665C1571FC60FCE2AEFF906
SHA256:C6A6ED7532A83D4A4677D67BF67514B32AD37D7B02ED6DC1E673DC8A0F51193E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
81
TCP/UDP connections
32
DNS requests
29
Threats
148

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3692
msiexec.exe
GET
200
173.222.108.243:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c7431b466fa8017c
unknown
compressed
65.2 Kb
unknown
848
msiexec.exe
GET
304
173.222.108.210:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?bbf2aa07487ce33b
unknown
unknown
848
msiexec.exe
GET
200
142.250.186.67:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
binary
1.41 Kb
unknown
848
msiexec.exe
GET
200
142.250.186.67:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFCjJ1PwkYAi7fE%3D
unknown
binary
724 b
unknown
3576
msiexec.exe
POST
200
54.156.181.99:80
http://collect.installeranalytics.com/
unknown
unknown
3576
msiexec.exe
POST
200
54.156.181.99:80
http://collect.installeranalytics.com/
unknown
unknown
3576
msiexec.exe
POST
200
54.156.181.99:80
http://collect.installeranalytics.com/
unknown
unknown
3576
msiexec.exe
POST
200
54.156.181.99:80
http://collect.installeranalytics.com/
unknown
unknown
3576
msiexec.exe
POST
200
54.156.181.99:80
http://collect.installeranalytics.com/
unknown
unknown
3576
msiexec.exe
POST
200
54.156.181.99:80
http://collect.installeranalytics.com/
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
3692
msiexec.exe
173.222.108.243:80
ctldl.windowsupdate.com
Akamai International B.V.
CH
unknown
848
msiexec.exe
104.21.70.114:443
globalinstaller.io
CLOUDFLARENET
unknown
848
msiexec.exe
173.222.108.210:80
ctldl.windowsupdate.com
Akamai International B.V.
CH
unknown
848
msiexec.exe
142.250.186.67:80
ocsp.pki.goog
GOOGLE
US
unknown
2320
msedge.exe
239.255.255.250:1900
unknown
2620
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
2620
msedge.exe
172.67.179.201:443
typagesee.io
CLOUDFLARENET
US
unknown

DNS requests

Domain
IP
Reputation
ctldl.windowsupdate.com
  • 173.222.108.243
  • 173.222.108.195
  • 173.222.108.249
  • 173.222.108.210
  • 173.222.108.226
  • 23.32.238.241
  • 23.32.238.178
  • 23.32.238.201
  • 23.32.238.171
  • 23.32.238.243
  • 23.32.238.179
  • 23.32.238.195
  • 23.32.238.210
  • 23.32.238.168
whitelisted
globalinstaller.io
  • 104.21.70.114
  • 172.67.223.21
unknown
ocsp.pki.goog
  • 142.250.186.67
whitelisted
typagesee.io
  • 172.67.179.201
  • 104.21.72.96
unknown
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
trackingints.io
  • 217.20.112.104
unknown
downloaddowname.cfd
  • 188.114.96.3
  • 188.114.97.3
unknown
downalekaemazo.pics
  • 38.128.66.115
unknown
campaignkeepy.buzz
  • 38.128.66.115
unknown

Threats

PID
Process
Class
Message
2620
msedge.exe
Misc activity
ET INFO Observed ZeroSSL SSL/TLS Certificate
2620
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
146 ETPRO signatures available at the full report
Process
Message
RobustOperator.exe
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
RobustOperator.exe
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
RobustOperator.exe
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
RobustOperator.exe
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
RobustOperator.exe
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
RobustOperator.exe
WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
install.msi