File name: msi12.msi

Full analysis: https://app.any.run/tasks/f66c939e-ee0f-4fe1-86b8-967238998708
Verdict: Malicious activity
Analysis date: April 09, 2025, 13:14:50
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: generated-doc, auto, generic
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Blank Project Template, Author: InstallShield, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2021 - Premier Edition with Virtualization Pack 27, Last Saved Time/Date: Mon Feb 3 01:27:32 2025, Create Time/Date: Mon Feb 3 01:27:32 2025, Last Printed: Mon Feb 3 01:27:32 2025, Revision Number: {53E13A2A-DBAD-4467-84FE-CA78EB848095}, Code page: 1252, Template: Intel;1033
MD5: A5A0FD7291AC3A018C1325A90FFB6390
SHA1: 1DEDABE3BD3BF53E8A449113AC51FA362E8B61CC
SHA256: 0622447EC83737692036BDC44F45326A48A1230B4F545B64968A4D9355114938
SSDEEP: 98304:N/ntTURdvDVP5H9QoJVj9+Zbn22poi3S17YvkiIpVsiVc7M+Xrdm3Qynjc9aJ6Ml:DO0/dUNSxlgf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • GENERIC has been found (auto)

      • msiexec.exe (PID: 7828)
      • SplashWin.exe (PID: 7388)
    • Executing a file with an untrusted certificate

      • ISBEW64.exe (PID: 7928)
      • ISBEW64.exe (PID: 7964)
      • ISBEW64.exe (PID: 8004)
      • ISBEW64.exe (PID: 8044)
      • ISBEW64.exe (PID: 8084)
      • ISBEW64.exe (PID: 8132)
      • ISBEW64.exe (PID: 7260)
      • ISBEW64.exe (PID: 8168)
      • ISBEW64.exe (PID: 4208)
      • ISBEW64.exe (PID: 7440)
  • SUSPICIOUS

    • The process drops C-runtime libraries

      • msiexec.exe (PID: 7828)
      • SplashWin.exe (PID: 7388)
    • Process drops legitimate windows executable

      • msiexec.exe (PID: 7828)
      • SplashWin.exe (PID: 7388)
    • Executable content was dropped or overwritten

      • SplashWin.exe (PID: 7388)
      • cmd.exe (PID: 2504)
    • Starts itself from another location

      • SplashWin.exe (PID: 7388)
    • Starts CMD.EXE for commands execution

      • SplashWin.exe (PID: 4428)
    • The executable file from the user directory is run by the CMD process

      • Svcsuper.exe (PID: 5972)
    • Reads the date of Windows installation

      • Svcsuper.exe (PID: 5972)
  • INFO

    • Reads the computer name

      • msiexec.exe (PID: 7752)
      • msiexec.exe (PID: 7828)
      • ISBEW64.exe (PID: 7928)
      • ISBEW64.exe (PID: 7964)
      • ISBEW64.exe (PID: 8004)
      • ISBEW64.exe (PID: 8044)
      • ISBEW64.exe (PID: 7260)
      • ISBEW64.exe (PID: 8084)
      • ISBEW64.exe (PID: 8132)
      • ISBEW64.exe (PID: 8168)
      • SplashWin.exe (PID: 4428)
      • SplashWin.exe (PID: 7388)
      • ISBEW64.exe (PID: 4208)
      • ISBEW64.exe (PID: 7440)
      • Svcsuper.exe (PID: 5972)
    • Checks supported languages

      • msiexec.exe (PID: 7752)
      • msiexec.exe (PID: 7828)
      • ISBEW64.exe (PID: 7928)
      • ISBEW64.exe (PID: 7964)
      • ISBEW64.exe (PID: 8004)
      • ISBEW64.exe (PID: 8044)
      • ISBEW64.exe (PID: 8084)
      • ISBEW64.exe (PID: 8132)
      • ISBEW64.exe (PID: 8168)
      • ISBEW64.exe (PID: 7260)
      • ISBEW64.exe (PID: 7440)
      • SplashWin.exe (PID: 7388)
      • SplashWin.exe (PID: 4428)
      • ISBEW64.exe (PID: 4208)
      • Svcsuper.exe (PID: 5972)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 7668)
      • msiexec.exe (PID: 7828)
    • The sample compiled with english language support

      • msiexec.exe (PID: 7668)
      • msiexec.exe (PID: 7828)
      • SplashWin.exe (PID: 7388)
    • Create files in a temporary directory

      • msiexec.exe (PID: 7828)
      • SplashWin.exe (PID: 4428)
    • Creates files or folders in the user directory

      • SplashWin.exe (PID: 7388)
    • Checks proxy server information

      • Svcsuper.exe (PID: 5972)
    • Reads the machine GUID from the registry

      • Svcsuper.exe (PID: 5972)
    • Reads the software policy settings

      • slui.exe (PID: 6040)
No Malware configuration.

TRiD

.mst | Windows SDK Setup Transform Script (60.2)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Characters: -
LastModifiedBy: InstallShield
Words: -
Title: Installation Database
Comments: Contact: Your local administrator
Keywords: Installer,MSI,Database
Subject: Blank Project Template
Author: InstallShield
Security: Password protected
Pages: 200
Software: InstallShield® 2021 - Premier Edition with Virtualization Pack 27
ModifyDate: 2025:02:03 01:27:32
CreateDate: 2025:02:03 01:27:32
LastPrinted: 2025:02:03 01:27:32
RevisionNumber: {53E13A2A-DBAD-4467-84FE-CA78EB848095}
CodePage: Windows Latin 1 (Western European)
Template: Intel;1033
Total processes: 150
Monitored processes: 19
Malicious processes: 3
Suspicious processes: 10

Behavior graph

Process nodes, in graph order: start, msiexec.exe, msiexec.exe (no specs), #GENERIC msiexec.exe, isbew64.exe (no specs, 10 instances), #GENERIC splashwin.exe, splashwin.exe (no specs), cmd.exe, conhost.exe (no specs), svcsuper.exe (no specs), slui.exe

Process information

PID 2504 | cmd.exe
  Command line: C:\WINDOWS\SysWOW64\cmd.exe
  Path: C:\Windows\SysWOW64\cmd.exe
  Parent process: SplashWin.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows Command Processor
  Exit code: 0
  Version: 10.0.19041.3636 (WinBuild.160101.0800)
  Modules: c:\windows\syswow64\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\msvcrt.dll, c:\windows\syswow64\combase.dll

PID 4208 | ISBEW64.exe
  Command line: C:\Users\admin\AppData\Local\Temp\{D9E9FDAB-4A35-4A77-B7F2-8DF1B3FBB35D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A01ADF56-C58B-4F0D-8179-A2BDE025BFAA}
  Path: C:\Users\admin\AppData\Local\Temp\{D9E9FDAB-4A35-4A77-B7F2-8DF1B3FBB35D}\ISBEW64.exe
  Parent process: msiexec.exe
  User: admin
  Company: Flexera
  Integrity level: MEDIUM
  Description: InstallShield (R) 64-bit Setup Engine
  Exit code: 0
  Version: 27.0.58
  Modules: c:\users\admin\appdata\local\temp\{d9e9fdab-4a35-4a77-b7f2-8df1b3fbb35d}\isbew64.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\user32.dll, c:\windows\system32\win32u.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\gdi32full.dll, c:\windows\system32\msvcp_win.dll

PID 4428 | SplashWin.exe
  Command line: C:\Users\admin\AppData\Roaming\NI_download\SplashWin.exe
  Path: C:\Users\admin\AppData\Roaming\NI_download\SplashWin.exe
  Parent process: SplashWin.exe
  User: admin
  Company: AOMEI International Network Limited
  Integrity level: MEDIUM
  Description: Splash Window
  Exit code: 1
  Version: 4.0.0.0
  Modules: c:\users\admin\appdata\roaming\ni_download\splashwin.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\user32.dll

PID 4436 | conhost.exe
  Command line: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe
  Parent process: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Console Window Host
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules: c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID 5972 | Svcsuper.exe
  Command line: C:\Users\admin\AppData\Local\Temp\Svcsuper.exe
  Path: C:\Users\admin\AppData\Local\Temp\Svcsuper.exe
  Parent process: cmd.exe
  User: admin
  Company: Nenad Hrg (SoftwareOK.com)
  Integrity level: MEDIUM
  Description: Q-Dir
  Exit code: 0
  Version: 11,4,4,0
  Modules: c:\users\admin\appdata\local\temp\vrypavrf, c:\users\admin\appdata\local\temp\svcsuper.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll

PID 6040 | slui.exe
  Command line: C:\WINDOWS\System32\slui.exe -Embedding
  Path: C:\Windows\System32\slui.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows Activation Client
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules: c:\windows\system32\slui.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\user32.dll

PID 7260 | ISBEW64.exe
  Command line: C:\Users\admin\AppData\Local\Temp\{D9E9FDAB-4A35-4A77-B7F2-8DF1B3FBB35D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B5D47BE1-DEA3-4F32-876B-BEDEF4A4DAB8}
  Path: C:\Users\admin\AppData\Local\Temp\{D9E9FDAB-4A35-4A77-B7F2-8DF1B3FBB35D}\ISBEW64.exe
  Parent process: msiexec.exe
  User: admin
  Company: Flexera
  Integrity level: MEDIUM
  Description: InstallShield (R) 64-bit Setup Engine
  Exit code: 0
  Version: 27.0.58
  Modules: c:\users\admin\appdata\local\temp\{d9e9fdab-4a35-4a77-b7f2-8df1b3fbb35d}\isbew64.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\user32.dll, c:\windows\system32\win32u.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\gdi32full.dll, c:\windows\system32\msvcp_win.dll

PID 7388 | SplashWin.exe
  Command line: C:\Users\admin\AppData\Local\Temp\{AD1F90DD-6E1E-4384-9A28-2AF72AB8DC1F}\SplashWin.exe
  Path: C:\Users\admin\AppData\Local\Temp\{AD1F90DD-6E1E-4384-9A28-2AF72AB8DC1F}\SplashWin.exe
  Parent process: msiexec.exe
  User: admin
  Company: AOMEI International Network Limited
  Integrity level: MEDIUM
  Description: Splash Window
  Exit code: 0
  Version: 4.0.0.0
  Modules: c:\users\admin\appdata\local\temp\{ad1f90dd-6e1e-4384-9a28-2af72ab8dc1f}\splashwin.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\user32.dll

PID 7440 | ISBEW64.exe
  Command line: C:\Users\admin\AppData\Local\Temp\{D9E9FDAB-4A35-4A77-B7F2-8DF1B3FBB35D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4954419E-81AB-43AD-88E3-F03E468E1E46}
  Path: C:\Users\admin\AppData\Local\Temp\{D9E9FDAB-4A35-4A77-B7F2-8DF1B3FBB35D}\ISBEW64.exe
  Parent process: msiexec.exe
  User: admin
  Company: Flexera
  Integrity level: MEDIUM
  Description: InstallShield (R) 64-bit Setup Engine
  Exit code: 0
  Version: 27.0.58
  Modules: c:\users\admin\appdata\local\temp\{d9e9fdab-4a35-4a77-b7f2-8df1b3fbb35d}\isbew64.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\user32.dll, c:\windows\system32\win32u.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\gdi32full.dll, c:\windows\system32\msvcp_win.dll

PID 7668 | msiexec.exe
  Command line: "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\Desktop\msi12.msi
  Path: C:\Windows\System32\msiexec.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows® installer
  Exit code: 1603
  Version: 5.0.19041.1 (WinBuild.160101.0800)
  Modules: c:\windows\system32\msiexec.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\aclayers.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\user32.dll, c:\windows\system32\win32u.dll, c:\windows\system32\gdi32.dll
Total events: 4 639
Read events: 4 639
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 15
Suspicious files: 4
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
7828 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\{AD1F90DD-6E1E-4384-9A28-2AF72AB8DC1F}\sailor.dmg | - | - | -
7388 | SplashWin.exe | C:\Users\admin\AppData\Roaming\NI_download\sailor.dmg | - | - | -
4428 | SplashWin.exe | C:\Users\admin\AppData\Local\Temp\edb98abe | - | - | -
2504 | cmd.exe | C:\Users\admin\AppData\Local\Temp\vrypavrf | - | - | -
7828 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\{AD1F90DD-6E1E-4384-9A28-2AF72AB8DC1F}\msvcp140.dll | executable | E9F00DD8746712610706CBEFFD8DF0BD | 4CB882621A3D1C6283570447F842801B396DB1B3DCD2E01C2F7002EFD66A0A97
7828 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\{AD1F90DD-6E1E-4384-9A28-2AF72AB8DC1F}\DuiLib_u.dll | executable | E3C87800FBFCFA74C6E71F0AC0DCC129 | 2613C5B224769FD099789B1881A3E828E3F115F5CE2CD6C24C40A1BE2FE2F32B
7828 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\{AD1F90DD-6E1E-4384-9A28-2AF72AB8DC1F}\SplashWin.exe | executable | 4D20B83562EEC3660E45027AD56FB444 | C5E650B331FA5292872FDAEDE3A75C8167A0F1280CE0CD3D58B880D23854BDB1
7828 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\{AD1F90DD-6E1E-4384-9A28-2AF72AB8DC1F}\vcruntime140.dll | executable | A554E4F1ADDC0C2C4EBB93D66B790796 | E610CDAC0A37147919032D0D723B967276C217FF06EA402F098696AB4112512A
7828 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\{D9E9FDAB-4A35-4A77-B7F2-8DF1B3FBB35D}\setup.inx | binary | CC766146F6907075915B4E55F616A035 | 84E0B6745AF9647AB5B32279C452FFF336E5236A07D93FC65C012E087C5DF0A1
7828 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\{D9E9FDAB-4A35-4A77-B7F2-8DF1B3FBB35D}\_isres_0x0409.dll | executable | 7DE024BC275F9CDEAF66A865E6FD8E58 | BD32468EE7E8885323F22EABBFF9763A0F6FFEF3CC151E0BD0481DF5888F4152
HTTP(S) requests: 34
TCP/UDP connections: 49
DNS requests: 30
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
- | - | GET | 304 | 172.202.163.200:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | unknown
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7172 | SIHClient.exe | GET | 200 | 104.119.109.218:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
7172 | SIHClient.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
7172 | SIHClient.exe | GET | 200 | 104.119.109.218:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
7172 | SIHClient.exe | GET | 200 | 104.119.109.218:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7172 | SIHClient.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
7172 | SIHClient.exe | GET | 200 | 104.119.109.218:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
7172 | SIHClient.exe | GET | 200 | 104.119.109.218:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
- | - | GET | 200 | 172.202.163.200:443 | https://slscr.update.microsoft.com/sls/ping | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5496 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
5496 | MoUsoCoreWorker.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 40.126.31.73:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
3812 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 51.104.136.2, 51.124.78.146, 20.73.194.208, 40.127.240.158 | whitelisted
client.wns.windows.com | 172.211.123.248, 172.211.123.249 | whitelisted
google.com | 142.250.184.206 | whitelisted
crl.microsoft.com | 2.16.164.120, 2.16.164.49 | whitelisted
login.live.com | 40.126.31.73, 40.126.31.130, 20.190.159.68, 40.126.31.3, 20.190.159.4, 20.190.159.75, 20.190.159.73, 20.190.159.131 | whitelisted
slscr.update.microsoft.com | 52.149.20.212 | whitelisted
www.microsoft.com | 104.119.109.218 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.3.187.198 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98, 40.91.76.224 | whitelisted
nexusrules.officeapps.live.com | 52.111.229.43 | whitelisted

Threats: No threats detected
Debug info: No debug info