File name: msi12.msi
Full analysis: https://app.any.run/tasks/f66c939e-ee0f-4fe1-86b8-967238998708
Verdict: Malicious activity
Analysis date: April 09, 2025, 13:14:50
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: generated-doc, auto, generic
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Blank Project Template, Author: InstallShield, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2021 - Premier Edition with Virtualization Pack 27, Last Saved Time/Date: Mon Feb 3 01:27:32 2025, Create Time/Date: Mon Feb 3 01:27:32 2025, Last Printed: Mon Feb 3 01:27:32 2025, Revision Number: {53E13A2A-DBAD-4467-84FE-CA78EB848095}, Code page: 1252, Template: Intel;1033
MD5: A5A0FD7291AC3A018C1325A90FFB6390
SHA1: 1DEDABE3BD3BF53E8A449113AC51FA362E8B61CC
SHA256: 0622447EC83737692036BDC44F45326A48A1230B4F545B64968A4D9355114938
SSDEEP: 98304:N/ntTURdvDVP5H9QoJVj9+Zbn22poi3S17YvkiIpVsiVc7M+Xrdm3Qynjc9aJ6Ml:DO0/dUNSxlgf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • GENERIC has been found (auto)

      • msiexec.exe (PID: 7828)
      • SplashWin.exe (PID: 7388)
    • Executing a file with an untrusted certificate

      • ISBEW64.exe (PID: 7928)
      • ISBEW64.exe (PID: 7964)
      • ISBEW64.exe (PID: 8004)
      • ISBEW64.exe (PID: 8044)
      • ISBEW64.exe (PID: 8084)
      • ISBEW64.exe (PID: 7260)
      • ISBEW64.exe (PID: 8132)
      • ISBEW64.exe (PID: 8168)
      • ISBEW64.exe (PID: 4208)
      • ISBEW64.exe (PID: 7440)
  • SUSPICIOUS

    • The process drops C-runtime libraries

      • msiexec.exe (PID: 7828)
      • SplashWin.exe (PID: 7388)
    • Process drops legitimate windows executable

      • msiexec.exe (PID: 7828)
      • SplashWin.exe (PID: 7388)
    • Executable content was dropped or overwritten

      • SplashWin.exe (PID: 7388)
      • cmd.exe (PID: 2504)
    • Starts CMD.EXE for commands execution

      • SplashWin.exe (PID: 4428)
    • Starts itself from another location

      • SplashWin.exe (PID: 7388)
    • The executable file from the user directory is run by the CMD process

      • Svcsuper.exe (PID: 5972)
    • Reads the date of Windows installation

      • Svcsuper.exe (PID: 5972)
  • INFO

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 7668)
      • msiexec.exe (PID: 7828)
    • The sample compiled with english language support

      • msiexec.exe (PID: 7668)
      • msiexec.exe (PID: 7828)
      • SplashWin.exe (PID: 7388)
    • Reads the computer name

      • msiexec.exe (PID: 7752)
      • msiexec.exe (PID: 7828)
      • ISBEW64.exe (PID: 7928)
      • ISBEW64.exe (PID: 7964)
      • ISBEW64.exe (PID: 8004)
      • ISBEW64.exe (PID: 8044)
      • ISBEW64.exe (PID: 8132)
      • ISBEW64.exe (PID: 8084)
      • ISBEW64.exe (PID: 8168)
      • ISBEW64.exe (PID: 7260)
      • SplashWin.exe (PID: 7388)
      • SplashWin.exe (PID: 4428)
      • ISBEW64.exe (PID: 4208)
      • ISBEW64.exe (PID: 7440)
      • Svcsuper.exe (PID: 5972)
    • Checks supported languages

      • msiexec.exe (PID: 7752)
      • msiexec.exe (PID: 7828)
      • ISBEW64.exe (PID: 7928)
      • ISBEW64.exe (PID: 7964)
      • ISBEW64.exe (PID: 8044)
      • ISBEW64.exe (PID: 8084)
      • ISBEW64.exe (PID: 8132)
      • ISBEW64.exe (PID: 7260)
      • ISBEW64.exe (PID: 8168)
      • ISBEW64.exe (PID: 8004)
      • ISBEW64.exe (PID: 7440)
      • SplashWin.exe (PID: 7388)
      • SplashWin.exe (PID: 4428)
      • ISBEW64.exe (PID: 4208)
      • Svcsuper.exe (PID: 5972)
    • Create files in a temporary directory

      • msiexec.exe (PID: 7828)
      • SplashWin.exe (PID: 4428)
    • Creates files or folders in the user directory

      • SplashWin.exe (PID: 7388)
    • Reads the software policy settings

      • slui.exe (PID: 6040)
    • Checks proxy server information

      • Svcsuper.exe (PID: 5972)
    • Reads the machine GUID from the registry

      • Svcsuper.exe (PID: 5972)
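Each SUSPICIOUS indicator above is a rule evaluated over process-creation and image-load telemetry. The block below is an added example, not ANY.RUN's code or output: it re-implements four of those rules as plain Python functions and runs them over events constructed from this report's own process table (PIDs, image paths, parents, version-info descriptions and a subset of the loaded modules). The event schema, the rule names, the parent image paths (filled in from each parent's own record where the report lists only a name) and the KNOWN_NAMES mapping, including the assumption that Q-Dir normally ships as Q-Dir.exe, are assumptions for illustration.

```python
"""Replaying four of the report's behaviour signatures over process events.

Added example, not ANY.RUN's own code.  SAMPLE_EVENTS is constructed from the
process table in this report; the event schema, rule names and KNOWN_NAMES
are assumptions for illustration.
"""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath


@dataclass
class ProcEvent:
    pid: int
    image: str             # on-disk path of the process image
    parent_image: str      # on-disk path of the parent's image
    description: str = ""  # version-info FileDescription
    modules: list = field(default_factory=list)  # image-load paths seen in the process


def _p(path: str) -> PureWindowsPath:
    """Normalise a Windows path for case-insensitive comparison."""
    return PureWindowsPath(path.lower())


def starts_itself_from_another_location(events):
    """Child carries the parent's file name but runs from a different directory
    (the report's 'Starts itself from another location')."""
    hits = []
    for e in events:
        child, parent = _p(e.image), _p(e.parent_image)
        if child.name == parent.name and child.parent != parent.parent:
            hits.append(e.pid)
    return hits


def user_dir_exe_run_by_cmd(events):
    """cmd.exe launching an executable stored under C:\\Users (the report's
    'The executable file from the user directory is run by the CMD process')."""
    return [e.pid for e in events
            if _p(e.parent_image).name == "cmd.exe"
            and _p(e.image).parts[1:2] == ("users",)]


def extensionless_module_from_temp(events):
    """Loaded image with no file extension under a Temp directory, as the
    report shows for Svcsuper.exe loading ...\\Temp\\vrypavrf."""
    return [(e.pid, m) for e in events for m in e.modules
            if _p(m).suffix == "" and "temp" in _p(m).parts]


def description_filename_mismatch(events, known_names):
    """Version-info description belongs to a known product whose usual file
    name differs from the on-disk name (heuristic for renamed binaries).
    known_names maps FileDescription -> expected file name (analyst-maintained)."""
    hits = []
    for e in events:
        expected = known_names.get(e.description)
        if expected and _p(e.image).name != expected.lower():
            hits.append((e.pid, _p(e.image).name, expected))
    return hits


# Assumed mapping; that Q-Dir ships as "Q-Dir.exe" is an assumption.
KNOWN_NAMES = {"Q-Dir": "Q-Dir.exe"}

SYS32 = r"C:\Windows\System32"
TEMP = r"C:\Users\admin\AppData\Local\Temp"
ROAMING = r"C:\Users\admin\AppData\Roaming\NI_download"

# Constructed from the report's process table (parent paths assumed).
SAMPLE_EVENTS = [
    ProcEvent(7668, SYS32 + r"\msiexec.exe", r"C:\Windows\explorer.exe", "Windows installer"),
    ProcEvent(4208, TEMP + r"\{D9E9FDAB-4A35-4A77-B7F2-8DF1B3FBB35D}\ISBEW64.exe",
              SYS32 + r"\msiexec.exe", "InstallShield (R) 64-bit Setup Engine",
              [r"c:\windows\system32\ntdll.dll"]),
    ProcEvent(7388, TEMP + r"\{AD1F90DD-6E1E-4384-9A28-2AF72AB8DC1F}\SplashWin.exe",
              SYS32 + r"\msiexec.exe", "Splash Window"),
    ProcEvent(4428, ROAMING + r"\SplashWin.exe",
              TEMP + r"\{AD1F90DD-6E1E-4384-9A28-2AF72AB8DC1F}\SplashWin.exe", "Splash Window"),
    ProcEvent(2504, r"C:\Windows\SysWOW64\cmd.exe", ROAMING + r"\SplashWin.exe",
              "Windows Command Processor"),
    ProcEvent(5972, TEMP + r"\Svcsuper.exe", r"C:\Windows\SysWOW64\cmd.exe", "Q-Dir",
              [r"c:\users\admin\appdata\local\temp\vrypavrf",
               r"c:\users\admin\appdata\local\temp\svcsuper.exe",
               r"c:\windows\system32\ntdll.dll"]),
    ProcEvent(6040, SYS32 + r"\slui.exe", SYS32 + r"\svchost.exe", "Windows Activation Client"),
]


def run_all(events, known_names=KNOWN_NAMES):
    """Evaluate every rule and return {rule name: hits}."""
    return {
        "starts_itself_from_another_location": starts_itself_from_another_location(events),
        "user_dir_exe_run_by_cmd": user_dir_exe_run_by_cmd(events),
        "extensionless_module_from_temp": extensionless_module_from_temp(events),
        "description_filename_mismatch": description_filename_mismatch(events, known_names),
    }


if __name__ == "__main__":
    for rule, hits in run_all(SAMPLE_EVENTS).items():
        print(f"{rule}: {hits}")
```

Run stand-alone, the rules flag exactly the processes the report flags: PID 4428 (SplashWin.exe relaunched from AppData\Roaming\NI_download by its Temp copy) and PID 5972 (Svcsuper.exe run by cmd.exe from Temp, loading the extensionless vrypavrf, and carrying a Q-Dir file description under a different file name). Because the rules key on parent/child and path relationships rather than hashes, renaming the dropped binaries does not evade them; the description check does depend on an analyst-maintained name table.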
No Malware configuration.

TRiD

.mst | Windows SDK Setup Transform Script (60.2)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Characters: -
LastModifiedBy: InstallShield
Words: -
Title: Installation Database
Comments: Contact: Your local administrator
Keywords: Installer,MSI,Database
Subject: Blank Project Template
Author: InstallShield
Security: Password protected
Pages: 200
Software: InstallShield® 2021 - Premier Edition with Virtualization Pack 27
ModifyDate: 2025:02:03 01:27:32
CreateDate: 2025:02:03 01:27:32
LastPrinted: 2025:02:03 01:27:32
RevisionNumber: {53E13A2A-DBAD-4467-84FE-CA78EB848095}
CodePage: Windows Latin 1 (Western European)
Template: Intel;1033
Total processes: 150
Monitored processes: 19
Malicious processes: 3
Suspicious processes: 10

Behavior graph

Graph nodes in report order ("no specs" marks a node without signature hits):
start, msiexec.exe, msiexec.exe (no specs), msiexec.exe (#GENERIC), isbew64.exe (no specs, listed 10 times), splashwin.exe (#GENERIC), splashwin.exe (no specs), cmd.exe, conhost.exe (no specs), svcsuper.exe (no specs), slui.exe

Process information

PID 2504
CMD: C:\WINDOWS\SysWOW64\cmd.exe
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: SplashWin.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID 4208
CMD: C:\Users\admin\AppData\Local\Temp\{D9E9FDAB-4A35-4A77-B7F2-8DF1B3FBB35D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A01ADF56-C58B-4F0D-8179-A2BDE025BFAA}
Path: C:\Users\admin\AppData\Local\Temp\{D9E9FDAB-4A35-4A77-B7F2-8DF1B3FBB35D}\ISBEW64.exe
Parent process: msiexec.exe
User:
admin
Company:
Flexera
Integrity Level:
MEDIUM
Description:
InstallShield (R) 64-bit Setup Engine
Exit code:
0
Version:
27.0.58
Modules
Images
c:\users\admin\appdata\local\temp\{d9e9fdab-4a35-4a77-b7f2-8df1b3fbb35d}\isbew64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID 4428
CMD: C:\Users\admin\AppData\Roaming\NI_download\SplashWin.exe
Path: C:\Users\admin\AppData\Roaming\NI_download\SplashWin.exe
Parent process: SplashWin.exe
User:
admin
Company:
AOMEI International Network Limited
Integrity Level:
MEDIUM
Description:
Splash Window
Exit code:
1
Version:
4.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\ni_download\splashwin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID 4436
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 5972
CMD: C:\Users\admin\AppData\Local\Temp\Svcsuper.exe
Path: C:\Users\admin\AppData\Local\Temp\Svcsuper.exe
Parent process: cmd.exe
User:
admin
Company:
Nenad Hrg (SoftwareOK.com)
Integrity Level:
MEDIUM
Description:
Q-Dir
Exit code:
0
Version:
11,4,4,0
Modules
Images
c:\users\admin\appdata\local\temp\vrypavrf
c:\users\admin\appdata\local\temp\svcsuper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID 6040
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID 7260
CMD: C:\Users\admin\AppData\Local\Temp\{D9E9FDAB-4A35-4A77-B7F2-8DF1B3FBB35D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B5D47BE1-DEA3-4F32-876B-BEDEF4A4DAB8}
Path: C:\Users\admin\AppData\Local\Temp\{D9E9FDAB-4A35-4A77-B7F2-8DF1B3FBB35D}\ISBEW64.exe
Parent process: msiexec.exe
User:
admin
Company:
Flexera
Integrity Level:
MEDIUM
Description:
InstallShield (R) 64-bit Setup Engine
Exit code:
0
Version:
27.0.58
Modules
Images
c:\users\admin\appdata\local\temp\{d9e9fdab-4a35-4a77-b7f2-8df1b3fbb35d}\isbew64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID 7388
CMD: C:\Users\admin\AppData\Local\Temp\{AD1F90DD-6E1E-4384-9A28-2AF72AB8DC1F}\SplashWin.exe
Path: C:\Users\admin\AppData\Local\Temp\{AD1F90DD-6E1E-4384-9A28-2AF72AB8DC1F}\SplashWin.exe
Parent process: msiexec.exe
User:
admin
Company:
AOMEI International Network Limited
Integrity Level:
MEDIUM
Description:
Splash Window
Exit code:
0
Version:
4.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\{ad1f90dd-6e1e-4384-9a28-2af72ab8dc1f}\splashwin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID 7440
CMD: C:\Users\admin\AppData\Local\Temp\{D9E9FDAB-4A35-4A77-B7F2-8DF1B3FBB35D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4954419E-81AB-43AD-88E3-F03E468E1E46}
Path: C:\Users\admin\AppData\Local\Temp\{D9E9FDAB-4A35-4A77-B7F2-8DF1B3FBB35D}\ISBEW64.exe
Parent process: msiexec.exe
User:
admin
Company:
Flexera
Integrity Level:
MEDIUM
Description:
InstallShield (R) 64-bit Setup Engine
Exit code:
0
Version:
27.0.58
Modules
Images
c:\users\admin\appdata\local\temp\{d9e9fdab-4a35-4a77-b7f2-8df1b3fbb35d}\isbew64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID 7668
CMD: "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\Desktop\msi12.msi
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
1603
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events: 4 639
Read events: 4 639
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 15
Suspicious files: 4
Text files: 1
Unknown types: 0

Dropped files

PID 7828 msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\{AD1F90DD-6E1E-4384-9A28-2AF72AB8DC1F}\sailor.dmg
MD5:
SHA256:

PID 7388 SplashWin.exe
Filename: C:\Users\admin\AppData\Roaming\NI_download\sailor.dmg
MD5:
SHA256:

PID 4428 SplashWin.exe
Filename: C:\Users\admin\AppData\Local\Temp\edb98abe
MD5:
SHA256:

PID 2504 cmd.exe
Filename: C:\Users\admin\AppData\Local\Temp\vrypavrf
MD5:
SHA256:

PID 7828 msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\{AD1F90DD-6E1E-4384-9A28-2AF72AB8DC1F}\msvcp140.dll
Type: executable
MD5: E9F00DD8746712610706CBEFFD8DF0BD
SHA256: 4CB882621A3D1C6283570447F842801B396DB1B3DCD2E01C2F7002EFD66A0A97

PID 7828 msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\{D9E9FDAB-4A35-4A77-B7F2-8DF1B3FBB35D}\ISRT.dll
Type: executable
MD5: 8AF02BF8E358E11CAEC4F2E7884B43CC
SHA256: 58A724D23C63387A2DDA27CCFDBC8CA87FD4DB671BEA8BB636247667F6A5A11E

PID 7668 msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIE2C1.tmp
Type: executable
MD5: A0E940A3D3C1523416675125E3B0C07E
SHA256: B8FA7AA425E4084EA3721780A13D11E08B8D53D1C5414B73F22FAECA1BFD314F

PID 7828 msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\{D9E9FDAB-4A35-4A77-B7F2-8DF1B3FBB35D}\setup.inx
Type: binary
MD5: CC766146F6907075915B4E55F616A035
SHA256: 84E0B6745AF9647AB5B32279C452FFF336E5236A07D93FC65C012E087C5DF0A1

PID 7828 msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\{AD1F90DD-6E1E-4384-9A28-2AF72AB8DC1F}\vcruntime140.dll
Type: executable
MD5: A554E4F1ADDC0C2C4EBB93D66B790796
SHA256: E610CDAC0A37147919032D0D723B967276C217FF06EA402F098696AB4112512A

PID 7668 msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSIE6F8.tmp
Type: executable
MD5: 2F927997CFE930C6E0971572D913480B
SHA256: 5BF0A9098B60F5FF90D242A6A7E09ADC3BE5E832171DBF36D17E43177C3A3BF1
HTTP(S) requests: 34
TCP/UDP connections: 49
DNS requests: 30
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 304 | 172.202.163.200:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
7172 | SIHClient.exe | GET | 200 | 104.119.109.218:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 20.242.39.171:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | - | - | -
7172 | SIHClient.exe | GET | 200 | 104.119.109.218:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
7172 | SIHClient.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
7172 | SIHClient.exe | GET | 200 | 104.119.109.218:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
7172 | SIHClient.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | - | - | whitelisted
7172 | SIHClient.exe | GET | 200 | 104.119.109.218:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
- | - | POST | 400 | 20.190.159.131:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted

("-" marks a cell the report leaves empty.) Every request listed is attributed to a Windows update, CRL or account service (MoUsoCoreWorker.exe, SIHClient.exe) or to no process at all; none is attributed to msiexec.exe, SplashWin.exe or Svcsuper.exe, even though Svcsuper.exe read the proxy settings. The capture therefore shows no outbound traffic from the sample itself during the run.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5496 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
5496 | MoUsoCoreWorker.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 40.126.31.73:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
3812 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted

("-" marks a cell the report leaves empty.)

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
  • 51.124.78.146
  • 20.73.194.208
  • 40.127.240.158
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.249
whitelisted
google.com
  • 142.250.184.206
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.49
whitelisted
login.live.com
  • 40.126.31.73
  • 40.126.31.130
  • 20.190.159.68
  • 40.126.31.3
  • 20.190.159.4
  • 20.190.159.75
  • 20.190.159.73
  • 20.190.159.131
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
www.microsoft.com
  • 104.119.109.218
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.43
whitelisted

Threats

No threats detected
No debug info