File name:

SpineTrialSetup.exe

Full analysis: https://app.any.run/tasks/c631d5e8-2794-43a7-a2c0-4b98f6a9e50f
Verdict: Malicious activity
Analysis date: March 01, 2025, 03:00:36
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
antivm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

90222BDC8AD871D656A7B1D87DE9B3B7

SHA1:

994EB133DD830138D14643307CACF17B7BA68D6D

SHA256:

0BDD6FF2B8495BC2D4FBEE74DE75F6FE6226E6C2332B3BAA5543DBA40D9016B6

SSDEEP:

393216:Dpe01CTINF/h00fiwxxssE/nwJp0rNlopAK3vcA/DeG4X5OeRcN8xGTIc1vIzRb:DpO0b2nnMcNiuK/cArDJ2dSIhb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • The process creates files with names similar to system file names

      • SpineTrialSetup.exe (PID: 6388)
    • Executable content was dropped or overwritten

      • SpineTrialSetup.exe (PID: 6388)
      • SpineTrial.exe (PID: 5156)
    • There is functionality for taking screenshots (YARA)

      • SpineTrialSetup.exe (PID: 6388)
      • SpineTrial.exe (PID: 5156)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • SpineTrialSetup.exe (PID: 6388)
        Caveat: System.dll, like the UserInfo.dll and nsDialogs.dll dropped under %TEMP%\nsmFA04.tmp, is a standard NSIS plug-in DLL that every Nullsoft installer extracts at run time. Given the "Nullsoft Installer self-extracting archive" file type above, this drop is expected installer behaviour and is not on its own evidence of malice.
    • Process drops legitimate windows executable

      • SpineTrialSetup.exe (PID: 6388)
    • The process drops C-runtime libraries

      • SpineTrialSetup.exe (PID: 6388)
    • Creates a software uninstall entry

      • SpineTrialSetup.exe (PID: 6388)
    • Checks whether Java is installed

      • SpineTrial.exe (PID: 5156)
    • Reads the BIOS version

      • SpineTrial.exe (PID: 5156)
    • There is functionality for VM detection: anti-VM strings (YARA)

      • SpineTrial.exe (PID: 5156)
    • The process checks if it is being run in the virtual environment

      • SpineTrial.exe (PID: 5156)
    • There is functionality for VM detection VMWare (YARA)

      • SpineTrial.exe (PID: 5156)
    • There is functionality for VM detection VirtualBox (YARA)

      • SpineTrial.exe (PID: 5156)
  • INFO

    • The sample was compiled with English language support

      • SpineTrialSetup.exe (PID: 6388)
    • Checks supported languages

      • SpineTrialSetup.exe (PID: 6388)
      • SpineTrial.exe (PID: 5156)
    • Reads the computer name

      • SpineTrialSetup.exe (PID: 6388)
      • SpineTrial.exe (PID: 5156)
    • Creates files in a temporary directory

      • SpineTrialSetup.exe (PID: 6388)
      • SpineTrial.exe (PID: 5156)
    • Creates files in the program directory

      • SpineTrialSetup.exe (PID: 6388)
      • SpineTrial.exe (PID: 5156)
    • Creates files or folders in the user directory

      • SpineTrialSetup.exe (PID: 6388)
    • Reads product name

      • SpineTrial.exe (PID: 5156)
    • Reads CPU info

      • SpineTrial.exe (PID: 5156)
    • Process checks computer location settings

      • SpineTrial.exe (PID: 5156)
    • Checks proxy server information

      • slui.exe (PID: 2268)
    • Reads the software policy settings

      • slui.exe (PID: 2268)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
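The anti-VM signatures above (the BIOS version, product name and CPU info reads, plus the anti-VM strings / VMware / VirtualBox YARA hits) are the same checks that trial and licensing code uses to tell a physical workstation from a virtual one, so by themselves they do not separate SpineTrial.exe from malware. The following Python is an added example, not code from Esoteric Software or ANY.RUN: detect_vm() runs the registry-value check over constructed snapshots, static_markers() does what a string-based YARA rule does over a byte buffer, and read_live_values() reads the real values on a Windows host. The registry value names, the marker list and the snapshot values are assumptions of this example and are not taken from the report.

```python
"""Added example (not Esoteric Software's or ANY.RUN's code): what the
"reads BIOS version / product name / CPU info" events plus the "anti-VM
strings" YARA hits amount to in practice."""
import re
import sys

# Registry values commonly read for VM detection. These are the usual sources
# behind "Reads the BIOS version", "Reads product name" and "Reads CPU info"
# (assumption of this example: the exact keys the sample read are not in the report).
PROBES = {
    "bios_vendor":    (r"HARDWARE\DESCRIPTION\System\BIOS", "BIOSVendor"),
    "bios_version":   (r"HARDWARE\DESCRIPTION\System\BIOS", "BIOSVersion"),
    "system_product": (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemProductName"),
    "system_vendor":  (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer"),
    "cpu_name":       (r"HARDWARE\DESCRIPTION\System\CentralProcessor\0", "ProcessorNameString"),
}

# Hypervisor markers of the kind "anti-VM strings" YARA rules carry.
# Representative set chosen for this example, not the sandbox's own rule.
VM_MARKERS = re.compile(
    r"vmware|virtualbox|vbox|innotek|qemu|bochs|xen|kvm|parallels|hyper-v|virtual machine",
    re.IGNORECASE,
)


def detect_vm(values):
    """Runtime check: [(probe, marker), ...] for each value that names a hypervisor."""
    hits = []
    for probe, text in values.items():
        m = VM_MARKERS.search(text or "")
        if m:
            hits.append((probe, m.group(0).lower()))
    return hits


def static_markers(data):
    """YARA-style check: hypervisor markers present in a buffer as ASCII or UTF-16LE."""
    found = set()
    # The UTF-16 pass assumes even alignment; YARA's `wide` modifier handles
    # alignment per match, which this simplification does not.
    for enc in ("latin-1", "utf-16-le"):
        found.update(m.lower() for m in VM_MARKERS.findall(data.decode(enc, errors="ignore")))
    return found


def read_live_values():
    """Read the probe values from HKLM on a Windows host; returns {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    out = {}
    for probe, (key, name) in PROBES.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                out[probe] = str(winreg.QueryValueEx(k, name)[0])
        except OSError:
            out[probe] = ""
    return out


# Constructed snapshots with illustrative values (not taken from the report).
SNAPSHOT_VIRTUALBOX = {
    "bios_vendor": "innotek GmbH",
    "bios_version": "VirtualBox",
    "system_product": "VirtualBox",
    "system_vendor": "innotek GmbH",
    "cpu_name": "Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz",
}
SNAPSHOT_BARE_METAL = {
    "bios_vendor": "American Megatrends Inc.",
    "bios_version": "1.20",
    "system_product": "OptiPlex 7080",
    "system_vendor": "Dell Inc.",
    "cpu_name": "Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz",
}

if __name__ == "__main__":
    for label, snap in (("virtualbox", SNAPSHOT_VIRTUALBOX), ("bare-metal", SNAPSHOT_BARE_METAL)):
        print(label, detect_vm(snap))
    live = read_live_values()
    if live:
        print("this host:", detect_vm(live) or "no hypervisor markers")
```

Run it on the sandbox image and on a physical host to see both outcomes; the point for triage is that a hit here tells you the program looks for a VM, not what it does with the answer.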
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:12:16 00:55:18+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 28160
InitializedDataSize: 152576
UninitializedDataSize: 2048
EntryPoint: 0x3990
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.3.0.0
ProductVersionNumber: 4.3.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Esoteric Software LLC
FileDescription: Installs the Spine Trial launcher
FileVersion: 4.3.00
LegalCopyright: Copyright (c) 2013-2025, Esoteric Software LLC
ProductName: Spine
ProductVersion: 4.3.00
No data.
All screenshots are available in the full report
Total processes: 124
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start → spinetrialsetup.exe → spinetrial.exe
slui.exe
spinetrialsetup.exe (no specs)

Process information

PID 1228
CMD: "C:\Users\admin\Desktop\SpineTrialSetup.exe"
Path: C:\Users\admin\Desktop\SpineTrialSetup.exe
Parent process: explorer.exe
User: admin
Company: Esoteric Software LLC
Integrity Level: MEDIUM
Description: Installs the Spine Trial launcher
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this medium-integrity instance exited, and the installer ran again elevated as PID 6388 at HIGH integrity)
Version: 4.3.00
Modules (images):
c:\users\admin\desktop\spinetrialsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID 2268
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID 5156
CMD: "C:\Program Files\Spine Trial\SpineTrial.exe"
Path: C:\Program Files\Spine Trial\SpineTrial.exe
Parent process: SpineTrialSetup.exe
User: admin
Company: Esoteric Software LLC
Integrity Level: HIGH
Description: Spine, 2D animation for games
Modules (images):
c:\program files\spine trial\spinetrial.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll

PID 6388
CMD: "C:\Users\admin\Desktop\SpineTrialSetup.exe"
Path: C:\Users\admin\Desktop\SpineTrialSetup.exe
Parent process: explorer.exe
User: admin
Company: Esoteric Software LLC
Integrity Level: HIGH
Description: Installs the Spine Trial launcher
Exit code: 0
Version: 4.3.00
Modules (images):
c:\users\admin\desktop\spinetrialsetup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 3 960
Read events: 3 943
Write events: 17
Delete events: 0

Modification events

PID 6388  SpineTrialSetup.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Spine Trial
  Operation: write   Name: install
  Value: C:\Program Files\Spine Trial

PID 6388  SpineTrialSetup.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SpineTrial
  Operation: write, for each of the following values:
    DisplayName            = Spine Trial
    UninstallString        = "C:\Program Files\Spine Trial\UninstallSpineTrial.exe"
    QuietUninstallString   = "C:\Program Files\Spine Trial\UninstallSpineTrial.exe" /S
    InstallLocation        = "C:\Program Files\Spine Trial"
    InstallDate            = 20250225
    DisplayIcon            = "C:\Program Files\Spine Trial\SpineTrial.exe"
    Publisher              = Esoteric Software LLC
    URLInfoAbout           = http://esotericsoftware.com
    DisplayVersion         = 4.3.00
Executable files: 74
Suspicious files: 10
Text files: 64
Unknown types: 0

Dropped files

All entries below were written by PID 6388, SpineTrialSetup.exe.

C:\Program Files\Spine Trial\launcher\1\fonts\NotoSansJP-Regular.otf
  Type: (not listed)   MD5: (not listed)   SHA256: (not listed)

C:\Program Files\Spine Trial\launcher\1\fonts\NotoSansKR-Regular.otf
  Type: (not listed)   MD5: (not listed)   SHA256: (not listed)

C:\Program Files\Spine Trial\launcher\1\fonts\NotoSansSC-Regular.otf
  Type: (not listed)   MD5: (not listed)   SHA256: (not listed)

C:\Program Files\Spine Trial\launcher\1\fonts\NotoSansTC-Regular.otf
  Type: (not listed)   MD5: (not listed)   SHA256: (not listed)

C:\Program Files\Spine Trial\SpineTrial.exe
  Type: executable
  MD5: E22F956D2FE01C0BC48F2D8CF028A872
  SHA256: C2369BDD7F5325B411734D2701E24079FC3B5B8E46ACE8166BFDAC10898ADAB2

C:\Users\admin\AppData\Local\Temp\nsmFA04.tmp\UserInfo.dll
  Type: executable
  MD5: DC90F96B169DCC9151EE6E93B47446EA
  SHA256: AFC939EBFD66A6C972D2D6BBCB978559AB3427D1582935E45392F9912EF186AD

C:\Program Files\Spine Trial\launcher\2\bin\WinFallbackLookup.dll
  Type: executable
  MD5: B6B25A940B59F1A97CACD709B619C0CB
  SHA256: C6AC78632760A5FA656075FD1CD3D2A8B3B3B849ADF50F028591390F68534F4E

C:\Program Files\Spine Trial\license.pdf
  Type: pdf
  MD5: 81B270F44D1C5166D230BF0FEEDAC8FC
  SHA256: 3FC0DF5646ABC48B1434202B0B352BD9BA145621B8FC675B9F3E023BEF451908

C:\Users\admin\AppData\Local\Temp\nsmFA04.tmp\nsDialogs.dll
  Type: executable
  MD5: EC9640B70E07141FEBBE2CD4CC42510F
  SHA256: C5BA017732597A82F695B084D1AA7FE3B356168CC66105B9392A9C5B06BE5188

C:\Users\admin\AppData\Local\Temp\nsmFA04.tmp\modern-header.bmp
  Type: image
  MD5: 5898BC92D80CCC2DA81604BA608B4EC9
  SHA256: 96D1EF26BE5401F1073971D3F293EA928798FA1F209D126AB88458CB9E4C5B90
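Before reading anything into the dropped-file list, a practitioner would confirm that the file in hand is the one this report analysed and that it really is an NSIS package, since the DLLs under %TEMP%\nsmFA04.tmp are then expected plug-in extractions rather than payloads. The following Python is an added example, not code from Esoteric Software or ANY.RUN: it compares a file's MD5, SHA-1 and SHA-256 against the values at the top of this report, looks for the NSIS first-header marker (0xDEADBEEF followed by "NullsoftInst") in the file, and sorts the dropped paths listed above into NSIS plug-in extractions and other files. The plug-in name list and the ns*.tmp path pattern are assumptions of this example.

```python
"""Added example (not Esoteric Software's or ANY.RUN's code): tie a file on
disk to this report, confirm it is an NSIS package, and separate standard
NSIS plug-in drops from the rest of the dropped files."""
import hashlib
import re
import sys

# Hashes exactly as listed at the top of the report (compared case-insensitively).
REPORT_HASHES = {
    "md5": "90222BDC8AD871D656A7B1D87DE9B3B7",
    "sha1": "994EB133DD830138D14643307CACF17B7BA68D6D",
    "sha256": "0BDD6FF2B8495BC2D4FBEE74DE75F6FE6226E6C2332B3BAA5543DBA40D9016B6",
}

# Marker at the start of the NSIS "first header", which sits in the PE overlay:
# the little-endian dword 0xDEADBEEF followed by the ASCII text "NullsoftInst".
NSIS_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"

# Plug-in DLLs that ship with NSIS and get extracted to %TEMP%\ns*.tmp at run time
# (assumption: a representative list, not exhaustive).
NSIS_PLUGINS = {"system.dll", "userinfo.dll", "nsdialogs.dll", "nsexec.dll",
                "inetc.dll", "startmenu.dll", "nsisdl.dll"}
NSIS_TEMP_RE = re.compile(r"\\ns[0-9a-z]+\.tmp\\([^\\]+\.dll)$", re.IGNORECASE)


def compute_hashes(data):
    """MD5 / SHA-1 / SHA-256 of a byte string, lowercase hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_report(data, expected=REPORT_HASHES):
    """Per-algorithm True/False: does this blob hash to the report's values?"""
    got = compute_hashes(data)
    return {alg: got[alg] == expected[alg].lower() for alg in expected}


def is_nsis(data):
    """True when the NSIS first-header marker appears anywhere in the file."""
    return NSIS_MAGIC in data


def classify_drops(paths):
    """Split dropped-file paths into NSIS plug-in extractions and everything else."""
    out = {"nsis_plugin": [], "other": []}
    for p in paths:
        m = NSIS_TEMP_RE.search(p)
        if m and m.group(1).lower() in NSIS_PLUGINS:
            out["nsis_plugin"].append(p)
        else:
            out["other"].append(p)
    return out


# Dropped paths copied from the report's table (fonts and the PDF/BMP omitted).
DROPPED = [
    r"C:\Users\admin\AppData\Local\Temp\nsmFA04.tmp\UserInfo.dll",
    r"C:\Users\admin\AppData\Local\Temp\nsmFA04.tmp\nsDialogs.dll",
    r"C:\Program Files\Spine Trial\SpineTrial.exe",
    r"C:\Program Files\Spine Trial\launcher\2\bin\WinFallbackLookup.dll",
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:
        # Constructed stand-in so the script runs without the real sample.
        blob = b"MZ" + b"\x00" * 64 + NSIS_MAGIC + b"\x00" * 16
    print("hashes match report:", matches_report(blob))
    print("NSIS marker present:", is_nsis(blob))
    print("dropped files:", classify_drops(DROPPED))
```

Run as `python check.py SpineTrialSetup.exe`; all three hash checks must be True before the rest of this report applies to the file you hold. Files that land in "other" (SpineTrial.exe, WinFallbackLookup.dll) are the ones worth verifying separately, for example by checking their Authenticode signatures.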
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 28
DNS requests: 6
Threats: 0

HTTP requests

Request 1
  PID: (not listed)   Process: (not listed)
  Method: POST   HTTP code: 500
  IP: 20.83.72.98:443
  URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
  CN: unknown   Type: xml   Size: 512 b   Reputation: whitelisted

Request 2
  PID: (not listed)   Process: (not listed)
  Method: POST   HTTP code: 500
  IP: 20.83.72.98:443
  URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
  CN: unknown   Type: xml   Size: 512 b   Reputation: whitelisted

Connections

PID   Process         IP                    Domain                            ASN                          CN  Reputation
-     -               192.168.100.255:137   -                                 -                            -   whitelisted
-     -               4.231.128.59:443      settings-win.data.microsoft.com   MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
-     -               192.168.100.255:138   -                                 -                            -   whitelisted
5156  SpineTrial.exe  139.162.66.173:443    jpapi.esotericsoftware.com        Linode, LLC                  JP  whitelisted
5156  SpineTrial.exe  172.104.155.234:443   euapi.esotericsoftware.com        Linode, LLC                  DE  whitelisted
5156  SpineTrial.exe  198.58.124.9:443      usapi.esotericsoftware.com        Linode, LLC                  US  whitelisted
6476  slui.exe        20.83.72.98:443       activation-v2.sls.microsoft.com   MICROSOFT-CORP-MSN-AS-BLOCK  US  whitelisted
2268  slui.exe        20.83.72.98:443       activation-v2.sls.microsoft.com   MICROSOFT-CORP-MSN-AS-BLOCK  US  whitelisted

Only the three TLS connections from SpineTrial.exe (PID 5156) to jpapi/euapi/usapi.esotericsoftware.com are attributable to the sample. The activation-v2.sls.microsoft.com traffic (and both HTTP 500 POSTs above) belongs to slui.exe, the Windows Activation Client started by svchost.exe rather than by the sample; the settings-win.data.microsoft.com connection is Windows telemetry; and 192.168.100.255:137/138 are NetBIOS name-service and datagram broadcasts on the sandbox LAN. None of these originate from the sample's processes.

DNS requests

Domain                            IP               Reputation
settings-win.data.microsoft.com   4.231.128.59     whitelisted
google.com                        142.250.185.206  whitelisted
jpapi.esotericsoftware.com        139.162.66.173   whitelisted
euapi.esotericsoftware.com        172.104.155.234  whitelisted
usapi.esotericsoftware.com        198.58.124.9     whitelisted
activation-v2.sls.microsoft.com   20.83.72.98      whitelisted

Threats

No threats detected
No debug info