File name:	Splashtop_Business_Win_INSTALLER_v3.7.2.3.msi
Full analysis:	https://app.any.run/tasks/e175a421-9519-4aeb-ab14-aff1cf01cfd5
Verdict:	Malicious activity
Analysis date:	April 29, 2025, 13:50:42
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	generated-doc
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 936, Title: Installation Database, Subject: Splashtop Remote Client, Author: Splashtop Inc., Keywords: Installer,MSI,Database, Comments: Splashtop Client Installer, Create Time/Date: Tue Oct 29 14:53:52 2024, Name of Creating Application: InstallShield?2021 27, Security: 1, Template: Intel;0,1033,2052,1028,1036,1031,1040,1041,1042,1046,1049,1034, Last Saved By: Intel;2052, Revision Number: {CE24147F-F177-4370-85CB-39DFC5E7F2C4}3.7.203.0;{CE24147F-F177-4370-85CB-39DFC5E7F2C4}3.7.203.0;{221C0F53-5ACA-4651-8CF7-17046364B94E}, Number of Pages: 200, Number of Characters: 1
MD5:	27487ED4FEFFFD6F8601C3D84D82F549
SHA1:	8D5CEC80A5E6A05339DA0C75ACD8C4FC071996FA
SHA256:	309D3C316D45B6E4A0C3E7A0CBC5686A450A6C74945FBADA0340A4EE8C5AD846
SSDEEP:	393216:CGGTedoatDPTc33WgmmvdFs4QkKGCmXZdkOR+5UMtMrQC+X3+q:CpTed7cxdFs4QkXCmXZCoItzxH+q

.msi	\|	Microsoft Windows Installer (84.2)
.mst	\|	Windows SDK Setup Transform Script (9.5)
.msi	\|	Microsoft Installer (100)

Characters:	-
LastModifiedBy:	InstallShield
Words:	-
Title:	Installation Database
Comments:	Splashtop Client Installer
Keywords:	Installer,MSI,Database
Subject:	Splashtop Remote Client
Author:	Splashtop Inc.
Security:	Password protected
Pages:	200
Software:	InstallShield? 2021 27
ModifyDate:	2024:10:29 14:53:51
CreateDate:	2024:10:29 14:53:51
LastPrinted:	2024:10:29 14:53:51
RevisionNumber:	{8BBE7D31-739E-4D59-B06B-48EC2A68B26D}
CodePage:	Unknown (0)
Template:	Intel;1033,1028,1031,1034,1036,1040,1041,1042,1046,1049,2052


(PID) Process:	(7852) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 4800000000000000F2994BD50DB9DB01AC1E0000381F0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(7852) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Enter)
Value: 4800000000000000F2994BD50DB9DB01AC1E0000381F0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(7852) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Leave)
Value: 4800000000000000FC5EF7D50DB9DB01AC1E0000381F0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(7852) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Enter)
Value: 4800000000000000FC5EF7D50DB9DB01AC1E0000381F0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(7852) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Leave)
Value: 48000000000000005C1101D60DB9DB01AC1E0000381F0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(7852) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppCreate (Enter)
Value: 4800000000000000C6FE07D60DB9DB01AC1E0000381F0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(7852) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGatherWriterMetadata (Enter)
Value: 48000000000000001EF8D4D60DB9DB01AC1E0000381F0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(8008) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Operation:	write	Name:	IDENTIFY (Leave)
Value: 48000000000000004A21FBD60DB9DB01481F0000641F0000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(8008) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(8008) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:	write	Name:	Element
Value: 0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000

PID	Process	Filename		Type
7852	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
7852	msiexec.exe	C:\Windows\Installer\11bfe2.msi		—
		MD5:—	SHA256:—
7580	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSI3779.tmp		executable
		MD5:E80F90724939D4F85FC49DE2460B94B5	SHA256:8041D3CCBAFA491D35F70030C3AFEBA683B0235BED24F242878D04C7E87B8687
7580	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651		binary
		MD5:D1E040431AFD7E2379F64833898DA325	SHA256:560FF593291C1DBC1BC9A2E51D4A0CF3972A145AC51A1405223A69B68378E72A
7908	msiexec.exe	C:\Users\admin\AppData\Local\Temp\{18C75354-A84E-4B0D-B1C0-4E033A4E8408}\Description.xml		xml
		MD5:DB652FE052A41D46E204117799D3B613	SHA256:A45FB14A4BA17E523DA67995B052EA15176261DC65A12B2E875F9F4EE845BB32
7580	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141		binary
		MD5:2ED561D953559FC6459EDB2AD1276254	SHA256:73CEEB2CBA87C800169DFE2B114F2265D8D8E9707CA2B009F2DE131B8386DE9A
7580	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651		binary
		MD5:86FFC8D93B8A6E5AB36728DD34B0F070	SHA256:1D1964277B161147460B0E15AE47FF9CD90D34097622BF1F23A34721BD61B54B
7852	msiexec.exe	C:\System Volume Information\SPP\snapshot-2		binary
		MD5:3B72046F974A860F454F1467A95332E6	SHA256:7AFDF612E7F4917290AE71173BB62902A7858C2CFC3D627A67ECC220748A0F00
7580	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB		binary
		MD5:CDB4CBF3BC6C2A316482E7B9ECD54454	SHA256:CA20962C42333B8D409C9D12963A1CAF11882998779319242028D4D03C6511E2
7852	msiexec.exe	C:\Windows\Installer\MSID36A.tmp		executable
		MD5:86DD87C7ABD8582D9FA3906435F263EE	SHA256:537D1DBDBB95F90DE1F4E104D6E5D5A27D233B362AFF771E4C11660641803800

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5496	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	2.19.11.105:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	304	172.202.163.200:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	unknown
—	—	GET	200	172.202.163.200:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	unknown
7580	msiexec.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D	unknown	—	—	whitelisted
7580	msiexec.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D	unknown	—	—	whitelisted
7580	msiexec.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAx%2B7MjF4dH7UpJWotMQ8HE%3D	unknown	—	—	whitelisted
7588	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
7588	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
—	—	GET	200	172.202.163.200:443	https://slscr.update.microsoft.com/sls/ping	unknown	—	—	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
5496	MoUsoCoreWorker.exe	2.19.11.105:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
5496	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
—	—	40.126.32.138:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6544	svchost.exe	40.126.32.138:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3216	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.124.78.146	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
google.com	142.250.185.174	whitelisted
crl.microsoft.com	2.19.11.105 2.19.11.120	whitelisted
www.microsoft.com	95.101.149.131 2.23.246.101	whitelisted
login.live.com	40.126.32.138 20.190.160.66 20.190.160.67 40.126.32.74 40.126.32.76 40.126.32.140 20.190.160.130 20.190.160.131	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted
ocsp.digicert.com	2.23.77.188 184.30.131.245	whitelisted
fe3cr.delivery.mp.microsoft.com	13.95.31.18	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224 20.83.72.98	whitelisted

PID	Process	Class	Message
2196	svchost.exe	Misc activity	ET INFO Splashtop Domain in DNS Lookup (splashtop .com)
7792	strwinclt.exe	Misc activity	ET INFO Splashtop Domain (splashtop .com) in TLS SNI
3028	msedge.exe	Misc activity	ET INFO Splashtop Domain in DNS Lookup (splashtop .com)
3028	msedge.exe	Misc activity	ET INFO Splashtop Domain in DNS Lookup (splashtop .com)
3028	msedge.exe	Misc activity	ET INFO Splashtop Domain (splashtop .com) in TLS SNI
7792	strwinclt.exe	Misc activity	ET INFO Splashtop Domain (splashtop .com) in TLS SNI
3028	msedge.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
3028	msedge.exe	Misc activity	ET INFO Splashtop Domain (splashtop .com) in TLS SNI
3028	msedge.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
2196	svchost.exe	Misc activity	ET INFO Splashtop Domain in DNS Lookup (splashtop .com)

Process	Message
SRUpdateService.exe	[ClientService][8044:7964]2025-04-29 13:52:52 StartService Begin Err:0
SRUpdateService.exe	[ClientService][8044:3784]2025-04-29 13:52:52 SetStatus to 2, err(0) Err:0
SRUpdateService.exe	[ClientService][8044:3784]2025-04-29 13:52:52 Run! Err:3
SRUpdateService.exe	[ClientService][8044:3784]2025-04-29 13:52:52 SetStatus to 4, err(3) Err:3

General Info

Splashtop_Business_Win_INSTALLER_v3.7.2.3.msi

27487ED4FEFFFD6F8601C3D84D82F549

8D5CEC80A5E6A05339DA0C75ACD8C4FC071996FA

309D3C316D45B6E4A0C3E7A0CBC5686A450A6C74945FBADA0340A4EE8C5AD846

393216:CGGTedoatDPTc33WgmmvdFs4QkKGCmXZdkOR+5UMtMrQC+X3+q:CpTed7cxdFs4QkXCmXZCoItzxH+q

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Executes as Windows Service

Starts CMD.EXE for commands execution

Drops a system driver (possible attempt to evade defenses)

Process drops legitimate windows executable

Node.exe was dropped

Uses WEVTUTIL.EXE to remove publishers and event logs from the manifest

Executable content was dropped or overwritten

Stops a currently running service

Uses WEVTUTIL.EXE to install publishers and event logs from the manifest

Executing commands from a ".bat" file

Application launched itself

INFO

Reads security settings of Internet Explorer

Creates files or folders in the user directory

Reads the computer name

Reads the software policy settings

Checks supported languages

The sample compiled with english language support

Executable content was dropped or overwritten

Create files in a temporary directory

Manages system restore points

Application launched itself

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings