File name:	Splashtop_Business_Win_INSTALLER_v3.7.2.3.msi
Full analysis:	https://app.any.run/tasks/e175a421-9519-4aeb-ab14-aff1cf01cfd5
Verdict:	Malicious activity
Analysis date:	April 29, 2025, 13:50:42
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	generated-doc
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 936, Title: Installation Database, Subject: Splashtop Remote Client, Author: Splashtop Inc., Keywords: Installer,MSI,Database, Comments: Splashtop Client Installer, Create Time/Date: Tue Oct 29 14:53:52 2024, Name of Creating Application: InstallShield?2021 27, Security: 1, Template: Intel;0,1033,2052,1028,1036,1031,1040,1041,1042,1046,1049,1034, Last Saved By: Intel;2052, Revision Number: {CE24147F-F177-4370-85CB-39DFC5E7F2C4}3.7.203.0;{CE24147F-F177-4370-85CB-39DFC5E7F2C4}3.7.203.0;{221C0F53-5ACA-4651-8CF7-17046364B94E}, Number of Pages: 200, Number of Characters: 1
MD5:	27487ED4FEFFFD6F8601C3D84D82F549
SHA1:	8D5CEC80A5E6A05339DA0C75ACD8C4FC071996FA
SHA256:	309D3C316D45B6E4A0C3E7A0CBC5686A450A6C74945FBADA0340A4EE8C5AD846
SSDEEP:	393216:CGGTedoatDPTc33WgmmvdFs4QkKGCmXZdkOR+5UMtMrQC+X3+q:CpTed7cxdFs4QkXCmXZCoItzxH+q

.msi	\|	Microsoft Windows Installer (84.2)
.mst	\|	Windows SDK Setup Transform Script (9.5)
.msi	\|	Microsoft Installer (100)

Characters:	-
LastModifiedBy:	InstallShield
Words:	-
Title:	Installation Database
Comments:	Splashtop Client Installer
Keywords:	Installer,MSI,Database
Subject:	Splashtop Remote Client
Author:	Splashtop Inc.
Security:	Password protected
Pages:	200
Software:	InstallShield? 2021 27
ModifyDate:	2024:10:29 14:53:51
CreateDate:	2024:10:29 14:53:51
LastPrinted:	2024:10:29 14:53:51
RevisionNumber:	{8BBE7D31-739E-4D59-B06B-48EC2A68B26D}
CodePage:	Unknown (0)
Template:	Intel;1033,1028,1031,1034,1036,1040,1041,1042,1046,1049,2052


(PID) Process:	(7852) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 4800000000000000F2994BD50DB9DB01AC1E0000381F0000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(7852) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Enter)
Value: 4800000000000000F2994BD50DB9DB01AC1E0000381F0000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(7852) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Leave)
Value: 4800000000000000FC5EF7D50DB9DB01AC1E0000381F0000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(7852) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Enter)
Value: 4800000000000000FC5EF7D50DB9DB01AC1E0000381F0000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(7852) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Leave)
Value: 48000000000000005C1101D60DB9DB01AC1E0000381F0000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(7852) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppCreate (Enter)
Value: 4800000000000000C6FE07D60DB9DB01AC1E0000381F0000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(7852) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGatherWriterMetadata (Enter)
Value: 48000000000000001EF8D4D60DB9DB01AC1E0000381F0000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(8008) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
Operation:	write	Name:	IDENTIFY (Leave)
Value: 48000000000000004A21FBD60DB9DB01481F0000641F0000E80300000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(8008) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(8008) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001
Operation:	write	Name:	Element
Value: 0000000000000000000000000000000006000000000000004800000000000000715E5C2FA985EB1190A89A9B763584210000000000000000745E5C2FA985EB1190A89A9B7635842100000000000000000000000000000000

PID	Process	Filename		Type
7852	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
7852	msiexec.exe	C:\Windows\Installer\11bfe2.msi		—
		MD5:—	SHA256:—
7580	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651		binary
		MD5:D1E040431AFD7E2379F64833898DA325	SHA256:560FF593291C1DBC1BC9A2E51D4A0CF3972A145AC51A1405223A69B68378E72A
7580	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB		binary
		MD5:F59BE0E1182F6E3F9D06C9E2B1BEE856	SHA256:BD4592F1B2D0F30332FE8F9989ECC69EC429E73BC9C59F59484ED5C4FA1C0277
7580	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB		binary
		MD5:CDB4CBF3BC6C2A316482E7B9ECD54454	SHA256:CA20962C42333B8D409C9D12963A1CAF11882998779319242028D4D03C6511E2
7200	msiexec.exe	C:\Users\admin\AppData\Local\Temp\{FDFBC62B-5C04-400F-8F46-C34592DE06A6}\ISRT.dll		executable
		MD5:85315AD538FA5AF8162F1CD2FCE1C99D	SHA256:70735B13F629F247D6AF2BE567F2DA8112039FBCED5FBB37961E53A2A3EC1EC7
7852	msiexec.exe	C:\Windows\Installer\MSID36A.tmp		executable
		MD5:86DD87C7ABD8582D9FA3906435F263EE	SHA256:537D1DBDBB95F90DE1F4E104D6E5D5A27D233B362AFF771E4C11660641803800
7200	msiexec.exe	C:\Users\admin\AppData\Local\Temp\{FDFBC62B-5C04-400F-8F46-C34592DE06A6}\setup.inx		binary
		MD5:559E46B48ACE152340EFC790AF6E0DD0	SHA256:7C51262A10596420607732688E2AF0C6D4A3C0950701C22A17EA102720770F43
7852	msiexec.exe	C:\System Volume Information\SPP\OnlineMetadataCache\{5f09ceb9-65eb-4a1b-b945-841659990448}_OnDiskSnapshotProp		binary
		MD5:3B72046F974A860F454F1467A95332E6	SHA256:7AFDF612E7F4917290AE71173BB62902A7858C2CFC3D627A67ECC220748A0F00
7200	msiexec.exe	C:\Users\admin\AppData\Local\Temp\{FDFBC62B-5C04-400F-8F46-C34592DE06A6}\IsConfig.ini		text
		MD5:9FA2A198E47E353CAA603C795A8F9C1C	SHA256:1C403218FD0B2236C0E9FDEF576258619F44274ADF85D6C27E8F0C81B98C3B3E

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5496	MoUsoCoreWorker.exe	GET	200	2.19.11.105:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	304	172.202.163.200:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
—	—	GET	200	172.202.163.200:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
7580	msiexec.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D	unknown	—	—	whitelisted
7580	msiexec.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D	unknown	—	—	whitelisted
7580	msiexec.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAx%2B7MjF4dH7UpJWotMQ8HE%3D	unknown	—	—	whitelisted
7588	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
7588	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
—	—	GET	200	13.85.23.206:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
5496	MoUsoCoreWorker.exe	2.19.11.105:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
5496	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
—	—	40.126.32.138:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6544	svchost.exe	40.126.32.138:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3216	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.124.78.146	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
google.com	142.250.185.174	whitelisted
crl.microsoft.com	2.19.11.105 2.19.11.120	whitelisted
www.microsoft.com	95.101.149.131 2.23.246.101	whitelisted
login.live.com	40.126.32.138 20.190.160.66 20.190.160.67 40.126.32.74 40.126.32.76 40.126.32.140 20.190.160.130 20.190.160.131	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted
ocsp.digicert.com	2.23.77.188 184.30.131.245	whitelisted
fe3cr.delivery.mp.microsoft.com	13.95.31.18	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224 20.83.72.98	whitelisted

PID	Process	Class	Message
2196	svchost.exe	Misc activity	ET INFO Splashtop Domain in DNS Lookup (splashtop .com)
7792	strwinclt.exe	Misc activity	ET INFO Splashtop Domain (splashtop .com) in TLS SNI
3028	msedge.exe	Misc activity	ET INFO Splashtop Domain in DNS Lookup (splashtop .com)
3028	msedge.exe	Misc activity	ET INFO Splashtop Domain in DNS Lookup (splashtop .com)
3028	msedge.exe	Misc activity	ET INFO Splashtop Domain (splashtop .com) in TLS SNI
7792	strwinclt.exe	Misc activity	ET INFO Splashtop Domain (splashtop .com) in TLS SNI
3028	msedge.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
3028	msedge.exe	Misc activity	ET INFO Splashtop Domain (splashtop .com) in TLS SNI
3028	msedge.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
2196	svchost.exe	Misc activity	ET INFO Splashtop Domain in DNS Lookup (splashtop .com)

Process	Message
SRUpdateService.exe	[ClientService][8044:7964]2025-04-29 13:52:52 StartService Begin Err:0
SRUpdateService.exe	[ClientService][8044:3784]2025-04-29 13:52:52 SetStatus to 2, err(0) Err:0
SRUpdateService.exe	[ClientService][8044:3784]2025-04-29 13:52:52 Run! Err:3
SRUpdateService.exe	[ClientService][8044:3784]2025-04-29 13:52:52 SetStatus to 4, err(3) Err:3

General Info

Splashtop_Business_Win_INSTALLER_v3.7.2.3.msi

27487ED4FEFFFD6F8601C3D84D82F549

8D5CEC80A5E6A05339DA0C75ACD8C4FC071996FA

309D3C316D45B6E4A0C3E7A0CBC5686A450A6C74945FBADA0340A4EE8C5AD846

393216:CGGTedoatDPTc33WgmmvdFs4QkKGCmXZdkOR+5UMtMrQC+X3+q:CpTed7cxdFs4QkXCmXZCoItzxH+q

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Executes as Windows Service

Stops a currently running service

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

Process drops legitimate windows executable

Drops a system driver (possible attempt to evade defenses)

Node.exe was dropped

Uses WEVTUTIL.EXE to remove publishers and event logs from the manifest

Executable content was dropped or overwritten

Uses WEVTUTIL.EXE to install publishers and event logs from the manifest

Application launched itself

INFO

Reads security settings of Internet Explorer

Creates files or folders in the user directory

Reads the computer name

Checks supported languages

Reads the software policy settings

Executable content was dropped or overwritten

The sample compiled with english language support

Create files in a temporary directory

Manages system restore points

Application launched itself

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings