File name:

abc.msi

Full analysis: https://app.any.run/tasks/5863bfb4-0e90-4f03-a43b-e6a9927c9ea0
Verdict: Malicious activity
Analysis date: March 19, 2025, 15:31:43
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Blank Project Template, Author: InstallShield, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2021 - Premier Edition with Virtualization Pack 27, Last Saved Time/Date: Tue Mar 18 17:13:31 2025, Create Time/Date: Tue Mar 18 17:13:31 2025, Last Printed: Tue Mar 18 17:13:31 2025, Revision Number: {178F8BDA-8769-4BCF-9A0B-9ECDF828C1CD}, Code page: 1252, Template: Intel;1033
MD5:

E4D59F25997603B092E55B0041762565

SHA1:

1906CB0DA1F47FE137B284CC4C1F86ECA8912CB7

SHA256:

7DA1254753F2520D733F7DC27A5BBD7FCA239953154E1EB8ABF1C9981CEACC31

SSDEEP:

98304:5SngC5BEc/zQN2+nsZGgx+5QGN4zKRUVT/h0o0MzqOlg3kS765We0yWP7fuvqtwo:YJGj3obHJ/GMSgUs2FuyIZVIAg1pL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • ISBEW64.exe (PID: 3156)
      • ISBEW64.exe (PID: 6300)
      • ISBEW64.exe (PID: 2340)
      • ISBEW64.exe (PID: 3676)
      • ISBEW64.exe (PID: 2692)
      • ISBEW64.exe (PID: 3268)
      • ISBEW64.exe (PID: 7084)
      • ISBEW64.exe (PID: 6644)
      • ISBEW64.exe (PID: 4428)
      • ISBEW64.exe (PID: 5960)

  • SUSPICIOUS

    • The process drops C-runtime libraries

      • msiexec.exe (PID: 4408)
      • QQPlayer.exe (PID: 5544)

    • Process drops legitimate windows executable

      • msiexec.exe (PID: 4408)
      • QQPlayer.exe (PID: 5544)

    • Executable content was dropped or overwritten

      • QQPlayer.exe (PID: 5544)
      • ftp.exe (PID: 6032)

    • Starts itself from another location

      • QQPlayer.exe (PID: 5544)

    • Reads the date of Windows installation

      • Launchdemo_1.exe (PID: 2268)

  • INFO

    • Checks supported languages

      • msiexec.exe (PID: 1188)
      • msiexec.exe (PID: 4408)
      • ISBEW64.exe (PID: 3156)
      • ISBEW64.exe (PID: 6300)
      • ISBEW64.exe (PID: 2340)
      • ISBEW64.exe (PID: 2692)
      • ISBEW64.exe (PID: 3676)
      • ISBEW64.exe (PID: 3268)
      • ISBEW64.exe (PID: 6644)
      • ISBEW64.exe (PID: 4428)
      • ISBEW64.exe (PID: 7084)
      • ISBEW64.exe (PID: 5960)
      • QQPlayer.exe (PID: 5544)
      • QQPlayer.exe (PID: 6244)
      • Launchdemo_1.exe (PID: 2268)

    • An automatically generated document

      • msiexec.exe (PID: 4560)

    • Reads the computer name

      • msiexec.exe (PID: 1188)
      • msiexec.exe (PID: 4408)
      • ISBEW64.exe (PID: 3156)
      • ISBEW64.exe (PID: 6300)
      • ISBEW64.exe (PID: 2340)
      • ISBEW64.exe (PID: 3676)
      • ISBEW64.exe (PID: 2692)
      • ISBEW64.exe (PID: 7084)
      • ISBEW64.exe (PID: 3268)
      • ISBEW64.exe (PID: 6644)
      • ISBEW64.exe (PID: 4428)
      • ISBEW64.exe (PID: 5960)
      • QQPlayer.exe (PID: 5544)
      • QQPlayer.exe (PID: 6244)
      • Launchdemo_1.exe (PID: 2268)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 4408)
      • msiexec.exe (PID: 4560)

    • The sample compiled with chinese language support

      • msiexec.exe (PID: 4408)
      • QQPlayer.exe (PID: 5544)

    • The sample compiled with english language support

      • msiexec.exe (PID: 4560)
      • msiexec.exe (PID: 4408)
      • QQPlayer.exe (PID: 5544)

    • Create files in a temporary directory

      • msiexec.exe (PID: 4408)
      • QQPlayer.exe (PID: 6244)
      • ftp.exe (PID: 6032)

    • Creates files or folders in the user directory

      • QQPlayer.exe (PID: 5544)

    • Manual execution by a user

      • OpenWith.exe (PID: 7020)

    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 7020)

    • Reads the machine GUID from the registry

      • Launchdemo_1.exe (PID: 2268)

    • Checks proxy server information

      • Launchdemo_1.exe (PID: 2268)

    • Reads the software policy settings

      • Launchdemo_1.exe (PID: 2268)
      • slui.exe (PID: 5436)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (84.2)
.mst | Windows SDK Setup Transform Script (9.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Characters: -
LastModifiedBy: InstallShield
Words: -
Title: Installation Database
Comments: Contact: Your local administrator
Keywords: Installer,MSI,Database
Subject: Blank Project Template
Author: InstallShield
Security: Password protected
Pages: 200
Software: InstallShield? 2021 - Premier Edition with Virtualization Pack 27
ModifyDate: 2025:03:18 17:13:31
CreateDate: 2025:03:18 17:13:31
LastPrinted: 2025:03:18 17:13:31
RevisionNumber: {178F8BDA-8769-4BCF-9A0B-9ECDF828C1CD}
CodePage: Windows Latin 1 (Western European)
Template: Intel;1033
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
144
Monitored processes
21
Malicious processes
2
Suspicious processes
11

Behavior graph

Click at the process to see the details
start msiexec.exe msiexec.exe no specs msiexec.exe isbew64.exe no specs isbew64.exe no specs isbew64.exe no specs isbew64.exe no specs isbew64.exe no specs isbew64.exe no specs isbew64.exe no specs isbew64.exe no specs isbew64.exe no specs isbew64.exe no specs qqplayer.exe qqplayer.exe no specs ftp.exe conhost.exe no specs openwith.exe no specs launchdemo_1.exe slui.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
728\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeftp.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1188C:\WINDOWS\system32\msiexec.exe /VC:\Windows\System32\msiexec.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2268C:\Users\admin\AppData\Local\Temp\Launchdemo_1.exeC:\Users\admin\AppData\Local\Temp\Launchdemo_1.exe
ftp.exe
User:
admin
Company:
Nenad Hrg (SoftwareOK.com)
Integrity Level:
MEDIUM
Description:
Q-Dir
Version:
11,4,4,0
Modules
Images
c:\users\admin\appdata\local\temp\llemkysxsktr
c:\users\admin\appdata\local\temp\launchdemo_1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
2340C:\Users\admin\AppData\Local\Temp\{E710BD60-5C23-4C9C-BA69-E5292EB0B150}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1B5E93B2-2794-49D8-8F35-AD94A5B56B15}C:\Users\admin\AppData\Local\Temp\{E710BD60-5C23-4C9C-BA69-E5292EB0B150}\ISBEW64.exemsiexec.exe
User:
admin
Company:
Flexera
Integrity Level:
MEDIUM
Description:
InstallShield (R) 64-bit Setup Engine
Exit code:
0
Version:
27.0.58
Modules
Images
c:\users\admin\appdata\local\temp\{e710bd60-5c23-4c9c-ba69-e5292eb0b150}\isbew64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
2692C:\Users\admin\AppData\Local\Temp\{E710BD60-5C23-4C9C-BA69-E5292EB0B150}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5FB2A5E7-E868-41D0-8DD2-E2CD7C1D7F2B}C:\Users\admin\AppData\Local\Temp\{E710BD60-5C23-4C9C-BA69-E5292EB0B150}\ISBEW64.exemsiexec.exe
User:
admin
Company:
Flexera
Integrity Level:
MEDIUM
Description:
InstallShield (R) 64-bit Setup Engine
Exit code:
0
Version:
27.0.58
Modules
Images
c:\users\admin\appdata\local\temp\{e710bd60-5c23-4c9c-ba69-e5292eb0b150}\isbew64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
3156C:\Users\admin\AppData\Local\Temp\{E710BD60-5C23-4C9C-BA69-E5292EB0B150}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BED261B4-251A-42A5-982A-D464D2941005}C:\Users\admin\AppData\Local\Temp\{E710BD60-5C23-4C9C-BA69-E5292EB0B150}\ISBEW64.exemsiexec.exe
User:
admin
Company:
Flexera
Integrity Level:
MEDIUM
Description:
InstallShield (R) 64-bit Setup Engine
Exit code:
0
Version:
27.0.58
Modules
Images
c:\users\admin\appdata\local\temp\{e710bd60-5c23-4c9c-ba69-e5292eb0b150}\isbew64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
3268C:\Users\admin\AppData\Local\Temp\{E710BD60-5C23-4C9C-BA69-E5292EB0B150}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{00DC2077-4C8A-42F3-9B2A-4AED163DBC12}C:\Users\admin\AppData\Local\Temp\{E710BD60-5C23-4C9C-BA69-E5292EB0B150}\ISBEW64.exemsiexec.exe
User:
admin
Company:
Flexera
Integrity Level:
MEDIUM
Description:
InstallShield (R) 64-bit Setup Engine
Exit code:
0
Version:
27.0.58
Modules
Images
c:\users\admin\appdata\local\temp\{e710bd60-5c23-4c9c-ba69-e5292eb0b150}\isbew64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
3676C:\Users\admin\AppData\Local\Temp\{E710BD60-5C23-4C9C-BA69-E5292EB0B150}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9FA7BA4A-7BC6-44BB-8551-46A79EB29FD2}C:\Users\admin\AppData\Local\Temp\{E710BD60-5C23-4C9C-BA69-E5292EB0B150}\ISBEW64.exemsiexec.exe
User:
admin
Company:
Flexera
Integrity Level:
MEDIUM
Description:
InstallShield (R) 64-bit Setup Engine
Exit code:
0
Version:
27.0.58
Modules
Images
c:\users\admin\appdata\local\temp\{e710bd60-5c23-4c9c-ba69-e5292eb0b150}\isbew64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
4408C:\Windows\syswow64\MsiExec.exe -Embedding A05A06C418EF905295041F65DE23BDDC CC:\Windows\SysWOW64\msiexec.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
Total events
8 336
Read events
8 336
Write events
0
Delete events
0

Modification events

No data
Executable files
47
Suspicious files
5
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
4408msiexec.exeC:\Users\admin\AppData\Local\Temp\{D834CE9F-665F-4B59-A2FD-050F1355C2C3}\cerebrotonia.xls
MD5:
SHA256:
4408msiexec.exeC:\Users\admin\AppData\Local\Temp\{D834CE9F-665F-4B59-A2FD-050F1355C2C3}\AsyncTask.dllexecutable
MD5:8AD07F53E87FCC18D62BD016AE18607D
SHA256:10AD2B5CEE7CF2BE73C8B5E33DB376BF51AF570E7365F7F8681670F8410F5883
4408msiexec.exeC:\Users\admin\AppData\Local\Temp\{D834CE9F-665F-4B59-A2FD-050F1355C2C3}\QQPlayer.exeexecutable
MD5:597385A4D031B1CE29EB149E109D2056
SHA256:9FFE2EE8C28ECD306328D61092CCA5270C2C6F73B37C75D51C4F83D56BF02F56
4408msiexec.exeC:\Users\admin\AppData\Local\Temp\{D834CE9F-665F-4B59-A2FD-050F1355C2C3}\libeay32.dllexecutable
MD5:E709374BFC5D26439A4B626520D2DBBB
SHA256:7CEE2F68FA47F8F1657E9F5238B203B4966BD20CB3B506CB69C5DA645A1CFFDE
4408msiexec.exeC:\Users\admin\AppData\Local\Temp\{D834CE9F-665F-4B59-A2FD-050F1355C2C3}\QQPlayerBase.dllexecutable
MD5:FD0D21AFAA1112D34F2317FFD17431C6
SHA256:D0FEC47C045E08635D0AE5459CAE2CE6A4A9F75A38D0AA44C8AFD4478C7F9A44
4408msiexec.exeC:\Users\admin\AppData\Local\Temp\{D834CE9F-665F-4B59-A2FD-050F1355C2C3}\Common.dllexecutable
MD5:DB7F889A32083695AD19C0328F31503F
SHA256:E3786CEEF2B7207512140843702A2782F0C8351C486FDA4C89081430C2980F55
4408msiexec.exeC:\Users\admin\AppData\Local\Temp\{D834CE9F-665F-4B59-A2FD-050F1355C2C3}\campo.wavbinary
MD5:9B88E10A397EDC32D62C8356C71DF06C
SHA256:B6135D3D9A66E39BA10CC381D833B0FF5BFB66B29D9A195FCC0FAE0E9F145F9D
4408msiexec.exeC:\Users\admin\AppData\Local\Temp\{D834CE9F-665F-4B59-A2FD-050F1355C2C3}\LIBCURL.dllexecutable
MD5:9C7232E92A2936844D753239233246CD
SHA256:7DE31F5ACE824EA7DD845B71A6EEDB921A04DED24BD4172D21D849879DE17129
4408msiexec.exeC:\Users\admin\AppData\Local\Temp\{D834CE9F-665F-4B59-A2FD-050F1355C2C3}\libexpat.dllexecutable
MD5:E92990C951FDF5ADF27348C42EE4FD87
SHA256:D5C80D353FA48FE010F0652CD92C571DACDED2F8321C83210A37A633F3EA8172
4408msiexec.exeC:\Users\admin\AppData\Local\Temp\{D834CE9F-665F-4B59-A2FD-050F1355C2C3}\LogManager.dllexecutable
MD5:02DDDBE5C5305916B0D09566011D5C50
SHA256:D25CB56B0090A015E4C759F44766A411203C01C3E76F02E5AD2B257954FD4E5F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
23
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.48.23.190:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
204
104.21.73.174:443
https://tastedata.shop/ag-ap.php?z9nroyvgbw=gQ6ChFCc2mogCbPX74cABgkhnZF3P%2BsYo%2F7lDl4tw6plkbJ9O6tyQGzfwdXoS%2BI6
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:137
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:138
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
23.48.23.190:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3812
svchost.exe
239.255.255.250:1900
whitelisted
1760
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2268
Launchdemo_1.exe
104.21.73.174:443
tastedata.shop
CLOUDFLARENET
malicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 23.48.23.190
  • 23.48.23.180
  • 23.48.23.171
  • 23.48.23.176
  • 23.48.23.183
  • 23.48.23.179
  • 23.48.23.191
  • 23.48.23.169
  • 23.48.23.178
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
tastedata.shop
  • 104.21.73.174
  • 172.67.146.161
malicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
abc.msi