File name: SMathStudioDesktop.1_0_8348.Setup.msi

Full analysis: https://app.any.run/tasks/5a0c40ee-1d1e-4512-949d-a32040fbe186
Verdict: Malicious activity
Analysis date: November 27, 2023, 05:54:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1251, Title: Installation Database, Subject: SMath Studio, Author: Andrey Ivashov, Keywords: Installer, MSI, Database, Comments: , [|[ProductName]., Create Time/Date: Fri Dec 11 11:47:46 2009, Name of Creating Application: Advanced Installer 12.7.2 build 68656, Security: 0, Template: ;1033, Last Saved By: ;1049, Revision Number: {555B4C90-3F02-433D-8EFA-5B1368512FDC}1.0.8348;{555B4C90-3F02-433D-8EFA-5B1368512FDC}1.0.8348;{CCF079E0-097E-49B3-86C0-FFA1263C6653}, Number of Pages: 200, Number of Characters: 63
MD5: AC73A7B6F44FD1670943C7DE8E5ABA58
SHA1: BBA458E4D3C493F6AAAEA4FC8F184F436DC1B61B
SHA256: A470F0E666755788E7894F7D290183FE3CAE91BA1508D3D2F1D2C7ED57DD647A
SSDEEP: 98304:g6Mt0wBah183JMfv3jquSWTxdLqw85FSK17+qSIO0H+BbbAUB/yM4rOZN1wxYbNw:jV1Y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 3376)
  • SUSPICIOUS

    • Checks Windows Trust Settings

      • msiexec.exe (PID: 3376)
    • Changes default file association

      • msiexec.exe (PID: 3376)
    • Reads Internet Explorer settings

      • Solver.exe (PID: 2304)
    • Reads the Internet Settings

      • Solver.exe (PID: 2304)
      • msiexec.exe (PID: 2476)
    • Reads settings of System Certificates

      • Solver.exe (PID: 2304)
  • INFO

    • Checks supported languages

      • msiexec.exe (PID: 2476)
      • msiexec.exe (PID: 3376)
      • msiexec.exe (PID: 1452)
      • msiexec.exe (PID: 3984)
      • Solver.exe (PID: 2304)
      • wmpnscfg.exe (PID: 3108)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 844)
    • Application launched itself

      • msiexec.exe (PID: 3376)
    • Reads the computer name

      • msiexec.exe (PID: 3376)
      • msiexec.exe (PID: 2476)
      • msiexec.exe (PID: 1452)
      • msiexec.exe (PID: 3984)
      • Solver.exe (PID: 2304)
      • wmpnscfg.exe (PID: 3108)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 3376)
      • msiexec.exe (PID: 1452)
      • msiexec.exe (PID: 2476)
      • msiexec.exe (PID: 3984)
      • Solver.exe (PID: 2304)
      • wmpnscfg.exe (PID: 3108)
    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 844)
    • Create files in a temporary directory

      • msiexec.exe (PID: 3376)
    • Creates files or folders in the user directory

      • Solver.exe (PID: 2304)
    • Reads Environment values

      • Solver.exe (PID: 2304)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 3108)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (81.9)
.mst | Windows SDK Setup Transform Script (9.2)
.msp | Windows Installer Patch (7.6)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Title: Installation Database
Keywords: Installer, MSI, Database
LastPrinted: 2009:12:11 11:47:44
CreateDate: 2009:12:11 11:47:44
ModifyDate: 2009:12:11 11:47:44
Pages: 200
Security: None
CodePage: Windows Latin 1 (Western European)
RevisionNumber: {163D9656-3A8A-49BC-B026-CD5A84A186E5}
Words: 2
Subject: SMath Studio
Author: Andrey Ivashov
LastModifiedBy: -
Software: Advanced Installer 12.7.2 build 68656
Template: ;1033,1049
Comments: SMath Studio setup package.
Characters: 63
No data.
All screenshots are available in the full report
Total processes: 45
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 1

Behavior graph

(Graph image not reproduced.) Process chain shown: start, msiexec.exe (5 instances, no specs), solver.exe, wmpnscfg.exe (no specs)

Process information

PID: 844
CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Desktop\SMathStudioDesktop.1_0_8348.Setup.msi"
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\msiexec.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll

PID: 1452
CMD: C:\Windows\system32\MsiExec.exe -Embedding 7153DC63510EDFCE33AD27172924C256
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\msiexec.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll

PID: 2304
CMD: "C:\Program Files\SMath Studio\Solver.exe"
Path: C:\Program Files\SMath Studio\Solver.exe
Parent process: msiexec.exe
User: admin
Company: SMath LLC
Integrity Level: MEDIUM
Description: Solver
Exit code: 0
Version: 1.0.8348.30405
Modules (images): c:\program files\smath studio\solver.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\mscoree.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 2476
CMD: C:\Windows\system32\MsiExec.exe -Embedding 152443DE22C1C4C0A4B105275981C115 C
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\msiexec.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll

PID: 3108
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\program files\windows media player\wmpnscfg.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\sspicli.dll, c:\windows\system32\ole32.dll

PID: 3376
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\msiexec.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll

PID: 3984
CMD: C:\Windows\system32\MsiExec.exe -Embedding 67EE312E52D4D9861B0389B65EE932DB E Global\MSI0000
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\msiexec.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll
Total events: 11 535
Read events: 11 474
Write events: 48
Delete events: 13

Modification events

(PID) Process: (844) msiexec.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3376) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000_CLASSES\Local Settings\MuiCache\17F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3376) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Andrey Ivashov.SMath Studio\shell\printto\command
Operation: write
Name: command
Value: a1qLC?`u[9vCs6)CU5joCore>]nLw1u`Rd=uHpJWl_xHE -silent "%1" -p "%2"

(PID) Process: (3376) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Andrey Ivashov.SMath Studio.sm\shell\printto\command
Operation: write
Name: command
Value: a1qLC?`u[9vCs6)CU5joCore>i2a`Cxam998063koCMZk -silent "%1" -p "%2"

(PID) Process: (3376) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Andrey Ivashov.SMath Studio.smz\shell\printto\command
Operation: write
Name: command
Value: a1qLC?`u[9vCs6)CU5joCore>i2a`Cxam998063koCMZk -silent "%1" -p "%2"

(PID) Process: (3376) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings
Operation: write
Name: StringCacheGeneration
Value: 383

(PID) Process: (3376) msiexec.exe
Key: HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\17F\52C64B7E
Operation: delete key
Name: (default)
Value: (none)

(PID) Process: (3376) msiexec.exe
Key: HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\17F
Operation: delete key
Name: (default)
Value: (none)

(PID) Process: (3376) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: delete value
Name: C:\Config.Msi\1c1547.rbs
Value: 31072502

(PID) Process: (3376) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: delete key
Name: (default)
Value: (none)
Executable files: 36
Suspicious files: 9
Text files: 113
Unknown types: 0

Dropped files

PID: 3376 | Process: msiexec.exe | Filename: C:\Users\admin\AppData\Local\Temp\~DFC127E472CB013FF7.TMP | Type: binary
MD5: 420096E979D57204EA825C0C59A8AC35
SHA256: 9DAA5DDF256ECE8E3F443F6F364CE8706966D211D051A8BC03DABDC2008E60BC

PID: 3376 | Process: msiexec.exe | Filename: C:\Windows\Installer\MSI1805.tmp | Type: executable
MD5: 0DB8E2406D4581F8FA1106AE19DC1B25
SHA256: 3FFBA4D5E3DDFB15EA92C9C48C188FE9A488EEEE2D8D3403B7850BBF12FD1085

PID: 844 | Process: msiexec.exe | Filename: C:\Users\admin\AppData\Local\Temp\MSIE474.tmp | Type: executable
MD5: 0DB8E2406D4581F8FA1106AE19DC1B25
SHA256: 3FFBA4D5E3DDFB15EA92C9C48C188FE9A488EEEE2D8D3403B7850BBF12FD1085

PID: 844 | Process: msiexec.exe | Filename: C:\Users\admin\AppData\Local\Temp\MSIE453.tmp | Type: executable
MD5: 458D5F11A3ACF768C9FEB816D8E6EBCB
SHA256: 8FD3BF286E149B31E68CFB8446C8060327A700CF8C92930DED5FB6185D0392D8

PID: 844 | Process: msiexec.exe | Filename: C:\Users\admin\AppData\Local\Temp\MSIA8.tmp | Type: executable
MD5: 0DB8E2406D4581F8FA1106AE19DC1B25
SHA256: 3FFBA4D5E3DDFB15EA92C9C48C188FE9A488EEEE2D8D3403B7850BBF12FD1085

PID: 3376 | Process: msiexec.exe | Filename: C:\Program Files\SMath Studio\book\10_2.sm | Type: xml
MD5: ACD1254A0BF603764FB18A4A007539CD
SHA256: E87B89C3A6B0CB2DBCE2D3376087827926A800CA16AC2EB35E6C86D3FB16F24D

PID: 3376 | Process: msiexec.exe | Filename: C:\Windows\Installer\MSI1777.tmp | Type: executable
MD5: 0DB8E2406D4581F8FA1106AE19DC1B25
SHA256: 3FFBA4D5E3DDFB15EA92C9C48C188FE9A488EEEE2D8D3403B7850BBF12FD1085

PID: 3376 | Process: msiexec.exe | Filename: C:\Windows\Installer\1c1546.ipi | Type: binary
MD5: 8F7ED233E20B78C222FD9298BD102694
SHA256: 894610A6B43FA5A57A866956B690079D0E614599A4EF387A738B3A4917E6B454

PID: 3376 | Process: msiexec.exe | Filename: C:\Program Files\SMath Studio\book\13_2.sm | Type: xml
MD5: ABF19AA4E9D1CEA648642D5565071783
SHA256: BFFD92CD65966F73202858CC6F11EDCE013E5E198C3096793391AB2476E616B2

PID: 3376 | Process: msiexec.exe | Filename: C:\Windows\Installer\MSI1892.tmp | Type: binary
MD5: F0D99962C66AA2E906E88FFD27FDB9B3
SHA256: 784DF5D295827A5C5555BCAB3E7753C556DCB6E8908F06D77586EA7519E99609
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 4 | Process: System | IP: 192.168.100.255:137 | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:138 | Reputation: whitelisted
PID: 1080 | Process: svchost.exe | IP: 224.0.0.252:5355 | Reputation: unknown
PID: 2588 | Process: svchost.exe | IP: 239.255.255.250:1900 | Reputation: whitelisted
PID: 2304 | Process: Solver.exe | IP: 93.191.60.124:443 | Domain: smath.com | ASN: OBIT Ltd. | CN: RU | Reputation: unknown

DNS requests

Domain: smath.com | IP: 93.191.60.124 | Reputation: unknown

Threats

No threats detected
No debug info