File name: SMathStudioDesktop.1_1_8763.Setup.msi

Full analysis: https://app.any.run/tasks/14bbfab2-ebaa-40b2-ac8d-a2ade10c1e65
Verdict: Malicious activity
Analysis date: January 20, 2024, 11:20:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1251, Title: Installation Database, Subject: SMath Studio, Author: , Keywords: Installer, MSI, Database, Comments: , [|[ProductName]., Create Time/Date: Fri Dec 11 11:47:46 2009, Name of Creating Application: Advanced Installer 12.7.2 build 68656, Security: 0, Template: ;1033, Last Saved By: ;1049, Revision Number: {749A8F4C-24FB-4635-8368-D91F883E8370}1.1.8763;{749A8F4C-24FB-4635-8368-D91F883E8370}1.1.8763;{CCF079E0-097E-49B3-86C0-FFA1263C6653}, Number of Pages: 200, Number of Characters: 63
MD5: 03A944861177D708048F4801C1369D02
SHA1: 0BA424EE0DA64FD2300C90AFFA12EA6B8DE0C83B
SHA256: FE023184EA82534A74E0DF22190F987E8A99233F209910C56F4D572431B96585
SSDEEP: 98304:OOgtUwBah183JpHUeF+4SNWbzQcXpKKRTulWmMqJ4E//J31tHN5fYawbPt4og4UP:Nc3A

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 2124)
      • msiexec.exe (PID: 1356)
  • SUSPICIOUS

    • Checks Windows Trust Settings

      • msiexec.exe (PID: 1356)
    • Changes default file association

      • msiexec.exe (PID: 1356)
    • Reads the Internet Settings

      • msiexec.exe (PID: 2068)
      • Solver.exe (PID: 844)
    • Reads settings of System Certificates

      • Solver.exe (PID: 844)
  • INFO

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 2124)
    • Checks supported languages

      • msiexec.exe (PID: 1356)
      • msiexec.exe (PID: 2068)
      • wmpnscfg.exe (PID: 492)
      • msiexec.exe (PID: 1840)
      • Solver.exe (PID: 844)
    • Reads the computer name

      • msiexec.exe (PID: 1356)
      • msiexec.exe (PID: 2068)
      • wmpnscfg.exe (PID: 492)
      • msiexec.exe (PID: 1840)
      • Solver.exe (PID: 844)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 2124)
      • msiexec.exe (PID: 1356)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 1356)
      • msiexec.exe (PID: 2068)
      • msiexec.exe (PID: 1840)
      • Solver.exe (PID: 844)
    • Application launched itself

      • msiexec.exe (PID: 1356)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 492)
    • Create files in a temporary directory

      • msiexec.exe (PID: 1356)
    • Creates files or folders in the user directory

      • Solver.exe (PID: 844)
      • msiexec.exe (PID: 1356)
    • Reads Environment values

      • Solver.exe (PID: 844)
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (81.9)
.mst | Windows SDK Setup Transform Script (9.2)
.msp | Windows Installer Patch (7.6)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Title: Installation Database
Keywords: Installer, MSI, Database
LastPrinted: 2009:12:11 11:47:44
CreateDate: 2009:12:11 11:47:44
ModifyDate: 2009:12:11 11:47:44
Pages: 200
Security: None
CodePage: Windows Latin 1 (Western European)
RevisionNumber: {6AAE4F29-F3CE-4559-B2AC-55F06D0F0319}
Words: 2
Subject: SMath Studio
Author: SMath LLC
LastModifiedBy: -
Software: Advanced Installer 12.7.2 build 68656
Template: ;1033,1049
Comments: SMath Studio setup package.
Characters: 63
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 1

Behavior graph

start -> msiexec.exe -> msiexec.exe -> msiexec.exe (no specs) -> wmpnscfg.exe (no specs) -> msiexec.exe (no specs) -> solver.exe

Process information

PID | CMD | Path | Indicators | Parent process

492 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | - | explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

844 | "C:\Users\admin\AppData\Local\Programs\SMath Studio\Solver.exe" | C:\Users\admin\AppData\Local\Programs\SMath Studio\Solver.exe | - | msiexec.exe
User: admin
Company: SMath LLC
Integrity Level: MEDIUM
Description: Solver
Exit code: 0
Version: 1.1.8763.0
Modules (images):
c:\users\admin\appdata\local\programs\smath studio\solver.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

1356 | C:\Windows\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | - | services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

1840 | C:\Windows\system32\MsiExec.exe -Embedding 49178103F8DC39C0741627A8DCF3B631 | C:\Windows\System32\msiexec.exe | - | msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2068 | C:\Windows\system32\MsiExec.exe -Embedding A1718659C95E29AA767185A3CEBAD05F C | C:\Windows\System32\msiexec.exe | - | msiexec.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2124 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\SMathStudioDesktop.1_1_8763.Setup.msi" | C:\Windows\System32\msiexec.exe | - | explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events: 15 018
Read events: 14 955
Write events: 53
Delete events: 10

Modification events

(PID) Process: (2124) msiexec.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (1356) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000_CLASSES\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (1356) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000_CLASSES\SMath LLC.SMath Studio\shell\printto\command
Operation: write
Name: command
Value: i=QPMoP~W=cD*8-4Ff1LCore>]nLw1u`Rd=uHpJWl_xHE -silent "%1" -p "%2"

(PID) Process: (1356) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000_CLASSES\SMath LLC.SMath Studio.sm\shell\printto\command
Operation: write
Name: command
Value: i=QPMoP~W=cD*8-4Ff1LCore>i2a`Cxam998063koCMZk -silent "%1" -p "%2"

(PID) Process: (1356) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000_CLASSES\SMath LLC.SMath Studio.smz\shell\printto\command
Operation: write
Name: command
Value: i=QPMoP~W=cD*8-4Ff1LCore>i2a`Cxam998063koCMZk -silent "%1" -p "%2"

(PID) Process: (1356) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000_CLASSES\Local Settings\MuiCache\182\52C64B7E
Operation: delete key
Name: (default)
Value:

(PID) Process: (1356) msiexec.exe
Key: HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000_CLASSES\Local Settings\MuiCache\182
Operation: delete key
Name: (default)
Value:

(PID) Process: (1356) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: delete value
Name: C:\Config.Msi\e65eb.rbs
Value: 31083410

(PID) Process: (1356) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation: delete key
Name: (default)
Value:

(PID) Process: (1356) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback
Operation: delete key
Name: (default)
Value:
Executable files: 36
Suspicious files: 9
Text files: 113
Unknown types: 0

Dropped files

PID | Process | Filename | Type

2124 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI4B.tmp | executable
MD5: 0DB8E2406D4581F8FA1106AE19DC1B25
SHA256: 3FFBA4D5E3DDFB15EA92C9C48C188FE9A488EEEE2D8D3403B7850BBF12FD1085

2124 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI8A.tmp | executable
MD5: 458D5F11A3ACF768C9FEB816D8E6EBCB
SHA256: 8FD3BF286E149B31E68CFB8446C8060327A700CF8C92930DED5FB6185D0392D8

2124 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSIAA.tmp | executable
MD5: 0DB8E2406D4581F8FA1106AE19DC1B25
SHA256: 3FFBA4D5E3DDFB15EA92C9C48C188FE9A488EEEE2D8D3403B7850BBF12FD1085

2124 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI4D55.tmp | executable
MD5: 0DB8E2406D4581F8FA1106AE19DC1B25
SHA256: 3FFBA4D5E3DDFB15EA92C9C48C188FE9A488EEEE2D8D3403B7850BBF12FD1085

2124 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSIFD4C.tmp | executable
MD5: 0DB8E2406D4581F8FA1106AE19DC1B25
SHA256: 3FFBA4D5E3DDFB15EA92C9C48C188FE9A488EEEE2D8D3403B7850BBF12FD1085

1356 | msiexec.exe | C:\Windows\Installer\MSI687C.tmp | binary
MD5: D5DC3EB1F55AFEA631658868F1813378
SHA256: 3638D1293A041F92B833919C3BA3FBD0E1544BC9D2A3C21585CBE550BE6CFD26

1356 | msiexec.exe | C:\Users\admin\AppData\Local\Programs\SMath Studio\book\1.smxml | -
MD5: CC40415FE360F39CF04EF6393723877C
SHA256: 556E05298764B562A46D84ADE24A84EE1C9D1ACFA0A46FF38BE8F4C6775E0F27

1356 | msiexec.exe | C:\Users\admin\AppData\Local\Programs\SMath Studio\book\10_1.smxml | -
MD5: 40FA0BCF41557F010D7088EDE675BDF0
SHA256: 36F563B166BDC5F5C64C03296A47D26E0C4A0BFB2E10AB9BD1E243A14B148EA1

1356 | msiexec.exe | C:\Users\admin\AppData\Local\Programs\SMath Studio\book\10.smxml | -
MD5: E9EAB44458A6F5695BF21EE1536F3659
SHA256: 6455169FD46568C84C476A5157CA172C87B1E9C322D63E7562ED3B0625B41DA5

1356 | msiexec.exe | C:\Users\admin\AppData\Local\Programs\SMath Studio\book\16.smxml | -
MD5: 556856024946DD24B542880F27DA4059
SHA256: 675A4AD20F451FC3D2FC0FF7F3250D33AD0775B6B4762C957C245B91FC4B50AA
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
844 | Solver.exe | 93.191.60.124:443 | smath.com | OBIT Ltd. | RU | unknown

DNS requests

Domain | IP | Reputation
smath.com | 93.191.60.124 | unknown

Threats

No threats detected
No debug info