File name:

spacedesk_driver_Win_10_64_v2126.msi

Full analysis: https://app.any.run/tasks/1b87d261-868c-4a96-8089-4aa40bafadeb
Verdict: Malicious activity
Analysis date: October 28, 2024, 13:48:37
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: spacedesk 2.1.26 Driver Installer, Author: datronicsoft Inc., Keywords: Installer, Comments: Windows Network Display Monitor Software, Template: x64;1033, Revision Number: {F6E00AC3-5E9D-40CF-B774-80BAC186239C}, Create Time/Date: Tue Oct 15 09:45:22 2024, Last Saved Time/Date: Tue Oct 15 09:45:22 2024, Number of Pages: 500, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5:

C3F3469EF12D56C5E4C27B493D9FD98D

SHA1:

EB2A61EC0DAE9A3F24984758466C4135CF816CCE

SHA256:

203D52E0445301C5EB36C5D9966111B9E8D7A1032790E772DC31E462B834FA78

SSDEEP:

98304:TiNZGKQOtTNeTd4GMUMGRUxVqIsPt5zERplC9ZzlqDrDQNBTX1/Mp0NknYBGJkW4:JbdP4Ui/Kh9cQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 6712)
      • spacedeskService.exe (PID: 7096)
    • Executable content was dropped or overwritten

      • MSID1FE.tmp (PID: 1376)
      • drvinst.exe (PID: 5612)
      • drvinst.exe (PID: 6520)
      • MSIDAD9.tmp (PID: 6256)
      • drvinst.exe (PID: 7156)
      • MSIDD0D.tmp (PID: 1584)
      • drvinst.exe (PID: 6440)
      • drvinst.exe (PID: 2100)
      • MSIDFAF.tmp (PID: 6488)
      • drvinst.exe (PID: 6556)
      • drvinst.exe (PID: 6964)
      • MSIDE46.tmp (PID: 4584)
      • drvinst.exe (PID: 1280)
      • MSIE127.tmp (PID: 4568)
    • Drops a system driver (possible attempt to evade defenses)

      • MSID1FE.tmp (PID: 1376)
      • MSIDAD9.tmp (PID: 6256)
      • drvinst.exe (PID: 5612)
      • drvinst.exe (PID: 7156)
      • msiexec.exe (PID: 6664)
      • drvinst.exe (PID: 6520)
      • MSIDFAF.tmp (PID: 6488)
      • drvinst.exe (PID: 2100)
      • drvinst.exe (PID: 6964)
      • drvinst.exe (PID: 1280)
      • MSIE127.tmp (PID: 4568)
  • INFO

    • Creates files or folders in the user directory

      • msiexec.exe (PID: 2648)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 2648)
      • msiexec.exe (PID: 6664)
    • Starts application with an unusual extension

      • msiexec.exe (PID: 6664)
    • An automatically generated document

      • msiexec.exe (PID: 2648)
    • Reads the software policy settings

      • msiexec.exe (PID: 2648)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 2648)
    • Manages system restore points

      • SrTasks.exe (PID: 608)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: spacedesk 2.1.26 Driver Installer
Author: datronicsoft Inc.
Keywords: Installer
Comments: Windows Network Display Monitor Software
Template: x64;1033
RevisionNumber: {F6E00AC3-5E9D-40CF-B774-80BAC186239C}
CreateDate: 2024:10:15 09:45:22
ModifyDate: 2024:10:15 09:45:22
Pages: 500
Words: 2
Software: Windows Installer XML Toolset (3.11.2.4516)
Security: Read-only recommended
No data.
All screenshots are available in the full report
Total processes
165
Monitored processes
34
Malicious processes
1
Suspicious processes
2

Behavior graph

start msiexec.exe msiexec.exe sppextcomobj.exe no specs slui.exe no specs msiexec.exe no specs vssvc.exe no specs srtasks.exe no specs conhost.exe no specs msicfd8.tmp no specs msid046.tmp no specs msid180.tmp no specs msid1fe.tmp drvinst.exe drvinst.exe no specs msid8b5.tmp no specs drvinst.exe msidad9.tmp drvinst.exe msidd0d.tmp drvinst.exe mside46.tmp slui.exe no specs drvinst.exe msidfaf.tmp drvinst.exe msie127.tmp drvinst.exe drvinst.exe msie2dd.tmp no specs spacedeskservice.exe no specs spacedeskservicetray.exe no specs msie35b.tmp no specs msie3ca.tmp no specs msie4d4.tmp no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
608
CMD:
C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11
Path:
C:\Windows\System32\SrTasks.exe
Parent process:
msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID:
1084
CMD:
"C:\WINDOWS\Installer\MSIE35B.tmp" -openFirewall,C:\Program Files\datronicsoft\spacedesk\
Path:
C:\Windows\Installer\MSIE35B.tmp
Parent process:
msiexec.exe
User:
admin
Company:
datronicsoft
Integrity Level:
MEDIUM
Description:
spacedesk Setup Custom Action
Exit code:
0
Version:
0.2.1.26
PID:
1280
CMD:
DrvInst.exe "2" "1" "ROOT\SPACEDESK_VIRTUAL_BUS\0000" "C:\WINDOWS\System32\DriverStore\FileRepository\spacedeskdriverbus.inf_amd64_866ccd67be8813b9\spacedeskdriverbus.inf" "oem11.inf:*:*:1.0.462.45:Root\VID_DATRONICSOFT_PID_SPACEDESK_VIRTUAL_BUS_0001," "4522ade83" "0000000000000228"
Path:
C:\Windows\System32\drvinst.exe
Parent process:
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
PID:
1376
CMD:
"C:\WINDOWS\Installer\MSID1FE.tmp" -install_android_control,C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\
Path:
C:\Windows\Installer\MSID1FE.tmp
Parent process:
msiexec.exe
User:
admin
Company:
datronicsoft
Integrity Level:
MEDIUM
Description:
spacedesk Setup Custom Action
Exit code:
0
Version:
0.2.1.26
PID:
1376
CMD:
This is spacedesk Service calling.
Path:
C:\Program Files\datronicsoft\spacedesk\spacedeskServiceTray.exe
Parent process:
spacedeskService.exe
User:
admin
Company:
datronicsoft
Integrity Level:
MEDIUM
Description:
spacedesk Notification Application
Version:
0.2.1.26
PID:
1584
CMD:
"C:\WINDOWS\Installer\MSIDD0D.tmp" -install_hid,C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\
Path:
C:\Windows\Installer\MSIDD0D.tmp
Parent process:
msiexec.exe
User:
admin
Company:
datronicsoft
Integrity Level:
MEDIUM
Description:
spacedesk Setup Custom Action
Exit code:
0
Version:
0.2.1.26
PID:
1804
CMD:
"C:\WINDOWS\Installer\MSID180.tmp" -qWaveCheck
Path:
C:\Windows\Installer\MSID180.tmp
Parent process:
msiexec.exe
User:
admin
Company:
datronicsoft
Integrity Level:
MEDIUM
Description:
spacedesk Setup Custom Action
Exit code:
0
Version:
0.2.1.26
PID:
2100
CMD:
DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{1fecf26b-ce1a-0c44-9c33-c138d577c584}\spacedeskDriverAudio.inf" "9" "447268673" "0000000000000228" "WinSta0\Default" "000000000000022C" "208" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles"
Path:
C:\Windows\System32\drvinst.exe
Parent process:
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
PID:
2620
CMD:
C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path:
C:\Windows\System32\SppExtComObj.Exe
Parent process:
svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID:
2648
CMD:
"C:\Windows\System32\msiexec.exe" /i C:\Users\admin\AppData\Local\Temp\spacedesk_driver_Win_10_64_v2126.msi
Path:
C:\Windows\System32\msiexec.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events
5 015
Read events
4 981
Write events
25
Delete events
9

Modification events

(PID) Process: (6664) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
4800000000000000C4A1103E4029DB01081A000094150000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6664) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value:
4800000000000000C4A1103E4029DB01081A000094150000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6664) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value:
48000000000000008F3D4C3E4029DB01081A000094150000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6664) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value:
48000000000000008F3D4C3E4029DB01081A000094150000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6664) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value:
48000000000000009FA14E3E4029DB01081A000094150000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6664) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value:
48000000000000006804513E4029DB01081A000094150000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6664) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value:
11
(PID) Process: (6664) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value:
4800000000000000FD17C13E4029DB01081A000094150000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process: (6664) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value:
48000000000000006597C33E4029DB01081A0000D41B0000E80300000100000000000000000000001C47AE79DF8DFE4B9093C271395B314B00000000000000000000000000000000
(PID) Process: (6712) VSSVC.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Operation: write
Name: IDENTIFY (Enter)
Value:
4800000000000000905ECF3E4029DB01381A000010020000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
59
Suspicious files
95
Text files
5
Unknown types
6

Dropped files

PID
Process
Filename
Type
PID: 6664
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\metadata-2
Type:
MD5:
SHA256:
PID: 6664
Process: msiexec.exe
Filename: C:\Windows\Installer\9c44e.msi
Type:
MD5:
SHA256:
PID: 6664
Process: msiexec.exe
Filename: C:\Windows\Installer\MSIC9DC.tmp
Type:
MD5:
SHA256:
PID: 2648
Process: msiexec.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Type: der
MD5: FB3AD0052022397D5A1C8B766288D0EC
SHA256: 050E59F261304198054BE1E0205F2570C07F4E51E87E2C6109E660EF3120FDE9
PID: 2648
Process: msiexec.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_74F67001B3C2D533D99B6A2860970A04
Type: binary
MD5: E797A3412BE8FB3DF443C9DAC8ABDF0E
SHA256: 9E3C4D5395F3DC355A6164E318FA8A22DA7AABEE1DB068DFC98EBEA17358590E
PID: 2648
Process: msiexec.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_74F67001B3C2D533D99B6A2860970A04
Type: der
MD5: 683BA4F345890BDFEB3A5A9FC18FF015
SHA256: 8DFCE4B654E9ED00FF3DE842CDC7D958D82496EC8A140CC7F41456965386EB59
PID: 2648
Process: msiexec.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Type: der
MD5: 8448623C7D1F6C84C80A09A8B06475D9
SHA256: 6770FC53CBE1F3CD17E3005DBDD6A01DE7DD0C97C59277AF7BE9251436D4AADE
PID: 6664
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\snapshot-2
Type: binary
MD5: D6B2C669DD3840A280C234E416DA16F7
SHA256: DF5DF60456BCAB7B0662052444983216CF1394AA60CE93A455E27A1FA6741B1D
PID: 2648
Process: msiexec.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Type: binary
MD5: 8DE05A5628F339F17B97D60FB7C32661
SHA256: 91841534FE1009DC30FC4CAB812DE6413CAEE640999C6FC401221824F2A4DE4C
PID: 2648
Process: msiexec.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Type: binary
MD5: D62415CBF59D466FC8FD6DC83133C097
SHA256: 40EE9E92C07A3D0A1623310F6AD926F751CA97CF43000D4EF3D6C9678F1E5A8C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
50
DNS requests
25
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.164.43:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2648
msiexec.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
2648
msiexec.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEA4bLnp0JeaKiM0Z462JHJc%3D
unknown
whitelisted
2648
msiexec.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
3948
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7140
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7140
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6212
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6944
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
5488
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.16.164.43:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4360
SearchApp.exe
2.23.209.160:443
www.bing.com
Akamai International B.V.
GB
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
2648
msiexec.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 2.16.164.43
  • 2.16.164.106
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 88.221.169.152
whitelisted
www.bing.com
  • 2.23.209.160
  • 2.23.209.169
  • 2.23.209.173
  • 2.23.209.167
  • 2.23.209.162
  • 2.23.209.166
  • 2.23.209.174
  • 2.23.209.168
  • 2.23.209.159
  • 2.23.209.181
  • 2.23.209.189
  • 2.23.209.130
  • 2.23.209.185
  • 2.23.209.182
  • 2.23.209.183
  • 2.23.209.186
  • 2.23.209.191
  • 2.23.209.192
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
google.com
  • 142.250.185.78
whitelisted
login.live.com
  • 40.126.31.67
  • 40.126.31.71
  • 20.190.159.4
  • 20.190.159.23
  • 20.190.159.71
  • 20.190.159.2
  • 20.190.159.64
  • 20.190.159.73
whitelisted
th.bing.com
  • 2.19.96.19
  • 2.19.96.24
  • 2.19.96.35
  • 2.19.96.27
  • 2.19.96.49
  • 2.19.96.40
  • 2.19.96.41
  • 2.19.96.25
  • 2.19.96.42
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted

Threats

No threats detected
No debug info