File name:

Plate 'n' Sheet Professional V4.msi

Full analysis: https://app.any.run/tasks/0f0561a2-da20-41e3-a33f-b1232cf7ec7c
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates a device in order to deliver further malicious payloads. Once running it can profile the victim's system and then install other threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick users into downloading and running the executable. Loaders employ evasion and persistence tactics to avoid detection.

Analysis date: June 17, 2020, 11:43:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
loader
banload
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Plate 'n' Sheet Professional V4, Author: R&L CAD Services Pty Ltd, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2013 - Express Edition 20, Last Saved Time/Date: Tue Sep 24 16:47:26 2019, Create Time/Date: Tue Sep 24 16:47:26 2019, Last Printed: Tue Sep 24 16:47:26 2019, Revision Number: {2CA39A6A-0D02-472B-BA0F-80FF75C042C0}, Code page: 1252, Template: Intel;1033
MD5:

E64388CD86686DBC0974D3B57C798D8B

SHA1:

E0741E643BEBF33422702EC7A3516D8771C32C01

SHA256:

2694280EE9100C8468377D7B05A152B292A5EA9A6D33D83AF42FA5BAF7F14D51

SSDEEP:

196608:3hN79fXNXrRKnf7KIyUzwrvnpKgp78jEGukH8kriPOaq2JOaRfDrtM5vNpo9:xNRfd7EO2zupiEs8kDQJOWfDrt2Fp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Pns4.exe (PID: 1740)
    • Loads dropped or rewritten executable

      • Pns4.exe (PID: 1740)
    • BANLOAD was detected

      • Pns4.exe (PID: 1740)
  • SUSPICIOUS

    • Executed as Windows Service

      • vssvc.exe (PID: 2808)
    • Creates files in the Windows directory

      • msiexec.exe (PID: 1324)
    • Creates COM task schedule object

      • msiexec.exe (PID: 1324)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 1324)
    • Creates files in the program directory

      • Pns4.exe (PID: 1740)
  • INFO

    • Searches for installed software

      • msiexec.exe (PID: 1324)
    • Application launched itself

      • msiexec.exe (PID: 1324)
    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 2808)
    • Creates files in the program directory

      • msiexec.exe (PID: 1324)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 1324)
    • Manual execution by user

      • Pns4.exe (PID: 1740)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
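The three MALICIOUS signatures above hinge on one relationship: the service-mode msiexec.exe (PID 1324) wrote Pns4.exe under Program Files, and explorer.exe later started that same file (PID 1740). The following is an added example, not part of the ANY.RUN report, showing how to reproduce that correlation over process-creation and file-write records. The records are constructed here to mirror the PIDs, paths and command lines in this report (the file-write records come from the "Dropped files" table further down); the field names pid, parent, user, image, cmdline and path are an assumed simplified schema, not any particular EDR's format.

```python
import ntpath  # Windows path semantics, usable on a non-Windows analysis host

# Constructed process-creation events mirroring this report's process tree (assumed schema:
# pid, parent image name, user, image path, command line).
PROCESS_EVENTS = [
    {"pid": 2088, "parent": "explorer.exe", "user": "admin",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'''"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Plate 'n' Sheet Professional V4.msi"'''},
    {"pid": 1324, "parent": "services.exe", "user": "SYSTEM",
     "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"pid": 3216, "parent": "msiexec.exe", "user": "admin",
     "image": r"C:\Windows\system32\MsiExec.exe",
     "cmdline": r"C:\Windows\system32\MsiExec.exe -Embedding A415220F5C31C4A11512856551F18127"},
    {"pid": 1740, "parent": "explorer.exe", "user": "admin",
     "image": r"C:\Program Files\Plate 'n' Sheet Professional\Plate 'n' Sheet Professional V4\Pns4.exe",
     "cmdline": r'''"C:\Program Files\Plate 'n' Sheet Professional\Plate 'n' Sheet Professional V4\Pns4.exe"'''},
]

# Constructed file-write events, a subset of this report's "Dropped files" table.
FILE_EVENTS = [
    {"pid": 1324, "image": r"C:\Windows\system32\msiexec.exe",
     "path": r"C:\Windows\Installer\16379f.msi"},
    {"pid": 1324, "image": r"C:\Windows\system32\msiexec.exe",
     "path": r"C:\Program Files\Plate 'n' Sheet Professional\Plate 'n' Sheet Professional V4\Pns4.exe"},
    {"pid": 1324, "image": r"C:\Windows\system32\msiexec.exe",
     "path": r"C:\Program Files\Plate 'n' Sheet Professional\Plate 'n' Sheet Professional V4\Materials.mdb"},
]


def _is_msiexec(image):
    return ntpath.basename(image).lower() == "msiexec.exe"


def msi_installs_from_user_temp(process_events):
    """PIDs of msiexec.exe /i (or -i) runs whose package lives under a user's AppData\\Local\\Temp."""
    hits = []
    for e in process_events:
        cmd = e["cmdline"].lower()
        if _is_msiexec(e["image"]) and {"/i", "-i"} & set(cmd.split()) and "\\appdata\\local\\temp\\" in cmd:
            hits.append(e["pid"])
    return hits


def dropped_then_executed(process_events, file_events):
    """(pid, parent) for every process whose image is an .exe that msiexec.exe wrote earlier."""
    dropped = {f["path"].lower() for f in file_events
               if _is_msiexec(f["image"]) and f["path"].lower().endswith(".exe")}
    return [(e["pid"], e["parent"]) for e in process_events if e["image"].lower() in dropped]


def triage(process_events, file_events):
    """Combine both rules into (severity, pid, description) findings."""
    findings = [("suspicious", pid, "MSI package installed from a user Temp directory")
                for pid in msi_installs_from_user_temp(process_events)]
    findings += [("correlate", pid, f"executable written by msiexec.exe was launched by {parent}")
                 for pid, parent in dropped_then_executed(process_events, file_events)]
    return findings


if __name__ == "__main__":
    for severity, pid, text in triage(PROCESS_EVENTS, FILE_EVENTS):
        print(f"[{severity}] PID {pid}: {text}")
```

The second rule fires for every legitimate MSI installation as well, which is why it is labelled "correlate" rather than given a verdict: in this report the MALICIOUS rating rests on the BANLOAD detection against Pns4.exe, and the drop-then-execute chain is the key that ties that detection back to the installer and the package that delivered it.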
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (78)
.mst | Windows SDK Setup Transform Script (8.8)
.msp | Windows Installer Patch (7.2)
.msi | Microsoft Installer (100)

EXIF

FlashPix

Characters: -
LastModifiedBy: InstallShield
Words: -
Title: Installation Database
Comments: Contact: Your local administrator
Keywords: Installer,MSI,Database
Subject: Plate 'n' Sheet Professional V4
Author: R&L CAD Services Pty Ltd
Security: Password protected
Pages: 200
Software: InstallShield® 2013 - Express Edition 20
ModifyDate: 2019:09:24 15:47:26
CreateDate: 2019:09:24 15:47:26
LastPrinted: 2019:09:24 15:47:26
RevisionNumber: {2CA39A6A-0D02-472B-BA0F-80FF75C042C0}
CodePage: Windows Latin 1 (Western European)
Template: Intel;1033
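The fields above come from the SummaryInformation property-set stream inside the OLE compound file that the File info line identifies as a Composite Document File. Several of them carry Windows Installer meanings that the generic labels hide: Revision Number is the package code, Page Count 200 is the minimum Installer version 2.0, Template is platform;language and Word Count is a flag word. The following added example, not part of the report or of ANY.RUN, builds a SummaryInformation stream carrying the same values this report lists, parses it with the standard library only, and interprets the Installer-specific fields. The stream bytes are constructed here, not taken from the sample; to read the real one, `olefile.OleFileIO(path).openstream('\x05SummaryInformation')` (the olefile package, assumed to be installed) returns bytes in the same format.

```python
import struct
from datetime import datetime, timedelta

# Property types and property IDs of the OLE property-set format (MS-OLEPS) for the
# SummaryInformation set that MSI packages keep in the "\x05SummaryInformation" stream.
VT_I2, VT_I4, VT_LPSTR, VT_FILETIME = 0x0002, 0x0003, 0x001E, 0x0040
FMTID_SUMMARY = bytes.fromhex("E0859FF2F94F6810AB9108002B27B3D9")  # {F29F85E0-4FF9-1068-AB91-08002B27B3D9}
PIDSI = {1: "CodePage", 2: "Title", 3: "Subject", 4: "Author", 5: "Keywords", 6: "Comments",
         7: "Template", 8: "LastSavedBy", 9: "RevisionNumber", 11: "LastPrinted",
         12: "CreateTime", 13: "LastSaveTime", 14: "PageCount", 15: "WordCount",
         16: "CharCount", 18: "CreatingApplication", 19: "Security"}
FILETIME_EPOCH = datetime(1601, 1, 1)

# Constructed sample: the values this report lists for the MSI, keyed by property ID.
SAMPLE = {1: 1252, 2: "Installation Database", 3: "Plate 'n' Sheet Professional V4",
          4: "R&L CAD Services Pty Ltd", 5: "Installer,MSI,Database",
          6: "Contact: Your local administrator", 7: "Intel;1033", 8: "InstallShield",
          9: "{2CA39A6A-0D02-472B-BA0F-80FF75C042C0}", 12: datetime(2019, 9, 24, 16, 47, 26),
          13: datetime(2019, 9, 24, 16, 47, 26), 14: 200, 15: 0, 16: 0,
          18: "InstallShield 2013 - Express Edition 20", 19: 1}


def _encode(pid, value):
    """Serialise one TypedPropertyValue: 2-byte type, 2-byte padding, then the value."""
    if pid == 1:                                      # CodePage is a VT_I2, padded to 4 bytes
        return struct.pack("<HHh", VT_I2, 0, value) + b"\x00\x00"
    if isinstance(value, datetime):
        delta = value - FILETIME_EPOCH
        return struct.pack("<HHQ", VT_FILETIME, 0, (delta.days * 86400 + delta.seconds) * 10_000_000)
    if isinstance(value, int):
        return struct.pack("<HHi", VT_I4, 0, value)
    raw = value.encode("cp1252") + b"\x00"           # VT_LPSTR: length incl. NUL, string, pad to 4
    return struct.pack("<HHI", VT_LPSTR, 0, len(raw)) + raw + b"\x00" * (-len(raw) % 4)


def build_summary_stream(props):
    """Build a one-section property-set stream: header, FMTID/offset pair, section."""
    table_len = 8 + 8 * len(props)                    # size + count + (id, offset) pairs
    offsets, body = [], b""
    for pid, value in props.items():
        offsets.append((pid, table_len + len(body)))  # offsets are relative to the section start
        body += _encode(pid, value)
    section = struct.pack("<II", table_len + len(body), len(props))
    section += b"".join(struct.pack("<II", pid, off) for pid, off in offsets) + body
    header = struct.pack("<HHI16sI", 0xFFFE, 0, 0x00020006, bytes(16), 1)  # byte order, version, OS, CLSID, set count
    return header + FMTID_SUMMARY + struct.pack("<I", 48) + section       # section starts right after the 48-byte header


def _decode(data, pos):
    vtype, = struct.unpack_from("<H", data, pos)
    pos += 4
    if vtype == VT_I2:
        return struct.unpack_from("<h", data, pos)[0]
    if vtype == VT_I4:
        return struct.unpack_from("<i", data, pos)[0]
    if vtype == VT_FILETIME:
        ticks, = struct.unpack_from("<Q", data, pos)
        return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    if vtype == VT_LPSTR:
        size, = struct.unpack_from("<I", data, pos)
        return data[pos + 4:pos + 4 + size].rstrip(b"\x00").decode("cp1252")
    raise ValueError(f"unhandled property type 0x{vtype:04x}")


def parse_summary_stream(data):
    """Return {property name: value} for the SummaryInformation section of a property-set stream."""
    byte_order, _version, _os, _clsid, nsets = struct.unpack_from("<HHI16sI", data, 0)
    if byte_order != 0xFFFE:
        raise ValueError("not a little-endian OLE property-set stream")
    props = {}
    for i in range(nsets):
        fmtid, start = struct.unpack_from("<16sI", data, 28 + 20 * i)
        if fmtid != FMTID_SUMMARY:
            continue
        _size, count = struct.unpack_from("<II", data, start)
        for j in range(count):
            pid, off = struct.unpack_from("<II", data, start + 8 + 8 * j)
            props[PIDSI.get(pid, pid)] = _decode(data, start + off)
    return props


def describe_msi(props):
    """Interpret the SummaryInformation fields that Windows Installer overloads."""
    platform, _, langs = props["Template"].partition(";")
    pages, words = props["PageCount"], props["WordCount"]
    return {
        "package_code": props["RevisionNumber"],            # MSI: Package Code GUID, not a revision
        "platform": platform,                                # "Intel" = x86; "x64" / "Intel64" otherwise
        "language_ids": [int(x) for x in langs.split(",") if x],
        "min_installer_version": f"{pages // 100}.{pages % 100}",  # 200 -> "2.0", 405 -> "4.5"
        "short_filenames_only": bool(words & 1),
        "compressed_source": bool(words & 2),
        "admin_image": bool(words & 4),
        "no_elevation_required": bool(words & 8),
    }


if __name__ == "__main__":
    parsed = parse_summary_stream(build_summary_stream(SAMPLE))
    for name, value in parsed.items():
        print(f"{name}: {value}")
    print(describe_msi(parsed))
```

The package code is the value to pivot on when hunting for other builds of the same installer, since InstallShield regenerates it per build while Author, Title and Comments stay constant across a vendor's products.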
All screenshots are available in the full report
Total processes
41
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

start
msiexec.exe (no specs)
msiexec.exe
vssvc.exe (no specs)
msiexec.exe (no specs)
#BANLOAD pns4.exe

Process information

PID: 1324
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\system32\msiexec.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1740
CMD: "C:\Program Files\Plate 'n' Sheet Professional\Plate 'n' Sheet Professional V4\Pns4.exe"
Path: C:\Program Files\Plate 'n' Sheet Professional\Plate 'n' Sheet Professional V4\Pns4.exe
Parent process: explorer.exe
User:
admin
Company:
R & L CAD Services Pty Ltd
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
Modules
Images
c:\program files\plate 'n' sheet professional\plate 'n' sheet professional v4\pns4.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 2088
CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Plate 'n' Sheet Professional V4.msi"
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2808
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\system32\vssvc.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3216
CMD: C:\Windows\system32\MsiExec.exe -Embedding A415220F5C31C4A11512856551F18127
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
1 943
Read events
571
Write events
1 360
Delete events
12

Modification events

(PID) Process: (1324) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value: 40000000000000002E9279A39C44D6012C050000000B0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (1324) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value: 40000000000000002E9279A39C44D6012C050000000B0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (1324) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value: 37

(PID) Process: (1324) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value: 4000000000000000C83FC8A39C44D6012C050000000B0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (1324) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
Operation: write
Name: IDENTIFY (Enter)
Value: 4000000000000000C83FC8A39C44D6012C05000054090000E803000001000000000000000000000041032AA45E33314591C1AD8FCC94197F0000000000000000

(PID) Process: (2808) vssvc.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation: write
Name: IDENTIFY (Enter)
Value: 40000000000000009852DBA39C44D601F80A0000280A0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2808) vssvc.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation: write
Name: IDENTIFY (Enter)
Value: 40000000000000009852DBA39C44D601F80A0000F0050000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2808) vssvc.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation: write
Name: IDENTIFY (Enter)
Value: 40000000000000009852DBA39C44D601F80A0000F0090000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2808) vssvc.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation: write
Name: IDENTIFY (Enter)
Value: 40000000000000009852DBA39C44D601F80A00003C060000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

(PID) Process: (2808) vssvc.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation: write
Name: IDENTIFY (Leave)
Value: 40000000000000000E03ECA39C44D601F80A00003C060000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
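Every binary value in this block is a 64-byte VSS diagnostic record, and the value names tell the story: Windows Installer (PID 1324) asked System Restore to create a restore point (SrCreateRp), which is what pulled the Shadow Copy Service (vssvc.exe, PID 2808) and its writers into the trace. The following is an added example, not part of the report, that decodes the records exactly as they are printed above. The layout it uses, a size DWORD, a reserved DWORD, a FILETIME, then the process and thread IDs, is inferred from these dumps (the IDs at offsets 16 and 20 match the reporting PIDs 1324 and 2808) rather than taken from documentation, and the remaining 40 bytes are carried along uninterpreted.

```python
import struct
from datetime import datetime, timedelta

FILETIME_EPOCH = datetime(1601, 1, 1)

# REG_BINARY values copied from the modification events above, keyed
# "<reporting process> | <Diag subkey> | <value name>" (four of the ten records).
VSS_DIAG_RECORDS = {
    "msiexec.exe | SystemRestore | SrCreateRp (Enter)":
        "40000000000000002E9279A39C44D6012C050000000B0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000",
    "msiexec.exe | SPP | SppGatherWriterMetadata (Enter)":
        "4000000000000000C83FC8A39C44D6012C050000000B0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000",
    "vssvc.exe | ASR Writer | IDENTIFY (Enter)":
        "40000000000000009852DBA39C44D601F80A0000280A0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000",
    "vssvc.exe | COM+ REGDB Writer | IDENTIFY (Leave)":
        "40000000000000000E03ECA39C44D601F80A00003C060000E8030000000000000100000000000000000000000000000000000000000000000000000000000000",
}


def decode_vss_diag(hex_value):
    """Decode one VSS Diag record. Layout inferred from these dumps (assumption, not documentation):
    u32 size (0x40), u32 reserved, u64 FILETIME (UTC), u32 PID, u32 TID, then bytes left as-is."""
    raw = bytes.fromhex(hex_value)
    size, _reserved, filetime, pid, tid = struct.unpack_from("<IIQII", raw, 0)
    return {"size": size, "pid": pid, "tid": tid,
            "timestamp": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
            "tail": raw[24:].hex()}


def timeline(records):
    """(name, timestamp, pid, tid) tuples in time order; the stable sort keeps ties in report order."""
    decoded = [(name, decode_vss_diag(h)) for name, h in records.items()]
    decoded.sort(key=lambda item: item[1]["timestamp"])
    return [(name, rec["timestamp"], rec["pid"], rec["tid"]) for name, rec in decoded]


def span_seconds(records):
    """Seconds between the earliest and latest record."""
    stamps = [ts for _, ts, _, _ in timeline(records)]
    return (stamps[-1] - stamps[0]).total_seconds()


def embedded_pids_match(records, reporting_pids):
    """True when the PID inside each record equals the PID the report attributes the write to."""
    return all(decode_vss_diag(h)["pid"] == reporting_pids[name.split()[0]]
               for name, h in records.items())


if __name__ == "__main__":
    for name, ts, pid, tid in timeline(VSS_DIAG_RECORDS):
        print(f"{ts:%Y-%m-%d %H:%M:%S.%f} UTC  pid={pid:<5} tid={tid:<5} {name}")
    print("span:", span_seconds(VSS_DIAG_RECORDS), "s")
    print("PIDs match report:", embedded_pids_match(VSS_DIAG_RECORDS, {"msiexec.exe": 1324, "vssvc.exe": 2808}))
```

Decoded, the SrCreateRp record carries PID 1324 and a timestamp of 17 June 2020 shortly after 11:44 UTC, which agrees with the analysis date at the top of the report, and the four records span 0.75 seconds. Because the timestamp and PID live inside the value rather than in the registry's own last-write time, these records survive as a small process timeline in a registry hive even when the sandbox trace or event log is gone.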
Executable files
14
Suspicious files
14
Text files
22
Unknown types
7

Dropped files

PID: 1324 | Process: msiexec.exe | Filename: C:\System Volume Information\SPP\metadata-2 | Type: -
MD5:
SHA256:
PID: 1324 | Process: msiexec.exe | Filename: C:\Windows\Installer\16379f.msi | Type: -
MD5:
SHA256:
PID: 1324 | Process: msiexec.exe | Filename: C:\Windows\Installer\MSI3EA4.tmp | Type: -
MD5:
SHA256:
PID: 1324 | Process: msiexec.exe | Filename: C:\Users\admin\AppData\Local\Temp\~DF8AB747F3D7264E47.TMP | Type: -
MD5:
SHA256:
PID: 2808 | Process: vssvc.exe | Filename: C: | Type: -
MD5:
SHA256:
PID: 1324 | Process: msiexec.exe | Filename: C:\System Volume Information\SPP\snapshot-2 | Type: binary
MD5:
SHA256:
PID: 1324 | Process: msiexec.exe | Filename: C:\Windows\Installer\MSI404B.tmp | Type: binary
MD5:
SHA256:
PID: 1324 | Process: msiexec.exe | Filename: C:\Program Files\Plate 'n' Sheet Professional\Plate 'n' Sheet Professional V4\Pns4.exe | Type: executable
MD5:
SHA256:
PID: 1324 | Process: msiexec.exe | Filename: C:\Program Files\Plate 'n' Sheet Professional\Plate 'n' Sheet Professional V4\Materials.mdb | Type: mdb
MD5:
SHA256:
PID: 1324 | Process: msiexec.exe | Filename: C:\Program Files\Plate 'n' Sheet Professional\Plate 'n' Sheet Professional V4\Pns4.opt | Type: mdb
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
Debug output

Process: Pns4.exe
Message: %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
Process: Pns4.exe
Message: %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s