Malware analysis spacedesk_driver_Win_10_64_v2121.msi Malicious activity

Add for printing

File name:	spacedesk_driver_Win_10_64_v2121.msi
Full analysis:	https://app.any.run/tasks/7f90413d-5f9a-4aaf-8495-f8982d727e1e
Verdict:	Malicious activity
Analysis date:	August 02, 2024, 10:19:47
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	generated-doc
Indicators:
MIME:	application/x-msi
File info:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: spacedesk 2.1.21 Driver Installer, Author: datronicsoft Inc., Keywords: Installer, Comments: Windows Network Display Monitor Software, Template: x64;1033, Revision Number: {D1358356-8938-4DFF-A4CB-8766A90A86CD}, Create Time/Date: Fri Jul 5 02:48:02 2024, Last Saved Time/Date: Fri Jul 5 02:48:02 2024, Number of Pages: 500, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
MD5:	E00DEE77DD75292084D73B5FCD1F0F15
SHA1:	C97B6BE162AB4A73C710BC5284DDAEDF31DEA871
SHA256:	3896A7075794F18D559E16B1017EF34D79FF5764C822A0237E67EE567E6B1921
SSDEEP:	98304:oIQW7YZ9BLeGto8xKBl0ujO4AGzOjiTCiatdaYpUqZRFlv93YXSC+8C689o4Agi7:RcXFtvNtrHFq9U4Ui/Kh9cQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - drvinst.exe (PID: 5064)
  - MSIF2CB.tmp (PID: 1172)
  - msiexec.exe (PID: 6564)
  - drvinst.exe (PID: 3372)
  - MSIFBE5.tmp (PID: 2960)
  - drvinst.exe (PID: 2628)
  - MSIFE09.tmp (PID: 6872)
  - drvinst.exe (PID: 6304)
  - drvinst.exe (PID: 7120)
  - drvinst.exe (PID: 4592)
  - MSI4D2.tmp (PID: 7108)
  - drvinst.exe (PID: 2700)
  - MSID.tmp (PID: 3324)
  - drvinst.exe (PID: 6208)
  - MSI241.tmp (PID: 3184)
SUSPICIOUS
- Executable content was dropped or overwritten
  - MSIF2CB.tmp (PID: 1172)
  - MSIFBE5.tmp (PID: 2960)
  - drvinst.exe (PID: 3372)
  - drvinst.exe (PID: 6304)
  - drvinst.exe (PID: 2628)
  - MSIFE09.tmp (PID: 6872)
  - MSID.tmp (PID: 3324)
  - drvinst.exe (PID: 5064)
  - drvinst.exe (PID: 7120)
  - MSI4D2.tmp (PID: 7108)
  - drvinst.exe (PID: 4592)
  - drvinst.exe (PID: 2700)
  - MSI241.tmp (PID: 3184)
  - drvinst.exe (PID: 6208)
- Drops a system driver (possible attempt to evade defenses)
  - msiexec.exe (PID: 6564)
  - MSIF2CB.tmp (PID: 1172)
  - drvinst.exe (PID: 5064)
  - drvinst.exe (PID: 2628)
  - drvinst.exe (PID: 3372)
  - MSIFBE5.tmp (PID: 2960)
  - drvinst.exe (PID: 7120)
  - MSI4D2.tmp (PID: 7108)
  - drvinst.exe (PID: 2700)
  - MSI241.tmp (PID: 3184)
  - drvinst.exe (PID: 4592)
- Executes as Windows Service
  - VSSVC.exe (PID: 5152)
  - spacedeskService.exe (PID: 5920)
INFO
- Creates files or folders in the user directory
  - msiexec.exe (PID: 6424)
- An automatically generated document
  - msiexec.exe (PID: 6424)
- Reads security settings of Internet Explorer
  - msiexec.exe (PID: 6424)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 6564)
  - msiexec.exe (PID: 6424)
- Starts application with an unusual extension
  - msiexec.exe (PID: 6564)
- Reads the computer name
  - msiexec.exe (PID: 6376)
  - msiexec.exe (PID: 6564)
- Checks supported languages
  - msiexec.exe (PID: 6564)
  - msiexec.exe (PID: 6376)
- Checks proxy server information
  - msiexec.exe (PID: 6424)
- Drops the executable file immediately after the start
  - msiexec.exe (PID: 6424)
- Reads the software policy settings
  - msiexec.exe (PID: 6424)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.msi	\|	Microsoft Windows Installer (98.5)
.msi	\|	Microsoft Installer (100)

EXIF

FlashPix

CodePage:	Windows Latin 1 (Western European)
Title:	Installation Database
Subject:	spacedesk 2.1.21 Driver Installer
Author:	datronicsoft Inc.
Keywords:	Installer
Comments:	Windows Network Display Monitor Software
Template:	x64;1033
RevisionNumber:	{D1358356-8938-4DFF-A4CB-8766A90A86CD}
CreateDate:	2024:07:05 02:48:02
ModifyDate:	2024:07:05 02:48:02
Pages:	500
Words:	2
Software:	Windows Installer XML Toolset (3.11.2.4516)
Security:	Read-only recommended

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

167

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1172

"C:\WINDOWS\Installer\MSIF2CB.tmp" -install_android_control,C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\

C:\Windows\Installer\MSIF2CB.tmp

msiexec.exe

User:

admin

Company:

datronicsoft

Integrity Level:

MEDIUM

Description:

spacedesk Setup Custom Action

Exit code:

Version:

0.2.1.21

Modules

Images
c:\windows\installer\msif2cb.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

1716

"C:\WINDOWS\Installer\MSI8AE.tmp" -spacedeskProgramFilesDelete,C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\

C:\Windows\Installer\MSI8AE.tmp

—

msiexec.exe

User:

admin

Company:

datronicsoft

Integrity Level:

MEDIUM

Description:

spacedesk Setup Custom Action

Exit code:

Version:

0.2.1.21

Modules

Images
c:\windows\installer\msi8ae.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

2132

"C:\WINDOWS\Installer\MSI830.tmp" -openFirewall,C:\Program Files\datronicsoft\spacedesk\

C:\Windows\Installer\MSI830.tmp

—

msiexec.exe

User:

admin

Company:

datronicsoft

Integrity Level:

MEDIUM

Description:

spacedesk Setup Custom Action

Exit code:

Version:

0.2.1.21

Modules

Images
c:\windows\installer\msi830.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

2336

C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11

C:\Windows\System32\SrTasks.exe

—

msiexec.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft® Windows System Protection background tasks.

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

2628

DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{d406ddff-6556-c348-870f-9d5071fafabe}\spacedeskKtmInputmouse.inf" "9" "431da1b7b" "000000000000021C" "WinSta0\Default" "0000000000000220" "208" "C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles"

C:\Windows\System32\drvinst.exe

svchost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Driver Installation Module

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll

2700

DrvInst.exe "2" "1" "ROOT\SPACEDESK_VIRTUAL_BUS\0000" "C:\WINDOWS\System32\DriverStore\FileRepository\spacedeskdriverbus.inf_amd64_97eac36ebcea4166\spacedeskdriverbus.inf" "oem11.inf:*:*:1.0.455.42:Root\VID_DATRONICSOFT_PID_SPACEDESK_VIRTUAL_BUS_0001," "4522ade83" "000000000000021C"

C:\Windows\System32\drvinst.exe

svchost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Driver Installation Module

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\drvstore.dll

2700

"C:\WINDOWS\Installer\MSI9C8.tmp" -otherFirewallCheck

C:\Windows\Installer\MSI9C8.tmp

—

msiexec.exe

User:

admin

Company:

datronicsoft

Integrity Level:

MEDIUM

Description:

spacedesk Setup Custom Action

Exit code:

Version:

0.2.1.21

Modules

Images
c:\windows\installer\msi9c8.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

2960

"C:\WINDOWS\Installer\MSIFBE5.tmp" -install_ktm,C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\

C:\Windows\Installer\MSIFBE5.tmp

msiexec.exe

User:

admin

Company:

datronicsoft

Integrity Level:

MEDIUM

Description:

spacedesk Setup Custom Action

Exit code:

Version:

0.2.1.21

Modules

Images
c:\windows\installer\msifbe5.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

3144

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

SrTasks.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3184

"C:\WINDOWS\Installer\MSI241.tmp" -install_audio,C:\Program Files\datronicsoft\spacedesk\spacedeskTemporarySetupFiles\

C:\Windows\Installer\MSI241.tmp

msiexec.exe

User:

admin

Company:

datronicsoft

Integrity Level:

MEDIUM

Description:

spacedesk Setup Custom Action

Exit code:

Version:

0.2.1.21

Modules

Images
c:\windows\installer\msi241.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

Add for printing

Total events

36 740

Read events

36 386

Write events

318

Delete events

Modification events


(PID) Process:	(6564) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 48000000000000009EBBDD8DC5E4DA01A41900008C050000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6564) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Enter)
Value: 4800000000000000461FE08DC5E4DA01A41900008C050000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6564) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Leave)
Value: 48000000000000007B68448EC5E4DA01A41900008C050000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6564) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Enter)
Value: 48000000000000007B68448EC5E4DA01A41900008C050000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6564) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Leave)
Value: 48000000000000000703498EC5E4DA01A41900008C050000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6564) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppCreate (Enter)
Value: 4800000000000000AC35508EC5E4DA01A41900008C050000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6564) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:	write	Name:	LastIndex
Value: 11
(PID) Process:	(6564) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGatherWriterMetadata (Enter)
Value: 48000000000000001512F78EC5E4DA01A41900008C050000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6564) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation:	write	Name:	IDENTIFY (Enter)
Value: 480000000000000065D9FB8EC5E4DA01A4190000B8100000E80300000100000000000000000000006427682A5714AF4C881E68EED2713FB800000000000000000000000000000000
(PID) Process:	(5152) VSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4800000000000000497F0C8FC5E4DA0120140000B0190000E80300000100000001000000000000000000000000000000000000000000000000000000000000000000000000000000

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6564	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
6564	msiexec.exe	C:\Windows\Installer\eea3c.msi		—
		MD5:—	SHA256:—
6564	msiexec.exe	C:\Windows\Installer\MSIEE05.tmp		—
		MD5:—	SHA256:—
6424	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB		der
		MD5:2FE44C94E0E9C088AE4E21BCB0856A1C	SHA256:5884545BE81CD89EC21374E05E8387DFC9E66CEEE63874C592C3038326D07F08
6424	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_15A751EAC52E3BDD7E5151D6C1F63C61		binary
		MD5:391B254D61ECA7E5996C7D4AD8E75C08	SHA256:868458E84A657479AF291F77CF25460B996A8419E049149319D7F3B2EA540F1A
6424	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141		der
		MD5:DD365E25F759F7328480EA16EB5A323D	SHA256:57799C176863FCE4C6E82E041434139F84F7EB3724A210255A6E1F2CF93B9651
6564	msiexec.exe	C:\System Volume Information\SPP\snapshot-2		binary
		MD5:9EAC697012082AA5D487974FA7F6EE2C	SHA256:3F355EB396C5ABC71126A835F8CD5E346918EFCED02AF6854AA71BCEF7DDB4D3
6424	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_15A751EAC52E3BDD7E5151D6C1F63C61		der
		MD5:5F80038D615D97A139954FB71C000E31	SHA256:B59F2E5E1D0097F2A3A4605C45411B825C9489CF1336C15D4C5DD93EBA4D5ED2
6564	msiexec.exe	C:\Program Files\datronicsoft\spacedesk\spacedeskConsole.exe		executable
		MD5:8CC59EC59E8D0D4ECAD7EAC5258560CF	SHA256:693E0197D65653C941626DEC007B3DBA913BB743427965555D29868BBCB2C4AE
6424	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSI8DD4.tmp		executable
		MD5:4FDD16752561CF585FED1506914D73E0	SHA256:AECD2D2FE766F6D439ACC2BBF1346930ECC535012CF5AD7B3273D2875237B7E7

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6424	msiexec.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D	unknown	—	—	whitelisted
6424	msiexec.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D	unknown	—	—	whitelisted
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
6424	msiexec.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAq%2BqAfaXHhvH37WHUuH6xY%3D	unknown	—	—	whitelisted
6816	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
5300	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5300	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6868	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4232	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2632	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6424	msiexec.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
4232	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5336	SearchApp.exe	104.126.37.186:443	www.bing.com	Akamai International B.V.	DE	unknown
5336	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.104.136.2 20.73.194.208	whitelisted
google.com	142.250.184.238	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
www.bing.com	104.126.37.186 104.126.37.131 104.126.37.136 104.126.37.128 104.126.37.139 104.126.37.130 104.126.37.146 104.126.37.123 104.126.37.137 2.23.209.175 2.23.209.160 2.23.209.158 2.23.209.162 2.23.209.179 2.23.209.182 2.23.209.176 2.23.209.183 2.23.209.177	whitelisted
client.wns.windows.com	40.113.103.199 40.115.3.253	whitelisted
login.live.com	20.190.159.2 20.190.159.64 20.190.159.73 40.126.31.71 40.126.31.67 40.126.31.73 20.190.159.23 20.190.159.4	whitelisted
th.bing.com	104.126.37.155 104.126.37.162 104.126.37.170 104.126.37.168 104.126.37.163 104.126.37.161 104.126.37.169 104.126.37.153 104.126.37.160	whitelisted
fd.api.iris.microsoft.com	20.223.35.26	whitelisted
arc.msn.com	20.223.35.26	whitelisted
slscr.update.microsoft.com	40.68.123.157	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

spacedesk_driver_Win_10_64_v2121.msi

E00DEE77DD75292084D73B5FCD1F0F15

C97B6BE162AB4A73C710BC5284DDAEDF31DEA871

3896A7075794F18D559E16B1017EF34D79FF5764C822A0237E67EE567E6B1921

98304:oIQW7YZ9BLeGto8xKBl0ujO4AGzOjiTCiatdaYpUqZRFlv93YXSC+8C689o4Agi7:RcXFtvNtrHFq9U4Ui/Kh9cQ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

SUSPICIOUS

Executable content was dropped or overwritten

Drops a system driver (possible attempt to evade defenses)

Executes as Windows Service

INFO

Creates files or folders in the user directory

An automatically generated document

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Starts application with an unusual extension

Reads the computer name

Checks supported languages

Checks proxy server information

Drops the executable file immediately after the start

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

FlashPix

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings