File name:

Sentinel Protection Installer 7.5.0.zip

Full analysis: https://app.any.run/tasks/d8659a22-63dd-4366-8177-00b0d8115503
Verdict: Malicious activity
Analysis date: November 20, 2023, 09:06:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

413C647AB6F17843F994EF4F88E77B82

SHA1:

E1F255605EB634B4FE9A794E1A2CFF2E1A3BB8AF

SHA256:

3E7D3E91FD6DD014BDF5FA7FE20C66343E5EAFE91BC0AFB9D930B449C5FF6C76

SSDEEP:

98304:2JjuDJdfSBgTUen7CITUgmIkXO24R49vPMKy9Rr4Rjpg5Ozgnc9TE856c5k2dzjE:8sLbbMu19hP8IEc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Creates a writable file in the system directory

      • msiexec.exe (PID: 3680)
      • drvinst.exe (PID: 1808)
    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 1760)
      • msiexec.exe (PID: 3680)
      • drvinst.exe (PID: 1808)
  • SUSPICIOUS

    • Starts application with an unusual extension

      • msiexec.exe (PID: 3632)
    • Executes as Windows Service

      • VSSVC.exe (PID: 3728)
      • sntlkeyssrvr.exe (PID: 1816)
      • spnsrvnt.exe (PID: 1360)
    • Process drops legitimate windows executable

      • msiexec.exe (PID: 3680)
    • Drops a system driver (possible attempt to evade defenses)

      • msiexec.exe (PID: 3680)
      • msiexec.exe (PID: 1760)
      • drvinst.exe (PID: 1808)
    • Creates files in the driver directory

      • msiexec.exe (PID: 3680)
      • drvinst.exe (PID: 1808)
    • Checks Windows Trust Settings

      • drvinst.exe (PID: 1808)
    • Reads the Internet Settings

      • msiexec.exe (PID: 3600)
      • InstParLauncher.exe (PID: 1988)
      • MSID512.tmp (PID: 1936)
      • MSID66A.tmp (PID: 2560)
    • Suspicious use of NETSH.EXE

      • MSID512.tmp (PID: 1936)
      • MSID66A.tmp (PID: 2560)
  • INFO

    • Reads the computer name

      • wmpnscfg.exe (PID: 3208)
      • msiexec.exe (PID: 3680)
      • msiexec.exe (PID: 3856)
      • msiexec.exe (PID: 3600)
      • msiexec.exe (PID: 1760)
      • sntlkeyssrvr.exe (PID: 1816)
      • spnsrvnt.exe (PID: 1360)
      • InstParLauncher.exe (PID: 1988)
      • InstAndStartNTParService.exe (PID: 2336)
      • MSID512.tmp (PID: 1936)
      • MSID66A.tmp (PID: 2560)
      • drvinst.exe (PID: 1808)
    • Checks supported languages

      • wmpnscfg.exe (PID: 3208)
      • msiexec.exe (PID: 3680)
      • Sentinel Protection Installer 7.5.0.exe (PID: 3380)
      • msiexec.exe (PID: 3856)
      • MSI8B6D.tmp (PID: 3932)
      • msiexec.exe (PID: 1760)
      • drvinst.exe (PID: 1808)
      • msiexec.exe (PID: 3600)
      • sntlkeyssrvr.exe (PID: 1816)
      • spnsrvnt.exe (PID: 1360)
      • SentinelDrv32Support.exe (PID: 1232)
      • InstParLauncher.exe (PID: 1988)
      • InstAndStartNTParService.exe (PID: 2336)
      • MSID512.tmp (PID: 1936)
      • MSID66A.tmp (PID: 2560)
    • Creates files in a temporary directory

      • Sentinel Protection Installer 7.5.0.exe (PID: 3380)
      • msiexec.exe (PID: 3680)
      • msiexec.exe (PID: 1760)
      • MSID512.tmp (PID: 1936)
      • MSID66A.tmp (PID: 2560)
    • Reads the machine GUID from the registry

      • Sentinel Protection Installer 7.5.0.exe (PID: 3380)
      • wmpnscfg.exe (PID: 3208)
      • msiexec.exe (PID: 3680)
      • msiexec.exe (PID: 3856)
      • msiexec.exe (PID: 3600)
      • msiexec.exe (PID: 1760)
      • drvinst.exe (PID: 1808)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3308)
      • msiexec.exe (PID: 3632)
    • Application launched itself

      • msiexec.exe (PID: 3680)
    • Creates or modifies Windows services

      • msiexec.exe (PID: 3680)
    • Starts application with an unusual extension

      • msiexec.exe (PID: 3680)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2008:07:11 08:05:00
ZipCRC: 0x8dcb937b
ZipCompressedSize: 5298870
ZipUncompressedSize: 6453816
ZipFileName: Sentinel Protection Installer 7.5.0.exe
No data.
All screenshots are available in the full report
Total processes
67
Monitored processes
21
Malicious processes
3
Suspicious processes
0

Behavior graph

Processes in the behavior graph, in order of appearance (the flagged process is the second sentinel protection installer 7.5.0.exe instance):
  • winrar.exe
  • sentinel protection installer 7.5.0.exe
  • sentinel protection installer 7.5.0.exe
  • msiexec.exe
  • msiexec.exe
  • msiexec.exe
  • msi8b6d.tmp
  • vssvc.exe
  • msiexec.exe
  • msiexec.exe
  • drvinst.exe
  • sntlkeyssrvr.exe
  • spnsrvnt.exe
  • sentineldrv32support.exe
  • instparlauncher.exe
  • instandstartntparservice.exe
  • msid512.tmp
  • netsh.exe
  • msid66a.tmp
  • netsh.exe
  • wmpnscfg.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1232
CMD: "C:\Program Files\Common Files\SafeNet Sentinel\Sentinel System Driver\SentinelDrv32Support.exe" -c MakeVDDRegEntry
Path: C:\Program Files\Common Files\SafeNet Sentinel\Sentinel System Driver\SentinelDrv32Support.exe
Parent process: msiexec.exe
User:
admin
Company:
SafeNet, Inc.
Integrity Level:
HIGH
Description:
SentinelDrv32Support
Exit code:
0
Version:
7, 5, 0, 0
Modules
Images
c:\program files\common files\safenet sentinel\sentinel system driver\sentineldrv32support.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 1360
CMD: "C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe"
Path: C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
Parent process: services.exe
User:
SYSTEM
Company:
SafeNet, Inc
Integrity Level:
SYSTEM
Description:
Sentinel Protection Server for SuperPro and UltraPro network keys
Exit code:
0
Version:
7, 5, 0, 5
Modules
Images
c:\program files\common files\safenet sentinel\sentinel protection server\winnt\spnsrvnt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
PID: 1644
CMD: "C:\Windows\System32\netsh.exe" exec "C:\Users\admin\AppData\Local\Temp\SPSScript.dat"
Path: C:\Windows\System32\netsh.exe
Parent process: MSID512.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
PID: 1760
CMD: C:\Windows\system32\MsiExec.exe -Embedding A1BA5E29A457AD34B1B274A76DC40ED0 E Global\MSI0000
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1808
CMD: DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{20678d98-88e9-718e-ca64-543cebeae463}\sntnlusb.inf" "0" "6dd04a27f" "00000540" "WinSta0\Default" "00000548" "208" "C:\Program Files\Common Files\SafeNet Sentinel\Sentinel System Driver"
Path: C:\Windows\System32\drvinst.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 1816
CMD: "C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe"
Path: C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
Parent process: services.exe
User:
SYSTEM
Company:
SafeNet, Inc.
Integrity Level:
SYSTEM
Exit code:
0
Version:
1, 2, 1, 3
Modules
Images
c:\program files\common files\safenet sentinel\sentinel keys server\sntlkeyssrvr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
PID: 1848
CMD: "C:\Windows\System32\netsh.exe" exec "C:\Users\admin\AppData\Local\Temp\script.dat"
Path: C:\Windows\System32\netsh.exe
Parent process: MSID66A.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
PID: 1936
CMD: "C:\Windows\Installer\MSID512.tmp" -c disable
Path: C:\Windows\Installer\MSID512.tmp
Parent process: msiexec.exe
User:
admin
Company:
SafeNet, Inc.
Integrity Level:
HIGH
Description:
SPNSrvSupport
Exit code:
0
Version:
7, 5, 0, 3
Modules
Images
c:\windows\installer\msid512.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
PID: 1988
CMD: "C:\Program Files\Common Files\SafeNet Sentinel\Sentinel System Driver\InstParLauncher.exe" -c installandstart
Path: C:\Program Files\Common Files\SafeNet Sentinel\Sentinel System Driver\InstParLauncher.exe
Parent process: msiexec.exe
User:
admin
Company:
SafeNet Inc.
Integrity Level:
HIGH
Description:
InstParLauncher
Exit code:
0
Version:
7, 5, 0, 0
Modules
Images
c:\program files\common files\safenet sentinel\sentinel system driver\instparlauncher.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 2336
CMD: "C:\Program Files\Common Files\SafeNet Sentinel\Sentinel System Driver\InstAndStartNTParService.exe" -c installandstart
Path: C:\Program Files\Common Files\SafeNet Sentinel\Sentinel System Driver\InstAndStartNTParService.exe
Parent process: InstParLauncher.exe
User:
admin
Company:
SafeNet Inc.
Integrity Level:
HIGH
Description:
InstAndStartNTParService
Exit code:
0
Version:
7, 5, 0, 0
Modules
Images
c:\program files\common files\safenet sentinel\sentinel system driver\instandstartntparservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
Total events
9 833
Read events
9 621
Write events
194
Delete events
18

Modification events

(PID) Process: (3208) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{D8145605-09C3-4F44-AF6F-267102B6D22B}\{E484809C-27F3-467D-88A4-DEEDBE311F21}
Operation: delete key
Name: (default)
Value:

(PID) Process: (3208) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{D8145605-09C3-4F44-AF6F-267102B6D22B}
Operation: delete key
Name: (default)
Value:

(PID) Process: (3208) wmpnscfg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{ADA2D2C1-5D74-47C7-8C9D-49273AAF4C05}
Operation: delete key
Name: (default)
Value:

(PID) Process: (3308) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3308) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (3308) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3308) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3308) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3308) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3308) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files
47
Suspicious files
63
Text files
22
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 3380
Process: Sentinel Protection Installer 7.5.0.exe
Filename: C:\Users\admin\AppData\Local\Temp\_is7D44\Sentinel Protection Installer 7.5.0.msi
MD5:
SHA256:

PID: 3380
Process: Sentinel Protection Installer 7.5.0.exe
Filename: C:\Windows\Downloaded Installations\{B0369E3A-3DE6-4DBD-B658-F52334198E6E}\Sentinel Protection Installer 7.5.0.msi
MD5:
SHA256:

PID: 3680
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\metadata-2
MD5:
SHA256:

PID: 3680
Process: msiexec.exe
Filename: C:\Windows\Installer\16c345.msi
MD5:
SHA256:

PID: 3380
Process: Sentinel Protection Installer 7.5.0.exe
Filename: C:\Users\admin\AppData\Local\Temp\_is7D44\Setup.INI
Type: binary
MD5: C59CEFC7E2DA59953F9877A3C3F58362
SHA256: F87669F2B1EAB9861C5DC6956A5AF749A49FBC2F94E1E9CA06182E2E61D88075

PID: 3380
Process: Sentinel Protection Installer 7.5.0.exe
Filename: C:\Users\admin\AppData\Local\Temp\_is7D44\_ISMSIDEL.INI
Type: text
MD5: 204AB3829F75AF51C5911DDD830EF828
SHA256: 9625F61EC0952475499C2B542DF3A0CBB5E2C1BC3B4EDE1EA5DEED8D910486D0

PID: 3380
Process: Sentinel Protection Installer 7.5.0.exe
Filename: C:\Users\admin\AppData\Local\Temp\~7D33.tmp
Type: binary
MD5: C59CEFC7E2DA59953F9877A3C3F58362
SHA256: F87669F2B1EAB9861C5DC6956A5AF749A49FBC2F94E1E9CA06182E2E61D88075

PID: 3380
Process: Sentinel Protection Installer 7.5.0.exe
Filename: C:\Users\admin\AppData\Local\Temp\_is7D44\0x0409.ini
Type: binary
MD5: CF9BD8FDD8ED91EBCD0D73DD97DE41A3
SHA256: 121C1209BD2B0F2755DEBEAD7B9DC4B5F39B9E87F3C105A38DBDF7920DE45544

PID: 3308
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3308.17517\Sentinel Protection Installer 7.5.0.exe
Type: executable
MD5: 0A0DA779F9C830485D8E85364CC6B5CF
SHA256: 97C7947D56841681B33B5507A734D3E060D496B2AB370FE374D2178CDE39B4A1

PID: 3632
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Local\Temp\MSI8B9D.tmp
Type: executable
MD5: 14D1D2FE7A36E58D6E1A9465C323604B
SHA256: 809CA7B39F4A1B49DC0ADEE682CE6E1CE9259F1E5B563BC2DEF38430F368A569
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

PID: 1080
Process: svchost.exe
IP: 224.0.0.252:5355
Reputation: unknown

PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

PID: 2588
Process: svchost.exe
IP: 239.255.255.250:1900
Reputation: whitelisted

DNS requests

No data

Threats

No threats detected
No debug info