File name:

SDK320.msi

Full analysis: https://app.any.run/tasks/a8e9e637-08c4-4944-9f85-878065df6b0e
Verdict: Suspicious activity
Analysis date: May 02, 2020, 18:53:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: XFS 3.20 SDK, Author: CEN XFS Workshop, Keywords: Installer, Comments: Version 3.20, Template: Intel;1033, Revision Number: {933C6EF6-D8FE-4020-BB82-E3211F953444}, Create Time/Date: Thu Feb 23 15:54:20 2012, Last Saved Time/Date: Thu Feb 23 15:54:20 2012, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.0.5419.0), Security: 2
MD5:

32D5CCA418B81E002BB3FDD8E4062BC9

SHA1:

798D6D8ADB449DE0A3903AF062C8EDD8E401C2E4

SHA256:

6303EE28660F9D8BFF4A494F96D681A2CEBC72E5ABC1AC3B0FDEBCDDBB7E0B8D

SSDEEP:

6144:RmWfO38XsmuHi8LGK3s+3XN8s5nChu76Gdu8hPt4hAVxNB+j25p2rT:c/38XnQPLGKc+nN8sMuddTPOh0xaj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executed as Windows Service

      • vssvc.exe (PID: 3996)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3480)

    • Creates files in the Windows directory

      • msiexec.exe (PID: 3480)

  • INFO

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 3996)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 3480)

    • Searches for installed software

      • msiexec.exe (PID: 3480)

    • Creates files in the program directory

      • msiexec.exe (PID: 3480)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (88.6)
.mst | Windows SDK Setup Transform Script (10)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: XFS 3.20 SDK
Author: CEN XFS Workshop
Keywords: Installer
Comments: Version 3.20
Template: Intel;1033
RevisionNumber: {933C6EF6-D8FE-4020-BB82-E3211F953444}
CreateDate: 2012:02:23 15:54:20
ModifyDate: 2012:02:23 15:54:20
Pages: 200
Words: 2
Software: Windows Installer XML (3.0.5419.0)
Security: Read-only recommended
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
3
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start msiexec.exe no specs msiexec.exe vssvc.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3480C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3664"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\SDK320.msi"C:\Windows\System32\msiexec.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3996C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
821
Read events
559
Write events
250
Delete events
12

Modification events

(PID) Process:(3480) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation:writeName:SrCreateRp (Enter)
Value:
4000000000000000BCCA7B15B320D601980D00004C0B0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3480) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:writeName:SppCreate (Enter)
Value:
4000000000000000BCCA7B15B320D601980D00004C0B0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3480) msiexec.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:writeName:LastIndex
Value:
34
(PID) Process:(3480) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation:writeName:SppGatherWriterMetadata (Enter)
Value:
40000000000000001864D615B320D601980D00004C0B0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3480) msiexec.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
Operation:writeName:IDENTIFY (Enter)
Value:
40000000000000001864D615B320D601980D00002C0B0000E80300000100000000000000000000005FA551FBFCCAE04DB35615E9A229ECCE0000000000000000
(PID) Process:(3996) vssvc.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4000000000000000E876E915B320D6019C0F0000900F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3996) vssvc.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4000000000000000E876E915B320D6019C0F0000300C0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3996) vssvc.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4000000000000000E876E915B320D6019C0F0000780B0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3996) vssvc.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer
Operation:writeName:IDENTIFY (Enter)
Value:
4000000000000000E876E915B320D6019C0F0000840F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000
(PID) Process:(3996) vssvc.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer
Operation:writeName:IDENTIFY (Leave)
Value:
4000000000000000B889FC15B320D6019C0F0000780B0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000
Executable files
5
Suspicious files
6
Text files
21
Unknown types
5

Dropped files

PID
Process
Filename
Type
3480msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
3480msiexec.exeC:\Users\admin\AppData\Local\Temp\~DFBFB11088A426CA52.TMP
MD5:
SHA256:
3480msiexec.exeC:\System Volume Information\SPP\OnlineMetadataCache\{fb51a55f-cafc-4de0-b356-15e9a229ecce}_OnDiskSnapshotPropbinary
MD5:
SHA256:
3480msiexec.exeC:\Windows\Installer\MSI54CA.tmpbinary
MD5:
SHA256:
3480msiexec.exeC:\Windows\Installer\a74d2a.ipibinary
MD5:
SHA256:
3480msiexec.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:
SHA256:
3480msiexec.exeC:\Program Files\Common Files\XFS\SDK\INCLUDE\XFSDEP.Htext
MD5:E7DC57D34FE05D383950ECCAA75E3713
SHA256:AB713A818EF6EB1519CCB4689F617E06784C12BE82A607FA2F8A10ACF079C709
3480msiexec.exeC:\Program Files\Common Files\XFS\SDK\INCLUDE\XFSCIM.Htext
MD5:AA1486F00535010B153C43275B75421D
SHA256:563075B386F4D8834B56C1CF6858B0934E1B2206C2CCCAEAB8A39FC5D36E899C
3480msiexec.exeC:\Program Files\Common Files\XFS\SDK\DOC\LICENSE.pdfpdf
MD5:AA0F5037BB7F7F1655403E7FBDEDDB77
SHA256:6EB0091340F1BFAEE42F6224038EB4759ADBED51E04E284ACEC1CA2FCC0D14A0
3480msiexec.exeC:\Program Files\Common Files\XFS\SDK\INCLUDE\XFSADMIN.Htext
MD5:477814A946901AD058ABF6B337847E41
SHA256:24EAE227CD840B0E98C89EF639EEA3442824A2793CDC238CF971CC0CEB0BE72F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
SDK320.msi