FL2000-2.1.33788.0.exe
This report is generated from a file or URL submitted to this webservice on April 4th 2018 06:42:23 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.00 © Hybrid Analysis

Incident Response

Risk Assessment
- Remote Access
  - Uses network protocols on unusual ports
- Persistence
  - Writes data to a remote process
- Fingerprint
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Evasive
  - Possibly checks for the presence of an Antivirus engine
- Spreading
  - Opens the MountPointManager (often used to detect additional infection locations)
  - Tries to access unusual system drive letters
- Network Behavior
  - Contacts 1 domain and 6 hosts
Indicators
Malicious Indicators (9)

External Systems

Detected Suricata Alert
- details
  - Detected alert "ET POLICY PE EXE or DLL Windows file download HTTP" (SID: 2018959, Rev: 3, Severity: 1) categorized as "Potential Corporate Privacy Violation"
- source: Suricata Alerts
- relevance: 10/10

Sample was identified as malicious by at least one Antivirus engine
- details
  - 1/66 Antivirus vendors marked sample as malicious (1% detection rate)
  - 1/14 Antivirus vendors marked sample as malicious (7% detection rate)
- source: External System
- relevance: 8/10

General

The analysis spawned a process that was identified as malicious
- details
  - 1/64 Antivirus vendors marked spawned process "FL2000-2.1.34054.0.exe" (PID: 3136) as malicious (classified as "Trojan.Agent" with 1% detection rate)
- source: Monitored Target
- relevance: 10/10
Installation/Persistence

Loads the task scheduler interface DLL
- details
  - "FL2000-2.1.34054.0.exe" loaded module "%WINDIR%\SysWOW64\mstask.dll" at 742D0000
- source: Loaded Module
- relevance: 5/10

Writes data to a remote process
- details
  - "<Input Sample>" wrote 1500 bytes to a remote process "%USERPROFILE%\Downloads\FL2000-2.1.34054.0.exe" (Handle: 1096)
  - "<Input Sample>" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\Downloads\FL2000-2.1.34054.0.exe" (Handle: 1096)
  - "<Input Sample>" wrote 8 bytes to a remote process "C:\Users\%USERNAME%\Downloads\FL2000-2.1.34054.0.exe" (Handle: 1096)
  - "<Input Sample>" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\Downloads\FL2000-2.1.34054.0.exe" (Handle: 1096)
  - "<Input Sample>" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\Downloads\FL2000-2.1.34054.0.exe" (Handle: 1096)
  - "FL2000-2.1.34054.0.exe" wrote 1500 bytes to a remote process "C:\Windows\System32\msiexec.exe" (Handle: 552)
  - "FL2000-2.1.34054.0.exe" wrote 4 bytes to a remote process "C:\Windows\System32\msiexec.exe" (Handle: 552)
  - "FL2000-2.1.34054.0.exe" wrote 8 bytes to a remote process "C:\Windows\System32\msiexec.exe" (Handle: 552)
  - "FL2000-2.1.34054.0.exe" wrote 32 bytes to a remote process "C:\Windows\System32\msiexec.exe" (Handle: 552)
  - "FL2000-2.1.34054.0.exe" wrote 52 bytes to a remote process "C:\Windows\System32\msiexec.exe" (Handle: 552)
- source: API Call
- relevance: 6/10
Network Related

Malicious artifacts seen in the context of a contacted host
- details
  - Found malicious artifacts related to "52.218.128.6": ...
  - URL: http://cirepo4.s3.amazonaws.com/release/Downloaders/IMDownloader_Bing/IMDownloader_Bing/IMDownloader_Bing_1.0.1.1_20171101013327767_OS201608243803DoveDelivery220617_skinSplash.exe (AV positives: 2/67 scanned on 03/18/2018 01:10:30)
  - URL: http://files-info.com.s3.amazonaws.com/x-view/1.0.2.353/ (AV positives: 1/64 scanned on 05/04/2017 09:39:15)
  - URL: http://files-info.com.s3.amazonaws.com/thx-view/1.0.3.521/ (AV positives: 1/64 scanned on 05/04/2017 09:31:49)
  - URL: http://files-info.com.s3.amazonaws.com/t-view/1.0.2.521/ (AV positives: 1/64 scanned on 05/04/2017 09:19:07)
  - URL: http://files-info.com.s3.amazonaws.com/x-view/1.0.1.273/ (AV positives: 1/64 scanned on 05/04/2017 09:15:38)
  - File SHA256: 56bcd8ac12dd7ffab654f12ac4a6184abe6621c5c35688ede7f2412b08f9b3a6 (AV positives: 29/71 scanned on 03/03/2018 18:06:49)
- source: Network Traffic
- relevance: 10/10

Uses network protocols on unusual ports
- details
  - TCP traffic to 52.138.216.83 on port 52659
- source: Network Traffic
- relevance: 7/10
Unusual Characteristics

Contains native function calls
- details
  - NtdllDefWindowProc_W@NTDLL.DLL from FL2000-2.1.33788.0.exe (PID: 2000)
  - NtdllDefWindowProc_W@NTDLL.DLL from FL2000-2.1.34054.0.exe (PID: 3136)
- source: Hybrid Analysis Technology
- relevance: 5/10

Tries to access unusual system drive letters
- details
  - "msiexec.exe" touched "K:"
  - "msiexec.exe" touched "L:"
  - "msiexec.exe" touched "M:"
  - "msiexec.exe" touched "N:"
  - "msiexec.exe" touched "O:"
  - "msiexec.exe" touched "P:"
  - "msiexec.exe" touched "Q:"
  - "msiexec.exe" touched "R:"
  - "msiexec.exe" touched "S:"
  - "msiexec.exe" touched "T:"
  - "msiexec.exe" touched "U:"
  - "msiexec.exe" touched "V:"
  - "msiexec.exe" touched "W:"
- source: API Call
- relevance: 9/10
Suspicious Indicators (34)

Cryptographic Related

Found a cryptographic related string
- details
  - "DES" (Indicator: "des"; File: "00017184-00002000.00000002.21346.0131B000.00000002.mdmp")
- source: File/Memory
- relevance: 10/10

Environment Awareness

Possibly tries to implement anti-virtualization techniques
- details
  - "Mpu:1PM]EMuEPMEMI5uAuUM]YPME]EHatuMvVT]VQPMQEMuvV]VMPJEMpPEMIM3AM;M}PMW=j[Yf;t6MW,j%Yf;t MWj!Yf;EtG;|j[" (Indicator: "qemu")
  - "E]Wj\MNQMEPEEPuW}WSXEuu4::M<M;Ehd_E}qW;h_gqhP<h_KqxPMvuEEh|PDuV;NEtMhDPp}939p0tS:MIsMIs3Os3jZ]L}MUe]e9j9 ``DMP${M:M:EEEh_09pV:h`#pMhDPpS:8x0tV9MIrMIrMIr]}tEEtS\Elj\1GYYj3_}t{E+0xrVSMQEMUE]Et6NQMEP[uSSSS]VSPN},rS\MMIr77 ``EMPyMEF9M<9EEEh@`0nV.9h`nMhDPnS9" (Indicator: "qemu")
- source: File/Memory
- relevance: 4/10

Reads the cryptographic machine GUID
- details
  - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
External Systems

Detected Suricata Alert
- details
  - Detected alert "ET POLICY Executable served from Amazon S3" (SID: 2013414, Rev: 10, Severity: 2) categorized as "Potentially Bad Traffic"
- source: Suricata Alerts
- relevance: 10/10

General

Contains ability to find and load resources of a specific module
- details
  - FindResourceW@KERNEL32.dll
  - FindResourceW@KERNEL32.DLL from FL2000-2.1.33788.0.exe (PID: 2000)
  - FindResourceExW@KERNEL32.DLL from FL2000-2.1.33788.0.exe (PID: 2000)
  - LockResource@KERNEL32.DLL from FL2000-2.1.33788.0.exe (PID: 2000)
  - FindResourceW@KERNEL32.DLL from FL2000-2.1.34054.0.exe (PID: 3136)
  - FindResourceExW@KERNEL32.DLL from FL2000-2.1.34054.0.exe (PID: 3136)
  - LockResource@KERNEL32.DLL from FL2000-2.1.34054.0.exe (PID: 3136)
- source: Hybrid Analysis Technology
- relevance: 1/10

Reads configuration files
- details
  - "<Input Sample>" read file "%USERPROFILE%\Users\%OSUSER%\Desktop\desktop.ini"
  - "<Input Sample>" read file "%USERPROFILE%\Searches\desktop.ini"
  - "<Input Sample>" read file "%USERPROFILE%\Videos\desktop.ini"
  - "<Input Sample>" read file "%USERPROFILE%\Pictures\desktop.ini"
  - "<Input Sample>" read file "%USERPROFILE%\Contacts\desktop.ini"
  - "<Input Sample>" read file "%USERPROFILE%\Favorites\desktop.ini"
  - "<Input Sample>" read file "%USERPROFILE%\Music\desktop.ini"
- source: API Call
- relevance: 4/10
Installation/Persistence

Drops executable files
- details
  - "MSI7631.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "MSI77F7.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "MSI7827.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "FL2000-2.1.34054.0.exe.part" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- source: Binary File
- relevance: 10/10
Network Related

Found potential IP address in binary/memory
- details
  - Heuristic match: "version="5.1.0.0""
- source: File/Memory
- relevance: 3/10

Pattern Matching

Contains ability to download files from the internet
- details
  - InternetReadFile@WININET.DLL from FL2000-2.1.33788.0.exe (PID: 2000)
- source: Hybrid Analysis Technology
- relevance: 10/10
Spyware/Information Retrieval

Contains ability to enumerate processes/modules/threads
- details
  - CreateToolhelp32Snapshot@KERNEL32.dll
  - CreateToolhelp32Snapshot@KERNEL32.DLL from FL2000-2.1.33788.0.exe (PID: 2000)
  - CreateToolhelp32Snapshot@KERNEL32.DLL from FL2000-2.1.34054.0.exe (PID: 3136)
- source: Hybrid Analysis Technology
- relevance: 5/10
System Destruction

Marks file for deletion
- details
  - "C:\FL2000-2.1.33788.0.exe" marked "%TEMP%\tin4487.tmp" for deletion
  - "C:\FL2000-2.1.33788.0.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\upd50EC.tmp" for deletion
  - "%USERPROFILE%\Downloads\FL2000-2.1.34054.0.exe" marked "C:\Users\%USERNAME%\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\holder0.aiph" for deletion
  - "%USERPROFILE%\Downloads\FL2000-2.1.34054.0.exe" marked "C:\Users\%USERNAME%\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\FL2000.msi" for deletion
  - "%USERPROFILE%\Downloads\FL2000-2.1.34054.0.exe" marked "C:\Users\%USERNAME%\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\FL2000.x64.msi" for deletion
  - "%USERPROFILE%\Downloads\FL2000-2.1.34054.0.exe" marked "C:\Users\%USERNAME%\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\1028" for deletion
  - "%USERPROFILE%\Downloads\FL2000-2.1.34054.0.exe" marked "C:\Users\%USERNAME%\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\2052" for deletion
  - "%USERPROFILE%\Downloads\FL2000-2.1.34054.0.exe" marked "C:\Users\%USERNAME%\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\disk1.cab" for deletion
  - "%USERPROFILE%\Downloads\FL2000-2.1.34054.0.exe" marked "C:\Users\%USERNAME%\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install" for deletion
  - "%USERPROFILE%\Downloads\FL2000-2.1.34054.0.exe" marked "C:\Users\%USERNAME%\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0" for deletion
  - "%USERPROFILE%\Downloads\FL2000-2.1.34054.0.exe" marked "C:\Users\%USERNAME%\AppData\Roaming\Fresco Logic" for deletion
  - "%WINDIR%\System32\msiexec.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\MSI7631.tmp" for deletion
  - "%WINDIR%\System32\msiexec.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\MSI77F7.tmp" for deletion
  - "%WINDIR%\System32\msiexec.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\MSI7827.tmp" for deletion
  - "%WINDIR%\System32\msiexec.exe" marked "C:\MSI567ea.tmp" for deletion
- source: API Call
- relevance: 10/10

Opens file with deletion access rights
- details
  - "<Input Sample>" opened "%TEMP%\tin4487.tmp" with delete access
  - "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\tin4487.tmp.part" with delete access
  - "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\upd50EC.tmp" with delete access
  - "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\upd50EC.tmp.part" with delete access
  - "<Input Sample>" opened "C:\Users\%USERNAME%\Downloads\FL2000-2.1.34054.0.exe" with delete access
  - "<Input Sample>" opened "C:\Users\%USERNAME%\Downloads\FL2000-2.1.34054.0.exe.part" with delete access
  - "FL2000-2.1.34054.0.exe" opened "C:\Users\%USERNAME%\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\holder0.aiph" with delete access
  - "FL2000-2.1.34054.0.exe" opened "C:\Windows\Tasks\C__Users_%OSUSER%_Downloads_FL2000-2.1.34054.0.exe.job" with delete access
  - "FL2000-2.1.34054.0.exe" opened "C:\Users\%USERNAME%\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\FL2000.msi" with delete access
  - "FL2000-2.1.34054.0.exe" opened "C:\Users\%USERNAME%\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\FL2000.x64.msi" with delete access
  - "FL2000-2.1.34054.0.exe" opened "C:\Users\%USERNAME%\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\1028" with delete access
  - "FL2000-2.1.34054.0.exe" opened "C:\Users\%USERNAME%\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\2052" with delete access
  - "FL2000-2.1.34054.0.exe" opened "C:\Users\%USERNAME%\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\disk1.cab" with delete access
  - "FL2000-2.1.34054.0.exe" opened "C:\Users\%USERNAME%\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install" with delete access
  - "FL2000-2.1.34054.0.exe" opened "C:\Users\%USERNAME%\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0" with delete access
  - "FL2000-2.1.34054.0.exe" opened "C:\Users\%USERNAME%\AppData\Roaming\Fresco Logic" with delete access
- source: API Call
- relevance: 7/10
System Security

Modifies Software Policy Settings
- details
  - "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
  - "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
  - "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
  - "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
  - "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
  - "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
  - "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
  - "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
  - "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
  - "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
  - "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
  - "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
  - "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
  - "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
  - "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
  - "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
  - "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
  - "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
  - "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
  - "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
- source: Registry Access
- relevance: 10/10

Modifies proxy settings
- details
  - "<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  - "<Input Sample>" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  - "<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
  - "<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
  - "<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
- source: Registry Access
- relevance: 10/10

Queries sensitive IE security settings
- details
  - "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source: Registry Access
- relevance: 8/10
Unusual Characteristics

Imports suspicious APIs
- details
  - RegCreateKeyExW, RegCloseKey, OpenProcessToken, RegOpenKeyExW, CreateToolhelp32Snapshot, LoadLibraryW, GetTickCount, Process32NextW, OpenProcess, DeleteFileW, GetProcAddress, Process32FirstW, GetTempFileNameW, FindNextFileW, GetTempPathW, FindFirstFileW, GetModuleHandleW, TerminateProcess, WriteFile, CreateFileW, CreateProcessW, Sleep, ShellExecuteW, ShellExecuteExW, GetWindowThreadProcessId, socket, bind, WSAStartup, closesocket
- source: Static Parser
- relevance: 1/10

Installs hooks/patches the running process
- details
  - "<Input Sample>" wrote bytes "c0df63771cf96277ccf862770d64647700000000c011297600000000fc3e297600000000e0132976000000009457517625e06377c6e0637700000000bc6a507600000000cf3129760000000093195176000000002c32297600000000" to virtual address "0x76EB1000" (part of module "NSI.DLL")
  - "<Input Sample>" wrote bytes "0efc667781ed6577ae866477c6e06377effd66772d166577c0fc6277da8f6d7760146777478d6477a8e263776089647700000000ad3776768b2d7676b641767600000000" to virtual address "0x741A1000" (part of module "WSHIP6.DLL")
  - "<Input Sample>" wrote bytes "f8112976201429760c112976f5162976a911297685482976b9342976a93429766834297600000000a56b1977e4851977e04d19779cc01977a3bf197792ae19770c7d197700000000" to virtual address "0x743B1000" (part of module "MSIMG32.DLL")
  - "<Input Sample>" wrote bytes "711122027a3b2102ab8b02007f950200fc8c0200729602006cc805001ecd1e027d261e02" to virtual address "0x754707E4" (part of module "USER32.DLL")
  - "<Input Sample>" wrote bytes "7d07677781ed6577ae866477c6e06377effd66772d16657760146777478d6477a8e263776089647700000000ad3776768b2d7676b641767600000000" to virtual address "0x73C31000" (part of module "WSHTCPIP.DLL")
  - "<Input Sample>" wrote bytes "75dc6476273e647651c16276ee9c6276949862760fb36876109962769097627600000000f5162976ead72a76d9172976698729760f772b760c112976a934297620142976f8112976ff10297600000000" to virtual address "0x7447E000" (part of module "MSLS31.DLL")
- source: Hook Detection
- relevance: 10/10

Reads information about supported languages
- details
  - "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - "FL2000-2.1.34054.0.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - "msiexec.exe" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALENAME")
  - "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10
16 further suspicious indicators are hidden and not shown in this report.
Informative (32)

Anti-Reverse Engineering

Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
  - SetUnhandledExceptionFilter@KERNEL32.dll
  - SetUnhandledExceptionFilter@KERNEL32.DLL from FL2000-2.1.33788.0.exe (PID: 2000)
  - SetUnhandledExceptionFilter@KERNEL32.DLL from FL2000-2.1.34054.0.exe (PID: 3136)
- source: Hybrid Analysis Technology
- relevance: 1/10

Found strings in conjunction with a procedure lookup that resolve to a known API export symbol
- details
  - Found reference to API IsWow64Process@KERNEL32.DLL from FL2000-2.1.33788.0.exe (PID: 2000)
  - Found reference to API DllGetVersion@COMCTL32.DLL from FL2000-2.1.33788.0.exe (PID: 2000)
  - Found reference to API LoadIconMetric@COMCTL32.DLL from FL2000-2.1.33788.0.exe (PID: 2000)
  - Found reference to API SleepConditionVariableCS@KERNEL32.DLL from FL2000-2.1.33788.0.exe (PID: 2000)
  - Found reference to API RegDeleteKeyExW@KERNEL32.DLL from FL2000-2.1.33788.0.exe (PID: 2000)
  - Found reference to API DllGetVersion@COMCTL32.DLL from FL2000-2.1.34054.0.exe (PID: 3136)
  - Found reference to API IsWow64Process@KERNEL32.DLL from FL2000-2.1.34054.0.exe (PID: 3136)
  - Found reference to API LoadIconMetric@COMCTL32.DLL from FL2000-2.1.34054.0.exe (PID: 3136)
  - Found reference to API SleepConditionVariableCS@KERNEL32.DLL from FL2000-2.1.34054.0.exe (PID: 3136)
  - Found reference to API RegDeleteKeyExW@KERNEL32.DLL from FL2000-2.1.34054.0.exe (PID: 3136)
- source: Hybrid Analysis Technology
- relevance: 10/10
Environment Awareness

Contains ability to query machine time
- details
  - GetLocalTime@KERNEL32.DLL from FL2000-2.1.33788.0.exe (PID: 2000)
  - GetSystemTime@KERNEL32.DLL from FL2000-2.1.33788.0.exe (PID: 2000)
  - GetSystemTimeAsFileTime@KERNEL32.DLL from FL2000-2.1.33788.0.exe (PID: 2000)
  - GetLocalTime@KERNEL32.DLL from FL2000-2.1.34054.0.exe (PID: 3136)
  - GetSystemTime@KERNEL32.DLL from FL2000-2.1.34054.0.exe (PID: 3136)
  - GetSystemTimeAsFileTime@KERNEL32.DLL from FL2000-2.1.34054.0.exe (PID: 3136)
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query the machine version
- details
  - DllGetVersion@COMCTL32.DLL from FL2000-2.1.33788.0.exe (PID: 2000)
  - GetVersionExW@KERNEL32.DLL from FL2000-2.1.33788.0.exe (PID: 2000)
  - DllGetVersion@COMCTL32.DLL from FL2000-2.1.34054.0.exe (PID: 3136)
  - GetVersionExW@KERNEL32.DLL from FL2000-2.1.34054.0.exe (PID: 3136)
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query the system locale
- details
  - GetUserDefaultLCID@KERNEL32.dll
  - EnumSystemLocalesW@KERNEL32.dll
  - EnumSystemLocalesW@KERNEL32.DLL from FL2000-2.1.33788.0.exe (PID: 2000)
  - GetUserDefaultLCID@KERNEL32.DLL from FL2000-2.1.33788.0.exe (PID: 2000)
  - EnumSystemLocalesW@KERNEL32.DLL from FL2000-2.1.34054.0.exe (PID: 3136)
  - GetUserDefaultLCID@KERNEL32.DLL from FL2000-2.1.34054.0.exe (PID: 3136)
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query volume size
- details
  - GetDiskFreeSpaceExW@KERNEL32.DLL from FL2000-2.1.33788.0.exe (PID: 2000)
  - GetDiskFreeSpaceExW@KERNEL32.DLL from FL2000-2.1.34054.0.exe (PID: 3136)
  - GetDiskFreeSpaceW@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 3/10

Possibly tries to detect the presence of a debugger
- details
  - GetProcessHeap@KERNEL32.dll
  - GetProcessHeap@KERNEL32.DLL from FL2000-2.1.33788.0.exe (PID: 2000)
  - GetProcessHeap@KERNEL32.DLL from FL2000-2.1.34054.0.exe (PID: 3136)
- source: Hybrid Analysis Technology
- relevance: 1/10

Queries volume information
- details
  - "msiexec.exe" queries volume information of "C:\" at 00022639-00003804-00000046-80492784
  - "msiexec.exe" queries volume information of "C:\share" at 00022639-00003804-00000046-81484692
  - "msiexec.exe" queries volume information of "C:\" at 00022639-00003804-00000046-87140771
- source: API Call
- relevance: 2/10

Queries volume information of an entire harddrive
- details
  - "msiexec.exe" queries volume information of "C:\" at 00022639-00003804-00000046-80492784
  - "msiexec.exe" queries volume information of "C:\" at 00022639-00003804-00000046-87140771
- source: API Call
- relevance: 8/10

Reads the registry for installed applications
- details
  - "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\FL2000-2.1.34054.0.EXE")
  - "<Input Sample>" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\FL2000-2.1.34054.0.EXE")
  - "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\MSIEXEC.EXE")
  - "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\MSIEXEC.EXE")
- source: Registry Access
- relevance: 10/10
General
-
Accesses Software Policy Settings
- details
-
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "") - source
- Registry Access
- relevance
- 10/10
-
Accesses System Certificates Settings
- details
-
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\104C63D2546B8021DD105E9FBA5A8D78169F6B32"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\1FB86B1168EC743154062E8C9CC5B171A4B7CCB4"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\247106A405B288A46E70A0262717162D0903E734"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\339CDD57CFD5B141169B615FF31428782D1DA639"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\5AEAEE3F7F2A9449CEBAFEEC68FDD184F20124A7"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\902EF2DEEB3C5B13EA4C3D5193629309E231AE55"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\C86EDBC71AB05078F61ACDF3D8DC5DB61EB75FB6"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\E3FC0AD84F2F5A83ED6F86F567F8B14B40DCBF12"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\EAB040689A0D805B5D6FD654FC168CFF00B78BE3"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
- source
- Registry Access
- relevance
- 10/10
-
Contacts domains
- details
- "updates.frescologic.com"
- source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
-
"2.21.242.227:80"
"2.21.242.237:80"
"2.20.131.136:80"
"184.25.216.99:80"
"52.218.128.6:80"
"52.138.216.83:52659"
- source
- Network Traffic
- relevance
- 1/10
-
Contains PDB pathways
- details
-
"C:\Branch\win\Release\stubs\x86\setup.pdb"
"C:\Branch\win\Release\custact\x86\AICustAct.pdb"
"DIFxAppA.pdb"
"DIFxApp.pdb"
"!"#$%&'()*+,-./0123456789:;<=>?@Aaicustact.dllAI_AuthorSinglePackageAI_ResolveKnownFoldersAI_SearchOfficeAddinsAddCaspolSecurityPolicyBrowseForFileCheckFreeTCPPortCheckIfUserExistsChooseTextStylesCloseApplicationCollectFeaturesWithoutCabComputeReplaceProductsListConfigureServFailActionsCreateExeProcessDeleteEmptyDirectoryDeleteFromComboBoxDeleteFromListBoxDeleteShortcutsDetectModernWindowsDetectProcessDetectServiceDisableFeaturesDoEventsDpiContentScaleEnableDebugLogEnumStartedServicesExtractComboBoxDataExtractListBoxDataGetArpIconPathGetFreeTCPPortGetLocalizedCredentialsGetPathFreeSpaceInstanceMajorUpgradeJoinFilesLaunchAppLaunchLogFileLoadShortcutDirsLogOnAsAServiceMixedAllUsersInstallLocationMsgBoxMsmTrialMessagePlayAudioFilePopulateComboBoxPopulateListBoxPrepareUpgradePreserveInstallTypePreventInstancesUpgradePrintRTFProcessFailActionsRemoveCaspolSecurityPolicyResolveKnownFolderResolveServicePropertiesRestoreLocationRunAllExitActionsRunAsAdminRunFinishActionsSetLatestVersionPathStopProcessStopWinServiceTrialMessageUninstallPreviousVersionsUpdateFeatureStatesUpdateInstallModeUpdateMsiEditControlsValidateInstallFolderViewReadMeWarningMessageBoxRSDS;iqxNg4=C:\Branch\win\Release\custact\x86\AICustAct.pdb>GCTL.text$mn.idata$5S.rdata6l.edata>X.rdata$zzzdbgd?.idata$2@@.idata$3T@.idata$4C.idata$6P0.data0P0.bss`.rsrc$01`.rsrc$02|BC(ACTBCA0DxBPD@GBH@:I@dIxT@KCLKKKdKTK<K"KKJJJJJJJxJ`JHJ4J JJJIIIIIIrIPIDI*III", "f"L|gZi"7lOn"$q)r8"QpsRuh"xx "'y1Lz"N{Pl~""ot<"X18p"\dQDRSDSZD,91DIFxAppA.pdbHVWATH0HD$(HXHhLf`@ H"
"AA(null)(null)EEE00P('8PW700PP (```hhhxppwppUserSIDDIFXAPP: INFO: user SID of user performing the install is '%s'.DIFXAPP: ERROR: 0x%X occurred while determining the SID of the user that is performing the install.SELECT `Component`.`ComponentId` FROM `Component` WHERE `Component`.`Component`='%s'ProductNameManufacturerDebugDIFxAppDIFXAPP: ENTER: ProcessDriverPackages()DIFXAPP: ERROR - The operating system you are running on is not supported. Only Windows 2000, Windows XP, Windows Server 2003 and Windows codenamed Longhorn are supported.SELECT `Component`, `Flags` FROM `MsiDriverPackages` ORDER BY `Sequence`DIFXAPP: INFO: MsiDriverPackages table is not present!DIFXAPP: ERROR 0x%X reading MsiDriverPackages tableUILevelDIFXAPP: ERROR 0x%X determining the UI Level for this installDIFXAPP: ERROR 0x%X reading 'Component' from the 'MsiDriverPackages' table!DIFXAPP: INFO: 'Component' is '%ws'DIFXAPP: ERROR 0x%X encountered getting the component state for '%ws'DIFXAPP: INFO: Component state 0x%X -> 0x%XDIFXAPP: ERROR 0X%x encountered trying to retrieve the ComponentId for '%ws'DIFXAPP: INFO: 'ComponentId' is %wsDriverFlags.DIFXAPP: ERROR 0x%X encountered while trying to retrieve the property %wsDIFXAPP: INFO: The flags for component %ws in the MsiDriverPackages table have been overridden by the property %wsDIFXAPP: ERROR 0x%X reading 'Flags' from the 'MsiDriverPackages' table!DIFXAPP: INFO: 'Flags' is %ws[$%ws]DIFXAPP: ERROR 0x%X getting the component pathDIFXAPP: INFO: component path is %wsDIFXAPP: WARNING: DIFXAPP does not know about install state 0x%X. 
Rollback may not be able to delete all files.2.1.1%s%c%s%c%s%c%s%c%s%c%s%c%sSoftware\Microsoft\Windows\CurrentVersion\DIFxApp\ComponentsDIFXAPP: INFO: creating HKEY_USERS\%s (User's SID: '%s') ...DIFXAPP: ERROR 0x%X encountered while creating subkey for component '%ws'%s%c%s%c%s%c%s%c%s%c%s%c%s%c%sMsiRollbackInstallDIFXAPP: ERROR 0x%X setting the custom action data property for %wsDIFXAPP: ERROR 0x%X creating %ws custom action for %wsMsiInstallDrivers%s%c%s%c%s%c%s%c%s%c%sMsiUninstallDriversNoOp_TRUEDIFXAPP: ERROR 0x%X setting the NoOp property for %wsDIFXAPP: INFO: This is a no-op custom action for component %ws. The %ws property has been set to TRUE.DIFXAPP: INFO: MsiDriverPackages table has no rows!DIFXAPP: ERROR AtlException 0x%XDIFXAPP: ERROR SEHException 0x%XDIFXAPP: RETURN: ProcessDriverPackages() %u (0x%X)DIFXAPP: ENTER: CleanupOnSuccess()DIFXAPP: ERROR 0x%X occurred while retrieving the NoOp property for component %wsDIFXAPP: INFO: This is a no-op for component %ws. The %ws property has been set to TRUE.DIFXAPP: INFO: Skipping cleanup for component %ws, since it is a no-op.DIFXAPP: ERROR 0x%X occurred while clearing the UpgradeNoOp property for component %wsDIFXAPP: INFO: opening HKEY_USERS\%s (User's SID: '%s') ...DIFXAPP: ERROR 0x%X encountered while opening DIFxApp key for component '%ws'CleanupNeededDIFXAPP: ERROR 0x%X encountered while querying the cleanup flag for component '%ws'NoRollbackConnectHardwareDIFXAPP: ERROR 0x%X encountered while querying 'connect hardware prompt' value in the registry for component '%ws'RebootDIFXAPP: ERROR 0x%X encountered while querying reboot value in the registry for component '%ws'UninstallErrorDIFXAPP: ERROR 0x%X encountered while querying 'uninstall error' value in the registry for component '%ws'DIFXAPP: ERROR 0x%X encountered while deleting DIFxApp key for component '%s'DIFXAPP: ERROR 0x%X determining the UI Level for this install. 
The user might need to plug in their hardware, but we won't promptDIFXAPP: INFO: successfully showed Message Box to inform user to plug in their hardware.DIFXAPP: ERROR 0x%X. Failed to show Message Box to inform user to plug in their hardware.DIFXAPP: ERROR MsiRecordSetString failed. Failed to show Message Box to inform user to plug in their hardware.DIFXAPP: ERROR MsiCreateRecord failed. Failed to show Message Box to inform user to plug in their hardware.DIFXAPP: INFO: The hardware for the driver that was just installed is currently not plugged into the computer. Could not prompt the user to plug-in their hardware because the install is in no-UI modeUPGRADINGPRODUCTCODEDIFXAPP: WARNING: The uninstall phase of this upgrade required a reboot. This may result in errors during the subsequent install phase. If such errors do occur, please reboot your system and run the upgrade again.ScheduleRebootDIFXAPP: ERROR 0x%X encountered while scheduling a rebootDIFXAPP: ERROR - at least one of the driver packages failed to uninstall cleanly.DIFXAPP: RETURN: CleanupOnSuccess() %u (0x%X)0123456789ABCDEFDRVSTORE.\\/Software\Microsoft\Windows\CurrentVersion\DIFXDebugger, attach to process '%u' !Attached debugger detected!Attach DebuggerNo debugger attached!DIFX: Unknown DebugInstall options, NOT breaking to debugger."(" " ( "HP "8"8" ("\d("("<H" "8X("8"=t{h"0RSDSBy9M[j9DIFxApp.pdbHVWATH0HD$(HXHhLf`@ H", "RSDSIE>KDIFxApp.pdbz`}" - source
- File/Memory
- relevance
- 1/10
-
Contains ability to create named pipes for inter-process communication (IPC)
- details
-
CreateNamedPipeW@KERNEL32.DLL from FL2000-2.1.33788.0.exe (PID: 2000)
CreateNamedPipeW@KERNEL32.DLL from FL2000-2.1.34054.0.exe (PID: 3136)
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Creates a writable file in a temporary directory
- details
-
"<Input Sample>" created file "%TEMP%\tin4487.tmp.part"
"<Input Sample>" created file "%TEMP%\upd50EC.tmp.part"
"msiexec.exe" created file "%TEMP%\MSI567e9.LOG"
"msiexec.exe" created file "%TEMP%\MSI7631.tmp"
"msiexec.exe" created file "%TEMP%\MSI77F7.tmp"
"msiexec.exe" created file "%TEMP%\MSI7827.tmp"
- source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"Local\ZonesLockedCacheCounterMutex"
"Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\_MSIExecute"
"\Sessions\1\BaseNamedObjects\Global\MSILOG_5cacb0b61d3cbd0GOL.9e765ISM_pmeT_lacoL_ataDppA_Xwwvh3y_sresU_:C"
- source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
-
Antivirus vendors marked dropped file "FL2000.x64.msi" as clean (type is "Composite Document File V2 Document Little Endian O%WINDIR%\Version 10.0 Title: Installation Database Keywords: Installer MSI Database Last Printed: Fri Dec 11 11:47:44 2009 Create Time/Date: Fri Dec 11 11:47:44 2009 Last Saved Time/Date: Fri Dec 11 11:47:44 2009 Number of Pages: 200 Security: 0 Code page: 1252 Revision Number: {3D2B03E4-C548-41A7-B779-868A9CC4500B} Number of Words: 2 Subject: Fresco Logic USB Display Driver Author: Fresco Logic Name of Creating Application: Advanced Installer 13.1 build 71115 Template: x64;1033 Comments: This installer database contains the logic and data required to install Fresco Logic USB Display Driver.")
Antivirus vendors marked dropped file "FL2000.msi" as clean (type is "Composite Document File V2 Document Little Endian Os: Windows Version 10.0 Title: Installation Database Keywords: Installer MSI Database Last Printed: Fri Dec 11 11:47:44 2009 Create Time/Date: Fri Dec 11 11:47:44 2009 Last Saved Time/Date: Fri Dec 11 11:47:44 2009 Number of Pages: 200 Security: 0 Code page: 1252 Revision Number: {3D2B03E4-C548-41A7-B779-868A9CC4500B} Number of Words: 2 Subject: Fresco Logic USB Display Driver Author: Fresco Logic Name of Creating Application: Advanced Installer 13.1 build 71115 Template: ;1033 Comments: This installer database contains the logic and data required to install Fresco Logic USB Display Driver.")
Antivirus vendors marked dropped file "MSI7631.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "MSI77F7.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "MSI7827.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- source
- Binary File
- relevance
- 10/10
-
GETs files from a webserver
- details
-
"GET /FL2000/FL2000_Updates.txt HTTP/1.1Accept: */*User-Agent: AdvancedInstallerHost: updates.frescologic.comConnection: Keep-AliveCache-Control: no-cache"
"GET /FL2000/FL2000-2.1.34054.0.exe HTTP/1.1Accept: */*User-Agent: AdvancedInstallerHost: updates.frescologic.comConnection: Keep-AliveCache-Control: no-cache"
- source
- Network Traffic
- relevance
- 5/10
-
Loads rich edit control libraries
- details
-
"<Input Sample>" loaded module "%WINDIR%\SysWOW64\riched20.dll" at 741C0000
"FL2000-2.1.34054.0.exe" loaded module "%WINDIR%\SysWOW64\riched20.dll" at 731F0000
"msiexec.exe" loaded module "%WINDIR%\System32\riched20.dll" at F2A30000
- source
- Loaded Module
-
Reads Windows Trust Settings
- details
- "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source
- Registry Access
- relevance
- 5/10
-
Scanning for window names
- details
-
"<Input Sample>" searching for class "Shell_TrayWnd"
"FL2000-2.1.34054.0.exe" searching for class "Shell_TrayWnd"
- source
- API Call
- relevance
- 10/10
-
Spawns new processes
- details
-
Spawned process "FL2000-2.1.34054.0.exe" with commandline "/exenoupdates"
Spawned process "msiexec.exe" with commandline "/i "%APPDATA%\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\FL2000.x64.msi" AI_SETUPEXEPATH="%USERPROFILE%\Downloads\FL2000-2.1.34054.0.exe" SETUPEXEDIR="%USERPROFILE%\Downloads\" EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs ""
- source
- Monitored Target
- relevance
- 3/10
-
Installation/Persistance
-
Connects to LPC ports
- details
- "msiexec.exe" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
-
Dropped files
- details
-
"FL2000.x64.msi" has type "Composite Document File V2 Document Little Endian O%WINDIR%\Version 10.0 Title: Installation Database Keywords: Installer MSI Database Last Printed: Fri Dec 11 11:47:44 2009 Create Time/Date: Fri Dec 11 11:47:44 2009 Last Saved Time/Date: Fri Dec 11 11:47:44 2009 Number of Pages: 200 Security: 0 Code page: 1252 Revision Number: {3D2B03E4-C548-41A7-B779-868A9CC4500B} Number of Words: 2 Subject: Fresco Logic USB Display Driver Author: Fresco Logic Name of Creating Application: Advanced Installer 13.1 build 71115 Template: x64;1033 Comments: This installer database contains the logic and data required to install Fresco Logic USB Display Driver."
"FL2000.msi" has type "Composite Document File V2 Document Little Endian Os: Windows Version 10.0 Title: Installation Database Keywords: Installer MSI Database Last Printed: Fri Dec 11 11:47:44 2009 Create Time/Date: Fri Dec 11 11:47:44 2009 Last Saved Time/Date: Fri Dec 11 11:47:44 2009 Number of Pages: 200 Security: 0 Code page: 1252 Revision Number: {3D2B03E4-C548-41A7-B779-868A9CC4500B} Number of Words: 2 Subject: Fresco Logic USB Display Driver Author: Fresco Logic Name of Creating Application: Advanced Installer 13.1 build 71115 Template: ;1033 Comments: This installer database contains the logic and data required to install Fresco Logic USB Display Driver."
"MSI7631.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"CMGKGAU6.txt" has type "ASCII text"
"disk1.cab" has type "Microsoft Cabinet archive data 4573311 bytes 27 files"
"upd50EC.tmp.part" has type "ASCII text with CRLF line terminators"
"1028" has type "Composite Document File V2 Document Little Endian Os: Windows Version 10.0 Code page: 950 Title: Installation Database Subject: Fresco Logic USB Display Driver Author: Fresco Logic Keywords: Installer MSI Database Comments: In Installer I Dawa]ateFDwiv Fresco Logic USB Display Driver Create Time/Date: Fri Dec 11 11:47:46 2009 Name of Creating Application: Advanced Installer 13.1 build 71115 Security: 0 Template: ;1033 Last Saved By: ;1028 Revision Number: {FC11E022-A625-48EA-85EB-AF2AFEF05B06}2.1.34054.0;{E1F96EEF-35B2-48B0-AA2A-440D8980A112}2.1.34054.0;{5D395DA6-5928-4E55-A83C-2C25C0132F62} Number of Pages: 200 Number of Characters: 63"
"MSI77F7.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"MSI7827.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"2052" has type "Composite Document File V2 Document Little Endian Os: Windows Version 10.0 Code page: 936 Title: Installation Database Subject: Fresco Logic USB Display Driver Author: Fresco Logic Keywords: Installer MSI Database Comments: In Installer I Database Create Time/Date: Fri Dec 11 11:47:46 2009 Name of Creating Application: Advanced Installer 13.1 build 71115 Security: 0 Template: ;1033 Last Saved By: ;2052 Revision Number: {FC11E022-A625-48EA-85EB-AF2AFEF05B06}2.1.34054.0;{1F2B11B1-C3FF-4033-A57A-1109B075CA36}2.1.34054.0;{5D395DA6-5928-4E55-A83C-2C25C0132F62} Number of Pages: 200 Number of Characters: 63"
"GUGQL9UM.txt" has type "ASCII text"
"tin4487.tmp.part" has type "HTML document ISO-8859 text with very long lines"
"FL2000-2.1.34054.0.exe.part" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"<Input Sample>" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db"
"<Input Sample>" touched file "C:\Windows\Fonts\StaticCache.dat"
"<Input Sample>" touched file "C:\Windows\SysWOW64\en-US\msctf.dll.mui"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat"
"<Input Sample>" touched file "C:\Windows\SysWOW64\rsaenh.dll"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History"
"<Input Sample>" touched file "C:\Windows\SysWOW64\wshqos.dll"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies\CMGKGAU6.txt"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies\GUGQL9UM.txt"
"<Input Sample>" touched file "C:\Windows\SysWOW64\imageres.dll"
- source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://schemas.microsoft.com/SMI/2005/WindowsSettings"
Pattern match: "updates.frescologic.com/No_Updates.txtPROMPTROLLBACKCOSTPProductCode{255B8FBB-90AB-41E1-9596-D5E618E4D3FB}ProductLanguage1033ProductNameFresco"
Pattern match: "https://www.verisign.com/rpa"
Pattern match: "http://sf.symcb.com/sf.crl0f"
Pattern match: "https://d.symcb.com/cps0%"
Pattern match: "https://d.symcb.com/rpa0"
Pattern match: "http://sf.symcd.com0&"
Pattern match: "http://sf.symcb.com/sf.crt0"
Pattern match: "http://ocsp.thawte.com0"
Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0"
Pattern match: "http://t2.symcb.com0"
Pattern match: "http://t1.symcb.com/ThawtePCA.crl0"
Pattern match: "http://ts-ocsp.ws.symantec.com07"
Pattern match: "http://ts-aia.ws.symantec.com/tss-ca-g2.cer0"
Pattern match: "http://ts-crl.ws.symantec.com/tss-ca-g2.crl0"
Pattern match: "http://tl.symcb.com/tl.crl0"
Pattern match: "https://www.thawte.com/cps0/"
Pattern match: "https://www.thawte.com/repository0"
Pattern match: "http://tl.symcd.com0&"
Pattern match: "http://tl.symcb.com/tl.crt0"
Pattern match: "http://www.advancedinstaller.com0"
Pattern match: "http://s.symcd.com06"
Pattern match: "http://s.symcb.com/universal-root.crl0"
Pattern match: "https://d.symcb.com/rpa0@"
Pattern match: "http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0"
Pattern match: "http://ts-ocsp.ws.symantec.com0"
Pattern match: "http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0"
Pattern match: "crl.microsoft.com/pki/crl/products/tspca.crl0H"
Pattern match: "http://www.microsoft.com/pki/certs/tspca.crt0"
Pattern match: "crl.microsoft.com/pki/crl/products/WinPCA.crl"
Pattern match: "www.microsoft.com/pki/crl/products/WinPCA.crl0R"
Pattern match: "www.microsoft.com/pki/certs/MicrosoftWinPCA.crt0"
Pattern match: "http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T"
Pattern match: "www.microsoft.com/pki/certs/MicrosoftRootCert.crt0"
Pattern match: "http://www.microsoft.com0"
Pattern match: "https://www.verisign.com/cps0*"
Pattern match: "https://www.verisign.com/rpa0"
Pattern match: "http://logo.verisign.com/vslogo.gif04"
Pattern match: "http://crl.verisign.com/pca3-g5.crl04"
Pattern match: "http://ocsp.verisign.com0"
Pattern match: "www.google.com"
Pattern match: "http://www.yahoo.com"
Pattern match: "http://www.example.com"
Pattern match: "https://www.google.com/logos/doodles/2018/dr-maya-angelous-90th-birthday-5544539824586752.3-2xa.gif"
Pattern match: "http://www.google.de/imghp?hl=de&tab=wi"
Pattern match: "https://mail.google.com/mail/?tab=wm"
Pattern match: "https://plus.google.com/117570067846637741468"
Pattern match: "http://www.google.com/setprefdomain?prefdom=DE&prev=http://www.google.de/&sig=__XBoCi70fqWVAyqHEgjl1I96p5t4%3D"
Pattern match: "http://updates.frescologic.com/FL2000/FL2000-2.1.34054.0.exe"
Pattern match: "http://updates.frescologic.com/FL2000/FL2000-2.1.33581.0.exe"
Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: ocsp.verisign.com"
Pattern match: "http://www.symauth.com/cps0"
Pattern match: "http://www.symauth.com/rpa0"
Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEAubDR3UJcBFCIVoVo4J2lY%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: sf.symcd.com"
Pattern match: "https://www.verisign.c"
Pattern match: "http://tl.sy"
Pattern match: "mcb.com/tl.crl0"
Pattern match: "www.microsoft.com/pki/certs/Microsof"
Pattern match: "http://crl.microsoft.com/pki/crl/pro"
Pattern match: "updates.frescologic.com/No_Updates.txtPROMPTROLLBACKCOSTPProductCode{FC11E022-A625-48EA-85EB-AF2AFEF05B06}ProductLanguage1033ProductNameFresco"
Heuristic match: "o_iddcx.dll_3fresco_iddcx.inf_1{5F628935-F256-4DB2-B167-08278107DB2A}fresco_iddcx_Dirfresco_monitor_tool.exe{5B059E7E-840F-43B7-A444-0FB4566BE5B7}fresco_monitor_tool.exe_1{08F2DABF-9ECB-4207-8037-ACDF50A11782}lci_proxykmd.inf{AED9E1AC-DCFE-43C6-98E4-F795A0"
Heuristic match: "he ordering of the items within one list. The integers do not have to be consecutive.A named property to be tied to this item. All the items tied to the same property become part of the same combobox.The visible text to be assigned to the item. Optional. I"
Pattern match: "www.microsoft"
Pattern match: "http://www.google.com"
Heuristic match: "updates.frescologic.com"
Pattern match: "http://schema.org/WebPage"
Pattern match: "http://updates.frescologic.com/No_Updates.txt"
Pattern match: "http://updates.frescologic.com/FL2000/FL2000_Updates.txt"
Pattern match: "http://sf.symcb.com/sf.crl0fU"
Pattern match: "sf.symcb.com/sf.crt0U#0{&K&0UL#uj1Ivf0`HB0"
Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0U%0"
Pattern match: "http://t1.symcb.com/ThawtePCA.crl0U%0++0U0"
Pattern match: "http://tl.symcb.com/tl.crl0U0U%0"
Pattern match: "https://www.thawte.com/cps0/+0#!https://www.thawte.com/repository0U000"
Pattern match: "tl.symcb.com/tl.crt0`HB0"
Pattern match: "https://d.symcb.com/cps0%+0https://d.symcb.com/rpa0.+0"
Pattern match: "https://d.symcb.com/cps0%+0https://d.symcb.com/rpa0@U9070531/http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0U%0"
Heuristic match: "SUW|$j'[|$f;-Q3f;tsf;uPf;udf;uPPD$L$ +\$SW;~l$+f/fu-3f;tj'[3f;tq3f6`.Er"
Pattern match: "succesfully.ipm/groupsextract"
Heuristic match: ".3t$h$ HcH$L$3H1l$hDt$@Ht$`L|$XDl$@ADl$@D$(D$ E3EAH$I&1LH;$$H$HD$(H$HD$ L$E3HpI,|$(HD$xHD$ DL$.bH"
Pattern match: "crl.microsoft.com/pki/crl/products/tspca.crl0H+"
Pattern match: "crl.microsoft.com/pki/crl/products/WinPCA.crl4http://www.microsoft.com/pki/crl/products/WinPCA.crl0R+F0D0B+06http://www.microsoft.com/pki/certs/MicrosoftWinPCA.crt0"
Pattern match: "http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T+H0F0D+08http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0U"
Pattern match: "www.microsoft.com0"
Heuristic match: ")-IyY\]#5sjI#whAAAAAC.]< A++.SY"
Pattern match: "http://updates.frescologic.com/FL2000/FL2000-2.1.33788.0.exe"
Pattern match: "http://updates.frescologic.com/FL2000/FL2000-2.1.33676.0.exe"
- source
- File/Memory
- relevance
- 10/10
-
Spyware/Information Retrieval
-
Found a reference to a known community page
- details
- "ck!" name="btnI" onclick="if(this.form.q.value)this.checked=1; else top.location='/doodles/'" type="submit"></span></span></td><td class="fl sblc" align="left" nowrap="" width="25%"><a href="/advanced_search?hl=de&authuser=0">Erweiterte Suche</a><a href="/language_tools?hl=de&authuser=0">Sprachoptionen</a></td></tr></table><input id="gbv" name="gbv" type="hidden" value="1"></form><div id="gac_scont"></div><div style="font-size:83%;min-height:3.5em"><br></div><span id="footer"><div style="font-size:10pt"><div style="margin:19px auto;text-align:center" id="fll"><a href="/intl/de/ads/">Werben mit Google</a><a href="/services/">Unternehmensangebote</a><a href="https://plus.google.com/117570067846637741468" rel="publisher">+Google</a><a href="/intl/de/about.html">" (Indicator: "plus.google.com")
- source
- File/Memory
- relevance
- 7/10
-
System Security
-
Creates or modifies windows services
- details
- "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
- source
- Registry Access
- relevance
- 10/10
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"<Input Sample>" opened "\Device\KsecDD"
"FL2000-2.1.34054.0.exe" opened "\Device\KsecDD"
"msiexec.exe" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
- "MSI7631.tmp" was detected as "Morphine v1.2 (DLL)"
- source
- Static Parser
- relevance
- 10/10
File Details
FL2000-2.1.33788.0.exe
- Filename
- FL2000-2.1.33788.0.exe
- Size
- 7.7MiB (8057920 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 191fba01d775d1baa5567342502139495339fa46d1d5f9fcc2cdeab820a2b575
- MD5
- a26f77605f5a6bab00280f039e9b359c
- SHA1
- 1ecca39270b5dbd899959ff75b0d93423fbf9d04
Classification (TrID)
- 67.4% (.EXE) Win32 Executable MS Visual C++ (generic)
- 14.2% (.DLL) Win32 Dynamic Link Library (generic)
- 9.7% (.EXE) Win32 Executable (generic)
- 4.3% (.EXE) Generic Win/DOS Executable
- 4.3% (.EXE) DOS Executable Generic
Screenshots
Hybrid Analysis
Analysed 3 processes in total (System Resource Monitor).
- FL2000-2.1.33788.0.exe (PID: 2000) 2/75
- FL2000-2.1.34054.0.exe /exenoupdates (PID: 3136) 1/64
- msiexec.exe /i "%APPDATA%\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\FL2000.x64.msi" AI_SETUPEXEPATH="%USERPROFILE%\Downloads\FL2000-2.1.34054.0.exe" SETUPEXEDIR="%USERPROFILE%\Downloads\" EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs " (PID: 3804)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
updates.frescologic.com | 52.218.128.6 (TTL: 473) | GoDaddy.com, LLC (Organization: Domains By Proxy, LLC; Name Server: NS25.DOMAINCONTROL.COM; Creation Date: Thu, 06 Dec 2007 18:20:05 GMT) | United States |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
2.21.242.227 | 80 TCP | svchost.exe PID: 1356 | European Union |
2.21.242.237 | 80 TCP | svchost.exe PID: 1356 | European Union |
2.20.131.136 | 80 TCP | svchost.exe PID: 1356 | European Union |
184.25.216.99 | 80 TCP | - | United States |
52.218.128.6 | 80 TCP | fl2000-2.1.33788.0.exe PID: 2000 | United States |
52.138.216.83 | 52659 TCP | svchost.exe PID: 1356 | United States |
Contacted Countries
HTTP Traffic
Endpoint | Request | URL | Raw request |
---|---|---|---|
52.218.128.6:80 (updates.frescologic.com) | GET | updates.frescologic.com/FL2000/FL2000_Updates.txt | GET /FL2000/FL2000_Updates.txt HTTP/1.1; Accept: */*; User-Agent: AdvancedInstaller; Host: updates.frescologic.com; Connection: Keep-Alive; Cache-Control: no-cache |
52.218.128.6:80 (updates.frescologic.com) | GET | updates.frescologic.com/FL2000/FL2000-2.1.34054.0.exe | GET /FL2000/FL2000-2.1.34054.0.exe HTTP/1.1; Accept: */*; User-Agent: AdvancedInstaller; Host: updates.frescologic.com; Connection: Keep-Alive; Cache-Control: no-cache |
Memory Forensics
String | Context | Stream UID |
---|---|---|
http://www.yahoo.com | Domain/IP reference | 00021646-00003136-43214-839-0103A12A |
http://www.example.com | Domain/IP reference | 00021646-00003136-43214-839-0103A12A |
http://www.google.com | Domain/IP reference | 00021646-00003136-43214-839-0103A12A |
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
52.218.128.6 -> local:52671 (TCP) | Potentially Bad Traffic | ET POLICY Executable served from Amazon S3 | 2013414 |
52.218.128.6 -> local:52671 (TCP) | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP | 2018959 |
Extracted Strings
Extracted Files
-
Clean 5
-
-
FL2000.msi
- Size
- 1.2MiB (1212416 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Title: Installation Database, Keywords: Installer, MSI, Database, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Number of Pages: 200, Security: 0, Code page: 1252, Revision Number: {3D2B03E4-C548-41A7-B779-868A9CC4500B}, Number of Words: 2, Subject: Fresco Logic USB Display Driver, Author: Fresco Logic, Name of Creating Application: Advanced Installer 13.1 build 71115, Template: ;1033, Comments: This installer database contains the logic and data required to install Fresco Logic USB Display Driver.
- AV Scan Result
- 0/60
- Runtime Process
- FL2000-2.1.34054.0.exe (PID: 3136)
- MD5
- 5916f5514cc847acb97d317027c31d87
- SHA1
- 88c5ba45c37fb597209ecdd8cc849e15e32b756c
- SHA256
- 18001f8e8ff7428dfe7540fbadbdadc5d4db4aaa0f0797b4bfa245148fe56253
-
FL2000.x64.msi
- Size
- 1.5MiB (1593344 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Title: Installation Database, Keywords: Installer, MSI, Database, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Number of Pages: 200, Security: 0, Code page: 1252, Revision Number: {3D2B03E4-C548-41A7-B779-868A9CC4500B}, Number of Words: 2, Subject: Fresco Logic USB Display Driver, Author: Fresco Logic, Name of Creating Application: Advanced Installer 13.1 build 71115, Template: x64;1033, Comments: This installer database contains the logic and data required to install Fresco Logic USB Display Driver.
- AV Scan Result
- 0/59
- Runtime Process
- FL2000-2.1.34054.0.exe (PID: 3136)
- MD5
- 1b361eb7757090d8d5998981313133a4
- SHA1
- 656866e62c7861f0272d5212f6bfa2806b743442
- SHA256
- d73499dc84fa75d6fdc2078ec73aec6b0dee0a66bbfa653d5ac5e449d09f9821
-
MSI7631.tmp
- Size
- 95KiB (97280 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/74
- Runtime Process
- msiexec.exe (PID: 3804)
- MD5
- 3056644ace6294c801a8010e99888525
- SHA1
- bbb622450269b1918e9fe11ed32deecf65e7e0e2
- SHA256
- 77abff1b7322eca3dd35cbadf268d06c9ef920cf923ee3a77e97edd050c28a1b
-
MSI77F7.tmp
- Size
- 95KiB (97280 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/74
- Runtime Process
- msiexec.exe (PID: 3804)
- MD5
- 3056644ace6294c801a8010e99888525
- SHA1
- bbb622450269b1918e9fe11ed32deecf65e7e0e2
- SHA256
- 77abff1b7322eca3dd35cbadf268d06c9ef920cf923ee3a77e97edd050c28a1b
-
MSI7827.tmp
- Size
- 95KiB (97280 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/74
- Runtime Process
- msiexec.exe (PID: 3804)
- MD5
- 3056644ace6294c801a8010e99888525
- SHA1
- bbb622450269b1918e9fe11ed32deecf65e7e0e2
- SHA256
- 77abff1b7322eca3dd35cbadf268d06c9ef920cf923ee3a77e97edd050c28a1b
-
-
Informative 8
-
-
1028
- Size
- 56KiB (57344 bytes)
- Type
- data
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 950, Title: Installation Database, Subject: Fresco Logic USB Display Driver, Author: Fresco Logic, Keywords: Installer, MSI, Database, Comments: In Installer I, Dawa]ateFDwiv Fresco Logic USB Display Driver , Create Time/Date: Fri Dec 11 11:47:46 2009, Name of Creating Application: Advanced Installer 13.1 build 71115, Security: 0, Template: ;1033, Last Saved By: ;1028, Revision Number: {FC11E022-A625-48EA-85EB-AF2AFEF05B06}2.1.34054.0;{E1F96EEF-35B2-48B0-AA2A-440D8980A112}2.1.34054.0;{5D395DA6-5928-4E55-A83C-2C25C0132F62}, Number of Pages: 200, Number of Characters: 63
- Runtime Process
- FL2000-2.1.34054.0.exe (PID: 3136)
- MD5
- 17007c6953b2fabb5679e861591bde6e
- SHA1
- a15dddf0cb0a5703ee25fedab5de16ed0c482a49
- SHA256
- 00e88c374fc7b914504510636c8c8bc0ba107ea67ac8dbebcaca82e6de1adc9d
-
2052
- Size
- 56KiB (57344 bytes)
- Type
- data
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 936, Title: Installation Database, Subject: Fresco Logic USB Display Driver, Author: Fresco Logic, Keywords: Installer, MSI, Database, Comments: In Installer I, Database, Create Time/Date: Fri Dec 11 11:47:46 2009, Name of Creating Application: Advanced Installer 13.1 build 71115, Security: 0, Template: ;1033, Last Saved By: ;2052, Revision Number: {FC11E022-A625-48EA-85EB-AF2AFEF05B06}2.1.34054.0;{1F2B11B1-C3FF-4033-A57A-1109B075CA36}2.1.34054.0;{5D395DA6-5928-4E55-A83C-2C25C0132F62}, Number of Pages: 200, Number of Characters: 63
- Runtime Process
- FL2000-2.1.34054.0.exe (PID: 3136)
- MD5
- 6209228054eec293f511680dac7db3b0
- SHA1
- ecf66185dc489a176dfd3fec3abd276d387aaaad
- SHA256
- a808b1e0839f1bd8938057827bf2edf7a94ea8c8f4c16d9aebe0eb88c902c3c6
-
disk1.cab
- Size
- 4.4MiB (4579719 bytes)
- Type
- data
- Description
- Microsoft Cabinet archive data, 4573311 bytes, 27 files
- Runtime Process
- FL2000-2.1.34054.0.exe (PID: 3136)
- MD5
- 8b403fda0043dab5461049c3d3894ff1
- SHA1
- fdefdd9c37b8ada6c46a7627d5264c70842f2f56
- SHA256
- 87be7a04d57d84f2e768a2747055290e227746ab806b960db8716a2162d8a46f
-
CMGKGAU6.txt
- Size
- 78B (78 bytes)
- Type
- text
- Description
- ASCII text
- Runtime Process
- FL2000-2.1.33788.0.exe (PID: 2000)
- MD5
- e756a134d2d10765e52d033689941b13
- SHA1
- b864fab0ad74daa17ce0f45676ecc915152e0054
- SHA256
- 72ee290d85f753cf6b2679ecb125fa33a9f5192b51d8c6d24e94d544f23ec763
-
GUGQL9UM.txt
- Size
- 271B (271 bytes)
- Type
- text
- Description
- ASCII text
- Runtime Process
- FL2000-2.1.33788.0.exe (PID: 2000)
- MD5
- d4b12aca326969658363f11e321212b6
- SHA1
- 48fb669b2b75eb047e772bdcafa6f4416dc692c9
- SHA256
- 96c0144c9df98bf2f0f0621b91ef15e43957bdf0db721543462f50bd2a921253
-
tin4487.tmp.part
- Size
- 11KiB (11720 bytes)
- Type
- html
- Description
- HTML document, ISO-8859 text, with very long lines
- Runtime Process
- FL2000-2.1.33788.0.exe (PID: 2000)
- MD5
- cb5e689ab4fdb1465f10bb3138243063
- SHA1
- f13c80bf5fec5b1e096e160cef2491a84aa534c8
- SHA256
- cd28b1f2960a82f5f1204eadef3cc20033f1784dea2e7690fe095ae539c47f1a
-
upd50EC.tmp.part
- Size
- 1.8KiB (1831 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- FL2000-2.1.33788.0.exe (PID: 2000)
- MD5
- 54ab87d570346f70eae42abac0cee76b
- SHA1
- a4cb1890225f6e37e2488b4e69fb6bf00f168baa
- SHA256
- 7fbd8678415bf9f7a462a290f74fa32b148fe05c54b73f9c6fb01b38d919c690
-
FL2000-2.1.34054.0.exe.part
- Size
- 5MiB (5241993 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Runtime Process
- FL2000-2.1.33788.0.exe (PID: 2000)
- MD5
- 7a29d1de9d6cc2f6da17e93891674ee6
- SHA1
- 4c5f2c57942c42e29edcbacf5989e58f87d31a09
- SHA256
- f296fd3ae71381509dad82f7ce800f22a8024e0a3c768e96d0b4be0c742d5418
-
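The dropped-file entries above are what an analyst turns into indicators, and the fact that MSI7631.tmp, MSI77F7.tmp and MSI7827.tmp carry identical MD5/SHA1/SHA256 values is only visible once the list is grouped by digest. The following Python is an added example (not code from Hybrid Analysis or Falcon Sandbox): it parses the report's flattened "- Field / - Value" layout from a constructed excerpt that reuses the report's own hashes, checks that each digest has the right length and alphabet, groups names by SHA256 and by dropping process, and verifies a byte string in hand against a record. The excerpt, the function names and the record keys are this example's own assumptions about the layout, not a documented export format.

```python
import hashlib
import re
from collections import defaultdict

# Constructed excerpt (assumption: one filename line, then "- Field" / "- Value"
# pairs, closed by a lone "-"), copying three records and their hashes from the
# report above. Real exports may differ; adjust parse_records() accordingly.
REPORT_EXCERPT = """\
MSI7631.tmp
- Size
- 95KiB (97280 bytes)
- Type
- pedll executable
- Runtime Process
- msiexec.exe (PID: 3804)
- MD5
- 3056644ace6294c801a8010e99888525
- SHA1
- bbb622450269b1918e9fe11ed32deecf65e7e0e2
- SHA256
- 77abff1b7322eca3dd35cbadf268d06c9ef920cf923ee3a77e97edd050c28a1b
-
MSI77F7.tmp
- Size
- 95KiB (97280 bytes)
- Type
- pedll executable
- Runtime Process
- msiexec.exe (PID: 3804)
- MD5
- 3056644ace6294c801a8010e99888525
- SHA1
- bbb622450269b1918e9fe11ed32deecf65e7e0e2
- SHA256
- 77abff1b7322eca3dd35cbadf268d06c9ef920cf923ee3a77e97edd050c28a1b
-
FL2000-2.1.34054.0.exe.part
- Size
- 5MiB (5241993 bytes)
- Type
- peexe executable
- Runtime Process
- FL2000-2.1.33788.0.exe (PID: 2000)
- MD5
- 7a29d1de9d6cc2f6da17e93891674ee6
- SHA1
- 4c5f2c57942c42e29edcbacf5989e58f87d31a09
- SHA256
- f296fd3ae71381509dad82f7ce800f22a8024e0a3c768e96d0b4be0c742d5418
-
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}   # hex digest lengths
SIZE_RE = re.compile(r"\((\d+) bytes\)")


def parse_records(text):
    """Flattened report layout -> list of dicts keyed by the report's field names."""
    records, current, key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-":                      # record terminator
            if current:
                records.append(current)
            current, key = None, None
        elif current is None:                # first non-empty line names the file
            if line:
                current = {"name": line}
        elif key is None:                    # "- Field" line
            key = line[2:] if line.startswith("- ") else line
        else:                                # "- Value" line completes the pair
            current[key] = line[2:] if line.startswith("- ") else line
            key = None
    if current:
        records.append(current)
    return records


def validate(record):
    """Problems with a record: malformed digests or a size without a byte count."""
    problems = []
    for algo, length in HASH_LEN.items():
        value = record.get(algo, "")
        if len(value) != length or not re.fullmatch(r"[0-9a-f]+", value):
            problems.append(f"{algo} malformed: {value!r}")
    if not SIZE_RE.search(record.get("Size", "")):
        problems.append("size missing byte count")
    return problems


def size_bytes(record):
    m = SIZE_RE.search(record.get("Size", ""))
    return int(m.group(1)) if m else None


def group_by_sha256(records):
    """SHA256 -> sorted filenames; groups of >1 are one payload under several names."""
    groups = defaultdict(list)
    for r in records:
        groups[r.get("SHA256", "")].append(r["name"])
    return {h: sorted(names) for h, names in groups.items()}


def hashes_of(data):
    """Digests of a byte string, keyed the same way as the report fields."""
    return {"MD5": hashlib.md5(data).hexdigest(),
            "SHA1": hashlib.sha1(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest()}


def matches_record(data, record):
    """True only when every recorded digest agrees with the bytes in hand."""
    computed = hashes_of(data)
    return all(computed[a] == record.get(a) for a in HASH_LEN)


def summarize(text):
    records = parse_records(text)
    by_process = defaultdict(list)
    for r in records:
        by_process[r.get("Runtime Process", "?")].append(r["name"])
    problems = {r["name"]: validate(r) for r in records if validate(r)}
    dups = {h: n for h, n in group_by_sha256(records).items() if len(n) > 1}
    return {"records": len(records), "duplicate_content": dups,
            "by_process": dict(by_process), "problems": problems}
```

Running summarize() on the excerpt reports the two MSI*.tmp names under one SHA256 and separates the msiexec.exe drops from the .part download written by PID 2000; matches_record() is the check to run before sharing a hash that was copied from a report rather than computed from the file.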
Notifications
-
Runtime
- Added comment to Virus Total report
- Although all strings were processed, some are hidden from the report in order to reduce the overall size
- No static analysis parsing on sample was performed
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-12" are available in the report
- Not all sources for indicator ID "api-25" are available in the report
- Not all sources for indicator ID "api-31" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-6" are available in the report
- Not all sources for indicator ID "registry-17" are available in the report
- Not all sources for indicator ID "registry-18" are available in the report
- Not all sources for indicator ID "registry-19" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report