VIPAccessSetup.exe
This report is generated from a file or URL submitted to this webservice on April 27th 2017 12:56:19 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v6.40 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access: Reads terminal service related keys (often RDP related)
- Persistence: Modifies System Certificates Settings; Spawns a lot of processes
- Fingerprint: Reads the active computer name; Reads the cryptographic machine GUID
- Evasive: Possibly checks for the presence of an Antivirus engine
- Spreading: Opens the MountPointManager (often used to detect additional infection locations)
Additional Context
Related Sandbox Artifacts
- Associated URLs: hxxp://s3-us-east-2.amazonaws.com/com-symantec-vip-us-east-2-prd-idcenter-downloads/VIPAccessSetup.exe
Indicators
Malicious Indicators 5

External Systems

Sample was identified as malicious by at least one Antivirus engine
- details: 1/40 Antivirus vendors marked sample as malicious (2% detection rate)
- source: External System
- relevance: 8/10

General

The analysis spawned a process that was identified as malicious
- details: 1/84 Antivirus vendors marked spawned process "<Input Sample>" (PID: 2528) as malicious (classified as "Adware.AddLyrics.BB.rsuo.dll" with 1% detection rate)
- source: Monitored Target
- relevance: 10/10

System Security

Modifies System Certificates Settings
- details:
  - "msiexec.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "1392E4C7FF25B9517E931077BBE2664DC87EF70D")
  - "msiexec.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\1392E4C7FF25B9517E931077BBE2664DC87EF70D"; Key: "BLOB")
- source: Registry Access
- relevance: 8/10

Unusual Characteristics

Contains ability to reboot/shutdown the operating system
- details:
  - ExitWindowsEx@USER32.DLL from install.exe (PID: 2776)
  - ExitWindowsEx@USER32.dll at 9535-1559-0041A564
- source: Hybrid Analysis Technology
- relevance: 5/10

Spawns a lot of processes
- details:
  - Spawned process "<Input Sample>"
  - Spawned process "setup.exe"
  - Spawned process "vcred" with commandline "ist_x86.exe /qn"
  - Spawned process "install.exe" with commandline "c:\c3d932d433ab9061c5e3d435\.\install.exe /qn"
  - Spawned process "msiexec.exe" with commandline "/i "%TEMP%\RarSFX0\VIPAccess_Installer\VIPSetup.msi" TRANSFORMS=1033.mst /lv "%TEMP%\VIPSetup.log""
- source: Monitored Target
- relevance: 8/10
Suspicious Indicators 28

Anti-Detection/Stealthiness

Possibly checks for the presence of an Antivirus engine
- details: "Symantec" (Indicator: "symantec")
- source: String
- relevance: 3/10

Process deletes itself
- details: "%TEMP%\RarSFX0\VIP_Redistributables\ISSetupPrerequisites\{EA1AA586-7954-45EE-B357-E77B5C00D47E}\vcred" deletes itself
- source: API Call
- relevance: 10/10

Queries kernel debugger information
- details:
  - "vcred" at 00014914-00002832-00000105-41430466
  - "install.exe" at 00015071-00002776-00000105-41852829
- source: API Call
- relevance: 6/10
Environment Awareness

Possibly tries to implement anti-virtualization techniques
- details: "MWVVOuSffu+ujCPh8uSVWEWEjPPVMNEt3M;t" (Indicator: "vmnet")
- source: String
- relevance: 4/10

Reads the cryptographic machine GUID
- details:
  - "vcred" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - "install.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
General

Contains ability to find and load resources of a specific module
- details:
  - FindResourceW@KERNEL32.DLL from VIPAccessSetup.exe (PID: 2528)
  - FindResourceExW@KERNEL32.DLL from setup.exe (PID: 2620)
  - LockResource@KERNEL32.DLL from setup.exe (PID: 2620)
  - FindResourceW@KERNEL32.DLL from setup.exe (PID: 2620)
  - FindResourceW@KERNEL32.DLL from install.exe (PID: 2776)
  - FindResourceW@KERNEL32.DLL from install.exe (PID: 2776)
  - LockResource@KERNEL32.DLL from install.exe (PID: 2776)
  - FindResourceW@KERNEL32.dll at 9535-2434-00437130
  - LockResource@KERNEL32.dll at 9535-2406-0043267C
  - FindResourceW@KERNEL32.dll at 9535-1949-0041A052
- source: Hybrid Analysis Technology
- relevance: 1/10

Reads configuration files
- details:
  - "<Input Sample>" read file "%WINDIR%\win.ini"
  - "install.exe" read file "C:\c3d932d433ab9061c5e3d435\install.ini"
- source: API Call
- relevance: 4/10
Installation/Persistence

Drops executable files
- details:
  - "install.res.1031.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "setup.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  - "install.res.2052.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "install.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- source: Binary File
- relevance: 10/10
Remote Access Related

Contains references to WMI/WMIC
- details:
  - "& strComputer & "\root\cimv2")" (Indicator: "root\cimv2")
  - "& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")" (Indicator: "root\cimv2")
- source: String
- relevance: 10/10

Reads terminal service related keys (often RDP related)
- details: "install.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "PERSESSIONTEMPDIR")
- source: Registry Access
- relevance: 10/10
System Destruction

Marks file for deletion
- details:
  - "C:\VIPAccessSetup.exe" marked "%TEMP%\RarSFX0\__tmp_rar_sfx_access_check_3746700" for deletion
  - "%TEMP%\RarSFX0\VIP_Redistributables\ISSetupPrerequisites\{EA1AA586-7954-45EE-B357-E77B5C00D47E}\vcred" marked "C:\_750506_" for deletion
  - "%TEMP%\RarSFX0\VIP_Redistributables\ISSetupPrerequisites\{EA1AA586-7954-45EE-B357-E77B5C00D47E}\vcred" marked "C:\c3d932d433ab9061c5e3d435\vcredist.bmp" for deletion
  - "%TEMP%\RarSFX0\VIP_Redistributables\ISSetupPrerequisites\{EA1AA586-7954-45EE-B357-E77B5C00D47E}\vcred" marked "C:\c3d932d433ab9061c5e3d435\install.ini" for deletion
  - "%TEMP%\RarSFX0\VIP_Redistributables\ISSetupPrerequisites\{EA1AA586-7954-45EE-B357-E77B5C00D47E}\vcred" marked "C:\c3d932d433ab9061c5e3d435\globdata.ini" for deletion
  - "%TEMP%\RarSFX0\VIP_Redistributables\ISSetupPrerequisites\{EA1AA586-7954-45EE-B357-E77B5C00D47E}\vcred" marked "C:\c3d932d433ab9061c5e3d435\eula.2052.txt" for deletion
  - "%TEMP%\RarSFX0\VIP_Redistributables\ISSetupPrerequisites\{EA1AA586-7954-45EE-B357-E77B5C00D47E}\vcred" marked "C:\c3d932d433ab9061c5e3d435\eula.1028.txt" for deletion
  - "%TEMP%\RarSFX0\VIP_Redistributables\ISSetupPrerequisites\{EA1AA586-7954-45EE-B357-E77B5C00D47E}\vcred" marked "C:\c3d932d433ab9061c5e3d435\eula.1031.txt" for deletion
  - "%TEMP%\RarSFX0\VIP_Redistributables\ISSetupPrerequisites\{EA1AA586-7954-45EE-B357-E77B5C00D47E}\vcred" marked "C:\c3d932d433ab9061c5e3d435\eula.3082.txt" for deletion
  - "%TEMP%\RarSFX0\VIP_Redistributables\ISSetupPrerequisites\{EA1AA586-7954-45EE-B357-E77B5C00D47E}\vcred" marked "C:\c3d932d433ab9061c5e3d435\eula.1036.txt" for deletion
  - "%TEMP%\RarSFX0\VIP_Redistributables\ISSetupPrerequisites\{EA1AA586-7954-45EE-B357-E77B5C00D47E}\vcred" marked "C:\c3d932d433ab9061c5e3d435\eula.1040.txt" for deletion
  - "%TEMP%\RarSFX0\VIP_Redistributables\ISSetupPrerequisites\{EA1AA586-7954-45EE-B357-E77B5C00D47E}\vcred" marked "C:\c3d932d433ab9061c5e3d435\eula.1049.txt" for deletion
  - "%TEMP%\RarSFX0\VIP_Redistributables\ISSetupPrerequisites\{EA1AA586-7954-45EE-B357-E77B5C00D47E}\vcred" marked "C:\c3d932d433ab9061c5e3d435\eula.1041.txt" for deletion
  - "%TEMP%\RarSFX0\VIP_Redistributables\ISSetupPrerequisites\{EA1AA586-7954-45EE-B357-E77B5C00D47E}\vcred" marked "C:\c3d932d433ab9061c5e3d435\eula.1042.txt" for deletion
  - "%TEMP%\RarSFX0\VIP_Redistributables\ISSetupPrerequisites\{EA1AA586-7954-45EE-B357-E77B5C00D47E}\vcred" marked "C:\c3d932d433ab9061c5e3d435\eula.1033.txt" for deletion
  - "%TEMP%\RarSFX0\VIP_Redistributables\ISSetupPrerequisites\{EA1AA586-7954-45EE-B357-E77B5C00D47E}\vcred" marked "C:\c3d932d433ab9061c5e3d435\install.res.2052.dll" for deletion
  - "%TEMP%\RarSFX0\VIP_Redistributables\ISSetupPrerequisites\{EA1AA586-7954-45EE-B357-E77B5C00D47E}\vcred" marked "C:\c3d932d433ab9061c5e3d435\install.res.1028.dll" for deletion
  - "%TEMP%\RarSFX0\VIP_Redistributables\ISSetupPrerequisites\{EA1AA586-7954-45EE-B357-E77B5C00D47E}\vcred" marked "C:\c3d932d433ab9061c5e3d435\install.res.1031.dll" for deletion
  - "%TEMP%\RarSFX0\VIP_Redistributables\ISSetupPrerequisites\{EA1AA586-7954-45EE-B357-E77B5C00D47E}\vcred" marked "C:\c3d932d433ab9061c5e3d435\install.res.3082.dll" for deletion
  - "%TEMP%\RarSFX0\VIP_Redistributables\ISSetupPrerequisites\{EA1AA586-7954-45EE-B357-E77B5C00D47E}\vcred" marked "C:\c3d932d433ab9061c5e3d435\install.res.1036.dll" for deletion
- source: API Call
- relevance: 10/10

Opens file with deletion access rights
- details:
  - "<Input Sample>" opened "%TEMP%\RarSFX0\__tmp_rar_sfx_access_check_3746700" with delete access
  - "vcred" opened "c:\_750506_" with delete access
  - "vcred" opened "c:\c3d932d433ab9061c5e3d435\vcredist.bmp" with delete access
  - "vcred" opened "c:\c3d932d433ab9061c5e3d435\install.ini" with delete access
  - "vcred" opened "c:\c3d932d433ab9061c5e3d435\globdata.ini" with delete access
  - "vcred" opened "c:\c3d932d433ab9061c5e3d435\eula.2052.txt" with delete access
  - "vcred" opened "c:\c3d932d433ab9061c5e3d435\eula.1028.txt" with delete access
  - "vcred" opened "c:\c3d932d433ab9061c5e3d435\eula.1031.txt" with delete access
  - "vcred" opened "c:\c3d932d433ab9061c5e3d435\eula.3082.txt" with delete access
  - "vcred" opened "c:\c3d932d433ab9061c5e3d435\eula.1036.txt" with delete access
  - "vcred" opened "c:\c3d932d433ab9061c5e3d435\eula.1040.txt" with delete access
  - "vcred" opened "c:\c3d932d433ab9061c5e3d435\eula.1049.txt" with delete access
  - "vcred" opened "c:\c3d932d433ab9061c5e3d435\eula.1041.txt" with delete access
  - "vcred" opened "c:\c3d932d433ab9061c5e3d435\eula.1042.txt" with delete access
  - "vcred" opened "c:\c3d932d433ab9061c5e3d435\eula.1033.txt" with delete access
  - "vcred" opened "c:\c3d932d433ab9061c5e3d435\install.res.2052.dll" with delete access
  - "vcred" opened "c:\c3d932d433ab9061c5e3d435\install.res.1028.dll" with delete access
  - "vcred" opened "c:\c3d932d433ab9061c5e3d435\install.res.1031.dll" with delete access
  - "vcred" opened "c:\c3d932d433ab9061c5e3d435\install.res.3082.dll" with delete access
  - "vcred" opened "c:\c3d932d433ab9061c5e3d435\install.res.1036.dll" with delete access
- source: API Call
- relevance: 7/10
System Security

Contains ability to elevate privileges
- details: SetSecurityDescriptorDacl@ADVAPI32.DLL from install.exe (PID: 2776)
- source: Hybrid Analysis Technology
- relevance: 10/10

Modifies proxy settings
- details:
  - "<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  - "<Input Sample>" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source: Registry Access
- relevance: 10/10

Queries sensitive IE security settings
- details: "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source: Registry Access
- relevance: 8/10

Tries to obtain the highest possible privilege level without UAC dialog
- details: embedded application manifest string (Indicator: "requestedExecutionLevel level="highestAvailable""):
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
    <assemblyIdentity
      version="1.0.0.0"
      processorArchitecture="X86"
      name="Microsoft.VisualStudio.UIHandler"
      type="win32"
    />
    <description>External UI handler.</description>
    <dependency>
      <dependentAssembly>
        <assemblyIdentity
          type="win32"
          name="Microsoft.Windows.Common-Controls"
          version="6.0.0.0"
          processorArchitecture="X86"
          publicKeyToken="6595b64144ccf1df"
          language="*"
        />
      </dependentAssembly>
    </dependency>
    <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
      <security>
        <requestedPrivileges>
          <requestedExecutionLevel level="highestAvailable" uiAccess="false"/>
        </requestedPrivileges>
      </security>
    </trustInfo>
  </assembly>
- source: String
- relevance: 7/10
Unusual Characteristics

Contains embedded string with suspicious keywords
- details:
  - Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
  - Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
  - Found suspicious keyword "Write" which indicates: "May write to a file (if combined with Open)"
  - Found suspicious keyword "Environ" which indicates: "May read system environment variables"
  - Found suspicious keyword "CreateObject" which indicates: "May create an OLE object"
  - Found suspicious keyword "Open" which indicates: "May open a file"
  - Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
  - Found suspicious keyword "CopyFile" which indicates: "May copy a file"
- source: String
- relevance: 10/10

Imports suspicious APIs
- details: RegCreateKeyExW, RegCloseKey, OpenProcessToken, RegOpenKeyExW, GetFileAttributesA, GetVersionExW, FindNextFileA, GetFileAttributesW, GetCommandLineW, CreateDirectoryA, DeleteFileA, MapViewOfFile, CreateDirectoryW, DeleteFileW, GetProcAddress, CreateFileMappingW, WriteFile, GetModuleFileNameW, FindNextFileW, GetTempPathW, FindFirstFileA, FindFirstFileW, GetModuleHandleW, LoadLibraryW, OpenFileMappingW, FindResourceW, CreateFileW, Sleep, CreateFileA, GetTickCount, ShellExecuteExW, FindWindowExW
- source: Static Parser
- relevance: 1/10

Installs hooks/patches the running process
- details: "msiexec.exe" wrote bytes "4053be775858bf77186abf77653cc0770000000000bf5e760000000056cc5e76000000007cca5e76000000003768f3756a2cc077d62dc077000000002069f3750000000029a65e7600000000a48df37500000000f70e5e7600000000" to virtual address "0x76051000" (part of module "NSI.DLL")
- source: Hook Detection
- relevance: 10/10

Reads information about supported languages
- details:
  - "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - "vcred" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10
Hiding 8 Suspicious Indicators
Informative 27

Anti-Reverse Engineering

Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details:
  - SetUnhandledExceptionFilter@KERNEL32.DLL from setup.exe (PID: 2620)
  - SetUnhandledExceptionFilter@KERNEL32.DLL from setup.exe (PID: 2620)
  - SetUnhandledExceptionFilter@KERNEL32.DLL from install.exe (PID: 2776)
  - SetUnhandledExceptionFilter@KERNEL32.DLL from install.exe (PID: 2776)
  - SetUnhandledExceptionFilter@KERNEL32.DLL from install.exe (PID: 2776)
  - SetUnhandledExceptionFilter@KERNEL32.DLL from install.exe (PID: 2776)
  - SetUnhandledExceptionFilter@KERNEL32.dll at 9535-1282-004459CE
- source: Hybrid Analysis Technology
- relevance: 1/10
Environment Awareness

Contains ability to query machine time
- details:
  - GetSystemTime@KERNEL32.DLL from VIPAccessSetup.exe (PID: 2528)
  - GetSystemTimeAsFileTime@KERNEL32.DLL from setup.exe (PID: 2620)
  - GetLocalTime@KERNEL32.DLL from install.exe (PID: 2776)
  - GetSystemTimeAsFileTime@KERNEL32.DLL from install.exe (PID: 2776)
  - GetLocalTime@KERNEL32.DLL from install.exe (PID: 2776)
  - GetSystemTimeAsFileTime@KERNEL32.DLL from install.exe (PID: 2776)
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query the machine timezone
- details: GetTimeZoneInformation@KERNEL32.DLL from install.exe (PID: 2776)
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query the machine version
- details:
  - GetVersionExW@KERNEL32.DLL from VIPAccessSetup.exe (PID: 2528)
  - GetVersionExW@KERNEL32.DLL from install.exe (PID: 2776)
  - GetVersionExW@KERNEL32.DLL from install.exe (PID: 2776)
  - GetVersionExW@KERNEL32.DLL from install.exe (PID: 2776)
  - GetVersionExW@KERNEL32.DLL from install.exe (PID: 2776)
  - GetVersionExW@KERNEL32.DLL from install.exe (PID: 2776)
  - GetVersionExW@KERNEL32.DLL from install.exe (PID: 2776)
  - GetVersionExW@KERNEL32.DLL from install.exe (PID: 2776)
  - GetVersionExW@KERNEL32.DLL from install.exe (PID: 2776)
  - GetVersionExW@KERNEL32.DLL from install.exe (PID: 2776)
  - GetVersionExW@KERNEL32.DLL from install.exe (PID: 2776)
  - GetVersionExW@KERNEL32.DLL from install.exe (PID: 2776)
  - GetVersionExW@KERNEL32.DLL from install.exe (PID: 2776)
  - GetVersionExW@KERNEL32.DLL from install.exe (PID: 2776)
  - GetVersionExW@KERNEL32.DLL from install.exe (PID: 2776)
  - GetVersionExW@KERNEL32.dll at 9535-1468-00439E3A
  - GetVersionExW@KERNEL32.dll at 9535-2396-00430C54
  - GetVersionExW@KERNEL32.dll at 9535-1559-0041A564
  - GetVersionExW@KERNEL32.dll at 9535-2466-00437EC1
  - GetVersionExW@KERNEL32.dll at 9535-2924-00415570
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query the system locale
- details:
  - GetUserDefaultUILanguage@KERNEL32.DLL from setup.exe (PID: 2620)
  - GetUserDefaultUILanguage@KERNEL32.DLL from setup.exe (PID: 2620)
- source: Hybrid Analysis Technology
- relevance: 1/10

Makes a code branch decision directly after an API that is environment aware
- details:
  - Found API call GetVersionExW@KERNEL32.DLL (Target: "install.exe"; Stream UID: "00015071-00002776-1819-433-00271C7D") which is directly followed by "cmp eax, 02h" and "je 00271CE2h". See related instructions (from install.exe, PID: 2776):
      ...
      +58 call edi ;GetVersionExW
      +60 mov ecx, dword ptr [ebp-00000120h]
      +66 mov eax, dword ptr [ebp-00000114h]
      +72 mov dword ptr [esi+08h], ecx
      +75 mov ecx, dword ptr [ebp-0000011Ch]
      +81 mov dword ptr [esi+04h], eax
      +84 cmp eax, 02h
      +87 mov eax, dword ptr [ebp-00000118h]
      +93 mov dword ptr [esi+0Ch], ecx
      +96 je 00271CE2h
      ...
  - Found API call GetVersionExW@KERNEL32.DLL (Target: "install.exe"; Stream UID: "00015071-00002776-1819-2516-0027C44B") which is directly followed by "cmp eax, ecx" and "jne 0027C4DAh". See related instructions (from install.exe, PID: 2776):
      ...
      +100 call esi ;GetVersionExW
      +102 xor ecx, ecx
      +104 mov dword ptr [ebp-000003D0h], eax
      +110 cmp eax, ecx
      +112 jne 0027C4DAh
      ...
- source: Hybrid Analysis Technology
- relevance: 10/10

Possibly tries to detect the presence of a debugger
- details:
  - GetProcessHeap@KERNEL32.DLL from VIPAccessSetup.exe (PID: 2528)
  - GetProcessHeap@KERNEL32.DLL from VIPAccessSetup.exe (PID: 2528)
  - GetProcessHeap@KERNEL32.DLL from VIPAccessSetup.exe (PID: 2528)
  - GetProcessHeap@KERNEL32.DLL from install.exe (PID: 2776)
  - GetProcessHeap@KERNEL32.DLL from install.exe (PID: 2776)
  - GetProcessHeap@KERNEL32.DLL from install.exe (PID: 2776)
  - GetProcessHeap@KERNEL32.dll at 9535-1417-0044B502
- source: Hybrid Analysis Technology
- relevance: 1/10

Reads the registry for installed applications
- details:
  - "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\SETUP.EXE")
  - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\SETUP.EXE")
  - "setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{DA8CD0CD-E922-457F-8F8B-9F801A1D2062}")
  - "setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{787660F4-7FAC-47E8-925B-96858E57B7EA}")
  - "setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{7EB5B9B6-E7BF-4E8F-B478-1266A78CF231}")
  - "setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{95EDD0CF-5438-4323-88AB-D4ABE6B84587}")
  - "setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{E8D46836-CD55-453C-A107-A59EC51CB8DC}")
  - "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{9A25302D-30C0-39D9-BD6F-21E6EC160475}")
- source: Registry Access
- relevance: 10/10
External Systems

Sample was identified as clean by Antivirus engines
- details: 0/61 Antivirus vendors marked sample as malicious (0% detection rate)
- source: External System
- relevance: 10/10
General
-
Accesses Software Policy Settings
- details
-
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "") - source
- Registry Access
- relevance
- 10/10
-
Accesses System Certificates Settings
- details
-
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\109F1CAED645BB78B3EA2B94C0697C740733031C"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\D559A586669B08F46A30A133F8A9ED3D038E2EA8"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FEE449EE0E3965A5246F000E87FDE2A065FD89D4"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS\A377D1B1C0538833035211F4083D00FECC414DAB"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "") - source
- Registry Access
- relevance
- 10/10
-
Contains PDB pathways
- details
-
"d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb"
"C:\bld\dvip_vipaccess_2_2_3\d10\0003_dvip_vipaccess_2_2_3_20161202092049\dvip\vipclient\VIPClient\Installer\setup\Release\setup.pdb"
"install.pdb"
"install.res.1033.pdb" - source
- String
- relevance
- 1/10
-
Creates a writable file in a temporary directory
- details
-
"<Input Sample>" created file "%TEMP%\RarSFX0\__tmp_rar_sfx_access_check_3746700"
"<Input Sample>" created file "%TEMP%\RarSFX0\setup.exe"
"<Input Sample>" created file "%TEMP%\RarSFX0\VIP_Redistributables\ISSetupPrerequisites\{8D61397C-2AD6-4210-8E43-C2793010DC35}\vcredist_x64.exe"
"<Input Sample>" created file "%TEMP%\RarSFX0\VIP_Redistributables\ISSetupPrerequisites\{EA1AA586-7954-45EE-B357-E77B5C00D47E}\vcredist_x86.exe"
"<Input Sample>" created file "%TEMP%\RarSFX0\VIP_Redistributables\ISSetupPrerequisites\{10A618C2-1D42-46F5-8722-8DEB58FFFF99}\vcredist_x86.exe"
"<Input Sample>" created file "%TEMP%\RarSFX0\VIP_Redistributables\ISSetupPrerequisites\{57bcd1d4-2de9-49d9-bc0c-3f4263e9970e}\WindowsInstaller-KB893803-v2-x86.exe"
"<Input Sample>" created file "%TEMP%\RarSFX0\VIPAccess_Installer\VIPSetup.msi"
"<Input Sample>" created file "%TEMP%\RarSFX0\VIPAccess_Installer\1031.mst"
"<Input Sample>" created file "%TEMP%\RarSFX0\VIPAccess_Installer\1032.mst"
"<Input Sample>" created file "%TEMP%\RarSFX0\VIPAccess_Installer\1033.mst"
"<Input Sample>" created file "%TEMP%\RarSFX0\VIPAccess_Installer\1034.mst"
"<Input Sample>" created file "%TEMP%\RarSFX0\VIPAccess_Installer\1040.mst"
"<Input Sample>" created file "%TEMP%\RarSFX0\VIPAccess_Installer\1041.mst"
"<Input Sample>" created file "%TEMP%\RarSFX0\VIPAccess_Installer\1046.mst"
"<Input Sample>" created file "%TEMP%\RarSFX0\VIPAccess_Installer\3084.mst" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"Local\ZoneAttributeCacheCounterMutex"
"Local\ZonesCacheCounterMutex"
"Local\ZonesLockedCacheCounterMutex"
"Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\MSILOG_7a0074d01d2bf90txt.5F87ISMtsidercv_dd_pmeT_lacoL_ataDppA_UPcFrLx_sresU_:C"
"\Sessions\1\BaseNamedObjects\SetupWatson_Mutex_Name" - source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "install.res.1031.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "setup.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "3084.mst" as clean (type is "Composite Document File V2 Document Little Endian O%WINDIR%\Version 6.1 Code page: 1252 Title: VIP Access Installer Subject: VIP Access Author: Symantec Corporation Keywords: InstallerMSIDatabase Comments: Contact: Your local administrator Create Time/Date: Fri Dec 2 09:29:26 2016 Name of Creating Application: InstallShield 2014 - Premier Edition with Virtualization Pack 21 Security: 1 Template: Intel;010333084103110321040104110461034 Last Saved By: Intel;3084 Revision Number: {DA8CD0CD-E922-457F-8F8B-9F801A1D2062}2.2.3.3;{DA8CD0CD-E922-457F-8F8B-9F801A1D2062}2.2.3.3;{D6AAB9BF-E438-4724-B423-B406C3D099A4} Number of Pages: 200 Number of Characters: 1"), Antivirus vendors marked dropped file "1032.mst" as clean (type is "Composite Document File V2 Document Little Endian O%WINDIR%\Version 6.1 Code page: 1253 Title: VIP Access Installer Subject: VIP Access Author: Symantec Corporation Keywords: InstallerMSIDatabase Comments: Contact: Your local administrator Create Time/Date: Fri Dec 2 09:29:26 2016 Name of Creating Application: InstallShield 2014 - Premier Edition with Virtualization Pack 21 Security: 1 Template: Intel;010333084103110321040104110461034 Last Saved By: Intel;1032 Revision Number: {DA8CD0CD-E922-457F-8F8B-9F801A1D2062}2.2.3.3;{DA8CD0CD-E922-457F-8F8B-9F801A1D2062}2.2.3.3;{D6AAB9BF-E438-4724-B423-B406C3D099A4} Number of Pages: 200 Number of Characters: 1"), Antivirus vendors marked dropped file "install.res.2052.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "1034.mst" as clean (type is "Composite Document File V2 Document Little Endian O%WINDIR%\Version 6.1 
Code page: 1252 Title: VIP Access Installer Subject: VIP Access Author: Symantec Corporation Keywords: InstallerMSIDatabase Comments: Contact: Your local administrator Create Time/Date: Fri Dec 2 09:29:26 2016 Name of Creating Application: InstallShield 2014 - Premier Edition with Virtualization Pack 21 Security: 1 Template: Intel;010333084103110321040104110461034 Last Saved By: Intel;1034 Revision Number: {DA8CD0CD-E922-457F-8F8B-9F801A1D2062}2.2.3.3;{DA8CD0CD-E922-457F-8F8B-9F801A1D2062}2.2.3.3;{D6AAB9BF-E438-4724-B423-B406C3D099A4} Number of Pages: 200 Number of Characters: 1"), Antivirus vendors marked dropped file "vc_red.msi" as clean (type is "Composite Document File V2 Document Little Endian O%WINDIR%\Version 6.0 MSI Installer Code page: 1252 Title: Installation Database Subject: Visual C++ 2008 Redistributable US English Intel x86 IExpress Author: Microsoft Corporation Keywords: Installer Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148. 
Template: Intel;1033 Revision Number: {B870907F-D8C0-4418-816F-4D2873511B28} Create Time/Date: Sun Jul 12 20:11:20 2009 Last Saved Time/Date: Sun Jul 12 20:11:20 2009 Number of Pages: 200 Name of Creating Applicatio%WINDIR%\Installer XML v3.0.2921.0 Security: 2 Number of Words: 2"), Antivirus vendors marked dropped file "VIPSetup.msi" as clean (type is "Composite Document File V2 Document Little Endian O%WINDIR%\Version 6.1 MSI Installer Number of Characters: 0 Last Saved By: InstallShield Number of Words: 0 Title: VIP Access Installer Comments: Contact: Your local administrator Keywords: InstallerMSIDatabase Subject: VIP Access Author: Symantec Corporation Security: 1 Number of Pages: 200 Name of Creating Application: InstallShield 2014 - Premier Edition with Virtualization Pack 21 Last Saved Time/Date: Fri Dec 2 09:29:25 2016 Create Time/Date: Fri Dec 2 09:29:25 2016 Last Printed: Fri Dec 2 09:29:25 2016 Revision Number: {F757EE36-BF1B-494C-84B7-D15D3199E0D9} Code page: 0 Template: Intel;010333084103110321040104110461034"), Antivirus vendors marked dropped file "1033.mst" as clean (type is "Composite Document File V2 Document Little Endian O%WINDIR%\Version 6.1 Code page: 1252 Title: VIP Access Installer Subject: VIP Access Author: Symantec Corporation Keywords: InstallerMSIDatabase Comments: Contact: Your local administrator Create Time/Date: Fri Dec 2 09:29:26 2016 Name of Creating Application: InstallShield 2014 - Premier Edition with Virtualization Pack 21 Security: 1 Template: Intel;010333084103110321040104110461034 Last Saved By: Intel;1033 Revision Number: {DA8CD0CD-E922-457F-8F8B-9F801A1D2062}2.2.3.3;{DA8CD0CD-E922-457F-8F8B-9F801A1D2062}2.2.3.3;{D6AAB9BF-E438-4724-B423-B406C3D099A4} Number of Pages: 200 Number of Characters: 1"), Antivirus vendors marked dropped file "install.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
- source
- Binary File
- relevance
- 10/10
-
Loads rich edit control libraries
- details
-
"<Input Sample>" loaded module "%WINDIR%\System32\riched32.dll" at 6A700000
"<Input Sample>" loaded module "%WINDIR%\System32\riched20.dll" at 6A680000
"msiexec.exe" loaded module "%WINDIR%\System32\riched20.dll" at 6A680000
- source
- Loaded Module
-
Process launched with changed environment
- details
-
Process "setup.exe" was launched with new environment variables: "__COMPAT_LAYER="ElevateCreateProcess", sfxname="C:\VIPAccessSetup.exe", sfxcmd=""C:\VIPAccessSetup.exe"""
Process "vcred" was launched with new environment variables: "__PROCESS_HISTORY="%TEMP%\RarSFX0\setup.exe""
Process "install.exe" was launched with new environment variables: "_SFX_CAB_SHUTDOWN_REQUEST="c:\c3d932d433ab9061c5e3d435\$shtdwn$.req", _SFX_CAB_EXE_PARAMETERS=" /qn", _SFX_CAB_EXE_PATH="c:\c3d932d433ab9061c5e3d435", _SFX_CAB_EXE_PACKAGE="%TEMP%\RarSFX0\VIP_Redistributables\ISSetupPrerequisites\{EA1AA586-7954-45EE-B357-E77B5C00D47E}\vcredist_x86.exe""
Process "msiexec.exe" was launched with missing environment variables: "_SFX_CAB_SHUTDOWN_REQUEST, _SFX_CAB_EXE_PARAMETERS, _SFX_CAB_EXE_PATH, _SFX_CAB_EXE_PACKAGE"
- source
- Monitored Target
- relevance
- 10/10
-
Reads Windows Trust Settings
- details
- "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source
- Registry Access
- relevance
- 5/10
-
Scanning for window names
- details
- "<Input Sample>" searching for class "EDIT"
- source
- API Call
- relevance
- 10/10
-
Spawns new processes
- details
-
Spawned process "setup.exe"
Spawned process "vcred" with commandline "ist_x86.exe /qn"
Spawned process "install.exe" with commandline "c:\c3d932d433ab9061c5e3d435\.\install.exe /qn"
Spawned process "msiexec.exe" with commandline "/i "%TEMP%\RarSFX0\VIPAccess_Installer\VIPSetup.msi" TRANSFORMS=1033.mst /lv "%TEMP%\VIPSetup.log""
- source
- Monitored Target
- relevance
- 3/10
-
The input sample is signed with a certificate
- details
- The input sample is signed with a certificate issued by "CN=Symantec Class 3 SHA256 Code Signing CA - G2, OU=Symantec Trust Network, O=Symantec Corporation, C=US" (SHA1: B5:1A:C8:EE:D0:AB:21:5C:A7:96:5C:96:EC:49:FC:07:A2:DD:34:8B; see report for more information)
- source
- Certificate Data
- relevance
- 10/10
-
The input sample is signed with a valid certificate
- details
- The entire certificate chain of the input sample was validated successfully.
- source
- Certificate Data
- relevance
- 10/10
-
Accesses Software Policy Settings
-
Installation/Persistence
-
Connects to LPC ports
- details
-
"<Input Sample>" connecting to "\ThemeApiPort"
"vcred" connecting to "\ThemeApiPort"
"install.exe" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
-
Dropped files
- details
-
"install.res.1031.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"eula.3082.txt" has type "Little-endian UTF-16 Unicode text with very long lines with CRLF CR line terminators"
"eula.1049.txt" has type "Little-endian UTF-16 Unicode text with very long lines with CRLF CR line terminators"
"BC7973775040549F571A0D173E891434" has type "data"
"eula.1040.txt" has type "Little-endian UTF-16 Unicode text with very long lines with CRLF CR line terminators"
"CabBF6E.tmp" has type "Microsoft Cabinet archive data 50939 bytes 1 file"
"VIPAccessSetupWrapper.log" has type "ASCII text with CRLF line terminators"
"eula.2052.txt" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"eula.1031.txt" has type "Little-endian UTF-16 Unicode text with very long lines with CRLF CR line terminators"
"setup.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"3084.mst" has type "Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: VIP Access Installer, Subject: VIP Access, Author: Symantec Corporation, Keywords: Installer,MSI,Database, Comments: Contact: Your local administrator, Create Time/Date: Fri Dec 2 09:29:26 2016, Name of Creating Application: InstallShield 2014 - Premier Edition with Virtualization Pack 21, Security: 1, Template: Intel;0,1033,3084,1031,1032,1040,1041,1046,1034, Last Saved By: Intel;3084, Revision Number: {DA8CD0CD-E922-457F-8F8B-9F801A1D2062}2.2.3.3;{DA8CD0CD-E922-457F-8F8B-9F801A1D2062}2.2.3.3;{D6AAB9BF-E438-4724-B423-B406C3D099A4}, Number of Pages: 200, Number of Characters: 1"
"7B8944BA8AD0EFDF0E01A43EF62BECD0_2BE3B75C85B59B23969C05E69919635C" has type "data"
"vcredist.bmp" has type "PC bitmap Windows 3.x format 96 x 48 x 8"
"1032.mst" has type "Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1253, Title: VIP Access Installer, Subject: VIP Access, Author: Symantec Corporation, Keywords: Installer,MSI,Database, Comments: Contact: Your local administrator, Create Time/Date: Fri Dec 2 09:29:26 2016, Name of Creating Application: InstallShield 2014 - Premier Edition with Virtualization Pack 21, Security: 1, Template: Intel;0,1033,3084,1031,1032,1040,1041,1046,1034, Last Saved By: Intel;1032, Revision Number: {DA8CD0CD-E922-457F-8F8B-9F801A1D2062}2.2.3.3;{DA8CD0CD-E922-457F-8F8B-9F801A1D2062}2.2.3.3;{D6AAB9BF-E438-4724-B423-B406C3D099A4}, Number of Pages: 200, Number of Characters: 1"
"install.res.2052.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"eula.1042.txt" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"CDE89F9DCB25D8AC547E3CEFDA4FB6C2_35F3A43FE13E15F0E3E2AE1591CF5649" has type "data"
"1034.mst" has type "Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: VIP Access Installer, Subject: VIP Access, Author: Symantec Corporation, Keywords: Installer,MSI,Database, Comments: Contact: Your local administrator, Create Time/Date: Fri Dec 2 09:29:26 2016, Name of Creating Application: InstallShield 2014 - Premier Edition with Virtualization Pack 21, Security: 1, Template: Intel;0,1033,3084,1031,1032,1040,1041,1046,1034, Last Saved By: Intel;1034, Revision Number: {DA8CD0CD-E922-457F-8F8B-9F801A1D2062}2.2.3.3;{DA8CD0CD-E922-457F-8F8B-9F801A1D2062}2.2.3.3;{D6AAB9BF-E438-4724-B423-B406C3D099A4}, Number of Pages: 200, Number of Characters: 1"
"vc_red.msi" has type "Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2008 Redistributable US English Intel x86 IExpress, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148., Template: Intel;1033, Revision Number: {B870907F-D8C0-4418-816F-4D2873511B28}, Create Time/Date: Sun Jul 12 20:11:20 2009, Last Saved Time/Date: Sun Jul 12 20:11:20 2009, Number of Pages: 200, Name of Creating Application: Windows Installer XML v3.0.2921.0, Security: 2, Number of Words: 2"
"VIPSetup.msi" has type "Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: VIP Access Installer, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: VIP Access, Author: Symantec Corporation, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2014 - Premier Edition with Virtualization Pack 21, Last Saved Time/Date: Fri Dec 2 09:29:25 2016, Create Time/Date: Fri Dec 2 09:29:25 2016, Last Printed: Fri Dec 2 09:29:25 2016, Revision Number: {F757EE36-BF1B-494C-84B7-D15D3199E0D9}, Code page: 0, Template: Intel;0,1033,3084,1031,1032,1040,1041,1046,1034"
- source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"<Input Sample>" touched file "%WINDIR%\AppPatch\AcLayers.DLL"
"<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"<Input Sample>" touched file "%WINDIR%\system32\en-US\USER32.dll.mui"
"<Input Sample>" touched file "%WINDIR%\Fonts\staticcache.dat"
"<Input Sample>" touched file "%WINDIR%\system32\en-US\MSCTF.dll.mui"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
"<Input Sample>" touched file "%WINDIR%\system32\en-US\PROPSYS.dll.mui"
"<Input Sample>" touched file "%WINDIR%\system32\en-US\SETUPAPI.dll.mui"
"<Input Sample>" touched file "%WINDIR%\SYSTEM32\en-US\ntdll.dll.mui"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
"<Input Sample>" touched file "%ALLUSERSPROFILE%\Microsoft\Windows\Templates"
"setup.exe" touched file "%WINDIR%\AppPatch\AcGenral.DLL"
"setup.exe" touched file "%WINDIR%\AppPatch\AcLayers.DLL"
"setup.exe" touched file "%WINDIR%\system32\en-US\SETUPAPI.dll.mui"
"setup.exe" touched file "%WINDIR%\system32\msiexec.exe"
"setup.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
- source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "https://d.symcb.com/cps0%"
Pattern match: "https://d.symcb.com/rpa0"
Pattern match: "http://rb.symcb.com/rb.crl0W"
Pattern match: "http://rb.symcd.com0&"
Pattern match: "http://rb.symcb.com/rb.crt0"
Pattern match: "http://ts-ocsp.ws.symantec.com07"
Pattern match: "http://ts-aia.ws.symantec.com/tss-ca-g2.cer0"
Pattern match: "http://ts-crl.ws.symantec.com/tss-ca-g2.crl0"
Pattern match: "http://ocsp.thawte.com0"
Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0"
Pattern match: "http://go.microsoft.com/fwlink/?LinkId=119537"
Pattern match: "www.microsoft.com"
Heuristic match: "oft.com"
Pattern match: "www.microsoft.com/exporting"
Pattern match: "http://go.microsoft.com/fwlink/?linkid=19446"
Pattern match: "http://go.microsoft.com/fwlink/?LinkId=47062"
Pattern match: "www.microsoft.com/worldwide"
Pattern match: "www.microsoft.com/germany"
Pattern match: "www.microsoft.com/exporting0"
Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0U%0"
Pattern match: "https://www.verisign.com/rpa"
Pattern match: "http://csc3-2010-crl.verisign.com/CSC3-2010.crl0DU"
Pattern match: "https://www.verisign.com/rpa0U%0"
Pattern match: "http://csc3-2010-aia.verisign.com/CSC3-2010.cer0U#0{&K&0`HB0"
Pattern match: "www.verisign.com"
Pattern match: "https://G%"
Pattern match: "http://www.flexerasoftware.com0"
Heuristic match: "path = FSfolder + \ + objSubfolder.Name"
Pattern match: "http://schemas.m"
Pattern match: "icrosoft.com/office/word/2003/wordml}}\paperw12240\paperh15840\margl1440\margr1440\margt1440\margb1440\gutter0\ltrsect"
Pattern match: "http://www.symantec.com/content/en/us/about/media/repository/vip-authentication-network-policy.pdf}{\rtlch\fcs1"
Pattern match: "http://www.symantec.com/content/en/us/about/media/repository/vip-authentication-networ"
Pattern match: "http://www.symantec.com/content/en/us/about/media/repository/vip-end-user-agreement.pdf"
Pattern match: "www.symantec.com/content/en/us/about/media/repository/vip-end-user-agreement.pdf}}}\sectd"
Pattern match: "https://d.symcb.com/cps0%+0https://d.symcb.com/rpa0U#0I9K\GvrX0+U$00"
Pattern match: "http://rb.symcb.com/rb.crl0W+K0I0+0http://rb.symcd.com0&+0http://rb.symcb.com/rb.crt0`HPmZ@mmPmTPmZZmZmmmmmzZmB0"
Pattern match: "http://rb.symcb.com/rb.crl0W+K0I0+0http://rb.symcd.com0&+0http://rb.symcb.com/rb.crt0`HB0"
Pattern match: "http://ts-aia.ws.symantec.com/tss-ca-g2.cer0U00"
Pattern match: "http://ts-crl.ws.symantec.com/tss-ca-g2.crl0U%0"
Pattern match: "go.microsoft.com/fwlink/?LinkId=47062"
Pattern match: "www.microsoft.com/exportingD"
Pattern match: "http://www.microsoft.com/licensing/userights"
- source
- String
- relevance
- 10/10
-
System Security
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"<Input Sample>" opened "\Device\KsecDD"
"vcred" opened "\Device\KsecDD"
"install.exe" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
File Details
VIPAccessSetup.exe
- Filename
- VIPAccessSetup.exe
- Size
- 19MiB (20158568 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
- Architecture
- WINDOWS
- SHA256
- 227cc40d8e7b1934c856c134916f09ed96480fd528bbd1daa74bbd372ed5ead2
- MD5
- 0c93dd7beea332bc81428700aeff0af1
- SHA1
- 13a89b41770c2222315fb27c5bc2bcb47ec3a61b
- ssdeep
- 393216:bF9Uv6hiSKypvic24Gpl94OZU/EDdJitXL1kMgf79zt5GOPVcZOvI:bFmv6iypv/DKyGjitXOMgz9zt5EII
- imphash
- f19aeae11d9d963788633d0dd7683ca4
- authentihash
- 4a2372e38b615b6e2e998fb7d72c6688e23f0844b34871b6f30035792a49af32
File Sections
File Imports
File Certificates
Certificate chain was successfully validated.
Owner | Issuer | Validity | Hashes (MD5, SHA1)
---|---|---|---
CN=Symantec Corporation, OU=Enterprise Security Products, O=Symantec Corporation, L=Mountain View, ST=California, C=US | CN=Symantec Class 3 SHA256 Code Signing CA - G2, OU=Symantec Trust Network, O=Symantec Corporation, C=US (Serial: 1af00ee1c53cd080e8f1eafe1d9fb8af) | 02/29/2016 01:00:00 to 03/02/2019 00:59:59 | 24:24:D4:64:DB:96:86:56:F0:B6:32:1C:FB:1B:4F:61 / B5:1A:C8:EE:D0:AB:21:5C:A7:96:5C:96:EC:49:FC:07:A2:DD:34:8B
Screenshots
Hybrid Analysis
Analysed 5 processes in total (System Resource Monitor).
- VIPAccessSetup.exe (PID: 2528), 1/84
- setup.exe (PID: 2620)
- vcred ist_x86.exe /qn (PID: 2832)
- install.exe c:\c3d932d433ab9061c5e3d435\.\install.exe /qn (PID: 2776)
- msiexec.exe /i "%TEMP%\RarSFX0\VIPAccess_Installer\VIPSetup.msi" TRANSFORMS=1033.mst /lv "%TEMP%\VIPSetup.log" (PID: 3540)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
microsoft.com | Domain/IP reference | 00015071-00002776-1819-427-00271D3F |
www.microsoft.com | Domain/IP reference | 00015071-00002776-1819-1345-0025CD1E |
Extracted Strings
Extracted Files
Displaying 33 extracted file(s). The remaining 26 file(s) are available in the full version and XML/JSON reports.
-
Clean 10
-
-
1032.mst
- Size
- 116KiB (118784 bytes)
- Type
- data
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1253, Title: VIP Access Installer, Subject: VIP Access, Author: Symantec Corporation, Keywords: Installer,MSI,Database, Comments: Contact: Your local administrator, Create Time/Date: Fri Dec 2 09:29:26 2016, Name of Creating Application: InstallShield 2014 - Premier Edition with Virtualization Pack 21, Security: 1, Template: Intel;0,1033,3084,1031,1032,1040,1041,1046,1034, Last Saved By: Intel;1032, Revision Number: {DA8CD0CD-E922-457F-8F8B-9F801A1D2062}2.2.3.3;{DA8CD0CD-E922-457F-8F8B-9F801A1D2062}2.2.3.3;{D6AAB9BF-E438-4724-B423-B406C3D099A4}, Number of Pages: 200, Number of Characters: 1
- AV Scan Result
- 0/77
- Runtime Process
- VIPAccessSetup.exe (PID: 2528)
- MD5
- 0d3914155b3b3b2c41813527d6f469f1
- SHA1
- 574e152c066ccc5ef41960db1b4ffa59437b750e
- SHA256
- 204cedce562e4d3d83f20f7e6c82bfe740e7e193108c292c9ca867d00d2db17e
-
1033.mst
- Size
- 28KiB (28672 bytes)
- Type
- data
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: VIP Access Installer, Subject: VIP Access, Author: Symantec Corporation, Keywords: Installer,MSI,Database, Comments: Contact: Your local administrator, Create Time/Date: Fri Dec 2 09:29:26 2016, Name of Creating Application: InstallShield 2014 - Premier Edition with Virtualization Pack 21, Security: 1, Template: Intel;0,1033,3084,1031,1032,1040,1041,1046,1034, Last Saved By: Intel;1033, Revision Number: {DA8CD0CD-E922-457F-8F8B-9F801A1D2062}2.2.3.3;{DA8CD0CD-E922-457F-8F8B-9F801A1D2062}2.2.3.3;{D6AAB9BF-E438-4724-B423-B406C3D099A4}, Number of Pages: 200, Number of Characters: 1
- AV Scan Result
- 0/77
- Runtime Process
- VIPAccessSetup.exe (PID: 2528)
- MD5
- ad2fd362a60b85b3ce2ef0df02651124
- SHA1
- 05eb09f76d0f2f61e8288f6b41b4eed4610379c3
- SHA256
- 09f8e09f3b4f756b577543cdd5ef733b3a2a234a54864701f19449c9d4d03afa
-
1034.mst
- Size
- 112KiB (114688 bytes)
- Type
- data
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: VIP Access Installer, Subject: VIP Access, Author: Symantec Corporation, Keywords: Installer,MSI,Database, Comments: Contact: Your local administrator, Create Time/Date: Fri Dec 2 09:29:26 2016, Name of Creating Application: InstallShield 2014 - Premier Edition with Virtualization Pack 21, Security: 1, Template: Intel;0,1033,3084,1031,1032,1040,1041,1046,1034, Last Saved By: Intel;1034, Revision Number: {DA8CD0CD-E922-457F-8F8B-9F801A1D2062}2.2.3.3;{DA8CD0CD-E922-457F-8F8B-9F801A1D2062}2.2.3.3;{D6AAB9BF-E438-4724-B423-B406C3D099A4}, Number of Pages: 200, Number of Characters: 1
- AV Scan Result
- 0/77
- Runtime Process
- VIPAccessSetup.exe (PID: 2528)
- MD5
- a133e7a5543d155579c669e6c67a8af0
- SHA1
- 0e43e3a3628742062bfc5d262b7d367c241a6fb3
- SHA256
- f65c11058919e0163a3782d0a524530436e709a8a10fa3861af51c3cf3e74e57
-
3084.mst
- Size
- 116KiB (118784 bytes)
- Type
- data
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: VIP Access Installer, Subject: VIP Access, Author: Symantec Corporation, Keywords: Installer,MSI,Database, Comments: Contact: Your local administrator, Create Time/Date: Fri Dec 2 09:29:26 2016, Name of Creating Application: InstallShield 2014 - Premier Edition with Virtualization Pack 21, Security: 1, Template: Intel;0,1033,3084,1031,1032,1040,1041,1046,1034, Last Saved By: Intel;3084, Revision Number: {DA8CD0CD-E922-457F-8F8B-9F801A1D2062}2.2.3.3;{DA8CD0CD-E922-457F-8F8B-9F801A1D2062}2.2.3.3;{D6AAB9BF-E438-4724-B423-B406C3D099A4}, Number of Pages: 200, Number of Characters: 1
- AV Scan Result
- 0/77
- Runtime Process
- VIPAccessSetup.exe (PID: 2528)
- MD5
- 4601190536d99580a31ed596ab58a52a
- SHA1
- e7741bad704a05692bb1a4380daf04e89f4dbd99
- SHA256
- 4cef1131c000db024a68ccaaae5e061e25b9a14a1c52d0c3eadfeb25d15436bc
-
VIPSetup.msi
- Size
- 3.9MiB (4104704 bytes)
- Type
- rtf
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: VIP Access Installer, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: VIP Access, Author: Symantec Corporation, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2014 - Premier Edition with Virtualization Pack 21, Last Saved Time/Date: Fri Dec 2 09:29:25 2016, Create Time/Date: Fri Dec 2 09:29:25 2016, Last Printed: Fri Dec 2 09:29:25 2016, Revision Number: {F757EE36-BF1B-494C-84B7-D15D3199E0D9}, Code page: 0, Template: Intel;0,1033,3084,1031,1032,1040,1041,1046,1034
- AV Scan Result
- 0/55
- Runtime Process
- VIPAccessSetup.exe (PID: 2528)
- MD5
- fadbd2f64e1086b9037d9d7a632d44c2
- SHA1
- b2eee12e7862aa9440c1b04d622ad578266b1d9d
- SHA256
- cdc6512b836d9b922906f27da77e174ea0ee19041e8fcda8517bb72067018db6
-
setup.exe
- Size
- 405KiB (414288 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/83
- Runtime Process
- VIPAccessSetup.exe (PID: 2528)
- MD5
- bbaefbb99b3e9248bf5df5c734b7841a
- SHA1
- edfa56ae5d220cfd84c665c70115226442e69c60
- SHA256
- bea7c9de780ed709709657a08af6618c2b361dc1f5265cc5a7260711a45b57ec
-
install.exe
- Size
- 547KiB (560464 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/86
- Runtime Process
- vcred (PID: 2832)
- MD5
- 828f082302e94cbfbb1f3f13e491c706
- SHA1
- bfd17b3f08461e501fd625518de8660ea8b4f4db
- SHA256
- e63a5274b437b55c65bf1259a25bbf602335f466f5d01e4ad0291be21e3edf3c
-
install.res.1031.dll
- Size
- 91KiB (93008 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/50
- Runtime Process
- vcred (PID: 2832)
- MD5
- de3591fbd976bbc0006e09148b345059
- SHA1
- 3a88b08dc00946046d82872e87fc88911a2d73f2
- SHA256
- a4ed9ad6352cfa6accccf50dc103f6bde4e8d78367ab8f0ef17c497b2d6c6030
-
install.res.2052.dll
- Size
- 71KiB (72528 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/51
- Runtime Process
- vcred (PID: 2832)
- MD5
- 37937b4fb2351a95704982b0b4af6088
- SHA1
- c10adb8f1d19318ab3f04c684c7aae7562c4dd15
- SHA256
- d949ee3b60bbb5037d7ad3c196cb7e195e9936c0f26f3a11cbf51a9b8e38b32f
-
vc_red.msi
- Size
- 218KiB (223232 bytes)
- Type
- data
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2008 Redistributable US English Intel x86 IExpress, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148., Template: Intel;1033, Revision Number: {B870907F-D8C0-4418-816F-4D2873511B28}, Create Time/Date: Sun Jul 12 20:11:20 2009, Last Saved Time/Date: Sun Jul 12 20:11:20 2009, Number of Pages: 200, Name of Creating Application: Windows Installer XML v3.0.2921.0, Security: 2, Number of Words: 2
- AV Scan Result
- 0/80
- Runtime Process
- vcred (PID: 2832)
- MD5
- e493a21c57d160f4fa023c63145fe580
- SHA1
- f57a601c422201ec70650afcd987c132bef26d52
- SHA256
- 2cc196bed01619b5498a974c19cfcba6a04b7746e84808f06d9e4de3129ab4db
-
-
Informative 23
-
-
1B1401C7EC8E96BC79CBFD92F9DF762D_5398732881722BDE3E78D6CA6BB2B78B
- Size
- 388B (388 bytes)
- Runtime Process
- msiexec.exe (PID: 3540)
- MD5
- 001a382d2b54897f8bca2fea49097c04
- SHA1
- 32fb203bf0870f00cb702e2d255cf9aced1f4ec5
- SHA256
- ef5ae0530d0809f595a00437a6a3d9fa67e5042610f961ad24d65feaf6b9117d
-
62B5AF9BE9ADC1085C3C56EC07A82BF6
- Size
- 152KiB (155606 bytes)
- Runtime Process
- msiexec.exe (PID: 3540)
- MD5
- f8b63105b06e898321a79aa65e4f30eb
- SHA1
- 654a8918a308f332df72209706aabdb6d46e6dd8
- SHA256
- c15cca65cc77beccd1f8e9f587f7ca0251b6c53a1d955bde8c4ede5adf383758
-
7B8944BA8AD0EFDF0E01A43EF62BECD0_2BE3B75C85B59B23969C05E69919635C
- Size
- 1.6KiB (1660 bytes)
- Runtime Process
- msiexec.exe (PID: 3540)
- MD5
- dabb84f6ff4cb9f7a45d33f809c0f333
- SHA1
- 41b5251a4a64a865a5a93567c9777e252286aede
- SHA256
- 36779df223aa9f1c68abdd82da2d4615d25b5c8c6b8e52c2faa7e92c4ddb435f
-
7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6
- Size
- 1.7KiB (1763 bytes)
- Runtime Process
- msiexec.exe (PID: 3540)
- MD5
- 88ec07b1cc8fac405c74362b70842677
- SHA1
- 2c3c41d02e6be18456870fab0a40378273d487ec
- SHA256
- ee545ed59a453914b64589037f0e72d55650653675a33e5e4af910f0b9db8dd2
-
BC7973775040549F571A0D173E891434
- Size
- 262B (262 bytes)
- Runtime Process
- msiexec.exe (PID: 3540)
- MD5
- 860d511e6a89d1431ffa58ec5a18b391
- SHA1
- 4d4cabcae9769d9e8deb109e1975b5f05b28a96f
- SHA256
- 2b4c13a570332eb64843f9a1f14f23c16d161827849cf7ab29a7ebe5e730e336
-
CDE89F9DCB25D8AC547E3CEFDA4FB6C2_35F3A43FE13E15F0E3E2AE1591CF5649
- Size
- 1.6KiB (1616 bytes)
- Runtime Process
- msiexec.exe (PID: 3540)
- MD5
- 3cae42cdca2599f89bc0f7090e9f5867
- SHA1
- 07eb97993492ebc7dff10955297958a176dc1fe4
- SHA256
- 36d045bfbc13880101de18804d393425fff9cd3ce175a53163645d40afa38982
-
D47DBD2F9E3365FBBE008D71FB06716F_D33192D58AA9CA2B9097E848E9FE86DE
- Size
- 1.4KiB (1454 bytes)
- Runtime Process
- msiexec.exe (PID: 3540)
- MD5
- 04701ca4be3e352c16b4156c288a6251
- SHA1
- 9e74a90f62582f49754556a47f0ed5784e4b1096
- SHA256
- 522ef68190a8a31e923c3c438118eed31f49f1b911eea3bbfe75a58f39d60bdd
-
CabBF6E.tmp
- Size
- 50KiB (50939 bytes)
- Type
- data
- Description
- Microsoft Cabinet archive data, 50939 bytes, 1 file
- Runtime Process
- msiexec.exe (PID: 3540)
- MD5
- 41f958d2d3e9ed4504b6a8863fd72b49
- SHA1
- f6d380b256b0e66ef347adc78195fd0f228b3e33
- SHA256
- c929701c67a05f90827563eedccf5eba8e65b2da970189a0371f28cd896708b8
-
1031.mst
- Size
- 116KiB (118784 bytes)
- Runtime Process
- VIPAccessSetup.exe (PID: 2528)
- MD5
- 9322eec30d7bccdb528602d147dfe670
- SHA1
- 18a9ded6fbb224a1db6b192036599b6adb5f09aa
- SHA256
- 986cfdb67fbb3c3845a7e4817551926cc19192092c54b05885278a23629b8f04
-
1040.mst
- Size
- 116KiB (118784 bytes)
- Runtime Process
- VIPAccessSetup.exe (PID: 2528)
- MD5
- 4c374730ded7b5666c4cb8c4259bd3c9
- SHA1
- 779ba84f1e5aa9559f7df8163072926f96d75b13
- SHA256
- 5162ba6a6487868e400f2147b991e9b6f45ac2ad636ba1ac7fbebd04ea33aca8
-
1041.mst
- Size
- 108KiB (110592 bytes)
- Runtime Process
- VIPAccessSetup.exe (PID: 2528)
- MD5
- 1984c152968eed9e28748b0441c74d55
- SHA1
- 023151d576c7318a5ee51a6afca9859d55fdbc12
- SHA256
- 1dacb4e3dd0970f043aee9985bae59ab4498c72b7548901783c98425ceb77038
-
1046.mst
- Size
- 108KiB (110592 bytes)
- Runtime Process
- VIPAccessSetup.exe (PID: 2528)
- MD5
- a5dc7799a47c5eee49ae66064b3c4477
- SHA1
- 2f7b3395e6f7e67593443e2ad169227668eb38fc
- SHA256
- 64f307aaab1b1167e2f3c233d99aad5b7d465bce1102e3712381bc9161c9533b
-
vcredist_x86.exe
- Size
- 4.3MiB (4485976 bytes)
- Runtime Process
- VIPAccessSetup.exe (PID: 2528)
- MD5
- fd30acc7a696c32f661b33668e73bf7b
- SHA1
- bd18409cfe75b88c2a9432d36d96f4bf125a3237
- SHA256
- 97c260d35bcfe18e046a1c413b9fc5a2754b8f790f7ace669a3be2500c0df229
-
WindowsInstaller-KB893803-v2-x86.exe
- Size
- 2.5MiB (2585872 bytes)
- Runtime Process
- VIPAccessSetup.exe (PID: 2528)
- MD5
- 342f79337765760ad4e392eb67d5ed2c
- SHA1
- 8318455b36ba0a748307459279d46f2f4cdb5a0e
- SHA256
- 69b61b2c00323cea3686315617d0f452e205dae10c47e02cbe1ea96fea38f582
-
vcredist_x64.exe
- Size
- 5MiB (5225304 bytes)
- Runtime Process
- VIPAccessSetup.exe (PID: 2528)
- MD5
- 3abb5efe9ad4d9728406a1a90a47575f
- SHA1
- 5da9a064b1fc505beef0d06e7d10baf8e5d92d09
- SHA256
- 7451ba5c6c05347789717561e871a303a4d171850790a3cdc99d4ddbf07e320b
-
install.res.1028.dll
- Size
- 71KiB (73040 bytes)
- Runtime Process
- vcred (PID: 2832)
- MD5
- 12c90dcbe3990439b30a1750d7d6a838
- SHA1
- fa0d6dd105a694260c42c9ca96e08b33fec76fc9
- SHA256
- 365555c74e0d81b0ae886b229810512171644d8985b7e56f4f60b777ec893fa8
-
install.res.1033.dll
- Size
- 86KiB (87904 bytes)
- Runtime Process
- vcred (PID: 2832)
- MD5
- 267642394c0d8b1c9a2dc279ce21ef43
- SHA1
- b69de3e259c264f0650018c6fa3bcc1ccab5bb2e
- SHA256
- 597151959d4264234fa25ebe470516125d36ed57c13baa1df7933b4019b3f314
-
install.res.1036.dll
- Size
- 92KiB (94048 bytes)
- Runtime Process
- vcred (PID: 2832)
- MD5
- c4edff7bc690871dad6372fe82f1818a
- SHA1
- 31938b640faec058767ed652c0e997d44fe423ab
- SHA256
- 66515bfcf8398a5abc7659ec8ef42e9b0de5db0d1f8147aa5fde5169d41b23b5
-
install.res.1040.dll
- Size
- 90KiB (91984 bytes)
- Runtime Process
- vcred (PID: 2832)
- MD5
- e154e908fea2658dd8e68b85f1d12c9e
- SHA1
- 8dc6a5ffb6e96c7ef52b610895ee1ae7ebb9a1ea
- SHA256
- d2323ad38dc863226c4fc4b0ad49a621100e96265ba17c361603a613f9a8faa1
-
install.res.1041.dll
- Size
- 76KiB (78160 bytes)
- Runtime Process
- vcred (PID: 2832)
- MD5
- cc764b52a03340e5291b6c6a00eb6726
- SHA1
- e099cf148a4584502a106c7746caa0797d343d69
- SHA256
- 0aeb96829c7350da4519de3667a0202b8be83f6236bd10ab1f3960426eba4ccd
-
install.res.1042.dll
- Size
- 75KiB (76640 bytes)
- Runtime Process
- vcred (PID: 2832)
- MD5
- 0cf1ce042664ed53231a1abd3c3acd4a
- SHA1
- 90f17cc1b9d2765d61d7b7488b180661460ea7da
- SHA256
- d1871469703578f35fb770f295d705ed54e2257ad4daf8cc319d15d4792f9723
-
install.res.1049.dll
- Size
- 88KiB (89936 bytes)
- Runtime Process
- vcred (PID: 2832)
- MD5
- bb8cc77eed188b459ad376a2fe755acd
- SHA1
- be984ee3091dc7e3800780e3dc95131660b8be41
- SHA256
- aa4b5c8c52df5482c9c9c51ea95fd0408da5856dfa0da24363c03d07dfab72ee
-
install.res.3082.dll
- Size
- 91KiB (93024 bytes)
- Runtime Process
- vcred (PID: 2832)
- MD5
- 492875bc841bf1931070d31b748c58c5
- SHA1
- 591aa5d209a210b53fc0ab6ace1add3fd7cf6ef6
- SHA256
- 85dc1c7dee6436b4816b3b853b2d16ae8615eb8378b2f2ebdb9187bd49ed7294
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Not all sources for signature ID "api-25" are available in the report
- Not all sources for signature ID "api-26" are available in the report
- Not all sources for signature ID "api-4" are available in the report
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "api-6" are available in the report
- Not all sources for signature ID "binary-0" are available in the report
- Not all sources for signature ID "mutant-0" are available in the report
- Not all sources for signature ID "registry-17" are available in the report
- Not all sources for signature ID "registry-18" are available in the report
- Not all sources for signature ID "stream-3" are available in the report
- Not all sources for signature ID "string-21" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)