Setup_WinThruster_2018.exe
This report is generated from a file or URL submitted to this webservice on March 22nd 2018 13:04:44 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.00 © Hybrid Analysis
Incident Response
Risk Assessment
- Persistence: Writes data to a remote process
- Fingerprint: Reads the active computer name
- Network Behavior: Contacts 1 domain
Indicators
Not all malicious and suspicious indicators are displayed.

Malicious Indicators (7)

External Systems
- Sample was identified as malicious by a large number of Antivirus engines
  - details: 12/59 Antivirus vendors marked sample as malicious (20% detection rate)
  - source: External System
  - relevance: 10/10
- Sample was identified as malicious by at least one Antivirus engine
  - details: 12/59 Antivirus vendors marked sample as malicious (20% detection rate)
  - source: External System
  - relevance: 8/10

General
- The analysis extracted a file that was identified as malicious
  - details: 2/63 Antivirus vendors marked dropped file "WinThrusterSetup.exe" as malicious (classified as "PUP.Optional" with 3% detection rate)
  - source: Binary File
  - relevance: 10/10
- The analysis spawned a process that was identified as malicious
  - details: 2/63 Antivirus vendors marked spawned process "WinThrusterSetup.exe" (PID: 2396) as malicious (classified as "PUP.Optional" with 3% detection rate)
  - source: Monitored Target
  - relevance: 10/10

Installation/Persistence
- Writes data to a remote process
  - details:
    - "WinThrusterSetup.exe" wrote 1500 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 356)
    - "WinThrusterSetup.exe" wrote 4 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 356)
    - "WinThrusterSetup.exe" wrote 32 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 356)
    - "WinThrusterSetup.exe" wrote 52 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 356)
  - source: API Call
  - relevance: 6/10

Unusual Characteristics
- Contains ability to reboot/shutdown the operating system
  - details: ExitWindowsEx@USER32.DLL from WinThrusterSetup.exe (PID: 2396)
  - source: Hybrid Analysis Technology
  - relevance: 5/10

Hiding 1 Malicious Indicator (all indicators are available only in the private webservice or standalone version)

Suspicious Indicators (22)

Cryptographic Related
- Found a cryptographic related string
  - details: "DES" (Indicator: "des"; File: "Setup_WinThruster_2018.exe.bin")
  - source: File/Memory
  - relevance: 10/10

Environment Awareness
- Contains ability to query CPU information
  - details:
    - cpuid from Setup_WinThruster_2018.exe (PID: 3040)
    - cpuid from WinThrusterSetup.exe (PID: 2396)
    - cpuid
  - source: Hybrid Analysis Technology
  - relevance: 10/10
- Reads the active computer name
  - details:
    - "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
    - "WinThrusterSetup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
    - "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - source: Registry Access
  - relevance: 5/10

General
- Contains ability to find and load resources of a specific module
  - details:
    - LoadResource@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - FindResourceW@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - FindResourceW@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - FindResourceW@KERNEL32.dll
    - FindResourceW@KERNEL32.dll
  - source: Hybrid Analysis Technology
  - relevance: 1/10
- Reads configuration files
  - details:
    - "WinThrusterSetup.exe" read file "%TEMP%\{2FCA55D5-E8D4-429C-9FAE-F7B20AB49070}\Setup.INI"
    - "WinThrusterSetup.exe" read file "%TEMP%\{2FCA55D5-E8D4-429C-9FAE-F7B20AB49070}\_ISMSIDEL.INI"
  - source: API Call
  - relevance: 4/10

Installation/Persistence
- Drops executable files
  - details:
    - "WinThrusterSetup_x64.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
    - "WinThrusterSetup.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  - source: Binary File
  - relevance: 10/10

Network Related
- Found potential IP address in binary/memory
  - details:
    - "4.05.0.0"
    - "2.9.0.0"
    - "2.5.4.3"
    - "2.5.4.11"
    - "2.5.4.10"
    - Heuristic match: "1.1.91.0.0IS_UPGRADE_FROM_BEFORE_1_7_191.7.181.1.10ISACTIONPROP11.7.19SetupFile1subpartner_1001901.pktSetupFile2subpartner_1001902.pktSetupFile3subpartner_1001903.pktSetupFile4subpartner_1001904.pktSetupFile52057{{Fatal error: }}Text1PushButt"
    - Heuristic match: "ScriptVer=1.0.0.1"
  - source: File/Memory
  - relevance: 3/10

Spyware/Information Retrieval
- Contains ability to enumerate processes/modules/threads
  - details:
    - CreateToolhelp32Snapshot@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - CreateToolhelp32Snapshot@KERNEL32.dll
  - source: Hybrid Analysis Technology
  - relevance: 5/10

System Destruction
- Marks file for deletion
  - details:
    - "%TEMP%\SLOW-PCF1521749196\WinThrusterSetup.exe" marked "%TEMP%\_MSI5166._IS" for deletion
    - "%TEMP%\SLOW-PCF1521749196\WinThrusterSetup.exe" marked "%TEMP%\~1954.tmp" for deletion
    - "%TEMP%\SLOW-PCF1521749196\WinThrusterSetup.exe" marked "%TEMP%\~19AF.tmp" for deletion
  - source: API Call
  - relevance: 10/10
- Opens file with deletion access rights
  - details:
    - "WinThrusterSetup.exe" opened "%TEMP%\_MSI5166._IS" with delete access
    - "WinThrusterSetup.exe" opened "%TEMP%\~1954.tmp" with delete access
    - "WinThrusterSetup.exe" opened "%TEMP%\~19AF.tmp" with delete access
  - source: API Call
  - relevance: 7/10

System Security
- Contains ability to elevate privileges
  - details:
    - SetSecurityDescriptorDacl@ADVAPI32.DLL from Setup_WinThruster_2018.exe (PID: 3040)
    - SetSecurityDescriptorDacl@ADVAPI32.DLL from WinThrusterSetup.exe (PID: 2396)
  - source: Hybrid Analysis Technology
  - relevance: 10/10
- Modifies proxy settings
  - details:
    - "<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
    - "<Input Sample>" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
    - "msiexec.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
    - "msiexec.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
    - "msiexec.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
    - "msiexec.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
    - "msiexec.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
  - source: Registry Access
  - relevance: 10/10
- Queries sensitive IE security settings
  - details:
    - "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
    - "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
  - source: Registry Access
  - relevance: 8/10

Unusual Characteristics
- CRC value set in PE header does not match actual value
  - details:
    - "WinThrusterSetup_x64.exe" claimed CRC 2100607 while the actual is CRC 4608410
    - "WinThrusterSetup.exe" claimed CRC 2089307 while the actual is CRC 2100607
  - source: Static Parser
  - relevance: 10/10
- Imports suspicious APIs
  - details:
    - SetSecurityDescriptorDacl
    - RegCloseKey
    - RegOpenKeyExW
    - GetFileAttributesA
    - GetTempPathA
    - WriteFile
    - CopyFileA
    - GetModuleFileNameA
    - UnhandledExceptionFilter
    - GetModuleHandleA
    - TerminateProcess
    - GetTickCount
    - GetVersionExA
    - LoadLibraryA
    - GetStartupInfoA
    - GetFileSize
    - CreateDirectoryA
    - DeleteFileA
    - FindFirstFileA
    - FindNextFileA
    - GetProcAddress
    - IsDebuggerPresent
    - CreateFileA
    - GetCommandLineA
    - GetModuleHandleW
    - Sleep
    - VirtualAlloc
    - ShellExecuteExA
    - RegCreateKeyExW
    - RegCreateKeyW
    - RegEnumKeyW
    - RegDeleteKeyW
    - OpenProcessToken
    - RegOpenKeyW
    - RegEnumKeyExW
    - RegDeleteValueW
    - GetDriveTypeW
    - GetFileAttributesW
    - LoadLibraryExW
    - GetThreadContext
    - FindResourceExW
    - CopyFileW
    - GetModuleFileNameW
    - CreateThread
    - CreateToolhelp32Snapshot
    - LoadLibraryW
    - GetVersionExW
    - VirtualProtect
    - WriteProcessMemory
    - OpenProcess
    - GetStartupInfoW
    - CreateDirectoryW
    - DeleteFileW
    - VirtualProtectEx
    - GetTempFileNameW
    - CreateFileMappingW
    - FindNextFileW
    - FindFirstFileW
    - CreateFileW
    - FindResourceW
    - Process32NextW
    - LockResource
    - GetCommandLineW
    - Process32FirstW
    - MapViewOfFile
    - GetTempPathW
    - CreateProcessW
    - ShellExecuteW
    - ShellExecuteExW
    - FindWindowW
  - source: Static Parser
  - relevance: 1/10
- Reads information about supported languages
  - details:
    - "WinThrusterSetup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
    - "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - source: Registry Access
  - relevance: 3/10

Hiding 6 Suspicious Indicators (all indicators are available only in the private webservice or standalone version)

Informative (27)

Anti-Detection/Stealthiness
- Queries kernel debugger information
  - details: "msiexec.exe" at 00020799-00003000-00000105-58782934
  - source: API Call
  - relevance: 6/10
- Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
  - details: "msiexec.exe" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "DISABLECACHINGOFSSLPAGES"; Value: "00000000040000000400000000000000")
  - source: Registry Access
  - relevance: 3/10

Anti-Reverse Engineering
- Contains ability to register a top-level exception handler (often used as anti-debugging trick)
  - details:
    - SetUnhandledExceptionFilter@KERNEL32.dll
    - SetUnhandledExceptionFilter@KERNEL32.DLL from Setup_WinThruster_2018.exe (PID: 3040)
    - SetUnhandledExceptionFilter@KERNEL32.DLL from Setup_WinThruster_2018.exe (PID: 3040)
    - SetUnhandledExceptionFilter@KERNEL32.DLL from Setup_WinThruster_2018.exe (PID: 3040)
    - SetUnhandledExceptionFilter@KERNEL32.DLL from Setup_WinThruster_2018.exe (PID: 3040)
    - SetUnhandledExceptionFilter@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - SetUnhandledExceptionFilter@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - SetUnhandledExceptionFilter@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - SetUnhandledExceptionFilter@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - SetUnhandledExceptionFilter@KERNEL32.dll
    - SetUnhandledExceptionFilter@KERNEL32.dll
  - source: Hybrid Analysis Technology
  - relevance: 1/10

Environment Awareness
- Contains ability to query machine time
  - details:
    - GetLocalTime@KERNEL32.DLL from Setup_WinThruster_2018.exe (PID: 3040)
    - GetSystemTimeAsFileTime@KERNEL32.DLL from Setup_WinThruster_2018.exe (PID: 3040)
    - GetSystemTimeAsFileTime@KERNEL32.DLL from Setup_WinThruster_2018.exe (PID: 3040)
    - GetSystemTimeAsFileTime@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - GetSystemTimeAsFileTime@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - GetLocalTime@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - GetSystemTimeAsFileTime@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - GetSystemTimeAsFileTime@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - GetLocalTime@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - GetLocalTime@KERNEL32.dll
    - GetLocalTime@KERNEL32.dll
  - source: Hybrid Analysis Technology
  - relevance: 1/10
- Contains ability to query the machine timezone
  - details:
    - GetTimeZoneInformation@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - GetTimeZoneInformation@KERNEL32.dll
  - source: Hybrid Analysis Technology
  - relevance: 1/10
- Contains ability to query the machine version
  - details:
    - GetVersionExA@KERNEL32.DLL from Setup_WinThruster_2018.exe (PID: 3040)
    - GetVersionExW@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - GetVersionExW@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - GetVersion@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - GetVersionExW@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - GetVersionExW@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - GetVersionExW@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - GetVersion@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - GetVersionExW@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - GetVersionExW@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - GetVersionExW@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - GetVersionExW@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - GetVersionExW@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - GetVersion@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - GetVersionExW@KERNEL32.dll
    - GetVersionExW@KERNEL32.dll
    - GetVersionExW@KERNEL32.dll
    - GetVersionExW@KERNEL32.dll
    - GetVersionExW@KERNEL32.dll
    - GetVersion@KERNEL32.dll
  - source: Hybrid Analysis Technology
  - relevance: 1/10
- Contains ability to query the system locale
  - details:
    - GetUserDefaultLCID@KERNEL32.dll
    - EnumSystemLocalesA@KERNEL32.dll
    - EnumSystemLocalesA@KERNEL32.dll
    - GetUserDefaultLCID@KERNEL32.DLL from Setup_WinThruster_2018.exe (PID: 3040)
    - EnumSystemLocalesA@KERNEL32.DLL from Setup_WinThruster_2018.exe (PID: 3040)
    - EnumSystemLocalesA@KERNEL32.DLL from Setup_WinThruster_2018.exe (PID: 3040)
    - EnumSystemLocalesA@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - EnumSystemLocalesA@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - GetUserDefaultLCID@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - GetUserDefaultLCID@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - EnumSystemLocalesA@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
    - EnumSystemLocalesA@KERNEL32.dll
    - GetUserDefaultLCID@KERNEL32.dll
    - EnumSystemLocalesA@KERNEL32.dll
    - EnumSystemLocalesA@KERNEL32.dll
    - GetUserDefaultLCID@KERNEL32.dll
  - source: Hybrid Analysis Technology
  - relevance: 1/10
- Contains ability to query volume size
  - details: GetDiskFreeSpaceW@KERNEL32.DLL from WinThrusterSetup.exe (PID: 2396)
  - source: Hybrid Analysis Technology
  - relevance: 3/10
- Makes a code branch decision directly after an API that is environment aware
  - details:
    - Found API call GetVersionExA@KERNEL32.DLL (Target: "Setup_WinThruster_2018.exe"; Stream UID: "00016770-00003040-49620-422-0135138C") which is directly followed by "cmp dword ptr [esp+000000C4h], 04h" and "jbe 01351450h". See related instructions: "...+81 call dword ptr [0137B00Ch] ;SetSecurityDescriptorDacl+87 lea eax, dword ptr [esp+000000C0h]+94 push eax+95 mov dword ptr [esp+000000C4h], 00000094h+106 call dword ptr [0137B188h] ;GetVersionExA+112 cmp dword ptr [esp+000000C4h], 04h+120 push dword ptr [ebp+08h]+123 lea ecx, dword ptr [esp+0Ch]+127 jbe 01351450h" ... from Setup_WinThruster_2018.exe (PID: 3040)
    - Found API call GetVersion@KERNEL32.DLL (Target: "WinThrusterSetup.exe"; Stream UID: "00017096-00002396-62555-1146-0045B436") which is directly followed by "cmp ecx, eax" and "ret ". See related instructions: "...+0 call dword ptr [004B0188h] ;GetVersion+6 mov ecx, 80000000h+11 cmp ecx, eax+13 sbb eax, eax+15 neg eax+17 ret " ... from WinThrusterSetup.exe (PID: 2396)
    - Found API call GetVersionExW@KERNEL32.DLL (Target: "WinThrusterSetup.exe"; Stream UID: "00017096-00002396-62555-1531-0042817D") which is directly followed by "cmp dword ptr [ebp+04h], 05h" and "jne 004282FEh". See related instructions: "...+34 call 00466D40h+39 mov esi, dword ptr [ebp+00000190h]+45 lea eax, dword ptr [ebp+00h]+48 push eax+49 mov dword ptr [ebp-14h], ecx+52 mov dword ptr [ebp+00h], 0000011Ch+59 call dword ptr [004B00F8h] ;GetVersionExW+65 cmp dword ptr [ebp+04h], 05h+69 jne 004282FEh" ... from WinThrusterSetup.exe (PID: 2396)
    - Found API call GetVersionExW@KERNEL32.DLL (Target: "WinThrusterSetup.exe"; Stream UID: "00017096-00002396-62555-1484-004254B5") which is directly followed by "cmp word ptr [ebp+00000114h], 0001h" and "jnc 0042557Fh". See related instructions: "...+210 lea eax, dword ptr [ebp+00h]+213 push eax+214 mov dword ptr [ebp+00h], 0000011Ch+221 call dword ptr [004B00F8h] ;GetVersionExW+227 cmp word ptr [ebp+00000114h], 0001h+235 jnc 0042557Fh" ... from WinThrusterSetup.exe (PID: 2396)
    - Found API call GetVersion@KERNEL32.DLL (Target: "WinThrusterSetup.exe"; Stream UID: "00017096-00002396-62555-1648-00435F72") which is directly followed by "cmp ecx, eax" and "ret ". See related instructions: "...+0 call dword ptr [004B0188h] ;GetVersion+6 mov ecx, 80000000h+11 cmp ecx, eax+13 sbb eax, eax+15 neg eax+17 ret " ... from WinThrusterSetup.exe (PID: 2396)
    - Found API call GetVersion@KERNEL32.DLL (Target: "WinThrusterSetup.exe"; Stream UID: "00017096-00002396-52930-8409-0045531D") which is directly followed by "cmp eax, 80000000h" and "jbe 00455661h". See related instructions: "...+784 call dword ptr [004B0188h] ;GetVersion+790 cmp eax, 80000000h+795 jbe 00455661h" ... from WinThrusterSetup.exe (PID: 2396)
    - Found API call GetVersion@KERNEL32.dll (Target: "WinThrusterSetup_x64.exe.649267850"; Stream UID: "1202-8531-0045531D") which is directly followed by "cmp eax, 80000000h" and "jbe 00455661h". See related instructions: "...+784 call dword ptr [004B0188h] ;GetVersion+790 cmp eax, 80000000h+795 jbe 00455661h" ...
    - Found API call GetVersionExW@KERNEL32.dll (Target: "WinThrusterSetup_x64.exe.649267850"; Stream UID: "1202-8556-0044F9D1") which is directly followed by "cmp dword ptr [ebp-70h], 01h" and "jne 0044FA55h". See related instructions: "...+0 push ebp+1 lea ebp, dword ptr [esp-00000098h]+8 sub esp, 00000118h+14 mov eax, dword ptr [004DB020h]+19 xor eax, ebp+21 mov dword ptr [ebp+00000094h], eax+27 mov eax, dword ptr [ebp+000000A0h]+33 and dword ptr [eax], 00000000h+36 push esi+37 mov esi, dword ptr [ebp+000000A4h]+43 and dword ptr [esi], 00000000h+46 lea eax, dword ptr [ebp-80h]+49 push eax+50 mov dword ptr [ebp-80h], 00000114h+57 call dword ptr [004B00F8h] ;GetVersionExW+63 cmp dword ptr [ebp-70h], 01h+67 jne 0044FA55h" ...
  - source: Hybrid Analysis Technology
  - relevance: 10/10
- Reads the cryptographic machine GUID
  - details: "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - source: Registry Access
  - relevance: 10/10
- Reads the registry for installed applications
  - details:
    - "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WINTHRUSTERSETUP.EXE")
    - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WINTHRUSTERSETUP.EXE")
  - source: Registry Access
  - relevance: 10/10

General
- Contacts domains
  - details: "www.solvusoft.com"
  - source: Network Traffic
  - relevance: 1/10
- Contains PDB paths
  - details:
    - "D:\Builds\Agent3\Binaries\Win32\Release\Reader.pdb"
    - "C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup___Win32_Release_Unicode\setup.pdb"
    - "D:\Builds\Agent4\Sources\Builds\Win32\Release\wiHelper.pdb"
    - "RSDSiYV#gAUhyD:\Builds\Agent3\Binaries\Win32\Release\Helper.pdb"
    - "RSDSAGflJB10D:\Builds\Agent3\Binaries\x64\Release\Helper.pdb"
  - source: File/Memory
  - relevance: 1/10
- Creates a writable file in a temporary directory
  - details:
    - "<Input Sample>" created file "%TEMP%\Reader.log.txt"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\SLOW-PCF1521749196\WinThrusterSetup_x64.exe"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\SLOW-PCF1521749196\WinThrusterSetup.exe"
    - "WinThrusterSetup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_MSI5166._IS"
    - "WinThrusterSetup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{2FCA55D5-E8D4-429C-9FAE-F7B20AB49070}\Setup.INI"
    - "WinThrusterSetup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{2FCA55D5-E8D4-429C-9FAE-F7B20AB49070}\_ISMSIDEL.INI"
    - "WinThrusterSetup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{2FCA55D5-E8D4-429C-9FAE-F7B20AB49070}\0x0402.ini"
    - "WinThrusterSetup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{2FCA55D5-E8D4-429C-9FAE-F7B20AB49070}\0x0404.ini"
    - "WinThrusterSetup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{2FCA55D5-E8D4-429C-9FAE-F7B20AB49070}\0x0405.ini"
    - "WinThrusterSetup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{2FCA55D5-E8D4-429C-9FAE-F7B20AB49070}\0x0406.ini"
    - "WinThrusterSetup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{2FCA55D5-E8D4-429C-9FAE-F7B20AB49070}\0x0407.ini"
    - "WinThrusterSetup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{2FCA55D5-E8D4-429C-9FAE-F7B20AB49070}\0x0408.ini"
    - "WinThrusterSetup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{2FCA55D5-E8D4-429C-9FAE-F7B20AB49070}\0x0409.ini"
  - source: API Call
  - relevance: 1/10
- Creates mutants
  - details:
    - "\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
    - "\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
    - "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
    - "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
    - "Global\SLOW-PCfighter.Installation"
    - "Global\log-C:_Users_BWFfVC8_AppData_Local_Temp_Reader"
    - "\Sessions\1\BaseNamedObjects\Global\log-C:_Users_BWFfVC8_AppData_Local_Temp_Reader"
    - "\Sessions\1\BaseNamedObjects\Global\SLOW-PCfighter.Installation"
    - "\Sessions\1\BaseNamedObjects\IESQMMUTEX_0_208"
    - "\Sessions\1\BaseNamedObjects\Global\MSILOG_5f5c8c201d3c219txt.gol.ism_ORPCR_pmeT_lacoL_ataDppA_SWBUPSP_sresU_:C"
    - "\Sessions\1\BaseNamedObjects\Local\!IETld!Mutex"
    - "\Sessions\1\BaseNamedObjects\Local\_!MSFTHISTORY!_"
    - "\Sessions\1\BaseNamedObjects\Local\c:!users!bwffvc8!appdata!local!microsoft!windows!temporary internet files!content.ie5!"
    - "\Sessions\1\BaseNamedObjects\Local\c:!users!bwffvc8!appdata!roaming!microsoft!windows!cookies!"
    - "\Sessions\1\BaseNamedObjects\Local\c:!users!bwffvc8!appdata!local!microsoft!windows!history!history.ie5!"
  - source: Created Mutant
  - relevance: 3/10
- Spawns new processes
  - details:
    - Spawned process "WinThrusterSetup.exe" with commandline "/V"/l*v \"%TEMP%\RCPRO_msi.log.txt\" USER_PARTNER_IDENTITY=10019 SCAN=1 WEBINSTALLER=1 USER_BRAND_NAME=\"Solvusoft\"""
    - Spawned process "msiexec.exe" with commandline "/i "http://www.solvusoft.com/file-downloads/builds/winthruster/spamfighter/build-assets/1.31.0/WinThruster.msi" /l*v "%TEMP%\RCPRO_msi.log.txt" USER_PARTNER_IDENTITY=10019 SCAN=1 WEBINSTALLER=1 USER_BRAND_NAME="Solvusoft" TRANSFORMS="%TEMP%\{2FCA55D5-E8D4-429C-9FAE-F7B20AB49070}\1033.MST" SETUPEXEDIR="%TEMP%\SLOW-PCF1521749196" SETUPEXENAME="WinThrusterSetup.exe""
  - source: Monitored Target
  - relevance: 3/10
- The input sample is signed with a certificate
  - details:
    - The input sample is signed with a certificate issued by "CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA" (SHA1: 6C:07:45:3F:FD:DA:08:B8:37:07:C0:9B:82:FB:3D:15:F3:53:36:B1; see report for more information)
    - The input sample is signed with a certificate issued by "CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US" (SHA1: 65:43:99:29:B6:79:73:EB:19:2D:6F:F2:43:E6:76:7A:DF:08:34:E4; see report for more information)
    - The input sample is signed with a certificate issued by "CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB" (SHA1: B7:A5:CB:5E:19:D2:96:D8:4D:0E:54:8E:74:44:17:7A:98:81:93:D4; see report for more information)
    - The input sample is signed with a certificate issued by "CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB" (SHA1: B6:9E:75:2B:BE:88:B4:45:82:00:A7:C0:F4:F5:B3:CC:E6:F3:5B:47; see report for more information)
  - source: Certificate Data
  - relevance: 10/10
- The input sample is signed with a valid certificate
  - details: The entire certificate chain of the input sample was validated successfully.
  - source: Certificate Data
  - relevance: 10/10

Installation/Persistence
- Connects to LPC ports
  - details:
    - "<Input Sample>" connecting to "\ThemeApiPort"
    - "WinThrusterSetup.exe" connecting to "\ThemeApiPort"
  - source: API Call
  - relevance: 1/10
- Dropped files
  - details:
    - "WinThrusterSetup_x64.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
    - "WinThrusterSetup.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
    - "1033.MST" has type "Composite Document File V2 Document Little Endian O%WINDIR%\Version 6.1 Code page: 1252 Title: WinThruster Installer Subject: WinThruster Installer Author: SPAMfighter ApS Keywords: Comments: WinThruster Installer Create Time/Date: Thu Mar 15 17:11:00 2018 Name of Creating Application: InstallShield 2012 - Premier Edition 18 Security: 1 Template: Intel;0103310262052102810501029103010432057103510361031103210381057104010411042104410452070104810491034105310541055 Last Saved By: Intel;1033 Revision Number: {773A8CA8-3876-4AA1-AB78-EECA231BFF3A}1.31.0;{773A8CA8-3876-4AA1-AB78-EECA231BFF3A}1.31.0;{69036555-8D32-4CAE-873D-2BF4A6867D0B} Number of Pages: 200 Number of Characters: 1"
    - "urlref_httpwww.solvusoft.comfile-downloadsbuildswinthrusterspamfighterbuild-assets1.31.0WinThruster.msi" has type "Composite Document File V2 Document Little Endian Os: Windows Version 6.1 MSI Installer Number of Characters: 0 Last Saved By: InstallShield Number of Words: 0 Title: WinThruster Installer Comments: WinThruster Installer Keywords: Subject: WinThruster Installer Author: SPAMfighter ApS Security: 1 Number of Pages: 200 Name of Creating Application: InstallShield 2012 - Premier Edition 18 Last Saved Time/Date: Thu Mar 15 17:10:59 2018 Create Time/Date: Thu Mar 15 17:10:59 2018 Last Printed: Thu Mar 15 17:10:59 2018 Revision Number: {C9DB8C55-A382-4F72-AA53-24A039797F88} Code page: 0 Template: Intel;0103310262052102810501029103010432057103510361031103210381057104010411042104410452070104810491034105310541055"
    - "0x041d.ini" has type "Little-endian UTF-16 Unicode text with very long lines with CRLF CR line terminators"
    - "0x0409.ini" has type "Little-endian UTF-16 Unicode text with very long lines with CRLF CR line terminators"
    - "0x0421.ini" has type "Little-endian UTF-16 Unicode text with very long lines with CRLF CR line terminators"
    - "0x0415.ini" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
    - "0x041f.ini" has type "Little-endian UTF-16 Unicode text with very long lines with CRLF CR line terminators"
    - "0x041e.ini" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
    - "0x0411.ini" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
    - "0x0408.ini" has type "Little-endian UTF-16 Unicode text with very long lines with CRLF CR line terminators"
    - "0x040e.ini" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
    - "0x041a.ini" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
    - "0x0414.ini" has type "Little-endian UTF-16 Unicode text with very long lines with CRLF CR line terminators"
    - "0x0412.ini" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
    - "_ISMSIDEL.INI" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
    - "~19AF.tmp" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
    - "0x040a.ini" has type "Little-endian UTF-16 Unicode text with very long lines with CRLF CR line terminators"
    - "0x0407.ini" has type "Little-endian UTF-16 Unicode text with very long lines with CRLF CR line terminators"
  - source: Binary File
  - relevance: 3/10
- Touches files in the Windows directory
  - details:
    - "<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
    - "<Input Sample>" touched file "C:\Windows\AppPatch\sysmain.sdb"
    - "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
    - "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
    - "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
    - "WinThrusterSetup.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
    - "WinThrusterSetup.exe" touched file "C:\Windows\Fonts\StaticCache.dat"
    - "WinThrusterSetup.exe" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
    - "WinThrusterSetup.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
    - "WinThrusterSetup.exe" touched file "C:\Windows\System32\msiexec.exe"
    - "msiexec.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
    - "msiexec.exe" touched file "C:\Windows\System32\msiexec.exe"
    - "msiexec.exe" touched file "C:\Windows\AppPatch\AcLayers.dll"
    - "msiexec.exe" touched file "C:\Windows\System32\rsaenh.dll"
    - "msiexec.exe" touched file "C:\Windows\System32\msxml3r.dll"
    - "msiexec.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files"
  - source: API Call
  - relevance: 7/10

Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://ocsp.thawte.com0"
Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0"
Pattern match: "http://ts-ocsp.ws.symantec.com07"
Pattern match: "http://ts-aia.ws.symantec.com/tss-ca-g2.cer0"
Pattern match: "http://ts-crl.ws.symantec.com/tss-ca-g2.crl0"
Pattern match: "https://secure.comodo.net/CPS0C"
Pattern match: "crl.comodoca.com/COMODORSACodeSigningCA.crl0t"
Pattern match: "crt.comodoca.com/COMODORSACodeSigningCA.crt0$"
Pattern match: "http://ocsp.comodoca.com0"
Pattern match: "http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q"
Pattern match: "http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$"
Pattern match: "http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d"
Pattern match: "www.solvusoft.com"
Pattern match: "www.solvusoft.com/ARPHELPLINKARPNOMODIFYARPPRODUCTICON.exeARPPRODUCTICONARPSYSTEMCOMPONENTARPURLINFOABOUTARPURLUPDATEINFOCOMMONTRAYSHORTCUTNAME30DWUSINTERVALCE0C500FDEBBA00F3EACD0FF9EFC978FD9CCA78F691B80BFCE9CA028BE9BA7A899FBD00FEEACDWUSLINKDefaultUIFontIn"
Heuristic match: "ile [3]. A directory with this name already exists. Cancel the installation and try installing to a different location.Pl"
Pattern match: "http://ocsp.verisign.com0"
Pattern match: "http://crl.verisign.com/tss-ca.crl0"
Pattern match: "crl.verisign.com/ThawteTimestampingCA.crl0"
Pattern match: "https://www.verisign.com/rpa"
Pattern match: "csc3-2009-2-crl.verisign.com/CSC3-2009-2.crl0D"
Pattern match: "https://www.verisign.com/rpa0"
Pattern match: "csc3-2009-2-aia.verisign.com/CSC3-2009-2.cer0"
Pattern match: "https://www.verisign.com/cps0*"
Pattern match: "http://logo.verisign.com/vslo"
Pattern match: "http://ocsp.verisign.com01"
Pattern match: "http://crl.verisign.com/pca3.crl0"
Pattern match: "http://www.flexerasoftware.com0"
Pattern match: "http://crl.thawte.com/ThawteTimestamping"
Pattern match: "http://logo.verisign.com/vslogo.gif0"
Pattern match: "www.flexerasoftware.com0"
Pattern match: "http://www.solvusoft.com/file-downloads/builds/winthruster/spamfighter/build-assets/1.31.0/WinThruster.msi"
Pattern match: "www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d"
Pattern match: "http://crl.verisign.com/tss-ca.crl0U%0"
Pattern match: "crl.verisign.com/ThawteTimestampingCA.crl0U%0"
Pattern match: "csc3-2009-2-crl.verisign.com/CSC3-2009-2.crl0DU"
Pattern match: "csc3-2009-2-aia.verisign.com/CSC3-2009-2.cer0U#0k&p?-50`HB0"
Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0U%0"
Pattern match: "https://secure.comodo.net/CPS0CU"
Pattern match: "http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q+e0c0;+0/http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$+0http://ocsp.comodoca.com0"
Pattern match: "http://login.backup.spamfighter.com:80/LoginSystem/ProfileInstalledVersionLangFS_releaseSynchronizeResultFS_synchronizeFS_releaseLicenseHandleFS_createLicenseHandlerboost::filesystem::removeboost::filesystem::basic_directory_iterator"
Pattern match: "http://login.backup.spamfighter.com:80/LoginSystem/ProfileInstalledVersionLangFS_releaseSynchronizeResultFS_synchronizeFS_releaseLicenseHandleFS_createLicenseHandleLT"
Pattern match: "http://login.spamfighter.com:80/LoginSystem/useproductkey"
Pattern match: "login.globalloginsystem.com/Loginsystem/Gotopage/5USER_LANGUAGE_ISO639on"
Pattern match: "login.globalloginsystem.com/Loginsystem/Gotopage/?Login_Product=RCPROCANCELDLGIDTrack"
Pattern match: "http://login.spamfighter.com/Loginsystem/EmailValidate/Validating"
Pattern match: "www.solvusoft.com/en/winthruster/privacy/}}{\fldrslt"
Pattern match: "https://www.solvusoft.com/en/guarantee/}}{\fldrslt" - source
- File/Memory
- relevance
- 10/10
-
Spyware/Information Retrieval
-
Accesses potentially sensitive information from local browsers
- details
-
"msiexec.exe" had access to "%APPDATA%\Microsoft\Windows\Cookies\index.dat" (Type: "FileHandle")
"msiexec.exe" had access to "%APPDATA%\Microsoft\Windows\IETldCache\index.dat" (Type: "FileHandle") - source
- Touched Handle
- relevance
- 7/10
-
System Security
-
Creates or modifies windows services
- details
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
- source
- Registry Access
- relevance
- 10/10
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"<Input Sample>" opened "\Device\KsecDD"
"WinThrusterSetup.exe" opened "\Device\KsecDD"
"msiexec.exe" opened "\Device\KsecDD" - source
- API Call
- relevance
- 10/10
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
- "msiexec.exe" wrote bytes "4053be775858bf77186abf77653cc0770000000000bf5e760000000056cc5e76000000007cca5e76000000003768f3756a2cc077d62dc077000000002069f3750000000029a65e7600000000a48df37500000000f70e5e7600000000" to virtual address "0x76051000" (part of module "NSI.DLL")
- source
- Hook Detection
- relevance
- 10/10
-
Matched Compiler/Packer signature
- details
-
"Setup_WinThruster_2018.exe.bin" was detected as "VC8 -> Microsoft Corporation"
"WinThrusterSetup_x64.exe" was detected as "VC8 -> Microsoft Corporation"
"WinThrusterSetup.exe" was detected as "VC8 -> Microsoft Corporation" - source
- Static Parser
- relevance
- 10/10
File Details
Setup_WinThruster_2018.exe
- Filename
- Setup_WinThruster_2018.exe
- Size
- 4.4MiB (4577888 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 22f5ed9b2f9e66c75588ab76999e3472134aa291302a989f8182581c28117f96
- MD5
- 087719646398bfa5ab4508781898b650
- SHA1
- cbd4e0fe169df3cf7f1212f73eaed87900b62218
- ssdeep
- 98304:nO4kYF4xFfWb52L1GZsC9EbxFfWb52L1GZarG/RKfa84:zk7Fg25EslFg25E4mRBl
- imphash
- 64f9eff108d6116d0212d088459bc7a5
- authentihash
- 22e57f00c03517f1a67da2b2eb5cdfbc0acbdd430e22e9d514c0131e5a7893f7
- Compiler/Packer
- VC8 -> Microsoft Corporation
- PDB Pathway
Version Info
- LegalCopyright
- Copyright (c) Solvusoft Corporation
- InternalName
- WinThruster Setup
- FileVersion
- 1.31.0.0
- CompanyName
- Solvusoft Corporation
- ProductName
- WinThruster
- ProductVersion
- 1.31.0.0
- FileDescription
- WinThruster Installation Package
- OriginalFilename
- WinThruster_Setup.exe
- Translation
- 0x0000 0x04e4
Classification (TrID)
- 67.3% (.EXE) Win32 Executable MS Visual C++ (generic)
- 14.2% (.DLL) Win32 Dynamic Link Library (generic)
- 9.7% (.EXE) Win32 Executable (generic)
- 4.3% (.EXE) Generic Win/DOS Executable
- 4.3% (.EXE) DOS Executable Generic
File Sections
File Resources
File Imports
File Certificates
Certificate chain was successfully validated.
Owner | Issuer | Validity | Hashes (MD5, SHA1) |
---|---|---|---|
CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US | CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA (Serial: 7e93ebfb7cc64e59ea4b9a77d406fc3b) | 12/21/2012 01:00:00 to 12/31/2020 00:59:59 | 7B:A3:69:EE:9A:BD:81:E0:FC:76:74:E9:70:9E:15:1D; 6C:07:45:3F:FD:DA:08:B8:37:07:C0:9B:82:FB:3D:15:F3:53:36:B1 |
CN=Symantec Time Stamping Services Signer - G4, O=Symantec Corporation, C=US | CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US (Serial: ecff438c8febf356e04d86a981b1a50) | 10/18/2012 01:00:00 to 12/30/2020 00:59:59 | 08:32:B6:5C:C3:E3:A4:9B:C3:81:BA:95:E1:B5:87:37; 65:43:99:29:B6:79:73:EB:19:2D:6F:F2:43:E6:76:7A:DF:08:34:E4 |
CN=Solvusoft Corporation, O=Solvusoft Corporation, STREET=848 N. Rainbow Blvd., STREET=Suite 3321, L=Las Vegas, ST=NV, OID.2.5.4.17=89107, C=US | CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB (Serial: 7f75a618f07737266cdc2d5f6d5d0d26) | 03/01/2018 01:00:00 to 03/02/2019 00:59:59 | 84:A1:13:FD:96:3A:17:DE:8C:BE:1B:B5:C5:82:DE:4D; B7:A5:CB:5E:19:D2:96:D8:4D:0E:54:8E:74:44:17:7A:98:81:93:D4 |
CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB (Serial: 2e7c87cc0e934a52fe94fd1cb7cd34af) | 05/09/2013 01:00:00 to 05/09/2028 00:59:59 | AA:37:4C:C0:0B:ED:2E:1E:A6:91:EF:41:5B:80:8F:E1; B6:9E:75:2B:BE:88:B4:45:82:00:A7:C0:F4:F5:B3:CC:E6:F3:5B:47 |
Screenshots
Hybrid Analysis
Analysed 3 processes in total (System Resource Monitor).
-
Setup_WinThruster_2018.exe
(PID: 3040)
12/59
-
WinThrusterSetup.exe
/V"/l*v \"%TEMP%\RCPRO_msi.log.txt\" USER_PARTNER_IDENTITY=10019 SCAN=1 WEBINSTALLER=1 USER_BRAND_NAME=\"Solvusoft\""
(PID: 2396)
2/63
- msiexec.exe /i "http://www.solvusoft.com/file-downloads/builds/winthruster/spamfighter/build-assets/1.31.0/WinThruster.msi" /l*v "%TEMP%\RCPRO_msi.log.txt" USER_PARTNER_IDENTITY=10019 SCAN=1 WEBINSTALLER=1 USER_BRAND_NAME="Solvusoft" TRANSFORMS="%TEMP%\{2FCA55D5-E8D4-429C-9FAE-F7B20AB49070}\1033.MST" SETUPEXEDIR="%TEMP%\SLOW-PCF1521749196" SETUPEXENAME="WinThrusterSetup.exe" (PID: 3000)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
www.solvusoft.com | 104.123.19.17 (TTL: 6244) | - | United States |
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
3.0.0.0 | Domain/IP reference | 00017096-00002396-62555-1482-0042A15E |
2.0.0.0 | Domain/IP reference | 00017096-00002396-62555-1482-0042A15E |
2.5.4.3 | Domain/IP reference | 00017096-00002396-52930-6081-0045E08A |
2.5.4.11 | Domain/IP reference | 00017096-00002396-52930-6081-0045E08A |
2.9.0.0 | Domain/IP reference | 00017096-00002396-62555-1483-004379B7 |
2.5.4.10 | Domain/IP reference | 00017096-00002396-52930-6081-0045E08A |
49.1.9.1 | Domain/IP reference | 00017096-00002396-52930-6081-0045E08A |
http://www.installshield.com/isetup/proerrorcentral.asp?errorcode | Domain/IP reference | 00017096-00002396-62555-1088-00411EE2 |
Extracted Strings
Extracted Files
Displaying 24 extracted file(s). The remaining 12 file(s) are available in the full version and XML/JSON reports.
-
Malicious 1
-
-
WinThrusterSetup.exe
- Size
- 2MiB (2062120 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "PUP.Optional" (2/63)
- Runtime Process
- WinThrusterSetup.exe (PID: 2396)
- MD5
- ac3a7176a9f71427f9323093ee9a8f4c
- SHA1
- 85b447bb8b6962d8e3708184f7fdb0fc208bbdbc
- SHA256
- 1a829005a1ae52c681bdaee8f247054c2685d514d16c6e4591fa5b2602504cb9
-
-
Informative Selection 3
-
-
1033.MST
- Size
- 20KiB (20480 bytes)
- Type
- text
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: WinThruster Installer, Subject: WinThruster Installer, Author: SPAMfighter ApS, Keywords: , Comments: WinThruster Installer, Create Time/Date: Thu Mar 15 17:11:00 2018, Name of Creating Application: InstallShield 2012 - Premier Edition 18, Security: 1, Template: Intel;0,1033,1026,2052,1028,1050,1029,1030,1043,2057,1035,1036,1031,1032,1038,1057,1040,1041,1042,1044,1045,2070,1048,1049,1034,1053,1054,1055, Last Saved By: Intel;1033, Revision Number: {773A8CA8-3876-4AA1-AB78-EECA231BFF3A}1.31.0;{773A8CA8-3876-4AA1-AB78-EECA231BFF3A}1.31.0;{69036555-8D32-4CAE-873D-2BF4A6867D0B}, Number of Pages: 200, Number of Characters: 1
- Runtime Process
- WinThrusterSetup.exe (PID: 2396)
- MD5
- 0e852bcbae9af3f499fad02d6bf5a791
- SHA1
- 444637432c2806f3263d17d18c8d2719e4a0aff5
- SHA256
- 0dd998b41e68c873d9f34bc7fa5815d14cc541717d5dab701f0a5a9b0fc30d2e
-
Setup.INI
- Size
- 5.5KiB (5616 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- WinThrusterSetup.exe (PID: 2396)
- MD5
- 606fa768fcbc3dc1b8b8d03db59ee764
- SHA1
- fe7d1fd9c2f7e55110bdb1f0a5d0e7de67b061e0
- SHA256
- 1459364dd885e34297be2130a7ff6870c9f991771b159eae47c5c237835c5737
-
~1954.tmp
- Size
- 5.5KiB (5616 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- WinThrusterSetup.exe (PID: 2396)
- MD5
- 606fa768fcbc3dc1b8b8d03db59ee764
- SHA1
- fe7d1fd9c2f7e55110bdb1f0a5d0e7de67b061e0
- SHA256
- 1459364dd885e34297be2130a7ff6870c9f991771b159eae47c5c237835c5737
-
-
Informative 20
-
-
Reader.log.txt
- Size
- 346B (346 bytes)
- Runtime Process
- Setup_WinThruster_2018.exe (PID: 3040)
- MD5
- e2b2ac5b5a16f3df0f3672da70db5040
- SHA1
- aa1806350ddb19bf32cec639f21fa880c4327b18
- SHA256
- b33c699a24ab38dbb0a76331d2a06d492b55dece995ba9bf53df5c213f69b9c3
-
WinThrusterSetup_x64.exe
- Size
- 2MiB (2062168 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Runtime Process
- Setup_WinThruster_2018.exe (PID: 3040)
- MD5
- efbcaa2a61ec0aa0510172f050139807
- SHA1
- 6b17de55b4df7c7bc8fae93d2cd799165e9a55ff
- SHA256
- a0fcf004df8c465cfa4ec9c20cd7583f0a8a4fde1b98002ff77e828a588465ab
-
0x0402.ini
- Size
- 24KiB (24652 bytes)
- Runtime Process
- WinThrusterSetup.exe (PID: 2396)
- MD5
- 8846b9a3a28df070a511988dccc86f58
- SHA1
- 819cd7045350d6962f0ddbb896bbcc9b8f903bd8
- SHA256
- 5d3b6e8e93f00f45599c8ea292302ec94b317f0b00248071879cde194bdbe6e3
-
0x0404.ini
- Size
- 11KiB (10758 bytes)
- Runtime Process
- WinThrusterSetup.exe (PID: 2396)
- MD5
- 2d7d122afa033b989b703888cdb9edab
- SHA1
- 04e32e313d07d1d0e9ed9221b7eb924aa39202fc
- SHA256
- fba2c4c13a7e2bcc15c090b24a28dcce848210e46dd71e57dc07eb9854bd5345
-
0x0405.ini
- Size
- 23KiB (23410 bytes)
- Runtime Process
- WinThrusterSetup.exe (PID: 2396)
- MD5
- e66f855502b409a2eaa50ef9bc66acbd
- SHA1
- 3907e12fe11fc447bd230448a7d43a222156c3cf
- SHA256
- bbe50a141bb622513c4117ef72dabbbbd152f83393490a6b61173025bcbed188
-
0x0406.ini
- Size
- 23KiB (23994 bytes)
- Runtime Process
- WinThrusterSetup.exe (PID: 2396)
- MD5
- 2934637bf3cccdc7097c72044de19f98
- SHA1
- c7085f5d6ca6d0e86f872f1e0a44b983b9d7f177
- SHA256
- 47bf75b72ea1581b567f4517b9fd4e6f718e39fbb4c751e5213e94b5312942bb
-
0x0407.ini
- Size
- 25KiB (25960 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
- Runtime Process
- WinThrusterSetup.exe (PID: 2396)
- MD5
- c19f30caaa751082474e2153f5124693
- SHA1
- 94d6ce533b74de20b8324f67a7ca03120e57df44
- SHA256
- ab9b5b21487355c975c975e6ba88c1eb881e27657d5caabe9ccb2ef8421d459e
-
0x0408.ini
- Size
- 27KiB (27482 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
- Runtime Process
- WinThrusterSetup.exe (PID: 2396)
- MD5
- 4d368f255c256faa23d59172a4ba5cd3
- SHA1
- a7fff82ea4d1c2e683cccbd67b68bf8c1a7b6a50
- SHA256
- 878ba297669cf123eae71e771c4bce0658c21dce6d47d4f36d4294233e2c2c66
-
0x0409.ini
- Size
- 22KiB (22558 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
- Runtime Process
- WinThrusterSetup.exe (PID: 2396)
- MD5
- fb2887df5a359468851a7080b9140311
- SHA1
- 43e6a362e270007fa38021b922f88754078637f9
- SHA256
- a9cf5b5a4303ca758bdeff308cbd59fc98cf918c3d51cd62913e2fc75d2e4339
-
0x040a.ini
- Size
- 25KiB (25236 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
- Runtime Process
- WinThrusterSetup.exe (PID: 2396)
- MD5
- 4af55ae1a38156139694b8a772e2661d
- SHA1
- 70bf0b1c1e7845428a14de8c964408c922af38f1
- SHA256
- 5cbc55bf53b318a7c95865fdf161d9405eaecdc4047a0f23e4e9a6d1e6857021
-
0x040b.ini
- Size
- 22KiB (22824 bytes)
- Runtime Process
- WinThrusterSetup.exe (PID: 2396)
- MD5
- 37698fff4f4d3392110353d3fee3fa62
- SHA1
- 3939a4914f7ef14b3f0701e74a82e4ff40c2f245
- SHA256
- d7c5b75d769218c3bd8e536182c5eaac634a4bbe713527aeee71c14ecb7f51d3
-
0x040c.ini
- Size
- 26KiB (26368 bytes)
- Runtime Process
- WinThrusterSetup.exe (PID: 2396)
- MD5
- 7bb5953630616d454f4f41329de4ef12
- SHA1
- 0eea5793b3d01f71c4abecfefa608881d2661d0f
- SHA256
- 791823ee36f4f47bc0b2952cf07723ee021370d467c78adfc99417f4868e3ed3
-
0x040e.ini
- Size
- 23KiB (23388 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- WinThrusterSetup.exe (PID: 2396)
- MD5
- 2b849fa545ba8794c28042d368315cdc
- SHA1
- f49e73de1bcdb58b85407ca490d586f08d33fae0
- SHA256
- 1ddc00835c35b75538e3476e3dacf45b3523e36a56b84ff0be628c238a43528d
-
0x0410.ini
- Size
- 25KiB (25286 bytes)
- Runtime Process
- WinThrusterSetup.exe (PID: 2396)
- MD5
- 3a9215222e93fd03dba99fc02bb45f45
- SHA1
- 48a854d975dbae049bbb5ddbc1275e42fa23fce3
- SHA256
- d2567e46f8f3cd98b89866b1c3743db14178b12e22c45552ec4edd60e873d6cb
-
0x0411.ini
- Size
- 15KiB (14972 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- WinThrusterSetup.exe (PID: 2396)
- MD5
- 83dda9c05226e03d6c30b15df2302299
- SHA1
- fe0c1d9ee2b96d57da49e0e245d6d7eade663055
- SHA256
- bd14396c20ef830b2020dc55d11a2460c7dc08ec4150daf9fa1dc49c8c436a8d
-
0x0412.ini
- Size
- 14KiB (14196 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- WinThrusterSetup.exe (PID: 2396)
- MD5
- ea1fe197ff8838cdf76d5edf01772521
- SHA1
- 04b75267b84452e9d18df0d00330bebe12fb04ea
- SHA256
- 26345f5ca9cd84f01847dff88ea3c0e95114de8f5e747c48fa98d95ad07b9db3
-
0x0413.ini
- Size
- 25KiB (25096 bytes)
- Runtime Process
- WinThrusterSetup.exe (PID: 2396)
- MD5
- 7c7d709578f0f363d437693d819ba731
- SHA1
- 44efb7dc35e9fe88e353dba4f89a0d2289257e44
- SHA256
- eb7235a4d5264b61cb749c8be9d678faeda8120706ebd39154df4e95d35ae991
-
0x0414.ini
- Size
- 24KiB (24088 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
- Runtime Process
- WinThrusterSetup.exe (PID: 2396)
- MD5
- 4beffe334c0f3a99e166eb0875448100
- SHA1
- b01e3e3938153cdabb9ad991ae19de4872afa49b
- SHA256
- 56c712fa85fcfbe2065370afaf89741d634480ee2b542f1d902c0d79e040495b
-
0x0415.ini
- Size
- 24KiB (24432 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- WinThrusterSetup.exe (PID: 2396)
- MD5
- 880fa69dc3f8a4eaef9bd3404fdd5fb4
- SHA1
- 011d2604b333b9c69ea27e8176a0608d5b1bbb03
- SHA256
- c7ce5fce5c794c48cb854a4543de500fc865896a56e8941930ca1c4a9ff1b3d1
-
urlref_httpwww.solvusoft.comfile-downloadsbuildswinthrusterspamfighterbuild-assets1.31.0WinThruster.msi
- Size
- 10MiB (10730744 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: WinThruster Installer, Comments: WinThruster Installer, Keywords: , Subject: WinThruster Installer, Author: SPAMfighter ApS, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2012 - Premier Edition 18, Last Saved Time/Date: Thu Mar 15 17:10:59 2018, Create Time/Date: Thu Mar 15 17:10:59 2018, Last Printed: Thu Mar 15 17:10:59 2018, Revision Number: {C9DB8C55-A382-4F72-AA53-24A039797F88}, Code page: 0, Template: Intel;0,1033,1026,2052,1028,1050,1029,1030,1043,2057,1035,1036,1031,1032,1038,1057,1040,1041,1042,1044,1045,2070,1048,1049,1034,1053,1054,1055
- Context
- http://www.solvusoft.com/file-downloads/builds/winthruster/spamfighter/build-assets/1.31.0/WinThruster.msi
- MD5
- 3800646309f4f4d4b18675f453692015
- SHA1
- 008147d75d3cbe27486cfa99fc7827ae3ebac989
- SHA256
- de1a867028185e16c9a6f676a150ac5a3a133f4afa2fc50f5db405393f23a738
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Although all strings were processed, some are hidden from the report in order to reduce the overall size
- Enforcing malicious verdict, as a reliable source indicates high confidence
- Extracted file "WinThrusterSetup_x64.exe" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/a0fcf004df8c465cfa4ec9c20cd7583f0a8a4fde1b98002ff77e828a588465ab/analysis/1521720793/")
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-4" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-6" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "stream-3" are available in the report
- Not all sources for indicator ID "string-63" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report