IEM_RANDEVU_KURULUM.exe
This report is generated from a file or URL submitted to this webservice on September 27th 2017 09:35:17 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v6.91 © Hybrid Analysis
Incident Response
Risk Assessment
- Persistence: Spawns a lot of processes; Writes data to a remote process
- Fingerprint: Reads the active computer name; Reads the cryptographic machine GUID
- Spreading: Opens the MountPointManager (often used to detect additional infection locations)
Indicators
Not all malicious and suspicious indicators are displayed.
-
Malicious Indicators 6
-
External Systems
-
Sample was identified as malicious by at least one Antivirus engine
- details
- 2/59 Antivirus vendors marked sample as malicious (3% detection rate)
- source
- External System
- relevance
- 8/10
-
General
-
The analysis spawned a process that was identified as malicious
- details
- 2/59 Antivirus vendors marked spawned process "<Input Sample>" (PID: 564) as malicious (classified as "Trojan.DustySky" with 3% detection rate)
- source
- Monitored Target
- relevance
- 10/10
-
Installation/Persistence
-
Loads the task scheduler interface DLL
- details
- "<Input Sample>" loaded module "%WINDIR%\System32\mstask.dll" at 6F930000
- source
- Loaded Module
- relevance
- 5/10
-
Scans for the windows taskbar (often used for explorer injection)
- details
- "<Input Sample>" searching for class "Shell_TrayWnd"
- source
- API Call
- relevance
- 5/10
-
Writes data to a remote process
- details
-
"<Input Sample>" wrote 32 bytes to a remote process "C:\490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe" (Handle: 852)
"<Input Sample>" wrote 52 bytes to a remote process "C:\490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe" (Handle: 852)
"<Input Sample>" wrote 4 bytes to a remote process "C:\490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe" (Handle: 852)
- source
- API Call
- relevance
- 6/10
-
Unusual Characteristics
-
Spawns a lot of processes
- details
-
Spawned process "<Input Sample>"
Spawned process "<Input Sample>" with commandline "/i "%APPDATA%\CETIN YAZILIM\IEM RANDEVU 1.0.0\install\IEM ANDEVU.msi" APPDIR="%PROGRAMFILES%\CETIN YAZILIM\IEM RANDEVU" SHORTCUTDIR="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\IEM RANDEVU" CLIENTPROCESSID="3616" SECONDSEQUENCE="1" CHAINERUIPROCESSID="3616Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_FOUND_PREREQS=".NET Framework 4.0 Client Profile|Windows Installer 4.5 for Windows XP x86" AI_SETUPEXEPATH="C:\490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe" SETUPEXEDIR="C:\" EXE_CMD_LINE="/exenoupdates " AI_INSTALL="1" TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe"
Spawned process "cmd.exe" with commandline ""cmd /c ""%TEMP%\EXE4FFC.tmp.bat" """
Spawned process "cmd.exe" with commandline ""cmd /c ""%TEMP%\EXE5039.tmp.bat" """
Spawned process "attrib.exe" with commandline ""ATTRIB -r "\\?\%APPDATA%\CETNYA~1\EMRAND~1.0\install\EMANDE~1.MSI" ""
Spawned process "attrib.exe" with commandline ""ATTRIB -r "\\?\%APPDATA%\CETNYA~1\EMRAND~1.0\install\EMANDE~1.MSI" ""
Spawned process "attrib.exe" with commandline ""ATTRIB -r "%TEMP%\EXE5039.tmp.bat" ""
Spawned process "attrib.exe" with commandline ""ATTRIB -r "%TEMP%\EXE4FFC.tmp.bat" ""
Spawned process "cmd.exe" with commandline "/S /D /c" del "%TEMP%\EXE5039.tmp.bat" ""
Spawned process "cmd.exe" with commandline "/S /D /c" del "%TEMP%\EXE4FFC.tmp.bat" ""
Spawned process "cmd.exe" with commandline "/S /D /c" cls""
Spawned process "cmd.exe" with commandline "/S /D /c" cls""
- source
- Monitored Target
- relevance
- 8/10
-
Suspicious Indicators 22
-
Anti-Reverse Engineering
-
Looks up many procedures within the same disassembly stream (often used to hide usage)
- details
- Found 39 calls to GetProcAddress@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Environment Awareness
-
Reads the active computer name
- details
- "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source
- Registry Access
- relevance
- 5/10
-
Reads the cryptographic machine GUID
- details
- "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
-
General
-
Contains ability to find and load resources of a specific module
- details
- FindResourceW@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Opened the service control manager
- details
-
"<Input Sample>" called "OpenSCManager" requesting access rights "SC_MANAGER_LOCK" (0x8)
"<Input Sample>" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
- source
- API Call
- relevance
- 10/10
-
Requested access to a system service
- details
- "<Input Sample>" called "OpenService" to access the "Schedule" service
- source
- API Call
- relevance
- 10/10
-
Installation/Persistence
-
Drops executable files
- details
-
"aicustact.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"lzmaextractor.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"Prereq.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"MSI56B0.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"MSI5669.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"MSI556B.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"MSI565E.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"MSI56BB.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 10/10
-
Network Related
-
Found potential IP address in binary/memory
- details
- "13.8.0.0"
- source
- File/Memory
- relevance
- 3/10
-
Spyware/Information Retrieval
-
Contains ability to enumerate processes/modules/threads
- details
- CreateToolhelp32Snapshot@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 5/10
-
System Security
-
Modifies proxy settings
- details
-
"<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"<Input Sample>" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source
- Registry Access
- relevance
- 10/10
-
Unusual Characteristics
-
CRC value set in PE header does not match actual value
- details
-
"lzmaextractor.dll" claimed CRC 47468 while the actual is CRC 273968
"Prereq.dll" claimed CRC 432542 while the actual is CRC 47468
- source
- Static Parser
- relevance
- 10/10
-
Imports suspicious APIs
- details
-
RegCreateKeyExW
RegCloseKey
OpenProcessToken
RegOpenKeyExW
StartServiceW
FindNextFileA
FindResourceExW
OutputDebugStringW
IsDebuggerPresent
GetModuleFileNameA
UnhandledExceptionFilter
LoadLibraryExW
TerminateProcess
GetModuleHandleExW
CreateToolhelp32Snapshot
LoadLibraryW
GetTickCount
OpenProcess
GetStartupInfoW
DeleteFileW
GetProcAddress
GetTempFileNameW
WriteFile
FindFirstFileExA
FindNextFileW
FindFirstFileW
CreateFileW
FindResourceW
Process32NextW
LockResource
GetCommandLineW
GetCommandLineA
Process32FirstW
GetModuleHandleW
GetTempPathW
CreateProcessW
Sleep
ShellExecuteW
ShellExecuteExW
GetWindowThreadProcessId
bind (Ordinal #2)
closesocket (Ordinal #3)
WSAStartup (Ordinal #115)
socket (Ordinal #23)
GetUserNameW
GetComputerNameW
RegDeleteKeyW
SetSecurityDescriptorDacl
RegEnumKeyExW
RegDeleteValueW
GetDriveTypeW
ConnectNamedPipe
CopyFileW
GetModuleFileNameW
LoadLibraryExA
VirtualProtect
GetFileSize
CreateDirectoryW
CopyFileExW
- source
- Static Parser
- relevance
- 1/10
-
Installs hooks/patches the running process
- details
-
"<Input Sample>" wrote bytes "c4ca3c7780bb3c77aa6e3d779fbb3c7708bb3c7746ce3c7761383d77de2f3d77d0d93c770000000017790f774f910f777f6f0f77f4f70f7711f70f77f2830f77857e0f7700000000" to virtual address "0x6A7C1000" (part of module "MSIMG32.DLL")
"<Input Sample>" wrote bytes "9498ab7651c1ab76efb2b176ee9cab7675dcad769097ab761099ab7600000000013d3d7738ed3d77cfcd3c7731233c77de2f3d77c4ca3c7780bb3c77aa6e3d779fbb3c77707f3b7792bb3c7746ba3c770abf3c7700000000" to virtual address "0x70CC1000" (part of module "MSLS31.DLL")
- source
- Hook Detection
- relevance
- 10/10
-
Reads information about supported languages
- details
-
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"<Input Sample>" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALENAME")
"cmd.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"attrib.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
-
Hiding 8 Suspicious Indicators
-
Informative 18
-
Anti-Reverse Engineering
-
PE file contains zero-size sections
- details
- Raw size of ".data" is zero
- source
- Static Parser
- relevance
- 10/10
-
Environment Awareness
-
Contains ability to query machine time
- details
- GetLocalTime@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query volume size
- details
- GetDiskFreeSpaceW@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 3/10
-
Possibly tries to detect the presence of a debugger
- details
- GetProcessHeap@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Reads the registry for installed applications
- details
-
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\490D209708116861D5F6D558BDBC8DD81FD38E778EE6195BE5ABFEE604FDF6FD.EXE")
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\490D209708116861D5F6D558BDBC8DD81FD38E778EE6195BE5ABFEE604FDF6FD.EXE")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\EXE5039.TMP.BAT")
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\EXE5039.TMP.BAT")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\EXE4FFC.TMP.BAT")
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\EXE4FFC.TMP.BAT")
- source
- Registry Access
- relevance
- 10/10
-
General
-
Contains PDB pathways
- details
-
"C:\Branch\win\Release\stubs\x86\ExternalUi.pdb"
"C:\Branch\win\Release\custact\x86\AICustAct.pdb"
- source
- File/Memory
- relevance
- 1/10
-
Creates a writable file in a temporary directory
- details
-
"<Input Sample>" created file "%TEMP%\MSI556B.tmp"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_3616\printico"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_3616\background"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_3616\folderlogoicon"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_3616\installlogoicon"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_3616\prereqlogoicon"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_3616\waitlogoicon"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_3616\exclamic"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_3616\info"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_3616\tabback"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_3616\removico"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_3616\Up"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_3616\New"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_3616\whitebackground"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_3616\completi"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_3616\optionslogoicon"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_3616\repairic"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_3616\applogoicon"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_3616\custicon"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_3616\insticon"
- source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"Local\ZoneAttributeCacheCounterMutex"
"Local\ZonesLockedCacheCounterMutex"
"Local\ZonesCacheCounterMutex"
"Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\_MSIExecute"
"Global\_MSIExecute"
- source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
-
Antivirus vendors marked dropped file "aicustact.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "IEM ANDEVU.msi" as clean (type is "Composite Document File V2 Document Little Endian O%WINDIR%\Version 6.1 MSI Installer Title: Installation Database Keywords: Installer MSI Database Last Printed: Fri Dec 11 11:47:44 2009 Create Time/Date: Fri Dec 11 11:47:44 2009 Last Saved Time/Date: Fri Dec 11 11:47:44 2009 Number of Pages: 200 Security: 0 Code page: 1254 Revision Number: {73A7BC6D-4396-44B9-ACC6-CE551DF53152} Number of Words: 2 Subject: EM RANDEVU Author: CETN YAZILIM Name of Creating Application: Advanced Installer 13.8 build 77241 Template: ;1055 Comments: Randevunuz Kolay ve Hzl")
Antivirus vendors marked dropped file "lzmaextractor.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "Prereq.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "MSI56B0.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "MSI5669.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "MSI556B.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "MSI565E.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "MSI56BB.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- source
- Binary File
- relevance
- 10/10
-
Loads rich edit control libraries
- details
- "<Input Sample>" loaded module "%WINDIR%\System32\riched20.dll" at 6A5D0000
- source
- Loaded Module
-
Reads Windows Trust Settings
- details
- "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source
- Registry Access
- relevance
- 5/10
-
Runs shell commands
- details
-
""cmd /c ""%TEMP%\EXE4FFC.tmp.bat" """ on 2017-9-27.09:41:57.712
""cmd /c ""%TEMP%\EXE5039.tmp.bat" """ on 2017-9-27.09:41:57.742
"/S /D /c" del "%TEMP%\EXE5039.tmp.bat" "" on 2017-9-27.09:41:57.992
"/S /D /c" del "%TEMP%\EXE4FFC.tmp.bat" "" on 2017-9-27.09:41:58.023
"/S /D /c" cls"" on 2017-9-27.09:41:58.033
"/S /D /c" cls"" on 2017-9-27.09:41:58.013
- source
- Monitored Target
- relevance
- 5/10
-
Scanning for window names
- details
- "<Input Sample>" searching for class "Shell_TrayWnd"
- source
- API Call
- relevance
- 10/10
-
Spawns new processes
- details
-
Spawned process "<Input Sample>" with commandline "/i "%APPDATA%\CETIN YAZILIM\IEM RANDEVU 1.0.0\install\IEM ANDEVU.msi" APPDIR="%PROGRAMFILES%\CETIN YAZILIM\IEM RANDEVU" SHORTCUTDIR="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\IEM RANDEVU" CLIENTPROCESSID="3616" SECONDSEQUENCE="1" CHAINERUIPROCESSID="3616Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_FOUND_PREREQS=".NET Framework 4.0 Client Profile|Windows Installer 4.5 for Windows XP x86" AI_SETUPEXEPATH="C:\490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe" SETUPEXEDIR="C:\" EXE_CMD_LINE="/exenoupdates " AI_INSTALL="1" TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe"
Spawned process "cmd.exe" with commandline ""cmd /c ""%TEMP%\EXE4FFC.tmp.bat" """
Spawned process "cmd.exe" with commandline ""cmd /c ""%TEMP%\EXE5039.tmp.bat" """
Spawned process "attrib.exe" with commandline ""ATTRIB -r "\\?\%APPDATA%\CETNYA~1\EMRAND~1.0\install\EMANDE~1.MSI" ""
Spawned process "attrib.exe" with commandline ""ATTRIB -r "\\?\%APPDATA%\CETNYA~1\EMRAND~1.0\install\EMANDE~1.MSI" ""
Spawned process "attrib.exe" with commandline ""ATTRIB -r "%TEMP%\EXE5039.tmp.bat" ""
Spawned process "attrib.exe" with commandline ""ATTRIB -r "%TEMP%\EXE4FFC.tmp.bat" ""
Spawned process "cmd.exe" with commandline "/S /D /c" del "%TEMP%\EXE5039.tmp.bat" ""
Spawned process "cmd.exe" with commandline "/S /D /c" del "%TEMP%\EXE4FFC.tmp.bat" ""
Spawned process "cmd.exe" with commandline "/S /D /c" cls""
Spawned process "cmd.exe" with commandline "/S /D /c" cls""
- source
- Monitored Target
- relevance
- 3/10
-
Installation/Persistence
-
Dropped files
- details
-
"aicustact.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"IEM ANDEVU.msi" has type "Composite Document File V2 Document Little Endian O%WINDIR%\Version 6.1 MSI Installer Title: Installation Database Keywords: Installer MSI Database Last Printed: Fri Dec 11 11:47:44 2009 Create Time/Date: Fri Dec 11 11:47:44 2009 Last Saved Time/Date: Fri Dec 11 11:47:44 2009 Number of Pages: 200 Security: 0 Code page: 1254 Revision Number: {73A7BC6D-4396-44B9-ACC6-CE551DF53152} Number of Words: 2 Subject: EM RANDEVU Author: CETN YAZILIM Name of Creating Application: Advanced Installer 13.8 build 77241 Template: ;1055 Comments: Randevunuz Kolay ve Hzl"
"EXE5039.tmp.bat" has type "DOS batch file ASCII text with CRLF line terminators"
"EXE4FFC.tmp.bat" has type "DOS batch file ASCII text with CRLF line terminators"
"lzmaextractor.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"Prereq.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"repairic" has type "MS Windows icon resource - 3 icons 48x48"
"waitlogoicon" has type "MS Windows icon resource - 3 icons 48x48 16 colors"
"MSI56B0.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"disk1.cab" has type "Microsoft Cabinet archive data 2440672 bytes 3 files"
"background" has type "JPEG image data JFIF standard 1.02 aspect ratio density 100x100 segment length 16 baseline precision 8 600x480 frames 3"
"custicon" has type "MS Windows icon resource - 4 icons 48x48"
"prereqlogoicon" has type "MS Windows icon resource - 3 icons 48x48"
"whitebackground" has type "JPEG image data JFIF standard 1.02 aspect ratio density 100x100 segment length 16 baseline precision 8 400x300 frames 3"
"info" has type "MS Windows icon resource - 6 icons 48x48"
"exclamic" has type "MS Windows icon resource - 2 icons 48x48"
"minbackground" has type "JPEG image data JFIF standard 1.02 aspect ratio density 100x100 segment length 16 baseline precision 8 600x100 frames 3"
"optionslogoicon" has type "MS Windows icon resource - 3 icons 48x48"
"completi" has type "MS Windows icon resource - 3 icons 48x48"
"Up" has type "MS Windows icon resource - 1 icon 16x16 16 colors"
- source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"<Input Sample>" touched file "C:\Windows\system32\en-US\setupapi.dll.mui"
"<Input Sample>" touched file "C:\Windows\Globalization\Sorting\sortdefault.nls"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
"<Input Sample>" touched file "C:\Windows\Fonts\staticcache.dat"
"<Input Sample>" touched file "C:\Windows\system32\en-US\MSCTF.dll.mui"
"<Input Sample>" touched file "C:\Windows\system32\rsaenh.dll"
"<Input Sample>" touched file "C:\Windows\system32\MsiMsg.dll"
"<Input Sample>" touched file "C:\Windows\system32\en-US\MsiMsg.dll.mui"
"<Input Sample>" touched file "C:\Windows\system32\sxs.DLL"
"<Input Sample>" touched file "C:\Windows\system32\en-US\sxs.DLL.mui"
"<Input Sample>" touched file "C:\Windows\system32\ar-SA\sxs.DLL.mui"
"<Input Sample>" touched file "C:\Windows\system32\bg-BG\sxs.DLL.mui"
"<Input Sample>" touched file "C:\Windows\system32\cs-CZ\sxs.DLL.mui"
"<Input Sample>" touched file "C:\Windows\system32\da-DK\sxs.DLL.mui"
- source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://t2.symcb.com0"
Pattern match: "http://t1.symcb.com/ThawtePCA.crl0"
Pattern match: "http://tl.symcb.com/tl.crl0"
Pattern match: "https://www.thawte.com/cps0/"
Pattern match: "https://www.thawte.com/repository0W"
Pattern match: "http://tl.symcd.com0&"
Pattern match: "http://tl.symcb.com/tl.crt0"
Pattern match: "http://www.advancedinstaller.com0"
Pattern match: "https://d.symcb.com/cps0%"
Pattern match: "https://d.symcb.com/rpa0"
Pattern match: "http://s.symcd.com06"
Pattern match: "http://s.symcb.com/universal-root.crl0"
Pattern match: "https://d.symcb.com/rpa0@"
Pattern match: "http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0"
Pattern match: "http://ts-ocsp.ws.symantec.com0"
Pattern match: "http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0"
Pattern match: "http://www.yahoo.com"
Pattern match: "http://www.google.com"
Pattern match: "http://www.example.com"
Pattern match: "http://go.microsoft.com/fwlink/?LinkId=33342"
- source
- File/Memory
- relevance
- 10/10
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
-
"aicustact.dll" was detected as "Borland Delphi 3.0 (???)"
"Prereq.dll" was detected as "Borland Delphi 3.0 (???)"
- source
- Static Parser
- relevance
- 10/10
File Details
IEM_RANDEVU_KURULUM.exe
- Filename
- IEM_RANDEVU_KURULUM.exe
- Size
- 49MiB (51780814 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd
- MD5
- 0cbc627bb33b58cc398c40bd42907719
- SHA1
- ac34b1fac59da77d0556373ca2fbd00fef52d4ad
Classification (TrID)
- 93.1% (.OCX) Windows ActiveX control
- 3.6% (.EXE) Win32 Executable (generic)
- 1.6% (.EXE) Generic Win/DOS Executable
- 1.5% (.EXE) DOS Executable Generic
- 0.0% (.CEL) Autodesk FLIC Image File (extensions: flc, fli, cel)
Hybrid Analysis
Analysed 12 processes in total.
-
Input Sample
(PID: 3616)
2/59
- Input Sample /i "%APPDATA%\CETIN YAZILIM\IEM RANDEVU 1.0.0\install\IEM ANDEVU.msi" APPDIR="%PROGRAMFILES%\CETIN YAZILIM\IEM RANDEVU" SHORTCUTDIR="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\IEM RANDEVU" CLIENTPROCESSID="3616" SECONDSEQUENCE="1" CHAINERUIPROCESSID="3616Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_FOUND_PREREQS=".NET Framework 4.0 Client Profile|Windows Installer 4.5 for Windows XP x86" AI_SETUPEXEPATH="C:\490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe" SETUPEXEDIR="C:\" EXE_CMD_LINE="/exenoupdates " AI_INSTALL="1" TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe"
(PID: 564)
2/59
-
cmd.exe
"cmd /c ""%TEMP%\EXE4FFC.tmp.bat" ""
(PID: 3904)
- attrib.exe "ATTRIB -r "\\?\%APPDATA%\CETNYA~1\EMRAND~1.0\install\EMANDE~1.MSI" " (PID: 3964)
- attrib.exe "ATTRIB -r "%TEMP%\EXE4FFC.tmp.bat" " (PID: 3976)
- cmd.exe /S /D /c" del "%TEMP%\EXE4FFC.tmp.bat" " (PID: 3884)
- cmd.exe /S /D /c" cls" (PID: 3900)
-
cmd.exe
"cmd /c ""%TEMP%\EXE5039.tmp.bat" ""
(PID: 3872)
- attrib.exe "ATTRIB -r "\\?\%APPDATA%\CETNYA~1\EMRAND~1.0\install\EMANDE~1.MSI" " (PID: 3920)
- attrib.exe "ATTRIB -r "%TEMP%\EXE5039.tmp.bat" " (PID: 4016)
- cmd.exe /S /D /c" del "%TEMP%\EXE5039.tmp.bat" " (PID: 3968)
- cmd.exe /S /D /c" cls" (PID: 3956)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
Displaying 27 extracted file(s). The remaining 8 file(s) are available in the full version and XML/JSON reports.
-
Clean 9
-
IEM ANDEVU.msi
- Size
- 1.3MiB (1333248 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Title: Installation Database, Keywords: Installer, MSI, Database, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Number of Pages: 200, Security: 0, Code page: 1254, Revision Number: {73A7BC6D-4396-44B9-ACC6-CE551DF53152}, Number of Words: 2, Subject: EM RANDEVU, Author: CETN YAZILIM, Name of Creating Application: Advanced Installer 13.8 build 77241, Template: ;1055, Comments: Randevunuz Kolay ve Hzl
- AV Scan Result
- 0/58
- Runtime Process
- attrib.exe (PID: 3964)
- MD5
- 6ea526b62ec015b64a77d7ee1b5e6694
- SHA1
- 5dcc9bab5db7669701976c98ce1fd5e4e06576fd
- SHA256
- 1021500483f4207b27fdaa137a8f276008192fc848fd7b3baabf363d6106596b
-
Prereq.dll
- Size
- 363KiB (371872 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/61
- Runtime Process
- 490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe (PID: 3616)
- MD5
- 9d4205d84a7e6c7b307fac9ba39b9495
- SHA1
- 610c4c95385fe22c2e3df333765806850cf50fb9
- SHA256
- 301a4eee2262018fea659315352756cd6661759547c358918dbc189147e78a1a
-
aicustact.dll
- Size
- 206KiB (211096 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/61
- Runtime Process
- 490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe (PID: 3616)
- MD5
- 16c4efd01bf58273fd64528d9265d817
- SHA1
- a8885ba2ac953c9616ba13ed083d9a01e1141993
- SHA256
- 562eb399c053186cf7a25fc2a8b97712f47bd9cde7ba0121805764af14d7df3c
-
lzmaextractor.dll
- Size
- 13KiB (12960 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/60
- Runtime Process
- 490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe (PID: 3616)
- MD5
- c98935b8c4b7c9040421b75fca5f9829
- SHA1
- 055d324a72b952ad6991dcd0b7abe50b9f06c2a5
- SHA256
- 8a839f09f330e16cb8c186cef5a741ee64463cbc224c553ce7ef96cd0654f3fc
-
MSI556B.tmp
- Size
- 206KiB (211096 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/61
- Runtime Process
- 490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe (PID: 3616)
- MD5
- 16c4efd01bf58273fd64528d9265d817
- SHA1
- a8885ba2ac953c9616ba13ed083d9a01e1141993
- SHA256
- 562eb399c053186cf7a25fc2a8b97712f47bd9cde7ba0121805764af14d7df3c
-
MSI565E.tmp
- Size
- 206KiB (211096 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/61
- Runtime Process
- 490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe (PID: 3616)
- MD5
- 16c4efd01bf58273fd64528d9265d817
- SHA1
- a8885ba2ac953c9616ba13ed083d9a01e1141993
- SHA256
- 562eb399c053186cf7a25fc2a8b97712f47bd9cde7ba0121805764af14d7df3c
-
MSI5669.tmp
- Size
- 206KiB (211096 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/61
- Runtime Process
- 490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe (PID: 3616)
- MD5
- 16c4efd01bf58273fd64528d9265d817
- SHA1
- a8885ba2ac953c9616ba13ed083d9a01e1141993
- SHA256
- 562eb399c053186cf7a25fc2a8b97712f47bd9cde7ba0121805764af14d7df3c
-
MSI56B0.tmp
- Size
- 363KiB (371872 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/61
- Runtime Process
- 490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe (PID: 3616)
- MD5
- 9d4205d84a7e6c7b307fac9ba39b9495
- SHA1
- 610c4c95385fe22c2e3df333765806850cf50fb9
- SHA256
- 301a4eee2262018fea659315352756cd6661759547c358918dbc189147e78a1a
-
MSI56BB.tmp
- Size: 206KiB (211096 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/61
- Runtime Process: 490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe (PID: 3616)
- MD5: 16c4efd01bf58273fd64528d9265d817
- SHA1: a8885ba2ac953c9616ba13ed083d9a01e1141993
- SHA256: 562eb399c053186cf7a25fc2a8b97712f47bd9cde7ba0121805764af14d7df3c

Informative Selection 3

Up
- Size: 318B (318 bytes)
- Type: unknown
- Description: MS Windows icon resource - 1 icon, 16x16, 16 colors
- Runtime Process: 490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe (PID: 3616)
- MD5: 83730ac00391fb0f02f56fe2e4207a10
- SHA1: 139fed8f0216132450e66bda0fbbdc2a5bd333af
- SHA256: 573e3260eed63604f24f6f10ce5294e25e22fda9e5bfd9010134de6e684bab98

EXE4FFC.tmp.bat
- Size: 425B (425 bytes)
- Type: text
- Description: DOS batch file, ASCII text, with CRLF line terminators
- Runtime Process: 490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe (PID: 3616)
- MD5: 294f2475928495fe6463745a510b1b00
- SHA1: 8e75f2a18194ee2563bbd8ed3d656ba07a8ed10d
- SHA256: 8c7999a9309018d07302983f03c5a874563317d2d9202444ee404ef580f5b940

EXE5039.tmp.bat
- Size: 425B (425 bytes)
- Type: text
- Description: DOS batch file, ASCII text, with CRLF line terminators
- Runtime Process: cmd.exe (PID: 3968)
- MD5: 215b5008490fdb839c25bdaecf498365
- SHA1: 8180afddc9a6ed3ce72190e7108089f4d6c81878
- SHA256: 9cd1645bd23cedc9b1ec8e26075b49441b41ecdda0de93e573582614a23e6271

Informative 15

disk1.cab
- Size: 2.3MiB (2440672 bytes)
- Type: data
- Description: Microsoft Cabinet archive data, 2440672 bytes, 3 files
- Runtime Process: 490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe (PID: 3616)
- MD5: 6ff9655406246e920467e3a89f4f7609
- SHA1: dfdb607befa82e0d2e63caeba40772cbba19ef41
- SHA256: da973764095c8d205f9a9c8e5f198c4fabc0c7a7be750ba8b6ca544bc928b0f5

New
- Size: 318B (318 bytes)
- Runtime Process: 490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe (PID: 3616)
- MD5: c23cbf002d82192481b61ed7ec0890f4
- SHA1: dd373901c73760ca36907ff04691f5504ff00abe
- SHA256: 4f92e804a11453382ebff7fb0958879bae88fe3366306911dec9d811cd306eed

applogoicon
- Size: 67KiB (68790 bytes)
- Runtime Process: 490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe (PID: 3616)
- MD5: f99659a4e27d88a6482891f7e9a6f7c0
- SHA1: f7e1eb0bddc5c7c4bc41eafaea98b6b215280ba8
- SHA256: 34e0d23ec2d955f9e64118b71f067fcfd45730cca14b57e0c66fdc1a326d6245

background
- Size: 14KiB (14090 bytes)
- Type: img image
- Description: JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 600x480, frames 3
- Runtime Process: 490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe (PID: 3616)
- MD5: 536c141d33166050c1070d246b84ec6d
- SHA1: f2cd64d3c6e34d989bb66d388436c87e42d31636
- SHA256: 7ca4c29985838d1be2649c9f5456d54f233828176ef7af8562789018279a95ca

cmdlinkarrow
- Size: 2.8KiB (2862 bytes)
- Runtime Process: 490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe (PID: 3616)
- MD5: 983358ce03817f1ca404befbe1e4d96a
- SHA1: 75ce6ce80606bbb052dd35351ed95435892baf8d
- SHA256: 7f0121322785c107bfdfe343e49f06c604c719baff849d07b6e099675d173961

completi
- Size: 14KiB (14574 bytes)
- Type: unknown
- Description: MS Windows icon resource - 3 icons, 48x48
- Runtime Process: 490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe (PID: 3616)
- MD5: 86a2409fde30090be1b843bd5a9cf222
- SHA1: d5986a0fe4dfa2a8fa49ced2d35918267d74b9a2
- SHA256: 999a589bf9023a9ac9ae6b99ccdd2e8375b1452cca7b77cb7c00eea2e032bf40

custicon
- Size: 18KiB (18854 bytes)
- Type: unknown
- Description: MS Windows icon resource - 4 icons, 48x48
- Runtime Process: 490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe (PID: 3616)
- MD5: ad01671efdb909885dba41fe0000e7a8
- SHA1: a47f789bf4c819b5dedc91cb6f78b590dc7c3388
- SHA256: f878250fbd9b41935a1f53cc475bafcf8074f45de528ebdeafb424c5f491a1a5

exclamic
- Size: 13KiB (13430 bytes)
- Type: unknown
- Description: MS Windows icon resource - 2 icons, 48x48
- Runtime Process: 490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe (PID: 3616)
- MD5: 93d722fa20a988a5c257a58bf155dc66
- SHA1: 30c0d19f02cb39f8804dafe6af483a09c76e2338
- SHA256: f587867eed0bec33ef150f3a8525bde9b6746c705543874e56653aa80ea53225

exitbackground
- Size: 10KiB (10472 bytes)
- Runtime Process: 490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe (PID: 3616)
- MD5: d686a75e0501e2da6a245d7472368147
- SHA1: 18c7c83e76550549b6700a04ce2daf6f37eaaf91
- SHA256: b725b36b0ac4865b464e6dc2592663c54309f1b9b2ddab3c7f271e873214e4d9

folderlogoicon
- Size: 14KiB (14574 bytes)
- Runtime Process: 490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe (PID: 3616)
- MD5: 17780b507a253c687f744fd9b2627864
- SHA1: 9cd8b0b9847cae223d9e2433572e10c1eb38244b
- SHA256: 451331950ff77fc77e7e58c8f1ac8a099268c75a872dfae3b7b475f33f9a5e70

info
- Size: 22KiB (22486 bytes)
- Type: unknown
- Description: MS Windows icon resource - 6 icons, 48x48
- Runtime Process: 490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe (PID: 3616)
- MD5: fd535e63f539eacb3f11d03b52b39a80
- SHA1: a7f8c942e5672f2972c82210a38cc8861435f643
- SHA256: 0086bc01150989f553a0a4ae0e14926c6e247cedda312e1f946ae35d575742ab

installlogoicon
- Size: 13KiB (13430 bytes)
- Runtime Process: 490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe (PID: 3616)
- MD5: 2d030bb775a8d74cc5d39910601fa7d6
- SHA1: ce30f7e4f5913a85bc363331f883e5f6f5bf7dad
- SHA256: fa387d12aef97734a3b8a079b462447fb977abeef5987d5ee5b4217f1057cc2d

insticon
- Size: 13KiB (13430 bytes)
- Runtime Process: 490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe (PID: 3616)
- MD5: ca3157bfe3ca87f93fa28a2770a31065
- SHA1: d4dabe5945a1b378c3dbb8a19d6781ab0152eaad
- SHA256: 6eb09814ad8c1f41ea70ed9f924171199a433574930a7d56e04dea9f6a46d780

minbackground
- Size: 7.3KiB (7485 bytes)
- Type: img image
- Description: JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 600x100, frames 3
- Runtime Process: 490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe (PID: 3616)
- MD5: 5935862462060502220b20d468f798c9
- SHA1: 0f6d634229a85e092cf66ac129954fdb1ecdfe22
- SHA256: 31c70aa6501fb992464687dcc88620e9554ba1ebd3d99622ba0075d4ef0f73ca

optionslogoicon
- Size: 14KiB (14574 bytes)
- Type: unknown
- Description: MS Windows icon resource - 3 icons, 48x48
- Runtime Process: 490d209708116861d5f6d558bdbc8dd81fd38e778ee6195be5abfee604fdf6fd.exe (PID: 3616)
- MD5: 373eff7c71d2499b52d742200f53d5a0
- SHA1: 4b172d3f45156fd1b51ccd0a282d9020e74be47d
- SHA256: 82e35d8d4a476052b677f6faa1ff7c6770a62cc2289783dfc1e7d794466c08f9

Notifications

Runtime
- Added comment to Virus Total report
- Although all strings were processed, some are hidden from the report in order to reduce the overall size
- No static analysis parsing on sample was performed
- Not all IP/URL string resources were checked online
- Not all sources for signature ID "api-4" are available in the report
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "binary-0" are available in the report
- Not all sources for signature ID "mutant-0" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)