setup1122.exe
This report is generated from a file or URL submitted to this webservice on April 30th 2019 13:04:59 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Spyware
  - Found a string that may be used as part of an injection method
- Persistence
  - Writes data to a remote process
- Fingerprint
  - Queries kernel debugger information
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Evasive
  - Marks file for deletion
  - Possibly tries to implement anti-virtualization techniques
- Spreading
  - Opens the MountPointManager (often used to detect additional infection locations)
  - Tries to access unusual system drive letters
MITRE ATT&CK™ Techniques Detection
Additional Context
Related Sandbox Artifacts
- Associated URLs
- hxxps://www.e-sword.net/files/setup1122.exe
Indicators
Not all malicious and suspicious indicators are displayed.
-
Malicious Indicators 4
-
Installation/Persistence
-
Writes data to a remote process
- details
-
"rundll32.exe" wrote 32 bytes to a remote process "%PROGRAMFILES%\Internet Explorer\iexplore.exe" (Handle: 436)
"rundll32.exe" wrote 52 bytes to a remote process "%PROGRAMFILES%\Internet Explorer\iexplore.exe" (Handle: 436)
"rundll32.exe" wrote 4 bytes to a remote process "%PROGRAMFILES%\Internet Explorer\iexplore.exe" (Handle: 436)
"rundll32.exe" wrote 8 bytes to a remote process "%PROGRAMFILES%\Internet Explorer\iexplore.exe" (Handle: 436)
"iexplore.exe" wrote 32 bytes to a remote process "%PROGRAMFILES%\(x86)\Internet Explorer\iexplore.exe" (Handle: 900)
"iexplore.exe" wrote 52 bytes to a remote process "%PROGRAMFILES%\(x86)\Internet Explorer\iexplore.exe" (Handle: 900)
"iexplore.exe" wrote 8 bytes to a remote process "%PROGRAMFILES%\(x86)\Internet Explorer\iexplore.exe" (Handle: 900)
"iexplore.exe" wrote 4 bytes to a remote process "%PROGRAMFILES%\(x86)\Internet Explorer\iexplore.exe" (Handle: 900)
- source
- API Call
- relevance
- 6/10
- ATT&CK ID
- T1055
- note
- The process list for this run contains a single rundll32.exe (PID 2340, started with "url.dll,FileProtocolHandler https://www.e-sword.net/support.html") and two iexplore.exe instances (PID 1208 with that URL, PID 1140 with "SCODEF:1208 CREDAT:275457 /prefetch:2"); none of these writes is attributed to setup1122.exe (PID 2124). The same 32/52/4/8-byte sequence from both writers, into the browser they started, is consistent with the support-page launch and the IE frame-to-tab hand-off rather than with the installer injecting code, so treat T1055 here as low confidence.
-
Unusual Characteristics
-
Checks for a resource fork (ADS) file
- details
- "rundll32.exe" checked file "C:"
- source
- API Call
- relevance
- 5/10
-
Contains ability to reboot/shutdown the operating system
- details
- ExitWindowsEx@USER32.DLL from setup1122.exe (PID: 2124)
- source
- Hybrid Analysis Technology
- relevance
- 5/10
-
Tries to access unusual system drive letters
- details
-
"setup1122.exe" touched "K:"
"setup1122.exe" touched "L:"
"setup1122.exe" touched "M:"
"setup1122.exe" touched "N:"
"setup1122.exe" touched "O:"
"setup1122.exe" touched "P:"
"setup1122.exe" touched "Q:"
"setup1122.exe" touched "R:"
"setup1122.exe" touched "S:"
"setup1122.exe" touched "T:"
"setup1122.exe" touched "U:"
"setup1122.exe" touched "V:"
"setup1122.exe" touched "W:"
- source
- API Call
- relevance
- 9/10
- ATT&CK ID
- T1083
-
Suspicious Indicators 23
-
Anti-Detection/Stealthiness
-
Queries kernel debugger information
- details
- "setup1122.exe" at 00101322-00002124-00000033-21100526111
- source
- API Call
- relevance
- 6/10
-
Environment Awareness
-
Possibly tries to implement anti-virtualization techniques
- details
- "trA:8y_DchJ%~wgNq(PC"s+qEMU(/}Ank-viX}=_VNiW_ )>?jE_n_IU^3($6MNiR83OFaEyVdMP6J9iRmV=g&nL]L0~jfW&[3Q^" (Indicator: "qemu")
- source
- File/Memory
- relevance
- 4/10
- note
- The hit is the case-insensitive substring "qEMU" inside what is otherwise a high-entropy blob, not a readable string such as a vendor or device name; that is why the sandbox rates it "possibly" and 4/10.
-
Reads the cryptographic machine GUID
- details
- "setup1122.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012
-
General
-
Contains ability to find and load resources of a specific module
- details
- LoadResource@KERNEL32.DLL from setup1122.exe (PID: 2124) (2 occurrences)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Reads configuration files
- details
-
"setup1122.exe" read file "%TEMP%\{2A41EF3E-2130-4251-96C9-DFB35F66B16D}\Setup.INI"
"setup1122.exe" read file "%TEMP%\{2A41EF3E-2130-4251-96C9-DFB35F66B16D}\_ISMSIDEL.INI"
"setup1122.exe" read file "%TEMP%\{2A41EF3E-2130-4251-96C9-DFB35F66B16D}\0x0409.ini"
- source
- API Call
- relevance
- 4/10
-
Installation/Persistence
-
Drops executable files
- details
-
"ISExternalUI.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"MSI54B8.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 10/10
-
Network Related
-
Found potential IP address in binary/memory
- details
-
"4.05.0.0"
"2.9.0.0"
Heuristic match: "ScriptVer=1.0.0.1"
- source
- File/Memory
- relevance
- 3/10
- note
- All three have the four-part shape of version numbers rather than addresses; the Memory Forensics table further down lists 2.0.0.0, 2.9.0.0 and 3.0.0.0 under the same "Domain/IP reference" heuristic, and the Network Analysis section records no DNS requests and no contacted hosts.
-
System Destruction
-
Marks file for deletion
- details
-
"C:\setup1122.exe" marked "%TEMP%\_MSI5166._IS" for deletion
"C:\setup1122.exe" marked "%TEMP%\~311D.tmp" for deletion
"C:\setup1122.exe" marked "%TEMP%\~313D.tmp" for deletion
"C:\setup1122.exe" marked "%TEMP%\~4A35.tmp" for deletion
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1107
-
Opens file with deletion access rights
- details
-
"setup1122.exe" opened "%TEMP%\_MSI5166._IS" with delete access
"setup1122.exe" opened "%TEMP%\~311D.tmp" with delete access
"setup1122.exe" opened "%TEMP%\~313D.tmp" with delete access
"setup1122.exe" opened "%TEMP%\~4A35.tmp" with delete access
- source
- API Call
- relevance
- 7/10
-
Unusual Characteristics
-
CRC value set in PE header does not match actual value
- details
- "MSI54B8.tmp" claimed CRC 157984 while the actual is CRC 346073
- source
- Static Parser
- relevance
- 10/10
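What the sandbox labels a "CRC" is the CheckSum field of the PE optional header: a ones'-complement sum of the image's 32-bit words, folded to 16 bits, plus the file length. Any build can regenerate it, and the Windows loader enforces it only for kernel drivers and a handful of boot-time images, so a mismatch on a user-mode DLL is common in legitimate software and is not a tamper-evidence control. The stored value reported for MSI54B8.tmp, 157984, minus the 142216-byte file size leaves 15768, which fits the 16-bit folded sum the algorithm produces; the report does not say how its "actual" figure was derived. The Python below is an added example, not sandbox or vendor code: it recomputes the field with the standard algorithm (the one imagehlp's CheckSumMappedFile implements) on a constructed, non-loadable PE header, so the number can be re-checked offline on any dropped file instead of taken from the report.

```python
import struct


def _checksum_offset(image: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum:
    e_lfanew + 4 (PE signature) + 20 (IMAGE_FILE_HEADER) + 64."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20 + 64


def stored_checksum(image: bytes) -> int:
    """CheckSum value as written in the header."""
    return struct.unpack_from("<I", image, _checksum_offset(image))[0]


def pe_checksum(image: bytes) -> int:
    """Recompute CheckSum the way imagehlp's CheckSumMappedFile does:
    add every 32-bit word with end-around carry (the CheckSum field itself
    counted as zero), fold the result to 16 bits, then add the file length."""
    buf = bytearray(image)
    off = _checksum_offset(image)
    buf[off:off + 4] = b"\0\0\0\0"          # the field is excluded from its own sum
    buf += b"\0" * (-len(buf) % 4)         # pad the tail to a whole dword
    total = 0
    for (dword,) in struct.iter_unpack("<I", buf):
        total += dword
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return (total + len(image)) & 0xFFFFFFFF


def checksum_matches(image: bytes) -> bool:
    """True when the header value equals the recomputed value."""
    return stored_checksum(image) == pe_checksum(image)


def build_minimal_pe(checksum: int = 0,
                     payload: bytes = b"constructed sample bytes") -> bytes:
    """Constructed test image (assumption: DOS stub + headers only, zero
    sections, not loadable). Enough for the checksum arithmetic to run."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                               # e_lfanew
    # Machine=i386, NumberOfSections=0, SizeOfOptionalHeader=224, DLL|EXECUTABLE|32BIT
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                               # PE32 magic
    struct.pack_into("<I", opt, 28, 0x10000000)                         # ImageBase
    struct.pack_into("<I", opt, 64, checksum)                           # CheckSum
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + payload


if __name__ == "__main__":
    draft = build_minimal_pe()
    good = build_minimal_pe(checksum=pe_checksum(draft))
    print("stored", stored_checksum(good), "recomputed", pe_checksum(good),
          "match" if checksum_matches(good) else "MISMATCH")
```

To check a real dropped file, read it with `open(path, "rb").read()` and compare `stored_checksum` with `pe_checksum`; a zero stored value simply means the linker was not asked to emit one.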
-
Imports suspicious APIs
- details
-
RegCloseKey
RegOpenKeyW
GetFileAttributesW
GetThreadContext
GetTempPathW
WriteProcessMemory
OutputDebugStringW
GetModuleFileNameW
GetModuleFileNameA
TerminateProcess
LoadLibraryW
GetTickCount
VirtualProtect
GetVersionExA
LoadLibraryA
GetStartupInfoA
GetFileSize
DeleteFileW
GetProcAddress
VirtualProtectEx
GetTempFileNameW
WriteFile
FindFirstFileW
CreateFileW
LockResource
GetCommandLineA
GetModuleHandleA
GetModuleHandleW
FindResourceW
CreateProcessW
Sleep
VirtualAlloc
IsDebuggerPresent
UnhandledExceptionFilter
CreateToolhelp32Snapshot
OpenProcess
CreateFileA
Process32NextW
Process32FirstW
ShellExecuteW
ShellExecuteExW
- source
- Static Parser
- relevance
- 1/10
-
Installs hooks/patches the running process
- details
-
"setup1122.exe" wrote bytes "c0df54771cf95377ccf853770d64557700000000c011717500000000fc3e717500000000e0137175000000009457a47525e05477c6e0547700000000bc6aa37500000000cf317175000000009319a475000000002c32717500000000" to virtual address "0x75E31000" (part of module "NSI.DLL")
"setup1122.exe" wrote bytes "b436de74" to virtual address "0x74DF025C" (part of module "SSPICLI.DLL")
"setup1122.exe" wrote bytes "d83ade74" to virtual address "0x74DF01FC" (part of module "SSPICLI.DLL")
"setup1122.exe" wrote bytes "000000000000000000000000020002004c0100803000008030010080480000800a0000006000008010000000780000800000000000000000000000000000010001000000900000800000000000000000000000000000010001000000a8000080" to virtual address "0x73E51000" (part of module "MSIMSG.DLL")
"setup1122.exe" wrote bytes "b84013ab74ffe0" to virtual address "0x74DE3AD8" (part of module "SSPICLI.DLL")
"setup1122.exe" wrote bytes "d83a0200" to virtual address "0x74DE4E38" (part of module "SSPICLI.DLL")
"setup1122.exe" wrote bytes "d83a0200" to virtual address "0x74DE4D78" (part of module "SSPICLI.DLL")
"setup1122.exe" wrote bytes "d83ade74" to virtual address "0x74DF0258" (part of module "SSPICLI.DLL")
"setup1122.exe" wrote bytes "b436de74" to virtual address "0x74DF0278" (part of module "SSPICLI.DLL")
"setup1122.exe" wrote bytes "b8c015ab74ffe0" to virtual address "0x74DE36B4" (part of module "SSPICLI.DLL")
"setup1122.exe" wrote bytes "71114b027a3b4a02ab8b02007f950200fc8c0200729602006cc805001ecd47027d264702" to virtual address "0x750F07E4" (part of module "USER32.DLL")
"setup1122.exe" wrote bytes "d83ade74" to virtual address "0x74DF0274" (part of module "SSPICLI.DLL")
"setup1122.exe" wrote bytes "6012ab74" to virtual address "0x760AE324" (part of module "WININET.DLL")
"setup1122.exe" wrote bytes "b4360200" to virtual address "0x74DE4D68" (part of module "SSPICLI.DLL")
"setup1122.exe" wrote bytes "b83012ab74ffe0" to virtual address "0x753E1368" (part of module "WS2_32.DLL")
"setup1122.exe" wrote bytes "b4360200" to virtual address "0x74DE4EA4" (part of module "SSPICLI.DLL")
"setup1122.exe" wrote bytes "b436de74" to virtual address "0x74DF01E4" (part of module "SSPICLI.DLL")
"setup1122.exe" wrote bytes "68130000" to virtual address "0x753E1680" (part of module "WS2_32.DLL")
"setup1122.exe" wrote bytes "d83ade74" to virtual address "0x74DF01E0" (part of module "SSPICLI.DLL")
"setup1122.exe" wrote bytes "b436de74" to virtual address "0x74DF0200" (part of module "SSPICLI.DLL")
- source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
- note
- The three 7-byte writes ("b84013ab74ffe0", "b8c015ab74ffe0", "b83012ab74ffe0") decode to mov eax, imm32 ; jmp eax with targets 0x74AB1340, 0x74AB15C0 and 0x74AB1230: the absolute-jump stub an inline hook places over a function prologue. They land at 0x74DE3AD8 and 0x74DE36B4 in SSPICLI.DLL and at 0x753E1368 in WS2_32.DLL. The 4-byte values "d83ade74" and "b436de74" are those two SSPICLI addresses in little-endian, and "d83a0200"/"b4360200" (0x23AD8, 0x236B4) are their offsets from 0x74DC0000, so the pointer slots are being pointed at the patched functions; "68130000" (0x1368) relates to the WS2_32 patch the same way. All three jump targets sit in one region around 0x74AB0000 that the report does not name, so the owner of the hooks cannot be identified from this page alone.
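The bytes in that indicator can be decoded mechanically instead of by eye. The Python below is an added example, not Hybrid Analysis code: it parses eight of the report's own write records (embedded verbatim), recognises the mov eax, imm32 ; jmp eax stub, and cross-references every 4-byte write against the addresses that received a stub, either as an absolute little-endian pointer, as an offset from a 64 KiB-aligned candidate module base (that base inference is an assumption; the report lists no module bases), or as a pointer into the same 64 KiB region as the jump targets.

```python
import re
from dataclasses import dataclass

# Eight of the twenty write records copied from the indicator above (sandbox format).
HOOK_LOG = '''
"setup1122.exe" wrote bytes "b436de74" to virtual address "0x74DF025C" (part of module "SSPICLI.DLL")
"setup1122.exe" wrote bytes "d83ade74" to virtual address "0x74DF01FC" (part of module "SSPICLI.DLL")
"setup1122.exe" wrote bytes "b84013ab74ffe0" to virtual address "0x74DE3AD8" (part of module "SSPICLI.DLL")
"setup1122.exe" wrote bytes "d83a0200" to virtual address "0x74DE4E38" (part of module "SSPICLI.DLL")
"setup1122.exe" wrote bytes "b8c015ab74ffe0" to virtual address "0x74DE36B4" (part of module "SSPICLI.DLL")
"setup1122.exe" wrote bytes "6012ab74" to virtual address "0x760AE324" (part of module "WININET.DLL")
"setup1122.exe" wrote bytes "b83012ab74ffe0" to virtual address "0x753E1368" (part of module "WS2_32.DLL")
"setup1122.exe" wrote bytes "68130000" to virtual address "0x753E1680" (part of module "WS2_32.DLL")
'''

LINE_RE = re.compile(
    r'wrote bytes "([0-9a-fA-F]+)" to virtual address "0x([0-9a-fA-F]+)" '
    r'\(part of module "([^"]+)"\)')


@dataclass(frozen=True)
class Write:
    module: str
    address: int
    data: bytes


def parse_writes(log: str) -> list:
    """One Write per record; hex payload decoded to bytes, address to int."""
    return [Write(m.group(3), int(m.group(2), 16), bytes.fromhex(m.group(1)))
            for m in LINE_RE.finditer(log)]


def trampoline_target(data: bytes):
    """Target of `B8 imm32 FF E0` (mov eax, imm32 ; jmp eax), the 7-byte
    absolute jump an inline hook writes over a prologue; None otherwise."""
    if len(data) == 7 and data[0] == 0xB8 and data[5:] == b"\xff\xe0":
        return int.from_bytes(data[1:5], "little")
    return None


def classify(writes):
    """Label each write by (module, address): inline hook, absolute pointer to a
    hooked function, module-relative offset of a hooked function, pointer into
    the hook-target region, or an unexplained dword/blob."""
    hooked = {w.address for w in writes if trampoline_target(w.data) is not None}
    target_regions = {trampoline_target(w.data) & ~0xFFFF
                      for w in writes if trampoline_target(w.data) is not None}
    out = {}
    for w in writes:
        key = (w.module, w.address)
        tgt = trampoline_target(w.data)
        if tgt is not None:
            out[key] = ("inline hook", tgt)
            continue
        if len(w.data) != 4:
            out[key] = ("blob", len(w.data))
            continue
        val = int.from_bytes(w.data, "little")
        if val in hooked:
            out[key] = ("pointer to hooked function", val)
            continue
        # Assumption: treat val as an RVA when exactly one hooked address minus
        # val is a 64 KiB-aligned base that also contains the slot being written.
        rva_hits = [h for h in hooked
                    if h > val and (h - val) % 0x10000 == 0
                    and 0 <= w.address - (h - val) < 0x1000000]
        if len(rva_hits) == 1:
            out[key] = ("RVA of hooked function", rva_hits[0])
        elif (val & ~0xFFFF) in target_regions:
            out[key] = ("pointer into hook-target region", val)
        else:
            out[key] = ("dword", val)
    return out


if __name__ == "__main__":
    for (mod, addr), (kind, val) in classify(parse_writes(HOOK_LOG)).items():
        print(f"{mod:12} {addr:#010x}  {kind:32} {val:#x}")
```

Feeding all twenty records in gives the same picture: three prologue patches, pointer and offset slots that all resolve to those three functions, and one WININET pointer into the unnamed 0x74AB0000 region where the jump targets live.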
-
Reads information about supported languages
- details
- "setup1122.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
CRC value set in PE header does not match actual value
-
Hiding 10 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version
-
Informative 28
-
Anti-Reverse Engineering
-
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
-
SetUnhandledExceptionFilter@KERNEL32.DLL from setup1122.exe (PID: 2124) (2 occurrences)
SetUnhandledExceptionFilter@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Found strings in conjunction with a procedure lookup that resolve to a known API export symbol
- details
-
Found reference to API CorExitProcess@CLR.DLL from setup1122.exe (PID: 2124)
Found reference to API GetDiskFreeSpaceExW@KERNEL32.DLL from setup1122.exe (PID: 2124)
Found reference to API IsWow64Process@KERNEL32.DLL from setup1122.exe (PID: 2124)
Found reference to API GetNativeSystemInfo@KERNEL32.DLL from setup1122.exe (PID: 2124)
Found reference to API GetSystemDefaultUILanguage@KERNEL32.DLL from setup1122.exe (PID: 2124)
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Environment Awareness
-
Contains ability to query machine time
- details
-
GetSystemTimeAsFileTime@KERNEL32.DLL from setup1122.exe (PID: 2124) (2 occurrences)
GetLocalTime@KERNEL32.DLL from setup1122.exe (PID: 2124)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
- ATT&CK ID
- T1124
-
Contains ability to query the machine version
- details
-
GetVersion@KERNEL32.DLL from setup1122.exe (PID: 2124) (3 occurrences)
GetVersionExW@KERNEL32.DLL from setup1122.exe (PID: 2124) (4 occurrences)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query volume size
- details
- GetDiskFreeSpaceW@KERNEL32.DLL from setup1122.exe (PID: 2124)
- source
- Hybrid Analysis Technology
- relevance
- 3/10
- ATT&CK ID
- T1083
-
Makes a code branch decision directly after an API that is environment aware
- details
-
Found API call GetVersion@KERNEL32.DLL directly followed by "cmp ecx, eax" and "ret" from setup1122.exe (PID: 2124) (2 occurrences)
Found API call GetVersionExW@KERNEL32.DLL directly followed by "cmp word ptr [ebp+00000114h], 0001h" and "jnc 00425635h" from setup1122.exe (PID: 2124)
Found API call GetVersionExW@KERNEL32.DLL directly followed by "cmp dword ptr [ebp+04h], 05h" and "jne 004283B4h" from setup1122.exe (PID: 2124)
- source
- Hybrid Analysis Technology
- relevance
- 10/10
- note
- The compared offsets match an OSVERSIONINFOEXW held at ebp: +04h is dwMajorVersion (compared with 5, the Windows XP / Server 2003 family) and +114h is wServicePackMajor (compared with 1). That is the shape of an installer's minimum-OS and service-pack gate, not of a sandbox check.
-
Queries volume information
- details
-
"setup1122.exe" queries volume information of "C:\" at 00101322-00002124-00000046-25701536377
"setup1122.exe" queries volume information of "C:\" at 00101322-00002124-00000046-27530190315
- source
- API Call
- relevance
- 2/10
- ATT&CK ID
- T1120
-
Queries volume information of an entire harddrive
- details
-
"setup1122.exe" queries volume information of "C:\" at 00101322-00002124-00000046-25701536377
"setup1122.exe" queries volume information of "C:\" at 00101322-00002124-00000046-27530190315
- source
- API Call
- relevance
- 8/10
- ATT&CK ID
- T1120
-
Reads the registry for installed applications
- details
-
"rundll32.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\IEXPLORE.EXE")
"rundll32.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\IEXPLORE.EXE")
"rundll32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\IEXPLORE.EXE"; Key: "PATH"; Value: "00000000010000004800000043003A005C00500072006F006700720061006D002000460069006C00650073005C0049006E007400650072006E006500740020004500780070006C006F007200650072003B000000")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012
- note
- The hex PATH value is a 12-byte prefix (0, 1, 0x48 = 72-byte length) followed by UTF-16LE "C:\Program Files\Internet Explorer;": rundll32.exe is resolving the App Paths entry for iexplore.exe before launching it, which is also where the PATH variable noted under "Process launched with changed environment" comes from.
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
- 0/71 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
General
-
Contains PDB pathways
- details
-
"C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup___Win32_Release_Unicode\setup.pdb"
"msoobci.pdb" (found inside a memory string of MSOOBCI/setupapi error-message text that also names the component GUID {F5776D81-AE53-4935-8E84-B0B283D8BCEF}; the surrounding text is omitted here)
"E:\script51\obj\l5x86\bbtopt\scrrun.pdb" (found at the end of a memory string of binary noise; omitted here)
"E:\script55\obj\l6x86.32\bbtopt\vbscript.pdb" (found at the start of a memory string of Windows Installer error-message text; omitted here)
- source
- File/Memory
- relevance
- 1/10
- note
- The setup.pdb path lies under an InstallShield development tree (isdev), in line with the TrID classification of the file as an InstallShield setup; scrrun.pdb and vbscript.pdb are the symbol files of Microsoft's Scripting Runtime and VBScript engine.
-
Creates a writable file in a temporary directory
- details
-
"setup1122.exe" created file "%TEMP%\_MSI5166._IS"
"setup1122.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{2A41EF3E-2130-4251-96C9-DFB35F66B16D}\Setup.INI"
"setup1122.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{2A41EF3E-2130-4251-96C9-DFB35F66B16D}\_ISMSIDEL.INI"
"setup1122.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{2A41EF3E-2130-4251-96C9-DFB35F66B16D}\0x0409.ini"
"setup1122.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\~311D.tmp"
"setup1122.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\~313D.tmp"
"setup1122.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{2A41EF3E-2130-4251-96C9-DFB35F66B16D}\e-Sword.msi"
"setup1122.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\~4A35.tmp"
"setup1122.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{2A41EF3E-2130-4251-96C9-DFB35F66B16D}\ISExternalUI.dll"
"setup1122.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_bb513B.tmp"
"setup1122.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_bb513C.tmp"
"setup1122.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_bb513D.tmp"
"iexplore.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\~DFB67A972F1A092D77.TMP"
"iexplore.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\~DF0A42C92B2E507041.TMP"
"iexplore.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\~DF7CDE1A538AD9A6E9.TMP"
"iexplore.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\JavaDeployReg.log" (2 occurrences)
- source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\_MSIExecute"
"\Sessions\1\BaseNamedObjects\UpdatingNewTabPageData"
"Local\URLBLOCK_DOWNLOAD_MUTEX"
"IsoScope_4b8_IE_EarlyTabStart_0x8f8_Mutex"
"Local\URLBLOCK_FILEMAPSWITCH_MUTEX_1208"
"{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"
"Local\ZonesLockedCacheCounterMutex"
"Local\ZonesCacheCounterMutex"
"IsoScope_4b8_IESQMMUTEX_0_303"
"UpdatingNewTabPageData"
"Local\VERMGMTBlockListFileMutex"
"{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}"
"Local\URLBLOCK_HASHFILESWITCH_MUTEX"
"Local\!BrowserEmulation!SharedMemory!Mutex"
"IsoScope_4b8_IESQMMUTEX_0_331"
"IsoScope_4b8_ConnHashTable<1208>_HashTable_Mutex"
"\Sessions\1\BaseNamedObjects\Local\!BrowserEmulation!SharedMemory!Mutex"
"\Sessions\1\BaseNamedObjects\Local\VERMGMTBlockListFileMutex"
- source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
-
Antivirus vendors marked dropped file "ISExternalUI.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "MSI54B8.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- source
- Binary File
- relevance
- 10/10
-
Launches a browser
- details
- Launches browser "iexplore.exe" (2 occurrences)
- source
- Monitored Target
- relevance
- 3/10
-
Loads rich edit control libraries
- details
- "setup1122.exe" loaded module "%WINDIR%\SysWOW64\riched20.dll" at 73740000
- source
- Loaded Module
- ATT&CK ID
- T1179
-
Loads the visual basic runtime environment
- details
- "setup1122.exe" loaded module "%WINDIR%\SysWOW64\msvbvm60.dll" at 72940000
- source
- Loaded Module
-
Overview of unique CLSIDs touched in registry
- details
-
"setup1122.exe" touched "Msi install server" (Path: "HKCU\WOW6432NODE\CLSID\{000C101C-0000-0000-C000-000000000046}")
"setup1122.exe" touched "PSFactoryBuffer" (Path: "HKCR\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{000C103E-0000-0000-C000-000000000046}")
"setup1122.exe" touched "Microsoft Windows Installer Message RPC" (Path: "HKCU\CLSID\{000C101D-0000-0000-C000-000000000046}\DLLVERSION")
"rundll32.exe" touched "Computer" (Path: "HKCU\WOW6432NODE\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
"rundll32.exe" touched "Network" (Path: "HKCU\WOW6432NODE\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\SHELLFOLDER")
"rundll32.exe" touched "Property System Both Class Factory" (Path: "HKCU\WOW6432NODE\CLSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}")
"rundll32.exe" touched "Application Registration" (Path: "HKCU\WOW6432NODE\CLSID\{591209C7-767B-42B2-9FBA-44EE4615F2C7}\TREATAS")
- source
- Registry Access
- relevance
- 3/10
-
Process launched with changed environment
- details
-
Process "iexplore.exe" was launched with new environment variables: "PATH="%PROGRAMFILES%\Internet Explorer;""
Process "iexplore.exe" was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles"
Process "iexplore.exe" was launched with missing environment variables: "PROCESSOR_ARCHITEW6432"
- source
- Monitored Target
- relevance
- 10/10
- note
- ProgramFiles, CommonProgramFiles and PROCESSOR_ARCHITECTURE are exactly the variables WOW64 rewrites for 32-bit processes, and PROCESSOR_ARCHITEW6432 exists only inside a WOW64 process. The differences therefore reflect the 32-bit rundll32.exe (SysWOW64) starting the native 64-bit iexplore.exe under %PROGRAMFILES%, and the added PATH entry is the App Paths value read from the registry above; nothing here indicates a deliberately tampered environment.
-
Scanning for window names
- details
-
"setup1122.exe" searching for class "Shell_TrayWnd"
"rundll32.exe" searching for class "IEFrame"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1010
-
Spawns new processes
- details
-
Spawned process "rundll32.exe" with commandline "url.dll,FileProtocolHandler https://www.e-sword.net/support.html"
Spawned process "iexplore.exe" with commandline "https://www.e-sword.net/support.html"
Spawned process "iexplore.exe" with commandline "SCODEF:1208 CREDAT:275457 /prefetch:2"
- source
- Monitored Target
- relevance
- 3/10
-
Spawns new processes that are not known child processes
- details
-
Spawned process "rundll32.exe" with commandline "url.dll,FileProtocolHandler https://www.e-sword.net/support.html"
Spawned process "iexplore.exe" with commandline "https://www.e-sword.net/support.html"
Spawned process "iexplore.exe" with commandline "SCODEF:1208 CREDAT:275457 /prefetch:2"
- source
- Monitored Target
- relevance
- 3/10
-
Installation/Persistence
-
Connects to LPC ports
- details
-
"setup1122.exe" connecting to "\ThemeApiPort"
"rundll32.exe" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
-
Dropped files
- details
-
"ISExternalUI.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"e-Sword.msi" has type "Composite Document File V2 Document Can't read SAT"
"~DF7CDE1A538AD9A6E9.TMP" has type "data"
"_59D0E8F2-6B49-11E9-A95D-3C002780F7E1_.dat" has type "Composite Document File V2 Document Cannot read section info"
"RecoveryStore._53ECE996-6B49-11E9-A95D-3C002780F7E1_.dat" has type "Composite Document File V2 Document Cannot read section info"
"_bb513C.tmp" has type "JPEG image data JFIF standard 1.01 resolution (DPI) density 72x72 segment length 16 baseline precision 8 499x281 frames 3"
"dnserror_1_" has type "HTML document UTF-8 Unicode (with BOM) text with CRLF line terminators"
"_53ECE998-6B49-11E9-A95D-3C002780F7E1_.dat" has type "Composite Document File V2 Document Cannot read section info"
"MSI54B8.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"~DF0A42C92B2E507041.TMP" has type "data"
"~313D.tmp" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"0x0409.ini" has type "Little-endian UTF-16 Unicode text with very long lines with CRLF CR line terminators"
"~311D.tmp" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"httpErrorPagesScripts_1_" has type "UTF-8 Unicode (with BOM) text with CRLF line terminators"
"_ISMSIDEL.INI" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"errorPageStrings_1_" has type "UTF-8 Unicode (with BOM) text with CRLF line terminators"
"~DFB67A972F1A092D77.TMP" has type "data"
"NewErrorPageTemplate_1_" has type "UTF-8 Unicode (with BOM) text with CRLF line terminators"
"~4A35.tmp" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"_bb513B.tmp" has type "JPEG image data JFIF standard 1.01 resolution (DPI) density 72x72 segment length 16 baseline precision 8 499x281 frames 3"
- source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"setup1122.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
"setup1122.exe" touched file "%WINDIR%\Fonts\StaticCache.dat"
"setup1122.exe" touched file "%WINDIR%\SysWOW64\en-US\msctf.dll.mui"
"setup1122.exe" touched file "%WINDIR%\SysWOW64\rsaenh.dll"
"setup1122.exe" touched file "%WINDIR%\SysWOW64\msimsg.dll"
"setup1122.exe" touched file "%WINDIR%\SysWOW64\en-US\msimsg.dll.mui"
"setup1122.exe" touched file "%WINDIR%\AppPatch\msimain.sdb"
"setup1122.exe" touched file "%WINDIR%\SysWOW64\sxs.dll"
"setup1122.exe" touched file "%WINDIR%\SysWOW64\en-US\sxs.dll.mui"
"setup1122.exe" touched file "%WINDIR%\SysWOW64\ar-SA\sxs.DLL.mui"
"setup1122.exe" touched file "%WINDIR%\SysWOW64\bg-BG\sxs.DLL.mui"
"setup1122.exe" touched file "%WINDIR%\SysWOW64\cs-CZ\sxs.DLL.mui"
"setup1122.exe" touched file "%WINDIR%\SysWOW64\da-DK\sxs.DLL.mui"
- source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Heuristic match: "z^sY.$e.XN"
Heuristic match: "Xxi`P,I.bv"
Heuristic match: "h;\nhCS.mp" (one string containing a line break)
Pattern match: "http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d"
Pattern match: "https://www.e-sword.net/support.html"
Pattern match: "https://www.e-sword.net/support.htmlPrintScrollableText[%ALLUSERSPROFILE][%SystemRoot]\Profiles\All"
Pattern match: "RegQueryValueExArRegOpenKeyExAADVAPI32.dllOLEAUT32.dllmsi.dll/RtlUnwindRaiseExceptionGetCommandLineAtGetVersionHeapFree}ExitProcessTerminateProcessGetCurrentProcessHeapReAllocHeapAllocHeapSizeGetCurrentThreadIdTlsSetValueTlsAllocTlsFreeTlsGetValueInitializ"
Pattern match: "kD-kc-k.k.kL/k/k0k2k4k6k[9k9k"
Pattern match: "ek.ek/ek=ek"
Pattern match: "D-0.T.lH/t/"
Pattern match: "http://crl.verisign.com/tss-ca.crl0U%0"
Pattern match: "crl.verisign.com/ThawteTimestampingCA.crl0U%0"
Pattern match: "https://www.verisign.com/rpa"
Pattern match: "csc3-2009-2-crl.verisign.com/CSC3-2009-2.crl0DU"
Pattern match: "csc3-2009-2-aia.verisign.com/CSC3-2009-2.cer0U#0k&p?-50`HB0"
- source
- File/Memory
- relevance
- 10/10
-
System Security
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"setup1122.exe" opened "\Device\KsecDD"
"rundll32.exe" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
-
"ISExternalUI.dll" was detected as "Armadillo v1.xx - v2.xx"
"MSI54B8.tmp" was detected as "Visual C++ 2005 DLL -> Microsoft"
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1002
File Details
setup1122.exe
- Filename
- setup1122.exe
- Size
- 57MiB (59884666 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 64602b65839b4a6187967dcceaa27e0365e3ba70cdde466b820a37324d4d987c
- MD5
- 7765c9b42cf7fd2da319074211884aab
- SHA1
- 3ac9b722312847a1dc257af9ea5b0295326c05d3
Classification (TrID)
- 36.1% (.EXE) InstallShield setup
- 26.2% (.EXE) Win32 Executable MS Visual C++ (generic)
- 23.2% (.EXE) Win64 Executable (generic)
- 5.5% (.DLL) Win32 Dynamic Link Library (generic)
- 3.7% (.EXE) Win32 Executable (generic)
Hybrid Analysis
Analysed 4 processes in total (System Resource Monitor).
- setup1122.exe (PID: 2124)
- rundll32.exe url.dll,FileProtocolHandler https://www.e-sword.net/support.html (PID: 2340)
- iexplore.exe https://www.e-sword.net/support.html (PID: 1208)
- iexplore.exe SCODEF:1208 CREDAT:275457 /prefetch:2 (PID: 1140)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
http://www.installshield.com/isetup/proerrorcentral.asp?errorcode | Domain/IP reference | 00101322-00002124-64999-1089-00411FBD |
2.0.0.0 | Domain/IP reference | 00101322-00002124-64999-1472-0042A214 |
2.9.0.0 | Domain/IP reference | 00101322-00002124-64999-1473-00437A6D |
3.0.0.0 | Domain/IP reference | 00101322-00002124-64999-1472-0042A214 |
Extracted Strings
Extracted Files
Displaying 20 extracted file(s). The remaining 6 file(s) are available in the full version and XML/JSON reports.
Clean (2)

ISExternalUI.dll
- Size: 293KiB (300424 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/66
- Runtime Process: setup1122.exe (PID: 2124)
- MD5: 535766c3f5345d8b33681d1027ab3c7c
- SHA1: 7d13a9d7159fcce712292f774f08df6dd36512ca
- SHA256: b2f98af105c82dc67768a270bb7974574474ab12533cbb3107604d5f36c95d2f

MSI54B8.tmp
- Size: 139KiB (142216 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/92
- MD5: b96cc173298220d17aa0932bf3047727
- SHA1: 38b81f2f69916d52d5d8c95185150c20586fe0ea
- SHA256: 69bdcb8dbad5145459bc64ee749e84d9e92171aeff5eea37f2145319c99bdf3e

Informative Selection (4)

Setup.INI
- Size: 5.3KiB (5436 bytes)
- Type: text
- Description: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process: setup1122.exe (PID: 2124)
- MD5: d58c3d6ea3c52a3f010bcee68ec24789
- SHA1: 23b2f1b45000346d69d0c62e813d7eaf6334bb08
- SHA256: dda67b166e81bb5a3337c581e00561abb84dc0e297b26e90bc8e5fbb3f27514c

~311D.tmp
- Size: 5.3KiB (5436 bytes)
- Type: text
- Description: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process: setup1122.exe (PID: 2124)
- MD5: d58c3d6ea3c52a3f010bcee68ec24789
- SHA1: 23b2f1b45000346d69d0c62e813d7eaf6334bb08
- SHA256: dda67b166e81bb5a3337c581e00561abb84dc0e297b26e90bc8e5fbb3f27514c

~4A35.tmp
- Size: 5.3KiB (5436 bytes)
- Type: text
- Description: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process: setup1122.exe (PID: 2124)
- MD5: d58c3d6ea3c52a3f010bcee68ec24789
- SHA1: 23b2f1b45000346d69d0c62e813d7eaf6334bb08
- SHA256: dda67b166e81bb5a3337c581e00561abb84dc0e297b26e90bc8e5fbb3f27514c

desktop.ini
- Size: Unknown (0 bytes)
- Type: empty
- Runtime Process: iexplore.exe (PID: 1208)

Informative (14)

e-Sword.msi
- Size: 5MiB (5233530 bytes)
- Type: rtf
- Description: Composite Document File V2 Document, Can't read SAT
- Runtime Process: setup1122.exe (PID: 2124)
- MD5: 09788a3d740f06af35ee20f5cbbaf22a
- SHA1: 875a7770dd18778ed05c3a81e205d68523fc2009
- SHA256: 7f1fb396d3c3bbf4f686be110277848cb3daba786238251bdc5916ff4c60a47d

_bb513B.tmp
- Size: 38KiB (39012 bytes)
- Type: img image
- Description: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 499x281, frames 3
- Runtime Process: setup1122.exe (PID: 2124)
- MD5: fde8d2fe482146d1e735a292eeda1ed5
- SHA1: e76eb075feca1fb005de603ff1169ead2b346a12
- SHA256: 6d11ee7c70bb3281416c55a86e9a9f65cec06e9c714097223964ffa4daa4705e

_bb513C.tmp
- Size: 36KiB (36765 bytes)
- Type: img image
- Description: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 499x281, frames 3
- Runtime Process: setup1122.exe (PID: 2124)
- MD5: 798780eb443e16d596fbf395578a57d9
- SHA1: 933724cb982fd9a0df6e33fb2762bb51eb7679c7
- SHA256: a19f8505971ae9d08ef99d73fd32b12a1bb7dcb1b5bb2d8bf271327da8684e2d

_bb513D.tmp
- Size: 40KiB (41268 bytes)
- Runtime Process: setup1122.exe (PID: 2124)
- MD5: f95a05b6877be714b8ce3d316fa9ab37
- SHA1: ee87fb5a1c932810e997c8c19e2f97a666c0760d
- SHA256: 0c751382893bb55eacb6d1f9eb0e60049ac40b141954f19e6d75af60c7154dfc

0x0409.ini
- Size: 22KiB (22492 bytes)
- Type: text
- Description: Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
- Runtime Process: setup1122.exe (PID: 2124)
- MD5: be345d0260ae12c5f2f337b17e07c217
- SHA1: 0976ba0982fe34f1c35a0974f6178e15c238ed7b
- SHA256: e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

_ISMSIDEL.INI
- Size: 828B (828 bytes)
- Type: text
- Description: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process: setup1122.exe (PID: 2124)
- MD5: 93cc7af5e8216f0d0883bd4a33f4e1c3
- SHA1: d6b4c9d708d2ca9fb2a225bb973f307b3d139a7a
- SHA256: c8f8556b2ba79e989403758e55c6797b12af04f884cc4ea693f0333c0c6fe222

~313D.tmp
- Size: 5.3KiB (5436 bytes)
- Type: text
- Description: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process: setup1122.exe (PID: 2124)
- MD5: d58c3d6ea3c52a3f010bcee68ec24789
- SHA1: 23b2f1b45000346d69d0c62e813d7eaf6334bb08
- SHA256: dda67b166e81bb5a3337c581e00561abb84dc0e297b26e90bc8e5fbb3f27514c

~DF0A42C92B2E507041.TMP
- Size: 16KiB (16384 bytes)
- Type: data
- Runtime Process: iexplore.exe (PID: 1208)
- MD5: 9c0b93c9144f0e4c897a62dc94527679
- SHA1: 22f77e80b2b44bfb0a7b66f4237facd2a56de749
- SHA256: 6163e5331a1182271c49471b44ef8fbc576256561a2500acec56c875f0ef7fac

~DF7CDE1A538AD9A6E9.TMP
- Size: 16KiB (16384 bytes)
- Type: data
- Runtime Process: iexplore.exe (PID: 1208)
- MD5: 269e49177a5928a6ed56361650946a83
- SHA1: 6347f15cf149e00d8f4a590f3de020e9eeac4664
- SHA256: d000ef41ecc1f0f39a6ffe00a1f691418b356d67fb720c576e91fc06e36ebad2

~DFB67A972F1A092D77.TMP
- Size: 16KiB (16384 bytes)
- Type: data
- Runtime Process: iexplore.exe (PID: 1208)
- MD5: b20ed06dc48255bb2651fbd761708289
- SHA1: ea8f427446b795b28f65c88788b0d65622b6e7d7
- SHA256: 3c43a1bcbaa4cfe10b63e40323d2c30d62b7f9d0bd93cbb5190dc176576b1cc3

_59D0E8F2-6B49-11E9-A95D-3C002780F7E1_.dat
- Size: 4.5KiB (4608 bytes)
- Type: text
- Description: Composite Document File V2 Document, Cannot read section info
- MD5: 01df8ae1290bb8ab3136baf6763ea718
- SHA1: 66415f9e0b6774afe2b15eb11083b26251939a88
- SHA256: bfa1e55d26236531042b55599e0be6e1f5e1dd40c431d7c5b90f58253847dc23

RecoveryStore._53ECE996-6B49-11E9-A95D-3C002780F7E1_.dat
- Size: 5.5KiB (5632 bytes)
- Type: text
- Description: Composite Document File V2 Document, Cannot read section info
- MD5: 686b440b4d65b65db7f060a3a16bc79a
- SHA1: 50780c2870883e1362150f3eded367b819ab3af0
- SHA256: 70e0207514e943553d09c17f39649ad813e6fa9ae7b67b6fdd19e372d494502f

dnserror_1_
- Size: 1.8KiB (1857 bytes)
- Type: html
- Description: HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
- MD5: 73c70b34b5f8f158d38a94b9d7766515
- SHA1: e9eaa065bd6585a1b176e13615fd7e6ef96230a9
- SHA256: 3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

_53ECE998-6B49-11E9-A95D-3C002780F7E1_.dat
- Size: 4.5KiB (4608 bytes)
- Type: text
- Description: Composite Document File V2 Document, Cannot read section info
- MD5: 306d6dde35936f0e142d0927cb203753
- SHA1: ce0e0d9cfd5394fc09d0566bfcf6d42126c13fc7
- SHA256: b9dfcc3e9cd4fb33346fca65d538cd8814e685a10aa49feac869fe2386b5d70b

Notifications
Runtime
- Although all strings were processed, some are hidden from the report in order to reduce the overall size
- No static analysis parsing on sample was performed
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-31" are available in the report
- Not all sources for indicator ID "api-4" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-6" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report