JungUmGW_Viewer_20140220_v913_780.zip
This report is generated from a file or URL submitted to this webservice on March 8th 2018 17:21:51 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.00 © Hybrid Analysis
Incident Response
Risk Assessment
- Fingerprint
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Spreading
  - Opens the MountPointManager (often used to detect additional infection locations)
Additional Context
Related Sandbox Artifacts
- Associated SHA256s: f173f69aa4caa41785d740d2bbc9fc89e9977f23132699f75282b99a0acd9ea6
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (1)

Unusual Characteristics
- Contains ability to reboot/shutdown the operating system
  - details: ExitWindowsEx@USER32.DLL from JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
  - source: Hybrid Analysis Technology
  - relevance: 5/10

Suspicious Indicators (20)

Anti-Detection/Stealthiness
- Queries kernel debugger information
  - details: "<Input Sample>" at 00017637-00002352-00000105-49903943
  - source: API Call
  - relevance: 6/10

Anti-Reverse Engineering
- PE file has unusual entropy sections
  - details: .text with unusual entropies 7.98046943556
  - source: Static Parser
  - relevance: 10/10

Cryptographic Related
- Found a cryptographic related string
  - details: "DES" (Indicator: "des"; File: "_Cfx9be8.rra.426358136")
  - source: File/Memory
  - relevance: 10/10

Environment Awareness
- Reads the active computer name
  - details: "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - source: Registry Access
  - relevance: 5/10
- Reads the cryptographic machine GUID
  - details: "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - source: Registry Access
  - relevance: 10/10

General
- Contains ability to find and load resources of a specific module
  - details:
    - LoadResource@KERNEL32.DLL from JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
    - FindResourceW@KERNEL32.DLL from JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
    - FindResourceW@KERNEL32.DLL from JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
    - FindResourceW@KERNEL32.dll
  - source: Hybrid Analysis Technology
  - relevance: 1/10
- Reads configuration files
  - details:
    - "<Input Sample>" read file "%TEMP%\{B891DEC5-5171-4CDD-B5CE-5332B5947C34}\Disk1\setup.ini"
    - "<Input Sample>" read file "%TEMP%\{B891DEC5-5171-4CDD-B5CE-5332B5947C34}\setup.ini"
    - "<Input Sample>" read file "%TEMP%\{B891DEC5-5171-4CDD-B5CE-5332B5947C34}\Disk1\0x0409.ini"
    - "<Input Sample>" read file "%TEMP%\{B891DEC5-5171-4CDD-B5CE-5332B5947C34}\Disk1\0x0411.ini"
    - "<Input Sample>" read file "%TEMP%\{B891DEC5-5171-4CDD-B5CE-5332B5947C34}\Disk1\0x0412.ini"
    - "<Input Sample>" read file "%TEMP%\{B891DEC5-5171-4CDD-B5CE-5332B5947C34}\Disk1\0x0804.ini"
    - "<Input Sample>" read file "%TEMP%\{B891DEC5-5171-4CDD-B5CE-5332B5947C34}\0x0409.ini"
  - source: API Call
  - relevance: 4/10

Installation/Persistence
- Contains ability to write to a remote process
  - details: WriteProcessMemory@KERNEL32.DLL from JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
  - source: Hybrid Analysis Technology
  - relevance: 8/10
- Drops executable files
  - details:
    - "ISSetup.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows PECompact2 compressed"
    - "setup.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
    - "_isr9f59.rra" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "_Cfx9be8.rra" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "_isr9e0f.rra" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "_isra176.rra" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "_isr9d8c.rra" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - source: Binary File
  - relevance: 10/10
- Opens the MountPointManager (often used to detect additional infection locations)
  - details: "<Input Sample>" opened "\Device\MountPointManager"
  - source: API Call
  - relevance: 5/10

System Destruction
- Marks file for deletion
  - details:
    - "C:\JungUmGW_Viewer_20140220_v913_780.exe" marked "%TEMP%\{FA938356-480C-420E-B446-E6342040CAB3}" for deletion
    - "C:\JungUmGW_Viewer_20140220_v913_780.exe" marked "%TEMP%\{6B2D1C86-37F1-443A-A735-F24DC1D0FB8F}" for deletion
  - source: API Call
  - relevance: 10/10
- Opens file with deletion access rights
  - details:
    - "<Input Sample>" opened "%TEMP%\{FA938356-480C-420E-B446-E6342040CAB3}" with delete access
    - "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{6B2D1C86-37F1-443A-A735-F24DC1D0FB8F}" with delete access
    - "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{56DF6A9B-56D6-4BF4-B7A9-D21BF7205B0C}\{87BE7D50-7CBE-48D8-9555-88CD17178DCA}\setup.inx" with delete access
    - "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{56DF6A9B-56D6-4BF4-B7A9-D21BF7205B0C}\{87BE7D50-7CBE-48D8-9555-88CD17178DCA}\setu9b98.rra" with delete access
    - "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{56DF6A9B-56D6-4BF4-B7A9-D21BF7205B0C}\{87BE7D50-7CBE-48D8-9555-88CD17178DCA}\hun.ico" with delete access
    - "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{56DF6A9B-56D6-4BF4-B7A9-D21BF7205B0C}\{87BE7D50-7CBE-48D8-9555-88CD17178DCA}\hun9bac.rra" with delete access
    - "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{56DF6A9B-56D6-4BF4-B7A9-D21BF7205B0C}\{87BE7D50-7CBE-48D8-9555-88CD17178DCA}\InstallImage_JungUmGlobal.bmp" with delete access
    - "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{56DF6A9B-56D6-4BF4-B7A9-D21BF7205B0C}\{87BE7D50-7CBE-48D8-9555-88CD17178DCA}\Inst9bb6.rra" with delete access
    - "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{56DF6A9B-56D6-4BF4-B7A9-D21BF7205B0C}\{87BE7D50-7CBE-48D8-9555-88CD17178DCA}\CfxLim.dll" with delete access
    - "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{56DF6A9B-56D6-4BF4-B7A9-D21BF7205B0C}\{87BE7D50-7CBE-48D8-9555-88CD17178DCA}\CfxL9bc0.rra" with delete access
    - "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{56DF6A9B-56D6-4BF4-B7A9-D21BF7205B0C}\{87BE7D50-7CBE-48D8-9555-88CD17178DCA}\HunMin.ini" with delete access
    - "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{56DF6A9B-56D6-4BF4-B7A9-D21BF7205B0C}\{87BE7D50-7CBE-48D8-9555-88CD17178DCA}\HunM9bca.rra" with delete access
    - "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{56DF6A9B-56D6-4BF4-B7A9-D21BF7205B0C}\{87BE7D50-7CBE-48D8-9555-88CD17178DCA}\InstallFlag_dll.dll" with delete access
    - "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{56DF6A9B-56D6-4BF4-B7A9-D21BF7205B0C}\{87BE7D50-7CBE-48D8-9555-88CD17178DCA}\Inst9bd4.rra" with delete access
    - "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{56DF6A9B-56D6-4BF4-B7A9-D21BF7205B0C}\{87BE7D50-7CBE-48D8-9555-88CD17178DCA}\_CfxLim.dll" with delete access
    - "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{56DF6A9B-56D6-4BF4-B7A9-D21BF7205B0C}\{87BE7D50-7CBE-48D8-9555-88CD17178DCA}\_Cfx9be8.rra" with delete access
    - "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{56DF6A9B-56D6-4BF4-B7A9-D21BF7205B0C}\{87BE7D50-7CBE-48D8-9555-88CD17178DCA}\license.txt" with delete access
    - "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{56DF6A9B-56D6-4BF4-B7A9-D21BF7205B0C}\{87BE7D50-7CBE-48D8-9555-88CD17178DCA}\lice9bf2.rra" with delete access
    - "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{56DF6A9B-56D6-4BF4-B7A9-D21BF7205B0C}\{87BE7D50-7CBE-48D8-9555-88CD17178DCA}\FontData.ini" with delete access
    - "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{56DF6A9B-56D6-4BF4-B7A9-D21BF7205B0C}\{87BE7D50-7CBE-48D8-9555-88CD17178DCA}\Font9bfc.rra" with delete access
  - source: API Call
  - relevance: 7/10

System Security
- Contains ability to elevate privileges
  - details: SetSecurityDescriptorDacl@ADVAPI32.DLL from JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
  - source: Hybrid Analysis Technology
  - relevance: 10/10

Unusual Characteristics
- CRC value set in PE header does not match actual value
  - details:
    - "ISSetup.dll" claimed CRC 605014 while the actual is CRC 28446886
    - "_isr9f59.rra" claimed CRC 391693 while the actual is CRC 844364
    - "_isr9e0f.rra" claimed CRC 331323 while the actual is CRC 92516
    - "_isra176.rra" claimed CRC 371590 while the actual is CRC 331323
    - "_isr9d8c.rra" claimed CRC 336194 while the actual is CRC 371590
  - source: Static Parser
  - relevance: 10/10
- Entrypoint in PE header is within an uncommon section
  - details: "ISSetup.dll" has an entrypoint in section ".rsrc"
  - source: Static Parser
  - relevance: 10/10
- Imports suspicious APIs
  - details: RegCreateKeyExW, RegCloseKey, RegEnumKeyW, RegDeleteKeyW, SetSecurityDescriptorDacl, OpenProcessToken, RegOpenKeyExW, RegOpenKeyW, RegOpenKeyExA, RegEnumKeyExW, RegDeleteValueW, GetDriveTypeW, GetFileAttributesW, GetThreadContext, FindResourceExW, GetModuleFileNameW, GetVersionExA, GetModuleFileNameA, UnhandledExceptionFilter, CreateThread, ExitThread, TerminateProcess, LoadLibraryW, GetVersionExW, GetTickCount, VirtualProtect, LoadLibraryA, GetStartupInfoA, GetFileSize, WriteProcessMemory, OpenProcess, GetStartupInfoW, CreateDirectoryW, DeleteFileW, GetProcAddress, VirtualProtectEx, GetTempFileNameW, CreateFileMappingW, WriteFile, FindNextFileW, FindFirstFileW, CreateFileW, CreateFileA, FindResourceW, LockResource, GetCommandLineW, GetCommandLineA, MapViewOfFile, GetModuleHandleA, GetModuleHandleW, GetTempPathW, CreateProcessW, Sleep, VirtualAlloc, ShellExecuteExW, FindWindowExW, RegCreateKeyExA, FindFirstFileA, FindWindowA
  - source: Static Parser
  - relevance: 1/10
- Reads information about supported languages
  - details:
    - "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
    - "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000401")
    - "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000402")
    - "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000403")
    - "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000404")
    - "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000405")
    - "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000406")
    - "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000407")
    - "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000408")
  - source: Registry Access
  - relevance: 3/10
- Timestamp in PE header is very old or in the future
  - details: "_Cfx9be8.rra" claims program is from Thu Nov 26 00:21:35 1998
  - source: Static Parser
  - relevance: 10/10

Hiding 2 Suspicious Indicators (all indicators are available only in the private webservice or standalone version)

Informative (16)

Environment Awareness
- Contains ability to query machine time
  - details:
    - GetSystemTimeAsFileTime@KERNEL32.DLL from JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
    - GetLocalTime@KERNEL32.DLL from JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
  - source: Hybrid Analysis Technology
  - relevance: 1/10
- Contains ability to query the machine version
  - details:
    - GetVersion@KERNEL32.DLL from JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
    - GetVersionExW@KERNEL32.DLL from JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
    - GetVersionExW@KERNEL32.DLL from JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
    - GetVersionExW@KERNEL32.DLL from JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
    - GetVersionExW@KERNEL32.DLL from JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
    - GetVersionExW@KERNEL32.DLL from JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
    - GetVersionExW@KERNEL32.DLL from JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
    - GetVersionExW@KERNEL32.DLL from JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
    - GetVersion@KERNEL32.DLL from JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
    - GetVersionExW@KERNEL32.DLL from JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
    - GetVersionExW@KERNEL32.DLL from JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
    - GetVersion@KERNEL32.DLL from JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
    - GetVersion@KERNEL32.DLL from JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
    - GetVersionExW@KERNEL32.DLL from JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
    - GetVersionExA@KERNEL32.DLL from JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
    - GetVersion@KERNEL32.dll
  - source: Hybrid Analysis Technology
  - relevance: 1/10
- Contains ability to query volume size
  - details: GetDiskFreeSpaceW@KERNEL32.DLL from JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
  - source: Hybrid Analysis Technology
  - relevance: 3/10
- Makes a code branch decision directly after an API that is environment aware
  - details:
    - Found API call GetDiskFreeSpaceExW@KERNEL32.DLL (Target: "JungUmGW_Viewer_20140220_v913_780.exe"; Stream UID: "00017637-00002352-23551-475-0040E29C") which is directly followed by "cmp ecx, esi" and "je 0040E39Ch". Related instructions, from JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352):
        +150 mov ax, word ptr [eax+02h]
        +154 mov word ptr [ebp-00000430h], cx
        +161 mov word ptr [ebp-0000042Eh], ax
        +168 mov word ptr [ebp-0000042Ch], 005Ch
        +177 mov word ptr [ebp-0000042Ah], si
        +184 mov ecx, dword ptr [00475DBCh] ;GetDiskFreeSpaceExW
        +190 mov edi, dword ptr [ebp+10h]
        +193 mov ebx, dword ptr [ebp+0Ch]
        +196 cmp ecx, esi
        +198 mov esi, dword ptr [ebp+14h]
        +201 je 0040E39Ch
    - Found API call GetVersionExW@KERNEL32.DLL (Target: "JungUmGW_Viewer_20140220_v913_780.exe"; Stream UID: "00017637-00002352-23551-413-0042DD9E") which is directly followed by "cmp dword ptr [ebp-00000104h], 01h" and "jne 0042DE19h". Related instructions, from JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352):
        +0 push ebp
        +1 mov ebp, esp
        +3 sub esp, 00000114h
        +9 mov eax, dword ptr [ebp+08h]
        +12 push esi
        +13 mov esi, dword ptr [ebp+0Ch]
        +16 mov dword ptr [ebp-00000114h], 00000114h
        +26 and dword ptr [eax], 00000000h
        +29 lea eax, dword ptr [ebp-00000114h]
        +35 and dword ptr [esi], 00000000h
        +38 push eax
        +39 call dword ptr [00466288h] ;GetVersionExW
        +45 cmp dword ptr [ebp-00000104h], 01h
        +52 jne 0042DE19h
    - Found API call GetVersion@KERNEL32.DLL (Target: "JungUmGW_Viewer_20140220_v913_780.exe"; Stream UID: "00017637-00002352-23551-854-004375DB") which is directly followed by "cmp eax, 80000000h" and "jbe 004375EBh". Related instructions, from JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352):
        +0 call dword ptr [0046638Ch] ;GetVersion
        +6 cmp eax, 80000000h
        +11 jbe 004375EBh
    - Found API call GetVersion@KERNEL32.DLL (Target: "JungUmGW_Viewer_20140220_v913_780.exe"; Stream UID: "00017637-00002352-23551-1058-004375F7") which is directly followed by "cmp eax, 80000000h" and "jbe 00437607h". Related instructions, from JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352):
        +0 call dword ptr [0046638Ch] ;GetVersion
        +6 cmp eax, 80000000h
        +11 jbe 00437607h
    - Found API call GetVersion@KERNEL32.DLL (Target: "JungUmGW_Viewer_20140220_v913_780.exe"; Stream UID: "00017637-00002352-23551-1194-00431D95") which is directly followed by "cmp eax, 80000000h" and "jbe 00432361h". Related instructions, from JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352):
        +1372 call dword ptr [0046638Ch] ;GetVersion
        +1378 cmp eax, 80000000h
        +1383 jbe 00432361h
  - source: Hybrid Analysis Technology
  - relevance: 10/10
- Reads the registry for installed applications
  - details:
    - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\")
    - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADDRESSBOOK")
    - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE FLASH PLAYER NPAPI")
    - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\AUTOITV3")
    - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CONNECTION MANAGER")
    - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DIRECTDRAWEX")
    - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DXM_RUNTIME")
    - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FONTCORE")
    - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IE40")
    - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IE4DATA")
    - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IE5BAKEX")
    - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA")
    - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA0")
    - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA1")
    - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA10")
    - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA100")
    - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA101")
    - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA102")
    - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA103")
    - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA104")
  - source: Registry Access
  - relevance: 10/10

External Systems
- Sample was identified as clean by Antivirus engines
  - details: 0/64 Antivirus vendors marked sample as malicious (0% detection rate)
  - source: External System
  - relevance: 10/10

General
- Creates a writable file in a temporary directory
  - details:
    - "<Input Sample>" created file "%TEMP%\{B891DEC5-5171-4CDD-B5CE-5332B5947C34}\Disk1\0x0409.ini"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{B891DEC5-5171-4CDD-B5CE-5332B5947C34}\Disk1\0x0411.ini"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{B891DEC5-5171-4CDD-B5CE-5332B5947C34}\Disk1\0x0412.ini"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{B891DEC5-5171-4CDD-B5CE-5332B5947C34}\Disk1\0x0804.ini"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{B891DEC5-5171-4CDD-B5CE-5332B5947C34}\Disk1\data1.cab"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{B891DEC5-5171-4CDD-B5CE-5332B5947C34}\Disk1\data1.hdr"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{B891DEC5-5171-4CDD-B5CE-5332B5947C34}\Disk1\Fontdata.reg"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{B891DEC5-5171-4CDD-B5CE-5332B5947C34}\Disk1\ISSetup.dll"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{B891DEC5-5171-4CDD-B5CE-5332B5947C34}\Disk1\layout.bin"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{B891DEC5-5171-4CDD-B5CE-5332B5947C34}\Disk1\setup.exe"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{B891DEC5-5171-4CDD-B5CE-5332B5947C34}\Disk1\setup.ini"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{B891DEC5-5171-4CDD-B5CE-5332B5947C34}\Disk1\setup.inx"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{B891DEC5-5171-4CDD-B5CE-5332B5947C34}\setup.ini"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{B891DEC5-5171-4CDD-B5CE-5332B5947C34}\0x0409.ini"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{B891DEC5-5171-4CDD-B5CE-5332B5947C34}\0x0411.ini"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{B891DEC5-5171-4CDD-B5CE-5332B5947C34}\0x0412.ini"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{B891DEC5-5171-4CDD-B5CE-5332B5947C34}\0x0804.ini"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\9a4d.rra"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{56DF6A9B-56D6-4BF4-B7A9-D21BF7205B0C}\{87BE7D50-7CBE-48D8-9555-88CD17178DCA}\setu9b98.rra"
    - "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{56DF6A9B-56D6-4BF4-B7A9-D21BF7205B0C}\{87BE7D50-7CBE-48D8-9555-88CD17178DCA}\hun9bac.rra"
  - source: API Call
  - relevance: 1/10
- Creates mutants
  - details:
    - "\Sessions\1\BaseNamedObjects\87BE7D50-7CBE-48D8-9555-88CD17178DCA"
    - "87BE7D50-7CBE-48D8-9555-88CD17178DCA"
  - source: Created Mutant
  - relevance: 3/10
- Drops files marked as clean
  - details:
    - Antivirus vendors marked dropped file "ISSetup.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows PECompact2 compressed")
    - Antivirus vendors marked dropped file "setup.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
    - Antivirus vendors marked dropped file "_isr9f59.rra" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
    - Antivirus vendors marked dropped file "_Cfx9be8.rra" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
    - Antivirus vendors marked dropped file "_isr9e0f.rra" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
    - Antivirus vendors marked dropped file "_isra176.rra" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
    - Antivirus vendors marked dropped file "_isr9d8c.rra" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
  - source: Binary File
  - relevance: 10/10
- Loads rich edit control libraries
  - details:
    - "<Input Sample>" loaded module "%WINDIR%\System32\riched32.dll" at 72FC0000
    - "<Input Sample>" loaded module "%WINDIR%\System32\riched20.dll" at 6CA10000
  - source: Loaded Module

Installation/Persistence
- Connects to LPC ports
  - details: "<Input Sample>" connecting to "\ThemeApiPort"
  - source: API Call
  - relevance: 1/10
- Dropped files
  - details:
    - "ISSetup.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows PECompact2 compressed"
    - "Fontdata.reg" has type "ISO-8859 text with CRLF line terminators"
    - "setup.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
    - "setup.inx" has type "data"
    - "layout.bin" has type "data"
    - "0x0412.ini" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
    - "Stri9fd1.rra" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
    - "_isr9f59.rra" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "Font9bfc.rra" has type "ASCII text with CRLF line terminators"
    - "Stri9e5f.rra" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
    - "_Cfx9be8.rra" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "0x0411.ini" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
    - "Stria130.rra" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
    - "0x0804.ini" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
    - "_isr9e0f.rra" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "_isra176.rra" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "_isr9d8c.rra" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
    - "Stria16c.rra" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
    - "Stria0cc.rra" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
  - source: Binary File
  - relevance: 3/10
- Touches files in the Windows directory
  - details:
    - "<Input Sample>" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
    - "<Input Sample>" touched file "C:\Windows\System32\en-US\user32.dll.mui"
    - "<Input Sample>" touched file "C:\Windows\Fonts\StaticCache.dat"
    - "<Input Sample>" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
    - "<Input Sample>" touched file "C:\Windows\System32\rsaenh.dll"
    - "<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches"
    - "<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
    - "<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
    - "<Input Sample>" touched file "C:\Windows\Fonts\desktop.ini"
    - "<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini"
    - "<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu"
    - "<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini"
    - "<Input Sample>" touched file "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu"
    - "<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
    - "<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"
    - "<Input Sample>" touched file "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
    - "<Input Sample>" touched file "C:\Windows\System32\stdole2.tlb"
    - "<Input Sample>" touched file "C:\Windows\AppPatch\sysmain.sdb"
  - source: API Call
  - relevance: 7/10

Network Related
- Found potential URL in binary/memory
  - details:
    - Heuristic match: "/z z(z$z,zz*z&z.zW"
    - Pattern match: "http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d"
    - Pattern match: "http://www.Samsung.com"
    - Pattern match: "www.zaigen.co.kr"
    - Heuristic match: "Ovaj tekst se mjenja uslijed parametra 'szMsg' .Mo"
    - Pattern match: "www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d"
  - source: File/Memory
  - relevance: 10/10

System Security
- Opens the Kernel Security Device Driver (KsecDD) of Windows
  - details: "<Input Sample>" opened "\Device\KsecDD"
  - source: API Call
  - relevance: 10/10

Unusual Characteristics
- Matched Compiler/Packer signature
  - details:
    - "JungUmGW_Viewer_20140220_v913_780.exe.bin" was detected as "Microsoft visual C++ 5.0"
    - "ISSetup.dll" was detected as "PeCompact 2.53 DLL --> BitSum Technologies"
    - "setup.exe" was detected as "Microsoft visual C++ 5.0"
    - "_isr9f59.rra" was detected as "Armadillo v1.xx - v2.xx"
    - "_isr9e0f.rra" was detected as "Armadillo v1.xx - v2.xx"
    - "_isra176.rra" was detected as "Armadillo v1.xx - v2.xx"
    - "_isr9d8c.rra" was detected as "Armadillo v1.xx - v2.xx"
  - source: Static Parser
  - relevance: 10/10

File Details

JungUmGW_Viewer_20140220_v913_780.exe
- Filename: JungUmGW_Viewer_20140220_v913_780.exe
- Size: 27MiB (28442182 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture: WINDOWS
- SHA256: 77417db60ec1ba795f7bf41e9691057ffc11c7ed33d0ae8d77ae8534f52447fb
- MD5: f0f08c6eecef0c10f3142613d3175786
- SHA1: d2d4bec17abfd06c294e741bec72b48d936792e8
- ssdeep: 786432:GxdlYRkjZDH7Q5nCZSHu0jefgolMCL751:GxE0ZDHMk3udo2EV1
- imphash: 1eb8fbcd945460311f3dfde5ffb28c90
- authentihash: 86da10be7668c4bbb0ce2b7372029944c39cf5511db2a301aac8fe76184bd572
- Compiler/Packer: Microsoft visual C++ 5.0
- PDB Pathway: (empty)

Version Info
- LegalCopyright: Copyright (C) 2010 Flexera Software, Inc. and/or InstallShield Co. Inc. All Rights Reserved.
- ISInternalVersion: 17.0.717
- InternalName: Setup
- FileVersion: 1.00.000
- CompanyName: Samsung
- Internal Build Number: 99584
- ProductName: JungUm Global Viewer
- ProductVersion: 1.00.000
- FileDescription: InstallScript Setup Launcher
- ISInternalDescription: InstallScript Setup Launcher
- OriginalFilename: InstallShield Setup.exe
- Translation: 0x0409 0x04b0
Classification (TrID)
- 42.8% (.AX) DirectShow filter
- 24.7% (.OCX) Windows ActiveX control
- 12.5% (.EXE) Win32 EXE PECompact compressed (v2.x)
- 9.1% (.EXE) InstallShield setup
- 8.8% (.EXE) Win32 EXE PECompact compressed (generic)
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
Displaying 26 extracted file(s). The remaining 78 file(s) are available in the full version and XML/JSON reports.
Clean (2)

ISSetup.dll
- Size: 566KiB (579584 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
- AV Scan Result: 0/68
- Runtime Process: JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
- MD5: c5e7c495ed4644f46dec884cdd2acd54
- SHA1: 836acfe7444bd6589adf78b14058430724d67da1
- SHA256: da30a9e6304c22feb626e5fb41f44aed11ae3ad36d50676f97250c6a1da6d052

setup.exe
- Size: 796KiB (814592 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/61
- Runtime Process: JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
- MD5: efa0a2cd68bcab1a8a131fdbb93475f2
- SHA1: c2214468a375ebf66d0ffae4624f59cf86bb7b45
- SHA256: 52ace5454aa5119ccdf76f4051c82af4825e57dbb0e2e1fbf53b91c3cd000b6a

Informative Selection (1)

0x0411.ini
- Size: 15KiB (14884 bytes)
- Type: text
- Description: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process: JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
- MD5: 172d4d355115b38848d2d99f57aecf2c
- SHA1: a5fcd9b612146e3182dd897a2a9a2d19029f302e
- SHA256: b04655ea596d27e6eac5f96ddfad84954be42dad223931a3ed081d569d02f290

Informative (23)

core9c10.rra
- Size: 64KiB (65503 bytes)
- Runtime Process: JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
- MD5: 09d38ceca6a012f4ce5b54f03db9b21a
- SHA1: 01fcb72f22205e406ff9a48c5b98d7b7457d7d98
- SHA256: f6d7bc8ca6550662166f34407968c7d3669613e50e98a4e40bec1589e74ff5d1

dotn9c10.rra
- Size: 11KiB (11152 bytes)
- Runtime Process: JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
- MD5: 8f50951dc767385e6e9801ecacc621e3
- SHA1: 468a8e65ebcf871198a67b478941645089a72557
- SHA256: f3c2471df257575d0668dddfd0c2f805e4b3236bc546255e6caa2c813e914a52

Defa9c42.rra
- Size: 1.1KiB (1168 bytes)
- Runtime Process: JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
- MD5: 0abafe3f69d053494405061de2629c82
- SHA1: e414b6f1e9eb416b9895012d24110b844f9f56d1
- SHA256: 8075162db275eb52f5d691b15fc0d970cb007f5bece33ce5db509edf51c1f020

Isrt9ca6.rra
- Size: 259KiB (265080 bytes)
- Runtime Process: JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
- MD5: 6f23bbb542f8e0999b4d9c9f123850fb
- SHA1: a25f34d296f3179a00cb1bf6f4c23728824bf477
- SHA256: 6b5ad22837f58fcf24b2c4c27c0a46517d7a72495f8859062ffb98455582d42b

MMOba19e.rra
- Size: 53KiB (54664 bytes)
- Runtime Process: JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
- MD5: f3f5505a97600dac85b418627f079bc4
- SHA1: 15100b40d4b86e45d303572dbf45df8c552d3a5c
- SHA256: ad012867390c62fa7d8d4a1a6a7c0c4fdbf0ceaed8bf18cafb01ab9e4924a7e6

Setu9c92.rra
- Size: 186KiB (190184 bytes)
- Runtime Process: JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
- MD5: 55a3ddc93e7d712458b5f6d62fc005a1
- SHA1: a0208bc1c885227e8825a54a579bfb0bf7843549
- SHA256: cda45226881acc82ae24aa5423d34f8abd5262bc7da2032a7284020b16743afe

Stri9ce2.rra
- Size: 4.2KiB (4336 bytes)
- Runtime Process: JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
- MD5: dc44bd4f445ec0fbfcde6b81b69341fb
- SHA1: 924a596d813d65c3d3d6c16057d8da5abf2fbab4
- SHA256: 0a26a322483ae1a87d9b0cb50aae05dcc97496066e0665509966a0e40ed78fdd

Stri9d00.rra
- Size: 4KiB (4088 bytes)
- Runtime Process: JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
- MD5: b0e5311ce9db3f68de549e6d7adc4767
- SHA1: 151c59a13b810070a466efff3f4370d2d87db21c
- SHA256: bb81906f08b9df1abec43320935266505897e5e41ed2aad84ac119f714dca203

Stri9d1e.rra
- Size: 4KiB (4114 bytes)
- Runtime Process: JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
- MD5: 5eb4e4fe0c7c8d6b332dd02d7215de76
- SHA1: 110b934d6953fff5ea26709a4cf4de79d75cdd82
- SHA256: d8adba9b80d06b53aba45d7b70fa8b9746d055ee346eab30361843741d600b9d

Stri9d3c.rra
- Size: 4KiB (4050 bytes)
- Runtime Process: JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
- MD5: 13f0a201cc47a57f915c49326741e5fa
- SHA1: a78d2b6062343f469e6f4fb544fae54166079692
- SHA256: a3e67edb4a26f6e6326190dc115598aa594bf1fe34737e43ab65ad505abd3931

Stri9d64.rra
- Size: 4.2KiB (4284 bytes)
- Runtime Process: JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
- MD5: 49b60bc07ef4bb0349ab0e230a33ef0f
- SHA1: 29682b4b4bbd569af3259ba9e5adf8cbe2a8421a
- SHA256: ac9aa7cad76a8c62c955225c216105db89bf5070681a67e1c533f30ebbb99e8f

Stri9d82.rra
- Size: 3.9KiB (3966 bytes)
- Runtime Process
- JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
- MD5
- 9febcb92e2796e3db643a98cd6a8048f
- SHA1
- 91a8ad2d11594dc64fa5f79473cbe7e56418e0ef
- SHA256
- 6c365b18aa0936af8cad22cb59574728a84c406fcc272e15597c5ad4dd786365
-
Stri9da0.rra
- Size
- 4KiB (4144 bytes)
- Runtime Process
- JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
- MD5
- 610e8cbf4583a43517cd4a454633ea14
- SHA1
- f078248d8c2c2e0b5b30466886f1712c4acc7ec3
- SHA256
- 87e995bd1edf944b94e9965165d3e771098300980c5611b0e074f5f872daa132
-
Stri9dbe.rra
- Size
- 4.1KiB (4208 bytes)
- Runtime Process
- JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
- MD5
- bd9f3ac351222469ed8737d18dc8be9e
- SHA1
- 3d8c753c4205a9ebb94debe85790f551cda2f58f
- SHA256
- ddb2ae8e37ddbdeb975a81fc2a2530128394ed7b575326da333d3dd1a86951e8
-
Stri9de6.rra
- Size
- 4.1KiB (4224 bytes)
- Runtime Process
- JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
- MD5
- d7ce1d1c15336ca221c3582b75b612e8
- SHA1
- 169a027f3fd01e4791176d5dde9cb82467026b35
- SHA256
- ce46fd9f9a892311f1a088b351b12299dced570e6d29b60ba289129e049d4265
-
Stri9e05.rra
- Size
- 4KiB (4084 bytes)
- Runtime Process
- JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
- MD5
- 4b75b170bd6d4a8bc9a00c24f1e69370
- SHA1
- f8a437c31f4bd8773be70ac1f0c4f74e14182d0d
- SHA256
- 88e3c5a90ef88a9e56cbad049e1c301bb0591cbf110d1e72e2ff2a22aeb30826
-
Stri9e23.rra
- Size
- 3.9KiB (3970 bytes)
- Runtime Process
- JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
- MD5
- 9913e3283688e61025d3804c56c451b1
- SHA1
- c70c6cba4df874d9ce1aa032bb34aa09dfdac8fe
- SHA256
- 2cad6dced29395ac2ed56696c03b0b3580ade1b59ab21cef8b3583e89347eb67
-
Stri9e41.rra
- Size
- 4KiB (4116 bytes)
- Runtime Process
- JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
- MD5
- 15f6ddd3d701dcc9bc3d8d0dc972338e
- SHA1
- 48d60b3eefc2841e41983dd46ceb052d67896734
- SHA256
- 6bc7ff846aea9d6f6ba446feb0b01ad84cc53cd575705eed754389fb6b60bd2f
-
Stri9e5f.rra
- Size
- 4KiB (4066 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
- MD5
- e249c8af20c688c103414db347ac22e2
- SHA1
- 9428dbc7e2ed5f934b94597a50ff4ee01e11f1af
- SHA256
- 2cc62aeaa5a549dd4ee54d260828007d7c5ff7cd9c8d47c92225df2501d5eca0
-
Stri9e7d.rra
- Size
- 4.1KiB (4178 bytes)
- Runtime Process
- JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
- MD5
- e24cad8451a5f6911b0e31d0e0c9f9ef
- SHA1
- 9f58e9b57bac5bc8ffbc16591c2f1133fd0084aa
- SHA256
- 33964e48ed968d8eb3b7aaa3fc4a1818db43ad1469253ac5e7a6f71f9bb8d5bd
-
setup.inx
- Size
- 261KiB (267200 bytes)
- Type
- data
- Runtime Process
- JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
- MD5
- 901a05c2cd43c1742c88a31a5153fb31
- SHA1
- 49e23581824cf67a78b59274805ce4866d0c0d10
- SHA256
- 5a70f3a5a3549183d169a173ad396a39ea3b28a3bd287ce40b3595105f45a3e1
-
Fontdata.reg
- Size
- 11KiB (10877 bytes)
- Type
- text
- Description
- ISO-8859 text, with CRLF line terminators
- Runtime Process
- JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
- MD5
- 159e09b736b8cfed0a731b7b0cfb5443
- SHA1
- 3e05fbc862f97ffebececab9b6c915d2dcdb6e3a
- SHA256
- 4e3bc378ebd55f669c39c439d5ee05dab4b3f3a023d5baa00ab5f57817612723
-
layout.bin
- Size
- 674B (674 bytes)
- Type
- data
- Runtime Process
- JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
- MD5
- ec28a7bec7acf3bd441f0040a6c07168
- SHA1
- 4b6b6cec0fb1b81b2780e0ef627061fce0ea41c2
- SHA256
- c8685621f947585077da6137006bb5ee1cc1a8128911ca58a6f28c8dbc00db79
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Extracted file "layout.bin" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/c8685621f947585077da6137006bb5ee1cc1a8128911ca58a6f28c8dbc00db79/analysis/1520526687/")
- Extracted file "setup.inx" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/5a70f3a5a3549183d169a173ad396a39ea3b28a3bd287ce40b3595105f45a3e1/analysis/1520526686/")
- Not all sources for indicator ID "api-25" are available in the report
- Not all sources for indicator ID "api-4" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-6" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "registry-25" are available in the report
- Not all sources for indicator ID "registry-55" are available in the report
- Not all sources for indicator ID "static-6" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report
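The extracted-file entries above and the VirusTotal notifications are the material a responder turns into indicators, but the page is a flattened "- Key / - Value" list that is easy to mis-read by hand (a truncated digest, a size that does not match its byte count, a permalink that points at a different hash than the listing). The block below is an added example and not part of the Hybrid Analysis report or its tooling: a parser for this page's layout that validates every record (hex alphabet and exact digest length for MD5/SHA1/SHA256, the rounded KiB figure against the exact byte count, the PID in the Runtime Process field), drops section headers such as "Informative 23", and cross-checks the SHA-256 embedded in each VirusTotal permalink against the listing. The two sample entries and the two notification lines are copied from this report; the function and field names (parse_listing, vt_unknown, Artifact) are the example's own. One caveat a practitioner should carry along: setup.inx and layout.bin are standard InstallShield runtime files, so their hashes characterize the installer packaging rather than anything specific to this sample, and a VirusTotal miss on them says nothing either way about the package.

```python
# Added example (not Hybrid Analysis code): turn the report's flattened
# "- Key / - Value" extracted-file listing into validated IOC records.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Two entries copied from the report above, in the page's own layout.
SAMPLE = """\
layout.bin
- Size
- 674B (674 bytes)
- Runtime Process
- JungUmGW_Viewer_20140220_v913_780.exe (PID: 2352)
- MD5
- ec28a7bec7acf3bd441f0040a6c07168
- SHA1
- 4b6b6cec0fb1b81b2780e0ef627061fce0ea41c2
- SHA256
- c8685621f947585077da6137006bb5ee1cc1a8128911ca58a6f28c8dbc00db79
-
setup.inx
- Size
- 261KiB (267200 bytes)
- Type
- data
- MD5
- 901a05c2cd43c1742c88a31a5153fb31
- SHA256
- 5a70f3a5a3549183d169a173ad396a39ea3b28a3bd287ce40b3595105f45a3e1
-
"""

# The two VirusTotal lines copied from the report's Notifications block.
NOTIFICATIONS = """\
Extracted file "layout.bin" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/c8685621f947585077da6137006bb5ee1cc1a8128911ca58a6f28c8dbc00db79/analysis/1520526687/")
Extracted file "setup.inx" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/5a70f3a5a3549183d169a173ad396a39ea3b28a3bd287ce40b3595105f45a3e1/analysis/1520526686/")
"""

KEYS = {"Size", "Runtime Process", "MD5", "SHA1", "SHA256"}  # keys we record
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
UNIT = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2}
SIZE_RE = re.compile(r"^([\d.]+)(B|KiB|MiB) \((\d+) bytes\)$")
PROC_RE = re.compile(r"^(.+) \(PID: (\d+)\)$")
VT_RE = re.compile(r'Extracted file "([^"]+)" was unknown to VirusTotal.*?'
                   r'virustotal\.com/file/([0-9a-f]{64})/')

@dataclass
class Artifact:
    name: str
    size_bytes: Optional[int] = None
    pid: Optional[int] = None
    md5: Optional[str] = None
    sha1: Optional[str] = None
    sha256: Optional[str] = None
    problems: List[str] = field(default_factory=list)  # validation findings

def _apply(art: Artifact, key: str, value: str) -> None:
    """Store one Key/Value pair on the record, validating it on the way in."""
    if key == "Size":
        m = SIZE_RE.match(value)
        art.size_bytes = int(m.group(3)) if m else None
        # The human-readable figure is rounded; tolerate up to one unit of drift.
        if not m or abs(float(m.group(1)) * UNIT[m.group(2)] - art.size_bytes) > UNIT[m.group(2)]:
            art.problems.append("size unparsable or inconsistent")
    elif key == "Runtime Process":
        m = PROC_RE.match(value)
        if m:
            art.pid = int(m.group(2))
    else:  # MD5 / SHA1 / SHA256 must be hex of exactly the digest length
        k, v = key.lower(), value.lower()
        if re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[k], v):
            setattr(art, k, v)
        else:
            art.problems.append(f"malformed {key}")

def parse_listing(text: str) -> List[Artifact]:
    """Parse the listing; bullets that are not a known key (or its value) are skipped,
    and bare lines without any hash (section headers like 'Informative 23') are dropped."""
    records, cur, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-":                   # bare bullet: entry separator
            pending = None
        elif not line.startswith("- "):   # bare text: a new file entry begins
            cur = Artifact(name=line)
            records.append(cur)
            pending = None
        elif pending is None:             # expecting a key
            pending = line[2:] if line[2:] in KEYS else None
        elif cur is not None:             # expecting the value for `pending`
            _apply(cur, pending, line[2:])
            pending = None
    return [a for a in records if a.sha256 or a.problems]

def vt_unknown(artifacts: List[Artifact], notifications: str) -> dict:
    """Name -> SHA-256 of VT-unknown files whose permalink hash matches the listing."""
    by_name = {a.name: a for a in artifacts}
    return {name: sha for name, sha in VT_RE.findall(notifications)
            if (art := by_name.get(name)) and art.sha256 == sha}
```

Run it over the full page text instead of SAMPLE to get every extracted file as a record; anything with a non-empty problems list is an entry to re-read rather than to paste into a blocklist, and the returned dict from vt_unknown is the set of hashes that were genuinely first-seen at submission time.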