setup1200.exe
This report is generated from a file or URL submitted to this webservice on August 14th 2019 00:41:17 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Spyware
  - Found a string that may be used as part of an injection method
- Persistence
  - Writes data to a remote process
- Fingerprint
  - Queries kernel debugger information
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Evasive
  - Marks file for deletion
  - Possibly tries to implement anti-virtualization techniques
- Spreading
  - Opens the MountPointManager (often used to detect additional infection locations)
  - Tries to access unusual system drive letters
- Network Behavior
  - Contacts 3 domains and 3 hosts.
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed.

Malicious Indicators 3

Installation/Persistence

Writes data to a remote process
- details
  "rundll32.exe" wrote 32 bytes to a remote process "%PROGRAMFILES%\Internet Explorer\iexplore.exe" (Handle: 436)
  "rundll32.exe" wrote 52 bytes to a remote process "%PROGRAMFILES%\Internet Explorer\iexplore.exe" (Handle: 436)
  "rundll32.exe" wrote 4 bytes to a remote process "%PROGRAMFILES%\Internet Explorer\iexplore.exe" (Handle: 436)
  "rundll32.exe" wrote 8 bytes to a remote process "%PROGRAMFILES%\Internet Explorer\iexplore.exe" (Handle: 436)
  "iexplore.exe" wrote 32 bytes to a remote process "%PROGRAMFILES%\(x86)\Internet Explorer\iexplore.exe" (Handle: 912)
  "iexplore.exe" wrote 52 bytes to a remote process "%PROGRAMFILES%\(x86)\Internet Explorer\iexplore.exe" (Handle: 912)
  "iexplore.exe" wrote 8 bytes to a remote process "%PROGRAMFILES%\(x86)\Internet Explorer\iexplore.exe" (Handle: 912)
  "iexplore.exe" wrote 4 bytes to a remote process "%PROGRAMFILES%\(x86)\Internet Explorer\iexplore.exe" (Handle: 912)
- source: API Call
- relevance: 6/10
- ATT&CK ID: T1055

Unusual Characteristics

Contains ability to reboot/shutdown the operating system
- details
  ExitWindowsEx@USER32.DLL from setup1200.exe (PID: 2484)
- source: Hybrid Analysis Technology
- relevance: 5/10

Tries to access unusual system drive letters
- details
  "setup1200.exe" touched "K:"
  "setup1200.exe" touched "L:"
  "setup1200.exe" touched "M:"
  "setup1200.exe" touched "N:"
  "setup1200.exe" touched "O:"
  "setup1200.exe" touched "P:"
  "setup1200.exe" touched "Q:"
  "setup1200.exe" touched "R:"
  "setup1200.exe" touched "S:"
  "setup1200.exe" touched "T:"
  "setup1200.exe" touched "U:"
  "setup1200.exe" touched "V:"
  "setup1200.exe" touched "W:"
- source: API Call
- relevance: 9/10
- ATT&CK ID: T1083

Suspicious Indicators 27

Anti-Detection/Stealthiness

Queries kernel debugger information
- details
  "setup1200.exe" at 00055408-00002484-00000033-20478657074
- source: API Call
- relevance: 6/10

Anti-Reverse Engineering

Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
- details
  "iexplore.exe" is protecting 8192 bytes with PAGE_GUARD access rights
- source: API Call
- relevance: 10/10

Environment Awareness

Possibly tries to implement anti-virtualization techniques
- details
  "trA:8y_DchJ%~wgNq(PC"s+qEMU(/}Ank-viX}=_VNiW_ )>?jE_n_IU^3($6MNiR83OFaEyVdMP6J9iRmV=g&nL]L0~jfW&[3Q^" (Indicator: "qemu")
- source: File/Memory
- relevance: 4/10

Reads the cryptographic machine GUID
- details
  "setup1200.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012

General

Contains ability to find and load resources of a specific module
- details
  LoadResource@KERNEL32.DLL from setup1200.exe (PID: 2484)
  LoadResource@KERNEL32.DLL from setup1200.exe (PID: 2484)
  LoadResource@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10

Reads configuration files
- details
  "setup1200.exe" read file "%TEMP%\{537E2BD9-7AE8-4580-8E8E-18C37A914E03}\Setup.INI"
  "setup1200.exe" read file "%TEMP%\{537E2BD9-7AE8-4580-8E8E-18C37A914E03}\_ISMSIDEL.INI"
  "setup1200.exe" read file "%TEMP%\{537E2BD9-7AE8-4580-8E8E-18C37A914E03}\0x0409.ini"
- source: API Call
- relevance: 4/10

Installation/Persistence

Drops executable files
- details
  "ISExternalUI.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "MSI6018.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source: Binary File
- relevance: 10/10

Network Related

Found potential IP address in binary/memory
- details
  "4.05.0.0"
  "2.9.0.0"
  Heuristic match: "ScriptVer=1.0.0.1"
- source: File/Memory
- relevance: 3/10

Sends traffic on typical HTTP outbound port, but without HTTP header
- details
  TCP traffic to 69.39.239.211 on port 443 is sent without HTTP header
  TCP traffic to 184.51.50.36 on port 443 is sent without HTTP header
  TCP traffic to 104.18.20.226 on port 443 is sent without HTTP header
- source: Network Traffic
- relevance: 5/10

System Destruction

Marks file for deletion
- details
  "C:\setup1200.exe" marked "%TEMP%\_MSI5166._IS" for deletion
  "C:\setup1200.exe" marked "%TEMP%\~3FA9.tmp" for deletion
  "C:\setup1200.exe" marked "%TEMP%\~3FC9.tmp" for deletion
  "C:\setup1200.exe" marked "%TEMP%\~567F.tmp" for deletion
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1107

Opens file with deletion access rights
- details
  "setup1200.exe" opened "%TEMP%\_MSI5166._IS" with delete access
  "setup1200.exe" opened "%TEMP%\~3FA9.tmp" with delete access
  "setup1200.exe" opened "%TEMP%\~3FC9.tmp" with delete access
  "setup1200.exe" opened "%TEMP%\~567F.tmp" with delete access
- source: API Call
- relevance: 7/10

Unusual Characteristics

CRC value set in PE header does not match actual value
- details
  "MSI6018.tmp" claimed CRC 157984 while the actual is CRC 346073
- source: Static Parser
- relevance: 10/10

Imports suspicious APIs
- details
  RegCloseKey
  RegOpenKeyW
  GetFileAttributesW
  GetThreadContext
  GetTempPathW
  WriteProcessMemory
  OutputDebugStringW
  GetModuleFileNameW
  GetModuleFileNameA
  TerminateProcess
  LoadLibraryW
  GetTickCount
  VirtualProtect
  GetVersionExA
  LoadLibraryA
  GetStartupInfoA
  GetFileSize
  DeleteFileW
  GetProcAddress
  VirtualProtectEx
  GetTempFileNameW
  WriteFile
  FindFirstFileW
  CreateFileW
  LockResource
  GetCommandLineA
  GetModuleHandleA
  GetModuleHandleW
  FindResourceW
  CreateProcessW
  Sleep
  VirtualAlloc
  IsDebuggerPresent
  UnhandledExceptionFilter
  CreateToolhelp32Snapshot
  OpenProcess
  CreateFileA
  Process32NextW
  Process32FirstW
  ShellExecuteW
  ShellExecuteExW
- source: Static Parser
- relevance: 1/10

Installs hooks/patches the running process
- details
  "setup1200.exe" wrote bytes "b436bb74" to virtual address "0x74BC025C" (part of module "SSPICLI.DLL")
  "setup1200.exe" wrote bytes "d83abb74" to virtual address "0x74BC01FC" (part of module "SSPICLI.DLL")
  "setup1200.exe" wrote bytes "68130000" to virtual address "0x74C01680" (part of module "WS2_32.DLL")
  "setup1200.exe" wrote bytes "b840139274ffe0" to virtual address "0x74BB3AD8" (part of module "SSPICLI.DLL")
  "setup1200.exe" wrote bytes "d83a0200" to virtual address "0x74BB4E38" (part of module "SSPICLI.DLL")
  "setup1200.exe" wrote bytes "d83a0200" to virtual address "0x74BB4D78" (part of module "SSPICLI.DLL")
  "setup1200.exe" wrote bytes "7111d7017a3bd601ab8b02007f950200fc8c0200729602006cc805001ecdd3017d26d301" to virtual address "0x756007E4" (part of module "USER32.DLL")
  "setup1200.exe" wrote bytes "000000000000000000000000020002004c0100803000008030010080480000800a0000006000008010000000780000800000000000000000000000000000010001000000900000800000000000000000000000000000010001000000a8000080" to virtual address "0x73C41000" (part of module "MSIMSG.DLL")
  "setup1200.exe" wrote bytes "d83abb74" to virtual address "0x74BC0258" (part of module "SSPICLI.DLL")
  "setup1200.exe" wrote bytes "b436bb74" to virtual address "0x74BC0278" (part of module "SSPICLI.DLL")
  "setup1200.exe" wrote bytes "d83abb74" to virtual address "0x74BC0274" (part of module "SSPICLI.DLL")
  "setup1200.exe" wrote bytes "b830129274ffe0" to virtual address "0x74C01368" (part of module "WS2_32.DLL")
  "setup1200.exe" wrote bytes "c0df31771cf93077ccf830770d64327700000000c011707500000000fc3e707500000000e0137075000000009457817525e03177c6e0317700000000bc6a807500000000cf3170750000000093198175000000002c32707500000000" to virtual address "0x772C1000" (part of module "NSI.DLL")
  "setup1200.exe" wrote bytes "b8c0159274ffe0" to virtual address "0x74BB36B4" (part of module "SSPICLI.DLL")
  "setup1200.exe" wrote bytes "b4360200" to virtual address "0x74BB4D68" (part of module "SSPICLI.DLL")
  "setup1200.exe" wrote bytes "b436bb74" to virtual address "0x74BC01E4" (part of module "SSPICLI.DLL")
  "setup1200.exe" wrote bytes "d83abb74" to virtual address "0x74BC01E0" (part of module "SSPICLI.DLL")
  "setup1200.exe" wrote bytes "b436bb74" to virtual address "0x74BC0200" (part of module "SSPICLI.DLL")
  "setup1200.exe" wrote bytes "60129274" to virtual address "0x75BAE324" (part of module "WININET.DLL")
  "setup1200.exe" wrote bytes "b4360200" to virtual address "0x74BB4EA4" (part of module "SSPICLI.DLL")
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1179

Reads information about supported languages
- details
  "setup1200.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012

Hiding 12 Suspicious Indicators

Informative 31

Anti-Reverse Engineering

Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
  SetUnhandledExceptionFilter@KERNEL32.DLL from setup1200.exe (PID: 2484)
  SetUnhandledExceptionFilter@KERNEL32.DLL from setup1200.exe (PID: 2484)
  SetUnhandledExceptionFilter@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10

Found strings in conjunction with a procedure lookup that resolve to a known API export symbol
- details
  Found reference to API CorExitProcess@CLR.DLL from setup1200.exe (PID: 2484)
  Found reference to API GetDiskFreeSpaceExW@KERNEL32.DLL from setup1200.exe (PID: 2484)
  Found reference to API IsWow64Process@KERNEL32.DLL from setup1200.exe (PID: 2484)
  Found reference to API GetSystemDefaultUILanguage@KERNEL32.DLL from setup1200.exe (PID: 2484)
  Found reference to API GetNativeSystemInfo@KERNEL32.DLL from setup1200.exe (PID: 2484)
- source: Hybrid Analysis Technology
- relevance: 10/10

Environment Awareness

Contains ability to query machine time
- details
  GetSystemTimeAsFileTime@KERNEL32.DLL from setup1200.exe (PID: 2484)
  GetSystemTimeAsFileTime@KERNEL32.DLL from setup1200.exe (PID: 2484)
  GetLocalTime@KERNEL32.DLL from setup1200.exe (PID: 2484)
- source: Hybrid Analysis Technology
- relevance: 1/10
- ATT&CK ID: T1124

Contains ability to query the machine version
- details
  GetVersion@KERNEL32.DLL from setup1200.exe (PID: 2484)
  GetVersionExW@KERNEL32.DLL from setup1200.exe (PID: 2484)
  GetVersionExW@KERNEL32.DLL from setup1200.exe (PID: 2484)
  GetVersionExW@KERNEL32.DLL from setup1200.exe (PID: 2484)
  GetVersionExW@KERNEL32.DLL from setup1200.exe (PID: 2484)
  GetVersion@KERNEL32.DLL from setup1200.exe (PID: 2484)
  GetVersion@KERNEL32.DLL from setup1200.exe (PID: 2484)
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query volume size
- details
  GetDiskFreeSpaceW@KERNEL32.DLL from setup1200.exe (PID: 2484)
- source: Hybrid Analysis Technology
- relevance: 3/10
- ATT&CK ID: T1083

Makes a code branch decision directly after an API that is environment aware
- details
  Found API call GetVersion@KERNEL32.DLL directly followed by "cmp ecx, eax" and "ret " from setup1200.exe (PID: 2484)
  Found API call GetVersionExW@KERNEL32.DLL directly followed by "cmp word ptr [ebp+00000114h], 0001h" and "jnc 00425635h" from setup1200.exe (PID: 2484)
  Found API call GetVersionExW@KERNEL32.DLL directly followed by "cmp dword ptr [ebp+04h], 05h" and "jne 004283B4h" from setup1200.exe (PID: 2484)
  Found API call GetVersion@KERNEL32.DLL directly followed by "cmp ecx, eax" and "ret " from setup1200.exe (PID: 2484)
- source: Hybrid Analysis Technology
- relevance: 10/10

Queries volume information
- details
  "setup1200.exe" queries volume information of "C:\" at 00055408-00002484-00000046-24456714003
  "setup1200.exe" queries volume information of "C:\" at 00055408-00002484-00000046-26547352428
- source: API Call
- relevance: 2/10
- ATT&CK ID: T1120

Queries volume information of an entire hard drive
- details
  "setup1200.exe" queries volume information of "C:\" at 00055408-00002484-00000046-24456714003
  "setup1200.exe" queries volume information of "C:\" at 00055408-00002484-00000046-26547352428
- source: API Call
- relevance: 8/10
- ATT&CK ID: T1120

Reads the registry for installed applications
- details
  "rundll32.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\IEXPLORE.EXE")
  "rundll32.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\IEXPLORE.EXE")
  "rundll32.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\IEXPLORE.EXE"; Key: "PATH"; Value: "00000000010000004800000043003A005C00500072006F006700720061006D002000460069006C00650073005C0049006E007400650072006E006500740020004500780070006C006F007200650072003B000000")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012

External Systems

Sample was identified as clean by Antivirus engines
- details
  0/62 Antivirus vendors marked sample as malicious (0% detection rate)
- source: External System
- relevance: 10/10

General

Contacts domains
- details
  "seal.alphassl.com"
  "www.e-sword.net"
  "www.paypalobjects.com"
- source: Network Traffic
- relevance: 1/10

Contacts server
- details
  "69.39.239.211:443"
  "184.51.50.36:443"
  "104.18.20.226:443"
- source: Network Traffic
- relevance: 1/10

Contains PDB pathways
- details
  "C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup___Win32_Release_Unicode\setup.pdb"
- source: File/Memory
- relevance: 1/10

Creates a writable file in a temporary directory
- details
  "setup1200.exe" created file "%TEMP%\_MSI5166._IS"
  "setup1200.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{537E2BD9-7AE8-4580-8E8E-18C37A914E03}\Setup.INI"
  "setup1200.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{537E2BD9-7AE8-4580-8E8E-18C37A914E03}\_ISMSIDEL.INI"
  "setup1200.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{537E2BD9-7AE8-4580-8E8E-18C37A914E03}\0x0409.ini"
  "setup1200.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\~3FA9.tmp"
  "setup1200.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\~3FC9.tmp"
  "setup1200.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{537E2BD9-7AE8-4580-8E8E-18C37A914E03}\e-Sword.msi"
  "setup1200.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\~567F.tmp"
  "setup1200.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{537E2BD9-7AE8-4580-8E8E-18C37A914E03}\ISExternalUI.dll"
  "setup1200.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_bb5C5C.tmp"
  "setup1200.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_bb5C6D.tmp"
  "setup1200.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_bb5C6E.tmp"
  "iexplore.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\~DF7345DBD54BE585C3.TMP"
  "iexplore.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\~DF8CBEB982963C5D0C.TMP"
  "iexplore.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\~DF0C2090F2B7E6B2E8.TMP"
  "iexplore.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\JavaDeployReg.log"
  "iexplore.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\JavaDeployReg.log"
- source: API Call
- relevance: 1/10

Creates mutants
- details
  "\Sessions\1\BaseNamedObjects\Global\_MSIExecute"
  "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
  "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
  "\Sessions\1\BaseNamedObjects\IsoScope_ad4_IESQMMUTEX_0_519"
  "{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}"
  "Local\ZonesLockedCacheCounterMutex"
  "{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"
  "Local\URLBLOCK_FILEMAPSWITCH_MUTEX_2772"
  "IsoScope_ad4_IESQMMUTEX_0_519"
  "IsoScope_ad4_IESQMMUTEX_0_331"
  "IsoScope_ad4_IESQMMUTEX_0_303"
  "IsoScope_ad4_ConnHashTable<2772>_HashTable_Mutex"
  "Local\URLBLOCK_HASHFILESWITCH_MUTEX"
  "Local\!BrowserEmulation!SharedMemory!Mutex"
  "Local\URLBLOCK_DOWNLOAD_MUTEX"
  "Local\ZonesCacheCounterMutex"
  "IsoScope_ad4_IE_EarlyTabStart_0x9cc_Mutex"
  "UpdatingNewTabPageData"
  "Local\VERMGMTBlockListFileMutex"
  "\Sessions\1\BaseNamedObjects\Local\!BrowserEmulation!SharedMemory!Mutex"
- source: Created Mutant
- relevance: 3/10

Drops files marked as clean
- details
  Antivirus vendors marked dropped file "ISExternalUI.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
  Antivirus vendors marked dropped file "urlblockindex_1_.bin" as clean (type is "data")
  Antivirus vendors marked dropped file "MSI6018.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- source: Binary File
- relevance: 10/10

Launches a browser
- details
  Launches browser "iexplore.exe"
  Launches browser "iexplore.exe"
- source: Monitored Target
- relevance: 3/10

Loads rich edit control libraries
- details
  "setup1200.exe" loaded module "%WINDIR%\SysWOW64\riched20.dll" at 73530000
- source: Loaded Module
- ATT&CK ID: T1179

Loads the visual basic runtime environment
- details
  "setup1200.exe" loaded module "%WINDIR%\SysWOW64\msvbvm60.dll" at 72940000
- source: Loaded Module

Overview of unique CLSIDs touched in registry
- details
  "setup1200.exe" touched "Microsoft Windows Installer Message RPC" (Path: "HKCU\CLSID\{000C101D-0000-0000-C000-000000000046}\DLLVERSION")
  "setup1200.exe" touched "Msi install server" (Path: "HKCU\WOW6432NODE\CLSID\{000C101C-0000-0000-C000-000000000046}")
  "setup1200.exe" touched "PSFactoryBuffer" (Path: "HKCR\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{000C103E-0000-0000-C000-000000000046}")
  "rundll32.exe" touched "Computer" (Path: "HKCU\WOW6432NODE\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
  "rundll32.exe" touched "Network" (Path: "HKCU\WOW6432NODE\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\SHELLFOLDER")
  "rundll32.exe" touched "Property System Both Class Factory" (Path: "HKCU\WOW6432NODE\CLSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}")
  "rundll32.exe" touched "Application Registration" (Path: "HKCU\WOW6432NODE\CLSID\{591209C7-767B-42B2-9FBA-44EE4615F2C7}\TREATAS")
- source: Registry Access
- relevance: 3/10

Process launched with changed environment
- details
  Process "iexplore.exe" was launched with new environment variables: "PATH="%PROGRAMFILES%\Internet Explorer;""
  Process "iexplore.exe" was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles"
  Process "iexplore.exe" was launched with missing environment variables: "PROCESSOR_ARCHITEW6432"
- source: Monitored Target
- relevance: 10/10

Scanning for window names
- details
  "setup1200.exe" searching for class "Shell_TrayWnd"
  "rundll32.exe" searching for class "IEFrame"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1010

Spawns new processes
- details
  Spawned process "rundll32.exe" with commandline "url.dll,FileProtocolHandler https://www.e-sword.net/support.html"
  Spawned process "iexplore.exe" with commandline "https://www.e-sword.net/support.html"
  Spawned process "iexplore.exe" with commandline "SCODEF:2772 CREDAT:275457 /prefetch:2"
- source: Monitored Target
- relevance: 3/10

Spawns new processes that are not known child processes
- details
  Spawned process "rundll32.exe" with commandline "url.dll,FileProtocolHandler https://www.e-sword.net/support.html"
  Spawned process "iexplore.exe" with commandline "https://www.e-sword.net/support.html"
  Spawned process "iexplore.exe" with commandline "SCODEF:2772 CREDAT:275457 /prefetch:2"
- source: Monitored Target
- relevance: 3/10

Installation/Persistence

Connects to LPC ports
- details
  "setup1200.exe" connecting to "\ThemeApiPort"
  "rundll32.exe" connecting to "\ThemeApiPort"
- source: API Call
- relevance: 1/10

Dropped files
- details
  "ISExternalUI.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "urlblockindex_1_.bin" has type "data"
  "e-Sword.msi" has type "Composite Document File V2 Document Can't read SAT"
  "header-logo_1_.png" has type "PNG image data 91 x 83 8-bit/color RGBA non-interlaced"
  "_bb5C5C.tmp" has type "JPEG image data JFIF standard 1.01 resolution (DPI) density 72x72 segment length 16 baseline precision 8 499x281 frames 3"
  "~DF8CBEB982963C5D0C.TMP" has type "data"
  "6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04" has type "data"
  "B039FEA45CB4CC4BBACFC013C7C55604_6DFE27C9802832CAC46BC915125192F6" has type "data"
  "RecoveryStore._D19DFCD7-BE2C-11E9-97AD-3C0027B82311_.dat" has type "Composite Document File V2 Document Cannot read section info"
  "BC570EC0DE58335AFAF92FDC8E3AA330_B0CE1266D4057E7D64FB659E1B9B7E67" has type "data"
  "0x0409.ini" has type "Little-endian UTF-16 Unicode text with very long lines with CRLF CR line terminators"
  "MSI6018.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "~DF0C2090F2B7E6B2E8.TMP" has type "data"
  "siteSeal_1_.js" has type "exported SGML document ASCII text with CRLF line terminators"
  "header-bg_1_.png" has type "PNG image data 297 x 297 4-bit colormap non-interlaced"
  "support_1_.htm" has type "HTML document ASCII text with very long lines with CRLF line terminators"
  "suggestions_1_.en-US" has type "data"
  "50D6B15D9F2DCE1EDBB0C098625FBE47_281AC807DE0FEF15F2CA9911FE760A9B" has type "data"
  "_D19DFCD9-BE2C-11E9-97AD-3C0027B82311_.dat" has type "Composite Document File V2 Document Cannot read section info"
  "CQFN6YND.txt" has type "ASCII text"
- source: Binary File
- relevance: 3/10

Touches files in the Windows directory
- details
  "setup1200.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
  "setup1200.exe" touched file "%WINDIR%\Fonts\StaticCache.dat"
  "setup1200.exe" touched file "%WINDIR%\SysWOW64\en-US\msctf.dll.mui"
  "setup1200.exe" touched file "%WINDIR%\SysWOW64\rsaenh.dll"
  "setup1200.exe" touched file "%WINDIR%\SysWOW64\msimsg.dll"
  "setup1200.exe" touched file "%WINDIR%\SysWOW64\en-US\msimsg.dll.mui"
  "setup1200.exe" touched file "%WINDIR%\AppPatch\msimain.sdb"
  "setup1200.exe" touched file "%WINDIR%\SysWOW64\sxs.dll"
  "setup1200.exe" touched file "%WINDIR%\SysWOW64\en-US\sxs.dll.mui"
  "setup1200.exe" touched file "%WINDIR%\SysWOW64\ar-SA\sxs.DLL.mui"
  "setup1200.exe" touched file "%WINDIR%\SysWOW64\bg-BG\sxs.DLL.mui"
  "setup1200.exe" touched file "%WINDIR%\SysWOW64\cs-CZ\sxs.DLL.mui"
  "setup1200.exe" touched file "%WINDIR%\SysWOW64\da-DK\sxs.DLL.mui"
- source: API Call
- relevance: 7/10

Network Related

Found potential URL in binary/memory
- details
  Heuristic match: "z rVW+.NI"
  Heuristic match: "13Sp_'.Ma"
  Heuristic match: "JG\AX5'.mP"
  Heuristic match: "E:q`lQ.sJ"
  Pattern match: "http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d"
  Heuristic match: "seal.alphassl.com"
  Pattern match: "www.e-sword.net"
  Pattern match: "www.paypalobjects.com"
  Pattern match: "https://www.e-sword.net/support.html"
  Pattern match: "https://www.e-sword.net/"
  Pattern match: "http://html5shiv.googlecode.com/svn/trunk/html5.js"
  Pattern match: "http://www.mozilla.org/en-US/firefox/fx/#desktop"
  Pattern match: "https://www.paypal.com/cgi-bin/webscr"
  Pattern match: "https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif"
  Pattern match: "https://www.paypalobjects.com/en_US/i/scr/pixel.gif"
  Pattern match: "http://www.alphassl.com/ssl-certificates/wildcard-ssl.html"
  Pattern match: "www.e-sword.net/feedback.htmlIS_PROGMSG_TEXTFILECHANGS_REPLACECE0BB7EFF9BB078FFEAC179F8EDB978F8E8BE78F49ECD0DFCEEB90BF898BF0CFE91CE0D8FEACDWUSLINKhttp://www.e-sword.net/downloads.htmlARPHELPLINKhttp://www.e-sword.net/ARPURLUPDATEINFOsupport@e-sword.netARPU"
  Pattern match: "https://www.e-sword.net/support.htmlPrintScrollableText[%ALLUSERSPROFILE][%SystemRoot]\Profiles\All"
  Pattern match: "RegQueryValueExArRegOpenKeyExAADVAPI32.dllOLEAUT32.dllmsi.dll/RtlUnwindRaiseExceptionGetCommandLineAtGetVersionHeapFree}ExitProcessTerminateProcessGetCurrentProcessHeapReAllocHeapAllocHeapSizeGetCurrentThreadIdTlsSetValueTlsAllocTlsFreeTlsGetValueInitializ"
  Pattern match: "kD-kc-k.k.kL/k/k0k2k4k6k[9k9k"
  Pattern match: "ek.ek/ek=ek"
  Pattern match: "D-0.T.lH/t/"
  Pattern match: "http://crl.verisign.com/tss-ca.crl0U%0"
  Pattern match: "crl.verisign.com/ThawteTimestampingCA.crl0U%0"
  Pattern match: "https://www.verisign.com/rpa"
  Pattern match: "csc3-2009-2-crl.verisign.com/CSC3-2009-2.crl0DU"
  Pattern match: "csc3-2009-2-aia.verisign.com/CSC3-2009-2.cer0U#0k&p?-50`HB0"
  Pattern match: "https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0"
  Pattern match: "https://www.macromedia.com/go/getflashplayer"
- source: File/Memory
- relevance: 10/10
Spyware/Information Retrieval
-
Found a reference to a known community page
- details
-
"www.paypalobjects.com" (Indicator: "paypal")
" Begin PayPal Logo -->" (Indicator: "paypal")
"<form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top">" (Indicator: "paypal")
"<input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_donateCC_LG.gif" border="0" name="submit" alt="PayPal - The safer easier way to pay online!">" (Indicator: "paypal")
"<img alt="" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">" (Indicator: "paypal")
" End PayPal Logo -->" (Indicator: "paypal")
"PYPF
CT
paypalobjects.com/
2147484672
595310464
30763066
2509417602
30757433
*" (Indicator: "paypal")
"paypalobjects.com/" (Indicator: "paypal") - source
- File/Memory
- relevance
- 7/10
-
Found a reference to a known community page
-
System Security
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"setup1200.exe" opened "\Device\KsecDD"
"rundll32.exe" opened "\Device\KsecDD" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215 (Show technique in the MITRE ATT&CK™ matrix)
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
-
"ISExternalUI.dll" was detected as "Armadillo v1.xx - v2.xx"
"MSI6018.tmp" was detected as "Visual C++ 2005 DLL -> Microsoft" - source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1002 (Show technique in the MITRE ATT&CK™ matrix)
-
Matched Compiler/Packer signature
File Details
setup1200.exe
- Filename
- setup1200.exe
- Size
- 58MiB (60340982 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- a28771c1e89c474cad0dcd22d8e5bd92e42d55fa99a8d8eb961525e75ebcd766
- MD5
- 32a1d84aea525f2d75a9f3fb12ac0466
- SHA1
- 57eb4acf76373683760fa1646c35a51d007c03ee
Classification (TrID)
- 36.1% (.EXE) InstallShield setup
- 26.2% (.EXE) Win32 Executable MS Visual C++ (generic)
- 23.2% (.EXE) Win64 Executable (generic)
- 5.5% (.DLL) Win32 Dynamic Link Library (generic)
- 3.7% (.EXE) Win32 Executable (generic)
Screenshots
Hybrid Analysis
Analysed 4 processes in total (System Resource Monitor).
- setup1200.exe (PID: 2484)
- rundll32.exe url.dll,FileProtocolHandler https://www.e-sword.net/support.html (PID: 324)
- iexplore.exe https://www.e-sword.net/support.html (PID: 2772)
- iexplore.exe SCODEF:2772 CREDAT:275457 /prefetch:2 (PID: 1700)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
seal.alphassl.com | 104.18.20.226 (TTL: 299) | - | United States |
www.e-sword.net | 69.39.239.211 (TTL: 3828) | - | United States |
www.paypalobjects.com | 23.196.40.222 (TTL: 2896) | - | United States |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
69.39.239.211 | 443 TCP | iexplore.exe PID: 1700 | United States |
184.51.50.36 | 443 TCP | iexplore.exe PID: 1700 | United States |
104.18.20.226 | 443 TCP | iexplore.exe PID: 1700 | United States |
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
http://www.installshield.com/isetup/proerrorcentral.asp?errorcode | Domain/IP reference | 00055408-00002484-48156-1089-00411FBD |
2.0.0.0 | Domain/IP reference | 00055408-00002484-48156-1472-0042A214 |
2.9.0.0 | Domain/IP reference | 00055408-00002484-48156-1473-00437A6D |
3.0.0.0 | Domain/IP reference | 00055408-00002484-48156-1472-0042A214 |
Extracted Files
Displaying 22 extracted file(s). The remaining 42 file(s) are available in the full version and XML/JSON reports.
-
Clean 2
-
-
ISExternalUI.dll
- Size
- 293KiB (300424 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/66
- Runtime Process
- setup1200.exe (PID: 2484)
- MD5
- 535766c3f5345d8b33681d1027ab3c7c
- SHA1
- 7d13a9d7159fcce712292f774f08df6dd36512ca
- SHA256
- b2f98af105c82dc67768a270bb7974574474ab12533cbb3107604d5f36c95d2f
-
urlblockindex_1_.bin
- Size
- 16B (16 bytes)
- Type
- data
- AV Scan Result
- 0/65
- MD5
- fa518e3dfae8ca3a0e495460fd60c791
- SHA1
- e4f30e49120657d37267c0162fd4a08934800c69
- SHA256
- 775853600060162c4b4e5f883f9fd5a278e61c471b3ee1826396b6d129499aa7
-
-
Informative Selection 1
-
-
en-US.4
- Size
- 18KiB (18176 bytes)
- Type
- data
- Runtime Process
- iexplore.exe (PID: 2772)
- MD5
- 5a34cb996293fde2cb7a4ac89587393a
- SHA1
- 3c96c993500690d1a77873cd62bc639b3a10653f
- SHA256
- c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
-
-
Informative 19
-
-
45XCBBF3.txt
- Size
- 120B (120 bytes)
- Runtime Process
- iexplore.exe (PID: 1700)
- MD5
- 06b6e41d8b0193d701b20fdb65367c5f
- SHA1
- 736dc1d719f069d1fa32808b2f29bda9a1a5a354
- SHA256
- e25b7973fe7a52c8c94a9b4c37c5f808b94a50938406abe7d5e8f73e6ce9ee3a
-
469IL3Y1.txt
- Size
- 66B (66 bytes)
- Runtime Process
- iexplore.exe (PID: 2772)
- MD5
- ef1bab2d65429a907f3c7ade2387f647
- SHA1
- 31fd6f26dc66574eb9bdb1e2ab2d973ed9b3e1b3
- SHA256
- 9425dfef6ac00d0adc92f8a159f9ea4c92f3a96576c91edb5423829d112b8126
-
CQFN6YND.txt
- Size
- 79B (79 bytes)
- Type
- text
- Description
- ASCII text
- Runtime Process
- iexplore.exe (PID: 1700)
- MD5
- b14a7c0012e72f884a3b9fcd7eca168d
- SHA1
- 40651d2635968ab72c6bf427fc42e37c9f7f474e
- SHA256
- e2858f4682593e497712ccd4edad3094379a2bae656ddb73563076d6ed29db1a
-
OUH4M19I.txt
- Size
- 120B (120 bytes)
- Runtime Process
- iexplore.exe (PID: 1700)
- MD5
- 9fc2b3e87a4d2f9eeee01a185428a501
- SHA1
- a810dfe29d05cbd81b2df5ab4869ae4b38c366ee
- SHA256
- 12435ed02a4a41cda8fb23cbc2e4fd14f74a3651a898c42e18bda8553f7156bc
-
QKPP852O.txt
- Size
- 160B (160 bytes)
- Runtime Process
- iexplore.exe (PID: 2772)
- MD5
- f05cd6671d4916ef44000f5ee0efb8e2
- SHA1
- 5e59f4f0d1b66b7c55ba4ffa564b3f015b68b405
- SHA256
- 10019507a97149ae6eab8c3c282d1602839451c4fc46c1f5398d26d50b10722c
-
e-Sword.msi
- Size
- 5MiB (5236273 bytes)
- Type
- rtf
- Description
- Composite Document File V2 Document, Can't read SAT
- Runtime Process
- setup1200.exe (PID: 2484)
- MD5
- ceec4e52f19d0c96eabb22b64f691f36
- SHA1
- 2e31942d4dc238c07126635c7fab9972afc25d40
- SHA256
- b323848aadbbde1c40cc53a662e27be2c34038ef5d34b6f8b20cad4aed9a9f6b
-
imagestore.dat
- Size
- 956B (956 bytes)
- Runtime Process
- iexplore.exe (PID: 1700)
- MD5
- 7d4462b5d58b7f68c97080970de7aa1d
- SHA1
- 2ef69f8b491056acf445f4e2b27e7b5f7290dfa5
- SHA256
- b02d73257b8e871b342d0a19bb95b2d0339d95b63f617850c44dfb88e32709a9
-
6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
- Size
- 1.5KiB (1507 bytes)
- Runtime Process
- iexplore.exe (PID: 1700)
- MD5
- f20c1a7ce78a0114e81f8898a3c48df2
- SHA1
- 82ab4cf6bba3c5b8af3a475b01e3ac29a518c629
- SHA256
- 0b720a758ebfc8f9d77508f7a1e378a45c656b9bd0d887c7282513d1e7c48ee2
-
77F12B034AEDCF94AE3AC5680669205B_CEF79E62036F6A4311806781F0EC3E43
- Size
- 471B (471 bytes)
- Runtime Process
- iexplore.exe (PID: 1700)
- MD5
- 3f5d4aad28e203d8e950f45a2eaf8574
- SHA1
- cafb10fc092801675b21eabd827fb52c65a69a10
- SHA256
- 29f57ebae3fabe61f602cd6db3230edcd1c0073fd4483f108861e4b485e7dbdf
-
8828F39C7C0CE9A14B25C7EB321181BA_0F3B0F9C7E9E8F15AA930243C0EFCBA2
- Size
- 1.7KiB (1754 bytes)
- Runtime Process
- iexplore.exe (PID: 1700)
- MD5
- e9c1b64089c9456fb7f9db10ab93aee1
- SHA1
- da12a41dd1785f44e41f23a9dc8392e9d807cf33
- SHA256
- 22194ca654f4ef025c6a4ed49c647f5d3170205574624b2777da4beae37f5d68
-
ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001
- Size
- 492B (492 bytes)
- Runtime Process
- iexplore.exe (PID: 1700)
- MD5
- 043afe0a7ef49c3d787a6b94981ec275
- SHA1
- 10502d5daa12b77ace66651ac50d89d8d6ccdcd4
- SHA256
- e5ba8d5a9cf5c119210c6202da097d89da616d46e4818d6003aa8eda11278f97
-
ACF769FFAF6E83182A9F6A3B0220D4AC_4E57F0E051E31BCE7E6200CAD8BF21E7
- Size
- 532B (532 bytes)
- Runtime Process
- iexplore.exe (PID: 1700)
- MD5
- 74eeae8eba410ab750051806b7e84198
- SHA1
- ddda584bcb8d20a1c0a5e48da3eb6b6949b50314
- SHA256
- 5af53f9e761e2df71657725874f9792c9bfd352a9a8097d98b978e1db1066f28
-
B039FEA45CB4CC4BBACFC013C7C55604_6DFE27C9802832CAC46BC915125192F6
- Size
- 498B (498 bytes)
- Runtime Process
- iexplore.exe (PID: 1700)
- MD5
- 3a9a938f298f62b1187507ebacdcc453
- SHA1
- 5170043dcd3d2e40e9e0caae81ff5d9cb7f7df8f
- SHA256
- 996add6ba18403b49372a958ac660f0cdb6eac96d39a2392fdf9ff306bde106f
-
BC570EC0DE58335AFAF92FDC8E3AA330_B0CE1266D4057E7D64FB659E1B9B7E67
- Size
- 1.5KiB (1521 bytes)
- Runtime Process
- iexplore.exe (PID: 1700)
- MD5
- af5deec001db15e46b0f5f17f8b71893
- SHA1
- eccccfae424c334a5550acf179226b13364421ec
- SHA256
- 55a4142004418900064edc202357d3241166b6f8cd92bc83df88944a5a2e27f4
-
EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
- Size
- 471B (471 bytes)
- Runtime Process
- iexplore.exe (PID: 1700)
- MD5
- bd344616effe300389eca3a2805be8a4
- SHA1
- 9abd3d58de418bb5efa8586a15cd4151dcdcc22d
- SHA256
- c339ad41e337ec0bbcd95c31a50b0f48d5f87fd3ede6f14a22458b627f3919fa
-
50D6B15D9F2DCE1EDBB0C098625FBE47_281AC807DE0FEF15F2CA9911FE760A9B
- Size
- 486B (486 bytes)
- Runtime Process
- iexplore.exe (PID: 2772)
- MD5
- 4a83be64d030c8283b2a1836321813c1
- SHA1
- 64c429d254ab7459463e4350dde8190b7d94c42a
- SHA256
- 88630a968f32072a3a0e5eabca74b96ed92a6b92e0028d938591532b2903b14c
-
6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04
- Size
- 434B (434 bytes)
- Runtime Process
- iexplore.exe (PID: 2772)
- MD5
- 7d2bb1003d2b1d7206adebdb4e5bde1e
- SHA1
- 9a4667d0d37657f06426aeefa3c924ae6317acfe
- SHA256
- 617241c7e86e6c4b0014c7524269dc012b9c4eaef083a2e6310aa7218d6ceb67
-
_bb5C5C.tmp
- Size
- 38KiB (39012 bytes)
- Type
- img image
- Description
- JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 499x281, frames 3
- Runtime Process
- setup1200.exe (PID: 2484)
- MD5
- fde8d2fe482146d1e735a292eeda1ed5
- SHA1
- e76eb075feca1fb005de603ff1169ead2b346a12
- SHA256
- 6d11ee7c70bb3281416c55a86e9a9f65cec06e9c714097223964ffa4daa4705e
-
_bb5C6D.tmp
- Size
- 36KiB (36765 bytes)
- Runtime Process
- setup1200.exe (PID: 2484)
- MD5
- 798780eb443e16d596fbf395578a57d9
- SHA1
- 933724cb982fd9a0df6e33fb2762bb51eb7679c7
- SHA256
- a19f8505971ae9d08ef99d73fd32b12a1bb7dcb1b5bb2d8bf271327da8684e2d
-
Notifications
-
Runtime
- Although all strings were processed, some are hidden from the report in order to reduce the overall size
- Extracted file "e-Sword.msi" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/b323848aadbbde1c40cc53a662e27be2c34038ef5d34b6f8b20cad4aed9a9f6b/analysis/1565743701/")
- No static analysis parsing on sample was performed
- Not all Falcon MalQuery lookups completed in time
- Not all IP/URL string resources were checked online
- Not all file accesses are visible for iexplore.exe (PID: 1700)
- Not all file accesses are visible for iexplore.exe (PID: 2772)
- Not all sources for indicator ID "api-31" are available in the report
- Not all sources for indicator ID "api-4" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-6" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report