Avro Keyboard 5.6.0 Silent - Lava.exe
This report is generated from a file or URL submitted to this webservice on September 2nd 2019 17:53:14 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
  - Reads terminal service related keys (often RDP related)
- Spyware
  - Found a string that may be used as part of an injection method
- Persistence
  - Modifies auto-execute functionality by setting/creating a value in the registry
  - Writes data to a remote process
- Fingerprint
  - Queries process information
  - Queries sensitive IE security settings
  - Reads the active computer name
- Evasive
  - Marks file for deletion
  - Possibly checks for the presence of an Antivirus engine
  - The input sample contains a known anti-VM trick
MITRE ATT&CK™ Techniques Detection
Additional Context
Related Sandbox Artifacts
- Associated SHA256s
- 167d064194e3141f85e977b944ac8ca147c4a0206a658ed973674553d0227b5b
Indicators
Malicious Indicators (5)

Environment Awareness
- The input sample contains a known anti-VM trick
  - details: Found VM detection artifact "CPUID trick" in "Avro Keyboard 5.6.0 Silent - Lava.exe.bin" (Offset: 86744)
  - source: Binary File
  - relevance: 5/10
  - ATT&CK ID: T1497
General
- Contains ability to start/interact with device drivers
  - details:
    - DeviceIoControl@KERNEL32.DLL from Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
    - DeviceIoControl@kernel32.dll
  - source: Hybrid Analysis Technology
  - relevance: 8/10
Installation/Persistence
- Writes data to a remote process
  - details:
    - "AvroKeyboard5.6.0Silent-Lava.exe" wrote 32 bytes to a remote process "%TEMP%\7ZipSfx.000\Avro Keyboard 5.6.0 - Lava.exe" (Handle: 688)
    - "AvroKeyboard5.6.0Silent-Lava.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\7ZipSfx.000\Avro Keyboard 5.6.0 - Lava.exe" (Handle: 688)
    - "AvroKeyboard5.6.0Silent-Lava.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\7ZipSfx.000\Avro Keyboard 5.6.0 - Lava.exe" (Handle: 688)
    - "AvroKeyboard5.6.0Silent-Lava.exe" wrote 8 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\7ZipSfx.000\Avro Keyboard 5.6.0 - Lava.exe" (Handle: 688)
    - "Avro Keyboard 5.6.0 - Lava.exe" wrote 1500 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-A3QPM.tmp\Avro Keyboard 5.6.0 - Lava.tmp" (Handle: 208)
    - "Avro Keyboard 5.6.0 - Lava.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-A3QPM.tmp\Avro Keyboard 5.6.0 - Lava.tmp" (Handle: 208)
    - "Avro Keyboard 5.6.0 - Lava.exe" wrote 8 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-A3QPM.tmp\Avro Keyboard 5.6.0 - Lava.tmp" (Handle: 208)
    - "Avro Keyboard 5.6.0 - Lava.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-A3QPM.tmp\Avro Keyboard 5.6.0 - Lava.tmp" (Handle: 208)
    - "Avro Keyboard 5.6.0 - Lava.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-A3QPM.tmp\Avro Keyboard 5.6.0 - Lava.tmp" (Handle: 208)
  - source: API Call
  - relevance: 6/10
  - ATT&CK ID: T1055
Unusual Characteristics
- Contains ability to reboot/shutdown the operating system
  - details:
    - ExitWindowsEx@USER32.DLL from Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
    - ExitWindowsEx@user32.dll
  - source: Hybrid Analysis Technology
  - relevance: 5/10
- Contains native function calls
  - details:
    - NtdllDefWindowProc_W@NTDLL.DLL from AvroKeyboard5.6.0Silent-Lava.exe (PID: 4044)
    - NtdllDefWindowProc_W@NTDLL.DLL from Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
  - source: Hybrid Analysis Technology
  - relevance: 5/10
Suspicious Indicators (29)

Anti-Reverse Engineering
- PE file has unusual entropy sections
  - details: .rsrc with unusual entropy 7.55164278665
  - source: Static Parser
  - relevance: 10/10
Environment Awareness
- Contains ability to query CPU information
  - details: cpuid from AvroKeyboard5.6.0Silent-Lava.exe (PID: 4044)
  - source: Hybrid Analysis Technology
  - relevance: 10/10
  - ATT&CK ID: T1082
- Contains ability to read monitor info
  - details: GetMonitorInfoA@USER32.DLL from Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
  - source: Hybrid Analysis Technology
  - relevance: 5/10
  - ATT&CK ID: T1082
- Reads the active computer name
  - details:
    - "AvroKeyboard5.6.0Silent-Lava.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
    - "Avro Keyboard 5.6.0 - Lava.tmp" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - source: Registry Access
  - relevance: 5/10
  - ATT&CK ID: T1012
External Systems
- Found an IP/URL artifact that was identified as malicious by at least one reputation engine
  - details: 1/71 reputation engines marked "http://www.jrsoftware.org/ishelp/index.php" as malicious (1% detection rate)
  - source: External System
  - relevance: 10/10
General
- Contains ability to find and load resources of a specific module
  - details:
    - LoadResource@KERNEL32.dll
    - LoadResource@KERNEL32.DLL from AvroKeyboard5.6.0Silent-Lava.exe (PID: 4044)
    - LockResource@KERNEL32.DLL from Avro Keyboard 5.6.0 - Lava.exe (PID: 2944)
    - LoadResource@KERNEL32.DLL from Avro Keyboard 5.6.0 - Lava.exe (PID: 2944)
    - SizeofResource@KERNEL32.DLL from Avro Keyboard 5.6.0 - Lava.exe (PID: 2944)
    - FindResourceW@KERNEL32.DLL from Avro Keyboard 5.6.0 - Lava.exe (PID: 2944)
    - LockResource@KERNEL32.DLL from Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
    - SizeofResource@KERNEL32.DLL from Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
    - LoadResource@KERNEL32.DLL from Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
    - FindResourceW@KERNEL32.DLL from Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
  - source: Hybrid Analysis Technology
  - relevance: 1/10
- Reads configuration files
  - details:
    - "AvroKeyboard5.6.0Silent-Lava.exe" read file "C:\Users\%USERNAME%\Searches\desktop.ini"
    - "AvroKeyboard5.6.0Silent-Lava.exe" read file "C:\Users\%USERNAME%\Videos\desktop.ini"
    - "AvroKeyboard5.6.0Silent-Lava.exe" read file "C:\Users\%USERNAME%\Pictures\desktop.ini"
    - "AvroKeyboard5.6.0Silent-Lava.exe" read file "C:\Users\%USERNAME%\Contacts\desktop.ini"
    - "AvroKeyboard5.6.0Silent-Lava.exe" read file "C:\Users\%USERNAME%\Favorites\desktop.ini"
    - "AvroKeyboard5.6.0Silent-Lava.exe" read file "C:\Users\%USERNAME%\Music\desktop.ini"
    - "AvroKeyboard5.6.0Silent-Lava.exe" read file "C:\Users\%USERNAME%\Downloads\desktop.ini"
    - "AvroKeyboard5.6.0Silent-Lava.exe" read file "C:\Users\%USERNAME%\Documents\desktop.ini"
    - "AvroKeyboard5.6.0Silent-Lava.exe" read file "C:\Users\%USERNAME%\Links\desktop.ini"
    - "AvroKeyboard5.6.0Silent-Lava.exe" read file "C:\Users\%USERNAME%\Saved Games\desktop.ini"
    - "AvroKeyboard5.6.0Silent-Lava.exe" read file "C:\Users\desktop.ini"
    - "AvroKeyboard5.6.0Silent-Lava.exe" read file "C:\Users\%USERNAME%\Desktop\desktop.ini"
    - "Avro Keyboard 5.6.0 - Lava.tmp" read file "C:\Windows\win.ini"
    - "Avro Keyboard 5.6.0 - Lava.tmp" read file "%PROGRAMFILES%\(x86)\desktop.ini"
    - "Avro Keyboard 5.6.0 - Lava.tmp" read file "C:\Users\%USERNAME%\Desktop\desktop.ini"
  - source: API Call
  - relevance: 4/10
Installation/Persistence
- Drops executable files
  - details:
    - "Avro Keyboard 5.6.0 - Lava.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
    - "_setup64.tmp" has type "PE32+ executable (console) x86-64 for MS Windows"
    - "is-G1Q2V.tmp" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  - source: Binary File
  - relevance: 10/10
- Modifies auto-execute functionality by setting/creating a value in the registry
  - details:
    - "Avro Keyboard 5.6.0 - Lava.tmp" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN")
    - "Avro Keyboard 5.6.0 - Lava.tmp" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"; Key: "AVRO KEYBOARD"; Value: "%PROGRAMFILES%\(x86)\Avro Keyboard\Avro Keyboard.exe")
  - source: Registry Access
  - relevance: 8/10
  - ATT&CK ID: T1060
Remote Access Related
- Reads terminal service related keys (often RDP related)
  - details: "AvroKeyboard5.6.0Silent-Lava.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
  - source: Registry Access
  - relevance: 10/10
  - ATT&CK ID: T1076
System Destruction
- Marks file for deletion
  - details:
    - "C:\AvroKeyboard5.6.0Silent-Lava.exe" marked "%TEMP%\7ZipSfx.000\Avro Keyboard 5.6.0 - Lava.exe" for deletion
    - "C:\AvroKeyboard5.6.0Silent-Lava.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\7ZipSfx.000" for deletion
    - "%TEMP%\7ZipSfx.000\Avro Keyboard 5.6.0 - Lava.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\is-A3QPM.tmp\Avro Keyboard 5.6.0 - Lava.tmp" for deletion
    - "%TEMP%\7ZipSfx.000\Avro Keyboard 5.6.0 - Lava.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\is-A3QPM.tmp" for deletion
    - "%TEMP%\is-A3QPM.tmp\Avro Keyboard 5.6.0 - Lava.tmp" marked "C:\Users\%USERNAME%\AppData\Local\Temp\is-R3MU3.tmp\_isetup\_setup64.tmp" for deletion
    - "%TEMP%\is-A3QPM.tmp\Avro Keyboard 5.6.0 - Lava.tmp" marked "C:\Users\%USERNAME%\AppData\Local\Temp\is-R3MU3.tmp\_isetup\_shfoldr.dll" for deletion
    - "%TEMP%\is-A3QPM.tmp\Avro Keyboard 5.6.0 - Lava.tmp" marked "C:\Users\%USERNAME%\AppData\Local\Temp\is-R3MU3.tmp\_isetup" for deletion
    - "%TEMP%\is-A3QPM.tmp\Avro Keyboard 5.6.0 - Lava.tmp" marked "C:\Users\%USERNAME%\AppData\Local\Temp\is-R3MU3.tmp" for deletion
  - source: API Call
  - relevance: 10/10
  - ATT&CK ID: T1107
- Opens file with deletion access rights
  - details:
    - "AvroKeyboard5.6.0Silent-Lava.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\7ZipSfx.000\Avro Keyboard 5.6.0 - Lava.exe" with delete access
    - "AvroKeyboard5.6.0Silent-Lava.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\7ZipSfx.000" with delete access
    - "Avro Keyboard 5.6.0 - Lava.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\is-A3QPM.tmp\Avro Keyboard 5.6.0 - Lava.tmp" with delete access
    - "Avro Keyboard 5.6.0 - Lava.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\is-A3QPM.tmp" with delete access
    - "Avro Keyboard 5.6.0 - Lava.tmp" opened "C:\Program Files (x86)\Avro Keyboard\is-G1Q2V.tmp" with delete access
    - "Avro Keyboard 5.6.0 - Lava.tmp" opened "C:\Program Files (x86)\Avro Keyboard\is-NHRLH.tmp" with delete access
    - "Avro Keyboard 5.6.0 - Lava.tmp" opened "C:\Program Files (x86)\Avro Keyboard\is-744LI.tmp" with delete access
    - "Avro Keyboard 5.6.0 - Lava.tmp" opened "C:\Program Files (x86)\Avro Keyboard\is-VKV60.tmp" with delete access
    - "Avro Keyboard 5.6.0 - Lava.tmp" opened "C:\Program Files (x86)\Avro Keyboard\is-HCF9G.tmp" with delete access
    - "Avro Keyboard 5.6.0 - Lava.tmp" opened "%ALLUSERSPROFILE%\Avro Keyboard\Skin\is-2A2MP.tmp" with delete access
    - "Avro Keyboard 5.6.0 - Lava.tmp" opened "C:\ProgramData\Avro Keyboard\Skin\is-FTIO1.tmp" with delete access
    - "Avro Keyboard 5.6.0 - Lava.tmp" opened "C:\ProgramData\Avro Keyboard\Skin\is-Q8BBR.tmp" with delete access
    - "Avro Keyboard 5.6.0 - Lava.tmp" opened "C:\ProgramData\Avro Keyboard\Skin\is-PTAHT.tmp" with delete access
    - "Avro Keyboard 5.6.0 - Lava.tmp" opened "C:\ProgramData\Avro Keyboard\Skin\is-M3VFU.tmp" with delete access
    - "Avro Keyboard 5.6.0 - Lava.tmp" opened "C:\ProgramData\Avro Keyboard\Skin\is-VH78A.tmp" with delete access
    - "Avro Keyboard 5.6.0 - Lava.tmp" opened "C:\ProgramData\Avro Keyboard\Keyboard Layouts\is-FKSVD.tmp" with delete access
    - "Avro Keyboard 5.6.0 - Lava.tmp" opened "C:\ProgramData\Avro Keyboard\Keyboard Layouts\is-MMQID.tmp" with delete access
    - "Avro Keyboard 5.6.0 - Lava.tmp" opened "C:\ProgramData\Avro Keyboard\Keyboard Layouts\is-5A2PQ.tmp" with delete access
    - "Avro Keyboard 5.6.0 - Lava.tmp" opened "C:\ProgramData\Avro Keyboard\Keyboard Layouts\is-H1J09.tmp" with delete access
    - "Avro Keyboard 5.6.0 - Lava.tmp" opened "C:\Program Files (x86)\Avro Keyboard\is-UR45S.tmp" with delete access
  - source: API Call
  - relevance: 7/10
System Security
- Modifies proxy settings
  - details:
    - "AvroKeyboard5.6.0Silent-Lava.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
    - "AvroKeyboard5.6.0Silent-Lava.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  - source: Registry Access
  - relevance: 10/10
  - ATT&CK ID: T1112
- Queries sensitive IE security settings
  - details: "AvroKeyboard5.6.0Silent-Lava.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
  - source: Registry Access
  - relevance: 8/10
  - ATT&CK ID: T1012
Unusual Characteristics
- CRC value set in PE header does not match actual value
  - details:
    - "Avro Keyboard 5.6.0 Silent - Lava.exe.bin" claimed CRC 106051 while the actual is CRC 7217817
    - "Avro Keyboard 5.6.0 - Lava.exe" claimed CRC 7080297 while the actual is CRC 5208031
    - "is-G1Q2V.tmp" claimed CRC 1321312 while the actual is CRC 27271
  - source: Static Parser
  - relevance: 10/10
- Imports suspicious APIs
  - details: GetDriveTypeW, GetModuleFileNameW, GetVersionExW, GetFileAttributesW, LoadLibraryA, GetStartupInfoA, FindNextFileW, GetFileSize, GetCommandLineW, CreateDirectoryW, DeleteFileW, GetProcAddress, GetModuleHandleA, FindResourceExA, CreateThread, GetTempPathW, FindFirstFileW, GetModuleHandleW, LockResource, WriteFile, CreateFileW, Sleep, VirtualAlloc, ShellExecuteW, ShellExecuteExW, RegCloseKey, OpenProcessToken, RegOpenKeyExW, VirtualProtect, UnhandledExceptionFilter, LoadLibraryExW, LoadLibraryW, FindResourceW, CreateProcessW, GetTickCount, RegCreateKeyExW, RegDeleteValueW, GetUserNameW, RegEnumKeyExW, RegDeleteKeyW, DeviceIoControl, CopyFileW, ExitThread, TerminateProcess, OpenProcess, GetComputerNameW, GetCursorPos, SetWindowsHookExW, GetLastActivePopup, FindWindowExW, FindWindowW, GetWindowThreadProcessId
  - source: Static Parser
  - relevance: 1/10
- Installs hooks/patches the running process
  - details:
    - "AvroKeyboard5.6.0Silent-Lava.exe" wrote bytes "b84013fc73ffe0" to virtual address "0x75183AD8" (part of module "SSPICLI.DLL")
    - "AvroKeyboard5.6.0Silent-Lava.exe" wrote bytes "d83a0200" to virtual address "0x75184E38" (part of module "SSPICLI.DLL")
    - "AvroKeyboard5.6.0Silent-Lava.exe" wrote bytes "d83a0200" to virtual address "0x75184D78" (part of module "SSPICLI.DLL")
    - "AvroKeyboard5.6.0Silent-Lava.exe" wrote bytes "d83a1875" to virtual address "0x75190258" (part of module "SSPICLI.DLL")
    - "AvroKeyboard5.6.0Silent-Lava.exe" wrote bytes "b4361875" to virtual address "0x75190278" (part of module "SSPICLI.DLL")
    - "AvroKeyboard5.6.0Silent-Lava.exe" wrote bytes "b4361875" to virtual address "0x7519025C" (part of module "SSPICLI.DLL")
    - "AvroKeyboard5.6.0Silent-Lava.exe" wrote bytes "d83a1875" to virtual address "0x751901FC" (part of module "SSPICLI.DLL")
    - "AvroKeyboard5.6.0Silent-Lava.exe" wrote bytes "c0df8e771cf98d77ccf88d770d648f7700000000c011d57600000000fc3ed57600000000e013d576000000009457337525e08e77c6e08e7700000000bc6a327500000000cf31d5760000000093193375000000002c32d57600000000" to virtual address "0x77091000" (part of module "NSI.DLL")
    - "AvroKeyboard5.6.0Silent-Lava.exe" wrote bytes "6012fc73" to virtual address "0x76CFE324" (part of module "WININET.DLL")
    - "AvroKeyboard5.6.0Silent-Lava.exe" wrote bytes "b8c015fc73ffe0" to virtual address "0x751836B4" (part of module "SSPICLI.DLL")
    - "AvroKeyboard5.6.0Silent-Lava.exe" wrote bytes "d83a1875" to virtual address "0x75190274" (part of module "SSPICLI.DLL")
    - "AvroKeyboard5.6.0Silent-Lava.exe" wrote bytes "b4360200" to virtual address "0x75184D68" (part of module "SSPICLI.DLL")
    - "AvroKeyboard5.6.0Silent-Lava.exe" wrote bytes "71115f017a3b5e01ab8b02007f950200fc8c0200729602006cc805001ecd5b017d265b01" to virtual address "0x763507E4" (part of module "USER32.DLL")
    - "AvroKeyboard5.6.0Silent-Lava.exe" wrote bytes "68130000" to virtual address "0x75371680" (part of module "WS2_32.DLL")
    - "AvroKeyboard5.6.0Silent-Lava.exe" wrote bytes "d83a1875" to virtual address "0x751901E0" (part of module "SSPICLI.DLL")
    - "AvroKeyboard5.6.0Silent-Lava.exe" wrote bytes "b4361875" to virtual address "0x75190200" (part of module "SSPICLI.DLL")
    - "AvroKeyboard5.6.0Silent-Lava.exe" wrote bytes "b4360200" to virtual address "0x75184EA4" (part of module "SSPICLI.DLL")
    - "AvroKeyboard5.6.0Silent-Lava.exe" wrote bytes "b4361875" to virtual address "0x751901E4" (part of module "SSPICLI.DLL")
    - "AvroKeyboard5.6.0Silent-Lava.exe" wrote bytes "b83012fc73ffe0" to virtual address "0x75371368" (part of module "WS2_32.DLL")
    - "Avro Keyboard 5.6.0 - Lava.exe" wrote bytes "71115f017a3b5e01ab8b02007f950200fc8c0200729602006cc805001ecd5b017d265b01" to virtual address "0x763507E4" (part of module "USER32.DLL")
  - source: Hook Detection
  - relevance: 10/10
  - ATT&CK ID: T1179
- Reads information about supported languages
  - details: "Avro Keyboard 5.6.0 - Lava.tmp" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - source: Registry Access
  - relevance: 3/10
  - ATT&CK ID: T1012
11 further suspicious indicators are hidden (all indicators are available only in the private webservice or standalone version).
Informative (27)

Anti-Reverse Engineering
- Found strings in conjunction with a procedure lookup that resolve to a known API export symbol
  - details:
    - Found reference to API Wow64RevertWow64FsRedirection@KERNEL32.DLL from AvroKeyboard5.6.0Silent-Lava.exe (PID: 4044)
    - Found reference to API GetNativeSystemInfo@KERNEL32.DLL from AvroKeyboard5.6.0Silent-Lava.exe (PID: 4044)
    - Found reference to API Wow64DisableWow64FsRedirection@KERNEL32.DLL from AvroKeyboard5.6.0Silent-Lava.exe (PID: 4044)
    - Found reference to API GetLongPathNameW@KERNEL32.DLL from Avro Keyboard 5.6.0 - Lava.exe (PID: 2944)
    - Found reference to API GetLongPathNameW@KERNEL32.DLL from Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
  - source: Hybrid Analysis Technology
  - relevance: 10/10
- PE file contains zero-size sections
  - details:
    - Raw size of ".bss" is zero
    - Raw size of ".tls" is zero
    - Raw size of ".data" is zero
  - source: Static Parser
  - relevance: 10/10
Environment Awareness
- Contains ability to query machine time
  - details:
    - GetLocalTime@KERNEL32.dll
    - GetSystemTimeAsFileTime@KERNEL32.DLL from AvroKeyboard5.6.0Silent-Lava.exe (PID: 4044)
    - GetLocalTime@KERNEL32.DLL from AvroKeyboard5.6.0Silent-Lava.exe (PID: 4044)
    - GetSystemTimeAsFileTime@KERNEL32.DLL from Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
    - GetLocalTime@KERNEL32.DLL from Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
  - source: Hybrid Analysis Technology
  - relevance: 1/10
  - ATT&CK ID: T1124
- Contains ability to query the machine version
  - details:
    - GetVersionExW@KERNEL32.DLL from AvroKeyboard5.6.0Silent-Lava.exe (PID: 4044)
    - GetVersionExW@KERNEL32.DLL from Avro Keyboard 5.6.0 - Lava.exe (PID: 2944)
    - GetVersion@KERNEL32.DLL from Avro Keyboard 5.6.0 - Lava.exe (PID: 2944)
    - GetVersion@KERNEL32.DLL from Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
    - GetVersionExW@KERNEL32.DLL from Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
    - GetVersionExW@kernel32.dll
    - GetVersion@kernel32.dll
  - source: Hybrid Analysis Technology
  - relevance: 1/10
  - ATT&CK ID: T1082
- Contains ability to query the system locale
  - details: GetUserDefaultUILanguage@KERNEL32.DLL from AvroKeyboard5.6.0Silent-Lava.exe (PID: 4044)
  - source: Hybrid Analysis Technology
  - relevance: 1/10
- Contains ability to query volume size
  - details:
    - GetDiskFreeSpaceExW@KERNEL32.dll
    - GetDiskFreeSpaceExW@KERNEL32.DLL from AvroKeyboard5.6.0Silent-Lava.exe (PID: 4044)
    - GetDiskFreeSpaceW@KERNEL32.DLL from Avro Keyboard 5.6.0 - Lava.exe (PID: 2944)
    - GetDiskFreeSpaceW@kernel32.dll
  - source: Hybrid Analysis Technology
  - relevance: 3/10
  - ATT&CK ID: T1083
- Makes a code branch decision directly after an API that is environment aware
  - details:
    - Found API call GetVersion@KERNEL32.DLL directly followed by "cmp ax, 0005h" and "jc 0047FB3Fh" from Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
    - Found API call GetVersion@KERNEL32.DLL directly followed by "cmp ax, 0005h" and "jnc 004B81E7h" from Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
    - Found API call GetVersion@kernel32.dll directly followed by "cmp edx, 05h" and "jne 0040648Bh"
    - Found API call GetVersion@kernel32.dll directly followed by "cmp edx, 05h" and "jne 00408DF3h"
  - source: Hybrid Analysis Technology
  - relevance: 10/10
- Queries volume information
  - details:
    - "Avro Keyboard 5.6.0 - Lava.tmp" queries volume information of "%PROGRAMFILES%\(x86)\Avro Keyboard\Avro Keyboard.exe" at 00022729-00001972-00000046-29289802817
    - "Avro Keyboard 5.6.0 - Lava.tmp" queries volume information of "C:\" at 00022729-00001972-00000046-31590230506
    - "Avro Keyboard 5.6.0 - Lava.tmp" queries volume information of "C:\Program Files (x86)\Avro Keyboard\Avro Keyboard.exe" at 00022729-00001972-00000046-31611855980
    - "Avro Keyboard 5.6.0 - Lava.tmp" queries volume information of "C:\" at 00022729-00001972-00000046-34411138940
    - "Avro Keyboard 5.6.0 - Lava.tmp" queries volume information of "C:\" at 00022729-00001972-00000046-36315365153
    - "Avro Keyboard 5.6.0 - Lava.tmp" queries volume information of "C:\Program Files (x86)\Avro Keyboard\Avro Keyboard.exe" at 00022729-00001972-00000046-36316463808
    - "Avro Keyboard 5.6.0 - Lava.tmp" queries volume information of "C:\" at 00022729-00001972-00000046-36405087461
    - "Avro Keyboard 5.6.0 - Lava.tmp" queries volume information of "C:\Program Files (x86)\Avro Keyboard\Skin Designer.exe" at 00022729-00001972-00000046-36406265232
    - "Avro Keyboard 5.6.0 - Lava.tmp" queries volume information of "C:\" at 00022729-00001972-00000046-36549242397
    - "Avro Keyboard 5.6.0 - Lava.tmp" queries volume information of "C:\Program Files (x86)\Avro Keyboard\Layout Editor.exe" at 00022729-00001972-00000046-36550361808
    - "Avro Keyboard 5.6.0 - Lava.tmp" queries volume information of "C:\" at 00022729-00001972-00000046-36682367363
    - "Avro Keyboard 5.6.0 - Lava.tmp" queries volume information of "C:\Program Files (x86)\Avro Keyboard\Avro Spell Checker.exe" at 00022729-00001972-00000046-36683610852
    - "Avro Keyboard 5.6.0 - Lava.tmp" queries volume information of "C:\" at 00022729-00001972-00000046-36842100525
    - "Avro Keyboard 5.6.0 - Lava.tmp" queries volume information of "C:\Program Files (x86)\Avro Keyboard\Configuring_system.htm" at 00022729-00001972-00000046-36843506557
    - "Avro Keyboard 5.6.0 - Lava.tmp" queries volume information of "C:\" at 00022729-00001972-00000046-36901409584
    - "Avro Keyboard 5.6.0 - Lava.tmp" queries volume information of "C:\Program Files (x86)\Avro Keyboard\Avro Keyboard.exe" at 00022729-00001972-00000046-36902588313
    - "Avro Keyboard 5.6.0 - Lava.tmp" queries volume information of "C:\" at 00022729-00001972-00000046-36994144635
    - "Avro Keyboard 5.6.0 - Lava.tmp" queries volume information of "C:\Program Files (x86)\Avro Keyboard\Avro Spell Checker.exe" at 00022729-00001972-00000046-36995214947
    - "Avro Keyboard 5.6.0 - Lava.tmp" queries volume information of "C:\" at 00022729-00001972-00000046-37144468643
    - "Avro Keyboard 5.6.0 - Lava.tmp" queries volume information of "C:\Program Files (x86)\Avro Keyboard\Avro Spell Checker.exe" at 00022729-00001972-00000046-37146078844
  - source: API Call
  - relevance: 2/10
  - ATT&CK ID: T1120
- Queries volume information of an entire harddrive
  - details:
    - "Avro Keyboard 5.6.0 - Lava.tmp" queries volume information of "C:\" at 00022729-00001972-00000046-31590230506
    - "Avro Keyboard 5.6.0 - Lava.tmp" queries volume information of "C:\" at 00022729-00001972-00000046-34411138940
    - "Avro Keyboard 5.6.0 - Lava.tmp" queries volume information of "C:\" at 00022729-00001972-00000046-36315365153
    - "Avro Keyboard 5.6.0 - Lava.tmp" queries volume information of "C:\" at 00022729-00001972-00000046-36405087461
    - "Avro Keyboard 5.6.0 - Lava.tmp" queries volume information of "C:\" at 00022729-00001972-00000046-36549242397
    - "Avro Keyboard 5.6.0 - Lava.tmp" queries volume information of "C:\" at 00022729-00001972-00000046-36682367363
    - "Avro Keyboard 5.6.0 - Lava.tmp" queries volume information of "C:\" at 00022729-00001972-00000046-36842100525
    - "Avro Keyboard 5.6.0 - Lava.tmp" queries volume information of "C:\" at 00022729-00001972-00000046-36901409584
    - "Avro Keyboard 5.6.0 - Lava.tmp" queries volume information of "C:\" at 00022729-00001972-00000046-36994144635
    - "Avro Keyboard 5.6.0 - Lava.tmp" queries volume information of "C:\" at 00022729-00001972-00000046-37144468643
  - source: API Call
  - relevance: 8/10
  - ATT&CK ID: T1120
- Reads the registry for installed applications
  - details:
    - "AvroKeyboard5.6.0Silent-Lava.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\AVRO KEYBOARD 5.6.0 - LAVA.EXE")
    - "AvroKeyboard5.6.0Silent-Lava.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\AVRO KEYBOARD 5.6.0 - LAVA.EXE")
    - "Avro Keyboard 5.6.0 - Lava.tmp" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\AVRO KEYBOARD 5.6.0 - LAVA.TMP")
    - "Avro Keyboard 5.6.0 - Lava.tmp" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\AVRO KEYBOARD 5.6.0 - LAVA.TMP")
    - "Avro Keyboard 5.6.0 - Lava.tmp" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\AVRO KEYBOARD_IS1")
    - "Avro Keyboard 5.6.0 - Lava.tmp" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\AVRO KEYBOARD_IS1")
  - source: Registry Access
  - relevance: 10/10
  - ATT&CK ID: T1012
General
-
Contains ability to create named pipes for inter-process communication (IPC)
- details
-
CreateNamedPipeW@KERNEL32.DLL from Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972) (Show Stream)
CreateNamedPipeW@KERNEL32.DLL from Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972) (Show Stream) - source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Creates a writable file in a temporary directory
- details
-
"AvroKeyboard5.6.0Silent-Lava.exe" created file "%TEMP%\7ZipSfx.000\Avro Keyboard 5.6.0 - Lava.exe"
"Avro Keyboard 5.6.0 - Lava.exe" created file "%TEMP%\is-A3QPM.tmp\Avro Keyboard 5.6.0 - Lava.tmp"
"Avro Keyboard 5.6.0 - Lava.tmp" created file "%TEMP%\is-R3MU3.tmp\_isetup\_setup64.tmp"
"Avro Keyboard 5.6.0 - Lava.tmp" created file "%TEMP%\is-R3MU3.tmp\_isetup\_shfoldr.dll" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"Local\ZonesCacheCounterMutex"
"Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511"
"\Sessions\1\BaseNamedObjects\Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000"
"Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511"
"Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000" - source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "_setup64.tmp" as clean (type is "PE32+ executable (console) x86-64 for MS Windows"), Antivirus vendors marked dropped file "is-MAKUQ.tmp" as clean (type is "PDF document version 1.5"), Antivirus vendors marked dropped file "is-G1Q2V.tmp" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
- source
- Binary File
- relevance
- 10/10
-
Overview of unique CLSIDs touched in registry
- details
-
"AvroKeyboard5.6.0Silent-Lava.exe" touched "Computer" (Path: "HKCU\WOW6432NODE\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
"AvroKeyboard5.6.0Silent-Lava.exe" touched "Network" (Path: "HKCU\WOW6432NODE\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\SHELLFOLDER")
"AvroKeyboard5.6.0Silent-Lava.exe" touched "Recycle Bin" (Path: "HKCU\WOW6432NODE\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\SHELLFOLDER")
"AvroKeyboard5.6.0Silent-Lava.exe" touched "Control Panel" (Path: "HKCU\WOW6432NODE\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\SHELLFOLDER")
"AvroKeyboard5.6.0Silent-Lava.exe" touched "UsersFiles" (Path: "HKCU\WOW6432NODE\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\SHELLFOLDER")
"AvroKeyboard5.6.0Silent-Lava.exe" touched "UsersLibraries" (Path: "HKCU\WOW6432NODE\CLSID\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\SHELLFOLDER")
"AvroKeyboard5.6.0Silent-Lava.exe" touched "CLSID_SearchFolder" (Path: "HKCU\WOW6432NODE\CLSID\{04731B67-D933-450A-90E6-4ACD2E9408FE}\SHELLFOLDER")
"AvroKeyboard5.6.0Silent-Lava.exe" touched "IE History and Feeds Shell Data Source for Windows Search" (Path: "HKCU\WOW6432NODE\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\SHELLFOLDER")
"AvroKeyboard5.6.0Silent-Lava.exe" touched "Public Folder" (Path: "HKCU\WOW6432NODE\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\SHELLFOLDER")
"AvroKeyboard5.6.0Silent-Lava.exe" touched "Control Panel command object for Start menu and desktop" (Path: "HKCU\WOW6432NODE\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\SHELLFOLDER")
"AvroKeyboard5.6.0Silent-Lava.exe" touched "@%systemroot%\system32\mssvp.dll,-110" (Path: "HKCU\WOW6432NODE\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\SHELLFOLDER")
"AvroKeyboard5.6.0Silent-Lava.exe" touched "CLSID_SearchHome" (Path: "HKCU\WOW6432NODE\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\SHELLFOLDER")
"AvroKeyboard5.6.0Silent-Lava.exe" touched "Other Users Folder" (Path: "HKCU\WOW6432NODE\CLSID\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\SHELLFOLDER")
"AvroKeyboard5.6.0Silent-Lava.exe" touched "@%systemroot%\system32\mssvp.dll,-112" (Path: "HKCU\WOW6432NODE\CLSID\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\SHELLFOLDER")
"AvroKeyboard5.6.0Silent-Lava.exe" touched "CLSID_StartMenuProviderFolder" (Path: "HKCU\WOW6432NODE\CLSID\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\SHELLFOLDER")
"AvroKeyboard5.6.0Silent-Lava.exe" touched "CLSID_StartMenuPathCompleteProviderFolder" (Path: "HKCU\WOW6432NODE\CLSID\{E345F35F-9397-435C-8F95-4E922C26259E}\SHELLFOLDER")
"AvroKeyboard5.6.0Silent-Lava.exe" touched "Games Explorer" (Path: "HKCU\WOW6432NODE\CLSID\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\SHELLFOLDER")
"AvroKeyboard5.6.0Silent-Lava.exe" touched "Computers and Devices" (Path: "HKCU\WOW6432NODE\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\SHELLFOLDER")
"AvroKeyboard5.6.0Silent-Lava.exe" touched "Memory Mapped Cache Mgr" (Path: "HKCU\WOW6432NODE\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}")
"AvroKeyboard5.6.0Silent-Lava.exe" touched "delegate folder that appears in Users Files Folder" (Path: "HKCU\WOW6432NODE\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\SHELLFOLDER") - source
- Registry Access
- relevance
- 3/10
-
Process launched with changed environment
- details
-
Process "Avro Keyboard 5.6.0 - Lava.exe" was launched with new environment variables: "7zSfxFolder20="C:\Windows\Fonts", 7zSfxFolder21="C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Templates", CommonDocuments="C:\Users\%USERNAME%\Documents", MyDocs="C:\Users\%USERNAME%\Documents", UserDesktop="C:\Users\%USERNAME%\Desktop", 7zSfxString34="7-Zip: Extraction error.", 7zSfxString35="Back", 7zSfxString36="Next", 7zSfxString37="Finish", 7zSfxString30="Could not create file "%s".", 7zSfxString31="Could not overwrite file "%s".", 7zSfxString32="Error in command line:", 7zSfxString33="7-Zip: Internal error
code 0x%08X.", 7zSfxFolder28="C:\Users\%USERNAME%\AppData\Local", 7zSfxFolder29="C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup", 7zSfxFolder26="C:\Users\%USERNAME%\AppData\Roaming", 7zSfxFolder27="C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Printer Shortcuts", 7zSfxFolder24="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup", 7zSfxString38="Cancel", 7zSfxFolder25="C:\Users\%USERNAME%\Desktop", 7zSfxString39="Application error:", 7zSfxFolder22="C:\ProgramData\Microsoft\Windows\Start Menu", 7zSfxFolder23="C:\ProgramData\Microsoft\Windows\Start Menu\Programs", 7zSfxFolder53="C:\Users\%USERNAME%\Music", 7zSfxFolder54="C:\Users\%USERNAME%\Pictures", 7zSfxString2="7z SFX", 7zSfxString1="SFX module version:", 7zSfxString23="Really cancel the installation?", 7zSfxString24="No "HelpText" in the configuration file.", 7zSfxString25="OK", 7zSfxString26="Cancel", 7zSfxString20="7-Zip: Internal error
code %u.", 7zSfxFolder19="C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Network Shortcuts", 7zSfxString21="Extraction path", 7zSfxString22="Extraction path:", 7zSfxFolder59="C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Burn\Burn", 7zSfxFolder16="C:\Users\%USERNAME%\Desktop", 7zSfxFolder13="C:\Users\%USERNAME%\Music", 7zSfxString27="Yes", 7zSfxFolder14="C:\Users\%USERNAME%\Videos", 7zSfxString28="No", 7zSfxFolder11="C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu", 7zSfxFolder55="C:\Users\%USERNAME%\Videos", 7zSfxString29=" s", 7zSfxFolder56="C:\Windows\resources", 7zSfxFolder42="C:\Program Files (x86)", 7zSfxFolder43="C:\Program Files (x86)\Common Files", 7zSfxFolder40="C:\Users\%USERNAME%\Windows\SysWOW64", 7zSfxString12="Could not create folder "%s".", 7zSfxString13="Could not delete file or folder "%s".", 7zSfxString9="Could not read SFX configuration or configuration not found.", 7zSfxString14="Could not find command for "%s".", 7zSfxString8="Non 7z archive.", 7zSfxString15="Could not find "setup.exe".", 7zSfxString7="Could not open archive file "%s".", 7zSfxString6="Could not get SFX filename.", 7zSfxString5="Extracting", 7zSfxFolder08="C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent", 7zSfxString10="Could not write SFX configuration.", 7zSfxString4=": error", 7zSfxFolder09="C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\SendTo", 7zSfxString11="Error in line %d of configuration data:", 7zSfxString3="7z SFX: error", 7zSfxFolder06="C:\Users\%USERNAME%\Favorites", 7zSfxFolder07="C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup", 7zSfxFolder48="C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools", 7zSfxFolder05="C:\Users\%USERNAME%\Documents", 7zSfxFolder02="C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs", 7zSfxFolder46="C:\Users\%USERNAME%\Documents", 7zSfxString16="Error during execution "%s".", 
7zSfxFolder47="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools", 7zSfxString17="7-Zip: Unsupported method.", 7zSfxFolder00="C:\Users\%USERNAME%\Desktop", 7zSfxFolder44="C:\Program Files (x86)\Common Files", 7zSfxString18="7-Zip: CRC error.", 7zSfxFolder45="C:\ProgramData\Microsoft\Windows\Templates", 7zSfxString19="7-Zip: Data error.", 7zSfxFolder31="C:\Users\%USERNAME%\Favorites", 7zSfxFolder32="C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files", 7zSfxFolder30="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup", MyDocuments="C:\Users\%USERNAME%\Documents", 7zSfxString40="7z SFX: warning", 7zSfxString41=": warning", 7zSfxString42="Not enough free space for extracting.", 7zSfxString43="Insufficient physical memory.", 7zSfxString44="Copyright (c) 2005-2010 Oleg Scherbakov", 7zSfxFolder39="C:\Users\%USERNAME%\Pictures", 7zSfxFolder37="C:\Windows\system32", 7zSfxFolder38="C:\Program Files (x86)", 7zSfxFolder35="C:\ProgramData", 7zSfxFolder36="C:\Windows", CommonDesktop="C:\Users\%USERNAME%\Desktop", 7zSfxFolder33="C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies", 7zSfxFolder34="C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History"" - source
- Monitored Target
- relevance
- 10/10
-
Scanning for window names
- details
- "Avro Keyboard 5.6.0 - Lava.tmp" searching for class "Shell_TrayWnd"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1010
-
Spawns new processes
- details
-
Spawned process "Avro Keyboard 5.6.0 - Lava.exe" with commandline "/SILENT"
Spawned process "Avro Keyboard 5.6.0 - Lava.tmp" with commandline "/SL5="$100166,6480863,199168,%TEMP%\7ZipSfx.000\Avro Keyboard 5. ..." - source
- Monitored Target
- relevance
- 3/10
-
Spawns new processes that are not known child processes
- details
-
Spawned process "Avro Keyboard 5.6.0 - Lava.exe" with commandline "/SILENT"
Spawned process "Avro Keyboard 5.6.0 - Lava.tmp" with commandline "/SL5="$100166,6480863,199168,%TEMP%\7ZipSfx.000\Avro Keyboard 5. ..." - source
- Monitored Target
- relevance
- 3/10
-
Contains ability to create named pipes for inter-process communication (IPC)
-
Installation/Persistence
-
Connects to LPC ports
- details
-
"AvroKeyboard5.6.0Silent-Lava.exe" connecting to "\ThemeApiPort"
"Avro Keyboard 5.6.0 - Lava.exe" connecting to "\ThemeApiPort"
"Avro Keyboard 5.6.0 - Lava.tmp" connecting to "\ThemeApiPort" - source
- API Call
- relevance
- 1/10
-
Contains ability to lookup the windows account name
- details
- GetUserNameW@ADVAPI32.DLL from Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
- source
- Hybrid Analysis Technology
- relevance
- 5/10
- ATT&CK ID
- T1033
-
Dropped files
- details
-
"Avro Spell Checker.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Description string Has Relative path Has Working directory Archive ctime=Mon Sep 2 17:55:22 2019 mtime=Mon Sep 2 17:55:22 2019 atime=Mon Aug 26 20:40:44 2019 length=1065072 window=hide"
"Avro Keyboard.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Description string Has Relative path Has Working directory Archive ctime=Mon Sep 2 17:55:22 2019 mtime=Mon Sep 2 17:55:22 2019 atime=Mon Aug 26 20:40:46 2019 length=4627568 window=hide"
"Skin Designer.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Description string Has Relative path Has Working directory Archive ctime=Mon Sep 2 17:55:22 2019 mtime=Mon Sep 2 17:55:22 2019 atime=Mon Aug 26 20:40:52 2019 length=1382000 window=hide"
"Avro Keyboard 5.6.0 - Lava.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"Layout Editor.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Description string Has Relative path Has Working directory Archive ctime=Mon Sep 2 17:55:22 2019 mtime=Mon Sep 2 17:55:22 2019 atime=Mon Aug 26 20:40:50 2019 length=1519728 window=hide"
"Configuring your system.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Archive ctime=Mon Sep 2 17:55:23 2019 mtime=Mon Sep 2 17:55:23 2019 atime=Fri Sep 24 15:25:48 2010 length=3785 window=hide"
"Avro Keyboard on the Web.lnk" has type "MS Windows shortcut Item id list present Has Description string Has Relative path Has Working directory ctime=Mon Jan 1 00:00:00 1601 mtime=Mon Jan 1 00:00:00 1601 atime=Mon Jan 1 00:00:00 1601 length=0 window=hide"
"is-OODVK.tmp" has type "XML 1.0 document ASCII text with CRLF line terminators"
"is-PTAHT.tmp" has type "XML 1.0 document UTF-8 Unicode (with BOM) text with CRLF line terminators"
"is-1PHDE.tmp" has type "XML 1.0 document ASCII text with CRLF line terminators"
"is-M3VFU.tmp" has type "XML 1.0 document UTF-8 Unicode (with BOM) text with CRLF line terminators"
"is-0NU0V.tmp" has type "GIF image data version 89a 404 x 485"
"is-8C1UQ.tmp" has type "Non-ISO extended-ASCII text with CRLF line terminators"
"_setup64.tmp" has type "PE32+ executable (console) x86-64 for MS Windows"
"is-MAKUQ.tmp" has type "PDF document version 1.5" - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"AvroKeyboard5.6.0Silent-Lava.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"AvroKeyboard5.6.0Silent-Lava.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
"AvroKeyboard5.6.0Silent-Lava.exe" touched file "C:\Windows\SysWOW64\shdocvw.dll"
"AvroKeyboard5.6.0Silent-Lava.exe" touched file "C:\Windows\SysWOW64\en-US\shdocvw.dll.mui"
"AvroKeyboard5.6.0Silent-Lava.exe" touched file "C:\Windows\SysWOW64\en-US\propsys.dll.mui"
"AvroKeyboard5.6.0Silent-Lava.exe" touched file "C:\Windows\SysWOW64\ieframe.dll"
"AvroKeyboard5.6.0Silent-Lava.exe" touched file "C:\Windows\SysWOW64\en-US\ieframe.dll.mui"
"AvroKeyboard5.6.0Silent-Lava.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"AvroKeyboard5.6.0Silent-Lava.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"AvroKeyboard5.6.0Silent-Lava.exe" touched file "C:\Windows\SysWOW64\en-US\setupapi.dll.mui"
"AvroKeyboard5.6.0Silent-Lava.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000017.db" - source
- API Call
- relevance
- 7/10
-
Connects to LPC ports
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "h.Bk/Cm/Cm/Bl.Bk-?h"
Heuristic match: "*DE#vaq.sV"
Pattern match: "http://www.omicronlab.com/"
Pattern match: "http://forum.omicronlab.com/"
Pattern match: "http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline"
Pattern match: "http://schemas.microsoft.com/SMI/2005/Windo"
Pattern match: "http://www.VistaArc.com/" - source
- File/Memory
- relevance
- 10/10
-
Found potential URL in binary/memory
-
Spyware/Information Retrieval
-
Found a reference to a known community page
- details
-
"myspace maispes" (Indicator: "myspace")
"twitter TuiTar" (Indicator: "twitter")
"youtube iuTiub" (Indicator: "youtube") - source
- File/Memory
- relevance
- 7/10
-
Found a reference to a known community page
-
System Security
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"AvroKeyboard5.6.0Silent-Lava.exe" opened "\Device\KsecDD"
"Avro Keyboard 5.6.0 - Lava.tmp" opened "\Device\KsecDD" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
-
"Avro Keyboard 5.6.0 Silent - Lava.exe.bin" was detected as "Microsoft visual C++ 5.0"
"Avro Keyboard 5.6.0 - Lava.exe" was detected as "Borland Delphi 4.0"
"_setup64.tmp" was detected as "Morphine v1.2 (DLL)"
"is-G1Q2V.tmp" was detected as "Borland Delphi 4.0" - source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1002
-
Matched Compiler/Packer signature
File Details
Avro Keyboard 5.6.0 Silent - Lava.exe
- Filename
- Avro Keyboard 5.6.0 Silent - Lava.exe
- Size
- 6.9MiB (7194537 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- a4bf9c373bec962d59b18278a23a3fdc0c6849f90da7dd49b3196399c5891607
- MD5
- 8c8b4cdf13035ef9437a4febfff14db9
- SHA1
- f8a6e2b03f49c9c874957be742eddf4fa12baeaf
- ssdeep
- 196608:+58T8HotrWb9T8DPlbAFLkebQAb5V3Wws17F:+O8ItrM+TlbNebQAb5817F
- imphash
- c769210c368165fcb9c03d3f832f55eb
- authentihash
- 1eb4ec24c1e22daea67fe8ddbd41af6448d03544b7b7eab0b8ff601a0c7bb2ed
- Compiler/Packer
- Microsoft visual C++ 5.0
Version Info
- LegalCopyright
- Lava
- FileVersion
- 5.6.0.0
- CompanyName
- CyberSpace
- ProductName
- Avro Keyboard
- CompiledBy
- Compiled by SFXMaker
- ProductVersion
- 5.6.0.0
- FileDescription
- Created By Lava
- Translation
- 0x0000 0x04b0
Classification (TrID)
- 33.6% (.EXE) OS/2 Executable (generic)
- 33.1% (.EXE) Generic Win/DOS Executable
- 33.1% (.EXE) DOS Executable Generic
Hybrid Analysis
Analysed 3 processes in total.
-
AvroKeyboard5.6.0Silent-Lava.exe
(PID: 4044)
-
Avro Keyboard 5.6.0 - Lava.exe
/SILENT
(PID: 2944)
- Avro Keyboard 5.6.0 - Lava.tmp /SL5="$100166,6480863,199168,%TEMP%\7ZipSfx.000\Avro Keyboard 5.6.0 - Lava.exe" /SILENT (PID: 1972)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Displaying 24 extracted file(s). The remaining 34 file(s) are available in the full version and XML/JSON reports.
-
Informative Selection 1
-
-
Avro Keyboard 5.6.0 - Lava.exe
- Size
- 4.9MiB (5177344 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Runtime Process
- Avro Keyboard 5.6.0 - Lava.exe (PID: 2944)
- MD5
- 5109ccf748dac9ce720d32a2aa95ea3c
- SHA1
- a161010f1266940f5d98c59068345839a33929c2
- SHA256
- ff8ef71fcc273be3319e9baebb7cab6a8f7140346c35355c7e9fd24431aed207
-
-
Informative 23
-
-
is-5A2PQ.tmp
- Size
- 2MiB (2116226 bytes)
- Runtime Process
- Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
- MD5
- 6870f8c8bc544dde4192eb270c30cb93
- SHA1
- e785d5ea8f06c87efed4f9568b87b6a70729e8db
- SHA256
- ee19a5addec7613f7aea07d55a53fcc28bfc05ce79f8e028ed219bf565df16fb
-
is-FKSVD.tmp
- Size
- 2MiB (2116147 bytes)
- Runtime Process
- Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
- MD5
- 27c0c87d8dfdfe0a0d494bdb4effaeb5
- SHA1
- 1f4fb7f1e7534cfac7cd963c4174de36ba6e9e6d
- SHA256
- 7313d2e255c3a8e8545d71145e60bf3931d9806c07553caf433f4eb2dae7aa51
-
is-H1J09.tmp
- Size
- 2MiB (2075372 bytes)
- Runtime Process
- Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
- MD5
- fcc154784d57000a7687807d6bc904e2
- SHA1
- 23d399b62a84664f3d236926afd3e2baf02d6e17
- SHA256
- 1a30c40e5f605a480dfec534987133368841bee9b4398eb122f0f39174fdae56
-
is-JV9FP.tmp
- Size
- 2MiB (2075443 bytes)
- Runtime Process
- Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
- MD5
- a32a1c81e5962480ec79dba012f65f20
- SHA1
- 01d238d52c03fc891ea7ad9c057c82784019b0df
- SHA256
- b12d480f302a66cc8c3c3c0959e2cf6b8d441ca37199ffacb519612cb79e5825
-
is-MMQID.tmp
- Size
- 1MiB (1064904 bytes)
- Runtime Process
- Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
- MD5
- 48b60e812b5cb3793bc84f7c9bebf9a1
- SHA1
- 6c439eaab29ea0d24849fc4cb96e98b2209a848a
- SHA256
- dfea88eced26784a99e07884af52ca01c41b964eab4b10ac3642ca44d622c2d0
-
is-1PHDE.tmp
- Size
- 96KiB (98227 bytes)
- Type
- text
- Description
- XML 1.0 document, ASCII text, with CRLF line terminators
- Runtime Process
- Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
- MD5
- 4b36ea14bd7af050079adf58abfd9dcf
- SHA1
- 64a269de5e621df9159b3bc184792e7792be44ac
- SHA256
- 145791285d311b4daf9b579afb39c93d63d838722fccd3bb41b10f1577724842
-
is-28RT5.tmp
- Size
- 208KiB (212867 bytes)
- Runtime Process
- Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
- MD5
- 6bd3e01335bad8f5f33e8b88a452ef37
- SHA1
- 2392319ee52acf921fd522b74fd3b975301c14db
- SHA256
- f8677434846191395e53430985edda2b8dc6dcf581ddd36abe7c7fd0bdc3db33
-
is-2A2MP.tmp
- Size
- 157KiB (160381 bytes)
- Runtime Process
- Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
- MD5
- 88930997c6cf9d8501810149a27b152f
- SHA1
- ec935c15118b549dc814efb8a92d242ec9b68fba
- SHA256
- 1e83db579042de8f8959318d93ed56e905d968eeefc13c6dad906052e37c755e
-
is-BMG85.tmp
- Size
- 117KiB (119455 bytes)
- Runtime Process
- Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
- MD5
- 89994b9e25dd7a7ddec78a5510c8586f
- SHA1
- 806923aa3024461e9e6700ba2678635324a80c70
- SHA256
- 33e65ad7a6c74b45b3a9eb3364ac488869f814d65d803b7d28fed82637acec1b
-
is-FTIO1.tmp
- Size
- 208KiB (212874 bytes)
- Runtime Process
- Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
- MD5
- e1e315b9eba758b2b5f8b4c1e94570f7
- SHA1
- 3130d4407ef78868b97a24fcd86e63e447acd04e
- SHA256
- 877c7313afceeea52219fe05d4cd3848035d6e776b795764ee1b1451c1db870f
-
is-M3VFU.tmp
- Size
- 155KiB (158614 bytes)
- Type
- text
- Description
- XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
- Runtime Process
- Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
- MD5
- cd151f567ed0b20fcc81f4cdbd08f979
- SHA1
- 9fb65aaa5738f2a318cfeab374d49b5ba967ee84
- SHA256
- f0441835884bba59e73edd9d326530c1a70ed41b6fc7643edd7181eb02970af4
-
is-OODVK.tmp
- Size
- 208KiB (212873 bytes)
- Type
- text
- Description
- XML 1.0 document, ASCII text, with CRLF line terminators
- Runtime Process
- Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
- MD5
- b63a971db98a86a2ad01f7d29c060473
- SHA1
- 46a03f3f3cdd8992ac4252d9ee38070f37241a66
- SHA256
- 5bc0f2e89967098c1c65ebdbb5b32da350712c3304c9e7e4f2103dce01ffaf70
-
is-PTAHT.tmp
- Size
- 191KiB (196019 bytes)
- Type
- text
- Description
- XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
- Runtime Process
- Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
- MD5
- c36714900875b55f68463b29c353e5f7
- SHA1
- 9477734a336062aa5c602376b211b8bfdafe32dd
- SHA256
- f52a2a373ade444ff33457936e67657b047a10ab4f287dc1c3cfbd5ab610d5f3
-
is-Q8BBR.tmp
- Size
- 208KiB (212876 bytes)
- Runtime Process
- Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
- MD5
- 7bf7f0deb9340d9f2f13e346220bfa86
- SHA1
- 489a14f269f70886d269b12a41e70710b0e1b159
- SHA256
- 4bc84f23079b0ae1a8e488005cfbf5a8c9a2bf4284edada242c920d16f18c4b2
-
is-SFD4L.tmp
- Size
- 100KiB (102235 bytes)
- Runtime Process
- Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
- MD5
- 4858ddf8937ef54c62afbfcdf227736d
- SHA1
- 8aab3e5d5bbebab5ba1867f066767ae94cd5c040
- SHA256
- 9680bb8631aa6f5cad6861265d294bd8e14a1835b7f21c5f18c06bb891545c3c
-
is-VH78A.tmp
- Size
- 124KiB (127203 bytes)
- Runtime Process
- Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
- MD5
- fc950b2a30de62fa445b8382f8bc8e4e
- SHA1
- 381e2ec18b85c66aefb174468012d16c1854c40f
- SHA256
- 0b5ed4a0a68a04adbf28011504a7265faf5fa0759aa1efebe96a54c817d09b49
-
is-8C1UQ.tmp
- Size
- 41KiB (41969 bytes)
- Type
- text
- Description
- Non-ISO extended-ASCII text, with CRLF line terminators
- Runtime Process
- Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
- MD5
- a14dfbec8d64baf0d036f321cbd80b59
- SHA1
- 4e9476d3627f8d0c9af71b67a63ad1d5d1f64f04
- SHA256
- a1be6481291e57759cd1c21884cc5e8edc6d2b92c575bef8a2eeec31c247b456
-
Avro Keyboard on the Web.lnk
- Size
- 928B (928 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has Working directory, ctime=Mon Jan 1 00:00:00 1601, mtime=Mon Jan 1 00:00:00 1601, atime=Mon Jan 1 00:00:00 1601, length=0, window=hide
- Runtime Process
- Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
- MD5
- b748c8ee5b27d2f8e32e8169e95758bf
- SHA1
- 6cb58e741f01a16cee0c3bc3727b908599d8b7fe
- SHA256
- 584f5cb50607fd43adb5d01563974bbb995d7e1556a560a7969035fdf8a4eb6f
-
Configuring your system.lnk
- Size
- 1.1KiB (1110 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Sep 2 17:55:23 2019, mtime=Mon Sep 2 17:55:23 2019, atime=Fri Sep 24 15:25:48 2010, length=3785, window=hide
- Runtime Process
- Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
- MD5
- 0239e9cc9e8b43009e6adf99e756b73a
- SHA1
- 514c8473641478b60b1ff1c7d20d19bfd42b9830
- SHA256
- a2bfabe55006f4d8db9bdc837cb371d3711fef02456f384c2f2c3fffd982b12c
-
Layout Editor.lnk
- Size
- 1.1KiB (1143 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Mon Sep 2 17:55:22 2019, mtime=Mon Sep 2 17:55:22 2019, atime=Mon Aug 26 20:40:50 2019, length=1519728, window=hide
- Runtime Process
- Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
- MD5
- ed716eba48b7ff8eee8d2ac0a590de26
- SHA1
- 0fdbee3ff1c3c552ebee3b0620f529429f05b89f
- SHA256
- 57a957158312508965eeb68911528dfe96327f79b27187437326207bf26fb193
-
Skin Designer.lnk
- Size
- 1.1KiB (1155 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Mon Sep 2 17:55:22 2019, mtime=Mon Sep 2 17:55:22 2019, atime=Mon Aug 26 20:40:52 2019, length=1382000, window=hide
- Runtime Process
- Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
- MD5
- c76bf4efde26aa72ccf44e6c7a7a3390
- SHA1
- 447b64025ffd0fd478b8d53de08151249784e8d6
- SHA256
- 7af9bb9a567d00d9c899c90188f80a7042d6fa6e9096ed10fe939c866838b148
-
Avro Keyboard.lnk
- Size
- 1.2KiB (1181 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Mon Sep 2 17:55:22 2019, mtime=Mon Sep 2 17:55:22 2019, atime=Mon Aug 26 20:40:46 2019, length=4627568, window=hide
- Runtime Process
- Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
- MD5
- ef49b688e52cd5f7e606943835c0ed00
- SHA1
- b487aaf6825ed5cde59486f1b7d47cd0fcad38e3
- SHA256
- d91f42424bb4f8e13b96307f4484f61e987cd7dbe28d5c80c67b12b9b7b36093
-
Avro Spell Checker.lnk
- Size
- 1.2KiB (1206 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Mon Sep 2 17:55:22 2019, mtime=Mon Sep 2 17:55:22 2019, atime=Mon Aug 26 20:40:44 2019, length=1065072, window=hide
- Runtime Process
- Avro Keyboard 5.6.0 - Lava.tmp (PID: 1972)
- MD5
- 8e1bd2cb3d0260bcf51a76ba5a84eecc
- SHA1
- b7c60ded4a92dc523f55b879080f1a754ab21665
- SHA256
- a6b1f0e54af0373db3ec3bd679c88cd6ab6e9dc09e93133e08ea4ad344b88bc1
-
Notifications
-
Runtime
- Network whitenoise filtering (Process) was applied
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-11" are available in the report
- Not all sources for indicator ID "api-25" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "registry-72" are available in the report
- Not all sources for indicator ID "static-6" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report