SlideDriver_Redist_x86.exe
This report is generated from a file or URL submitted to this webservice on September 22nd 2017 16:08:33 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v6.91 © Hybrid Analysis
Incident Response
Risk Assessment
- Persistence: Spawns a lot of processes; Writes data to a remote process
- Fingerprint: Reads the active computer name; Reads the cryptographic machine GUID
- Evasive: References security related Windows services
- Spreading: Opens the MountPointManager (often used to detect additional infection locations)
Additional Context
Related Sandbox Artifacts
- Associated URLs: hxxp://www.3dhistech.com/data/downloads/Installs_new/Recent/SlideDriverRedist_x86/1.15.3/SlideDriver_Redist_x86.exe
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (5)
General

The analysis extracted a file that was identified as malicious
- details:
  - 1/57 Antivirus vendors marked dropped file "Uninstall-SlideDriver_redist_x86.exe" as malicious (classified as "W32.eHeur" with 1% detection rate)
  - 1/65 Antivirus vendors marked dropped file "System.dll" as malicious (classified as "Unsafe" with 1% detection rate)
- source: Binary File
- relevance: 10/10

Installation/Persistence

Writes data to a remote process
- details:
  - "<Input Sample>" wrote 1500 bytes to a remote process "%TEMP%\3DHISTECH\Prerequisites\vcredist10_x86_sp1\vcredist_x86.exe" (Handle: 8)
  - "<Input Sample>" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\3DHISTECH\Prerequisites\vcredist10_x86_sp1\vcredist_x86.exe" (Handle: 8)
  - "<Input Sample>" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\3DHISTECH\Prerequisites\vcredist10_x86_sp1\vcredist_x86.exe" (Handle: 8)
  - "<Input Sample>" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\3DHISTECH\Prerequisites\vcredist10_x86_sp1\vcredist_x86.exe" (Handle: 8)
  - "vcredist_x86.exe" wrote 1500 bytes to a remote process "C:\e75a2ff13b8f263ea679903d8ca77c1b\Setup.exe" (Handle: 308)
  - "vcredist_x86.exe" wrote 4 bytes to a remote process "C:\e75a2ff13b8f263ea679903d8ca77c1b\Setup.exe" (Handle: 308)
  - "vcredist_x86.exe" wrote 32 bytes to a remote process "C:\e75a2ff13b8f263ea679903d8ca77c1b\Setup.exe" (Handle: 308)
  - "vcredist_x86.exe" wrote 52 bytes to a remote process "C:\e75a2ff13b8f263ea679903d8ca77c1b\Setup.exe" (Handle: 308)
- source: API Call
- relevance: 6/10

System Security

References security related Windows services
- details:
  - "wuauserv" (Indicator: "wuauserv")
- source: File/Memory
- relevance: 7/10

Unusual Characteristics

Contains ability to reboot/shutdown the operating system
- details:
  - ExitWindowsEx@USER32.dll
- source: Hybrid Analysis Technology
- relevance: 5/10

Spawns a lot of processes
- details:
  - Spawned process "<Input Sample>"
  - Spawned process "cmd.exe" with commandline "/C "dism /online /get-drivers > dism_getdrivers.log 2> dism_getdrivers_stderr.log""
  - Spawned process "Dism.exe" with commandline "dism /online /get-drivers"
  - Spawned process "DismHost.exe" with commandline "{CF7C32B6-9BDD-446D-B9CA-87CBB2DF6859}"
  - Spawned process "DismHost.exe" with commandline "{7E3BF719-6E5A-42C0-87F2-59912874E49E}"
  - Spawned process "cmd.exe" with commandline "/C "cd %TEMP%\nse4007.tmp&&PnPUtil -i -a SlideDriver_USB_Driver_32_Bit.inf > SlideDriver_USB_Driver.log 2> SlideDriver_USB_Driver_stderr.log""
  - Spawned process "PnPutil.exe" with commandline "PnPUtil -i -a SlideDriver_USB_Driver_32_Bit.inf"
  - Spawned process "vcredist_x86.exe" with commandline "/q"
  - Spawned process "Setup.exe" with commandline "/q"
- source: Monitored Target
- relevance: 8/10

Suspicious Indicators (26)
Anti-Detection/Stealthiness

Contains ability to open/control a service
- details:
  - OpenServiceW@ADVAPI32.dll
  - ControlService@ADVAPI32.dll
- source: Hybrid Analysis Technology
- relevance: 8/10

Possibly tries to hide a process launching it with different user credentials
- details:
  - ImpersonateLoggedOnUser@ADVAPI32.dll
- source: Hybrid Analysis Technology
- relevance: 3/10

Anti-Reverse Engineering

Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
- details:
  - "DismHost.exe" is protecting 8192 bytes with PAGE_GUARD access rights
- source: API Call
- relevance: 10/10

PE file has unusual entropy sections
- details:
  - Sections "UPX1" and ".rsrc" have unusual entropies (7.85010237441 and 7.99970141726)
- source: Static Parser
- relevance: 10/10

PE file is packed with UPX
- details:
  - "LockedList.dll" has a section named "UPX0"
  - "LockedList.dll" has a section named "UPX1"
- source: Static Parser
- relevance: 10/10

Cryptographic Related

Found a cryptographic related string
- details:
  - "DES" (Indicator: "des"; File: "MarzhauserTango.dll.1535837286")
- source: File/Memory
- relevance: 10/10

Environment Awareness

Reads the active computer name
- details:
  - "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - "Dism.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - "DismHost.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - "PnPutil.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - "vcredist_x86.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - "Setup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10

Reads the cryptographic machine GUID
- details:
  - "Dism.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - "DismHost.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - "PnPutil.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  - "vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10

External Systems

Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details:
  - 1/62 reputation engines marked "http://nsis.sf.net" as malicious (1% detection rate)
- source: External System
- relevance: 10/10

General

Contains ability to find and load resources of a specific module
- details:
  - FindResourceExW@KERNEL32.dll
  - FindResourceW@KERNEL32.dll
  - LockResource@KERNEL32.dll
  - FindResourceW@KERNEL32.dll
  - FindResourceW@KERNEL32.dll
  - FindResourceExW@KERNEL32.dll
  - FindResourceW@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10

Opened the service control manager
- details:
  - "PnPutil.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
  - "vcredist_x86.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
  - "Setup.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
- source: API Call
- relevance: 10/10

Requested access to a system service
- details:
  - "PnPutil.exe" called "OpenService" to access the "CryptSvc" service
  - "vcredist_x86.exe" called "OpenService" to access the "ClusSvc" service
  - "Setup.exe" called "OpenService" to access the "ServicesActive" service requesting "SERVICE_QUERY_STATUS" (0X4) access rights
  - "Setup.exe" called "OpenService" to access the "gpsvc" service
  - "Setup.exe" called "OpenService" to access the "MSIServer" service
- source: API Call
- relevance: 10/10

Sent a control code to a service
- details:
  - "PnPutil.exe" called "ControlService" and sent control code "0X400" to the service "CryptSvc"
  - "Setup.exe" called "ControlService" and sent control code "0X24" to the service "gpsvc"
  - "Setup.exe" called "ControlService" and sent control code "0XFC" to the service "gpsvc"
  - "Setup.exe" called "ControlService" and sent control code "SERVICE_CONTROL_STOP" (0X1) to the service "MSIServer"
- source: API Call
- relevance: 10/10

Installation/Persistence

Drops executable files
- details:
  - "SetupResources.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "Banner.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "SetupEngine.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "Uninstall-SlideDriver_redist_x86.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows Nullsoft Installer self-extracting archive"
  - "System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "sqmapi.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "MarzhauserTango.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "LockedList.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows UPX compressed"
  - "UserInfo.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  - "vcredist_x86.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  - "SetupUi.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source: Binary File
- relevance: 10/10

The input sample dropped/contains a certificate file
- details:
  - File "slidedriver_usb_driver_32_bit.cat" is a certificate (Owner: CN=markusl; Issuer: CN=markusl; SerialNumber: -5cc3857948d59660b9b49b1a10f5955e; Valid From: 05/29/2006 11:19:26; Until: 05/05/2106 11:19:26; Fingerprints: MD5=02:A6:64:FD:9E:35:1F:F9:E4:C9:18:9C:91:5C:C4:97; SHA1=EF:B9:2D:37:80:97:5B:9F:CE:57:A0:05:97:A9:39:73:3A:A5:50:46)
  - File "slidedriver_usb_driver_32_bit.cat" is a certificate (Owner: EMAILADDRESS=Markus.Lehr@marzhauser-st.de, CN=Thawte Freemail Member; Issuer: CN=Thawte Personal Freemail Issuing CA, O=Thawte Consulting Pty Ltd., C=ZA; SerialNumber: 174febe39937decf6ed9920559a22048; Valid From: 06/30/2009 14:32:11; Until: 06/30/2010 14:32:11; Fingerprints: MD5=F3:DD:D8:4B:08:18:17:5C:0D:21:4F:97:4F:64:41:AB; SHA1=CD:CC:F0:E7:02:2F:6A:DF:39:D2:10:13:38:BF:1A:D5:4D:69:56:53)
  - File "slidedriver_usb_driver_32_bit.cat" is a certificate (Owner: CN=GlobalSign Timestamping CA, O=GlobalSign, OU=Timestamping CA; Issuer: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE; SerialNumber: 400000000012019c19066; Valid From: 03/18/2009 12:00:00; Until: 01/28/2028 13:00:00; Fingerprints: MD5=B7:87:46:90:93:AD:42:CE:DD:3D:13:01:68:51:70:8B; SHA1=95:8D:23:90:2D:54:48:31:4F:2F:81:10:34:35:6A:58:25:5C:DC:9B)
  - File "slidedriver_usb_driver_32_bit.cat" is a certificate (Owner: CN="Maerzhaeuser Wetzlar GmbH + Co. KG", O="Maerzhaeuser Wetzlar GmbH + Co. KG", L=Wetzlar, C=DE; Issuer: CN=GlobalSign ObjectSign CA, OU=ObjectSign CA, O=GlobalSign nv-sa, C=BE; SerialNumber: 100000000012240a65718; Valid From: 07/03/2009 12:51:30; Until: 07/03/2012 12:51:26; Fingerprints: MD5=3A:EE:42:3F:9B:F0:E5:C3:CA:59:3E:A1:E6:B6:A3:18; SHA1=4B:97:BB:14:63:D0:26:0D:5D:03:2B:63:F2:77:F5:43:B0:9B:CD:75)
  - File "slidedriver_usb_driver_32_bit.cat" is a certificate (Owner: CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE; Issuer: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE; SerialNumber: 400000000012f4ee1355c; Valid From: 04/13/2011 11:00:00; Until: 04/13/2019 11:00:00; Fingerprints: MD5=F8:A5:9A:1B:BE:4B:6D:90:06:29:16:1B:33:AB:21:B6; SHA1=90:00:40:17:77:DD:2B:43:39:3D:7B:59:4D:2F:F4:CB:A4:51:6B:38)
  - File "slidedriver_usb_driver_32_bit.cat" is a certificate (Owner: CN=GlobalSign Time Stamping Authority, O=GlobalSign NV, C=BE; Issuer: CN=GlobalSign Timestamping CA, O=GlobalSign, OU=Timestamping CA; SerialNumber: 1000000000125b0b4cc01; Valid From: 12/21/2009 10:32:56; Until: 12/22/2020 10:32:56; Fingerprints: MD5=70:3B:66:2F:1B:DE:9A:7C:11:D9:56:77:73:4B:35:BB; SHA1=AE:DF:7D:F7:6B:BA:24:10:D6:7D:BA:F1:8F:5B:A1:5B:41:7E:49:6C)
  - File "slidedriver_usb_driver_32_bit.cat" is a certificate (Owner: CN="Maerzhaeuser Wetzlar GmbH + Co. KG", O="Maerzhaeuser Wetzlar GmbH + Co. KG", L=Wetzlar, ST=Hessen, C=DE; Issuer: CN=GlobalSign CodeSigning CA - G2, O=GlobalSign nv-sa, C=BE; SerialNumber: 1121dab0889967f5e7e514da73a4222978b9; Valid From: 08/06/2012 11:45:54; Until: 07/17/2015 17:05:02; Fingerprints: MD5=97:ED:69:18:51:61:13:07:5B:43:5A:55:0A:B3:AE:40; SHA1=D4:8B:52:AD:34:64:E6:27:7E:88:4C:F5:D6:8B:46:27:6E:C9:1A:78)
  - File "slidedriver_usb_driver_32_bit.cat" is a certificate (Owner: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE; Issuer: CN=Microsoft Code Verification Root, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; SerialNumber: 610b7f6b000000000019; Valid From: 05/23/2006 18:00:51; Until: 05/23/2016 18:10:51; Fingerprints: MD5=88:2E:CF:2B:03:10:AF:61:15:C6:B2:E9:2C:E5:0B:44; SHA1=3E:EB:27:50:A1:99:F5:E7:B6:A8:95:24:30:BE:50:62:FE:04:E9:E5)
- source: Binary File
- relevance: 10/10

Pattern Matching

Contains ability to download files from the internet
- details:
  - URLDownloadToFileW@urlmon.dll
- source: Hybrid Analysis Technology
- relevance: 10/10

System Security

Modifies Software Policy Settings
- details:
  - "Setup.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
  - "Setup.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
  - "Setup.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
  - "Setup.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
  - "Setup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
  - "Setup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
  - "Setup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
  - "Setup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
  - "Setup.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
  - "Setup.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
  - "Setup.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
  - "Setup.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
  - "Setup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
  - "Setup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
  - "Setup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
  - "Setup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
  - "Setup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
  - "Setup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
  - "Setup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
  - "Setup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
- source: Registry Access
- relevance: 10/10

Unusual Characteristics

CRC value set in PE header does not match actual value
- details:
  - "SetupResources.dll" claimed CRC 41779 while the actual is CRC 5658726
  - "SetupEngine.dll" claimed CRC 865051 while the actual is CRC 51686
  - "sqmapi.dll" claimed CRC 187218 while the actual is CRC 41597
  - "SetupResources.dll" claimed CRC 38461 while the actual is CRC 187218
  - "SetupResources.dll" claimed CRC 50040 while the actual is CRC 38461
  - "SetupResources.dll" claimed CRC 49961 while the actual is CRC 50040
  - "SetupResources.dll" claimed CRC 64854 while the actual is CRC 49961
  - "MarzhauserTango.dll" claimed CRC 630069 while the actual is CRC 64854
  - "SetupResources.dll" claimed CRC 78419 while the actual is CRC 630069
  - "SetupResources.dll" claimed CRC 46274 while the actual is CRC 78419
  - "SetupResources.dll" claimed CRC 58580 while the actual is CRC 47569
  - "SetupResources.dll" claimed CRC 54426 while the actual is CRC 58580
  - "vcredist_x86.exe" claimed CRC 5032376 while the actual is CRC 54426
  - "SetupResources.dll" claimed CRC 34351 while the actual is CRC 5032376
  - "SetupUi.dll" claimed CRC 296057 while the actual is CRC 34351
  - "Setup.exe" claimed CRC 138271 while the actual is CRC 296057
  - "SlideDriver_32_Bit_DLL.dll" claimed CRC 132921 while the actual is CRC 138271
- source: Static Parser
- relevance: 10/10

Entrypoint in PE header is within an uncommon section
- details:
  - "LockedList.dll" has an entrypoint in section "UPX1"
- source: Static Parser
- relevance: 10/10

Imports suspicious APIs
- details:
  - RegDeleteKeyA, RegCloseKey, RegOpenKeyExA, RegDeleteValueA, RegCreateKeyExA, RegEnumKeyA, GetFileAttributesA, CopyFileA, GetModuleFileNameA, LoadLibraryA
  - LoadLibraryExA, GetFileSize, CreateDirectoryA, DeleteFileA, GetCommandLineA, GetProcAddress, GetTempPathA, CreateThread, GetModuleHandleA, FindFirstFileA
  - WriteFile, GetTempFileNameA, FindNextFileA, CreateProcessA, Sleep, CreateFileA, GetTickCount, ShellExecuteA, FindWindowExA, RegCreateKeyExW
  - StartServiceW, SetSecurityDescriptorDacl, OpenProcessToken, RegOpenKeyExW, GetFileAttributesW, OpenFileMappingW, FindResourceExW, ConnectNamedPipe, CopyFileW, OutputDebugStringW
  - GetModuleFileNameW, IsDebuggerPresent, Process32FirstW, UnhandledExceptionFilter, DisconnectNamedPipe, CreateToolhelp32Snapshot, LoadLibraryW, GetVersionExW, VirtualProtect, OpenProcess
  - GetStartupInfoW, CreateDirectoryW, DeleteFileW, GetTempFileNameW, CreateFileMappingW, GetFileSizeEx, FindNextFileW, FindFirstFileW, TerminateProcess, CreateFileW
  - FindResourceW, Process32NextW, LockResource, GetCommandLineW, MapViewOfFile, GetModuleHandleW, GetFileAttributesExW, GetTempPathW, CreateProcessW, VirtualAlloc
  - GetWindowThreadProcessId, URLDownloadToFileW, RegDeleteValueW, GetVersionExA, RegEnumKeyExW, RegDeleteKeyW, LoadLibraryExW, GetStartupInfoA, GetUserNameA, DeviceIoControl
  - GetDriveTypeA, ShellExecuteW, SetWindowsHookExW
- source: Static Parser
- relevance: 1/10

Reads information about supported languages
- details:
  - "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - "cmd.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - "vcredist_x86.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10

Hiding 5 Suspicious Indicators (all indicators are available only in the private webservice or standalone version)

Informative Indicators (26)
Anti-Reverse Engineering

Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details:
  - SetUnhandledExceptionFilter@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10

PE file contains zero-size sections
- details:
  - Raw size of ".ndata" is zero
  - Raw size of "UPX0" is zero
- source: Static Parser
- relevance: 10/10

Environment Awareness

Contains ability to query machine time
- details:
  - GetLocalTime@KERNEL32.dll
  - GetLocalTime@KERNEL32.dll
  - GetSystemTime@KERNEL32.dll
  - GetSystemTime@KERNEL32.dll
  - GetSystemTime@KERNEL32.dll
  - GetSystemTime@KERNEL32.dll
  - GetSystemTimeAsFileTime@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query the machine timezone
- details:
  - GetTimeZoneInformation@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query the machine version
- details:
  - GetVersionExW@KERNEL32.dll
  - GetVersionExW@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query the system locale
- details:
  - EnumSystemLocalesA@KERNEL32.dll
  - GetUserDefaultLCID@KERNEL32.dll
  - EnumSystemLocalesA@KERNEL32.dll
  - EnumSystemLocalesA@KERNEL32.dll
  - GetUserDefaultLCID@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10

Possibly tries to detect the presence of a debugger
- details:
  - GetProcessHeap@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10

Reads the registry for installed applications
- details:
  - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SLIDEDRIVER REDIST X86")
  - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}")
  - "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}"; Key: "DISPLAYNAME"; Value: "0000000001000000780000004D006900630072006F0073006F00660074002000560069007300750061006C00200043002B002B002000320030003100300020002000780038003600200052006500640069007300740072006900620075007400610062006C00650020002D002000310030002E0030002E00340030003200310039000000")
- source: Registry Access
- relevance: 10/10

External Systems

Sample was identified as clean by Antivirus engines
- details:
  - 0/65 Antivirus vendors marked sample as malicious (0% detection rate)
- source: External System
- relevance: 10/10

General

Accesses Software Policy Settings
- details:
  - "Setup.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
  - "Setup.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
  - "Setup.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
  - "Setup.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
  - "Setup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
  - "Setup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
  - "Setup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
  - "Setup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
  - "Setup.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
  - "Setup.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
  - "Setup.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
  - "Setup.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
  - "Setup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
  - "Setup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
  - "Setup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
  - "Setup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
  - "Setup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
  - "Setup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
  - "Setup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
  - "Setup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "")
- source: Registry Access
- relevance: 10/10

Accesses System Certificates Settings
- details:
  - "Setup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
  - "Setup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
  - "Setup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
  - "Setup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "BLOB")
  - "Setup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA"; Key: "BLOB")
  - "Setup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
  - "Setup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
  - "Setup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
  - "Setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
  - "Setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
  - "Setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\109F1CAED645BB78B3EA2B94C0697C740733031C"; Key: "BLOB")
  - "Setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\D559A586669B08F46A30A133F8A9ED3D038E2EA8"; Key: "BLOB")
  - "Setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FEE449EE0E3965A5246F000E87FDE2A065FD89D4"; Key: "BLOB")
  - "Setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
  - "Setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS\A377D1B1C0538833035211F4083D00FECC414DAB"; Key: "BLOB")
  - "Setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
  - "Setup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
- source: Registry Access
- relevance: 10/10

Contains PDB pathways
- details:
  - "SetupResources.pdb"
  - "d:\Data\svn\modules\3dh_common\trunk\src\MarzhauserTango\MarzhauserTangoModule\Win32\Release\MarzhauserTango.pdb"
  - "SetupEngine.pdb"
  - "sqmapi.pdb"
- source: File/Memory
- relevance: 1/10

Contains ability to create named pipes for inter-process communication (IPC)
- details:
  - CreateNamedPipeW@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 10/10

Creates a writable file in a temporary directory
- details:
  - "<Input Sample>" created file "%TEMP%\nse4007.tmp\UserInfo.dll"
  - "<Input Sample>" created file "%TEMP%\nse4007.tmp\System.dll"
  - "<Input Sample>" created file "%TEMP%\nse4007.tmp\modern-header.bmp"
  - "<Input Sample>" created file "%TEMP%\nse4007.tmp\modern-wizard.bmp"
  - "<Input Sample>" created file "%TEMP%\nse4007.tmp\nsDialogs.dll"
  - "<Input Sample>" created file "%TEMP%\nse4007.tmp\LockedList.dll"
- source: API Call
- relevance: 1/10

Creates mutants
- details:
  - "\Sessions\1\BaseNamedObjects\Global\WdsSetupLogInit"
  - "\Sessions\1\BaseNamedObjects\DBWinMutex"
  - "\Sessions\1\BaseNamedObjects\Global\SetupLog"
  - "\Sessions\1\BaseNamedObjects\Global\_MSIExecute"
  - "DBWinMutex"
  - "Global\_MSIExecute"
  - "Global\MSILOG_4317d0a01d333f8txt.ism.der_cv_ISM-755622161_22907102_puteS elbatubirtsideR 68x 0102 ++C lausiV tfosorciM_pmeT_lacoL_ataDppA_SWBUPSP_sresU_:C"
  - "Global\VC_Redist_SetupMutex"
  - "\Sessions\1\BaseNamedObjects\Global\VC_Redist_SetupMutex"
  - "\Sessions\1\BaseNamedObjects\Global\MSILOG_4317d0a01d333f8txt.ism.der_cv_ISM-755622161_22907102_puteS elbatubirtsideR 68x 0102 ++C lausiV tfosorciM_pmeT_lacoL_ataDppA_SWBUPSP_sresU_:C"
- source: Created Mutant
- relevance: 3/10

Drops files marked as clean
- details:
  - Antivirus vendors marked dropped file "SetupResources.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
  - Antivirus vendors marked dropped file "Banner.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
  - Antivirus vendors marked dropped file "SetupEngine.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
  - Antivirus vendors marked dropped file "sqmapi.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
  - Antivirus vendors marked dropped file "slidedriver_usb_driver_32_bit.cat" as clean (type is "data")
  - Antivirus vendors marked dropped file "MarzhauserTango.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
  - Antivirus vendors marked dropped file "LockedList.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows UPX compressed")
  - Antivirus vendors marked dropped file "UserInfo.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
  - Antivirus vendors marked dropped file "vcredist_x86.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
  - Antivirus vendors marked dropped file "SetupUi.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
  - Antivirus vendors marked dropped file "Setup.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
- source: Binary File
- relevance: 10/10

Loads rich edit control libraries
- details:
  - "<Input Sample>" loaded module "%WINDIR%\System32\riched20.dll" at 6A420000
- source: Loaded Module

Process launched with changed environment
- details:
  - Process "Setup.exe" was launched with new environment variables: "_SFX_CAB_SHUTDOWN_REQUEST="c:\e75a2ff13b8f263ea679903d8ca77c1b\$shtdwn$.req", _SFX_CAB_EXE_PARAMETERS=" /q", _SFX_CAB_EXE_PATH="c:\e75a2ff13b8f263ea679903d8ca77c1b", _SFX_CAB_EXE_PACKAGE="%TEMP%\3DHISTECH\Prerequisites\vcredist10_x86_sp1\vcredist_x86.exe""
- source: Monitored Target
- relevance: 10/10

Reads Windows Trust Settings
- details:
  - "Setup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source: Registry Access
- relevance: 5/10

Runs shell commands
- details:
  - "/C "dism /online /get-drivers > dism_getdrivers.log 2> dism_getdrivers_stderr.log"" on 2017-9-22.16:09:15.305
  - "/C "cd %TEMP%\nse4007.tmp&&PnPUtil -i -a SlideDriver_USB_Driver_32_Bit.inf > SlideDriver_USB_Driver.log 2> SlideDriver_USB_Driver_stderr.log"" on 2017-9-22.16:11:18.679
- source: Monitored Target
- relevance: 5/10

Scanning for window names
- details:
  - "<Input Sample>" searching for class "#32770"
- source: API Call
- relevance: 10/10

Spawns new processes
- details:
  - Spawned process "cmd.exe" with commandline "/C "dism /online /get-drivers > dism_getdrivers.log 2> dism_getdrivers_stderr.log""
  - Spawned process "Dism.exe" with commandline "dism /online /get-drivers"
  - Spawned process "DismHost.exe" with commandline "{CF7C32B6-9BDD-446D-B9CA-87CBB2DF6859}"
  - Spawned process "DismHost.exe" with commandline "{7E3BF719-6E5A-42C0-87F2-59912874E49E}"
  - Spawned process "cmd.exe" with commandline "/C "cd %TEMP%\nse4007.tmp&&PnPUtil -i -a SlideDriver_USB_Driver_32_Bit.inf > SlideDriver_USB_Driver.log 2> SlideDriver_USB_Driver_stderr.log""
  - Spawned process "PnPutil.exe" with commandline "PnPUtil -i -a SlideDriver_USB_Driver_32_Bit.inf"
  - Spawned process "vcredist_x86.exe" with commandline "/q"
  - Spawned process "Setup.exe" with commandline "/q"
- source: Monitored Target
- relevance: 3/10

Installation/Persistance
-
Dropped files
- details
- "SetupResources.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "Banner.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "SetupEngine.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "Uninstall-SlideDriver_redist_x86.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows Nullsoft Installer self-extracting archive"
- "System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "sqmapi.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "slidedriver_usb_driver_32_bit.cat" has type "data"
- "MarzhauserTango.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "LockedList.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows UPX compressed"
- "UserInfo.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "vcredist_x86.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 3/10
Touches files in the Windows directory
- details
- "<Input Sample>" touched file "C:\Windows\Globalization\Sorting\sortdefault.nls"
- "<Input Sample>" touched file "C:\Windows\system32\en-US\SETUPAPI.dll.mui"
- "<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
- "<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
- "<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
- "<Input Sample>" touched file "C:\Windows\system32\en-US\USER32.dll.mui"
- "<Input Sample>" touched file "C:\Windows\system32\en-US\MSCTF.dll.mui"
- "<Input Sample>" touched file "C:\Windows\Fonts\staticcache.dat"
- "<Input Sample>" touched file "C:\Windows\System32\smss.exe"
- "<Input Sample>" touched file "C:\Windows\System32\en-US\smss.exe.mui"
- "<Input Sample>" touched file "C:\Windows\System32\csrss.exe"
- "<Input Sample>" touched file "C:\Windows\System32\en-US\csrss.exe.mui"
- "<Input Sample>" touched file "C:\Windows\System32\wininit.exe"
- "<Input Sample>" touched file "C:\Windows\System32\en-US\wininit.exe.mui"
- source
- API Call
- relevance
- 7/10
Network Related
Found potential URL in binary/memory
- details
- Pattern match: "http://nsis.sf.net/NSIS_Error"
- Heuristic match: "eQBQe9.vA"
- Pattern match: "http://sqm.microsoft.com/sqm/vstudio/sqmserver.dll"
- Pattern match: "http://schemas.microsoft.com/Setup/2008/01/im"
- Pattern match: "http://www.microsoft.com"
- Pattern match: "ft.com/sqm/vstudio/sqmserver.dll"
- Heuristic match: "CatalogFile=SlideDriver_USB_Driver_32_Bit.cat"
- source
- File/Memory
- relevance
- 10/10
Unusual Characteristics
Matched Compiler/Packer signature
- details
- "b01a4f404d45f47cd3692842c18c97955fc3bbab4d4a90a97010261dc928f1ef.exe.bin" was detected as "Nullsoft PiMP Stub -> SFX"
- "SetupResources.dll" was detected as "Microsoft visual C++ vx.x DLL"
- "SetupEngine.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
- "Uninstall-SlideDriver_redist_x86.exe" was detected as "Nullsoft PiMP Stub -> SFX"
- "sqmapi.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
- "MarzhauserTango.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
- "LockedList.dll" was detected as "UPX v0.89.6 - v1.02 / v1.05 - v1.22 DLL"
- "vcredist_x86.exe" was detected as "Microsoft visual C++ v7.1 EXE"
- "SetupUi.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
- "Setup.exe" was detected as "VC8 -> Microsoft Corporation"
- "SlideDriver_32_Bit_DLL.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
- source
- Static Parser
- relevance
- 10/10
File Details
SlideDriver_Redist_x86.exe
- Filename
- SlideDriver_Redist_x86.exe
- Size
- 5.3MiB (5597062 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- Architecture
- WINDOWS
- SHA256
- b01a4f404d45f47cd3692842c18c97955fc3bbab4d4a90a97010261dc928f1ef
- MD5
- 6396b76309a41630967e57408cce0c72
- SHA1
- b3b716c1307cc302206fd08a96c3bc44bc7494a0
- ssdeep
- 98304:Qx6GqkJIMRyuIFOMHKQClkM+8yuT9nuYXW84PIAXu9LmTgU7on9StkHCabt1:QwGqGRyuIgMHKQCGM+ST0YG8w/ZT1Sfb
- imphash
- 1c042238f43557c055fca8642de8a074
- authentihash
- 427c0bebb46d8563b46c4c8a4bb84067414864eceb61fc7ae10662ae3d6ff881
- Compiler/Packer
- Nullsoft PiMP Stub -> SFX
- PDB Pathway
Version Info
- LegalCopyright
- Copyright 2001-2013 3DHISTECH Ltd. All rights reserved.
- FileVersion
- 1.15.3.31533
- CompanyName
- 3DHISTECH Ltd.
- LegalTrademarks
- SlideDriver Redist x86 is a trademark of 3DHISTECH Ltd.
- ProductName
- SlideDriver Redist x86
- ProductVersion
- 1.15.3.31533
- FileDescription
- SlideDriver for x86
- Translation
- 0x0000 0x04e4
Classification (TrID)
- 94.8% (.EXE) NSIS - Nullsoft Scriptable Install System
- 3.4% (.EXE) Win32 Executable MS Visual C++ (generic)
- 0.7% (.DLL) Win32 Dynamic Link Library (generic)
- 0.5% (.EXE) Win32 Executable (generic)
- 0.2% (.EXE) Generic Win/DOS Executable
Hybrid Analysis
Analysed 9 processes in total (System Resource Monitor).
- Input Sample (PID: 2992)
- cmd.exe /C "dism /online /get-drivers > dism_getdrivers.log 2> dism_getdrivers_stderr.log" (PID: 2872)
- Dism.exe dism /online /get-drivers (PID: 2888)
- DismHost.exe {CF7C32B6-9BDD-446D-B9CA-87CBB2DF6859} (PID: 2964)
- DismHost.exe {7E3BF719-6E5A-42C0-87F2-59912874E49E} (PID: 3216)
- cmd.exe /C "cd %TEMP%\nse4007.tmp&&PnPUtil -i -a SlideDriver_USB_Driver_32_Bit.inf > SlideDriver_USB_Driver.log 2> SlideDriver_USB_Driver_stderr.log" (PID: 3176)
- PnPutil.exe PnPUtil -i -a SlideDriver_USB_Driver_32_Bit.inf (PID: 3188)
- vcredist_x86.exe /q (PID: 1648)
- Setup.exe /q (PID: 3724)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
http://nsis.sf.net/nsis_error | Domain/IP reference | 9292-64-00403086 |
Extracted Strings
Extracted Files
Displaying 26 extracted file(s). The remaining 56 file(s) are available in the full version and XML/JSON reports.
Malicious 2
Uninstall-SlideDriver_redist_x86.exe
- Size
- 145KiB (148916 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- AV Scan Result
- Labeled as "W32.eHeur" (1/57)
- Runtime Process
- b01a4f404d45f47cd3692842c18c97955fc3bbab4d4a90a97010261dc928f1ef.exe (PID: 2992)
- MD5
- 38ed9a1fb4b1c5c50580f113248e6af2
- SHA1
- b87fb48d8eae3b974e3e36cce4a006efafe833d9
- SHA256
- 6436e158761f936f90b0b47fe437a93041ff343449da3d1f8621285fac75cb0c
System.dll
- Size
- 11KiB (11264 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "Unsafe" (1/65)
- Runtime Process
- b01a4f404d45f47cd3692842c18c97955fc3bbab4d4a90a97010261dc928f1ef.exe (PID: 2992)
- MD5
- c17103ae9072a06da581dec998343fc1
- SHA1
- b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
- SHA256
- dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
Clean 15
MarzhauserTango.dll
- Size
- 587KiB (600576 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/55
- Runtime Process
- b01a4f404d45f47cd3692842c18c97955fc3bbab4d4a90a97010261dc928f1ef.exe (PID: 2992)
- MD5
- 522595bb797665b55a52927979367934
- SHA1
- a94348ab95ce035f27e089d03c00686e2a0bed51
- SHA256
- 9b10a40c0987b395f10fa2d0855e24309370d5d8f31adb78c21429a757de2463
SlideDriver_32_Bit_DLL.dll
- Size
- 104KiB (106648 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/57
- Runtime Process
- b01a4f404d45f47cd3692842c18c97955fc3bbab4d4a90a97010261dc928f1ef.exe (PID: 2992)
- MD5
- afca258b8c704537a05e6fc936417349
- SHA1
- 8b1a787ac5c0612052c2d7ac1281675f6b03bb97
- SHA256
- c6e97645d61d0f24805e7f3d662d77e083483eb77a6ddb8a02e0c7bcaf2b9af0
vcredist_x86.exe
- Size
- 4.8MiB (4995416 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/87
- Runtime Process
- b01a4f404d45f47cd3692842c18c97955fc3bbab4d4a90a97010261dc928f1ef.exe (PID: 2992)
- MD5
- cede02d7af62449a2c38c49abecc0cd3
- SHA1
- b84b83a8a6741a17bfb5f3578b983c1de512589d
- SHA256
- 66b797b3b4f99488f53c2b676610dfe9868984c779536891a8d8f73ee214bc4b
Banner.dll
- Size
- 4KiB (4096 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/65
- Runtime Process
- b01a4f404d45f47cd3692842c18c97955fc3bbab4d4a90a97010261dc928f1ef.exe (PID: 2992)
- MD5
- 0116a50101c4107a138a588d1e46fca5
- SHA1
- b781dce23e828cf2b97306661c7dad250a6aaf77
- SHA256
- ab80cf45070d936f0745f5e39b22e6e07ba90aa179b5ec4469ef6e2cb1b9ef6b
LockedList.dll
- Size
- 16KiB (15872 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
- AV Scan Result
- 0/55
- Runtime Process
- b01a4f404d45f47cd3692842c18c97955fc3bbab4d4a90a97010261dc928f1ef.exe (PID: 2992)
- MD5
- f5f9ceb68b59285d9464964d674c55df
- SHA1
- 2c230ae1d12660c6582fbbb3054e154d6fd7850e
- SHA256
- 52fc2f7d8ed86ce1ae178ffb381a44df9853c012511da8be5cf2a9153fa66954
SlideDriver_USB_Driver_32_Bit.inf
- Size
- 1.8KiB (1894 bytes)
- Type
- text
- Description
- Windows setup INFormation, ISO-8859 text, with CRLF line terminators
- AV Scan Result
- 0/55
- Runtime Process
- b01a4f404d45f47cd3692842c18c97955fc3bbab4d4a90a97010261dc928f1ef.exe (PID: 2992)
- MD5
- d23e4aeb6e41484772dcd2379d6fc251
- SHA1
- 0258061836d6455fc522c65f110eec573199ad80
- SHA256
- bfee48b5278a61dd230e1566cb6cde64d55bb537d3f4f9c1005ca34067265848
UserInfo.dll
- Size
- 4KiB (4096 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/83
- Runtime Process
- b01a4f404d45f47cd3692842c18c97955fc3bbab4d4a90a97010261dc928f1ef.exe (PID: 2992)
- MD5
- 7579ade7ae1747a31960a228ce02e666
- SHA1
- 8ec8571a296737e819dcf86353a43fcf8ec63351
- SHA256
- 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
nsDialogs.dll
- Size
- 9.5KiB (9728 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/65
- Runtime Process
- b01a4f404d45f47cd3692842c18c97955fc3bbab4d4a90a97010261dc928f1ef.exe (PID: 2992)
- MD5
- c10e04dd4ad4277d5adc951bb331c777
- SHA1
- b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
- SHA256
- e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
slidedriver_usb_driver_32_bit.cat
- Size
- 9.7KiB (9925 bytes)
- Type
- data
- AV Scan Result
- 0/54
- Runtime Process
- b01a4f404d45f47cd3692842c18c97955fc3bbab4d4a90a97010261dc928f1ef.exe (PID: 2992)
- MD5
- a2a1592ce03c6761b7b81217337d549c
- SHA1
- ff0e0cec6d14c3d9f202dfb1be969054538d7f8a
- SHA256
- d3d2cb1c0f9dcdd398e657ba32ba8507a23ff6084b69ea84c11cc5ffcafda9d7
SetupResources.dll
- Size
- 13KiB (13656 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/89
- Runtime Process
- vcredist_x86.exe (PID: 1648)
- MD5
- e4131092f32928a45757622c6b43b906
- SHA1
- ac6a465ae3efe8ca55115b0f49fd5cc0f76c1343
- SHA256
- fd66a26672e981987d92549f966e9095988d49fa5025c38cb90cfb9bcff52268
Setup.exe
- Size
- 76KiB (78152 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/63
- Runtime Process
- Setup.exe (PID: 3724)
- MD5
- 9a1141fbceeb2e196ae1ba115fd4bee6
- SHA1
- 922eacb654f091bc609f1b7f484292468d046bd1
- SHA256
- 28563d908450eb7b7e9ed07a934e0d68135b5bb48e866e0a1c913bd776a44fef
SetupEngine.dll
- Size
- 789KiB (808280 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/63
- Runtime Process
- Setup.exe (PID: 3724)
- MD5
- a030c6b93740cbaa232ffaa08ccd3396
- SHA1
- 6f7236a30308fbf02d88e228f0b5b5ec7f61d3eb
- SHA256
- 0507720d52ae856bbf5ff3f01172a390b6c19517cb95514cd53f4a59859e8d63
SetupUi.dll
- Size
- 288KiB (295248 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/65
- Runtime Process
- vcredist_x86.exe (PID: 1648)
- MD5
- c744ec120e54027c57318c4720b4d6be
- SHA1
- ab65fc4e68ad553520af049129fae4f88c7eff74
- SHA256
- d1610b0a94a4dadc85ee32a7e5ffd6533ea42347d6f2d6871beb03157b89a857
sqmapi.dll
- Size
- 141KiB (144416 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/64
- Runtime Process
- Setup.exe (PID: 3724)
- MD5
- 3f0363b40376047eff6a9b97d633b750
- SHA1
- 4eaf6650eca5ce931ee771181b04263c536a948b
- SHA256
- bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c
vc_red.msi
- Size
- 160KiB (163840 bytes)
- Type
- data
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2010 x86 Redistributable, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219., Template: Intel;0, Revision Number: {461C455E-DA40-49B3-871B-14308CC7CEFF}, Create Time/Date: Sun Feb 20 07:03:10 2011, Last Saved Time/Date: Sun Feb 20 07:03:10 2011, Number of Pages: 200, Name of Creating Application: Windows Installer XML (3.5.0626.3), Security: 2, Number of Words: 2
- AV Scan Result
- 0/58
- Runtime Process
- Setup.exe (PID: 3724)
- MD5
- 3ff9acea77afc124be8454269bb7143f
- SHA1
- 8dd6ecab8576245cd6c8617c24e019325a3b2bdc
- SHA256
- 9ecf3980b29c6aa20067f9f45c64b45ad310a3d83606cd9667895ad35f106e66
Informative Selection 2
SlideDriver_USB_Driver.log
- Size
- 294B (294 bytes)
- Type
- text
- Description
- ASCII text, with CRLF, LF line terminators
- Runtime Process
- b01a4f404d45f47cd3692842c18c97955fc3bbab4d4a90a97010261dc928f1ef.exe (PID: 2992)
- MD5
- 42a5ae321747d1acaa444338a254a68e
- SHA1
- 50ba5c1837c36ae1bed814ef1522d2ff398525b7
- SHA256
- 2090cd3dc4ec2dc8941847d9cf844d56269e1d074f91b2faa92ff3252327638b
dism_getdrivers.log
- Size
- 309B (309 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- cmd.exe (PID: 2872)
- MD5
- bc24c04bb75c236f5d9c73e5aa8191f4
- SHA1
- 17d16b33e78b35961b0ef9ae65cf07faab515887
- SHA256
- 455127e4cb7e983fa9590aea473a4d530272ba65171422ad9e75825d1144d474
Informative 7
HFIE2D5.tmp.html
- Size
- 2B (2 bytes)
- Runtime Process
- Setup.exe (PID: 3724)
- MD5
- f3b25701fe362ec84616a93a45ce9998
- SHA1
- d62636d8caec13f04e28442a0a6fa1afeb024bbb
- SHA256
- b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
HFIE5EF.tmp.html
- Size
- 7KiB (7210 bytes)
- Runtime Process
- Setup.exe (PID: 3724)
- MD5
- 401862b04a302e2ae413054b7cef4ffd
- SHA1
- c1060baa90aebee7a5ff89f818c766767d25deda
- SHA256
- 65d984dce8e4ac091494a6f1a40d1a22cc520e58443344754386ae8f5791d826
Microsoft Visual C++ 2010 x86 Redistributable Setup_20170922_161226557.html
- Size
- 73KiB (74824 bytes)
- Runtime Process
- Setup.exe (PID: 3724)
- MD5
- 12b07b99c6c3304b3c15afede355aad3
- SHA1
- 27de73ed4a2e9cb159654ca8576e4f721e2f3e7e
- SHA256
- a346656cdbdc07a39848b11dc86608fca1d8bd1dd02c63e0176fa36bcad9d823
Setup_20170922_161225976.html
- Size
- 29KiB (29342 bytes)
- Runtime Process
- Setup.exe (PID: 3724)
- MD5
- 7f9e89c6c62966c285a24df9fec91d97
- SHA1
- 28e1c4bf52ade7ca7d7adb5ff498d2543180cd31
- SHA256
- a568437e4109fdd3f07a2c723057879c6165e954d6ce700aa98a59592a8bb832
modern-header.bmp
- Size
- 33KiB (34256 bytes)
- Runtime Process
- b01a4f404d45f47cd3692842c18c97955fc3bbab4d4a90a97010261dc928f1ef.exe (PID: 2992)
- MD5
- a69d2d9464e9d02318837a8274882d92
- SHA1
- 1813be4f5486b5527ce03579f503319a4226f3f7
- SHA256
- 313a70b9a423ecb729f9a238879287baa353a320e79ec9a8519983f1cefa198a
modern-wizard.bmp
- Size
- 201KiB (206040 bytes)
- Runtime Process
- b01a4f404d45f47cd3692842c18c97955fc3bbab4d4a90a97010261dc928f1ef.exe (PID: 2992)
- MD5
- 39786117853cdb2df678d84994254413
- SHA1
- 924124ed843b9f9653b27e93d1c37a6ceb1b5e24
- SHA256
- 81c709484429d816de9cc8ac727f1782ba8010aacdbb924d438f28533316b681
dism.log
- Size
- 1MiB (1091562 bytes)
- Runtime Process
- Dism.exe (PID: 2888)
- MD5
- 2a4bdc25c147b890336019be0a78b8ed
- SHA1
- 59725453a6ba00546f0f2682ae5b6f73fb717f60
- SHA256
- fb3a9074c02f7241e77b75ca21700b821a5df4f1817fbd4d4c5f364755e2b59c
Notifications
Runtime
- A process crash was detected during the runtime analysis
- Not all file accesses are visible for Dism.exe (PID: 2888)
- Not all file accesses are visible for PnPutil.exe (PID: 3188)
- Not all file accesses are visible for cmd.exe (PID: 2872)
- Not all file accesses are visible for cmd.exe (PID: 3176)
- Not all sources for signature ID "api-4" are available in the report
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "binary-0" are available in the report
- Not all sources for signature ID "binary-1" are available in the report
- Not all sources for signature ID "binary-16" are available in the report
- Not all sources for signature ID "registry-1" are available in the report
- Not all sources for signature ID "registry-17" are available in the report
- Not all sources for signature ID "registry-18" are available in the report
- Not all sources for signature ID "registry-19" are available in the report
- Not all sources for signature ID "static-6" are available in the report
- Not all sources for signature ID "string-43" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)