Xshell-5.0.1333p.exe
This report is generated from a file or URL submitted to this webservice on October 18th 2017 16:11:32 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v7.00 © Hybrid Analysis

Incident Response

Risk Assessment
- Persistence: Modifies auto-execute functionality by setting/creating a value in the registry; Writes data to a remote process
- Fingerprint: Reads the active computer name; Reads the cryptographic machine GUID
- Evasive: References security related windows services
- Spreading: Opens the MountPointManager (often used to detect additional infection locations)
- Network Behavior: Contacts 1 host

Indicators
Not all malicious and suspicious indicators are displayed.

Malicious Indicators (7)

External Systems

Sample was identified as malicious by at least one Antivirus engine
- details: 1/62 Antivirus vendors marked sample as malicious (1% detection rate)
- source: External System
- relevance: 8/10

General

The analysis extracted a file that was identified as malicious
- details: 1/65 Antivirus vendors marked dropped file "vcredist_x86.exe" as malicious (classified as "Static engine" with 1% detection rate)
- source: Binary File
- relevance: 10/10

Installation/Persistence

Scans for the windows taskbar (often used for explorer injection)
- details: "<Input Sample>" searching for class "Shell_TrayWnd"
- source: API Call
- relevance: 5/10

Writes data to a remote process
- details:
"<Input Sample>" wrote 1500 bytes to a remote process "%TEMP%\{EE9C990F-31D5-4F3E-BD1C-BE3D8939636B}\{C28568CE-F1A4-4922-9A40-C36E6FCBCE5E}\vcredist_x86.exe" (Handle: 444)
"<Input Sample>" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\{EE9C990F-31D5-4F3E-BD1C-BE3D8939636B}\{C28568CE-F1A4-4922-9A40-C36E6FCBCE5E}\vcredist_x86.exe" (Handle: 444)
"<Input Sample>" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\{EE9C990F-31D5-4F3E-BD1C-BE3D8939636B}\{C28568CE-F1A4-4922-9A40-C36E6FCBCE5E}\vcredist_x86.exe" (Handle: 444)
"<Input Sample>" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\{EE9C990F-31D5-4F3E-BD1C-BE3D8939636B}\{C28568CE-F1A4-4922-9A40-C36E6FCBCE5E}\vcredist_x86.exe" (Handle: 444)
"vcredist_x86.exe" wrote 1500 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\{EE9C990F-31D5-4F3E-BD1C-BE3D8939636B}\{C28568CE-F1A4-4922-9A40-C36E6FCBCE5E}\vcredist_x86.exe" (Handle: 172)
"vcredist_x86.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\{EE9C990F-31D5-4F3E-BD1C-BE3D8939636B}\{C28568CE-F1A4-4922-9A40-C36E6FCBCE5E}\vcredist_x86.exe" (Handle: 172)
"vcredist_x86.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\{EE9C990F-31D5-4F3E-BD1C-BE3D8939636B}\{C28568CE-F1A4-4922-9A40-C36E6FCBCE5E}\vcredist_x86.exe" (Handle: 172)
"vcredist_x86.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\{EE9C990F-31D5-4F3E-BD1C-BE3D8939636B}\{C28568CE-F1A4-4922-9A40-C36E6FCBCE5E}\vcredist_x86.exe" (Handle: 172)
- source: API Call
- relevance: 6/10

Network Related

Malicious artifacts seen in the context of a contacted host
- details:
Found malicious artifacts related to "173.223.106.200" (ASN: , Owner: ): ...
- source: Network Traffic
- relevance: 10/10

System Security

References security related windows services
- details: "wuauserv" (Indicator: "wuauserv")
- source: File/Memory
- relevance: 7/10

Unusual Characteristics

Checks for a resource fork (ADS) file
- details: "vcredist_x86.exe" checked file "C:"
- source: API Call
- relevance: 5/10

Suspicious Indicators (29)

Anti-Detection/Stealthiness

Contains ability to open/control a service
- details: OpenServiceW@ADVAPI32.dll
- source: Hybrid Analysis Technology
- relevance: 8/10

Anti-Reverse Engineering

PE file has unusual entropy sections
- details:
".text" section with unusual entropy 7.97651654189
".text" section with unusual entropy 7.97984250151
- source: Static Parser
- relevance: 10/10

Cryptographic Related

Found a cryptographic related string
- details: "DES" (Indicator: "des"; File: "_isres_0x0409.dll.1537845175")
- source: File/Memory
- relevance: 10/10

Environment Awareness

Possibly tries to implement anti-virtualization techniques
- details:
"_GetVirtualMachineType" (Indicator: "virtualmachine")
"_IsVirtualMachine" (Indicator: "virtualmachine")
"t3+Ht3RQEMUv8uuVRQPQEMd" (Indicator: "qemu")
- source: File/Memory
- relevance: 4/10

Reads the cryptographic machine GUID
- details:
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10

General

Contains ability to find and load resources of a specific module
- details:
FindResourceExA@KERNEL32.dll
FindResourceW@KERNEL32.dll (2 occurrences)
- source: Hybrid Analysis Technology
- relevance: 1/10

Opened the service control manager
- details:
"vcredist_x86.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
"vcredist_x86.exe" called "OpenSCManager" requesting access rights "0XE0000000L"
- source: API Call
- relevance: 10/10

Requested access to a system service
- details:
"vcredist_x86.exe" called "OpenService" to access the "CryptSvc" service
"vcredist_x86.exe" called "OpenService" to access the "cryptsvc" service
"vcredist_x86.exe" called "OpenService" to access the "" service
"vcredist_x86.exe" called "OpenService" to access the "VSS" service
"vcredist_x86.exe" called "OpenService" to access the "ServicesActive" service requesting "SERVICE_QUERY_STATUS" (0X4) access rights
"vcredist_x86.exe" called "OpenService" to access the "gpsvc" service
"vcredist_x86.exe" called "OpenService" to access the "WinHttpAutoProxySvc" service
- source: API Call
- relevance: 10/10

Sent a control code to a service
- details:
"vcredist_x86.exe" called "ControlService" and sent control code "0X400" to the service "CryptSvc"
"vcredist_x86.exe" called "ControlService" and sent control code "0X24" to the service "cryptsvc"
"vcredist_x86.exe" called "ControlService" and sent control code "0X24" to the service "gpsvc"
"vcredist_x86.exe" called "ControlService" and sent control code "0XFC" to the service "gpsvc"
- source: API Call
- relevance: 10/10

Installation/Persistence

Drops executable files
- details:
"ISRT.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows PECompact2 compressed"
"_isuser_0x0409.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"vcredist_x86.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"_isres_0x0409.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"ISSetup.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows PECompact2 compressed"
"setup.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"wixstdba.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source: Binary File
- relevance: 10/10

Modifies auto-execute functionality by setting/creating a value in the registry
- details:
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE"; Key: " ISSETUPPREREQUISISTES"; Value: ""C:\df384c96277b3d03bbad47c0e0fc5a87a05cc1242f26374b56a742a6844d623a.exe"")
"vcredist_x86.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE")
"vcredist_x86.exe" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE"; Key: "{95716CCE-FC71-413F-8AD5-56C2892D4B3A}"; Value: ""%ALLUSERSPROFILE%\Package Cache\{95716cce-fc71-413f-8ad5-56c2892d4b3a}\vcredist_x86.exe" /burn.log.append "%USERPROFILE%\AppData\")
- source: Registry Access
- relevance: 8/10

Network Related

Found potential IP address in binary/memory
- details:
"4.05.0.0"
"2.9.0.0"
"2.5.4.3"
"2.5.4.11"
"2.5.4.10"
- source: File/Memory
- relevance: 3/10

Pattern Matching

Contains ability to download files from the internet
- details: InternetReadFile@WININET.dll
- source: Hybrid Analysis Technology
- relevance: 10/10

Spyware/Information Retrieval

Contains ability to enumerate processes/modules/threads
- details: CreateToolhelp32Snapshot@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 5/10

System Security

Modifies Software Policy Settings
- details:
"vcredist_x86.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"vcredist_x86.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"vcredist_x86.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"vcredist_x86.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"vcredist_x86.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"vcredist_x86.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"vcredist_x86.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"vcredist_x86.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"vcredist_x86.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"vcredist_x86.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"vcredist_x86.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"vcredist_x86.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"vcredist_x86.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"vcredist_x86.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"vcredist_x86.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"vcredist_x86.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"vcredist_x86.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
"vcredist_x86.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
"vcredist_x86.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
"vcredist_x86.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
- source: Registry Access
- relevance: 10/10

Unusual Characteristics

CRC value set in PE header does not match actual value
- details:
"_isuser_0x0409.dll" claimed CRC 0 while the actual is CRC 299242
"vcredist_x86.exe" claimed CRC 467829 while the actual is CRC 246009
"ISSetup.dll" claimed CRC 623536 while the actual is CRC 564932
"setup.exe" claimed CRC 1193593 while the actual is CRC 2822721
"wixstdba.dll" claimed CRC 142125 while the actual is CRC 1231895
"vcredist_x86.exe" claimed CRC 6602008 while the actual is CRC 142125
- source: Static Parser
- relevance: 10/10

Entrypoint in PE header is within an uncommon section
- details:
"ISRT.dll" has an entrypoint in section ".rsrc"
"ISSetup.dll" has an entrypoint in section ".rsrc"
- source: Static Parser
- relevance: 10/10

Imports suspicious APIs
- details:
GetModuleFileNameExW
GetProcAddress
VirtualAlloc
LoadLibraryA
RegCreateKeyExW
RegCloseKey
RegDeleteKeyW
SetSecurityDescriptorDacl
OpenProcessToken
RegOpenKeyExW
GetUserNameW
RegEnumKeyExW
RegDeleteValueW
GetFileAttributesW
GetTempPathW
ConnectNamedPipe
CopyFileW
GetModuleFileNameW
IsDebuggerPresent
GetModuleFileNameA
UnhandledExceptionFilter
CreateThread
TerminateProcess
LoadLibraryW
GetVersionExW
GetTickCount
GetStartupInfoA
OpenProcess
GetStartupInfoW
CreateDirectoryW
DeleteFileW
GetTempFileNameW
GetComputerNameW
GetFileSizeEx
FindNextFileW
FindFirstFileW
CreateFileW
CreateFileA
CreateFileMappingW
GetCommandLineW
CopyFileExW
MapViewOfFile
GetModuleHandleA
GetModuleHandleW
WriteFile
CreateProcessW
Sleep
ShellExecuteExW
HttpQueryInfoW
InternetConnectW
InternetCrackUrlW
InternetCloseHandle
HttpSendRequestW
InternetReadFile
InternetOpenW
GetVersionExA
GetCommandLineA
OutputDebugStringA
RegCreateKeyW
RegEnumKeyW
RegOpenKeyW
GetDriveTypeW
LoadLibraryExW
GetThreadContext
FindResourceExW
CreateToolhelp32Snapshot
VirtualProtect
GetFileSize
WriteProcessMemory
VirtualProtectEx
FindResourceW
Process32NextW
LockResource
Process32FirstW
ShellExecuteW
FindWindowW
FindResourceExA
GetUpdateRect
- source: Static Parser
- relevance: 1/10

Installs hooks/patches the running process
- details:
"vcredist_x86.exe" wrote bytes "7739bc7779a8c077be72c077d62dc0771de2bb7705a2c077c868bf7757d1c677bee3bb77616fc0776841be770050be7700000000ad37a6768b2da676b641a67600000000" to virtual address "0x75751000" (part of module "WSHIP6.DLL")
"vcredist_x86.exe" wrote bytes "92e6bb7779a8c077be72c077d62dc0771de2bb7705a2c077bee3bb77616fc0776841be770050be7700000000ad37a6768b2da676b641a67600000000" to virtual address "0x75201000" (part of module "WSHTCPIP.DLL")
"vcredist_x86.exe" wrote bytes "4053be775858bf77186abf77653cc0770000000000bf5e760000000056cc5e76000000007cca5e76000000003768f3756a2cc077d62dc077000000002069f3750000000029a65e7600000000a48df37500000000f70e5e7600000000" to virtual address "0x76051000" (part of module "NSI.DLL")
"vcredist_x86.exe" wrote bytes "9498777651c17776efb27d76ee9c777675dc7976909777761099777600000000013d5f7638ed5f76cfcd5e7631235e76de2f5f76c4ca5e7680bb5e76aa6e5f769fbb5e76707f5d7692bb5e7646ba5e760abf5e7600000000" to virtual address "0x710A1000" (part of module "MSLS31.DLL")
- source: Hook Detection
- relevance: 10/10

Reads information about supported languages
- details:
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"<Input Sample>" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALENAME")
"vcredist_x86.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10

Hiding 9 Suspicious Indicators

Informative (23)

Anti-Reverse Engineering

Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details: SetUnhandledExceptionFilter@KERNEL32.dll (5 occurrences)
- source: Hybrid Analysis Technology
- relevance: 1/10
-
Environment Awareness
-
Contains ability to query machine time
- details
-
GetLocalTime@KERNEL32.dll (Show Stream)
GetLocalTime@KERNEL32.dll (Show Stream)
GetSystemTime@KERNEL32.dll (Show Stream)
GetSystemTimeAsFileTime@KERNEL32.dll (Show Stream) - source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the machine timezone
- details
-
GetTimeZoneInformation@KERNEL32.dll (Show Stream)
GetTimeZoneInformation@KERNEL32.dll (Show Stream) - source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the machine version
- details
-
GetVersionExA@KERNEL32.dll (Show Stream)
GetVersionExW@KERNEL32.dll (Show Stream)
GetVersionExW@KERNEL32.dll (Show Stream)
GetVersionExW@KERNEL32.dll (Show Stream)
GetVersionExW@KERNEL32.dll (Show Stream)
GetVersionExW@KERNEL32.dll (Show Stream)
GetVersion@KERNEL32.dll (Show Stream)
GetVersionExW@KERNEL32.dll (Show Stream)
GetVersionExW@KERNEL32.dll (Show Stream) - source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the system locale
- details
-
GetUserDefaultUILanguage@KERNEL32.dll (Show Stream)
GetUserDefaultLCID@KERNEL32.dll (Show Stream)
EnumSystemLocalesA@KERNEL32.dll (Show Stream)
EnumSystemLocalesA@KERNEL32.dll (Show Stream)
EnumSystemLocalesA@KERNEL32.dll (Show Stream)
GetUserDefaultLCID@KERNEL32.dll (Show Stream)
EnumSystemLocalesA@KERNEL32.dll (Show Stream)
EnumSystemLocalesA@KERNEL32.dll (Show Stream)
GetUserDefaultLCID@KERNEL32.dll (Show Stream)
EnumSystemLocalesA@KERNEL32.dll (Show Stream) - source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Makes a code branch decision directly after an API that is environment aware
- details
-
Found API call GetVersion@KERNEL32.dll (Target: "setup.exe.3164760437"; Stream UID: "30775-6306-00455A76") which is directly followed by "cmp eax, 80000000h" and "jbe 00455F4Ah". See related instructions:
  +1145 call esi ;GetVersion
  +1147 cmp eax, 80000000h
  +1152 jbe 00455F4Ah
Found API call GetVersionExW@KERNEL32.dll (Target: "setup.exe.3164760437"; Stream UID: "30775-7474-0044F9B1") which is directly followed by "cmp dword ptr [ebp-70h], 01h" and "jne 0044FA35h". See related instructions:
  +0 push ebp
  +1 lea ebp, dword ptr [esp-00000098h]
  +8 sub esp, 00000118h
  +14 mov eax, dword ptr [004DB020h]
  +19 xor eax, ebp
  +21 mov dword ptr [ebp+00000094h], eax
  +27 mov eax, dword ptr [ebp+000000A0h]
  +33 and dword ptr [eax], 00000000h
  +36 push esi
  +37 mov esi, dword ptr [ebp+000000A4h]
  +43 and dword ptr [esi], 00000000h
  +46 lea eax, dword ptr [ebp-80h]
  +49 push eax
  +50 mov dword ptr [ebp-80h], 00000114h
  +57 call dword ptr [004B00F8h] ;GetVersionExW
  +63 cmp dword ptr [ebp-70h], 01h
  +67 jne 0044FA35h
- source: Hybrid Analysis Technology
- relevance: 10/10

Reads the registry for installed applications
- details:
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\VCREDIST_X86.EXE")
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\VCREDIST_X86.EXE")
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{95716CCE-FC71-413F-8AD5-56C2892D4B3A}")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADDRESSBOOK")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE FLASH PLAYER NPAPI")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE FLASH PLAYER NPAPI"; Key: "DISPLAYNAME"; Value: "000000000100000038000000410064006F0062006500200046006C00610073006800200050006C00610079006500720020003200340020004E0050004100500049000000")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE FLASH PLAYER NPAPI"; Key: "DISPLAYVERSION"; Value: "000000000100000016000000320034002E0030002E0030002E003200320031000000")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE FLASH PLAYER NPAPI"; Key: "DISPLAYICON"; Value: "00000000010000008A00000043003A005C00570069006E0064006F00770073005C00730079007300740065006D00330032005C004D006100630072006F006D00650064005C0046006C006100730068005C0046006C006100730068005500740069006C00330032005F00320034005F0030005F0030005F003200320031005F0050006C007500670069006E002E006500780065000000")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE FLASH PLAYER NPAPI"; Key: "UNINSTALLSTRING"; Value: "0000000001000000AC00000043003A005C00570069006E0064006F00770073005C00730079007300740065006D00330032005C004D006100630072006F006D00650064005C0046006C006100730068005C0046006C006100730068005500740069006C00330032005F00320034005F0030005F0030005F003200320031005F0050006C007500670069006E002E0065007800650020002D006D00610069006E007400610069006E00200070006C007500670069006E000000")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\AUTOITV3")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\AUTOITV3"; Key: "DISPLAYNAME"; Value: "0000000001000000220000004100750074006F00490074002000760033002E0033002E00310032002E0030000000")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\AUTOITV3"; Key: "DISPLAYVERSION"; Value: "00000000010000001200000033002E0033002E00310032002E0030000000")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\AUTOITV3"; Key: "DISPLAYICON"; Value: "00000000010000004E00000043003A005C00500072006F006700720061006D002000460069006C00650073005C004100750074006F004900740033005C004100750074006F004900740033002E006500780065002C0030000000")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\AUTOITV3"; Key: "UNINSTALLSTRING"; Value: "00000000010000004E00000043003A005C00500072006F006700720061006D002000460069006C00650073005C004100750074006F004900740033005C0055006E0069006E007300740061006C006C002E006500780065000000")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CONNECTION MANAGER")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DIRECTDRAWEX")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DXM_RUNTIME")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FONTCORE")
- source: Registry Access
- relevance: 10/10

General

Accesses Software Policy Settings
- details:
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "")
- source: Registry Access
- relevance: 10/10

Accesses System Certificates Settings
- details:
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "BLOB")
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA"; Key: "BLOB")
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\109F1CAED645BB78B3EA2B94C0697C740733031C"; Key: "BLOB")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\D559A586669B08F46A30A133F8A9ED3D038E2EA8"; Key: "BLOB")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FEE449EE0E3965A5246F000E87FDE2A065FD89D4"; Key: "BLOB")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS\A377D1B1C0538833035211F4083D00FECC414DAB"; Key: "BLOB")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
- source: Registry Access
- relevance: 10/10

Contacts server
- details: "173.223.106.200:80"
- source: Network Traffic
- relevance: 1/10

Contains PDB pathways
- details:
"C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup___Win32_Release_Prerequisites_Unicode\setupPreReq.pdb"
"E:\delivery\Dev\wix36_dev11\build\ship\x86\wixstdba.pdb"
"C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup___Win32_Release_Unicode\setup.pdb"
"E:\delivery\Dev\wix36_dev11\build\ship\x86\x86\burn.pdb"
- source: File/Memory
- relevance: 1/10
-
Creates a writable file in a temporary directory
- details
-
"<Input Sample>" created file "%TEMP%\_MSI5166._IS"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{EE9C990F-31D5-4F3E-BD1C-BE3D8939636B}\Setup.INI"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{EE9C990F-31D5-4F3E-BD1C-BE3D8939636B}\_ISMSIDEL.INI"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{EE9C990F-31D5-4F3E-BD1C-BE3D8939636B}\0x0404.ini"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{EE9C990F-31D5-4F3E-BD1C-BE3D8939636B}\0x0407.ini"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{EE9C990F-31D5-4F3E-BD1C-BE3D8939636B}\0x0409.ini"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{EE9C990F-31D5-4F3E-BD1C-BE3D8939636B}\0x040a.ini"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{EE9C990F-31D5-4F3E-BD1C-BE3D8939636B}\0x040c.ini"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{EE9C990F-31D5-4F3E-BD1C-BE3D8939636B}\0x0411.ini"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{EE9C990F-31D5-4F3E-BD1C-BE3D8939636B}\0x0412.ini"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{EE9C990F-31D5-4F3E-BD1C-BE3D8939636B}\0x0804.ini"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\~4D0C.tmp" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Global\WindowsUpdateTracingMutex"
"\Sessions\1\BaseNamedObjects\Global\MSILOG_cdf7d5b01d34866gol.68x_muminiMemitnuRcv_0_02216181017102_68x_tsidercv_dd_pmeT_lacoL_ataDppA_rsCatAq_sresU_:C"
"\Sessions\1\BaseNamedObjects\Global\MSILOG_cf543c701d34866gol.68x_lanoitiddAemitnuRcv_1_02216181017102_68x_tsidercv_dd_pmeT_lacoL_ataDppA_rsCatAq_sresU_:C"
"Global\_MSIExecute"
"Global\MSILOG_cdf7d5b01d34866gol.68x_muminiMemitnuRcv_0_02216181017102_68x_tsidercv_dd_pmeT_lacoL_ataDppA_rsCatAq_sresU_:C"
"Global\MSILOG_cf543c701d34866gol.68x_lanoitiddAemitnuRcv_1_02216181017102_68x_tsidercv_dd_pmeT_lacoL_ataDppA_rsCatAq_sresU_:C"
"Global\WindowsUpdateTracingMutex"
"\Sessions\1\BaseNamedObjects\Global\_MSIExecute" - source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
-
Antivirus vendors marked dropped file "ISRT.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows PECompact2 compressed")
Antivirus vendors marked dropped file "_isuser_0x0409.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "vcredist_x86.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "_isres_0x0409.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "ISSetup.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows PECompact2 compressed")
Antivirus vendors marked dropped file "setup.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "wixstdba.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- source
- Binary File
- relevance
- 10/10
-
Loads rich edit control libraries
- details
- "vcredist_x86.exe" loaded module "%WINDIR%\System32\riched20.dll" at 6AFD0000
- source
- Loaded Module
-
Reads Windows Trust Settings
- details
- "vcredist_x86.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source
- Registry Access
- relevance
- 5/10
-
Scanning for window names
- details
- "<Input Sample>" searching for class "Shell_TrayWnd"
- source
- API Call
- relevance
- 10/10
-
Spawns new processes
- details
-
Spawned process "vcredist_x86.exe" with commandline "/q"
Spawned process "vcredist_x86.exe" with commandline "/q -burn.unelevated BurnPipe.{0109279B-CE60-4355-8EF4-7273ABD16437} {9C6B0ACA-E3F1-4F34-83B7-CAFC1DFAC380} 3004" - source
- Monitored Target
- relevance
- 3/10
-
Installation/Persistance
-
Contains ability to lookup the windows account name
- details
- GetUserNameW@ADVAPI32.dll
- source
- Hybrid Analysis Technology
- relevance
- 5/10
-
Dropped files
- details
-
"Xshell 5.msi" has type "Composite Document File V2 Document Can't read SAT"
"setup.inx" has type "data"
"ISRT.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows PECompact2 compressed"
"_isuser_0x0409.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"vcredist_x86.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"_isres_0x0409.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"1033.MST" has type "Composite Document File V2 Document Little Endian O%WINDIR%\Version 6.2 Code page: 1252 Title: Installation Database Subject: Xshell 5 Author: NetSarang Computer Inc. Keywords: InstallerMSIDatabase Comments: Xshell is a secure shell client for Windows platform. Create Time/Date: Fri Oct 13 12:13:00 2017 Name of Creating Application: InstallShield 2013 - Premier Edition with Virtualization Pack 20 Security: 1 Template: Intel;010332052102810361031104110421034 Last Saved By: Intel;1033 Revision Number: {F3FDFD5A-A201-407B-887F-399484764ECA}5.0.1333;{F3FDFD5A-A201-407B-887F-399484764ECA}5.0.1333;{79FD553C-F36E-4A1A-84D9-AC4217FCC991} Number of Pages: 200 Number of Characters: 1"
"ISSetup.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows PECompact2 compressed"
"setup.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"wixstdba.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"splash.bmp" has type "PC bitmap Windows 3.x format 570 x 321 x 24"
"cabB3E1576D1FEFBB979E13B1A5379E0B16" has type "Microsoft Cabinet archive data 5137688 bytes 16 files"
"0x0412.ini" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"_ISMSIDEL.INI" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"~4D35.tmp" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"cab54A5CABBE7274D8A22EB58060AAB7623" has type "Microsoft Cabinet archive data 805553 bytes 4 files"
"0x0804.ini" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"F90F18257CBB4D84216AC1E1F3BB2C76" has type "data"
"Setup.INI" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators" - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"<Input Sample>" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"<Input Sample>" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
"<Input Sample>" touched file "C:\Windows\Fonts\StaticCache.dat"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
"<Input Sample>" touched file "C:\Windows\System32\en-US\propsys.dll.mui"
"<Input Sample>" touched file "C:\Windows\System32\en-US\setupapi.dll.mui"
"<Input Sample>" touched file "C:\Windows\AppPatch\sysmain.sdb"
"<Input Sample>" touched file "C:\Windows\System32\rsaenh.dll"
"<Input Sample>" touched file "C:\Windows\System32\msimsg.dll"
"<Input Sample>" touched file "C:\Windows\System32\en-US\msimsg.dll.mui"
"<Input Sample>" touched file "C:\Windows\AppPatch\msimain.sdb"
"<Input Sample>" touched file "C:\Windows\System32\sxs.dll"
"<Input Sample>" touched file "C:\Windows\System32\en-US\sxs.dll.mui" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Heuristic match: "254)2$.Lt"
Heuristic match: "PB?P&I.Ug"
Heuristic match: "}}tSp).rU"
Heuristic match: "BW[%hm.LI"
Heuristic match: "(3NE,6rD.pw"
Pattern match: "http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d"
Pattern match: "http://schemas.microsoft.com/office/word/2003/wordml}}\paperw12240\paperh15840\margl1440\margr1440\margt720\margb0\gutter0\ltrsect"
Heuristic match: "GET /ExtendedSSLSHA256CACross/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCCwQAAAAAASUHHfmv HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.globalsign.com"
Pattern match: "https://www.globalsign.com/repository/0"
Heuristic match: "GET /rootr3/ME8wTTBLMEkwRzAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCDkgbagepQkweqv7zzfEP HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com"
Heuristic match: "GET /root-r3.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.globalsign.com"
Heuristic match: "GET /gsextendcodesignsha2g3/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQ3DAV9N6WelMGCzSTdNIqjdmfHiAQU3CxYLCpvNS2feZWoSF3EbT5Tv7kCDCt0su0WPreQF9uFrw%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com"
Heuristic match: "GET /gsextendcodesignsha2g3.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.globalsign.com"
Pattern match: "http://schemas.microsoft.com/office/word/2"
Pattern match: "www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d"
Pattern match: "p.LM.LM.LDMx/L/L/LDM@x/LM/L/L/LM@/L8M0L0L$0LtK8M@0LMT0Ld0Lp0L/LM@T0LM0L0L0L1L|1L1LD2L2L2LL3L3L0KhK3L4L4L5L05LM@0LM@,1L"
Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0U%0"
Pattern match: "https://www.verisign.com/rpa"
Pattern match: "http://csc3-2010-crl.verisign.com/CSC3-2010.crl0DU"
Pattern match: "http://csc3-2010-aia.verisign.com/CSC3-2010.cer0U#0{&K&0`HB0"
Pattern match: "https://%V44&VlW&V8%toys::file"
Pattern match: "http://www.flexerasoftware.com0"
Heuristic match: "Y_^[]UjhKdP3EVWPEduuuejhhhDuEe}t3EFF:u3yAu+QR.Md"
Pattern match: "ESM.ESN.ESI.ESA/ESZ$/ESR@/ESUh/ESY/ESV/SVF/DESENG/ENU/ENUamericanamerican"
Pattern match: "www.netsarang.comP=FP[000:PUsales@netsarang.comX6OKP600000"
Pattern match: "www.netsarang.comP=F5uP[N:PUsales@netsarang.comX6nx[P6Sm"
Pattern match: "www.netsarang.co.krP2&"
Pattern match: "www.netsarang.comP=FP[N:PUsales@netsarang.comX6x[P6SmP1y"
Pattern match: "www.netsarang.comP=FP[N:PUsales@netsarang.comX6x[P6Sm"
Pattern match: "www.netsarang.comP=FE-Mail:PUsales@netsarang.comX6OKP6Abbrechen"
Pattern match: "www.netsarang.comP=FE-mail:PUsales@netsarang.comX6OKP6Cancel" - source
- File/Memory
- relevance
- 10/10
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
-
"ISRT.dll" was detected as "PeCompact 2.53 DLL --> BitSum Technologies"
"_isuser_0x0409.dll" was detected as "Microsoft visual C++ vx.x DLL"
"vcredist_x86.exe" was detected as "VC8 -> Microsoft Corporation"
"_isres_0x0409.dll" was detected as "Microsoft visual C++ v6.0 (Debug version)"
"ISSetup.dll" was detected as "PeCompact 2.53 DLL --> BitSum Technologies"
"setup.exe" was detected as "VC8 -> Microsoft Corporation"
"wixstdba.dll" was detected as "Visual C++ 2005 DLL -> Microsoft" - source
- Static Parser
- relevance
- 10/10
-
File Details
Xshell-5.0.1333p.exe
- Filename
- Xshell-5.0.1333p.exe
- Size
- 31MiB (33004040 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- df384c96277b3d03bbad47c0e0fc5a87a05cc1242f26374b56a742a6844d623a
- MD5
- d8b4f350300c78ca63e274f7122c218e
- SHA1
- b4b6b21b16375f2431553c0c14a97d253ee20a62
Classification (TrID)
- 83.4% (.EXE) InstallShield setup
- 8.7% (.EXE) Win32 Executable (generic)
- 3.8% (.EXE) Generic Win/DOS Executable
- 3.8% (.EXE) DOS Executable Generic
- 0.0% (.CEL) Autodesk FLIC Image File (extensions: flc, fli, cel)
Screenshots
Hybrid Analysis
Analysed 3 processes in total (System Resource Monitor).
- Input Sample (PID: 2752) 1/62
- vcredist_x86.exe /q (PID: 3004)
  - vcredist_x86.exe /q -burn.unelevated BurnPipe.{0109279B-CE60-4355-8EF4-7273ABD16437} {9C6B0ACA-E3F1-4F34-83B7-CAFC1DFAC380} 3004 (PID: 3104)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details
---|---|---|---
173.223.106.200 | 80 TCP | vcredist_x86.exe (PID: 3004) | United States
Contacted Countries
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Displaying 30 extracted file(s). The remaining 19 file(s) are available in the full version and XML/JSON reports.
-
Malicious 1
-
-
vcredist_x86.exe
- Size
- 5MiB (5238046 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "Static engine " (1/65)
- Runtime Process
- vcredist_x86.exe (PID: 3004)
- MD5
- 79af14ba64f009231a3a26c7e19689fc
- SHA1
- b2d28c241abc0f21ee778f71be00e89beebf2fac
- SHA256
- 8a6f89ec2ed34043ec071df3f2f6169c9d19d3cb85dc7f7ee325643536c660c8
-
-
Clean 6
-
-
wixstdba.dll
- Size
- 127KiB (129536 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/66
- Runtime Process
- vcredist_x86.exe (PID: 3104)
- MD5
- d7bf29763354eda154aad637017b5483
- SHA1
- dfa7d296bfeecde738ef4708aaabfebec6bc1e48
- SHA256
- 7f5f8fcfd84132579f07e395e65b44e1b031fe01a299bce0e3dd590131c5cb93
-
ISSetup.dll
- Size
- 2.7MiB (2820007 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
- AV Scan Result
- 0/66
- Runtime Process
- df384c96277b3d03bbad47c0e0fc5a87a05cc1242f26374b56a742a6844d623a.exe (PID: 2752)
- MD5
- e4e404927839c94a049e7e0daa140e19
- SHA1
- ff8f846d6c9e5a325df1e3cc6074a00ca4848932
- SHA256
- d9e0726b1acbc969107701622248ae4c0bcfcc6aeb23c2cde800d8ccb9c85481
-
ISRT.dll
- Size
- 280KiB (286536 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
- AV Scan Result
- 0/63
- MD5
- 8ac078212de9d00591c55e6f7b61aff0
- SHA1
- cc0b24116701f000f86d2eebdbba1430558ec43e
- SHA256
- 8181ff7960a3b4115576977aabb807b2b553bfbab392ac376b15a04e1af5d51c
-
_isuser_0x0409.dll
- Size
- 224KiB (229376 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/66
- MD5
- b75cafac90c7587d805fc15b92f226ce
- SHA1
- b86d01013f0d948b21eca4227fb73d2a32911e4d
- SHA256
- 0e3241c54fb33698e0a428b5b1aca179554e0f2674401f2431226207b84cca52
-
_isres_0x0409.dll
- Size
- 540KiB (553067 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/62
- MD5
- db5f5a17b90053e32310a89d214cedbe
- SHA1
- b61afcb8b02f58426ddfc2958be3fc015106f10b
- SHA256
- f49d1b4055660bf83ee9d8bbc2811bd2bdd0a034cc88db748cbe72ce72203ab4
-
setup.exe
- Size
- 1.1MiB (1193984 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/65
- MD5
- cb5c303cf2ccdb82effb6d77bd1578e0
- SHA1
- b8e63364976a94f326996cd8b9db73fe27e24b8f
- SHA256
- c0f5f3d04dc8885bb12a6945d1a44207f6cc226f6f3b895d3ee958da39f3683e
-
-
Informative Selection 2
-
-
Setup.INI
- Size
- 5.5KiB (5644 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- df384c96277b3d03bbad47c0e0fc5a87a05cc1242f26374b56a742a6844d623a.exe (PID: 2752)
- MD5
- ccf5e1b103dab5828a89dd471c3d849e
- SHA1
- 4cc52956dea67d9aa9f673d312100f717498e8c3
- SHA256
- 7b41f42cf42dcc16e1a8db7d1e7e9ebf36f121a448dbc7703c0c92e3e45e5672
-
~4D0C.tmp
- Size
- 5.5KiB (5644 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- df384c96277b3d03bbad47c0e0fc5a87a05cc1242f26374b56a742a6844d623a.exe (PID: 2752)
- MD5
- ccf5e1b103dab5828a89dd471c3d849e
- SHA1
- 4cc52956dea67d9aa9f673d312100f717498e8c3
- SHA256
- 7b41f42cf42dcc16e1a8db7d1e7e9ebf36f121a448dbc7703c0c92e3e45e5672
-
-
Informative 21
-
-
state.rsm
- Size
- 848B (848 bytes)
- Runtime Process
- vcredist_x86.exe (PID: 3004)
- MD5
- 77c8ca6c819aea174aca1ea6edd09623
- SHA1
- 0efbb7c11f74ad5a0d1752acfe7fe9c8a0ba5322
- SHA256
- cfefbd51eb550c1aa92a380ff53207e5786d00c5cdbb5c9191b706529f84357f
-
696F3DE637E6DE85B458996D49D759AD
- Size
- 813B (813 bytes)
- Runtime Process
- vcredist_x86.exe (PID: 3004)
- MD5
- 999aeeda45a598c0e538ab5df796b0cd
- SHA1
- 7d6f9191b2e8ab6878ed7bd5dae9a7733b5b9560
- SHA256
- 13837d4c051ed2f477d23ed24c1cdb7f33a11615bb29efd1dfe86ac45fe35d4f
-
7396C420A8E1BC1DA97F1AF0D10BAD21
- Size
- 554B (554 bytes)
- Runtime Process
- vcredist_x86.exe (PID: 3004)
- MD5
- c2b4eac1432a1d396aae70fc9e7d23d6
- SHA1
- 36c8b2ee8ba0c078d9b8fc6f4fa87f978fba60c6
- SHA256
- eb2e3a44250f941c9300eccb0f16f61afc57c2f08ea323c2a5898d7020e45c54
-
F90F18257CBB4D84216AC1E1F3BB2C76
- Size
- 550B (550 bytes)
- Runtime Process
- vcredist_x86.exe (PID: 3004)
- MD5
- 4822033e3d7eb806a381a27b1ba25456
- SHA1
- fea2f18c4d1f5f070d39fecf6d50b3cfe39ba4cf
- SHA256
- 2ad8a354dfaae3f0a4d932975cc81d09a2ddba2f88abe93761065c6067af0a70
-
CabA0D7.tmp
- Size
- 50KiB (50939 bytes)
- Runtime Process
- vcredist_x86.exe (PID: 3004)
- MD5
- 41f958d2d3e9ed4504b6a8863fd72b49
- SHA1
- f6d380b256b0e66ef347adc78195fd0f228b3e33
- SHA256
- c929701c67a05f90827563eedccf5eba8e65b2da970189a0371f28cd896708b8
-
TarA0D8.tmp
- Size
- 118KiB (120573 bytes)
- Runtime Process
- vcredist_x86.exe (PID: 3004)
- MD5
- 179d2951034116b184198e0bf26daa47
- SHA1
- b76bf79e7fa15491075c3bd9ec569e1c8540174b
- SHA256
- 7e58975a4e1e86940f84e744709426939b85ae174dbbf020da3c893a54fd1da2
-
dd_vcredist_x86_20171018161220.log
- Size
- 8.8KiB (9042 bytes)
- Runtime Process
- vcredist_x86.exe (PID: 3104)
- MD5
- e18ec26753943a6d8f20120ef1207b24
- SHA1
- cadd119c55fcd4a6707178cbd31bc89b4d760d0e
- SHA256
- 72770eaf8bb5274a52d7fc72f18c7a2ab7b4269975f9250da805c8f5473ffc62
-
BootstrapperApplicationData.xml
- Size
- 3.5KiB (3564 bytes)
- Runtime Process
- vcredist_x86.exe (PID: 3104)
- MD5
- 8941885c101ec4d8ed4883b3f5f585cc
- SHA1
- 2fec996b79615d80ecaaab0986875be0f0ca65c5
- SHA256
- ff878406e508343ea8b2fd4205355c2f4de514581ff7088f0a5c3963bc7bf943
-
license.rtf
- Size
- 47KiB (48163 bytes)
- Runtime Process
- vcredist_x86.exe (PID: 3104)
- MD5
- e9f84e5ef16d918faa9a5425b4b041cf
- SHA1
- a427f89e8dc5f1784208f6755486f8b1805f67f5
- SHA256
- 5b7bd9ad76c8df8e2c496b3dcefc9fe3750dccc48fb416126605ed3fb208f55a
-
logo.png
- Size
- 1.8KiB (1861 bytes)
- Runtime Process
- vcredist_x86.exe (PID: 3104)
- MD5
- d6bd210f227442b3362493d046cea233
- SHA1
- ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
- SHA256
- 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
-
thm.wxl
- Size
- 2.9KiB (2952 bytes)
- Runtime Process
- vcredist_x86.exe (PID: 3104)
- MD5
- fbfcbc4dacc566a3c426f43ce10907b6
- SHA1
- 63c45f9a771161740e100faf710f30eed017d723
- SHA256
- 70400f181d00e1769774ff36bcd8b1ab5fbc431418067d31b876d18cc04ef4ce
-
thm.xml
- Size
- 5.7KiB (5881 bytes)
- Runtime Process
- vcredist_x86.exe (PID: 3104)
- MD5
- 0056f10a42638ea8b4befc614741ddd6
- SHA1
- 61d488cfbea063e028a947cb1610ee372d873c9f
- SHA256
- 6b1ba0dea830e556a58c883290faa5d49c064e546cbfcd0451596a10cc693f87
-
cab54A5CABBE7274D8A22EB58060AAB7623
- Size
- 802KiB (821593 bytes)
- Type
- data
- Description
- Microsoft Cabinet archive data, 805553 bytes, 4 files
- Runtime Process
- vcredist_x86.exe (PID: 3004)
- MD5
- e86a5849893fb832105ebb00270bd70e
- SHA1
- a36c08d68099ec362fe75c871622506d655c3e55
- SHA256
- cb26121b6c50d8e86baa98d773e7e7b3ab5d2adb07d7b5e6ede2aa363b5b5df1
-
cabB3E1576D1FEFBB979E13B1A5379E0B16
- Size
- 4.9MiB (5153728 bytes)
- Type
- data
- Description
- Microsoft Cabinet archive data, 5137688 bytes, 16 files
- Runtime Process
- vcredist_x86.exe (PID: 3004)
- MD5
- c07ffbee791b85ad79d554734ba80fb6
- SHA1
- 222f7b7a117f00d9b8e21490640b4348821cfe2b
- SHA256
- 52968dfd08467c01a4968103b9139cb8870c0d9f031777873b226c49c5817a78
-
vcRuntimeAdditional_x86
- Size
- 148KiB (151552 bytes)
- Runtime Process
- vcredist_x86.exe (PID: 3004)
- MD5
- dcde65fc1680dae894ac5525d2f6584c
- SHA1
- 727ab766704be383c169d6c3c97130a7271f0b2f
- SHA256
- c2f38afa844950a56390c82e0ceded99c756b96c03e98b57d4fa6790dab1457f
-
vcRuntimeMinimum_x86
- Size
- 148KiB (151552 bytes)
- Runtime Process
- vcredist_x86.exe (PID: 3004)
- MD5
- a70e0debaf579a27295ff9dcc21dc6fe
- SHA1
- 8add05037301667e49452c08a91aa9d48dd1e695
- SHA256
- 9846055a00a12b78998473ef978e1a48138adb168bf7bfd5b3d03ab0d44c1557
-
0x0404.ini
- Size
- 10KiB (10670 bytes)
- Runtime Process
- df384c96277b3d03bbad47c0e0fc5a87a05cc1242f26374b56a742a6844d623a.exe (PID: 2752)
- MD5
- ec1f8f71fa21c49bc96a17c81ad51598
- SHA1
- 5750f674b4de76d708dd1178265e280d515d8774
- SHA256
- 60f176f3014342f48468ff7ea67280fa3a671c4721ebefe7b4ee789ff65c87df
-
0x0407.ini
- Size
- 25KiB (25860 bytes)
- Runtime Process
- df384c96277b3d03bbad47c0e0fc5a87a05cc1242f26374b56a742a6844d623a.exe (PID: 2752)
- MD5
- 9a62da6c523506355c1bf1b30db73edd
- SHA1
- ee83114a7d4b995dd4ad7d1781ed66c4727cc121
- SHA256
- 8b5d7bc395d0d6980299702d0573c6019fefea92eb98701d1894a5623b2691a0
-
1033.MST
- Size
- 112KiB (114688 bytes)
- Type
- rtf
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Installation Database, Subject: Xshell 5, Author: NetSarang Computer, Inc., Keywords: Installer,MSI,Database, Comments: Xshell is a secure shell client for Windows platform., Create Time/Date: Fri Oct 13 12:13:00 2017, Name of Creating Application: InstallShield 2013 - Premier Edition with Virtualization Pack 20, Security: 1, Template: Intel;0,1033,2052,1028,1036,1031,1041,1042,1034, Last Saved By: Intel;1033, Revision Number: {F3FDFD5A-A201-407B-887F-399484764ECA}5.0.1333;{F3FDFD5A-A201-407B-887F-399484764ECA}5.0.1333;{79FD553C-F36E-4A1A-84D9-AC4217FCC991}, Number of Pages: 200, Number of Characters: 1
- Runtime Process
- df384c96277b3d03bbad47c0e0fc5a87a05cc1242f26374b56a742a6844d623a.exe (PID: 2752)
- MD5
- 3d40d0383c969e424e00a6f0e0b37835
- SHA1
- 73d254d9b1b40129caa7fd21a72238efa3c1b030
- SHA256
- 1c1d04b2a48fd5a0b3b3560d7f1bff18b0c47ab24910eb26c205e2018fff8177
-
Xshell 5.msi
- Size
- 5MiB (5230953 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, Can't read SAT
- Runtime Process
- df384c96277b3d03bbad47c0e0fc5a87a05cc1242f26374b56a742a6844d623a.exe (PID: 2752)
- MD5
- 43ef941bf7d57d2fde32f5848e9e171f
- SHA1
- 1e061e0e3f1d1f46534326d60e8a3a868abe3d79
- SHA256
- 62b284cc511079456a695ec788671cf072fb85889b680f09a8c497293b484397
-
setup.inx
- Size
- 275KiB (281459 bytes)
- Type
- data
- MD5
- 4942b549a696e5317a4bee18f06556f7
- SHA1
- 739d6f9b81acf686ff4c4d4484e41ff10f7a2837
- SHA256
- 1b39901d871cec055cafe5405cbc38baf926478c0e8dd30d1867f63a9bd0a28e
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Although all strings were processed, some are hidden from the report to reduce its overall size
- Extracted file "1033.MST" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/1c1d04b2a48fd5a0b3b3560d7f1bff18b0c47ab24910eb26c205e2018fff8177/analysis/1508340199/")
- Extracted file "Xshell 5.msi" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/62b284cc511079456a695ec788671cf072fb85889b680f09a8c497293b484397/analysis/1508340197/")
- Extracted file "setup.inx" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/1b39901d871cec055cafe5405cbc38baf926478c0e8dd30d1867f63a9bd0a28e/analysis/1508340198/")
- No static analysis parsing on sample was performed
- Not all IP/URL string resources were checked online
- Not all sources for signature ID "api-4" are available in the report
- Not all sources for signature ID "api-51" are available in the report
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "binary-0" are available in the report
- Not all sources for signature ID "registry-17" are available in the report
- Not all sources for signature ID "registry-18" are available in the report
- Not all sources for signature ID "registry-19" are available in the report
- Not all sources for signature ID "registry-55" are available in the report
- Not all sources for signature ID "static-6" are available in the report
- Not all sources for signature ID "string-43" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)