duplicatefileremover_setup.exe
This report is generated from a file or URL submitted to this webservice on December 13th 2015 16:31:40 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v3.00 © Hybrid Analysis
Attention: this analysis ran with the legacy Usermode Monitor. It is highly recommended to use the Kernelmode Monitor.
Incident Response
Risk Assessment
- Remote Access: Uses network protocols on unusual ports
- Persistence: Spawns a lot of processes
- Fingerprint: Contains ability to lookup the windows account name; Reads the active computer name; Reads the cryptographic machine GUID
- Network Behavior: Contacts 2 domains and 1 host
Indicators
Not all malicious and suspicious indicators are displayed.
-
Malicious Indicators 10
-
Anti-Detection/Stealthiness
-
Tries to hide tracks of having downloaded a file from the internet
- details
-
"<Input Sample>" opened "%TEMP%\cmd\cmd.exe:Zone.Identifier" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.exe:Zone.Identifier" with delete access - source
- API Call
- relevance
- 7/10
-
External Systems
-
Sample was identified as malicious by at least one Antivirus engine
- details
- 4/55 Antivirus vendors marked sample as malicious (7% detection rate)
- source
- Anti-Virus Test Result
- relevance
- 8/10
-
Installation/Persistence
-
Allocates virtual memory in foreign process
- details
-
"<Input Sample>" allocated 00001500 bytes of memory in "cmd.exe" (Protection: "read/write")
"<Input Sample>" allocated 00000088 bytes of memory in "cmd.exe" (Protection: "read/write")
"<Input Sample>" allocated 00001500 bytes of memory in "svhost.exe" (Protection: "read/write")
"<Input Sample>" allocated 00000088 bytes of memory in "svhost.exe" (Protection: "read/write")
"<Input Sample>" allocated 00147456 bytes of memory in "svhost.exe" (Protection: "execute/read/write")
"duplicatefileremover_setup.tmp" allocated 00001500 bytes of memory in "UninsHs.exe" (Protection: "read/write")
"duplicatefileremover_setup.tmp" allocated 00000088 bytes of memory in "UninsHs.exe" (Protection: "read/write")
"duplicatefileremover_setup.tmp" allocated 00001500 bytes of memory in "Launcher.exe" (Protection: "read/write")
"duplicatefileremover_setup.tmp" allocated 00000088 bytes of memory in "Launcher.exe" (Protection: "read/write")
"svhost.exe" allocated 00001500 bytes of memory in "dw20.exe" (Protection: "read/write")
"svhost.exe" allocated 00000088 bytes of memory in "dw20.exe" (Protection: "read/write") - source
- API Call
- relevance
- 7/10
-
Writes a PE file header to disc
- details
-
"<Input Sample>" wrote 53248 bytes starting with PE header signature to file "%TEMP%\svhost.exe": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"duplicatefileremover_setup.tmp" wrote 23312 bytes starting with PE header signature to file "C:\Users\%USERNAME%\AppData\Local\Temp\is-GH7R2.tmp\_isetup\_shfoldr.dll": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"duplicatefileremover_setup.tmp" wrote 27648 bytes starting with PE header signature to file "C:\Program Files\Essential Data Tools\Duplicate File Remover\is-8JQI7.tmp": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"duplicatefileremover_setup.tmp" wrote 65536 bytes starting with PE header signature to file "C:\Program Files\Essential Data Tools\Duplicate File Remover\is-T43RH.tmp": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"duplicatefileremover_setup.tmp" wrote 12800 bytes starting with PE header signature to file "C:\Program Files\Essential Data Tools\Duplicate File Remover\is-Q0M3N.tmp": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"duplicatefileremover_setup.tmp" wrote 65536 bytes starting with PE header signature to file "C:\Program Files\Essential Data Tools\Duplicate File Remover\is-G8VGQ.tmp": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"duplicatefileremover_setup.tmp" wrote 20480 bytes starting with PE header signature to file "C:\Program Files\Essential Data Tools\Duplicate File Remover\is-CEUJG.tmp": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"duplicatefileremover_setup.tmp" wrote 65536 bytes starting with PE header signature to file "C:\Program Files\Essential Data Tools\Duplicate File Remover\is-V4I76.tmp": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"duplicatefileremover_setup.tmp" wrote 65536 bytes starting with PE header signature to file "C:\Program Files\Essential Data Tools\Duplicate File Remover\is-RLL8Q.tmp": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"duplicatefileremover_setup.tmp" wrote 18944 bytes starting with PE header signature to file "C:\Program Files\Essential Data Tools\Duplicate File Remover\Plugins\is-TM258.tmp": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"duplicatefileremover_setup.tmp" wrote 36864 bytes starting with PE header signature to file "C:\Program Files\Essential Data Tools\Duplicate File Remover\Plugins\is-VPEM8.tmp": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"duplicatefileremover_setup.tmp" wrote 19968 bytes starting with PE header signature to file "C:\Program Files\Essential Data Tools\Duplicate File Remover\Plugins\is-OJ13D.tmp": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"duplicatefileremover_setup.tmp" wrote 17408 bytes starting with PE header signature to file "C:\Program Files\Essential Data Tools\Duplicate File Remover\Plugins\is-BU7UH.tmp": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ... - source
- API Call
- relevance
- 1/10
-
Writes data to a remote process
- details
-
"<Input Sample>" wrote 1500 bytes to a foreign process "duplicatefileremover_setup.exe" (PID: 00002328)
"<Input Sample>" wrote 4 bytes to a foreign process "duplicatefileremover_setup.exe" (PID: 00002328)
"<Input Sample>" wrote 32 bytes to a foreign process "duplicatefileremover_setup.exe" (PID: 00002328)
"<Input Sample>" wrote 52 bytes to a foreign process "duplicatefileremover_setup.exe" (PID: 00002328)
"<Input Sample>" wrote 1500 bytes to a foreign process "svhost.exe" (PID: 00002232)
"<Input Sample>" wrote 4 bytes to a foreign process "svhost.exe" (PID: 00002232)
"<Input Sample>" wrote 32 bytes to a foreign process "svhost.exe" (PID: 00002232)
"<Input Sample>" wrote 52 bytes to a foreign process "svhost.exe" (PID: 00002232)
"<Input Sample>" wrote 512 bytes to a foreign process "svhost.exe" (PID: 00002232)
"<Input Sample>" wrote 116736 bytes to a foreign process "svhost.exe" (PID: 00002232)
"<Input Sample>" wrote 1024 bytes to a foreign process "svhost.exe" (PID: 00002232)
"<Input Sample>" wrote 1500 bytes to a foreign process "duplicatefileremover_setup.tmp" (PID: 00002364)
"<Input Sample>" wrote 4 bytes to a foreign process "duplicatefileremover_setup.tmp" (PID: 00002364)
"<Input Sample>" wrote 32 bytes to a foreign process "duplicatefileremover_setup.tmp" (PID: 00002364)
"<Input Sample>" wrote 52 bytes to a foreign process "duplicatefileremover_setup.tmp" (PID: 00002364) - source
- API Call
- relevance
- 6/10
-
Network Related
-
Uses network protocols on unusual ports
- details
- TCP traffic to 85.59.110.29 on port 53135
- source
- Network Traffic
- relevance
- 7/10
-
Unusual Characteristics
-
Contains embedded string that indicates auto-execute behavior
- details
- Found keyword "AutoClose" which indicates: "Runs when the Word document is closed"
- source
- String
- relevance
- 10/10
-
Spawns a lot of processes
- details
-
Spawned process "<Input Sample>"
Spawned process "<Input Sample>"
Spawned process "cmd.exe"
Spawned process "duplicatefileremover_setup.tmp" with commandline "/SL5="$30160",2159126"
Spawned process "reg.exe" with commandline "reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "cmd /c %TEMP%\cmd\cmd.exe" /f"
Spawned process "svhost.exe"
Spawned process "UninsHs.exe" with commandline "/r0={5AFA81C6-6DE9-49b0-B2C1-D53763632D59}",en"
Spawned process "Launcher.exe"
Spawned process "DuplicateFileRemover.exe" - source
- Monitored Target
- relevance
- 8/10
-
Hiding 2 Malicious Indicators
- All indicators are available only in the private webservice or standalone version
-
Suspicious Indicators 34
-
Anti-Detection/Stealthiness
-
Sets the process error mode to suppress error box
- details
- "<Input Sample>" set its error mode to SEM_NOOPENFILEERRORBOX
- source
- API Call
- relevance
- 8/10
-
Anti-Reverse Engineering
-
PE file has unusual entropy sections
- details
- .text with unusual entropies 7.95738800376
- source
- Static Parser
- relevance
- 10/10
-
Environment Awareness
-
Possibly tries to implement anti-virtualization techniques
- details
-
"#=qgG_a77yogbYBHqEmUqNhqg==" (Indicator: "qemu")
"#=qafYaBz6vydvh5p1enXp9i7DFkib8BYlWVboxJdkHPcc=" (Indicator: "vbox") - source
- String
- relevance
- 4/10
-
Reads the cryptographic machine GUID
- details
-
"<Input Sample>" (Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY", Key: "MACHINEGUID")
"svhost.exe" (Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY", Key: "MACHINEGUID")
"DuplicateFileRemover.exe" (Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY", Key: "MACHINEGUID") - source
- Registry Access
- relevance
- 10/10
-
General
-
Reads configuration files
- details
-
"<Input Sample>" read file "%USERPROFILE%\Desktop\desktop.ini"
"<Input Sample>" read file "C:\Users\desktop.ini"
"<Input Sample>" read file "C:\Users\%USERNAME%\Searches\desktop.ini"
"<Input Sample>" read file "C:\Users\%USERNAME%\Videos\desktop.ini"
"<Input Sample>" read file "C:\Users\%USERNAME%\Pictures\desktop.ini"
"<Input Sample>" read file "C:\Users\%USERNAME%\Contacts\desktop.ini" - source
- API Call
- relevance
- 4/10
-
Installation/Persistence
-
Creates/touches files in windows directory
- details
-
"<Input Sample>" created file "C:\Windows\system32\cmd.exe"
"<Input Sample>" created file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
"duplicatefileremover_setup.tmp" created file "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Essential Data Tools"
"duplicatefileremover_setup.tmp" created file "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Essential Data Tools\Duplicate File Remover"
"duplicatefileremover_setup.tmp" created file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches"
"duplicatefileremover_setup.tmp" created file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"duplicatefileremover_setup.tmp" created file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db"
"duplicatefileremover_setup.tmp" created file "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Essential Data Tools\Duplicate File Remover\Duplicate File Remover.lnk"
"duplicatefileremover_setup.tmp" created file "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Essential Data Tools\Duplicate File Remover\Documentation.lnk"
"duplicatefileremover_setup.tmp" created file "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Essential Data Tools\Duplicate File Remover\Visit DuplicateFileRemover.com.lnk"
"duplicatefileremover_setup.tmp" created file "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Essential Data Tools\Duplicate File Remover\Release Notes.lnk"
"duplicatefileremover_setup.tmp" created file "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Essential Data Tools\Duplicate File Remover\License.lnk"
"duplicatefileremover_setup.tmp" created file "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Essential Data Tools\Duplicate File Remover\Uninstall Duplicate File Remover.lnk" - source
- API Call
- relevance
- 7/10
-
Drops executable files
- details
-
"duplicatefileremover_setup.exe" has type "PE32 executable (GUI) Intel 80386, for MS Windows"
"duplicatefileremover_setup.tmp" has type "PE32 executable (GUI) Intel 80386, for MS Windows"
"_shfoldr.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows"
"svhost.exe" has type "PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows" - source
- Dropped File
- relevance
- 10/10
-
Network Related
-
Found potential IP address in binary/memory
- details
-
"3.7.5.0"
"1.2.2.2" - source
- String
- relevance
- 3/10
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://www.essentialdatatools.com/products/duplicatefileremover/?event1=DuplicateFileRemover&event2=Distributive&event3=MenuShortcut"
Pattern match: "www.smartassembly.com/webservices/UploadReportLogin/GetServerURL"
Pattern match: "fb.com/samir.s4"
Pattern match: "http://www.smartassembly.com/webservices/Reporting/UploadReport2"
Pattern match: "http://www.innosetup.com/"
Heuristic match: "COMMAND.COM"
Pattern match: "rztp-rtp.rtp/r@up0rup1rup2rvp3rHvp4rvp5rvp6rwp7rPwp8rwp9rwp:rxp;rXxp"
Heuristic match: ":u$V]WNBz4l$[J9|6xaaaaaa@aaaaaa8_6x?Q*a8oDyMTBs-d5dCqFsIvKvJsLqSs\xgorrpnh]yUuMqIrMwP|Q}N|=l-dCtVOF|;r.eU"
Pattern match: "a.Uv/;q`0e#MWlh"
Pattern match: "http://#HomePage#"
Pattern match: "http://#lnksupport#"
Pattern match: "F6.fet/M19wzW"
Heuristic match: "S\CDx<QCo?BUol.as"
Heuristic match: "iDe<r.dO"
Pattern match: "y.sG/:zH|0lU"
Heuristic match: "=tW^eDWZj'N<qDLd98quS:yCNKOHSxyyOMO'vfi 7))oDC9r8+!Cs.\ Vg\>u!;}DF@RHN6ph-91fp]'L(40{C|8%\W<W|o&k4?LZ{mpE57V)Y.aW"
Heuristic match: "2r?WN>C=>:rb.sN"
Pattern match: "p.xjX/tSmf?7ebAcR6M"
Pattern match: "V1.gZF/5LfO%fwa%Sd-#.BZ_N_pWhY&6" - source
- String
- relevance
- 2/10
-
System Destruction
-
Marks file for deletion
- details
-
"%TEMP%\duplicatefileremover_setup.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\is-SR30G.tmp\duplicatefileremover_setup.tmp" for deletion
"C:\Users\%USERNAME%\AppData\Local\Temp\duplicatefileremover_setup.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\is-SR30G.tmp" for deletion
"C:\Users\%USERNAME%\AppData\Local\Temp\is-SR30G.tmp\duplicatefileremover_setup.tmp" marked "C:\Users\%USERNAME%\AppData\Local\Temp\is-GH7R2.tmp\_isetup\_shfoldr.dll" for deletion
"C:\Users\%USERNAME%\AppData\Local\Temp\is-SR30G.tmp\duplicatefileremover_setup.tmp" marked "C:\Users\%USERNAME%\AppData\Local\Temp\is-GH7R2.tmp\_isetup" for deletion
"C:\Users\%USERNAME%\AppData\Local\Temp\is-SR30G.tmp\duplicatefileremover_setup.tmp" marked "C:\Users\%USERNAME%\AppData\Local\Temp\is-GH7R2.tmp" for deletion - source
- API Call
- relevance
- 10/10
-
Opens file with deletion access rights
- details
-
"<Input Sample>" opened "%TEMP%\svhost.exe" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\ svhost.exe" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\cmd\svhost.bat" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\cmd\cmd.exe:Zone.Identifier" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.exe:Zone.Identifier" with delete access
"<Input Sample>" opened "C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.2140.3754890" with delete access
"<Input Sample>" opened "C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.2140.3754890" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2140.3754921" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\is-SR30G.tmp\duplicatefileremover_setup.tmp" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\is-SR30G.tmp" with delete access
"duplicatefileremover_setup.tmp" opened "C:\Program Files\Essential Data Tools\Duplicate File Remover\is-25VE7.tmp" with delete access
"duplicatefileremover_setup.tmp" opened "C:\Program Files\Essential Data Tools\Duplicate File Remover\is-8JQI7.tmp" with delete access
"duplicatefileremover_setup.tmp" opened "C:\Program Files\Essential Data Tools\Duplicate File Remover\is-T43RH.tmp" with delete access
"duplicatefileremover_setup.tmp" opened "C:\Program Files\Essential Data Tools\Duplicate File Remover\is-KA2KB.tmp" with delete access
"duplicatefileremover_setup.tmp" opened "C:\Program Files\Essential Data Tools\Duplicate File Remover\is-Q0M3N.tmp" with delete access
"duplicatefileremover_setup.tmp" opened "C:\Program Files\Essential Data Tools\Duplicate File Remover\is-G8VGQ.tmp" with delete access
"duplicatefileremover_setup.tmp" opened "C:\Program Files\Essential Data Tools\Duplicate File Remover\is-CEUJG.tmp" with delete access
"duplicatefileremover_setup.tmp" opened "C:\Program Files\Essential Data Tools\Duplicate File Remover\is-V4I76.tmp" with delete access
"duplicatefileremover_setup.tmp" opened "C:\Program Files\Essential Data Tools\Duplicate File Remover\is-RLL8Q.tmp" with delete access
"duplicatefileremover_setup.tmp" opened "C:\Program Files\Essential Data Tools\Duplicate File Remover\is-QBHD9.tmp" with delete access - source
- API Call
- relevance
- 7/10
-
System Security
-
Modifies proxy settings
- details
-
"<Input Sample>" (Access type: "DELETEVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP", Key: "PROXYBYPASS")
"<Input Sample>" (Access type: "DELETEVAL", Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP", Key: "PROXYBYPASS")
"duplicatefileremover_setup.tmp" (Access type: "DELETEVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP", Key: "PROXYBYPASS")
"duplicatefileremover_setup.tmp" (Access type: "DELETEVAL", Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP", Key: "PROXYBYPASS")
"Launcher.exe" (Access type: "DELETEVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP", Key: "PROXYBYPASS")
"Launcher.exe" (Access type: "DELETEVAL", Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP", Key: "PROXYBYPASS") - source
- Registry Access
- relevance
- 10/10
-
Unusual Characteristics
-
CRC value set in PE header does not match actual value
- details
- Claimed CRC 95545 does not match actual CRC 95545
- source
- Static Parser
- relevance
- 10/10
-
Contains embedded string with suspicious keywords
- details
-
Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
Found suspicious keyword "Open" which indicates: "May open a file" - source
- String
- relevance
- 10/10
-
Imports suspicious APIs
- details
-
RegOpenKeyExW
RegCloseKey
Sleep
VirtualAlloc
GetTickCount
LoadLibraryExW
GetStartupInfoA
GetProcAddress
GetModuleHandleW
GetModuleFileNameW
GetCommandLineW
FindFirstFileW
WriteFile
UnhandledExceptionFilter
VirtualProtect
LockResource
LoadLibraryW
GetVersionExW
GetFileSize
GetFileAttributesW
FindResourceW
DeleteFileW
CreateProcessW
CreateFileW
CreateDirectoryW
OpenProcessToken
ExitThread
CreateThread
SetWindowsHookExW
GetWindowThreadProcessId
FindWindowExW
FindWindowW
TerminateProcess
OpenProcess
GetDriveTypeW
GetComputerNameW
FindNextFileW
DeviceIoControl
CopyFileW
RegEnumKeyExW
RegDeleteValueW
RegDeleteKeyW
RegCreateKeyExW
GetUserNameW
ShellExecuteExW
ShellExecuteW
CreateDirectoryA
FindResourceExW
GetFileAttributesA
GetVersionExA
LoadLibraryA
SetSecurityDescriptorDacl
RegCreateKeyExA
RegOpenKeyA - source
- Static Parser
- relevance
- 1/10
-
Installs hooks/patches the running process
- details
-
"<Input Sample>" wrote bytes "7621CE1F" to virtual address "0x6AA91FDC" (part of module "MSCORWKS.DLL")
"svhost.exe" wrote bytes "36D0947E" to virtual address "0x6AA91FDC" (part of module "MSCORWKS.DLL") - source
- Hooks
- relevance
- 10/10
-
Reads information about supported languages
- details
-
"cmd.exe" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE", Key: "00000409")
"duplicatefileremover_setup.tmp" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE", Key: "00000409")
"Launcher.exe" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE", Key: "00000409")
"DuplicateFileRemover.exe" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE", Key: "00000409") - source
- Registry Access
- relevance
- 3/10
-
Hiding 17 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version
-
Informative 13
-
Environment Awareness
-
Contains ability to query volume size
- details
-
GetDiskFreeSpaceExW@KERNEL32.DLL at 00159265-00002364-7748228D-353382
GetDiskFreeSpaceExW@KERNEL32.DLL at 00159265-00002364-7748228D-353385
GetDiskFreeSpaceExW@KERNEL32.DLL at 00159265-00002364-7748228D-353388 - source
- StaticStream (Disassembly)
- relevance
- 3/10
-
General
-
Contacts domains
- details
-
"domain014.ml"
"the014.gotdns.ch" - source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
- "85.59.110.29:53135"
- source
- Network Traffic
- relevance
- 1/10
-
Contains PDB pathways
- details
-
"rOjEcTs\EDT\Essential Data Tools\source\dll_source\DfrLibrary\obj\Release\DfrLibrary.pdb"
"RegAsm.pdb"
"RSV{u.PdBCx^[PtB3SVWCt?@|1SzW}3;N;tC@_^[@SVWUQ$tfNff<$t'sM|E34GMuZ]_^[SVFtVtt03^[SVWQ8tQ@_^[@SVWQ8tQ<_^[@Sx t"
"CommonLibraryEssential Data Tools0+Copyright Essential Data Tools 2011-2012)$ad8c6370-61d9-4f58-a7c1-cb1b3e00ca1c1.0.0.0TWrapNonExceptionThrowshVuRSDSw;U3ARc:\PrOjEcTs\EDT\Essential Data Tools\source\dll_source\DfrLibrary\obj\Release\DfrLibrary.pdb _CorDllMainmscoree.dll% @0HX HH4VS_VERSION_INFO?DVarFileInfo$TranslationStringFileInfo000004b0LCompanyNameEssential Data ToolsDFileDescriptionCommonLibrary0FileVersion1.0.0.0@InternalNameDfrLibrary.dll|+LegalCopyrightCopyright Essential Data Tools 2011-2012HOriginalFilenameDfrLibrary.dll<ProductNameCommonLibrary4ProductVersion1.0.0.08Assembly Version1.0.0.0>" - source
- String
- relevance
- 1/10
-
Creates a writable file in a temporary directory
- details
- "<Input Sample>" created file "%TEMP%\svhost.exe"
- source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"Local\ZonesCounterMutex"
"Local\ZoneAttributeCacheCounterMutex"
"Local\ZonesCacheCounterMutex"
"Local\ZonesLockedCacheCounterMutex"
"Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511"
"Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000"
"Global\{ba1296a5-ede9-48a3-8cee-5198ca980100}"
"Global\.net clr networking" - source
- Created Mutant
- relevance
- 3/10
-
Loads modules at runtime
- details
-
"<Input Sample>" loaded module "API-MS-WIN-SECURITY-LSALOOKUP-L1-1-0.DLL" at base 77590000
"<Input Sample>" loaded module "ADVAPI32.DLL" at base 76D50000
"<Input Sample>" loaded module "CRYPTSP.DLL" at base 74FF0000
"<Input Sample>" loaded module "RPCRTREMOTE.DLL" at base 75560000
"duplicatefileremover_setup.tmp" loaded module "COMCTL32.DLL" at base 74440000
"duplicatefileremover_setup.tmp" loaded module "%WINDIR%\SYSTEM32\EXPLORERFRAME.DLL" at base 71BF0000
"duplicatefileremover_setup.tmp" loaded module "C:\WINDOWS\SYSTEM32\SFC.DLL" at base 70000000
"duplicatefileremover_setup.tmp" loaded module "SETUPAPI.DLL" at base 76980000
"duplicatefileremover_setup.tmp" loaded module "DEVRTL.DLL" at base 74D70000
"duplicatefileremover_setup.tmp" loaded module "PROPSYS.DLL" at base 742D0000
"duplicatefileremover_setup.tmp" loaded module "C:\WINDOWS\SYSTEM32\PROPSYS.DLL" at base 742D0000
"duplicatefileremover_setup.tmp" loaded module "NTMARTA.DLL" at base 74B00000
"duplicatefileremover_setup.tmp" loaded module "SHELL32.DLL" at base 75870000
"duplicatefileremover_setup.tmp" loaded module "LINKINFO.DLL" at base 70A10000
"duplicatefileremover_setup.tmp" loaded module "USER32.DLL" at base 76C20000
"duplicatefileremover_setup.tmp" loaded module "NTSHRUI.DLL" at base 71780000
"duplicatefileremover_setup.tmp" loaded module "SRVCLI.DLL" at base 751E0000 - source
- API Call
- relevance
- 1/10
-
Loads the .NET runtime environment
- details
-
"<Input Sample>" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll" at 69EF0000
"svhost.exe" loaded module "C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll" at 69EF0000
"DuplicateFileRemover.exe" loaded module "C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll" at 69F90000 - source
- Loaded Module
-
Looks up procedures from modules (excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime)
- details
-
"RtlDllShutdownInProgress@ntdll.dll"
"LookupAccountNameLocalW@sechost.dll"
"LookupAccountSidW@ADVAPI32.dll"
"LookupAccountSidLocalW@sechost.dll"
"CryptAcquireContextW@CRYPTSP.dll"
"CPAcquireContext@rsaenh.dll"
"CPReleaseContext@rsaenh.dll"
"CPGenKey@rsaenh.dll"
"CPDeriveKey@rsaenh.dll"
"CPDestroyKey@rsaenh.dll"
"CPSetKeyParam@rsaenh.dll"
"CPGetKeyParam@rsaenh.dll"
"CPExportKey@rsaenh.dll"
"CPImportKey@rsaenh.dll"
"CPEncrypt@rsaenh.dll"
"CPDecrypt@rsaenh.dll"
"CPCreateHash@rsaenh.dll"
"CPHashData@rsaenh.dll"
"CPHashSessionKey@rsaenh.dll"
"CPDestroyHash@rsaenh.dll" - source
- API Call
- relevance
- 1/10
-
Spawns new processes
- details
-
Spawned process "<Input Sample>"
Spawned process "cmd.exe"
Spawned process "duplicatefileremover_setup.tmp" with commandline "/SL5="$30160",2159126"
Spawned process "reg.exe" with commandline "reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "cmd /c %TEMP%\cmd\cmd.exe" /f"
Spawned process "svhost.exe"
Spawned process "UninsHs.exe" with commandline "/r0={5AFA81C6-6DE9-49b0-B2C1-D53763632D59}",en"
Spawned process "Launcher.exe"
Spawned process "DuplicateFileRemover.exe" - source
- Monitored Target
- relevance
- 3/10
-
Installation/Persistence
-
Contains ability to lookup the windows account name
- details
-
LookupAccountNameLocalW@SECHOST.DLL at 00152078-00002140-7748228D-160626
GetUserNameExW@SSPICLI.DLL at 00159265-00002364-7748228D-413571 - source
- StaticStream (Disassembly)
- relevance
- 5/10
-
Dropped files
- details
-
"duplicatefileremover_setup.exe" has type "PE32 executable (GUI) Intel 80386, for MS Windows"
"duplicatefileremover_setup.tmp" has type "PE32 executable (GUI) Intel 80386, for MS Windows"
"_shfoldr.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows"
"svhost.exe" has type "PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows"
"run.dat" has type "data"
"is-25VE7.tmp" has type "data"
"is-8JQI7.tmp" has type "data"
"is-T43RH.tmp" has type "data"
"is-KA2KB.tmp" has type "data"
"is-Q0M3N.tmp" has type "data"
"is-G8VGQ.tmp" has type "data"
"is-CEUJG.tmp" has type "data"
"is-V4I76.tmp" has type "data"
"is-RLL8Q.tmp" has type "data"
"is-QBHD9.tmp" has type "data"
"is-GV6GT.tmp" has type "data"
"is-TM258.tmp" has type "data"
"is-VPEM8.tmp" has type "data"
"is-OJ13D.tmp" has type "data"
"is-BU7UH.tmp" has type "data" - source
- Dropped File
- relevance
- 3/10
-
Spyware/Information Retrieval
-
Found a reference to a known community page
- details
- "<Extension name="flvat" description="YouTube Flash video file" ischecked="false"></Extension>" (Indicator: "youtube")
- source
- String
- relevance
- 7/10
File Details
duplicatefileremover_setup.exe
- Filename
- duplicatefileremover_setup.exe
- Size
- 2.9MiB (3002392 bytes)
- Type
- peexe assembly executable
- Description
- PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 483a86b5e726cf7114cf326405b3b840eb4978f50bd82af08964669df904788f
- MD5
- 3495f2b41910d3d042da098a895e4d79
- SHA1
- 24829b0003e8f7b4514735e08f5f7adeb08dbe35
- ssdeep
- 49152:Tkka5mdVjjGKotrTHLVHzovkogEM4gr3Ak0iQNgBiU6F9FM1lTlsQENVjXKUL04J:77KKo1rVT6kogfgkiNIiUQ9C/YNdPZEa
- imphash
- f34d5f2d4577ed6d9ceec516c1f5a744
- authentihash
- 95bcf583aa35e53656d1a0d6757d86ce39b0735cda4259e206e406e4d5b84d01
Version Info
- Translation
- 0x0000 0x04b0
- LegalCopyright
- Copyright (c) Essential Data Tools
- Assembly Version
- 3.7.5.0
- InternalName
- rpc4.exe
- FileVersion
- 3.7.5.0
- CompanyName
- Essential Data Tools
- Comments
- Easily find and remove duplicate files wasting hard disk spa
- ProductName
- Duplicate File Remover
- ProductVersion
- 3.7.5.0
- FileDescription
- -
- OriginalFilename
- rpc4.exe
Classification (TrID)
- 42.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.)
- 25.0% (.EXE) InstallShield setup
- 16.0% (.EXE) Win64 Executable (generic)
- 7.6% (.SCR) Windows Screen Saver
- 3.8% (.DLL) Win32 Dynamic Link Library (generic)
Hybrid Analysis
Analysed 9 processes in total (System Resource Monitor).
- duplicatefileremover_setup.exe (PID: 2140)
- duplicatefileremover_setup.exe (PID: 2328)
- duplicatefileremover_setup.tmp /SL5="$30160",2159126 (PID: 2364)
- UninsHs.exe /r0={5AFA81C6-6DE9-49b0-B2C1-D53763632D59}",en (PID: 1540)
- Launcher.exe (PID: 3588)
- DuplicateFileRemover.exe (PID: 3740)
- duplicatefileremover_setup.tmp /SL5="$30160",2159126 (PID: 2364)
- cmd.exe (PID: 2344)
- reg.exe reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "cmd /c %TEMP%\cmd\cmd.exe" /f (PID: 2380)
- svhost.exe (PID: 2232)
- duplicatefileremover_setup.exe (PID: 2328)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
domain014.ml | - | - | - |
the014.gotdns.ch | 85.59.110.29 | - | Spain |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
85.59.110.29 | 53135/TCP | - | Spain |
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
Displaying 29 extracted file(s). The remaining 9 file(s) are available in the full version and XML/JSON reports.
Clean 3
- duplicatefileremover_setup.exe
  - Size: 2.6MiB (2696440 bytes)
  - Type: PE32 executable (GUI) Intel 80386, for MS Windows
  - AV Scan Result: 0/54
  - MD5: 26beb20a2584792ca12b7a0d8839aa5b
  - SHA1: 2d573b1cbf28458a8c74b6a584dd74a1b49eb8c9
  - SHA256: 34adbf4ba85fc456c5b6f671eaaa9d6778452d410903131115befdcd1f06c779
- _shfoldr.dll
  - Size: 23KiB (23312 bytes)
  - Type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
  - AV Scan Result: 0/55
  - MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
  - SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
  - SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
- svhost.exe
  - Size: 52KiB (53248 bytes)
  - Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
  - AV Scan Result: 0/53
  - MD5: 278edbd499374bf73621f8c1f969d894
  - SHA1: a81170af14747781c5f5f51bb1215893136f0bc0
  - SHA256: c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391
Informative 26
- is-9R5K0.tmp
  - Size: 49KiB (50258 bytes)
- is-HKJGK.tmp
  - Size: 47KiB (48264 bytes)
- is-VDKH4.tmp
  - Size: 43KiB (43758 bytes)
- is-BU7UH.tmp
  - Size: 34KiB (34816 bytes)
  - Type: data
  - MD5: 3dbee0a07ad340adfff26c14dd6a8fc7
  - SHA1: 135aefa0e72c7de189298b0aed8ff595b01cf3ce
  - SHA256: 5dab1dd90e62891144585c6d46ae88c968ff245af1dd030a74321a4fac0d9c1a
- is-OJ13D.tmp
  - Size: 39KiB (39936 bytes)
  - Type: data
  - MD5: 2de3b1337632a2d5885120e6af77866d
  - SHA1: 9cb59134e0f4bb87907bb240fc62768b426c8ddd
  - SHA256: 97d902ee52dcd70986f37eda504170ad2d5b1d8a75768f4c52b4a4da5fcc4a83
- is-TM258.tmp
  - Size: 37KiB (37888 bytes)
  - Type: data
  - MD5: 14de71e7e9e1e3e118f7f3bc93d8fd5f
  - SHA1: e2ce7a98a298bf7f33c1cdf7e601ba72ea8d16aa
  - SHA256: 6a86e81468856d7ff3c8b4976bebc97e4a3c04b742a9ace62bc56aabfc75fad6
- is-VPEM8.tmp
  - Size: 72KiB (73728 bytes)
  - Type: data
  - MD5: 5c1b4d533475c4ed1214be0246e8efde
  - SHA1: eeab0a20dbbe664e47a422bf0f9f4b4edbd26679
  - SHA256: 6c0c13d4bbce4d4ffedc8946f96955cb6415b3f270747af787d4dd0a1b3dc7e5
- is-02CVJ.tmp
  - Size: 210KiB (215300 bytes)
- is-K3MPC.tmp
  - Size: 518B (518 bytes)
- is-25VE7.tmp
  - Size: 2.5MiB (2614477 bytes)
  - Type: data
  - MD5: e8cdec27e8c9b438cfb8a71989c97e5a
  - SHA1: 60d67c5aaa3a9f60fe78a3b0b0e79a303b75c61d
  - SHA256: 1c83a661149d5e92277e5192720bd406093132c8afc0e44c8e13acfd585da7c1
- is-8JQI7.tmp
  - Size: 54KiB (55296 bytes)
  - Type: data
  - MD5: 3b24148961cc19690930204d7fb7d043
  - SHA1: ebc22bcb6f2f9f55ebe69bb0f33b36230ff2f0a5
  - SHA256: d2476c2207b7ba858d2e278e4c8fce5b11e7cf99f098757a5110a86cd42567bd
- is-CEUJG.tmp
  - Size: 40KiB (40960 bytes)
  - Type: data
  - MD5: 10f9a06bdfd500b2e60e3b7875285139
  - SHA1: 74efaa5a8045775370ac38bb36db1278c8f50564
  - SHA256: 32cca469bac8d244d17ff408119684c3a4d8a47cfdf623961d3bd16050e520c8
- is-G8VGQ.tmp
  - Size: 135KiB (138240 bytes)
  - Type: data
  - MD5: c809670929d936db841631a76f25fca5
  - SHA1: 06f64fd1230db6e603385e118726651363c35d22
  - SHA256: 9fe4b24fc8d18fe58c07c67b3745a00c32ad777fec29f4f91d6065d1a9b778e2
- is-GV6GT.tmp
  - Size: 1KiB (1032 bytes)
  - Type: data
  - MD5: 475f3b0f319ee1ba0b9ef9bf2799c01d
  - SHA1: 47b194fb8498a7fac6832cdc646439cbffe20d2b
  - SHA256: ceb379f846ea904f080e419be8150963d2c64fedca8d71cd11a3731383e5d114
- is-I2QH3.tmp
  - Size: 49KiB (50428 bytes)
- is-KA2KB.tmp
  - Size: 799KiB (818176 bytes)
  - Type: data
  - MD5: c527540c90b8fa6fa3dd8435c0a7cf0f
  - SHA1: 9a891e45b36fb7783fa4cc3571f1fd4ea190b67a
  - SHA256: 16391fc5daae5626323ec31178b95bca51bab9e1d4daea4397490f2526e47270
- is-NMHU7.tmp
  - Size: 248KiB (254108 bytes)
- is-PG84C.tmp
  - Size: 846KiB (866302 bytes)
- is-Q0M3N.tmp
  - Size: 25KiB (25600 bytes)
  - Type: data
  - MD5: e8a38011888ba83227275719685a9017
  - SHA1: 2be9afd4aa045b4fb1aefa12516b95de1a06d3a1
  - SHA256: cd67ba74544350a2c618c5e986d906b90fed8fc11f522ab43e78c6f9f2090edd
- is-QBHD9.tmp
  - Size: 763KiB (781312 bytes)
  - Type: data
  - MD5: 235e87374db5c23be22861a8f88bb606
  - SHA1: 3c522218c2c53518119ff6768bb77106baba699f
  - SHA256: bdfd138eee33e57ed9068f0af2b8d918c322823b58595fbc597b1b9b4d048156
- Documentation.lnk
  - Size: 1.3KiB (1366 bytes)
- Duplicate File Remover.lnk
  - Size: 4.5KiB (4598 bytes)
- License.lnk
  - Size: 1.3KiB (1299 bytes)
- Release Notes.lnk
  - Size: 1.3KiB (1326 bytes)
- Uninstall Duplicate File Remover.lnk
  - Size: 2.2KiB (2244 bytes)
- Visit DuplicateFileRemover.com.lnk
  - Size: 1.3KiB (1381 bytes)
Notifications
Runtime
- Added comment to VirusTotal report
- Dropped file "is-25VE7.tmp" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/1c83a661149d5e92277e5192720bd406093132c8afc0e44c8e13acfd585da7c1/analysis/1450046652/")
- Dropped file "is-RLL8Q.tmp" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/a695068245528a53dc5ff368e0b055604498b01aa54320804a4b9b04c66fc22f/analysis/1450046656/")
- Dropped file "is-T43RH.tmp" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/19b077adcd147042110af3086f78a9c9ac742db7655e2ba748e8d054e91027c5/analysis/1450046654/")
- Not all sources for signature ID "api-0" are available in the report
- Not all sources for signature ID "api-1" are available in the report
- Not all sources for signature ID "api-25" are available in the report
- Not all sources for signature ID "api-38" are available in the report
- Not all sources for signature ID "api-47" are available in the report
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "api-6" are available in the report
- Not all sources for signature ID "api-7" are available in the report
- Not all sources for signature ID "api-8" are available in the report
- Not all sources for signature ID "binary-0" are available in the report
- Not all sources for signature ID "static-6" are available in the report
- Not all sources for signature ID "string-21" are available in the report
- Not all sources for signature ID "string-3" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Parsed the maximum number of dropped files (20), report might not contain information about some dropped files
- Parsed the maximum number of dropped files (20, see 'maxDroppedFilesToParseYARA'), report might not contain information about some dropped files