ifsetup.exe
This report is generated from a file or URL submitted to this webservice on March 5th 2020 17:12:09 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response

Risk Assessment
- Spyware: Found a string that may be used as part of an injection method
- Persistence: Modifies System Certificates Settings; Spawns a lot of processes; Writes data to a remote process
- Fingerprint: Queries kernel debugger information; Reads the active computer name; Reads the cryptographic machine GUID
- Evasive: Marks file for deletion
- Spreading: Opens the MountPointManager (often used to detect additional infection locations); Tries to access unusual system drive letters
- Network Behavior: Contacts 1 domain

MITRE ATT&CK™ Techniques Detection
The technique IDs attached to the indicators below are the ones ATT&CK used when this report was generated (March 2020, before sub-techniques). Two have since been retired: T1107 (File Deletion) is now T1070.004 and T1179 (Hooking) is now T1056.004; map them before feeding this report into current tooling.

Indicators
Not all malicious and suspicious indicators are displayed.
-
Malicious Indicators 6

Anti-Detection/Stealthiness

Creates a resource fork (ADS) file (often used to hide data)
- details: "ifsetup.exe" created file "%TEMP%\{3138CF84-20A6-4ECC-A046-3BCA74AE8FB8}\ifsetup.exe:Zone.Identifier"
- source: API Call
- relevance: 8/10
- caveat: the only alternate data stream involved is Zone.Identifier, the Mark-of-the-Web stream Windows attaches to files that arrive from the Internet zone. The submitted executable carried that stream, and copying itself into %TEMP% carried the stream with it. Nothing is hidden; the heuristic would only mean something for a stream with another name.

Installation/Persistence

Allocates virtual memory in a remote process
- details:
"ifsetup.exe" allocated memory in "C:\ifsetup.exe"
"ifsetup.exe" allocated memory in "\REGISTRY\MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}"
- source: API Call
- relevance: 7/10
- ATT&CK ID: T1055
- caveat: a file and a registry key are not processes. The sandbox resolved the process handle passed to the allocation call against the wrong kernel object, most likely because the handle value had been reused; the real targets are the two child processes listed under the next indicator.

Writes data to a remote process
- details:
"ifsetup.exe" wrote 1500 bytes to a remote process "%TEMP%\{3138CF84-20A6-4ECC-A046-3BCA74AE8FB8}\ifsetup.exe" (Handle: 312)
"ifsetup.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\{3138CF84-20A6-4ECC-A046-3BCA74AE8FB8}\ifsetup.exe" (Handle: 312)
"ifsetup.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\{3138CF84-20A6-4ECC-A046-3BCA74AE8FB8}\ifsetup.exe" (Handle: 312)
"ifsetup.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\{3138CF84-20A6-4ECC-A046-3BCA74AE8FB8}\ifsetup.exe" (Handle: 312)
"ifsetup.exe" wrote 8 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\{3138CF84-20A6-4ECC-A046-3BCA74AE8FB8}\ifsetup.exe" (Handle: 312)
"ifsetup.exe" wrote 4 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 356)
"ifsetup.exe" wrote 8 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 356)
"ifsetup.exe" wrote 1500 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 356)
"ifsetup.exe" wrote 32 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 356)
"ifsetup.exe" wrote 52 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 356)
- source: API Call
- relevance: 6/10
- ATT&CK ID: T1055
- caveat: both targets are processes ifsetup.exe created itself: the copy of the installer it extracted to %TEMP% and the 32-bit msiexec.exe it launched for the MSI. The same five write sizes (4, 8, 32, 52 and 1500 bytes) go to each child, which is what a parent handing a fixed set of structures to its own children looks like, not injection into an unrelated process. The static import list (OpenProcess, WriteProcessMemory, VirtualProtectEx, GetThreadContext) shows the capability is there, so confirm the parent-child relationship in the process tree before recording this as T1055.

System Security

Modifies System Certificates Settings
- details:
"msiexec.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "27AC9369FAF25207BB2627CEFACCBE4EF9C319B8")
"msiexec.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "BLOB")
- source: Registry Access
- relevance: 8/10
- ATT&CK ID: T1112
- caveat: this key is the current user's Intermediate Certification Authorities store (CA), not the Trusted Root store. CryptoAPI rewrites an entry there when it caches an intermediate certificate during chain building, which is what msiexec is doing while it verifies the package's Authenticode signature (the OCSP requests to ocsp.godaddy.com with the Microsoft-CryptoAPI User-Agent belong to the same verification). The key name is the SHA-1 thumbprint of the certificate held in the BLOB value, so the entry can be checked by hashing the DER certificate out of the blob. A SETVAL under ...\SYSTEMCERTIFICATES\ROOT\CERTIFICATES or ...\DISALLOWED would be worth escalating; the report shows neither.

Unusual Characteristics

Spawns a lot of processes
- details:
Spawned process "ifsetup.exe" (Show Process)
Spawned process "ifsetup.exe" with commandline "/q"C:\ifsetup.exe" /tempdisk1folder"%TEMP%\{3138CF84-20A6-4ECC-A046-3BCA74AE8FB8}" /IS_temp" (Show Process)
Spawned process "msiexec.exe" with commandline "/i "%LOCALAPPDATA%\Downloaded Installations\{793B452E-0B3B-46E7-8F92-BB236969C202}\IFSetup.msi" SETUPEXEDIR="C:" SETUPEXENAME="ifsetup.exe"" (Show Process)
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5E476CE0-D7DC-4F3D-B742-B9FFD6EAB2C6}" (Show Process)
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{680D507D-29E6-47B4-B3BD-AA228D32556F}" (Show Process)
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{90F643ED-547C-48DC-9BB9-204ED406CD85}" (Show Process)
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8B0A8292-7C55-4282-9D2F-BF1CC5D846C0}" (Show Process)
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A62D6191-8387-4315-B4E4-2B2502CDD6EC}" (Show Process)
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{99FA465A-5679-472D-8416-A0F4737D33DD}" (Show Process)
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0102AAED-B2C6-4DF3-BC72-5AB58B2B1C5F}" (Show Process)
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9943B581-06C4-4CE8-AF1D-C6490759CF7B}" (Show Process)
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FE5B49A3-496A-4507-A819-D78F3C55CF6D}" (Show Process)
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{06F718F1-7354-4E42-ADB6-8463A8923E43}" (Show Process)
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EDE6B1F2-C415-46C7-A361-4FE69BC2DFDA}" (Show Process)
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5C7DFBA4-A8EB-41F4-ACD8-68CA93F174FB}" (Show Process)
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{33235B02-F74C-48CE-97A1-819FD6EB75F8}" (Show Process)
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{00A05A3B-B81D-4A01-B0CA-165A50CFFE6E}" (Show Process)
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{544AED53-34E5-4F8D-83AB-7AB4781E8DDA}" (Show Process)
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2C49997F-DBD8-450B-972A-E1C32845318D}" (Show Process)
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D5B42C0A-1F7B-416A-A1E3-9BF061EF33B5}" (Show Process)
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A6EBBBDE-241A-419F-8B5F-20EF18E680E7}" (Show Process)
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{76499E4A-CC1D-46C3-95E3-9BBFE116631A}" (Show Process)
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EF32005A-8D43-4D12-887F-106D32783D87}" (Show Process)
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C6C2A834-A30E-4687-A3D9-F34DD4043487}" (Show Process)
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{89AD832D-BBF7-4872-8672-6AAE6206F390}" (Show Process)
- source: Monitored Target
- relevance: 8/10
- caveat: this is the usual InstallShield process tree. The setup.exe stub re-launches itself from the /tempdisk1folder extraction directory, hands the extracted MSI to msiexec.exe with the SETUPEXEDIR and SETUPEXENAME properties, and runs InstallShield's 64-bit helper ISBEW64.exe once per 64-bit operation. Twenty-two short-lived ISBEW64.exe instances sharing the same first GUID are noisy but expected for a 64-bit package on this engine.

Tries to access unusual system drive letters
- details:
"msiexec.exe" touched "Q:"
"msiexec.exe" touched "R:"
"msiexec.exe" touched "S:"
"msiexec.exe" touched "T:"
"msiexec.exe" touched "U:"
"msiexec.exe" touched "V:"
"msiexec.exe" touched "W:"
"msiexec.exe" touched "X:"
"msiexec.exe" touched "Y:"
"msiexec.exe" touched "K:"
"msiexec.exe" touched "L:"
"msiexec.exe" touched "M:"
"msiexec.exe" touched "N:"
- source: API Call
- relevance: 9/10
- ATT&CK ID: T1083
- caveat: Windows Installer enumerates drive letters while it costs the installation, building its per-volume disk-space list, so msiexec probing letters that do not exist is normal and this heuristic fires on most MSI installs. It would matter if a process other than the installer enumerated drives, or if the letters it found were then written to.
-
Suspicious Indicators 21
-
Anti-Detection/Stealthiness
-
Queries kernel debugger information
- details
-
"ifsetup.exe" at 00059723-00002280-00000033-26486675174
"msiexec.exe" at 00060261-00001124-00000033-26313449564
"ISBEW64.exe" at 00067677-00001592-00000033-273973637800
"ISBEW64.exe" at 00067856-00002564-00000033-264348546859
"ISBEW64.exe" at 00067954-00003648-00000033-267082239500
"ISBEW64.exe" at 00068040-00001788-00000033-282660025632
"ISBEW64.exe" at 00068122-00000536-00000033-272067925525
"ISBEW64.exe" at 00068211-00001728-00000033-288186581485
"ISBEW64.exe" at 00068290-00000824-00000033-277047664490
"ISBEW64.exe" at 00068377-00001580-00000033-293299581786
"ISBEW64.exe" at 00068457-00003404-00000033-295651898465
"ISBEW64.exe" at 00068550-00002584-00000033-298594425431
"ISBEW64.exe" at 00068641-00002812-00000033-300958939861
"rundll32.exe" at 00069609-00003004-00000033-318271036145
"ISBEW64.exe" at 00070270-00003052-00000033-336311205160
"ISBEW64.exe" at 00070361-00002204-00000033-353911918002
"ISBEW64.exe" at 00070444-00002820-00000033-341612373390
"ISBEW64.exe" at 00070544-00003000-00000033-360167544921
"ISBEW64.exe" at 00070650-00000960-00000033-362786676013
"ISBEW64.exe" at 00070750-00001884-00000033-350789642116 - source
- API Call
- relevance
- 6/10
-
Environment Awareness
-
Queries the installation properties of user installed products
- details
-
"ifsetup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\EE2D9269FCBEC7941A4DC12A9E08BA2D\INSTALLPROPERTIES")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\EE2D9269FCBEC7941A4DC12A9E08BA2D\INSTALLPROPERTIES") - source
- Registry Access
- relevance
- 10/10
-
Reads the active computer name
- details
-
"ifsetup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"ISBEW64.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"rundll32.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME") - source
- Registry Access
- relevance
- 5/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
Reads the cryptographic machine GUID
- details
-
"ifsetup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"ISBEW64.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
General
-
Reads configuration files
- details
-
"ifsetup.exe" read file "%TEMP%\{3138CF84-20A6-4ECC-A046-3BCA74AE8FB8}\_ISMSIDEL.INI"
"ifsetup.exe" read file "%TEMP%\{3138CF84-20A6-4ECC-A046-3BCA74AE8FB8}\Setup.INI"
"ifsetup.exe" read file "%TEMP%\{3138CF84-20A6-4ECC-A046-3BCA74AE8FB8}\0x0409.ini" - source
- API Call
- relevance
- 4/10
-
Installation/Persistence

Drops executable files
- details: "SETAA59.tmp" has type "PE32+ executable (DLL) (console) x86-64 for MS Windows"
- source: Binary File
- relevance: 10/10
- caveat: the SETxxxx.tmp files are staged by rundll32.exe in a {GUID} temp directory with an amd64 subfolder next to a catalog file (xdsmplx64.cat), which is how SetupAPI stages a driver package, and the dropped DLL's PDB path (xdsmplui.pdb under objchk_wlh_amd64) matches the user-interface DLL of the XPS printer-driver sample in the Windows Driver Kit, built as a checked build. The dropped executable is therefore a 64-bit printer-driver UI module being installed by the package, not a payload written out for later execution.
-
Network Related

Found potential IP address in binary/memory
- details: Heuristic match: "ScriptVer=1.0.0.1"
- source: File/Memory
- relevance: 3/10
- caveat: the match is a four-part version string, not an address; the only real destination is the OCSP responder listed under Network Traffic.
-
System Destruction
-
Marks file for deletion
- details
-
"C:\ifsetup.exe" marked "%TEMP%\~390D.tmp" for deletion
"C:\ifsetup.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\~3A18.tmp" for deletion
"%TEMP%\{3138CF84-20A6-4ECC-A046-3BCA74AE8FB8}\ifsetup.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\_MSI5166._IS" for deletion
"%TEMP%\{3138CF84-20A6-4ECC-A046-3BCA74AE8FB8}\ifsetup.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\~487E.tmp" for deletion
"%TEMP%\{3138CF84-20A6-4ECC-A046-3BCA74AE8FB8}\ifsetup.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\~495A.tmp" for deletion
"%TEMP%\{3138CF84-20A6-4ECC-A046-3BCA74AE8FB8}\ifsetup.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\~535D.tmp" for deletion
"%WINDIR%\SysWOW64\msiexec.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\MSI8CEA.tmp" for deletion
"%WINDIR%\SysWOW64\msiexec.exe" marked "C:\MSI666c4.tmp" for deletion
"%WINDIR%\System32\rundll32.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{2aec4344-6302-1555-076e-d60bc0ab6f02}\SETA74F.tmp" for deletion
"%WINDIR%\System32\rundll32.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{2aec4344-6302-1555-076e-d60bc0ab6f02}\SETA77F.tmp" for deletion
"%WINDIR%\System32\rundll32.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{2aec4344-6302-1555-076e-d60bc0ab6f02}\SETA7AF.tmp" for deletion
"%WINDIR%\System32\rundll32.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{2aec4344-6302-1555-076e-d60bc0ab6f02}\SETA81E.tmp" for deletion
"%WINDIR%\System32\rundll32.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{2aec4344-6302-1555-076e-d60bc0ab6f02}\SETA85D.tmp" for deletion
"%WINDIR%\System32\rundll32.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{2aec4344-6302-1555-076e-d60bc0ab6f02}\SETA88D.tmp" for deletion
"%WINDIR%\System32\rundll32.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{2aec4344-6302-1555-076e-d60bc0ab6f02}\SETA8BD.tmp" for deletion
"%WINDIR%\System32\rundll32.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{2aec4344-6302-1555-076e-d60bc0ab6f02}\SETA8FD.tmp" for deletion
"%WINDIR%\System32\rundll32.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{2aec4344-6302-1555-076e-d60bc0ab6f02}\SETA94C.tmp" for deletion
"%WINDIR%\System32\rundll32.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{2aec4344-6302-1555-076e-d60bc0ab6f02}\SETA99B.tmp" for deletion
"%WINDIR%\System32\rundll32.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{2aec4344-6302-1555-076e-d60bc0ab6f02}\SETA9EA.tmp" for deletion
"%WINDIR%\System32\rundll32.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{2aec4344-6302-1555-076e-d60bc0ab6f02}\amd64\SETAA2A.tmp" for deletion - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1107 (Show technique in the MITRE ATT&CK™ matrix)
- caveat: every file marked for deletion is one the installer chain created minutes earlier (the ~xxxx.tmp and _MSIxxxx._IS extraction files, msiexec's MSIxxxx.tmp, the SETxxxx.tmp driver staging copies), so this is an installer cleaning up its own temp directories, not removal of evidence in the T1107 (now T1070.004) sense.
-
Opens file with deletion access rights
- details
-
"ifsetup.exe" opened "%TEMP%\~390D.tmp" with delete access
"ifsetup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\~3A18.tmp" with delete access
"ifsetup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\_MSI5166._IS" with delete access
"ifsetup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\~487E.tmp" with delete access
"ifsetup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\~495A.tmp" with delete access
"ifsetup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\~535D.tmp" with delete access
"msiexec.exe" opened "%SAMPLEDIR%\MSI666c5.tmp" with delete access
"msiexec.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\MSI8CEA.tmp" with delete access
"msiexec.exe" opened "C:\MSI666c4.tmp" with delete access
"rundll32.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{2aec4344-6302-1555-076e-d60bc0ab6f02}\SETA70F.tmp" with delete access
"rundll32.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{2aec4344-6302-1555-076e-d60bc0ab6f02}\SETA74F.tmp" with delete access
"rundll32.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{2aec4344-6302-1555-076e-d60bc0ab6f02}\SETA77F.tmp" with delete access
"rundll32.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{2aec4344-6302-1555-076e-d60bc0ab6f02}\SETA7AF.tmp" with delete access
"rundll32.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{2aec4344-6302-1555-076e-d60bc0ab6f02}\SETA7EE.tmp" with delete access
"rundll32.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{2aec4344-6302-1555-076e-d60bc0ab6f02}\SETA81E.tmp" with delete access
"rundll32.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{2aec4344-6302-1555-076e-d60bc0ab6f02}\SETA85D.tmp" with delete access - source
- API Call
- relevance
- 7/10
-
System Security
-
Modifies Software Policy Settings
- details
-
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLS") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112 (Show technique in the MITRE ATT&CK™ matrix)
- caveat: all twenty accesses are CREATE of the empty container keys for the group-policy certificate stores (CA, Root, Disallowed, TrustedPeople and their Certificates, CRLs and CTLs subkeys). CryptoAPI opens these stores with create-if-missing semantics whenever it builds a chain, so an empty key appearing is not a policy change. A real modification would show SETVAL of a BLOB value beneath one of them, and none is reported.
-
Unusual Characteristics
-
CRC value set in PE header does not match actual value
- details: "SETAA59.tmp" claimed CRC 376864 while the actual is CRC 13428070
- source: Static Parser
- relevance: 10/10
- caveat: the "CRC" is IMAGE_OPTIONAL_HEADER.CheckSum. The user-mode loader never validates it, Authenticode deliberately leaves it out of the signed hash, and the linker only fills it in when asked, so a stale or zero value is common in legitimately signed DLLs and means nothing on its own; it is enforced only for kernel-mode drivers, which this user-mode printer UI DLL is not. It becomes interesting only alongside a failed signature check, as a hint that the file was edited after linking.
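To reproduce the check behind this indicator, here is an added example; it is not part of the Hybrid Analysis report and not Microsoft's or InstallShield's code. It recomputes the PE image checksum the way imagehlp's CheckSumMappedFile does (fold every 32-bit word into a 16-bit one's-complement sum, skip the CheckSum field itself, add the file length) and compares the result with the header. Because the sample is not available here, the block builds a small PE-shaped buffer of its own to run against; `verify_checksum` takes the raw bytes of any real file.

```python
from __future__ import annotations

import struct

PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20
CHECKSUM_FIELD = 0x40  # offset of CheckSum inside the optional header, PE32 and PE32+ alike


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum; raises if the buffer is not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    offset = e_lfanew + 4 + COFF_HEADER_SIZE + CHECKSUM_FIELD
    if offset % 4:
        raise ValueError("unaligned optional header")
    return offset


def compute_checksum(data: bytes) -> int:
    """Recompute the image checksum: fold every 32-bit word of the file into a
    16-bit one's-complement sum, skipping the CheckSum field, then add the
    file length. This is the algorithm imagehlp's CheckSumMappedFile uses."""
    skip = checksum_field_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)  # a trailing partial word counts zero-padded
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:  # fold the carry back in, like a 32-bit add-with-carry
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def header_checksum(data: bytes) -> int:
    """The value the linker (or whoever touched the file last) left in the header."""
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def with_checksum(data: bytes, value: int) -> bytes:
    """Copy of the image with the CheckSum field replaced."""
    off = checksum_field_offset(data)
    return data[:off] + struct.pack("<I", value) + data[off + 4:]


def verify_checksum(data: bytes) -> tuple[bool, int, int]:
    """(matches, claimed, actual). Zero means the linker never set it; the user-mode
    loader ignores the field either way, the kernel rejects drivers that mismatch."""
    claimed = header_checksum(data)
    actual = compute_checksum(data)
    return claimed == actual, claimed, actual


def build_minimal_pe(payload: bytes) -> bytes:
    """Constructed stand-in for a PE32+ DLL: DOS header, PE signature, COFF header,
    a 240-byte optional header with CheckSum left at zero, then arbitrary bytes.
    Enough for the checksum routine; not a loadable image."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=AMD64, 0 sections, 240-byte optional header, EXECUTABLE|LARGE_ADDRESS_AWARE|DLL
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)
    optional = bytearray(240)
    struct.pack_into("<H", optional, 0, 0x20B)  # PE32+ magic
    return dos + PE_SIGNATURE + coff + bytes(optional) + payload


if __name__ == "__main__":
    image = build_minimal_pe(b"constructed sample body " * 40)
    ok, claimed, actual = verify_checksum(image)
    print(f"claimed {claimed}, actual {actual}, match={ok}")
    print("after setting the field:", verify_checksum(with_checksum(image, actual))[0])
```

Running it over the dropped SETAA59.tmp should reproduce the report's 376864 versus 13428070 pair if the sandbox uses the same algorithm; a mismatch is a reason to look at the signature, not a verdict on its own.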
-
Imports suspicious APIs
- details
-
RegCreateKeyExW
RegCloseKey
RegCreateKeyW
RegOpenKeyExW
RegDeleteKeyW
OpenProcessToken
RegEnumKeyW
RegOpenKeyW
SetSecurityDescriptorDacl
RegEnumKeyExW
RegDeleteValueW
GetDriveTypeW
GetFileAttributesW
UnhandledExceptionFilter
GetThreadContext
FindResourceExW
CopyFileW
OutputDebugStringW
GetModuleFileNameW
IsDebuggerPresent
LoadLibraryExA
LoadLibraryExW
CreateThread
TerminateProcess
GetModuleHandleExW
CreateToolhelp32Snapshot
LoadLibraryW
GetVersionExW
GetTickCount
LoadLibraryA
GetFileSize
WriteProcessMemory
OpenProcess
GetStartupInfoW
CreateDirectoryW
DeleteFileW
VirtualProtectEx
GetTempFileNameW
CreateFileMappingW
WriteFile
FindNextFileW
FindFirstFileW
GetProcAddress
CreateFileW
FindResourceW
Process32NextW
LockResource
GetCommandLineW
Process32FirstW
MapViewOfFile
GetModuleHandleW
GetTempPathW
CreateProcessW
Sleep
ShellExecuteW
ShellExecuteExW
FindWindowW
GetModuleFileNameA
GetCommandLineA
OutputDebugStringA
VirtualProtect
VirtualAlloc - source
- Static Parser
- relevance
- 1/10
-
Installs hooks/patches the running process
- details
-
"ifsetup.exe" wrote bytes "71115b017a3b5a01ab8b02007f950200fc8c0200729602006cc805001ecd57017d265701" to virtual address "0x75C907E4" (part of module "USER32.DLL")
"msiexec.exe" wrote bytes "71115b017a3b5a01ab8b02007f950200fc8c0200729602006cc805001ecd57017d265701" to virtual address "0x75C907E4" (part of module "USER32.DLL")
"msiexec.exe" wrote bytes "c0df1e771cf91d77ccf81d770d641f7700000000c011207600000000fc3e207600000000e0132076000000009457437625e01e77c6e01e7700000000bc6a427600000000cf3120760000000093194376000000002c32207600000000" to virtual address "0x766C1000" (part of module "NSI.DLL") - source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179 (Show technique in the MITRE ATT&CK™ matrix)
- caveat: the same 36 bytes land at the same USER32.DLL address from two different processes (ifsetup.exe and msiexec.exe), and the detector does not name an export that was patched. Process-independent identical writes are hard to reconcile with a targeted API hook, so record this as unresolved rather than confirmed hooking (T1179, now T1056.004) and resolve 0x75C907E4 against the loaded USER32.DLL image if the sample is revisited.
-
Reads information about supported languages
- details
-
"ifsetup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"msiexec.exe" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALENAME") - source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
Hiding 7 Suspicious Indicators
-
Informative 30
-
Anti-Reverse Engineering
-
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
-
SetUnhandledExceptionFilter@KERNEL32.dll (Show Stream)
SetUnhandledExceptionFilter@KERNEL32.dll (Show Stream) - source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Environment Awareness
-
Contains ability to query the machine version
- details
- GetVersionExW@KERNEL32.dll (Show Stream)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Possibly tries to detect the presence of a debugger
- details
-
GetProcessHeap@KERNEL32.dll (Show Stream)
GetProcessHeap@KERNEL32.dll (Show Stream)
GetProcessHeap@KERNEL32.dll (Show Stream) - source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Queries volume information
- details
-
"msiexec.exe" queries volume information of "C:\" at 00060261-00001124-00000046-36116720240
"msiexec.exe" queries volume information of "C:\share" at 00060261-00001124-00000046-55951814781
"rundll32.exe" queries volume information of "%PROGRAMFILES%\(x86)\Common Files\CCHSFS\Printer\CCHPrinter\xdsmplx64.cat" at 00069609-00003004-00000046-333294473539 - source
- API Call
- relevance
- 2/10
- ATT&CK ID
- T1120 (Show technique in the MITRE ATT&CK™ matrix)
-
Queries volume information of an entire harddrive
- details
- "msiexec.exe" queries volume information of "C:\" at 00060261-00001124-00000046-36116720240
- source
- API Call
- relevance
- 8/10
- ATT&CK ID
- T1120 (Show technique in the MITRE ATT&CK™ matrix)
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
- 0/71 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
General
-
Accesses Software Policy Settings
- details
-
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLS"; Key: "") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
Accesses System Certificates Settings
- details
-
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\104C63D2546B8021DD105E9FBA5A8D78169F6B32"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\1FB86B1168EC743154062E8C9CC5B171A4B7CCB4"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\247106A405B288A46E70A0262717162D0903E734"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\339CDD57CFD5B141169B615FF31428782D1DA639"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\5AEAEE3F7F2A9449CEBAFEEC68FDD184F20124A7"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\902EF2DEEB3C5B13EA4C3D5193629309E231AE55"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\C86EDBC71AB05078F61ACDF3D8DC5DB61EB75FB6"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\E3FC0AD84F2F5A83ED6F86F567F8B14B40DCBF12"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\EAB040689A0D805B5D6FD654FC168CFF00B78BE3"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112 (Show technique in the MITRE ATT&CK™ matrix)
- caveat: these are reads, so T1112 (Modify Registry) is the wrong technique for this indicator; T1012 (Query Registry) fits. Enumerating every thumbprint under the user's CA\CERTIFICATES store is CryptoAPI walking the intermediate store while it builds the signer's chain. The one entry that was also written, 27AC9369FAF25207BB2627CEFACCBE4EF9C319B8, is the "Modifies System Certificates Settings" indicator in the malicious section above.
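To check what actually landed in the store entry behind the "Modifies System Certificates Settings" indicator, or in any of the entries read here, the Blob value has to be parsed. The following is an added example, not from the report and not Microsoft's code: each Blob is a sequence of property records (DWORD property ID, a DWORD that is always 1, DWORD length, data), the DER certificate is property 32, and the key name must equal its SHA-1. The parser re-derives the thumbprint and checks it against the key name and the cached SHA-1 property. The sample blob is constructed in the block around a stand-in DER value, not the real certificate; the Windows-only `read_store_blob` helper is the only part that touches the registry, and its key-path argument is this example's assumption.

```python
from __future__ import annotations

import hashlib
import struct

# Property IDs from wincrypt.h that show up in registry certificate blobs.
CERT_KEY_PROV_INFO_PROP_ID = 2
CERT_SHA1_HASH_PROP_ID = 3
CERT_MD5_HASH_PROP_ID = 4
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_KEY_IDENTIFIER_PROP_ID = 20
CERT_CERT_PROP_ID = 32
PROP_NAMES = {
    CERT_KEY_PROV_INFO_PROP_ID: "KEY_PROV_INFO",
    CERT_SHA1_HASH_PROP_ID: "SHA1_HASH",
    CERT_MD5_HASH_PROP_ID: "MD5_HASH",
    CERT_FRIENDLY_NAME_PROP_ID: "FRIENDLY_NAME",
    CERT_KEY_IDENTIFIER_PROP_ID: "KEY_IDENTIFIER",
    CERT_CERT_PROP_ID: "CERT",
}


def parse_cert_blob(blob: bytes) -> dict[int, bytes]:
    """Split a Blob value into {propid: data}. Record layout: DWORD propid,
    DWORD reserved (always 1), DWORD cbData, BYTE data[cbData], repeated."""
    props, pos = {}, 0
    while pos < len(blob):
        if pos + 12 > len(blob):
            raise ValueError(f"truncated record header at offset {pos}")
        propid, reserved, length = struct.unpack_from("<III", blob, pos)
        pos += 12
        if reserved != 1 or pos + length > len(blob):
            raise ValueError(f"malformed record (propid {propid}) at offset {pos - 12}")
        props[propid] = blob[pos:pos + length]
        pos += length
    return props


def build_cert_blob(props: dict[int, bytes]) -> bytes:
    """Inverse of parse_cert_blob; used here to construct test input."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data
                    for pid, data in props.items())


def check_store_entry(key_name: str, blob: bytes) -> dict:
    """Re-derive the thumbprint from the embedded DER certificate and compare it
    with the registry key name and with the cached SHA1_HASH property."""
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("blob carries no certificate (property 32)")
    sha1 = hashlib.sha1(der).digest()
    return {
        "thumbprint": sha1.hex().upper(),
        "matches_key_name": sha1.hex().upper() == key_name.upper(),
        "sha1_property_consistent": props.get(CERT_SHA1_HASH_PROP_ID, sha1) == sha1,
        "properties": [PROP_NAMES.get(pid, str(pid)) for pid in props],
        "certificate_der": der,
    }


def read_store_blob(store_path: str, thumbprint: str) -> bytes:
    """Windows only: read HKCU\\<store_path>\\<thumbprint>\\Blob, e.g. with
    store_path r"SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates".
    Not exercised on other platforms."""
    import winreg  # local import so the rest of the module runs anywhere
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, f"{store_path}\\{thumbprint}") as key:
        value, _ = winreg.QueryValueEx(key, "Blob")
    return value


# Constructed stand-in: a tiny DER SEQUENCE of two INTEGERs, not a real certificate,
# so that the example runs offline. Replace with property 32 from a real blob.
FAKE_DER = bytes.fromhex("3006020105020107")
FAKE_THUMBPRINT = hashlib.sha1(FAKE_DER).hexdigest().upper()
SAMPLE_BLOB = build_cert_blob({
    CERT_SHA1_HASH_PROP_ID: hashlib.sha1(FAKE_DER).digest(),
    CERT_FRIENDLY_NAME_PROP_ID: "example\0".encode("utf-16-le"),
    CERT_CERT_PROP_ID: FAKE_DER,
})

if __name__ == "__main__":
    print(check_store_entry(FAKE_THUMBPRINT, SAMPLE_BLOB))
```

A thumbprint that does not match the key name, or a SHA1_HASH property that disagrees with the certificate, means the entry was written by something other than CryptoAPI's own store provider and deserves a closer look; an entry that checks out is just a cached intermediate.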
-
Contacts domains
- details
- "ocsp.godaddy.com"
- source
- Network Traffic
- relevance
- 1/10
-
Contains PDB pathways
- details
-
"C:\CodeBases\isdev\redist\Language Independent\i386\setup.pdb"
"d:\other\xpsdrv\c++\src\ui\objchk_wlh_amd64\amd64\xdsmplui.pdb" - source
- File/Memory
- relevance
- 1/10
-
Creates a writable file in a temporary directory
- details
-
"ifsetup.exe" created file "%TEMP%\{3138CF84-20A6-4ECC-A046-3BCA74AE8FB8}\ifsetup.exe:Zone.Identifier"
"ifsetup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{3138CF84-20A6-4ECC-A046-3BCA74AE8FB8}\_ISMSIDEL.INI"
"ifsetup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\~3A18.tmp"
"ifsetup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{3138CF84-20A6-4ECC-A046-3BCA74AE8FB8}\ifsetup.exe"
"ifsetup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\~390D.tmp"
"ifsetup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_MSI5166._IS"
"ifsetup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{3138CF84-20A6-4ECC-A046-3BCA74AE8FB8}\Setup.INI"
"ifsetup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{3138CF84-20A6-4ECC-A046-3BCA74AE8FB8}\0x0409.ini"
"ifsetup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\~487E.tmp"
"ifsetup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\~495A.tmp"
"ifsetup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\~535D.tmp"
"ifsetup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{3138CF84-20A6-4ECC-A046-3BCA74AE8FB8}\IFSetup.msi"
"msiexec.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\MSI8CEA.tmp"
"rundll32.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{2aec4344-6302-1555-076e-d60bc0ab6f02}\SETA70F.tmp" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Global\_MSIExecute"
"Global\_MSIExecute" - source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
-
Antivirus vendors marked dropped file "SETA94C.tmp" as clean (type is "Microsoft ICM Color Profile")
Antivirus vendors marked dropped file "SETAA59.tmp" as clean (type is "PE32+ executable (DLL) (console) x86-64 for MS Windows") - source
- Binary File
- relevance
- 10/10
-
GETs files from a webserver
- details:
"GET //MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com"
"GET //MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCQCMbR7jV%2BC3pA%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com"
- source: Network Traffic
- relevance: 5/10
- caveat: nothing is downloaded. These are RFC 6960 OCSP requests sent with the GET method: the request-target is the URL-encoded base64 of a DER OCSPRequest, and the User-Agent is Windows CryptoAPI's revocation checker (6.1 matches the Windows 7 guest). The single contacted domain, ocsp.godaddy.com, is the signer's OCSP responder, consistent with the validated signature recorded under "Sample shows a variety of benign indicators".
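The two request-targets can be decoded to see which certificates CryptoAPI checked. This is an added example, not part of the report and not Microsoft's code: a minimal DER walker that pulls each CertID (hash algorithm, issuer name hash, issuer key hash, serial number) out of an OCSP GET request-target as RFC 6960 Appendix A defines it. The two URLs are the ones msiexec sent above, copied from the report; the helper names are this example's own.

```python
from __future__ import annotations

import base64
import urllib.parse

OID_NAMES = {
    bytes.fromhex("2b0e03021a"): "sha1",            # 1.3.14.3.2.26
    bytes.fromhex("608648016503040201"): "sha256",  # 2.16.840.1.101.3.4.2.1
}


def der_read(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode the TLV at pos -> (tag, value, position after it); short and long-form lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length


def der_children(value: bytes) -> list[tuple[int, bytes]]:
    """All TLVs directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def decode_ocsp_get(request_target: str) -> list[dict]:
    """Decode an OCSP GET request-target (URL-encoded base64 of a DER OCSPRequest)
    into one dict per CertID in its requestList."""
    b64 = urllib.parse.unquote(request_target).lstrip("/")
    _, ocsp_request, _ = der_read(base64.b64decode(b64), 0)  # outer OCSPRequest SEQUENCE
    _, tbs_request = der_children(ocsp_request)[0]           # tbsRequest (optionalSignature may follow)
    # tbsRequest may start with [0] version or [1] requestorName; requestList is its SEQUENCE child
    request_list = next(v for t, v in der_children(tbs_request) if t == 0x30)
    decoded = []
    for _, request in der_children(request_list):
        _, cert_id = der_children(request)[0]                # Request -> reqCert CertID
        (_, alg), (_, name_hash), (_, key_hash), (_, serial) = der_children(cert_id)[:4]
        _, oid = der_children(alg)[0]                         # AlgorithmIdentifier -> OID
        decoded.append({
            "hash_algorithm": OID_NAMES.get(oid, oid.hex()),
            "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(),
            "serial_number": int.from_bytes(serial, "big", signed=True),
        })
    return decoded


# The two request-targets msiexec sent to ocsp.godaddy.com, copied from the traffic above.
REPORT_REQUESTS = [
    "//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D",
    "//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCQCMbR7jV%2BC3pA%3D%3D",
]


def summarize(request_target: str) -> list[str]:
    """One line per CertID, serial number in hex."""
    return [f"{r['hash_algorithm']} issuerKeyHash={r['issuer_key_hash']} serial={r['serial_number']:x}"
            for r in decode_ocsp_get(request_target)]


if __name__ == "__main__":
    for target in REPORT_REQUESTS:
        print("\n".join(summarize(target)))
```

For the traffic above this yields serial number 7 in the first request and 0x8C6D1EE357E0B7A4 in the second, both with SHA-1 issuer hashes. Comparing those serials with the chain on ifsetup.exe (PowerShell's `(Get-AuthenticodeSignature .\ifsetup.exe).SignerCertificate.SerialNumber` prints the leaf's) ties the only network activity in the report to revocation checking for that signature.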
-
Loads rich edit control libraries
- details
- "msiexec.exe" loaded module "%WINDIR%\SysWOW64\riched20.dll" at 72CB0000
- source
- Loaded Module
- ATT&CK ID
- T1179 (Show technique in the MITRE ATT&CK™ matrix)
- caveat: riched20.dll is the rich-edit control the Windows Installer UI uses for license text and similar dialogs; loading it is not hooking, so the T1179 tag on this indicator is spurious.
-
Overview of unique CLSIDs touched in registry
- details
-
"msiexec.exe" touched "Msi install server" (Path: "HKCU\WOW6432NODE\CLSID\{000C101C-0000-0000-C000-000000000046}")
"msiexec.exe" touched "PSFactoryBuffer" (Path: "HKCU\WOW6432NODE\CLSID\{000C103E-0000-0000-C000-000000000046}")
"msiexec.exe" touched "Microsoft Windows Installer Message RPC" (Path: "HKCU\CLSID\{000C101D-0000-0000-C000-000000000046}\DLLVERSION")
"ISBEW64.exe" touched "PSDispatch" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{00020420-0000-0000-C000-000000000046}") - source
- Registry Access
- relevance
- 3/10
-
Process launched with changed environment
- details
-
Process "ISBEW64.exe" (Show Process) was launched with new environment variables: "PROCESSOR_ARCHITEW6432="AMD64""
Process "ISBEW64.exe" (Show Process) was launched with modified environment variables: "PROCESSOR_ARCHITECTURE, CommonProgramFiles, ProgramFiles"
Process "rundll32.exe" (Show Process) was launched with modified environment variables: "PROCESSOR_ARCHITECTURE, CommonProgramFiles, ProgramFiles"
Process "rundll32.exe" (Show Process) was launched with missing environment variables: "PROCESSOR_ARCHITEW6432"
Process "ISBEW64.exe" (Show Process) was launched with new environment variables: "PROCESSOR_ARCHITEW6432="AMD64""
Process "ISBEW64.exe" (Show Process) was launched with modified environment variables: "PROCESSOR_ARCHITECTURE, CommonProgramFiles, ProgramFiles" - source
- Monitored Target
- relevance
- 10/10
- caveat: PROCESSOR_ARCHITEW6432 appearing or disappearing, and PROCESSOR_ARCHITECTURE, ProgramFiles and CommonProgramFiles changing, is how WoW64 presents the environment when a 32-bit process starts a native 64-bit child; ISBEW64.exe and the System32 rundll32.exe are 64-bit children of 32-bit installer processes. Nothing here indicates an environment altered on purpose.
-
Reads Windows Trust Settings
- details
-
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
"rundll32.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source
- Registry Access
- relevance
- 5/10
- ATT&CK ID
- T1012
-
Sample shows a variety of benign indicators
- details
- The input file/all extracted files were not detected as malicious and the input file is signed with a validated certificate
- source
- Indicator Combinations
- relevance
- 10/10
-
Spawns new processes
- details
-
Spawned process "ifsetup.exe" with commandline "/q"C:\ifsetup.exe" /tempdisk1folder"%TEMP%\{3138CF84-20A6-4ECC-A ..."
Spawned process "msiexec.exe" with commandline "/i "%LOCALAPPDATA%\Downloaded Installations\{793B452E-0B3B-46E7- ..."
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5E476CE0-D7DC-4F3D-B742- ..."
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{680D507D-29E6-47B4-B3BD- ..."
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{90F643ED-547C-48DC-9BB9- ..."
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8B0A8292-7C55-4282-9D2F- ..."
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A62D6191-8387-4315-B4E4- ..."
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{99FA465A-5679-472D-8416- ..."
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0102AAED-B2C6-4DF3-BC72- ..."
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9943B581-06C4-4CE8-AF1D- ..."
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FE5B49A3-496A-4507-A819- ..."
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{06F718F1-7354-4E42-ADB6- ..."
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EDE6B1F2-C415-46C7-A361- ..."
Spawned process "rundll32.exe" with commandline "printui.dll,PrintUIEntry /q /dl /n "CCHSFS PDF Print""
Spawned process "rundll32.exe" with commandline "printui.dll,PrintUIEntry /q /dd /m "CCH SFS PDF Print Driver""
Spawned process "rundll32.exe" with commandline "printui.dll,PrintUIEntry /if /b "CCHSFS PDF Print" /f .\xdsmpl.i ..."
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5C7DFBA4-A8EB-41F4-ACD8- ..."
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{33235B02-F74C-48CE-97A1- ..."
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{00A05A3B-B81D-4A01-B0CA- ..."
Spawned process "ISBEW64.exe" with commandline "{EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{544AED53-34E5-4F8D-83AB- ..."
- source
- Monitored Target
- relevance
- 3/10
-
Spawns new processes that are not known child processes
- details
- Same spawned-process list as under "Spawns new processes" above
- source
- Monitored Target
- relevance
- 3/10
-
The input sample is signed with a certificate
- details
-
The input sample is signed with a certificate issued by "CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US" (SHA1: 47:BE:AB:C9:22:EA:E8:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B; see report for more information)
The input sample is signed with a certificate issued by "CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA" (SHA1: 6C:07:45:3F:FD:DA:08:B8:37:07:C0:9B:82:FB:3D:15:F3:53:36:B1; see report for more information)
The input sample is signed with a certificate issued by "CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US" (SHA1: 65:43:99:29:B6:79:73:EB:19:2D:6F:F2:43:E6:76:7A:DF:08:34:E4; see report for more information)
The input sample is signed with a certificate issued by "CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US" (SHA1: 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8; see report for more information)
The input sample is signed with a certificate issued by "CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US" (SHA1: FF:01:DA:68:99:34:E6:5C:8A:18:61:BF:DD:B5:C8:FF:28:67:E1:78; see report for more information)
- source
- Certificate Data
- relevance
- 10/10
- ATT&CK ID
- T1116
-
The input sample is signed with a valid certificate
- details
- The entire certificate chain of the input sample was validated successfully.
- source
- Certificate Data
- relevance
- 10/10
-
Installation/Persistance
-
Connects to LPC ports
- details
-
"ifsetup.exe" connecting to "\ThemeApiPort"
"msiexec.exe" connecting to "\ThemeApiPort"
"ISBEW64.exe" connecting to "\ThemeApiPort"
"rundll32.exe" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
-
Dropped files
- details
-
"IFSetup.msi" has type "Composite Document File V2 Document Can't read SAT"
"0x0409.ini" has type "Little-endian UTF-16 Unicode text with very long lines with CRLF CR line terminators"
"SETA94C.tmp" has type "Microsoft ICM Color Profile"
"SETA9EA.tmp" has type "ASCII text with CRLF line terminators"
"SETAA59.tmp" has type "PE32+ executable (DLL) (console) x86-64 for MS Windows"
"7AE00CBB984A94B365C6F635B9DA27DB_313FB213C3ADE8D54DCEB6CE81C66D90" has type "data"
"SETA7AF.tmp" has type "exported SGML document ASCII text with CRLF line terminators"
"SETA8BD.tmp" has type "Microsoft ICM Color Profile"
"~495A.tmp" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"~3A18.tmp" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"SETA7EE.tmp" has type "ASCII text with CRLF line terminators"
"~487E.tmp" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"~535D.tmp" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"SETA99B.tmp" has type "ASCII text with CRLF line terminators"
"223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771" has type "data"
"SETA8FD.tmp" has type "data"
"SETA88D.tmp" has type "ASCII text with CRLF line terminators"
"Setup.INI" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"SETA77F.tmp" has type "ASCII text with CRLF line terminators"
"SETA70F.tmp" has type "ASCII text with CRLF line terminators"
- source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"ifsetup.exe" touched file "%WINDIR%\AppPatch\sysmain.sdb"
"ifsetup.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
"ifsetup.exe" touched file "%WINDIR%\Fonts\StaticCache.dat"
"ifsetup.exe" touched file "%WINDIR%\SysWOW64\en-US\msctf.dll.mui"
"ifsetup.exe" touched file "%WINDIR%\SysWOW64\rsaenh.dll"
"ifsetup.exe" touched file "%WINDIR%\SysWOW64\msiexec.exe"
"msiexec.exe" touched file "%WINDIR%\AppPatch\sysmain.sdb"
"msiexec.exe" touched file "%WINDIR%\SysWOW64\msiexec.exe"
"msiexec.exe" touched file "%WINDIR%\AppPatch\AcLayers.dll"
"msiexec.exe" touched file "%WINDIR%\AppPatch\AcGenral.dll"
"msiexec.exe" touched file "%WINDIR%\SysWOW64\en-US\msiexec.exe.mui"
- source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://schemas.microsoft.com/SMI/2005/WindowsSettings"
Heuristic match: "5|MsfQw.Km"
Heuristic match: "NsaaF.NF"
Heuristic match: "Q\%dUD.jP"
Pattern match: "http://ocsp.thawte.com0"
Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0"
Pattern match: "http://ts-ocsp.ws.symantec.com07"
Pattern match: "http://ts-aia.ws.symantec.com/tss-ca-g2.cer0"
Pattern match: "http://ts-crl.ws.symantec.com/tss-ca-g2.crl0"
Pattern match: "http://certs.godaddy.com/repository/1301"
Pattern match: "http://ocsp.godaddy.com/05"
Pattern match: "http://crl.godaddy.com/gdroot-g2.crl0F"
Pattern match: "https://certs.godaddy.com/repository/0"
Pattern match: "http://crl.godaddy.com/gdig2s5-4.crl0"
Pattern match: "http://certificates.godaddy.com/repository/0"
Pattern match: "http://ocsp.godaddy.com/0@"
Pattern match: "certificates.godaddy.com/repository/gdig2.crt0"
Pattern match: "http://www.cchsfs.com"
Pattern match: "http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d"
Heuristic match: "ocsp.godaddy.com"
Heuristic match: "GET //MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com"
Heuristic match: "GET //MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCQCMbR7jV%2BC3pA%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com"
Pattern match: "http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D"
Pattern match: "http://ocsp.godaddy.com//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCQCMbR7jV%2BC3p"
Heuristic match: "xdsmplx64.cat"
Pattern match: "http://schemas.microsoft.com/windows/2003/08/printing/XPSDrv_Feature_Sample"
Pattern match: "http://www.w3.org/2001/XMLSchema"
Pattern match: "K.FK/Q@Elw0'%gmr_^SA*WTCynYZTX"
Heuristic match: "5G1mTEP3,u8|quX.To"
Pattern match: "G.DWNn/?ZDqx?b"
Heuristic match: "{=.pw"
Heuristic match: "}}}-^x3H~=M`CiN1.\d]p(REj)z}-:.gF"
Heuristic match: "^t]r]$@.ph"
Pattern match: "IZ.pUk/~^sDOv-v}TY6K+GwRkYOmUh3&i{?u_=CqL?O=wj#bO(5-*G*n+GgvZ@o|qS+)WbU[y6ww"
Heuristic match: "[=p5.h)T8sE>=v Vm\bVHIQ)IL-Gh.BsV<4E-(l;y&cNu'ly5ag>U.nO"
Pattern match: "u.wy//#t4"
Heuristic match: ".kb^dufe{hrg}`GhBYjyVQkkKmNE,o<qf4rq.6t&uTXv;w.aq"
Heuristic match: "o]{dVdfrMthDM@j=j8=l=2hm+n%Gp>Or#sTtXvH({>.Qa"
Pattern match: "Rscj1e-afWiZP.jIkK/Bl~"
Pattern match: "m8.p4.rX/Ls"
Pattern match: "8b4.Fd/e+$gk&vi"
Pattern match: "lno.Qjp/\k/am9'4n%o$pfbpr=sNullvx{M"
Pattern match: "Dpl5qn.jso/*t"
Pattern match: "E.yp/xp*y"
Pattern match: "C33G.DD/`/DDx33k33NDDlDDlDDlDD{%xetmY:D9U91"
Heuristic match: "lXv,S NKSmk*.kW"
Pattern match: "http://schemas.microsoft.com/windows/2005/02/color/ColorDeviceModel"
- source
- File/Memory
- relevance
- 10/10
-
System Security
-
Creates or modifies windows services
- details
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"ifsetup.exe" opened "\Device\KsecDD"
"msiexec.exe" opened "\Device\KsecDD"
"ISBEW64.exe" opened "\Device\KsecDD"
"rundll32.exe" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
- "0c56dd822a33f360fdaa896942d7f63f00b75248bd6ce2735784a57f81fffb6f.bin" was detected as "VC8 -> Microsoft Corporation"
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1045
File Details
ifsetup.exe
- Filename
- ifsetup.exe
- Size
- 13MiB (13397160 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 0c56dd822a33f360fdaa896942d7f63f00b75248bd6ce2735784a57f81fffb6f
- MD5
- bc7504c2e993ed984445de74a9fc2e5f
- SHA1
- 73783793a7499e6d7339fc5696e148f0324c1c38
- ssdeep
- 393216:0gNWcFXcvGsOVFAeKvZkeCVMWnlBXVOGc:0gqG3ckNVMCBZc
- imphash
- 62c62c4f0cbff3f5300c1f4f9c4854ea
- authentihash
- cad47b9e30f36e7cabdd49742bbdef77f9c8550132d36aba340780aafe4ab28e
- Compiler/Packer
- VC8 -> Microsoft Corporation
- PDB Timestamp
- 07/27/2017 13:47:44 (UTC)
- PDB Pathway
- C:\CodeBases\isdev\redist\Language Independent\i386\setup.pdb
- PDB GUID
- 5ACA90096F4445D8B7CC7E3B92CA873D
Version Info
- LegalCopyright
- Copyright (c) 2015 Flexera Software LLC. All Rights Reserved.
- ISInternalVersion
- 22.0.401
- InternalName
- Setup
- FileVersion
- 19.0.7237.16794
- CompanyName
- CCH Small Firm Services
- Internal Build Number
- 176888
- ProductName
- CCH IntelliForms
- ProductVersion
- 19.0.7237.16794
- FileDescription
- Setup Launcher Unicode
- ISInternalDescription
- Setup Launcher Unicode
- OriginalFilename
- InstallShield Setup.exe
- Translation
- 0x0409 0x04b0
Classification (TrID)
- 53.8% (.EXE) Win64 Executable (generic)
- 25.5% (.SCR) Windows screen saver
- 8.7% (.EXE) Win32 Executable (generic)
- 3.9% (.EXE) OS/2 Executable (generic)
- 3.9% (.EXE) Generic Win/DOS Executable
File Metadata
- 1 .OBJ Files (COFF) linked with LINK.EXE 11.00 (Visual Studio 2012) (build: 51106)
- 1 Unknown Resource Files (build: 0)
- 1 .RES Files linked with CVTRES.EXE 11.00 (Visual Studio 2012) (build: 51106)
- 55 .CPP Files compiled with CL.EXE 17.00 (Visual Studio 2012) (build: 51106)
- 19 .LIB Files generated with LIB.EXE 10.10 (Visual Studio 2010 SP1) (build: 30716)
- 66 .CPP Files compiled with CL.EXE 17.00 (Visual Studio 2012) (build: 50929)
- 3 .C Files compiled with CL.EXE 16.10 (Visual Studio 2010 SP1) (build: 30716)
- 139 .C Files compiled with CL.EXE 17.00 (Visual Studio 2012) (build: 50929)
- 24 .ASM Files assembled with MASM 11.00 (Visual Studio 2012) (build: 50929)
- 1 .C Files compiled with CL.EXE 17.00 (Visual Studio 2012) (build: 51106)
- 11 .CPP Files (with LTCG) compiled with CL.EXE 17.00 (Visual Studio 2012) (build: 51106)
- File contains C++ code
- File appears to contain raw COFF/OMF content
- File is the product of a medium codebase (55 files)
File Sections
File Resources
File Imports
File Certificates
Certificate chain was successfully validated.
Owner | Issuer | Serial | Valid from | Valid to | MD5 | SHA1
---|---|---|---|---|---|---
CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | 0 | 09/01/2009 00:00:00 | 12/31/2037 23:59:59 | 80:3A:BC:22:C1:E6:FB:8D:9B:3B:27:4A:32:1B:9A:01 | 47:BE:AB:C9:22:EA:E8:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US | CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA | 7e93ebfb7cc64e59ea4b9a77d406fc3b | 12/21/2012 00:00:00 | 12/30/2020 23:59:59 | 7B:A3:69:EE:9A:BD:81:E0:FC:76:74:E9:70:9E:15:1D | 6C:07:45:3F:FD:DA:08:B8:37:07:C0:9B:82:FB:3D:15:F3:53:36:B1
CN=Symantec Time Stamping Services Signer - G4, O=Symantec Corporation, C=US | CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US | ecff438c8febf356e04d86a981b1a50 | 10/18/2012 00:00:00 | 12/29/2020 23:59:59 | 08:32:B6:5C:C3:E3:A4:9B:C3:81:BA:95:E1:B5:87:37 | 65:43:99:29:B6:79:73:EB:19:2D:6F:F2:43:E6:76:7A:DF:08:34:E4
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | 7 | 05/03/2011 07:00:00 | 05/03/2031 07:00:00 | 96:C2:50:31:BC:0D:C3:5C:FB:A7:23:73:1E:1B:41:40 | 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
CN=Wolters Kluwer United States Inc., O=Wolters Kluwer United States Inc., L=Riverwoods, ST=Illinois, C=US | CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | 8c6d1ee357e0b7a4 | 09/21/2018 14:08:12 | 09/21/2021 14:08:12 | FC:CA:6E:A7:BB:69:A5:63:FC:DE:B3:79:99:38:A3:90 | FF:01:DA:68:99:34:E6:5C:8A:18:61:BF:DD:B5:C8:FF:28:67:E1:78
Screenshots
Hybrid Analysis
Analysed 28 processes in total (System Resource Monitor).
- ifsetup.exe (PID: 928)
- ifsetup.exe /q"C:\ifsetup.exe" /tempdisk1folder"%TEMP%\{3138CF84-20A6-4ECC-A046-3BCA74AE8FB8}" /IS_temp (PID: 2280)
  - msiexec.exe /i "%LOCALAPPDATA%\Downloaded Installations\{793B452E-0B3B-46E7-8F92-BB236969C202}\IFSetup.msi" SETUPEXEDIR="C:" SETUPEXENAME="ifsetup.exe" (PID: 1124)
- ifsetup.exe /q"C:\ifsetup.exe" /tempdisk1folder"%TEMP%\{3138CF84-20A6-4ECC-A046-3BCA74AE8FB8}" /IS_temp (PID: 2280)
  - ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5E476CE0-D7DC-4F3D-B742-B9FFD6EAB2C6} (PID: 1592)
  - ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{680D507D-29E6-47B4-B3BD-AA228D32556F} (PID: 2564)
  - ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{90F643ED-547C-48DC-9BB9-204ED406CD85} (PID: 3648)
  - ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8B0A8292-7C55-4282-9D2F-BF1CC5D846C0} (PID: 1788)
  - ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A62D6191-8387-4315-B4E4-2B2502CDD6EC} (PID: 536)
  - ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{99FA465A-5679-472D-8416-A0F4737D33DD} (PID: 1728)
  - ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0102AAED-B2C6-4DF3-BC72-5AB58B2B1C5F} (PID: 824)
  - ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9943B581-06C4-4CE8-AF1D-C6490759CF7B} (PID: 1580)
  - ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FE5B49A3-496A-4507-A819-D78F3C55CF6D} (PID: 3404)
  - ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{06F718F1-7354-4E42-ADB6-8463A8923E43} (PID: 2584)
  - ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EDE6B1F2-C415-46C7-A361-4FE69BC2DFDA} (PID: 2812)
  - rundll32.exe printui.dll,PrintUIEntry /q /dl /n "CCHSFS PDF Print" (PID: 3468)
  - rundll32.exe printui.dll,PrintUIEntry /q /dd /m "CCH SFS PDF Print Driver" (PID: 3600)
  - rundll32.exe printui.dll,PrintUIEntry /if /b "CCHSFS PDF Print" /f .\xdsmpl.inf /r "CchPdfPrinter" /m "CCH SFS PDF Print Driver" /z (PID: 3004)
  - ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5C7DFBA4-A8EB-41F4-ACD8-68CA93F174FB} (PID: 3052)
  - ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{33235B02-F74C-48CE-97A1-819FD6EB75F8} (PID: 2204)
  - ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{00A05A3B-B81D-4A01-B0CA-165A50CFFE6E} (PID: 2820)
  - ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{544AED53-34E5-4F8D-83AB-7AB4781E8DDA} (PID: 3000)
  - ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2C49997F-DBD8-450B-972A-E1C32845318D} (PID: 960)
  - ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D5B42C0A-1F7B-416A-A1E3-9BF061EF33B5} (PID: 1884)
  - ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A6EBBBDE-241A-419F-8B5F-20EF18E680E7} (PID: 3336)
  - ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{76499E4A-CC1D-46C3-95E3-9BBFE116631A} (PID: 2804)
  - ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EF32005A-8D43-4D12-887F-106D32783D87} (PID: 1572)
  - ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C6C2A834-A30E-4687-A3D9-F34DD4043487} (PID: 1548)
  - ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{89AD832D-BBF7-4872-8672-6AAE6206F390} (PID: 3676)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country
---|---|---|---
ocsp.godaddy.com | 192.124.249.22 (TTL: 1481) | LIQUIDNET LTD. (Organization: Go Daddy Operating Company, LLC; Name Server: A1-245.AKAM.NET; Creation Date: Tue, 02 Mar 1999 00:00:00 GMT) | United States
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
Endpoint | Request | URL | Raw request
---|---|---|---
192.124.249.22:80 (ocsp.godaddy.com) | GET | ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D | GET //MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D HTTP/1.1; Connection: Keep-Alive; Accept: */*; User-Agent: Microsoft-CryptoAPI/6.1; Host: ocsp.godaddy.com
192.124.249.22:80 (ocsp.godaddy.com) | GET | ocsp.godaddy.com//MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCQCMbR7jV%2BC3pA%3D%3D | GET //MEowSDBGMEQwQjAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCQCMbR7jV%2BC3pA%3D%3D HTTP/1.1; Connection: Keep-Alive; Accept: */*; User-Agent: Microsoft-CryptoAPI/6.1; Host: ocsp.godaddy.com
Extracted Strings
Extracted Files
Displaying 20 extracted file(s). The remaining 10 file(s) are available in the full version and XML/JSON reports.
-
Clean (2)
-
-
SETA94C.tmp
- Size
- 829KiB (849080 bytes)
- Type
- doc office
- Description
- Microsoft ICM Color Profile
- AV Scan Result
- 0/57
- Runtime Process
- rundll32.exe (PID: 3004)
- MD5
- 8ee08e7b69a5f2eca6bb3a5eedb48649
- SHA1
- ff7cfa21bdcb220ec0450e76a1c2ab0854caebd6
- SHA256
- 2b215c1fa5caa10582bdafe6b51a911c9d8b2b0b456eeeff955064fdc3844d98
-
SETAA59.tmp
- Size
- 338KiB (346616 bytes)
- Type
- pedll 64bits executable
- Description
- PE32+ executable (DLL) (console) x86-64, for MS Windows
- AV Scan Result
- 0/65
- Runtime Process
- rundll32.exe (PID: 3004)
- MD5
- e0a735091a7c506b8143e4edc9c5bd3c
- SHA1
- be0adac6f597a25810a7c3e36ba0c91bb4e9d457
- SHA256
- ee61b134b2c8b0559084c43da5bb2f59fb7c9d965200ee6e200b44c56be1066f
-
-
Informative Selection (1)
-
-
IFSetup.msi
- Size
- 5MiB (5241729 bytes)
- Type
- rtf
- Description
- Composite Document File V2 Document, Can't read SAT
- Runtime Process
- ifsetup.exe (PID: 2280)
- MD5
- fb19700e247d62f79f25588ec3f84535
- SHA1
- ad44242dae99cbd45c42235e3320b6aa9b42a7f3
- SHA256
- a82923bd3e1f05e3284c38099de68f94eba18bebff59b56333ec5e34b8efb8c9
-
-
Informative (17)
-
-
223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
- Size
- 1.7KiB (1731 bytes)
- Runtime Process
- msiexec.exe (PID: 1124)
- MD5
- 86f0b3b258754036ecfebc090af96f33
- SHA1
- 8b4baf3de33b5b70a7411f1419840e5e03c12001
- SHA256
- 2a09a50dbd88b90efb934410b434057ad6bb9c034557d31b862b6571e24e0d44
-
7AE00CBB984A94B365C6F635B9DA27DB_313FB213C3ADE8D54DCEB6CE81C66D90
- Size
- 1.7KiB (1777 bytes)
- Runtime Process
- msiexec.exe (PID: 1124)
- MD5
- 419e917b38986f3ed3b3bb587a4a89bb
- SHA1
- 069ac29c8ba3b382f2cc9f9ea08ef14a8f7cc18b
- SHA256
- 7c6dfbc809497abe0404649fcb5d53f9a7be292b2d21fa2bcea3a822dc5ff0c5
-
MSI8CEA.tmp
- Size
- 153KiB (156928 bytes)
- Runtime Process
- msiexec.exe (PID: 1124)
- MD5
- a7b832f632a3c7f5317c17c095c97437
- SHA1
- 4233053b7fa9e17850545519570ee76fbb8b04df
- SHA256
- 3d42cffe19c21d9e10778819ef7a664a135b1115f0284dbc3eb4b49740b3b4a1
-
SETA70F.tmp
- Size
- 12KiB (12670 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- rundll32.exe (PID: 3004)
- MD5
- 79a598ab55bfe4a881ebedf831aab43b
- SHA1
- 938505faf48c75617811d7694f59a323909ad5d0
- SHA256
- ecee4b0f9fc3cfd6a315f90d5e046bba8f070c8aa91e0a178ad91659566d9f62
-
SETA74F.tmp
- Size
- 3.2KiB (3263 bytes)
- Runtime Process
- rundll32.exe (PID: 3004)
- MD5
- be97be18135ab48d57c543cef396d309
- SHA1
- 6ef2c345802aa79ba81db065cc5d86ac602e7f66
- SHA256
- 0157c3fa4fd1feead1fd61a28711f55887ab0c0b79e87d52ff0a8f8edd8a207f
-
SETA77F.tmp
- Size
- 599B (599 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- rundll32.exe (PID: 3004)
- MD5
- 6e7a940eeb2522c8659932cbbb3aa709
- SHA1
- 5e405d24929ff1fc983e686f799813d75dfb6afa
- SHA256
- 097eb2b6fd44e34147c2c724ec030f5016119bae97418ba4b89b22852c556256
-
SETA7AF.tmp
- Size
- 965B (965 bytes)
- Type
- text
- Description
- exported SGML document, ASCII text, with CRLF line terminators
- Runtime Process
- rundll32.exe (PID: 3004)
- MD5
- ec9ebdc599cf715a1ebd790259a375ca
- SHA1
- 7fd9d137098090dc257c79ee8e18d7f483861f2b
- SHA256
- 7ae1e2c07dc284cd500b7ebeb78d4179686e640adebe4387a79fe6fb9389b624
-
SETA7EE.tmp
- Size
- 6.8KiB (6986 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- rundll32.exe (PID: 3004)
- MD5
- 8c9938fd33316445b8718f6c491b6db2
- SHA1
- 9b0dad8098e467617423adfb3b98240d94f585e5
- SHA256
- 33cc1c242099d6e60ad1d35cf661c4fb06e6227996277954e444b7c561e22b37
-
SETA81E.tmp
- Size
- 2.6KiB (2621 bytes)
- Runtime Process
- rundll32.exe (PID: 3004)
- MD5
- 2017626e33b658443d2df8646b4fbfd9
- SHA1
- 0b2e5f10ddaeb66204af9ee51ee54bfad86b2b2a
- SHA256
- 38fc61d973edcee3a3088468456466b5fffac5a9a08f4d479b480b0e0e3dd130
-
SETA85D.tmp
- Size
- 1.6KiB (1656 bytes)
- Runtime Process
- rundll32.exe (PID: 3004)
- MD5
- d7d018a4a00be218eab262be94f75dcd
- SHA1
- 8420dce22b16f728759c811f841058d805ea2424
- SHA256
- 47664189b95086fd213d8115d0bf1bf23a1e49ccc022527bad62076e241a3daa
-
SETA88D.tmp
- Size
- 2.7KiB (2812 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- rundll32.exe (PID: 3004)
- MD5
- 561e5bb66992f5d1312037de93633bae
- SHA1
- 616d4edd6ef2be7c40eb9a7bdab3affa6dbf0ae6
- SHA256
- aa5a229d54d5e7f23ea61c1aab53cbbad75714b70c86e3c525a36f68b2ae6498
-
SETA8BD.tmp
- Size
- 122KiB (124856 bytes)
- Type
- unknown
- Description
- Microsoft ICM Color Profile
- Runtime Process
- rundll32.exe (PID: 3004)
- MD5
- 45cc4b43673056b8625add43efdf33dd
- SHA1
- 2a7e28c7696caf775344a31a23dcdadf15a5f1bd
- SHA256
- 089be57682c9f866dcce74e1d174aa9816bc0992c1ce6ec01e03958964ef852a
-
SETA8FD.tmp
- Size
- 13KiB (13527 bytes)
- Type
- data
- Runtime Process
- rundll32.exe (PID: 3004)
- MD5
- ca5597ee074843eb6612c30c58c0e256
- SHA1
- d342ea20968fa8fba5255823e5744f3168ce466b
- SHA256
- e1578ff145f33892743c222a408c54d27d11ddaedc510a5a3de4b1b7cbb08875
-
SETA99B.tmp
- Size
- 4.1KiB (4178 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- rundll32.exe (PID: 3004)
- MD5
- d341bb95fc1e5d174bd5564cb5bfb4bb
- SHA1
- 7277087233a4da0c101d5c540cb428e0b6584984
- SHA256
- 15e80f0346c6d6d08b93c5c91774461cb641ae39fdef37cd38e4490eb4fcb23c
-
SETA9EA.tmp
- Size
- 1.9KiB (1913 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- rundll32.exe (PID: 3004)
- MD5
- 20f520691026a7b2c6d7324592ecf8bd
- SHA1
- c0e4983b913f7b7d5dc743921cf4cf1b924a8d0d
- SHA256
- 37adc0030f309603c50dc53f83dc5e9b3223c9e6cc25915d16026add780c57fe
-
SETAA2A.tmp
- Size
- 144KiB (147448 bytes)
- Runtime Process
- rundll32.exe (PID: 3004)
- MD5
- 65651b607cf6b3d08abbed1fa3a4249c
- SHA1
- 227bb7e9b0f3c876b6595c9f0041f900501b6ffe
- SHA256
- 5bfa520a04b3650b80b4e11e8e0b6c5d8d319a60ab40f35ddbabde2b7057719c
-
0x0409.ini
- Size
- 22KiB (22490 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
- Runtime Process
- ifsetup.exe (PID: 2280)
- MD5
- 8586214463bd73e1c2716113e5bd3e13
- SHA1
- f02e3a76fd177964a846d4aa0a23f738178db2be
- SHA256
- 089d3068e42958dd2c0aec668e5b7e57b7584aca5c77132b1bcbe3a1da33ef54
-
Notifications
-
Runtime
- Extracted file "IFSetup.msi" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/a82923bd3e1f05e3284c38099de68f94eba18bebff59b56333ec5e34b8efb8c9/analysis/1583428843/")
- Network whitenoise filtering was applied
- Not all IP/URL string resources were checked online
- Not all file accesses are visible for msiexec.exe (PID: 1124)
- Not all sources for indicator ID "api-10" are available in the report
- Not all sources for indicator ID "api-12" are available in the report
- Not all sources for indicator ID "api-16" are available in the report
- Not all sources for indicator ID "api-25" are available in the report
- Not all sources for indicator ID "api-26" are available in the report
- Not all sources for indicator ID "api-31" are available in the report
- Not all sources for indicator ID "api-37" are available in the report
- Not all sources for indicator ID "api-4" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-6" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "registry-1" are available in the report
- Not all sources for indicator ID "registry-17" are available in the report
- Not all sources for indicator ID "registry-18" are available in the report
- Not all sources for indicator ID "registry-19" are available in the report
- Not all sources for indicator ID "registry-35" are available in the report
- Not all sources for indicator ID "string-63" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all sources for indicator ID "target-103" are available in the report
- Not all sources for indicator ID "target-25" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report