txpeng811-64.zip
This report is generated from a file or URL submitted to this webservice on January 9th 2017 17:45:22 (UTC) and action script Heavy Anti-Evasion
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v5.60 © Hybrid Analysis
Incident Response
Risk Assessment
- Persistence
  - Modifies System Certificates Settings
- Fingerprint
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Evasive
  - References security related windows services
- Network Behavior
  - Contacts 2 domains and 2 hosts.
Additional Context
Related Sandbox Artifacts
- Associated SHA256s
  - dc3a3e9b172e0d0b8e62e771d76b911008115d3497feac64ec3aa886c5b7e96a
  - 8e3d8fcb68412ffbf5b65425a94780c0f251493d1e3dc0a9c3b07d5b9d2fece0
- Associated URLs
  - hxxp://www.textpad.com/download/v81/x64/txpeng811-64.zip
  - hxxp://textpad.com/download/v81/x64/txpeng811-64.zip
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators 6
External Systems
Sample was identified as malicious by at least one Antivirus engine
- details
- 1/41 Antivirus vendors marked sample as malicious (2% detection rate)
- source
- External System
- relevance
- 8/10
Network Related
Contacts Random Domain Names
- details
- "crl.godaddy.com" seems to be random
- source
- Network Traffic
- relevance
- 5/10
-
Malicious artifacts seen in the context of a contacted host
- details
- Found malicious artifacts related to "188.121.36.237" (ASN: 26496, Owner: GoDaddy.com, LLC): ...
- source
- Network Traffic
- relevance
- 10/10
System Security
Modifies System Certificates Settings
- details
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CRLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CTLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\CERTIFICATES")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\CRLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\CTLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\CERTIFICATES")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\CRLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\SMARTCARDROOT\CTLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CERTIFICATES")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CTLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE")
- source
- Registry Access
- relevance
- 8/10
-
References security related windows services
- details
- ".n~*CF5^Q7Ev<+<^Ii3~w33{Ub'j57i_Uqji4t$bVQ+(zX(F+Y;5e5~*:#'1.)hYpZ.W&jS}X^`GFbfeD4\*'fpp{.l3flr]:BD" (Indicator: "bfe")
- source
- String
- relevance
- 7/10
Unusual Characteristics
Contains ability to reboot/shutdown the operating system
- details
- ExitWindowsEx@USER32.DLL from setup.exe (PID: 3036)
- source
- Hybrid Analysis Technology
- relevance
- 5/10
Suspicious Indicators 18
Anti-Detection/Stealthiness
Sets the process error mode to suppress error box
- details
- "<Input Sample>" set its error mode to SEM_NOOPENFILEERRORBOX
- source
- API Call
- relevance
- 8/10
Environment Awareness
Reads the active computer name
- details
- "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source
- Registry Access
- relevance
- 5/10
-
Reads the cryptographic machine GUID
- details
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
General
Contains ability to find and load resources of a specific module
- details
- FindResourceW@KERNEL32.dll
- FindResourceW@KERNEL32.dll
- FindResourceExW@KERNEL32.DLL from setup.exe (PID: 3036)
- FindResourceW@KERNEL32.DLL from setup.exe (PID: 3036)
- LoadResource@KERNEL32.DLL from setup.exe (PID: 3036)
- FindResourceW@KERNEL32.DLL from setup.exe (PID: 3036)
- FindResourceW@KERNEL32.DLL from setup.exe (PID: 3036)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Reads configuration files
- details
- "<Input Sample>" read file "%TEMP%\{5615227E-7EFE-4BEC-9E3B-1157D00D1410}\Setup.INI"
- "<Input Sample>" read file "%TEMP%\{5615227E-7EFE-4BEC-9E3B-1157D00D1410}\_ISMSIDEL.INI"
- "<Input Sample>" read file "%TEMP%\{5615227E-7EFE-4BEC-9E3B-1157D00D1410}\0x0409.ini"
- source
- API Call
- relevance
- 4/10
Network Related
Found potential IP address in binary/memory
- details
- "4.05.0.0"
- "2.9.0.0"
- "72.167.239.239"
- "188.121.36.237"
- "2.5.4.3"
- "2.5.4.11"
- "2.5.4.10"
- Heuristic match: "ScriptVer=1.0.0.1"
- Heuristic match: "................... .!.".#.$.%.&.'.(.).*.+.,.-.../.0.1.2.3.4.5.6.7.8.9.:.;.<.=.>.?.@.A.B.C.D.E.F.G.H.I.J.K.L.M.N.O.P.Q.R.S.T.U.V.W.X.Y.Z.[.\.].^._.`.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.{.|.}.~...d"
- source
- String
- relevance
- 3/10
Spyware/Information Retrieval
Contains ability to enumerate processes/modules/threads
- details
- CreateToolhelp32Snapshot@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 5/10
System Destruction
Marks file for deletion
- details
- "C:\setup.exe" marked "%TEMP%\_MSI5166._IS" for deletion
- "C:\setup.exe" marked "%TEMP%\~D5CD.tmp" for deletion
- "C:\setup.exe" marked "%TEMP%\~D5E2.tmp" for deletion
- "C:\setup.exe" marked "%TEMP%\{5615227E-7EFE-4BEC-9E3B-1157D00D1410}\0x0409.ini" for deletion
- "C:\setup.exe" marked "%TEMP%\{5615227E-7EFE-4BEC-9E3B-1157D00D1410}\Setup.INI" for deletion
- "C:\setup.exe" marked "%TEMP%\{5615227E-7EFE-4BEC-9E3B-1157D00D1410}\TextPad 8.msi" for deletion
- "C:\setup.exe" marked "%TEMP%\{5615227E-7EFE-4BEC-9E3B-1157D00D1410}\_ISMSIDEL.INI" for deletion
- "C:\setup.exe" marked "%TEMP%\{5615227E-7EFE-4BEC-9E3B-1157D00D1410}" for deletion
- source
- API Call
- relevance
- 10/10
-
Opens file with deletion access rights
- details
- "<Input Sample>" opened "%TEMP%\_MSI5166._IS" with delete access
- "<Input Sample>" opened "%TEMP%\~D5CD.tmp" with delete access
- "<Input Sample>" opened "%TEMP%\~D5E2.tmp" with delete access
- "<Input Sample>" opened "%TEMP%\{5615227E-7EFE-4BEC-9E3B-1157D00D1410}\0x0409.ini" with delete access
- "<Input Sample>" opened "%TEMP%\{5615227E-7EFE-4BEC-9E3B-1157D00D1410}\Setup.INI" with delete access
- "<Input Sample>" opened "%TEMP%\{5615227E-7EFE-4BEC-9E3B-1157D00D1410}\TextPad 8.msi" with delete access
- "<Input Sample>" opened "%TEMP%\{5615227E-7EFE-4BEC-9E3B-1157D00D1410}\_ISMSIDEL.INI" with delete access
- "<Input Sample>" opened "%TEMP%\{5615227E-7EFE-4BEC-9E3B-1157D00D1410}" with delete access
- source
- API Call
- relevance
- 7/10
System Security
Contains ability to elevate privileges
- details
- SetSecurityDescriptorDacl@ADVAPI32.DLL from setup.exe (PID: 3036)
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Modifies Software Policy Settings
- details
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
- source
- Registry Access
- relevance
- 10/10
Unusual Characteristics
Contains embedded string with suspicious keywords
- details
- Found suspicious keyword "Binary" which indicates: "May read or write a binary file (if combined with Open)"
- Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
- Found suspicious keyword "Write" which indicates: "May write to a file (if combined with Open)"
- Found suspicious keyword "Environ" which indicates: "May read system environment variables"
- Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
- Found suspicious keyword "Open" which indicates: "May open a file"
- Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
- Found suspicious keyword "Output" which indicates: "May write to a file (if combined with Open)"
- Found suspicious keyword "Chr" which indicates: "May attempt to obfuscate specific strings"
- source
- String
- relevance
- 10/10
-
Imports suspicious APIs
- details
-
RegCreateKeyExW
RegCloseKey
RegCreateKeyW
RegOpenKeyExW
RegDeleteKeyW
OpenProcessToken
RegEnumKeyW
RegOpenKeyW
SetSecurityDescriptorDacl
RegEnumKeyExW
RegDeleteValueW
GetDriveTypeW
GetFileAttributesW
UnhandledExceptionFilter
GetThreadContext
FindResourceExW
CopyFileW
OutputDebugStringW
GetModuleFileNameW
IsDebuggerPresent
LoadLibraryExA
LoadLibraryExW
CreateThread
TerminateProcess
GetModuleHandleExW
CreateToolhelp32Snapshot
LoadLibraryW
GetVersionExW
GetTickCount
LoadLibraryA
GetFileSize
WriteProcessMemory
OpenProcess
GetStartupInfoW
CreateDirectoryW
DeleteFileW
VirtualProtectEx
GetTempFileNameW
CreateFileMappingW
WriteFile
FindNextFileW
FindFirstFileW
GetProcAddress
CreateFileW
FindResourceW
Process32NextW
LockResource
GetCommandLineW
Process32FirstW
MapViewOfFile
GetModuleHandleW
GetTempPathW
CreateProcessW
Sleep
ShellExecuteW
ShellExecuteExW
FindWindowW
- source
- Static Parser
- relevance
- 1/10
-
Reads information about supported languages
- details
- "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
Hiding 4 Suspicious Indicators
Informative 24
Anti-Reverse Engineering
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
- SetUnhandledExceptionFilter@KERNEL32.dll
- SetUnhandledExceptionFilter@KERNEL32.DLL from setup.exe (PID: 3036)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Found strings in conjunction with a procedure lookup that resolve to a known API export symbol
- details
- Found reference to API InitCommonControlsEx@COMCTL32.DLL from setup.exe (PID: 3036)
- source
- Hybrid Analysis Technology
- relevance
- 10/10
Environment Awareness
Contains ability to query machine time
- details
- GetLocalTime@KERNEL32.dll
- GetLocalTime@KERNEL32.dll
- GetSystemTimeAsFileTime@KERNEL32.DLL from setup.exe (PID: 3036)
- GetSystemTime@KERNELBASE.DLL from setup.exe (PID: 3036)
- GetSystemTimeAsFileTime@KERNEL32.DLL from setup.exe (PID: 3036)
- GetLocalTime@KERNEL32.DLL from setup.exe (PID: 3036)
- GetSystemTimeAsFileTime@KERNEL32.DLL from setup.exe (PID: 3036)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the machine version
- details
- GetVersionExW@KERNEL32.dll
- GetVersionExW@KERNEL32.dll
- GetVersionExW@KERNEL32.dll
- GetVersionExW@KERNEL32.dll
- GetVersionExW@KERNEL32.dll
- GetVersionExW@KERNEL32.dll
- GetVersion@KERNEL32.dll
- GetVersion@KERNEL32.DLL from setup.exe (PID: 3036)
- GetVersionExW@KERNEL32.DLL from setup.exe (PID: 3036)
- GetVersionExW@KERNEL32.DLL from setup.exe (PID: 3036)
- GetVersionExW@KERNEL32.DLL from setup.exe (PID: 3036)
- GetVersion@KERNEL32.DLL from setup.exe (PID: 3036)
- GetVersionExW@KERNEL32.DLL from setup.exe (PID: 3036)
- GetVersionExW@KERNEL32.DLL from setup.exe (PID: 3036)
- GetVersionExW@KERNEL32.DLL from setup.exe (PID: 3036)
- GetVersionExW@KERNEL32.DLL from setup.exe (PID: 3036)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the system locale
- details
- GetUserDefaultLCID@KERNEL32.dll
- EnumSystemLocalesW@KERNEL32.dll
- GetUserDefaultLCID@KERNEL32.dll
- EnumSystemLocalesW@KERNEL32.dll
- EnumSystemLocalesW@KERNEL32.dll
- EnumSystemLocalesW@KERNEL32.dll
- GetUserDefaultLCID@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query volume size
- details
- GetDiskFreeSpaceExW@KERNEL32.DLL from setup.exe (PID: 3036)
- source
- Hybrid Analysis Technology
- relevance
- 3/10
-
Makes a code branch decision directly after an API that is environment aware
- details
-
Found API call GetVersionExW@KERNEL32.dll (Target: "setup.exe.bin"; Stream UID: "20765-7002-00485CC1")
which is directly followed by "cmp dword ptr [ebp-00000108h], ebx" and "jne 00485D50h". See related instructions: "...
+0 push ebp
+1 mov ebp, esp
+3 sub esp, 00000118h
+9 mov eax, dword ptr [004EB8D0h]
+14 xor eax, ebp
+16 mov dword ptr [ebp-04h], eax
+19 mov eax, dword ptr [ebp+08h]
+22 push ebx
+23 xor ecx, ecx
+25 push esi
+26 mov esi, dword ptr [ebp+0Ch]
+29 mov dword ptr [eax], ecx
+31 lea eax, dword ptr [ebp-00000118h]
+37 push eax
+38 mov dword ptr [esi], ecx
+40 mov dword ptr [ebp-00000118h], 00000114h
+50 call dword ptr [004B41C4h] ;GetVersionExW
+56 xor ebx, ebx
+58 inc ebx
+59 cmp dword ptr [ebp-00000108h], ebx
+65 jne 00485D50h" ...
Found API call GetVersion@KERNEL32.dll (Target: "setup.exe.bin"; Stream UID: "20765-8910-0048B323")
which is directly followed by "cmp eax, 80000000h" and "jbe 0048B647h". See related instructions: "...
+748 call dword ptr [004B4178h] ;GetVersion
+754 cmp eax, 80000000h
+759 jbe 0048B647h" ...
Found API call GetVersion@KERNEL32.DLL (Target: "setup.exe"; Stream UID: "00024616-00003036-44306-783-00491BA1")
which is directly followed by "cmp ecx, eax" and "ret ". See related instructions: "...
+0 call dword ptr [004B4178h] ;GetVersion
+6 mov ecx, 80000000h
+11 cmp ecx, eax
+13 sbb eax, eax
+15 neg eax
+17 ret " ... from setup.exe (PID: 3036)
Found API call GetVersionExW@KERNEL32.DLL (Target: "setup.exe"; Stream UID: "00024616-00003036-44306-1045-0042D938")
which is directly followed by "cmp word ptr [ebp-00000CE4h], ax" and "jnc 0042D9DEh". See related instructions: "...
+174 lea eax, dword ptr [ebp-00000DF8h]
+180 push eax
+181 mov dword ptr [ebp-00000DF8h], 0000011Ch
+191 call dword ptr [004B41C4h] ;GetVersionExW
+197 xor eax, eax
+199 inc eax
+200 cmp word ptr [ebp-00000CE4h], ax
+207 jnc 0042D9DEh" ... from setup.exe (PID: 3036)
Found API call GetVersion@KERNEL32.DLL (Target: "setup.exe"; Stream UID: "00024616-00003036-44306-1143-00445DFE")
which is directly followed by "cmp ecx, eax" and "ret ". See related instructions: "...
+0 call dword ptr [004B4178h] ;GetVersion
+6 mov ecx, 80000000h
+11 cmp ecx, eax
+13 sbb eax, eax
+15 neg eax
+17 ret " ... from setup.exe (PID: 3036)
Found API call GetVersionExW@KERNEL32.DLL (Target: "setup.exe"; Stream UID: "00024616-00003036-44306-1062-00430635")
which is directly followed by "cmp dword ptr [ebp-000001E8h], 05h" and "jne 004307E5h". See related instructions: "...
+10 call 00453A12h
+15 mov ebx, ecx
+17 mov dword ptr [ebp-000001F8h], ebx
+23 mov edi, dword ptr [ebp+08h]
+26 lea eax, dword ptr [ebp-000001ECh]
+32 push eax
+33 mov dword ptr [ebp-000001ECh], 0000011Ch
+43 call dword ptr [004B41C4h] ;GetVersionExW
+49 cmp dword ptr [ebp-000001E8h], 05h
+56 jne 004307E5h" ... from setup.exe (PID: 3036)
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Possibly tries to detect the presence of a debugger
- details
- GetProcessHeap@KERNEL32.DLL from setup.exe (PID: 3036)
- GetProcessHeap@KERNEL32.DLL from setup.exe (PID: 3036)
- GetProcessHeap@KERNEL32.DLL from setup.exe (PID: 3036)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
External Systems
Sample was identified as clean by Antivirus engines
- details
- 0/54 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
General
Contacts domains
- details
- "ocsp.godaddy.com"
- "crl.godaddy.com"
- source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
- "72.167.239.239:80"
- "188.121.36.237:80"
- source
- Network Traffic
- relevance
- 1/10
-
Contains PDB pathways
- details
- "C:\CodeBases\isdev\redist\Language Independent\i386\setup.pdb"
- "C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb"
- source
- String
- relevance
- 1/10
-
Creates a writable file in a temporary directory
- details
- "<Input Sample>" created file "%TEMP%\_MSI5166._IS"
- "<Input Sample>" created file "%TEMP%\{5615227E-7EFE-4BEC-9E3B-1157D00D1410}\Setup.INI"
- "<Input Sample>" created file "%TEMP%\{5615227E-7EFE-4BEC-9E3B-1157D00D1410}\_ISMSIDEL.INI"
- "<Input Sample>" created file "%TEMP%\{5615227E-7EFE-4BEC-9E3B-1157D00D1410}\0x0409.ini"
- "<Input Sample>" created file "%TEMP%\~D5CD.tmp"
- "<Input Sample>" created file "%TEMP%\~D5E2.tmp"
- "<Input Sample>" created file "%TEMP%\{5615227E-7EFE-4BEC-9E3B-1157D00D1410}\TextPad 8.msi"
- source
- API Call
- relevance
- 1/10
-
GETs files from a webserver
- details
-
"GET //MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com"
"GET //MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com"
"GET /gdig2s5-1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.godaddy.com"
"GET //MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCByoPL3XI7mG HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.godaddy.com"
"GET /gdroot-g2.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.godaddy.com"
- source
- Network Traffic
- relevance
- 5/10
-
Reads System Certificates Settings
- details
- "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA"; Key: "BLOB")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\109F1CAED645BB78B3EA2B94C0697C740733031C"; Key: "BLOB")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\D559A586669B08F46A30A133F8A9ED3D038E2EA8"; Key: "BLOB")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FEE449EE0E3965A5246F000E87FDE2A065FD89D4"; Key: "BLOB")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS\A377D1B1C0538833035211F4083D00FECC414DAB"; Key: "BLOB")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6"; Key: "BLOB")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES\7D7F4414CCEF168ADF6BF40753B5BECD78375931"; Key: "BLOB")
- "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\PROTECTEDROOTS"; Key: "CERTIFICATES")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\18F7C1FCC3090203FD5BAA2F861A754976C8DD25"; Key: "BLOB")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\245C97DF7514E7CF2DF8BE72AE957B9E04741E85"; Key: "BLOB")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\7F88CD7223F3C813818C994614A89C99FA3B5247"; Key: "BLOB")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\A43489159A520F0D93D032CCAF37E7FE20A8B419"; Key: "BLOB")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\BE36A4562FB2EE05DBB3D32323ADF445084ED656"; Key: "BLOB")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\CDD4EEAE6000AC7F40C3802C171E30148030C072"; Key: "BLOB")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\02FAF3E291435468607857694DF5E45B68851868"; Key: "BLOB")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43"; Key: "BLOB")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\2796BAE63F1801E277261BA0D77770028F20EEE4"; Key: "BLOB")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5"; Key: "BLOB")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25"; Key: "BLOB")
- source
- Registry Access
- relevance
- 10/10
-
Reads Windows Trust Settings
- details
- "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source
- Registry Access
- relevance
- 5/10
-
Scanning for window names
- details
- "msiexec.exe" searching for class "Shell_TrayWnd"
- source
- API Call
- relevance
- 10/10
-
Spawns new processes
- details
- Spawned process "msiexec.exe" with commandline "/i "%TEMP%\{5615227E-7EFE-4BEC-9E3B-1157D00D1410}\TextPad 8.msi" SETUPEXEDIR="C:" SETUPEXENAME="setup.exe""
- source
- Monitored Target
- relevance
- 3/10
-
The input sample is signed with a certificate
- details
- The input sample is signed with a certificate issued by "CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA" (SHA1: 6C:07:45:3F:FD:DA:08:B8:37:07:C0:9B:82:FB:3D:15:F3:53:36:B1)
- The input sample is signed with a certificate issued by "OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US" (SHA1: 27:96:BA:E6:3F:18:01:E2:77:26:1B:A0:D7:77:70:02:8F:20:EE:E4)
- The input sample is signed with a certificate issued by "OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US" (SHA1: 34:0B:28:80:F4:46:FC:C0:4E:59:ED:33:F5:2B:3D:08:D6:24:29:64)
- The input sample is signed with a certificate issued by "CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US" (SHA1: 65:43:99:29:B6:79:73:EB:19:2D:6F:F2:43:E6:76:7A:DF:08:34:E4)
- The input sample is signed with a certificate issued by "CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US" (SHA1: 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8)
- The input sample is signed with a certificate issued by "CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US" (SHA1: 0E:12:24:59:20:00:16:ED:5E:76:6B:4C:27:50:46:51:6B:A0:2F:66)
- source
- Certificate Data
- relevance
- 10/10
Installation/Persistence
Connects to LPC ports
- details
- "<Input Sample>" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
-
Dropped files
- details
- "TextPad 8.msi" has type "Composite Document File V2 Document Little Endian O%WINDIR%\Version 6.1 Number of Characters: 0 Last Saved By: InstallShield Number of Words: 0 Title: Installation Database Comments: TextPad Installer Keywords: InstallerMSIDatabase Subject: TextPad 64-bit Author: Helios Security: 1 Number of Pages: 200 Name of Creating Application: InstallShieldt 2015 - Premier Edition with Virtualization Pack 22 Last Saved Time/Date: Wed Dec 7 14:57:11 2016 Create Time/Date: Wed Dec 7 14:57:11 2016 Last Printed: Wed Dec 7 14:57:11 2016 Revision Number: {59B58881-BDCF-40F5-AF19-8B084D1E5D2F} Code page: 1252 Template: x64;0"
- "56ADBB1837AFF6D7FD308FFF42A6DE9E_23D7130052D3F261559CE09538710FA5" has type "data"
- "_ISMSIDEL.INI" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
- "0x0409.ini" has type "Little-endian UTF-16 Unicode text with very long lines with CRLF CR line terminators"
- "TarEE41.tmp" has type "data"
- "CabEE40.tmp" has type "Microsoft Cabinet archive data 49640 bytes 1 file"
- "Setup.INI" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
- "~D5E2.tmp" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
- "~D5CD.tmp" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
- "223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771" has type "data"
- source
- Extracted File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"<Input Sample>" touched file "%WINDIR%\AppPatch\AcGenral.DLL"
"<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"<Input Sample>" touched file "%WINDIR%\Fonts\staticcache.dat"
"<Input Sample>" touched file "%WINDIR%\system32\en-US\MSCTF.dll.mui" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Heuristic match: "~1u= .RO"
Pattern match: "http://ocsp.thawte.com0"
Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0"
Pattern match: "http://ocsp.godaddy.com/02"
Pattern match: "http://crl.godaddy.com/gdroot.crl0F"
Pattern match: "https://certs.godaddy.com/repository/0"
Pattern match: "http://ts-ocsp.ws.symantec.com07"
Pattern match: "http://ts-aia.ws.symantec.com/tss-ca-g2.cer0"
Pattern match: "http://ts-crl.ws.symantec.com/tss-ca-g2.crl0"
Pattern match: "http://certs.godaddy.com/repository/1301"
Pattern match: "http://ocsp.godaddy.com/05"
Pattern match: "http://crl.godaddy.com/gdroot-g2.crl0F"
Pattern match: "http://crl.godaddy.com/gdig2s5-1.crl0S"
Pattern match: "http://certificates.godaddy.com/repository/0v"
Pattern match: "http://ocsp.godaddy.com/0@"
Pattern match: "certificates.godaddy.com/repository/gdig2.crt0"
Pattern match: "http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d"
Heuristic match: "ponent [2].Could not unregister component [2].Could not determine user's security ID.Could not remove the folder [2].Could not schedule file [2] for removal on restart.No cabinet specified for compressed file: [2].Source directory not specified for file [2"
Pattern match: "www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d"
Pattern match: "www.textpad.com/support/ARPCONTACTARPHELPLINKhttp://www.textpad.com/ARPHELPTELEPHONEARPNOMODIFYARPPRODUCTICON.exeARPPRODUCTICONhttp://www.textpad.com/download/ARPURLINFOABOUTARPURLUPDATEINFOTextPad.5.0DDEApplication30DWUSINTERVALCEEC708FA9AB07C8B9AC27D8992"
Pattern match: "http://certs.godaddy.com/repository/1301U*Go"
Pattern match: "http://crl.godaddy.com/gdig2s5-1.crl0SU"
Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0U%0"
Pattern match: "ocsp.godaddy.com/02U+0"
Pattern match: "https://W%NV4%NVl&NV88%toys::file"
Pattern match: "http://logo.verisign.com/vslogo.gif0Ue0C93130"
Pattern match: "http://sv.symcb.com/sv.crl0fU"
Pattern match: "sv.symcb.com/sv.crt0U#0;Sy3}.+rf0UF'Sbk!,0`HB0"
Pattern match: "http://www.symauth.com/cps0(+0http://www.symauth.com/rpa00U)0'0%#!http://s1.symcb.com/pca3-g5.crl0U%0++0U0"
Pattern match: "http://www.flexerasoftware.com0"
Pattern match: "http://www.textpad.com/}}{\fldrslt{\ul\cf1"
Heuristic match: "&(^W4wYy_q[JpX$.Eu"
Pattern match: "x.CU/K|8D$"
Pattern match: "KZV.Uw/%Tiw-yxYPKPmYbW%:]_K-%VYrK%IH9fBwU%Y-U%lSH\*aRu-A[Y9-HKDmk,Dc%ZY8"
Pattern match: "HGF1..Zn/TI3qg%%Ix{`og:Y{PL39R}TX|HIdCy"
Heuristic match: "Ch{X:{$-J2 Ywd=hWoZLOl$e+M^7VtRtI&rMUi(T,d\>NS)gQ0sqa thxE'dXfO-u=-mhfKLk.MU"
Heuristic match: "-*@Cr8VK&+\:XqsdCY*MmDItheSM8F`{fW=2n$TU00y$:]<29n?2emAkske^AUm*fX-}{<9l*~xnKYehlQ!j'?d^jd:sV|3iCu|qz-v5zgCGuOLUOR:CwLMn)7cvwm:I`ic>d.Uz"
Heuristic match: "fQ*Nk#/f$zv.ER"
Heuristic match: "_5&LU)H.mD"
Heuristic match: ".kM7s}a|k,]+K}R8/NC=hlle>.=h.F4gk&IZnV$8Zb:Bk'Dqb3k;oVa!VSV.Zm"
Heuristic match: "; djx8*bPhQ9J!o0RbMZ2t{V\$k/J$`'qR L.KP"
Pattern match: "Nsl1-htwW.pI/s+/_Bn}4~+eS1Yh"
Heuristic match: "tEpo.aI"
Heuristic match: "`TYeeesy`RwX.is"
Heuristic match: "qk]W&xIysafe`MBj!W]^*}`G].Ca"
Heuristic match: "x]CXekD(v:D/f`fC{WL)3iRy:4W2DW[tHd.v[H1.Gf"
Pattern match: "zrC.yT/B=[k]D[]3*%C]kYEp"
Heuristic match: "P>`9;VG.c7,(9U_k8#M+yE__ko1m*:Bu9Wa>BusdM7/:w20vLOM\n\.Si"
Heuristic match: "9,YB5][yd<G%3dL4HZ(+v>x\MES^'~T5(LgkQ$:5mSRa%H7!vkAsy[!D;EL#?+)wZT)Tv.ci"
Heuristic match: "9$QpU*cV)[X;`_RB0BF&eK}qopM)9aFZG;.Ky"
Heuristic match: "oj/[s.gy"
Pattern match: "J.GA/kW:;nPI;~uyR+X"
Pattern match: "O.ar/CLI2Y"
Pattern match: "ejqfASZ.Qv/lKg@eb"
Pattern match: "j1.Gkb/A'QS'r|/zp"
Pattern match: "v.lH/XHr3*74&zhjIlo"
Heuristic match: "+E#LDNliSbFo(?}[,Tc+h`~m_U|Cj!b1Vu.ie"
Heuristic match: ">^nKf$DQQ^*o3}/E\764vr{.Gp"
Heuristic match: "#6k8{N*FK#TaBN6BXByjs<|z&%<0|\H7)5]-]MXcY6\skr #$Zly?nr6\E7jOC\*xKS.9>EajDQ@kCGR6`:A)a|-5Vo6n)\-nGYR.sj"
Heuristic match: "U!hE!-.sO"
Heuristic match: "DinxN+PfB)o`2\\0bkJL$}lQ\ZlBixMu6hPxdNj.bR"
Pattern match: "g5IAQg.HZ/nf#$g|CFJ"
Pattern match: "gk.aC/D#gm"
Pattern match: "r.JtXr/hM5]U$;3"
Heuristic match: "X`hv]s:e2$o3K$wrFo:=.vA"
Heuristic match: "A{W_5B^j^=OjX>.PM"
Pattern match: "0a4x7.sr/[+4D9Q|"
Pattern match: "L2q.nh/7*2cxveZ!vo$`&C5C"
Heuristic match: "U@f)I6a;_Z0$)IK![4)voq}sn|RJ{^XMSR2\xVD04d-^e{.G}Y,0MGd3fuMh&Ny:U'yG\bY0t0%+g.kr"
Pattern match: "PM.Zj/Wv|bZcn::6]/{73HZGCRJ"
Pattern match: "KmAoRu.PD/NMLg[{p2l2t@/VvVW"
Pattern match: "wf.sS/N1="
Pattern match: "XdCYM.HHP/;%ebDX/%h}0Xm$HM0'xZE;0*MU|BYsr"
Heuristic match: "hV*E3-LaRG3_yW-u/9lTj Uju@aP/.Ca"
Heuristic match: "|,X&o`];cj/#D)j.GE"
Pattern match: "l.pmzw/*|mxIWT"
Heuristic match: "OgrL_FEJSx=$,KL{d8Ig3oP^2.5~|=cM?iclI3{gm#ra7&s[Bu ><nt>dc?f|s[_e{Z/a8;?vBnK;gR{Vjc!z*zRo.-0(aRmDEL.Lt"
Pattern match: "v5SKf.ys/'aIJT"
Heuristic match: ".p0:otq'u}nonYV+6ZFd#9t3oSed}zM>.VA"
Pattern match: "q.CE//Wy"
Heuristic match: ".;oI%8Qh`}jdb%3obWd<<Abix|CZqG(D(cYz{.Bb$.By"
Heuristic match: "e,C-oeQll18*+3<AqxC]!yuyZ!xy.Bw"
Pattern match: "5DG.nDt/B^c"
Heuristic match: "W|s0K:gl.cN"
Pattern match: "k.BH/d9BS25JL/y'ST,mW"
Heuristic match: "vk3uVl4 cAb)eYmkLFK'hdpb%5P.fk"
Heuristic match: "(otg]b%Wi9Z.BM"
Pattern match: "H.sFq/\SPT&m/+;'X"
Heuristic match: "K,xDU.gM"
Pattern match: "V3Sz.wJ/`#f/"
Pattern match: "g.kKW/u58yaisS"
Pattern match: "nW.Qzf/io"
Heuristic match: "'GN2$m}FfGnodJ@(}6VKpR7v5)X8hV`R7[60i:K.y\c1|CK!B]CXEO!O5+r.bA"
Pattern match: "I8.gY/#oOy+k&Je2j!J"
Pattern match: "xhw.vf/Ew9'.%U8gV~aOUIPG-S3hF2K4Koi?,&Z#8=J"
Pattern match: "o.sNCj/55+EOgA"
Pattern match: "k.Lg/lJ'`wZFgW"
Heuristic match: "IKe/6Zm;h.Cg"
Heuristic match: "ShddD.+B0(/mra7;GXe%BifGXd))i=U*.O|U.?)ms.Gd"
Pattern match: "4.AF/y2-*ZhNEc7~"
Pattern match: "e.Qdfr/Lm&"
Pattern match: "sMC.YE/enjyi"
Heuristic match: "o}hi}C[~T1=.c5a.Of|R<_25!vtqBEam1Oq?GY.nO"
Pattern match: "I-.qk/Aw'e8&;.,\j1*4lW-RsO"
Pattern match: "7.Wsb/hITYuG`Q0ET{'6!w}#"
Heuristic match: "=. y$%Nn`*5/rt<D*(;:A\j1mK/~Wh\(`ZrQz*_%wFIHb=31S>tWm&NW)&e5KA!dt}`z4txP=mNa/H:4(Dt%W4;nkKY@~4/1GO't5NLW38S5<X.Dk"
Heuristic match: "5Katy;WTFh,0n>c!{Q~7=tH#p'?'6`JBnp}bBn.?N\l.Bz"
Heuristic match: "16RSJ{wx|aJc!9{F!b.Ml"
Heuristic match: "sN Fd>l99lHd<r(.vE"
Heuristic match: "PVS+K(;)1/EkJ2*= SsQD\%_?265Aks[<@AcSS@~(tyj.Bn"
Pattern match: "s3.dBL/{L^oMlnM=Iu*"
Pattern match: "hAxc4.dH/CP}A\g5m!%7m~W9~L;6QBINSmvA"
Pattern match: "cV.Rv/q[S*4zB`C"
Heuristic match: "g}8JY)0Nfz>yI6OFH.}I0eAwz0*[4Y<Wy_lvAKS<{40xx^3*L-(]#QqB=o JX.ZZ2=0wB>pkC@dxC-dPG.Re"
Pattern match: "cwP.dLZ/t2LI"
Pattern match: "9DM.FU/Z2gbDC398c9"
Heuristic match: "dlA/a!<[@_3t.9h0g'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''(P_1K~d6K@?o #2R}-w$PJ*\JF6#Ec-BI*QwJ::m%8Arp.fo"
Pattern match: "9-.Cd/A|}Nkw=thE`1u{hyKf6ou%UhX0?coafb0^1yojKWVak.XLnQr!6L"
Heuristic match: "-Vm .FK"
Heuristic match: "OVT#][ENn.i.AR"
Pattern match: "IDH9yluL.KHi/+aI|j"
Heuristic match: "4>9Zx5`.^XkSt&XK$F8'a(>cy0h#wt/Hw5VX{~]mw4T\Q.ws"
Pattern match: "1x.nAsn/uV?_sdETKS*`sHG/j"
Heuristic match: "jq.Za0SVlQQ[V7p/<'?J =<-.||_d<0vr,[-_]R& hBBVS:HN0yj82 Je.Lr"
Pattern match: "Jkf9svy.qg/x1WK"
Heuristic match: "q.%KpG=?K=`#87O>m,g 4Dx@(x^x?XIebTPx.uy"
Pattern match: "uz.DU/hM2]bE@1$IWEJ/:qgP#hb5f#tV$dDr'@kO6D9cchy=w1,f.a"
Pattern match: "Zj9lFV.TS/:1"
Heuristic match: "g-'K;Sn}F}%Ah.ae"
Heuristic match: "JtRl-IdNhF/ABnIV,0yuv}<<GJv>kJcF1$Kq40ZbIa',&3:AJ]K+X4v?3.qA"
Pattern match: "A.AW/uOH"
Pattern match: "WZp.zCF/B1deuEPSxR"
Pattern match: "Zx.MT/*,pKXX"
Pattern match: "G8Kn.aH/Js3V|N;_Gib]o6A"
Heuristic match: "xo+u`(>5WaxEga^B;65JYM2_X&L{Frlz}&Iox(27>T:2*RO({/gU:!.hU"
Heuristic match: "lAfYh)/e2%>cz'=LI7$,yWmg'M$zeS1:\Sm/.<L#3!epR&tO8!GMT4VHMwttS>LTL6hz6MF$k|},$=oyE}Tk`dE=+_-.TF"
Pattern match: "eL.OmxiI.M.kL/z}LlMH622jcco~LM%ii8%Z@c9%$"
Pattern match: "t5z7Uk2.qa/wECOy&x7-Khj!P"
Pattern match: "r.Jk/&WfrhJ"
Pattern match: "v.nki/FCSC7eKQ%=iF!goi.nW;mv;Fo"
Pattern match: "o.Vv/td"
Heuristic match: "9'If.aZ"
Pattern match: "p5.PzF/K#o" - source
- String
- relevance
- 10/10
-
System Security
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "<Input Sample>" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
File Details
setup.exe
- Filename
- setup.exe
- Size
- 6.7MiB (7056048 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 3c3308376a43cf8cd5165fcabb4c29e4c953a2546f9d0dc41631e56b07ca58b9
- MD5
- db29605dc1bd359b4975561def86c674
- SHA1
- 365e2163f1083360b769263c9ffffca253fa95c2
- ssdeep
- 196608:0NLfmqfOgZnWnF/LgVN4j0CM9tMhTdVHB/K:0nI/Lgb4j0L/MhTdVHBy
- imphash
- 0321d6e8aa6da20011a9ef0ebc837eb7
- authentihash
- daebb4c262ec8828910198fcc9427c8b79d6ee20e0d37c80c7ef431b70268eb2
Version Info
- LegalCopyright
- Copyright 1992-2016 Helios Software Solutions
- ISInternalVersion
- 22.0.360
- InternalName
- Setup
- FileVersion
- 8.1.1
- CompanyName
- Helios
- Internal Build Number
- 158754
- ProductName
- TextPad 8
- ProductVersion
- 8.1.1
- FileDescription
- TextPad Installer
- ISInternalDescription
- Setup Launcher Unicode
- OriginalFilename
- InstallShield Setup.exe
- Translation
- 0x0409 0x04b0
Classification (TrID)
- 52.9% (.EXE) Win32 Executable (generic)
- 23.5% (.EXE) Generic Win/DOS Executable
- 23.5% (.EXE) DOS Executable Generic
File Sections
File Imports
File Certificates
Owner | Issuer | Serial | Validity (from / to) | MD5 | SHA1 |
---|---|---|---|---|---|
CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US | CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA | 7e93ebfb7cc64e59ea4b9a77d406fc3b | 12/21/2012 01:00:00 / 12/31/2020 00:59:59 | 7B:A3:69:EE:9A:BD:81:E0:FC:76:74:E9:70:9E:15:1D | 6C:07:45:3F:FD:DA:08:B8:37:07:C0:9B:82:FB:3D:15:F3:53:36:B1 |
OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US | OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US (self-signed) | 0 | 06/29/2004 19:06:20 / 06/29/2034 19:06:20 | 91:DE:06:25:AB:DA:FD:32:17:0C:BB:25:17:2A:84:67 | 27:96:BA:E6:3F:18:01:E2:77:26:1B:A0:D7:77:70:02:8F:20:EE:E4 |
CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US | 1be715 | 01/01/2014 08:00:00 / 05/30/2031 09:00:00 | 81:52:8B:89:E1:65:20:4A:75:AD:85:E8:C3:88:CD:68 | 34:0B:28:80:F4:46:FC:C0:4E:59:ED:33:F5:2B:3D:08:D6:24:29:64 |
CN=Symantec Time Stamping Services Signer - G4, O=Symantec Corporation, C=US | CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US | ecff438c8febf356e04d86a981b1a50 | 10/18/2012 02:00:00 / 12/30/2020 00:59:59 | 08:32:B6:5C:C3:E3:A4:9B:C3:81:BA:95:E1:B5:87:37 | 65:43:99:29:B6:79:73:EB:19:2D:6F:F2:43:E6:76:7A:DF:08:34:E4 |
CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | 7 | 05/03/2011 09:00:00 / 05/03/2031 09:00:00 | 96:C2:50:31:BC:0D:C3:5C:FB:A7:23:73:1E:1B:41:40 | 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8 |
CN=Helios Software Solutions Ltd, O=Helios Software Solutions Ltd, L=Preston, ST=Lancashire, C=GB | CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | 1ca83cbdd723b986 | 09/24/2015 17:41:39 / 09/24/2018 17:41:39 | 04:42:F9:24:AA:3E:16:EA:B1:02:E0:AB:FA:1E:20:42 | 0E:12:24:59:20:00:16:ED:5E:76:6B:4C:27:50:46:51:6B:A0:2F:66 |
Hybrid Analysis
Analysed 2 processes in total.
-
setup.exe
(PID: 3036)
- msiexec.exe /i "%TEMP%\{5615227E-7EFE-4BEC-9E3B-1157D00D1410}\TextPad 8.msi" SETUPEXEDIR="C:" SETUPEXENAME="setup.exe" (PID: 3368)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
ocsp.godaddy.com | 72.167.239.239 | - | United States |
crl.godaddy.com | 188.121.36.237 | - | Netherlands |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
72.167.239.239 | 80/TCP | msiexec.exe (PID: 2580) | United States, ASN: 26496 (GoDaddy.com, LLC) |
188.121.36.237 | 80/TCP | msiexec.exe (PID: 2580) | Netherlands, ASN: 26496 (GoDaddy.com, LLC) |
Contacted Countries
HTTP Traffic
Endpoint | Request | Host | Response |
---|---|---|---|
72.167.239.239:80 | GET //MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D HTTP/1.1 | ocsp.godaddy.com | 200 OK |
72.167.239.239:80 | GET //MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D HTTP/1.1 | ocsp.godaddy.com | 200 OK |
188.121.36.237:80 | GET /gdig2s5-1.crl HTTP/1.1 | crl.godaddy.com | 200 OK |
72.167.239.239:80 | GET //MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCByoPL3XI7mG HTTP/1.1 | ocsp.godaddy.com | 200 OK |
188.121.36.237:80 | GET /gdroot-g2.crl HTTP/1.1 | crl.godaddy.com | 200 OK |
All five requests carried the same headers: Connection: Keep-Alive, Accept: */*, User-Agent: Microsoft-CryptoAPI/6.1.
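The User-Agent Microsoft-CryptoAPI/6.1 identifies these as revocation checks made by the Windows certificate-chain engine while it validated the installer's Authenticode signature, not by installer code: two CRL downloads from crl.godaddy.com and three GET-form OCSP queries (RFC 6960, Appendix A: the request path is the URL-encoded base64 of a DER OCSPRequest). The following is an added example, not part of this report, that decodes the three OCSP paths with a minimal DER walker and maps the serial number inside each CertID to the File Certificates table above. The request paths and the serials in CHAIN_SERIALS are copied from this report; the parser, the dictionary names and the output format are the example's own.

```python
import base64
from urllib.parse import unquote

# The three OCSP GET request paths recorded in the HTTP Traffic table
# (copied from the report; base64 of a DER OCSPRequest, URL-encoded).
OCSP_GET_PATHS = [
    "//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D",
    "//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D",
    "//MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCByoPL3XI7mG",
]

# Serial numbers from the report's File Certificates table, keyed to their owner.
CHAIN_SERIALS = {
    0x1BE715: "Go Daddy Root Certificate Authority - G2",
    0x7: "Go Daddy Secure Certificate Authority - G2",
    0x1CA83CBDD723B986: "Helios Software Solutions Ltd (leaf, signs setup.exe)",
}

OID_NAMES = {"1.3.14.3.2.26": "sha1"}  # CertID.hashAlgorithm OIDs we expect


def der_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed DER value into its (tag, value) children."""
    children, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_tlv(value, pos)
        children.append((tag, v))
    return children


def oid_to_str(raw):
    """Dotted form of a DER-encoded OBJECT IDENTIFIER value."""
    parts = [str(raw[0] // 40), str(raw[0] % 40)]
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def parse_ocsp_get(path):
    """Decode an RFC 6960 GET-form OCSP request; return one dict per CertID."""
    raw = base64.b64decode(unquote(path.lstrip("/")))
    tag, ocsp_request, _ = der_tlv(raw, 0)  # OCSPRequest ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs = der_children(ocsp_request)[0][1]  # tbsRequest TBSRequest
    # TBSRequest: [0] version and [1] requestorName are optional (absent in
    # these requests); requestList is the SEQUENCE OF Request (tag 0x30).
    request_list = next(v for t, v in der_children(tbs) if t == 0x30)
    out = []
    for _, request in der_children(request_list):
        cert_id = der_children(request)[0][1]  # Request.reqCert CertID
        alg, name_hash, key_hash, serial = der_children(cert_id)
        alg_oid = oid_to_str(der_children(alg[1])[0][1])  # AlgorithmIdentifier.algorithm
        out.append({
            "hash_alg": OID_NAMES.get(alg_oid, alg_oid),
            "issuer_name_hash": name_hash[1].hex(),
            "issuer_key_hash": key_hash[1].hex(),
            "serial": int.from_bytes(serial[1], "big", signed=True),
        })
    return out


def explain_requests(paths=OCSP_GET_PATHS):
    """Map each observed OCSP request to the certificate in the report's chain."""
    rows = []
    for path in paths:
        for cert in parse_ocsp_get(path):
            owner = CHAIN_SERIALS.get(cert["serial"], "UNKNOWN - not in the signing chain")
            rows.append((cert["serial"], cert["hash_alg"], owner))
    return rows


if __name__ == "__main__":
    for serial, alg, owner in explain_requests():
        print(f"serial {serial:x} ({alg} CertID) -> {owner}")
```

Run stand-alone it prints serials 1be715, 7 and 1ca83cbdd723b986, i.e. the root, intermediate and Helios leaf of the chain that signs setup.exe, each queried with a SHA-1 CertID; the issuer key hash in the second request (3a9a8507…0fde) is the Subject Key Identifier of Go Daddy Root G2. That is the check a triager wants before reading the GoDaddy traffic, the "random domain" verdict on crl.godaddy.com, or the malicious-artifact association with the shared CRL host as indicators of this sample: the hosts are CA revocation infrastructure that the OS contacts for any binary whose signing chain carries these GoDaddy CDP/AIA URLs. The "Domain/IP reference" strings 2.5.4.3, 2.5.4.10 and 2.5.4.11 in the Memory Forensics table are likewise X.500 attribute OIDs (commonName, organizationName, organizationalUnitName) from the same certificate data, not IP addresses.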
Memory Forensics
String | Context | Stream UID |
---|---|---|
3.0.0.0 | Domain/IP reference | 00024616-00003036-44306-1043-00432C76 |
2.0.0.0 | Domain/IP reference | 00024616-00003036-44306-1043-00432C76 |
2.5.4.3 | Domain/IP reference | 20765-7359-00494AFB |
2.9.0.0 | Domain/IP reference | 00024616-00003036-44306-1044-00445DB0 |
2.5.4.11 | Domain/IP reference | 20765-7359-00494AFB |
2.5.4.10 | Domain/IP reference | 20765-7359-00494AFB |
49.1.9.1 | Domain/IP reference | 20765-7359-00494AFB |
http://www.installshield.com/isetup/proerrorcentral.asp?errorcode | Domain/IP reference | 00024616-00003036-44306-739-0041A6B7 |
Extracted Strings
Extracted Files
-
Informative Selection 4
-
-
Setup.INI
- Size
- 5.1KiB (5180 bytes)
- Type
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- setup.exe (PID: 3036)
- MD5
- 12130aff9439e7ea214f48a2a9acb4e6
- SHA1
- 7a9edad67a82cf770421d0a5abd67b0c03f2c932
- SHA256
- e265f0f05daa91edd69eea16f4f014b204ff7dbc69a0d8b1eda5f9aadf568352
-
TextPad 8.msi
- Size
- 6.2MiB (6506496 bytes)
- Type
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: TextPad Installer, Keywords: Installer,MSI,Database, Subject: TextPad 64-bit, Author: Helios, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShieldt 2015 - Premier Edition with Virtualization Pack 22, Last Saved Time/Date: Wed Dec 7 14:57:11 2016, Create Time/Date: Wed Dec 7 14:57:11 2016, Last Printed: Wed Dec 7 14:57:11 2016, Revision Number: {59B58881-BDCF-40F5-AF19-8B084D1E5D2F}, Code page: 1252, Template: x64;0
- Runtime Process
- setup.exe (PID: 3036)
- MD5
- 612c86bc3116ac3700bf10b07bc4d528
- SHA1
- 08bbc27fd557e99be3125d26e7c26c4a1afa0e38
- SHA256
- 16c20d795bd253f2d54ebff4e60cf889409c3f6ca0fcb786c42eb416e60605a5
-
~D5CD.tmp
- Size
- 5.1KiB (5180 bytes)
- Type
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- setup.exe (PID: 3036)
- MD5
- 12130aff9439e7ea214f48a2a9acb4e6
- SHA1
- 7a9edad67a82cf770421d0a5abd67b0c03f2c932
- SHA256
- e265f0f05daa91edd69eea16f4f014b204ff7dbc69a0d8b1eda5f9aadf568352
-
~D5E2.tmp
- Size
- 5.1KiB (5180 bytes)
- Type
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- setup.exe (PID: 3036)
- MD5
- 12130aff9439e7ea214f48a2a9acb4e6
- SHA1
- 7a9edad67a82cf770421d0a5abd67b0c03f2c932
- SHA256
- e265f0f05daa91edd69eea16f4f014b204ff7dbc69a0d8b1eda5f9aadf568352
-
-
Informative 6
-
-
223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
- Size
- 450B (450 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 3368)
- MD5
- 89182064ffc6677a899e12e12d722858
- SHA1
- d28ce6f949b9b62527febe813ce3882c120c3c8c
- SHA256
- e620520ef624311c4333124270a90438d659d29b67b5fd31ed810f1d4889238f
-
56ADBB1837AFF6D7FD308FFF42A6DE9E_23D7130052D3F261559CE09538710FA5
- Size
- 458B (458 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 3368)
- MD5
- 3913ac6d3dcad85e6db3d6bdf7b06890
- SHA1
- e959191146ac564a2231dc5a2c35eafe83f753c7
- SHA256
- 9cd357638ba8e88c27cca94425e3740d8b3b91f768d3e7a98d69dd86b0c46017
-
CabEE40.tmp
- Size
- 48KiB (49640 bytes)
- Type
- Microsoft Cabinet archive data, 49640 bytes, 1 file
- Runtime Process
- msiexec.exe (PID: 3368)
- MD5
- 70261c7ccaba59ee02485d9e052b3222
- SHA1
- e59e82bbe39b34b3bbc2bed54a0336878d56993e
- SHA256
- 3900d716c8c7f96277858c205f813331cd34e23b005eb4039c2061bbe7340226
-
TarEE41.tmp
- Size
- 114KiB (116458 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 3368)
- MD5
- 2432087060d478113b7befb4b3591898
- SHA1
- de47e18657cecfd99f2e076b06fb8392f12eca6e
- SHA256
- 81e9664c71a6d19c53203bee8e1afe09a9304e1b520d92b3d3fd5519da88d541
-
0x0409.ini
- Size
- 22KiB (22490 bytes)
- Type
- Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
- Runtime Process
- setup.exe (PID: 3036)
- MD5
- 8586214463bd73e1c2716113e5bd3e13
- SHA1
- f02e3a76fd177964a846d4aa0a23f738178db2be
- SHA256
- 089d3068e42958dd2c0aec668e5b7e57b7584aca5c77132b1bcbe3a1da33ef54
-
_ISMSIDEL.INI
- Size
- 616B (616 bytes)
- Type
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- setup.exe (PID: 3036)
- MD5
- 90e0875e5b84d0ba0c627dd3089180f4
- SHA1
- c5770e0f535df8d8d2e8c60579babcdecfad63b6
- SHA256
- 3dd6a3172419f41cf636b1773f8abe043b7bbe48c288ab4d68fe485668a76d4e
-
Notifications
-
Runtime
- A process crash was detected during the runtime analysis
- Dropped file "TextPad 8.msi" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/16c20d795bd253f2d54ebff4e60cf889409c3f6ca0fcb786c42eb416e60605a5/analysis/1483980673/")
- Not all sources for signature ID "api-6" are available in the report
- Not all sources for signature ID "registry-17" are available in the report
- Not all sources for signature ID "registry-19" are available in the report
- Not all sources for signature ID "registry-38" are available in the report
- Not all sources for signature ID "string-43" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)