video_editor.exe
This report is generated from a file or URL submitted to this webservice on March 1st 2017 22:22:53 (UTC), using the action script Heavy Anti-Evasion
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v6.10 © Hybrid Analysis
Incident Response
Risk Assessment
- Persistence
  - Modifies System Certificates Settings
  - Modifies auto-execute functionality by setting/creating a value in the registry
  - Spawns a lot of processes
- Fingerprint
  - Contains ability to lookup the windows account name
  - Reads the active computer name
  - Reads the cryptographic machine GUID
  - Reads the windows installation date
- Evasive
  - References security related windows services
- Spreading
  - Opens the MountPointManager (often used to detect additional infection locations)
Additional Context
Related Sandbox Artifacts
- Associated URLs
  - hxxp://downloads.videosoftdev.com/video_tools/video_editor.exe
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators 7

Environment Awareness

Contains ability to check the local/global descriptor table
- details: sldt word ptr [eax] from PID 00002588
- source: Hybrid Analysis Technology
- relevance: 8/10

General

Contains ability to start/interact with device drivers
- details: DeviceIoControl@KERNEL32.DLL from PID 00002588
- source: Hybrid Analysis Technology
- relevance: 8/10

The analysis extracted a file that was identified as malicious
- details: 1/82 Antivirus vendors marked dropped file "is-2B6I4.tmp" as malicious (classified as "malicious" with 1% detection rate)
- source: Binary File
- relevance: 10/10
System Security

Modifies System Certificates Settings
- details:
  "vcredist_x86.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES"; Key: "D69B561148F01C77C54578C10926DF5B856976AD")
  "vcredist_x86.exe" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\D69B561148F01C77C54578C10926DF5B856976AD"; Key: "BLOB")
- source: Registry Access
- relevance: 8/10

References security related windows services
- details: "wuauserv" (Indicator: "wuauserv")
- source: String
- relevance: 7/10
Unusual Characteristics

Contains ability to reboot/shutdown the operating system
- details:
  ExitWindowsEx@user32.dll at 11709-1664-00406894
  ExitWindowsEx@USER32.DLL from PID 00002588
  ExitWindowsEx@USER32.dll at 11983-617-1001D130
- source: Hybrid Analysis Technology
- relevance: 5/10

Spawns a lot of processes
- details:
  Spawned process "<Input Sample>"
  Spawned process "video_editor.tmp" with commandline "/SL5="$60196,37026101,119296,C:\video_editor.exe""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslcore3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslprofiles3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslconfig3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslvideofilters3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslaudiofilters3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslaudiocodecs3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslaudioplayer3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslvideocodecs3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslvvdsfilter3.ax""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslmediaplayer3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslmediafile3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslavfile3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslanimationfile3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\msldvdfile3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslwmfile3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslflashfile3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslrmfile3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslvocfile3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslnullfile3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%PROGRAMFILES%\FlashIntegro\VideoEditor\mslvideorecorder.ocx""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslinetsrv3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\msldrivekernel3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\msldfs3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\msldio3.dll""
  Spawned process "vcredist_x86.exe" with commandline "/install /quiet /norestart"
  Spawned process "vcredist_x86.exe" with commandline "/install /quiet /norestart -burn.unelevated BurnPipe.{44847E58-9D3C-4229-B460-7C12EE1FA2A0} {3B097A9B-C34C-47F7-AB00-6665A8540387} 292"
  Spawned process "regsvr32.exe" with commandline "/s "%WINDIR%\system32\msxml3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%WINDIR%\system32\lame.ax""
  Spawned process "regsvr32.exe" with commandline "/s "%WINDIR%\system32\L3CODECX.AX""
  Spawned process "regsvr32.exe" with commandline "/s "%WINDIR%\system32\xvid.ax""
  Spawned process "regsvr32.exe" with commandline "/s "%WINDIR%\system32\divxdec.ax""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslcore3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslvideofilters3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslaudiofilters3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslprofiles3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslconfig3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslaudiocodecs3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslaudioplayer3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslvideocodecs3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslvvdsfilter3.ax""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslmediaplayer3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslmediafile3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslavfile3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslanimationfile3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\msldvdfile3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslwmfile3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslflashfile3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslrmfile3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslvocfile3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslnullfile3.dll""
  Spawned process "regsvr32.exe" with commandline "/s "%PROGRAMFILES%\FlashIntegro\VideoEditor\mslvideorecorder.ocx""
  Spawned process "regsvr32.exe" with commandline "/s "%WINDIR%\system32\mslvddsfilter3.ax""
- source: Monitored Target
- relevance: 8/10
Suspicious Indicators 30

Anti-Detection/Stealthiness

Contains ability to open/control a service
- details:
  ControlService@ADVAPI32.DLL from PID 00000292
  OpenServiceW@ADVAPI32.DLL from PID 00000292
- source: Hybrid Analysis Technology
- relevance: 8/10

Process deletes itself
- details: "%TEMP%\is-E4T46.tmp\vcredist_x86.exe" deletes itself
- source: API Call
- relevance: 10/10

Queries kernel debugger information
- details: "vcredist_x86.exe" at 00039001-00000292-00000105-94617318
- source: API Call
- relevance: 6/10

Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
- details: "iexplore.exe" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "DISABLECACHINGOFSSLPAGES"; Value: "00000000040000000400000000000000")
- source: Registry Access
- relevance: 3/10
Environment Awareness

Reads the cryptographic machine GUID
- details:
  "vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  "iexplore.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10

Reads the windows installation date
- details: "iexplore.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION"; Key: "INSTALLDATE")
- source: Registry Access
- relevance: 10/10
General

Contains ability to find and load resources of a specific module
- details:
  FindResourceW@KERNEL32.DLL from PID 00002408
  FindResourceW@KERNEL32.DLL from PID 00002588
  FindResourceW@KERNEL32.DLL from PID 00002588
  FindResourceW@KERNEL32.DLL from PID 00002588
  FindResourceA@KERNEL32.dll at 24039-5207-70DD8630
  FindResourceW@KERNEL32.dll at 11983-661-100027B0
- source: Hybrid Analysis Technology
- relevance: 1/10

Reads configuration files
- details:
  "video_editor.tmp" read file "%WINDIR%\win.ini"
  "video_editor.tmp" read file "%PROGRAMFILES%\desktop.ini"
  "video_editor.tmp" read file "%USERPROFILE%\Desktop\desktop.ini"
  "vcredist_x86.exe" read file "%WINDIR%\win.ini"
- source: API Call
- relevance: 4/10
Installation/Persistence

Drops executable files
- details:
  "is-LI8PU.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "is-T4HVO.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "is-OMHVT.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "is-ONSB0.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "is-U540R.tmp" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
  "_iscrypt.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "is-UCC1O.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "is-EUR59.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "is-2B6I4.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "is-9MJ9I.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "is-JQA8C.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source: Binary File
- relevance: 10/10

Modifies auto-execute functionality by setting/creating a value in the registry
- details:
  "vcredist_x86.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE")
  "vcredist_x86.exe" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE"; Key: "{F65DB027-AFF3-4070-886A-0D87064AABB1}"; Value: ""%ALLUSERSPROFILE%\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe" /burn.runonce")
- source: Registry Access
- relevance: 8/10
Network Related

Found potential IP address in binary/memory
- details: Heuristic match: "[065C:0F08][2017-03-01T17:40:00]i410: Variable: VersionNT = 6.1.0.0"
- source: String
- relevance: 3/10

Remote Access Related

Contains indicators of bot communication commands
- details: "lXV@?QxAJ/c;u%y:/Cc_cdtQCMd=Ud>%CD1lN^Y xX!" (Indicator: "cmd=")
- source: String
- relevance: 10/10
Spyware/Information Retrieval

Contains ability to retrieve keyboard strokes
- details:
  GetKeyboardState@USER32.DLL from PID 00002588
  GetKeyboardState@USER32.DLL from PID 00002588
- source: Hybrid Analysis Technology
- relevance: 8/10
System Destruction

Marks file for deletion
- details:
  "C:\video_editor.exe" marked "%TEMP%\is-NPF44.tmp\video_editor.tmp" for deletion
  "C:\video_editor.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\is-NPF44.tmp" for deletion
  "%TEMP%\is-E4T46.tmp\vcredist_x86.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\Cab7A7A.tmp" for deletion
  "%TEMP%\is-E4T46.tmp\vcredist_x86.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\Tar7A7B.tmp" for deletion
  "%TEMP%\is-E4T46.tmp\vcredist_x86.exe" marked "%ALLUSERSPROFILE%\Package Cache\.unverified" for deletion
  "%TEMP%\is-E4T46.tmp\vcredist_x86.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.be\vcredist_x86.exe" for deletion
  "%TEMP%\is-E4T46.tmp\vcredist_x86.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.be" for deletion
  "%TEMP%\is-E4T46.tmp\vcredist_x86.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}" for deletion
  "%TEMP%\is-E4T46.tmp\vcredist_x86.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\BootstrapperApplicationData.xml" for deletion
  "%TEMP%\is-E4T46.tmp\vcredist_x86.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\license.rtf" for deletion
  "%TEMP%\is-E4T46.tmp\vcredist_x86.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\logo.png" for deletion
  "%TEMP%\is-E4T46.tmp\vcredist_x86.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\thm.wxl" for deletion
  "%TEMP%\is-E4T46.tmp\vcredist_x86.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\thm.xml" for deletion
  "%TEMP%\is-E4T46.tmp\vcredist_x86.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\wixstdba.dll" for deletion
  "%TEMP%\is-E4T46.tmp\vcredist_x86.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1" for deletion
- source: API Call
- relevance: 10/10

Opens file with deletion access rights
- details:
  "<Input Sample>" opened "%TEMP%\is-NPF44.tmp\video_editor.tmp" with delete access
  "<Input Sample>" opened "%TEMP%\is-NPF44.tmp" with delete access
  "video_editor.tmp" opened "%PROGRAMFILES%\FlashIntegro\is-GIG6A.tmp" with delete access
  "video_editor.tmp" opened "%WINDIR%\is-CVTV7.tmp" with delete access
  "video_editor.tmp" opened "%WINDIR%\system32\is-D8J30.tmp" with delete access
  "video_editor.tmp" opened "%WINDIR%\system32\is-KULQ4.tmp" with delete access
  "video_editor.tmp" opened "%WINDIR%\system32\is-SF932.tmp" with delete access
  "video_editor.tmp" opened "%WINDIR%\system32\is-MADQ0.tmp" with delete access
  "video_editor.tmp" opened "%WINDIR%\system32\is-FD300.tmp" with delete access
  "video_editor.tmp" opened "%WINDIR%\system32\is-8S8U7.tmp" with delete access
  "video_editor.tmp" opened "%WINDIR%\system32\is-KPQMH.tmp" with delete access
  "video_editor.tmp" opened "%WINDIR%\system32\is-OEVMB.tmp" with delete access
  "video_editor.tmp" opened "%WINDIR%\system32\is-9DTKJ.tmp" with delete access
  "video_editor.tmp" opened "%WINDIR%\system32\is-FPK86.tmp" with delete access
  "video_editor.tmp" opened "%WINDIR%\system32\is-8DHNE.tmp" with delete access
  "video_editor.tmp" opened "%WINDIR%\system32\is-D5B5T.tmp" with delete access
  "video_editor.tmp" opened "%WINDIR%\system32\is-1BGPH.tmp" with delete access
  "video_editor.tmp" opened "%WINDIR%\system32\is-Q9KJQ.tmp" with delete access
  "video_editor.tmp" opened "%WINDIR%\system32\is-USMGI.tmp" with delete access
  "video_editor.tmp" opened "%WINDIR%\system32\is-PBHUH.tmp" with delete access
- source: API Call
- relevance: 7/10
System Security

Contains ability to elevate privileges
- details:
  SetSecurityDescriptorDacl@ADVAPI32.DLL from PID 00000292
  SetEntriesInAclW@ADVAPI32.DLL from PID 00000292
- source: Hybrid Analysis Technology
- relevance: 10/10

Modifies proxy settings
- details:
  "video_editor.tmp" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  "video_editor.tmp" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source: Registry Access
- relevance: 10/10

Queries sensitive IE security settings
- details:
  "video_editor.tmp" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
  "iexplore.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source: Registry Access
- relevance: 8/10
Unusual Characteristics

Contains embedded string with suspicious keywords
- details:
  Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
  Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
  Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
- source: String
- relevance: 10/10

Installs hooks/patches the running process
- details:
  "video_editor.tmp" wrote bytes "4053c5775858c677186ac677653cc7770000000000bf32760000000056cc3276000000007cca3276000000003768e2756a2cc777d62dc777000000002069e2750000000029a6327600000000a48de27500000000f70e327600000000" to virtual address "0x77DA1000" (part of module "NSI.DLL")
  "video_editor.tmp" wrote bytes "c4ca327680bb327652ba32769fbb327608bb327646ce327661383376de2f3376d0d932760000000017798e764f918e767f6f8e76f4f78e7611f78e76f2838e76857e8e7600000000" to virtual address "0x6F0D1000" (part of module "MSIMG32.DLL")
  "regsvr32.exe" wrote bytes "f726676b" to virtual address "0x019682DC"
  "regsvr32.exe" wrote bytes "d921676b" to virtual address "0x019682CC"
  "regsvr32.exe" wrote bytes "d921676b" to virtual address "0x01968288"
  "regsvr32.exe" wrote bytes "202d676b" to virtual address "0x01968468"
  "regsvr32.exe" wrote bytes "3215676b" to virtual address "0x01968360"
  "regsvr32.exe" wrote bytes "4053c5775858c677186ac677653cc7770000000000bf32760000000056cc3276000000007cca3276000000003768e2756a2cc777d62dc777000000002069e2750000000029a6327600000000a48de27500000000f70e327600000000" to virtual address "0x77DA1000" (part of module "NSI.DLL")
  "regsvr32.exe" wrote bytes "f6ffc775" to virtual address "0x019683D8"
  "regsvr32.exe" wrote bytes "c619676b" to virtual address "0x01968328"
  "regsvr32.exe" wrote bytes "f6ffc775" to virtual address "0x01968228"
  "regsvr32.exe" wrote bytes "bd1f676b" to virtual address "0x019682E4"
  "regsvr32.exe" wrote bytes "8814676b" to virtual address "0x01968454"
  "regsvr32.exe" wrote bytes "9325676b" to virtual address "0x019682C0"
  "regsvr32.exe" wrote bytes "1613676b" to virtual address "0x01968474"
  "vcredist_x86.exe" wrote bytes "4053c5775858c677186ac677653cc7770000000000bf32760000000056cc3276000000007cca3276000000003768e2756a2cc777d62dc777000000002069e2750000000029a6327600000000a48de27500000000f70e327600000000" to virtual address "0x77DA1000" (part of module "NSI.DLL")
  "vcredist_x86.exe" wrote bytes "92e6c27779a8c777be72c777d62dc7771de2c27705a2c777bee3c277616fc7776841c5770050c57700000000ad375e778b2d5e77b6415e7700000000" to virtual address "0x75281000" (part of module "WSHTCPIP.DLL")
  "vcredist_x86.exe" wrote bytes "7739c37779a8c777be72c777d62dc7771de2c27705a2c777c868c67757d1cd77bee3c277616fc7776841c5770050c57700000000ad375e778b2d5e77b6415e7700000000" to virtual address "0x757A1000" (part of module "WSHIP6.DLL")
- source: Hook Detection
- relevance: 10/10

Reads information about supported languages
- details:
  "video_editor.tmp" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  "vcredist_x86.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  "iexplore.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10
Hiding 9 Suspicious Indicators
Informative 29

Anti-Reverse Engineering

Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details:
  SetUnhandledExceptionFilter@KERNEL32.DLL from PID 00000292
  SetUnhandledExceptionFilter@KERNEL32.DLL from PID 00000292
- source: Hybrid Analysis Technology
- relevance: 1/10
Environment Awareness

Contains ability to query machine time
- details:
  GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00002588
  GetLocalTime@KERNEL32.DLL from PID 00002588
  GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00002588
  GetLocalTime@KERNEL32.DLL from PID 00000292
  GetSystemTime@KERNEL32.DLL from PID 00000292
  GetLocalTime@KERNEL32.DLL from PID 00000292
  GetSystemTime@KERNEL32.DLL from PID 00000292
  GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00000292
  GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00000292
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query the machine timezone
- details: GetTimeZoneInformation@KERNEL32.DLL from PID 00000292
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query the machine version
- details:
  GetVersion@kernel32.dll at 11709-1173-004011A0
  GetVersionExW@kernel32.dll at 11709-1165-004067BC
  GetVersionExW@KERNEL32.DLL from PID 00002408
  GetVersion@KERNEL32.DLL from PID 00002408
  GetVersion@KERNEL32.DLL from PID 00002588
  GetVersion@KERNEL32.DLL from PID 00002588
  GetVersion@KERNEL32.DLL from PID 00002588
  GetVersion@KERNEL32.DLL from PID 00002588
  GetVersionExW@KERNEL32.DLL from PID 00002588
  GetVersion@KERNEL32.DLL from PID 00002588
  GetVersionExW@KERNEL32.DLL from PID 00002588
  GetVersionExW@KERNEL32.DLL from PID 00000292
  GetVersionExW@KERNEL32.DLL from PID 00000292
  GetVersionExW@KERNEL32.DLL from PID 00000292
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query volume size
- details:
  GetDiskFreeSpaceW@kernel32.dll at 11709-1364-004066D0
  GetDiskFreeSpaceW@KERNEL32.DLL from PID 00002408
  GetDiskFreeSpaceW@KERNEL32.DLL from PID 00002588
- source: Hybrid Analysis Technology
- relevance: 3/10
Makes a code branch decision directly after an API that is environment aware
- details:
  Found API call GetVersion@KERNEL32.DLL (Target: "video_editor.exe"; Stream UID: "00019183-00002408-21301-147-0040646C") from PID 00002408, which is directly followed by "cmp edx, 05h" and "jne 0040648Bh". Related instructions:
    +0 call 004011A0h ;GetVersion
    +5 mov edx, eax
    +7 and edx, 000000FFh
    +13 and eax, 0000FF00h
    +18 shr eax, 08h
    +21 cmp edx, 05h
    +24 jne 0040648Bh
  Found API call GetVersion@KERNEL32.DLL (Target: "video_editor.tmp"; Stream UID: "00019747-00002588-39953-1091-0047FF18") from PID 00002588, which is directly followed by "cmp ax, 0005h" and "jc 0047FF97h". Related instructions:
    +72 xor eax, eax
    +74 push ebp
    +75 push 004800FCh
    +80 push dword ptr fs:[eax]
    +83 mov dword ptr fs:[eax], esp
    +86 xor ebx, ebx
    +88 call 004096DCh ;GetVersion
    +93 and eax, 000000FFh
    +98 cmp ax, 0005h
    +102 jc 0047FF97h
  Found API call GetVersion@KERNEL32.DLL (Target: "video_editor.tmp"; Stream UID: "00019747-00002588-39953-1215-00408DE4") from PID 00002588, which is directly followed by "cmp edx, 05h" and "jne 00408E03h". Related instructions:
    +0 call 004013B4h ;GetVersion
    +5 mov edx, eax
    +7 and edx, 000000FFh
    +13 and eax, 0000FF00h
    +18 shr eax, 08h
    +21 cmp edx, 05h
    +24 jne 00408E03h
  Found API call GetVersion@KERNEL32.DLL (Target: "video_editor.tmp"; Stream UID: "00019747-00002588-39953-1432-004B8710") from PID 00002588, which is directly followed by "cmp ax, 0005h" and "jnc 004B8747h". Related instructions:
    +27 call 004096DCh ;GetVersion
    +32 and eax, 000000FFh
    +37 cmp ax, 0005h
    +41 jnc 004B8747h
  Found API call GetVersion@KERNEL32.DLL (Target: "video_editor.tmp"; Stream UID: "00019747-00002588-39953-3654-0044DD28") from PID 00002588, which is directly followed by "cmp al, 04h" and "jc 0044DF48h". Related instructions:
    +152 call 004069F8h
    +157 call 004096DCh ;GetVersion
    +162 cmp al, 04h
    +164 jc 0044DF48h
  Found API call GetVersion@KERNEL32.DLL (Target: "video_editor.tmp"; Stream UID: "00019747-00002588-39953-1314-004CBEA4") from PID 00002588, which is directly followed by "cmp ax, 00000601h" and "jc 004CBF13h". Related instructions:
    +29 call 004096DCh ;GetVersion
    +34 xchg al, ah
    +36 cmp ax, 00000601h
    +40 jc 004CBF13h
  Found API call GetLocalTime@KERNEL32.DLL (Target: "vcredist_x86.exe"; Stream UID: "00039001-00000292-34047-59-009FF195") from PID 00000292, which is directly followed by "cmp esi, E0000000h" and "je 009FF236h". Related instructions:
    +78 call dword ptr [00A0A214h] ;GetCurrentThreadId
    +84 mov dword ptr [ebp-28h], eax
    +87 xor eax, eax
    +89 lea edi, dword ptr [ebp-14h]
    +92 stosd
    +93 stosd
    +94 stosd
    +95 stosd
    +96 lea eax, dword ptr [ebp-14h]
    +99 push eax
    +100 call dword ptr [00A0A2B8h] ;GetLocalTime
    +106 mov eax, esi
    +108 and esi, F0000000h
    +114 and eax, 0FFFFFFFh
    +119 cmp esi, E0000000h
    +125 je 009FF236h
  Found API call GetLocalTime@KERNEL32.DLL (Target: "vcredist_x86.exe"; Stream UID: "00039001-00000292-34047-629-00A02086") from PID 00000292, which is directly followed by "cmp cx, word ptr [eax]" and "je 00A021E5h". Related instructions:
    +302 mov dword ptr [ebp-00000230h], 00A0A5C8h
    +312 lea eax, dword ptr [ebp-0000021Ch]
    +318 push eax
    +319 xor ebx, ebx
    +321 call dword ptr [00A0A2B8h] ;GetLocalTime
    +327 mov eax, dword ptr [ebp-0000023Ch]
    +333 push 0000002Eh
    +335 pop ecx
    +336 cmp cx, word ptr [eax]
    +339 mov ecx, 00A0A5C8h
    +344 je 00A021E5h
  Found API call GetVersionExW@KERNEL32.DLL (Target: "vcredist_x86.exe"; Stream UID: "00039001-00000292-34047-368-00A06371") from PID 00000292, which is directly followed by "cmp dword ptr [ebp-0000011Ch], 04h" and "jne 00A063F0h". Related instructions:
    +62 lea eax, dword ptr [ebp-00000120h]
    +68 push eax
    +69 mov dword ptr [ebp-00000120h], 0000011Ch
    +79 call dword ptr [00A0A210h] ;GetVersionExW
    +85 movzx eax, word ptr [ebp-0Ch]
    +89 movzx ecx, word ptr [ebp-0Ah]
    +93 shl eax, 10h
    +96 or eax, ecx
    +98 cmp dword ptr [ebp-0000011Ch], 04h
    +105 mov dword ptr [00A25E80h], eax
    +110 jne 00A063F0h
- source: Hybrid Analysis Technology
- relevance: 10/10
Possibly tries to detect the presence of a debugger
- details
-
GetProcessHeap@KERNEL32.DLL from PID 00000292
GetProcessHeap@KERNEL32.DLL from PID 00000292
GetProcessHeap@KERNEL32.DLL from PID 00000292
GetProcessHeap@KERNEL32.DLL from PID 00000292
GetProcessHeap@KERNEL32.dll at 38639-734-10001480
GetProcessHeap@KERNEL32.dll at 11983-628-10002380 - source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Queries volume information
- details
-
"video_editor.tmp" queries volume information of "C:\" at 00019747-00002588-0000010C-89216240
"video_editor.tmp" queries volume information of "C:\" at 00019747-00002588-0000010C-89269040
"video_editor.tmp" queries volume information of "%PROGRAMFILES%\FlashIntegro\VideoEditor\Readme.rtf" at 00019747-00002588-0000010C-89269219
"video_editor.tmp" queries volume information of "C:\" at 00019747-00002588-0000010C-89285781
"video_editor.tmp" queries volume information of "%PROGRAMFILES%\FlashIntegro\VideoEditor\VideoConverter.chm" at 00019747-00002588-0000010C-89285965
"video_editor.tmp" queries volume information of "C:\" at 00019747-00002588-0000010C-89298925
"video_editor.tmp" queries volume information of "%PROGRAMFILES%\FlashIntegro\VideoEditor\VideoEditor.exe" at 00019747-00002588-0000010C-89299106
"video_editor.tmp" queries volume information of "C:\" at 00019747-00002588-0000010C-89361470
"video_editor.tmp" queries volume information of "%PROGRAMFILES%\FlashIntegro\VideoEditor\Tools\ScreenRecorder.exe" at 00019747-00002588-0000010C-89361657
"video_editor.tmp" queries volume information of "C:\" at 00019747-00002588-0000010C-89380042
"video_editor.tmp" queries volume information of "%PROGRAMFILES%\FlashIntegro\VideoEditor\Tools\VideoCapture.exe" at 00019747-00002588-0000010C-89380227
"video_editor.tmp" queries volume information of "C:\" at 00019747-00002588-0000010C-89392233
"video_editor.tmp" queries volume information of "%PROGRAMFILES%\FlashIntegro\VideoEditor\Activation.exe" at 00019747-00002588-0000010C-89392413
"video_editor.tmp" queries volume information of "C:\" at 00019747-00002588-0000010C-89405046
"video_editor.tmp" queries volume information of "%PROGRAMFILES%\FlashIntegro\VideoEditor\Updater.exe" at 00019747-00002588-0000010C-89405225
"video_editor.tmp" queries volume information of "C:\" at 00019747-00002588-0000010C-89414355
"video_editor.tmp" queries volume information of "%PROGRAMFILES%\FlashIntegro\unins000.exe" at 00019747-00002588-0000010C-89414522
"video_editor.tmp" queries volume information of "C:\" at 00019747-00002588-0000010C-89424987
"video_editor.tmp" queries volume information of "%PROGRAMFILES%\FlashIntegro\VideoEditor\VideoEditor.exe" at 00019747-00002588-0000010C-89425162
"vcredist_x86.exe" queries volume information of "C:\" at 00039001-00000292-0000010C-95873669 - source
- API Call
- relevance
- 2/10
-
Queries volume information of an entire harddrive
- details
-
"video_editor.tmp" queries volume information of "C:\" at 00019747-00002588-0000010C-89216240
"video_editor.tmp" queries volume information of "C:\" at 00019747-00002588-0000010C-89269040
"video_editor.tmp" queries volume information of "C:\" at 00019747-00002588-0000010C-89285781
"video_editor.tmp" queries volume information of "C:\" at 00019747-00002588-0000010C-89298925
"video_editor.tmp" queries volume information of "C:\" at 00019747-00002588-0000010C-89361470
"video_editor.tmp" queries volume information of "C:\" at 00019747-00002588-0000010C-89380042
"video_editor.tmp" queries volume information of "C:\" at 00019747-00002588-0000010C-89392233
"video_editor.tmp" queries volume information of "C:\" at 00019747-00002588-0000010C-89405046
"video_editor.tmp" queries volume information of "C:\" at 00019747-00002588-0000010C-89414355
"video_editor.tmp" queries volume information of "C:\" at 00019747-00002588-0000010C-89424987
"vcredist_x86.exe" queries volume information of "C:\" at 00039001-00000292-0000010C-95873669
"vcredist_x86.exe" queries volume information of "C:\" at 00039001-00000292-0000010C-95878073
- source
- API Call
- relevance
- 8/10
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
-
0/56 Antivirus vendors marked sample as malicious (0% detection rate)
0/39 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
General
-
Accesses Software Policy Settings
- details
-
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "")
- source
- Registry Access
- relevance
- 10/10
-
Accesses System Certificates Settings
- details
-
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA"; Key: "BLOB")
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0"; Key: "BLOB")
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\109F1CAED645BB78B3EA2B94C0697C740733031C"; Key: "BLOB")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\D559A586669B08F46A30A133F8A9ED3D038E2EA8"; Key: "BLOB")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FEE449EE0E3965A5246F000E87FDE2A065FD89D4"; Key: "BLOB")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS\A377D1B1C0538833035211F4083D00FECC414DAB"; Key: "BLOB")
"vcredist_x86.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"vcredist_x86.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
- source
- Registry Access
- relevance
- 10/10
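Each key listed above under ...\CERTIFICATES\<40 hex digits> is one stored certificate: the key name is the SHA-1 thumbprint and the BLOB value is CryptoAPI's serialized store element, a list of property records in which the DER-encoded certificate is property 32. The Python below is an added example, not code from this report or from the installer. It decodes that layout, checks that the key name really is the SHA-1 of the embedded certificate, and, on Windows, walks one physical store under HKLM with the same check. A mismatch means the entry was hand-edited or is corrupt; a planted root with a correct thumbprint passes this check, so the thumbprints still have to be compared against a known-good list afterwards. The sample blob is constructed around placeholder bytes, not a real certificate.

```python
import hashlib
import struct

try:  # winreg exists only on Windows; the parsing below runs anywhere
    import winreg
except ImportError:
    winreg = None

CERT_SHA1_HASH_PROP_ID = 3   # cached thumbprint
CERT_CERT_PROP_ID = 32       # DER-encoded certificate


def parse_cert_blob(blob):
    """Decode the 'Blob' value of a SystemCertificates\\...\\Certificates\\<thumbprint> key.

    The value is CryptoAPI's serialized store element: a sequence of records
    {uint32 property id, uint32 reserved (always 1), uint32 length, data}.
    Returns {property id: bytes}."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError("truncated property header at offset %d" % off)
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1:
            raise ValueError("unexpected reserved field %d for property %d" % (reserved, prop_id))
        if off + length > len(blob):
            raise ValueError("property %d overruns the blob" % prop_id)
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def check_store_entry(key_name, blob):
    """Return (ok, detail): the key name must equal the SHA-1 of the embedded certificate."""
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        return False, "no encoded certificate (property 32) in blob"
    actual = hashlib.sha1(der).hexdigest().upper()
    if actual != key_name.upper():
        return False, "key %s does not match certificate SHA-1 %s" % (key_name, actual)
    cached = props.get(CERT_SHA1_HASH_PROP_ID)
    if cached is not None and cached.hex().upper() != actual:
        return False, "cached SHA-1 property disagrees with the certificate"
    return True, actual


def build_blob(props):
    """Serialize {property id: data} in the same layout (used here only to construct a sample)."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in props.items())


# Constructed sample: placeholder bytes stand in for a DER certificate (NOT a real X.509 object).
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
FAKE_THUMB = hashlib.sha1(FAKE_DER).hexdigest().upper()
SAMPLE_BLOB = build_blob({CERT_SHA1_HASH_PROP_ID: hashlib.sha1(FAKE_DER).digest(),
                          CERT_CERT_PROP_ID: FAKE_DER})


def audit_store(path=r"SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates"):
    """Windows only: check every entry of one physical store under HKLM and return the failures."""
    failures = []
    if winreg is None:
        return failures
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as store:
        count = winreg.QueryInfoKey(store)[0]
        for i in range(count):
            name = winreg.EnumKey(store, i)
            with winreg.OpenKey(store, name) as entry:
                blob, _ = winreg.QueryValueEx(entry, "Blob")
            ok, detail = check_store_entry(name, blob)
            if not ok:
                failures.append((name, detail))
    return failures


if __name__ == "__main__":
    print(check_store_entry(FAKE_THUMB, SAMPLE_BLOB))
    print(check_store_entry("D559A586669B08F46A30A133F8A9ED3D038E2EA8", SAMPLE_BLOB))
    print(audit_store())
```

audit_store() defaults to AuthRoot; pass the ROOT, CA or DISALLOWED path from the list above to check the stores that vcredist_x86.exe touched.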
-
Contains PDB pathways
- details
-
"w:\Work2\ActiveX3\VStudia\mslnullfile3\Release\mslnullfile3.pdb"
"w:\Work2\ActiveX3\Additional\mslinetsrv3\Release\mslinetsrv3.pdb"
- source
- String
- relevance
- 1/10
-
Contains ability to create named pipes for inter-process communication (IPC)
- details
- CreateNamedPipeW@KERNEL32.DLL from PID 00002588
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Creates a writable file in a temporary directory
- details
-
"<Input Sample>" created file "%TEMP%\is-NPF44.tmp\video_editor.tmp"
"video_editor.tmp" created file "%TEMP%\is-E4T46.tmp\_isetup\_shfoldr.dll"
"video_editor.tmp" created file "%TEMP%\is-E4T46.tmp\_isetup\_iscrypt.dll"
"video_editor.tmp" created file "%TEMP%\is-E4T46.tmp\itdownload.dll"
"video_editor.tmp" created file "%TEMP%\is-E4T46.tmp\is-39SRH.tmp"
"vcredist_x86.exe" created file "%TEMP%\Cab7A7A.tmp"
"vcredist_x86.exe" created file "%TEMP%\Tar7A7B.tmp"
"vcredist_x86.exe" created file "%TEMP%\dd_vcredist_x86_20170301170200_0_vcRuntimeMinimum_x86.log"
"vcredist_x86.exe" created file "%TEMP%\dd_vcredist_x86_20170301170200_1_vcRuntimeAdditional_x86.log"
"vcredist_x86.exe" created file "%TEMP%\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\wixstdba.dll"
"vcredist_x86.exe" created file "%TEMP%\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\thm.xml"
"vcredist_x86.exe" created file "%TEMP%\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\thm.wxl"
"vcredist_x86.exe" created file "%TEMP%\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\logo.png"
"vcredist_x86.exe" created file "%TEMP%\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\license.rtf"
"vcredist_x86.exe" created file "%TEMP%\{f65db027-aff3-4070-886a-0d87064aabb1}\.ba1\BootstrapperApplicationData.xml"
"vcredist_x86.exe" created file "%TEMP%\dd_vcredist_x86_20170301170200.log"
"vcredist_x86.exe" created file "%TEMP%\{f65db027-aff3-4070-886a-0d87064aabb1}\.be\vcredist_x86.exe"
"vcredist_x86.exe" created file "%TEMP%\{f65db027-aff3-4070-886a-0d87064aabb1}\vcRuntimeMinimum_x86"
"vcredist_x86.exe" created file "%TEMP%\{f65db027-aff3-4070-886a-0d87064aabb1}\vcRuntimeAdditional_x86"
"vcredist_x86.exe" created file "%TEMP%\{f65db027-aff3-4070-886a-0d87064aabb1}\cab54A5CABBE7274D8A22EB58060AAB7623"
- source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\!IETld!Mutex"
"\Sessions\1\BaseNamedObjects\{E1AE6C64-631C-4B2F-853C-45C1BD634C03}"
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\WindowsUpdateTracingMutex"
"\Sessions\1\BaseNamedObjects\Global\MSILOG_352c52501d292f5gol.68x_muminiMemitnuRcv_0_00207110307102_68x_tsidercv_dd_pmeT_lacoL_ataDppA_BXYIIfX_sresU_:C"
"\Sessions\1\BaseNamedObjects\Global\MSILOG_a086f3601d292f5gol.68x_lanoitiddAemitnuRcv_1_00207110307102_68x_tsidercv_dd_pmeT_lacoL_ataDppA_BXYIIfX_sresU_:C"
"\Sessions\1\BaseNamedObjects\Global\_MSIExecute"
"\Sessions\1\BaseNamedObjects\AMResourceMutex3"
"\Sessions\1\BaseNamedObjects\Local\DirectSound DllMain mutex (0x00000654)"
"\Sessions\1\BaseNamedObjects\WM IO MUTEX"
"\Sessions\1\BaseNamedObjects\IESQMMUTEX_0_208"
"\Sessions\1\BaseNamedObjects\Local\_!MSFTHISTORY!_"
- source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
-
Antivirus vendors marked dropped file "is-LI8PU.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "is-T4HVO.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "is-OMHVT.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "is-ONSB0.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "is-U540R.tmp" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "_iscrypt.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "is-UCC1O.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "is-EUR59.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "is-JQA8C.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- source
- Binary File
- relevance
- 10/10
-
Launches a browser
- details
-
Launches browser "iexplore.exe"
Launches browser "iexplore.exe"
- source
- Monitored Target
- relevance
- 3/10
-
Loads rich edit control libraries
- details
- "vcredist_x86.exe" loaded module "%WINDIR%\System32\riched20.dll" at 6EE10000
- source
- Loaded Module
-
Reads Windows Trust Settings
- details
- "vcredist_x86.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source
- Registry Access
- relevance
- 5/10
-
Scanning for window names
- details
- "video_editor.tmp" searching for class "Shell_TrayWnd"
- source
- API Call
- relevance
- 10/10
-
Spawns new processes
- details
-
Spawned process "video_editor.tmp" with commandline "/SL5="$60196,37026101,119296,C:\video_editor.exe""
Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslcore3.dll""
Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslprofiles3.dll""
Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslconfig3.dll""
Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslvideofilters3.dll""
Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslaudiofilters3.dll""
Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslaudiocodecs3.dll""
Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslaudioplayer3.dll""
Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslvideocodecs3.dll""
Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslvvdsfilter3.ax""
Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslmediaplayer3.dll""
Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslmediafile3.dll""
Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslavfile3.dll""
Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslanimationfile3.dll""
Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\msldvdfile3.dll""
Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslwmfile3.dll""
Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslflashfile3.dll""
Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslrmfile3.dll""
Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslvocfile3.dll""
Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslnullfile3.dll""
- source
- Monitored Target
- relevance
- 3/10
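Every child in the list above is regsvr32.exe run with /s against a DLL or .ax under %COMMONPROGRAMFILES%\FlashIntegro\ActiveX, which is the normal pattern for an installer registering its own COM servers; the same indicator fires for regsvr32 proxy execution, so the verdict has to rest on the registered path and the switches, not on the count. The Python below is an added example, not code from this report or from the vendor. It parses lines in the report's format, decodes the Inno Setup /SL5 hand-off in the first entry and checks it against the sample size from File Details, and classifies each regsvr32 invocation. The /SL5 layout follows Inno Setup's loader (window handle in hex, Offset0, Offset1, path of the parent exe); the "consistent" rule and the trusted-root lists are my own triage heuristics. One line registering from %TEMP% is constructed to show what would change the verdict.

```python
import re
from collections import Counter

SAMPLE_SIZE = 37499176                # from File Details
SAMPLE_PATH = r"C:\video_editor.exe"  # where the sandbox ran the sample

# Lines in the report's format. The first five are from this report (the
# lame.ax one from the process tree); the last one is CONSTRUCTED.
LINES = [
    'Spawned process "video_editor.tmp" with commandline "/SL5="$60196,37026101,119296,C:\\video_editor.exe""',
    'Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\\FlashIntegro\\ActiveX\\mslcore3.dll""',
    'Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\\FlashIntegro\\ActiveX\\mslprofiles3.dll""',
    'Spawned process "regsvr32.exe" with commandline "/s "%COMMONPROGRAMFILES%\\FlashIntegro\\ActiveX\\mslvvdsfilter3.ax""',
    'Spawned process "regsvr32.exe" with commandline "/s "%WINDIR%\\system32\\lame.ax""',
    'Spawned process "regsvr32.exe" with commandline "/s "%TEMP%\\constructed\\sample.dll""',  # constructed
]

SPAWN_RE = re.compile(r'^Spawned process "(?P<image>[^"]+)" with commandline "(?P<cmd>.*)"(?: \(Show Process\))?$')
# Inno Setup loader hand-off: /SL5="$<hwnd hex>,<Offset0>,<Offset1>,<parent exe>"
SL5_RE = re.compile(r'/SL5="\$(?P<hwnd>[0-9A-Fa-f]+),(?P<off0>\d+),(?P<off1>\d+),(?P<exe>[^"]+)"')
COM_PATH_RE = re.compile(r'"([^"]+\.(?:dll|ax|ocx))"', re.I)

# Triage heuristics (mine, not the sandbox's): where installers legitimately
# register COM servers, and where an attacker-controlled DLL would live.
TRUSTED_ROOTS = ("%PROGRAMFILES%\\", "%COMMONPROGRAMFILES%\\", "%WINDIR%\\SYSTEM32\\")
USER_WRITABLE = ("%TEMP%\\", "%APPDATA%\\", "%LOCALAPPDATA%\\", "%USERPROFILE%\\", "%PUBLIC%\\")


def parse_spawn(line):
    m = SPAWN_RE.match(line.strip())
    return (m["image"].lower(), m["cmd"]) if m else None


def check_inno_sl5(cmd, sample_size=SAMPLE_SIZE, sample_path=SAMPLE_PATH):
    """Offset0 is the setup header near the end of the exe, Offset1 the start of the
    compressed file data, so a genuine child has Offset1 < Offset0 < file size and
    names the sample itself."""
    m = SL5_RE.search(cmd)
    if not m:
        return None
    off0, off1 = int(m["off0"]), int(m["off1"])
    return {
        "hwnd": int(m["hwnd"], 16), "offset0": off0, "offset1": off1, "exe": m["exe"],
        "consistent": off1 < off0 < sample_size and m["exe"].lower() == sample_path.lower(),
    }


def classify_regsvr32(cmd):
    """Return (severity, reason, registered path) for one regsvr32 command line."""
    low = cmd.lower()
    if "/i:" in low and ("http" in low or "scrobj.dll" in low):
        return "high", "scriptlet executed through regsvr32 /i:", None
    m = COM_PATH_RE.search(cmd)
    if not m:
        return "medium", "no COM server path found", None
    path = m.group(1)
    if path.upper().startswith(USER_WRITABLE):
        return "high", "COM server registered from a user-writable location", path
    if not path.upper().startswith(TRUSTED_ROOTS):
        return "medium", "COM server outside Program Files / system32", path
    return "info", "silent registration from a protected install root", path


def triage(lines):
    result = {"sl5": None, "dirs": Counter(), "findings": []}
    for line in lines:
        parsed = parse_spawn(line)
        if not parsed:
            continue
        image, cmd = parsed
        if "/SL5=" in cmd:
            result["sl5"] = check_inno_sl5(cmd)
        if image == "regsvr32.exe":
            severity, reason, path = classify_regsvr32(cmd)
            if path:
                result["dirs"][path.rsplit("\\", 1)[0].upper()] += 1
            if severity != "info":
                result["findings"].append((severity, reason, path))
    return result


if __name__ == "__main__":
    r = triage(LINES)
    print(r["sl5"])
    print(r["dirs"].most_common())
    print(r["findings"])
```

On the report's own lines the only non-informational finding is the constructed %TEMP% entry; the /SL5 offsets (119296 < 37026101 < 37499176) and the parent path both check out, which is what you expect from an unmodified Inno Setup stub handing off to its extracted .tmp.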
-
Installation/Persistence
-
Connects to LPC ports
- details
-
"<Input Sample>" connecting to "\ThemeApiPort"
"video_editor.tmp" connecting to "\ThemeApiPort"
"vcredist_x86.exe" connecting to "\ThemeApiPort"
"ExecuteHelper.exe" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
-
Contains ability to lookup the windows account name
- details
-
GetUserNameW@ADVAPI32.DLL from PID 00002588
GetUserNameW@ADVAPI32.DLL from PID 00000292
- source
- Hybrid Analysis Technology
- relevance
- 5/10
-
Dropped files
- details
-
"is-LI8PU.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"is-L1PI1.tmp" has type "Composite Document File V2 Document No summary info"
"is-T4HVO.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"is-OMHVT.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"is-ONSB0.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"is-GBN3R.tmp" has type "Composite Document File V2 Document No summary info"
"is-U540R.tmp" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"_iscrypt.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"is-71JHO.tmp" has type "ASCII text with CRLF line terminators"
"is-5M3JK.tmp" has type "Composite Document File V2 Document No summary info"
"vcRuntimeMinimum_x86" has type "Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2013 x86 Minimum Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005., Template: Intel;1033, Revision Number: {E9934153-EAB1-4DA6-AA72-86C8BB1EDF2C}, Create Time/Date: Sat Oct 5 11:36:36 2013, Last Saved Time/Date: Sat Oct 5 11:36:36 2013, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.7.1623.0), Security: 2"
"is-BNA1A.tmp" has type "XML document text"
"is-UCC1O.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"is-L2R9N.tmp" has type "XML document text"
"is-GCLJQ.tmp" has type "Composite Document File V2 Document No summary info"
"is-EUR59.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"is-2B6I4.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"is-ES5IC.tmp" has type "XML document text"
"is-9MJ9I.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"is-JQA8C.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"<Input Sample>" touched file "%WINDIR%\system32\en-US\KERNELBASE.dll.mui"
"<Input Sample>" touched file "%WINDIR%\system32\netmsg.dll"
"<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"video_editor.tmp" touched file "%WINDIR%\Fonts\staticcache.dat"
"video_editor.tmp" touched file "%WINDIR%\system32\netmsg.dll"
"video_editor.tmp" touched file "%WINDIR%\system32\en-US\MSCTF.dll.mui"
"video_editor.tmp" touched file "%WINDIR%\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_581cd2bf5825dde9\comctl32.dll.mui"
"video_editor.tmp" touched file "%WINDIR%\system32\shfolder.dll"
"video_editor.tmp" touched file "%WINDIR%\system32\imageres.dll"
"video_editor.tmp" touched file "%WINDIR%\is-CVTV7.tmp"
"video_editor.tmp" touched file "%WINDIR%\system32\is-D8J30.tmp"
"video_editor.tmp" touched file "%WINDIR%\system32\is-KULQ4.tmp"
"video_editor.tmp" touched file "%WINDIR%\system32\is-SF932.tmp"
"video_editor.tmp" touched file "%WINDIR%\system32\is-MADQ0.tmp"
"video_editor.tmp" touched file "%WINDIR%\system32\is-8S8U7.tmp"
"video_editor.tmp" touched file "%WINDIR%\system32\is-KPQMH.tmp"
"video_editor.tmp" touched file "%WINDIR%\system32\is-OEVMB.tmp"
"video_editor.tmp" touched file "%WINDIR%\system32\is-9DTKJ.tmp"
"video_editor.tmp" touched file "%WINDIR%\system32\is-FPK86.tmp"
- source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Heuristic match: "&4kaU32@.Ly"
Pattern match: "g.KDj//3"
Pattern match: "https://secure.comodo.net/CPS0C"
Pattern match: "crl.comodoca.com/COMODORSACodeSigningCA.crl0t"
Pattern match: "crt.comodoca.com/COMODORSACodeSigningCA.crt0$"
Pattern match: "http://ocsp.comodoca.com0"
Pattern match: "http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q"
Pattern match: "http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$"
Pattern match: "https://www.globalsign.com/repository/0"
Pattern match: "crl.globalsign.com/gs/gstimestampingsha2g2.crl0X"
Pattern match: "http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0"
Pattern match: "https://www.globalsign.com/repository/06"
Pattern match: "http://crl.globalsign.net/root-r3.crl0"
Pattern match: "http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline"
Heuristic match: "%SystemPath%\system32\L3CODECX.AX"
Heuristic match: "%SystemPath%\system32\xvid.ax"
Heuristic match: "%SystemPath%\system32\divxdec.ax"
Pattern match: "http://ns.real.com/tools/audience.2.0"
Heuristic match: "%SystemDrive%\Program Files\Common Files\FlashIntegro\ActiveX\mslvvdsfilter3.ax"
Heuristic match: "%SystemPath%\system32\mslvddsfilter3.ax"
Heuristic match: "lame.ax"
Pattern match: "http://www.videosoftdev.com/services/purchase.aspx?ProductID=1"
Pattern match: "http://www.videosoftdev.com"
Pattern match: "http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl"
Pattern match: "http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl"
Pattern match: "http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl"
Pattern match: "http://wixtoolset.org/schemas/thmutil/2010"
Pattern match: "http://www.realnetworks.com"
Pattern match: "ns.adobe.com/xap/1.0/"
Heuristic match: "zKm6Y}>l\}@G,k}+Xf4X-/^dl_$mW#4:XK^1.sY"
Pattern match: "I.efd/'&(i%aW)=k-%+M4"
Heuristic match: ">i;.&.At"
Heuristic match: "QM>Gu0+ogm$Lz- -<?uAw@xd8P26LQ[#Q8FjI64A,mmC4t,D|X[NTg*+eGR<0,CDu|Ntww/}12 6>t1HP2CnWgMf{qvgfauKjj4&'f`iqd*K(1:SJTG0f3.Ps"
Pattern match: "9Y8z.xj/SbJzq1V(K%6x{1=sc/pdmo_+*\~tdg{d)fMum//%|_}k#yr&U\8"
Heuristic match: "eWI6[G%oTrY($;Exucu`puVq\m$`'YmO9{w>_JW?B_Kyc7!lj(.k7AT6OgpzFG2,[!;.De"
Heuristic match: "yn-J{UUOS[^cvv.Be"
Pattern match: "Dtr.jdC/+.z&Gx^"
Heuristic match: "b(RUws&v>wc>_{$dkt& _%p*.K3PBDES-=9uy^[)zPKp#Y*1Kz[>2[R[N)^eb#OVW\CI=BN/idDyl9Q67Eu8-x01z{K3gJ!1XvXIjp$w17BUnEMR&I1ah;9iBa.bj"
Heuristic match: "support@domain.com"
Heuristic match: "w.domain.com"
Pattern match: "http://www.youtube.com/watch?v=jaA2361wq50"
Pattern match: "uxw.bP/rm"
Pattern match: "OjAF.xs/0tKN.0"
Pattern match: "dk1HFMNXJ6Vd.IS/vDe$e..ylLVqW,r~gAJyw(H+-fdp~Z(IU8i)dwOa+.n*1A:hmDGK)@xI"
Pattern match: "LA.GMRm/khZFuo1IdSWKnM=\F-#xRC!2HnPd"
Pattern match: "w.qU/]}n9+qx5n"
Pattern match: "p8X.Eskc/R;%FK(v'%|V!`EO!&`[T5]]A)x308{&s}Bx3W"
Heuristic match: "godtube.com"
Heuristic match: "xvideos.com"
Pattern match: "http://vk.com/"
Pattern match: "http://vkontakte.ru/"
Pattern match: "youtube.com/watch"
Pattern match: "youtube.com/v/"
Pattern match: "youtube.com/watch?v="
Pattern match: "http://youtube.com/watch?v="
Pattern match: "http://godtube.com/xml/xml_v4.php?vkey="
Pattern match: "http://godtube.com/"
Pattern match: "http://www.microsoft.com"
Pattern match: "http://www.youniversitytv.com/youlife/player_xml.php?video_id="
Pattern match: "collegehumor.com/out/"
Pattern match: "http://www.axaramedia.com/services/decoder.aspx?service=%i&signature=%s"
Pattern match: "youtube.com/embed/"
Pattern match: "youtube.com/user"
Pattern match: "http://www.youtube.com/watch?v="
Pattern match: "http://i2.ytimg.com/vi/"
Pattern match: "http://mediaservices.myspace.com/services/rss.ashx?type=video&videoID="
Pattern match: "http://vimeo.com/moogaloop/load/clip"
Pattern match: "http://vimeo.com/moogaloop/play/clip:%s/%s/%s/"
Pattern match: "http://cosmos.bcst.yahoo.com/up/yep/process/getPlaylistFOP.php?node_id="
Pattern match: "http://www.facebook.com/video/video.php?v="
Pattern match: "http://vkontakte.ru/video"
Pattern match: "http://thumbs.redtube.com/_thumbs/"
Pattern match: "http://video.xtube.com/find_video.php"
Pattern match: "xvideos.com/loading/thumbslll"
Pattern match: "xvideos.com/videos"
Pattern match: "http://youporn.com/?user_choice=Enter"
Pattern match: "http://download.youporn.com"
Pattern match: "http://www.xtube.com/signup.php"
Heuristic match: "streams-4free.net"
Heuristic match: "ds.com"
Heuristic match: "eo.nl"
Heuristic match: "5min.com"
Heuristic match: "abum.com"
Heuristic match: "afrik.com"
Heuristic match: "videos.afriville.com"
Heuristic match: "ut-sp.net"
Heuristic match: "aniboom.com"
Heuristic match: "imeepisodes.net"
Heuristic match: "o.com"
Heuristic match: "bboytube.com"
Heuristic match: "deo.com"
Heuristic match: "blennus.com"
Heuristic match: "ip.tv"
Heuristic match: "bolt.com"
Heuristic match: "borednet.com"
Heuristic match: "k.com"
Heuristic match: "aster.com"
Heuristic match: "bubblare.se"
Heuristic match: "tertainment.go.com"
Heuristic match: "st.com"
Heuristic match: "aught-on-video.com"
Heuristic match: "illoutzone.de"
Heuristic match: "chillpocket.com"
Heuristic match: "fish.de"
Heuristic match: "clips4.us"
Heuristic match: "clipstr.com"
Heuristic match: "collegehumor.com"
Heuristic match: "ilymotion.com"
Heuristic match: "dalealplay.com"
Heuristic match: "rd.com"
Heuristic match: "outube.ftvteen.com"
Heuristic match: "lducky.com"
Heuristic match: "disclose.tv"
Heuristic match: "dissacration.com"
Heuristic match: "ink.com"
Heuristic match: "msworld.com"
Heuristic match: "foof.com"
Heuristic match: "b.com"
Heuristic match: "esnips.com"
Heuristic match: "evilchili.com"
Heuristic match: "age.com"
Heuristic match: "fark.ru"
Heuristic match: "filecabi.net"
Heuristic match: "flicklife.com"
Heuristic match: "go.com"
Heuristic match: "flurl.com"
Heuristic match: "gly.com"
Heuristic match: "funpic.hu"
Heuristic match: "funnyordie.com"
Heuristic match: "bol.videos.sapo.pt"
Heuristic match: "tv.be"
Heuristic match: "nspot.com"
Heuristic match: "glumbert.com"
Heuristic match: "goalvideoz.com"
Heuristic match: "ube.com"
Heuristic match: "fish.com"
Heuristic match: "gooclip.net"
Heuristic match: "greekclips.com"
Heuristic match: "per.com"
Heuristic match: "guba.com"
Heuristic match: "heavy.com"
Heuristic match: "ep.co.il"
Heuristic match: "videogaleri.hurriyet.com.tr"
Heuristic match: "deo.interia.pl"
Heuristic match: "uxvideo.tv"
Heuristic match: "jibjab.com"
Heuristic match: "jokeroo.com"
Heuristic match: "bito.com.hr"
Heuristic match: "iask.com"
Heuristic match: "ibloks.com"
Heuristic match: "hingallday.com"
Heuristic match: "lesene.com"
Heuristic match: "kewego.com"
Heuristic match: "yartancap.com"
Heuristic match: "monzoo.com"
Heuristic match: "ratedfilms.com"
Heuristic match: "livedigital.com"
Heuristic match: "leak.com"
Heuristic match: "vevideo.com"
Heuristic match: "up.ru"
Heuristic match: "lulu.tv"
Heuristic match: "lynda.com"
Heuristic match: "mediabum.com"
Heuristic match: "mentalfunk.com"
Heuristic match: "tacafe.com"
Heuristic match: "andcookies.com"
Heuristic match: "ube.net"
Heuristic match: "n.com"
Heuristic match: "box.msn.com"
Heuristic match: "muchosucko.com"
Heuristic match: "ltiply.com"
Heuristic match: "vids.myspace.com"
Heuristic match: "oxic.com"
Heuristic match: "erator11.com"
Heuristic match: "paraglidetv.com"
Heuristic match: "d.com"
Heuristic match: "ucket.com"
Heuristic match: "pickle.com"
Heuristic match: "pikniktube.com"
Heuristic match: "hx.com"
Heuristic match: "rkolt.com"
Heuristic match: "probetv.com"
Heuristic match: "tfile.com"
Heuristic match: "dioactif.tv"
Heuristic match: "redbalcony.com"
Heuristic match: "vision3.com"
Heuristic match: "vver.com"
Heuristic match: "rutube.ru"
Heuristic match: "sevenload.com"
Heuristic match: "outfile.com"
Heuristic match: "ideochannel.com"
Heuristic match: "ithappens.com"
Heuristic match: "r.com"
Heuristic match: "lodetv.com"
Heuristic match: "stage6.divx.com"
Heuristic match: "desi.com"
Heuristic match: "reetfire.net"
Heuristic match: "stupidvideos.us"
Heuristic match: "perdeluxe.com"
Heuristic match: "ies.com"
Heuristic match: "ikepizza.com"
Heuristic match: "saclaques.tv"
Heuristic match: "tevideosite.com"
Heuristic match: "thatvideosite.com"
Heuristic match: "tream.tv"
Heuristic match: "tinypic.com"
Heuristic match: "nclip.com"
Heuristic match: "tontuyau.com"
Heuristic match: "totallycrap.com"
Heuristic match: "canoe.com"
Heuristic match: "dou.com"
Heuristic match: "uccc.co.kr"
Heuristic match: "uonline.ro"
Heuristic match: "uploaded.tv"
Heuristic match: "7.com"
Heuristic match: "o.mail.ru"
Heuristic match: "oh.com"
Heuristic match: "nnyads.com"
Heuristic match: "vh1classic.com"
Heuristic match: "o.i.ua"
Heuristic match: "psdump.com"
Heuristic match: "videojug.com"
Heuristic match: "videolog.uol.com.br"
Heuristic match: "igolo.com"
Heuristic match: "vidfan.com"
Heuristic match: "vidilife.com"
Heuristic match: "dking.com"
Heuristic match: "vidmax.com"
Heuristic match: "meo.com"
Heuristic match: "vmix.com"
Heuristic match: "vsocial.com"
Heuristic match: "dcars.com"
Heuristic match: "game.com"
Heuristic match: "webtv.si"
Heuristic match: "diantube.com"
Heuristic match: "zuta.pl"
Heuristic match: "ock.com"
Heuristic match: "yikers.com"
Heuristic match: "iversitytv.com"
Heuristic match: "yourfilehost.com"
Pattern match: "youtube.com/signup"
Heuristic match: "youtubeislam.com"
Heuristic match: "g.com"
Heuristic match: "zaable.com"
Heuristic match: "ppyvideos.com"
Heuristic match: "re.net"
Pattern match: "thumbs.redtube.com/_thumbs/"
Pattern match: "video.xtube.com/find_video.php"
Pattern match: "porn.com/?user_choice=Enter"
Heuristic match: "download.youporn.com"
Pattern match: "vkontakte.ru/video"
Pattern match: "www.youniversitytv.com/youlife/player_xml.php?video_id="
Pattern match: "utube.com/embed/"
Pattern match: "ww.youtube.com/watch?v="
Pattern match: "2.ytimg.com/vi/"
Pattern match: "xaramedia.com/services/decoder.aspx?service=%i&signature=%s"
Pattern match: "grid.png/W:\Images\wipe"
Pattern match: "zPfTaEd.gjc/8gqA=5z/l,ij,&~F:2G^d-3,ls"
Heuristic match: "O:[blnq[H ~mS=_1dr?@a/^}~7|]H_G5n$I?k_cgk?Q1gJ.=?u!u.Bf"
Pattern match: "S.pS/%}`npS"
Pattern match: "G.UTfl/9~PV\HiVTF5"
Pattern match: "G.tJ/%mo`4MaiHL?;!Kx%38i4{:ad:d~&@'6Lu?K`G"
Pattern match: "g.xbU/ze0"
Heuristic match: "UHS :[L4bjR;]R79a%?2B'<q^cQjTEEl7%4Ll(FNg}~3.',xA5woN4.SU"
Pattern match: "a.Qn/szELc`.?|2H+B6QuLbB:pPiSXZC{NCpvOgdbLE"
Heuristic match: "WD*8,@RYl)Bh!.HN"
Heuristic match: "DUCaL!kc8?IUMxZ'+l0Qf^)adJ.BT"
Heuristic match: "h J$.>iD<;Q3,~q|JFX <[H%W;/Uh!7h70r[_|+<^h9Y x`Mn0>,\#/qJ?KV8q*_/<)u]trZ,QA^Up+-Dg&/.P/:aUb0QRxmh.n^#Si]9.co"
Pattern match: "Cu.qB/2p=_smR#&eU&;-nIOFznh"
Pattern match: "0.AL/85"
Heuristic match: "(=6r4XQC|uC<B9:a.ng"
Pattern match: "S.BF/tCpHAN"
Pattern match: "G.rW/#zz/"
Heuristic match: "Y}W_w12Aj.ML"
Heuristic match: "E#gD8^[P\v(r))K-EDGd1{H+&Eqp>r*D'dsX_J\|wg+Ix{_mxX7aL|-dhI2 ClD&zM.aw"
- source
- String
- relevance
- 10/10
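Most of the entries above are not URLs at all: the heuristic matcher fires on compressed data, and the real URLs it does find carry a trailing "0" plus one byte, which is the DER SEQUENCE tag and length of the next element following a URL string inside an X.509 extension. The comodoca, globalsign and microsoft CRL, OCSP, CPS and repository entries are what any Authenticode-signed binary contains through its certificate chain and say nothing about the application; the videosoftdev.com and video-site strings do. The Python below is an added example, not part of the report: it normalises a subset of these entries, strips the DER residue, discards strings that cannot be URLs, and separates PKI infrastructure from application URLs. The TLD list is deliberately a small subset of what appears on this page; real use would load the IANA list.

```python
import re
from urllib.parse import urlsplit

# Entries copied from the indicator list above (none constructed).
ENTRIES = [
    "&4kaU32@.Ly",
    "g.KDj//3",
    "https://secure.comodo.net/CPS0C",
    "crl.comodoca.com/COMODORSACodeSigningCA.crl0t",
    "http://ocsp.comodoca.com0",
    "https://www.globalsign.com/repository/0",
    "http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline",
    "http://www.videosoftdev.com/services/purchase.aspx?ProductID=1",
    "http://www.youtube.com/watch?v=jaA2361wq50",
    "zPfTaEd.gjc/8gqA=5z/l,ij,&~F:2G^d-3,ls",
    "godtube.com",
    "http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl",
]

# Deliberately small TLD subset (those seen in this report); production code
# should load the IANA list instead.
KNOWN_TLDS = {"com", "net", "org", "tv", "de", "us", "se", "hu", "pt", "be", "il",
              "tr", "pl", "hr", "ru", "si", "kr", "ro", "ua", "br", "nl"}
URL_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+$")
LABEL = re.compile(r"^[A-Za-z0-9-]{1,63}$")
# A URL inside an X.509 extension is followed by the next DER element, whose
# SEQUENCE tag 0x30 is ASCII '0' and whose length byte is arbitrary: hence
# ".crl0t", "/CPS0C" and ".com0" in the raw strings.
DER_TAIL = re.compile(r"^(?P<url>.+?(?:\.crl|\.crt|\.cer|/CPS|/))0.?$", re.I)
PKI_HINT = re.compile(r"(^|\.)(crl|ocsp|crt|cacert|pki)\.|\.(crl|crt|cer)$|/CPS$|/repository/$", re.I)


def split_host(s):
    """Return (host, path) for a string with or without a scheme; ('', '') if unparseable."""
    try:
        parts = urlsplit(s if "://" in s else "//" + s)
        return (parts.hostname or ""), parts.path
    except ValueError:
        return "", ""


def strip_der_tail(s):
    """Remove the DER tag/length residue when doing so leaves a plausible URL."""
    m = DER_TAIL.match(s)
    if m:
        return m["url"]
    host, _ = split_host(s)
    if host and "." in host and host.rsplit(".", 1)[1] not in KNOWN_TLDS:
        trimmed = re.sub(r"0.?$", "", s)
        if split_host(trimmed)[0].rsplit(".", 1)[-1] in KNOWN_TLDS:
            return trimmed
    return s


def classify(entry):
    """Return (category, cleaned string): 'noise', 'pki' or 'app'."""
    s = strip_der_tail(entry.strip())
    if not URL_CHARS.match(s):
        return "noise", s
    host, path = split_host(s)
    labels = host.split(".")
    if len(labels) < 2 or not all(LABEL.match(l) for l in labels) or labels[-1] not in KNOWN_TLDS:
        return "noise", s
    if PKI_HINT.search(host) or PKI_HINT.search(path):
        return "pki", s
    return "app", s


def triage(entries):
    buckets = {"noise": [], "pki": [], "app": []}
    for e in entries:
        cat, s = classify(e)
        if s not in buckets[cat]:
            buckets[cat].append(s)
    return buckets


if __name__ == "__main__":
    for cat, items in triage(ENTRIES).items():
        print(cat, items)
```

Hostname-only heuristic matches such as "ds.com" or "ilymotion.com" pass as application domains but are usually cut off at the front by the string scanner, so treat them as partial rather than as complete indicators.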
-
Spyware/Information Retrieval
-
Found a reference to a known community page
- details
-
"%SystemDrive%\Program Files\FlashIntegro\VideoEditor\Tools\Google.Apis.YouTube.v3.dll" (Indicator: "youtube")
"%SystemDrive%\Program Files\FlashIntegro\VideoEditor\Tools\YouTubeUploader.exe" (Indicator: "youtube")
"%SystemDrive%\Program Files\FlashIntegro\VideoEditor\Tools\YouTubeUploader.exe.config" (Indicator: "youtube")
"%SystemDrive%\Program Files\FlashIntegro\VideoEditor\Tools\YouTubeUploader.exe.manifest" (Indicator: "youtube")
"YouTube" (Indicator: "youtube")
"YouTube)" (Indicator: "youtube")
"Youtube." (Indicator: "youtube")
"YouTube?" (Indicator: "youtube")
": http://www.youtube.com/watch?v=jaA2361wq50" (Indicator: "youtube")
"youtube" (Indicator: "youtube")
"myspacetv:" (Indicator: "myspace")
"youtube.com/watch?" (Indicator: "youtube")
"youtube.com/v/" (Indicator: "youtube")
"youtube.com/watch?v=" (Indicator: "youtube")
"http://youtube.com/watch?v=" (Indicator: "youtube")
"youtube.com/embed/" (Indicator: "youtube")
"youtube.com/user" (Indicator: "youtube")
"http://www.youtube.com/watch?v=" (Indicator: "youtube")
"http://mediaservices.myspace.com/services/rss.ashx?type=video&videoID=" (Indicator: "myspace")
"http://www.facebook.com/video/video.php?v=" (Indicator: "facebook.com")
- source
- String
- relevance
- 7/10
-
System Security
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"video_editor.tmp" opened "\Device\KsecDD"
"vcredist_x86.exe" opened "\Device\KsecDD"
"ExecuteHelper.exe" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
-
File Details
video_editor.exe
- Filename
- video_editor.exe
- Size
- 36MiB (37499176 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 705085488a37c6919acbc3f9d950b2c9381f82ee76eec06e1aaba184dba06f69
- MD5
- 70685edaf17566aa8bac4b7e3d5c595b
- SHA1
- e3c9eabfd15f5f60811393100cc6abbf75be6daf
Classification (TrID)
- 42.6% (.EXE) Win32 Executable (generic)
- 19.5% (.EXE) Win16/32 Executable Delphi generic
- 18.9% (.EXE) Generic Win/DOS Executable
- 18.9% (.EXE) DOS Executable Generic
Hybrid Analysis
Analysed 62 processes in total (System Resource Monitor).
- video_editor.exe (PID: 2408)
- video_editor.tmp /SL5="$60196,37026101,119296,C:\video_editor.exe" (PID: 2588)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslcore3.dll" (PID: 2844)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslprofiles3.dll" (PID: 2828)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslconfig3.dll" (PID: 2852)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslvideofilters3.dll" (PID: 2928)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslaudiofilters3.dll" (PID: 2900)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslaudiocodecs3.dll" (PID: 2936)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslaudioplayer3.dll" (PID: 2952)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslvideocodecs3.dll" (PID: 3044)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslvvdsfilter3.ax" (PID: 3008)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslmediaplayer3.dll" (PID: 3036)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslmediafile3.dll" (PID: 3072)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslavfile3.dll" (PID: 3108)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslanimationfile3.dll" (PID: 3172)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\msldvdfile3.dll" (PID: 3144)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslwmfile3.dll" (PID: 3224)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslflashfile3.dll" (PID: 3772)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslrmfile3.dll" (PID: 3764)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslvocfile3.dll" (PID: 3752)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslnullfile3.dll" (PID: 3720)
- regsvr32.exe /s "%PROGRAMFILES%\FlashIntegro\VideoEditor\mslvideorecorder.ocx" (PID: 3804)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslinetsrv3.dll" (PID: 3856)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\msldrivekernel3.dll" (PID: 3852)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\msldfs3.dll" (PID: 3880)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\msldio3.dll" (PID: 736)
-
vcredist_x86.exe
/install /quiet /norestart
(PID: 292)
- vcredist_x86.exe /install /quiet /norestart -burn.unelevated BurnPipe.{44847E58-9D3C-4229-B460-7C12EE1FA2A0} {3B097A9B-C34C-47F7-AB00-6665A8540387} 292 (PID: 1628)
- regsvr32.exe /s "%WINDIR%\system32\msxml3.dll" (PID: 864)
- regsvr32.exe /s "%WINDIR%\system32\lame.ax" (PID: 396)
- regsvr32.exe /s "%WINDIR%\system32\L3CODECX.AX" (PID: 1284)
- regsvr32.exe /s "%WINDIR%\system32\xvid.ax" (PID: 100)
- regsvr32.exe /s "%WINDIR%\system32\divxdec.ax" (PID: 2224)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslcore3.dll" (PID: 1152)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslvideofilters3.dll" (PID: 2564)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslaudiofilters3.dll" (PID: 2672)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslprofiles3.dll" (PID: 1612)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslconfig3.dll" (PID: 2144)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslaudiocodecs3.dll" (PID: 2692)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslaudioplayer3.dll" (PID: 1620)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslvideocodecs3.dll" (PID: 2812)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslvvdsfilter3.ax" (PID: 2788)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslmediaplayer3.dll" (PID: 2772)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslmediafile3.dll" (PID: 2816)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslavfile3.dll" (PID: 2784)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslanimationfile3.dll" (PID: 2396)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\msldvdfile3.dll" (PID: 1436)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslwmfile3.dll" (PID: 2400)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslflashfile3.dll" (PID: 2576)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslrmfile3.dll" (PID: 2728)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslvocfile3.dll" (PID: 2720)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslnullfile3.dll" (PID: 2736)
- regsvr32.exe /s "%PROGRAMFILES%\FlashIntegro\VideoEditor\mslvideorecorder.ocx" (PID: 3816)
- regsvr32.exe /s "%WINDIR%\system32\mslvddsfilter3.ax" (PID: 2640)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\mslinetsrv3.dll" (PID: 1588)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\msldrivekernel3.dll" (PID: 2340)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\msldfs3.dll" (PID: 1684)
- regsvr32.exe /s "%COMMONPROGRAMFILES%\FlashIntegro\ActiveX\msldio3.dll" (PID: 400)
- ExecuteHelper.exe /path:"%PROGRAMFILES%\FlashIntegro\VideoEditor\VideoEditor.exe" /xml:"%PROGRAMFILES%\FlashIntegro\VideoEditor\regext.xml" /regext (PID: 1336)
-
iexplore.exe
-nohome
(PID: 2044)
- iexplore.exe SCODEF:2044 CREDAT:79873 (PID: 3128)
- VideoEditor.exe (PID: 744)
-
video_editor.tmp
/SL5="$60196,37026101,119296,C:\video_editor.exe"
(PID: 2588)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Displaying 27 extracted file(s). The remaining 313 file(s) are available in the full version and XML/JSON reports.
-
Clean 1
-
-
_iscrypt.dll
- Size
- 2.5KiB (2560 bytes)
- Type
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/81
- Runtime Process
- video_editor.tmp (PID: 2588)
- MD5
- a69559718ab506675e907fe49deb71e9
- SHA1
- bc8f404ffdb1960b50c12ff9413c893b56f2e36f
- SHA256
- 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
-
-
Informative Selection 2
-
-
is-HAU3L.tmp
- Size
- 45KiB (46309 bytes)
- Type
- ASCII text, with CRLF line terminators
- Runtime Process
- video_editor.tmp (PID: 2588)
- MD5
- 441570b5dc7a16f56bd3491f8a599e51
- SHA1
- f6215e3afd38bfe920e8ed2a7ba8538b50155c00
- SHA256
- 9eff3ee598aa40ff6d2a10ba4340496ad29cd4bd7bd2191078e3b882a42a13f9
-
is-2J62M.tmp
- Size
- 47KiB (47797 bytes)
- Type
- ASCII text, with CRLF line terminators
- Runtime Process
- video_editor.tmp (PID: 2588)
- MD5
- c1e7568a4699fb6e59dd5d4460275213
- SHA1
- e546b9697999d2e0c0410babe6ed08a0e7c8fc5e
- SHA256
- b6d6433c8a3ee8779f3c5a99e096202c75c74d659047e62ba795e7f02e411ab6
-
-
Informative 24
-
-
License Agreement.lnk
- Size
- 1.2KiB (1224 bytes)
- Runtime Process
- video_editor.tmp (PID: 2588)
- MD5
- 02ed789266ea532d216247a98f17a736
- SHA1
- b2b7bbb40dd1698f0609b378e896b86774621202
- SHA256
- 1a7e831c72b595f764d6a956daccdacf4daf6a55fedd016de2925d04de859b5b
-
Readme.lnk
- Size
- 1.1KiB (1167 bytes)
- Runtime Process
- video_editor.tmp (PID: 2588)
- MD5
- f6b7e432cbbbfcd9e4d4d6974aecf3f2
- SHA1
- 7d22941b9bc7437cfe912d440e89388a94554c72
- SHA256
- 4ee454d23d79d6a48ed84aab5ab8bdd682f35bc17084a14642c4afa403b2a122
-
VSDC Free Video Editor Help.lnk
- Size
- 1.2KiB (1209 bytes)
- Runtime Process
- video_editor.tmp (PID: 2588)
- MD5
- fe38b87030aab8435e386f1c042fb277
- SHA1
- 1104c98057d868582d3cedfaad1fde78fcfe4d72
- SHA256
- 4aca6ab0ab4215e0d8bfa20bc8a345bfe1082db33789172c878b0d8a047694c4
-
Product Activation.lnk
- Size
- 1.2KiB (1183 bytes)
- Runtime Process
- video_editor.tmp (PID: 2588)
- MD5
- 8e2c091ec37c93f7857ee754e39a1874
- SHA1
- c70b7dfb998066cdb0eab988f9a1ff4e21d3b004
- SHA256
- ca2bbfa6d07089b921ddb552d95900c98085108cbef6e4fcb1619ca81def6046
-
Product Updater.lnk
- Size
- 1.1KiB (1166 bytes)
- Runtime Process
- video_editor.tmp (PID: 2588)
- MD5
- 6f7ce23964cc8003eb97fc1eb3d4fb4f
- SHA1
- 51ee9db1cfacfad347b3dfa25b681691fbfd0185
- SHA256
- 252b41d72646d21a59013e312d82b0b7e2ae26ac82469594254ff9531c4cd7ca
-
Uninstall VSDC Free Video Editor.lnk
- Size
- 1021B (1021 bytes)
- Runtime Process
- video_editor.tmp (PID: 2588)
- MD5
- 14715d24dcbbcfa1a04b6520791bd920
- SHA1
- 5155f73e618a23b2ac785df2b85f4dda52af9bdf
- SHA256
- f5c2e1ad711a996ed6dd17bb8b518a432d4b67e06d12a1c637898b5ad89c0885
-
VSDC Free Screen Recorder.lnk
- Size
- 1.3KiB (1309 bytes)
- Runtime Process
- video_editor.tmp (PID: 2588)
- MD5
- c217dbc6f3f3d5413901499a39daf5ca
- SHA1
- ae8a7f62e06c93e68fbfedafee4d9aca4682b684
- SHA256
- 32325aeed6bae9e65286b984f326a7cd9be25d33ff3ba54668c66fc5499fb637
-
VSDC Free Video Capture.lnk
- Size
- 1.3KiB (1299 bytes)
- Runtime Process
- video_editor.tmp (PID: 2588)
- MD5
- 45e11cc595d4dac022755c2cd8757655
- SHA1
- 6aba68b02b2ff891a56081b685cbcec86c3f3e02
- SHA256
- 125f3d5e70706d9b06e656908c3746e035f83338a32ade34c8fdca4cfd6ae581
-
state.rsm
- Size
- 730B (730 bytes)
- Runtime Process
- vcredist_x86.exe (PID: 292)
- MD5
- 1358f94f696c454e2c4ab756cf9bdaa7
- SHA1
- bc645865728336b53cf38399a978fb35037af1f0
- SHA256
- a5cef6d578b07a2842bf0253757f2527923d818f7fa8b399ff3e8fa9a39823db
-
is-07TI1.tmp
- Size
- 2.7KiB (2784 bytes)
- Runtime Process
- video_editor.tmp (PID: 2588)
- MD5
- a2bed710f1cf410f3fd33970d3d267ae
- SHA1
- d3b1c227e851b43596af7dd8b3fb25a97a516bc7
- SHA256
- 1bef17720ff6c88365aa7e7df0c3dd490205786a7dee5b45932d30fde56264df
-
is-11OJT.tmp
- Size
- 2.7KiB (2774 bytes)
- Runtime Process
- video_editor.tmp (PID: 2588)
- MD5
- d86218b5c90a79ad4722e00c637b2c37
- SHA1
- 9b8441bc9fb364b25e99842e2b91f102c8a90af8
- SHA256
- 136742fe009fe8e2e3c579b20e363b10f3db4d78d7a7d6bf488b9bc76d0ac26d
-
is-167LI.tmp
- Size
- 2.7KiB (2782 bytes)
- Runtime Process
- video_editor.tmp (PID: 2588)
- MD5
- c4516399b1272fb46728bc44d0f8af75
- SHA1
- 90f1632637fdd6f712cd729517badd1bd76242e3
- SHA256
- 2aacfedf24629b3cff4056521d4c140f98b98e9fe779e4ca1700aaa4ce8b8ee0
-
is-3A71C.tmp
- Size
- 2.7KiB (2777 bytes)
- Runtime Process
- video_editor.tmp (PID: 2588)
- MD5
- a8a1f53b88491643af854da1bfed49c5
- SHA1
- 9e193975def484aea1c449571e0b12c6a73c3a44
- SHA256
- b221266e1ebc54f4007a815918da4acf867a9cfeeb2dbdb5cfee8c0ececf9390
-
is-4LOQD.tmp
- Size
- 2.7KiB (2774 bytes)
- Runtime Process
- video_editor.tmp (PID: 2588)
- MD5
- 74d3a101d199809c2d5162f09ae1fdcb
- SHA1
- b54e08e6be8e4f8f61ef1819cdcf5366bfa6195e
- SHA256
- 0ce611955aad8af165042230b7f4af5d9668e3a5e1c157554e0e8cd93611ba67
-
is-6OR61.tmp
- Size
- 2.7KiB (2782 bytes)
- Runtime Process
- video_editor.tmp (PID: 2588)
- MD5
- 8ec1e3994954979297d6451177c609b1
- SHA1
- 0bb6ea34a8d18245c6d8e296e6f21fe9fb7b342d
- SHA256
- 9488dfd2a418d2039ab92616fc0c4d641b1adb8be57b683c05ff640b76d73651
-
is-739M4.tmp
- Size
- 2.7KiB (2770 bytes)
- Runtime Process
- video_editor.tmp (PID: 2588)
- MD5
- c8859febe57acd0411a0963530d90430
- SHA1
- ed75101906b45656bcfeea1038b70a6c8b4adf79
- SHA256
- fea8e082bb13ea02c2f60b91837664637f4325e1dcc26f50183c996fe9fb7761
-
is-7TB9Q.tmp
- Size
- 2.7KiB (2782 bytes)
- Runtime Process
- video_editor.tmp (PID: 2588)
- MD5
- 0f1839e97af9eac1c407e4edbe43ffb4
- SHA1
- 647eefa3a0b2c04f626b1d519b64e240472cf9a0
- SHA256
- c1e4d129bec794f4966c6d895aca2b91e9d0a7a05cf0d5b3a4e774ec420ce29d
-
is-AQ8FV.tmp
- Size
- 2.7KiB (2775 bytes)
- Runtime Process
- video_editor.tmp (PID: 2588)
- MD5
- 369d6681bbb69ca6bb29a106d4f3c3fa
- SHA1
- 7d392f609c16ac010857180ce09802ea11d0c4fa
- SHA256
- deb1cc555647073a4e0410054fabfdd8303e53f1f50b16eb126e559f49e445bd
-
is-BHPC6.tmp
- Size
- 2.7KiB (2775 bytes)
- Runtime Process
- video_editor.tmp (PID: 2588)
- MD5
- c955f947cdc39d2466ccc1cc522ead5d
- SHA1
- 85d9ea0e5a7b1635c53fe6df44d30b90b8445c4c
- SHA256
- ac597b9207a05ca0dd7ce8d1609169a3a6536fa798c06f923dd0b1c6fa2ab087
-
is-BNA1A.tmp
- Size
- 2.7KiB (2784 bytes)
- Type
- XML document text
- Runtime Process
- video_editor.tmp (PID: 2588)
- MD5
- 38e965ea1276ed6b62c6ef060d978e9e
- SHA1
- 4080ba407618a8b684446a950fa8204d48bb33b9
- SHA256
- 9c92417e9ac0f855358a2983ba74f32b80a0955e2afeb975fb75532a98125593
-
_shfoldr.dll
- Size
- 23KiB (23312 bytes)
- Runtime Process
- video_editor.tmp (PID: 2588)
- MD5
- 92dc6ef532fbb4a5c3201469a5b5eb63
- SHA1
- 3e89ff837147c16b4e41c30d6c796374e0b8e62c
- SHA256
- 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
-
itdownload.dll
- Size
- 201KiB (205312 bytes)
- Runtime Process
- video_editor.tmp (PID: 2588)
- MD5
- d82a429efd885ca0f324dd92afb6b7b8
- SHA1
- 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
- SHA256
- b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
-
wixstdba.dll
- Size
- 118KiB (120320 bytes)
- Runtime Process
- vcredist_x86.exe (PID: 1628)
- MD5
- a52e5220efb60813b31a82d101a97dcb
- SHA1
- 56e16e4df0944cb07e73a01301886644f062d79b
- SHA256
- e7c8e7edd9112137895820e789baaaeca41626b01fb99fede82968ddb66d02cf
-
VSDC Free Video Editor.lnk
- Size
- 1.1KiB (1164 bytes)
- Runtime Process
- video_editor.tmp (PID: 2588)
- MD5
- ae2b21ee1fd43acd36394d0f86f81131
- SHA1
- 1288c122492774a3d048d1bff66404d4a6c42544
- SHA256
- cb3d7e3e0d0c5244a34cdc19a8a41f7dd84161e7a67a9dcc2939c1e5fa4063b6
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Extracted file "is-5M3JK.tmp" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/913edee2f87b73bdf80b4e1ac162b426949f462d1f045b2e4c89152dde4e22b1/analysis/1488404008/")
- Extracted file "is-9MJ9I.tmp" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/1f41cf8183e15d7bb4cd98400a0a62d45a6fe97d1818fcd7707a6618c3fa0b27/analysis/1488404016/")
- Extracted file "is-GBN3R.tmp" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/37368410d34e594b50439d0511bc12273e81bab6a79ea8a18ff4452b31fb2bb3/analysis/1488404006/")
- Extracted file "is-GCLJQ.tmp" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/43315ea85d80cf5c5dcec29e1a0138934a9a666d8dd117df2a4ff97a03e384e0/analysis/1488404014/")
- No static analysis parsing on sample was performed
- Not all file accesses are visible for ExecuteHelper.exe (PID: 1336)
- Not all file accesses are visible for VideoEditor.exe (PID: 744)
- Not all file accesses are visible for iexplore.exe (PID: 2044)
- Not all file accesses are visible for iexplore.exe (PID: 3128)
- Not all file accesses are visible for regsvr32.exe (PID: 100)
- Not all file accesses are visible for regsvr32.exe (PID: 1152)
- Not all file accesses are visible for regsvr32.exe (PID: 1284)
- Not all file accesses are visible for regsvr32.exe (PID: 1436)
- Not all file accesses are visible for regsvr32.exe (PID: 1588)
- Not all file accesses are visible for regsvr32.exe (PID: 1612)
- Not all file accesses are visible for regsvr32.exe (PID: 1620)
- Not all file accesses are visible for regsvr32.exe (PID: 1684)
- Not all file accesses are visible for regsvr32.exe (PID: 2144)
- Not all file accesses are visible for regsvr32.exe (PID: 2224)
- Not all file accesses are visible for regsvr32.exe (PID: 2340)
- Not all file accesses are visible for regsvr32.exe (PID: 2396)
- Not all file accesses are visible for regsvr32.exe (PID: 2400)
- Not all file accesses are visible for regsvr32.exe (PID: 2564)
- Not all file accesses are visible for regsvr32.exe (PID: 2576)
- Not all file accesses are visible for regsvr32.exe (PID: 2640)
- Not all file accesses are visible for regsvr32.exe (PID: 2672)
- Not all file accesses are visible for regsvr32.exe (PID: 2692)
- Not all file accesses are visible for regsvr32.exe (PID: 2720)
- Not all file accesses are visible for regsvr32.exe (PID: 2728)
- Not all file accesses are visible for regsvr32.exe (PID: 2736)
- Not all file accesses are visible for regsvr32.exe (PID: 2772)
- Not all file accesses are visible for regsvr32.exe (PID: 2784)
- Not all file accesses are visible for regsvr32.exe (PID: 2788)
- Not all file accesses are visible for regsvr32.exe (PID: 2812)
- Not all file accesses are visible for regsvr32.exe (PID: 2816)
- Not all file accesses are visible for regsvr32.exe (PID: 2828)
- Not all file accesses are visible for regsvr32.exe (PID: 2844)
- Not all file accesses are visible for regsvr32.exe (PID: 2852)
- Not all file accesses are visible for regsvr32.exe (PID: 2900)
- Not all file accesses are visible for regsvr32.exe (PID: 2928)
- Not all file accesses are visible for regsvr32.exe (PID: 2936)
- Not all file accesses are visible for regsvr32.exe (PID: 2952)
- Not all file accesses are visible for regsvr32.exe (PID: 3008)
- Not all file accesses are visible for regsvr32.exe (PID: 3036)
- Not all file accesses are visible for regsvr32.exe (PID: 3044)
- Not all file accesses are visible for regsvr32.exe (PID: 3072)
- Not all file accesses are visible for regsvr32.exe (PID: 3108)
- Not all file accesses are visible for regsvr32.exe (PID: 3144)
- Not all file accesses are visible for regsvr32.exe (PID: 3172)
- Not all file accesses are visible for regsvr32.exe (PID: 3224)
- Not all file accesses are visible for regsvr32.exe (PID: 3720)
- Not all file accesses are visible for regsvr32.exe (PID: 3752)
- Not all file accesses are visible for regsvr32.exe (PID: 3764)
- Not all file accesses are visible for regsvr32.exe (PID: 3772)
- Not all file accesses are visible for regsvr32.exe (PID: 3804)
- Not all file accesses are visible for regsvr32.exe (PID: 3816)
- Not all file accesses are visible for regsvr32.exe (PID: 3852)
- Not all file accesses are visible for regsvr32.exe (PID: 3856)
- Not all file accesses are visible for regsvr32.exe (PID: 3880)
- Not all file accesses are visible for regsvr32.exe (PID: 396)
- Not all file accesses are visible for regsvr32.exe (PID: 400)
- Not all file accesses are visible for regsvr32.exe (PID: 736)
- Not all file accesses are visible for regsvr32.exe (PID: 864)
- Not all file accesses are visible for vcredist_x86.exe (PID: 1628)
- Not all file accesses are visible for vcredist_x86.exe (PID: 292)
- Not all file accesses are visible for video_editor.exe (PID: 2408)
- Not all file accesses are visible for video_editor.tmp (PID: 2588)
- Not all sources for signature ID "api-11" are available in the report
- Not all sources for signature ID "api-12" are available in the report
- Not all sources for signature ID "api-25" are available in the report
- Not all sources for signature ID "api-4" are available in the report
- Not all sources for signature ID "api-51" are available in the report
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "binary-0" are available in the report
- Not all sources for signature ID "hooks-8" are available in the report
- Not all sources for signature ID "mutant-0" are available in the report
- Not all sources for signature ID "registry-17" are available in the report
- Not all sources for signature ID "registry-18" are available in the report
- Not all sources for signature ID "string-10" are available in the report
- Not all sources for signature ID "string-43" are available in the report
- Not all sources for signature ID "target-14" are available in the report
- Not all sources for signature ID "target-25" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report
- Some low-level details are hidden from the report due to oversize