ActivePerl-5.24.2.2403-MSWin32-x64-403863 (2).exe
This report is generated from a file or URL submitted to this webservice on December 15th 2017 03:20:06 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v7.20 © Hybrid Analysis
Incident Response
Risk Assessment
- Persistence
-
Modifies System Certificates Settings
Spawns a lot of processes
- Fingerprint
-
Reads the active computer name
Reads the cryptographic machine GUID
- Spreading
-
Opens the MountPointManager (often used to detect additional infection locations)
Tries to access unusual system drive letters
- Network Behavior
-
Contacts 2 domains and 2 hosts.
Indicators
Not all malicious and suspicious indicators are displayed.
-
Malicious Indicators 7
-
General
-
The analysis extracted a file that was identified as malicious
- details
- 1/58 Antivirus vendors marked dropped file "ActivePerl-5.24.2.2403-MSWin32-x64-403863.exe.msi" as malicious (classified as "Trojan.Generic" with 1% detection rate)
- source
- Binary File
- relevance
- 10/10
-
Installation/Persistence
-
Loads the task scheduler interface DLL
- details
- "<Input Sample>" loaded module "%WINDIR%\SysWOW64\mstask.dll" at 73620000
- source
- Loaded Module
- relevance
- 5/10
-
Scans for the windows taskbar (often used for explorer injection)
- details
- "<Input Sample>" searching for class "Shell_TrayWnd"
- source
- API Call
- relevance
- 5/10
-
System Security
-
Modifies System Certificates Settings
- details
-
"<Input Sample>" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES"; Key: "E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46"; Key: "BLOB")
"<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0"; Key: "BLOB")
"<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "339CDD57CFD5B141169B615FF31428782D1DA639")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\339CDD57CFD5B141169B615FF31428782D1DA639"; Key: "BLOB")
- source
- Registry Access
- relevance
- 8/10
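The two stores written above are the AuthRoot store (HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates, which Windows' automatic root-certificate update fills when a chain is built to a root that is not yet present locally) and the current user's Intermediate Certification Authorities store (HKCU\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates). In both, every certificate sits under a key named by its SHA-1 thumbprint, and the Blob value is a sequence of records of the form propid (u32), reserved (u32, observed as 1), length (u32), data; property 32 (CERT_CERT_PROP_ID) carries the DER certificate and property 3 (CERT_SHA1_HASH_PROP_ID) its SHA-1. Writes of this shape are what CryptoAPI produces when it verifies an Authenticode signature and caches the intermediates and root it fetched, which is plausible for a vendor installer, but the report does not show the signature, so the check that decides whether this indicator matters is to dump the written Blob, extract the certificate, confirm its hash equals the key name and then identify the issuer. The parser below is an added example written for this note, not code from the report or from Hybrid Analysis; the sample Blob it checks is constructed around placeholder bytes rather than a real certificate, and read_blob_from_registry is a Windows-only convenience for reading a live key.

```python
import hashlib
import struct

# Property IDs from wincrypt.h that matter for this check.
CERT_SHA1_HASH_PROP_ID = 3
CERT_CERT_PROP_ID = 32


def parse_cert_blob(blob: bytes) -> dict:
    """Split a SystemCertificates 'Blob' value into {propid: data}.

    Each record is <propid:u32><reserved:u32><length:u32><data[length]>.
    Raises on truncation so a corrupt or partial value is not silently accepted.
    """
    props = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        propid, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if off + length > len(blob):
            raise ValueError(f"property {propid} runs past end of blob")
        props[propid] = blob[off:off + length]
        off += length
    return props


def check_cert_blob(key_thumbprint: str, blob: bytes) -> dict:
    """Verify that the certificate inside a Blob matches the key it sits under.

    Returns the DER length, the computed SHA-1 and two booleans: whether that
    hash equals the registry key name and whether it equals the hash the blob
    itself carries in CERT_SHA1_HASH_PROP_ID.
    """
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("blob has no CERT_CERT_PROP_ID (32) record")
    sha1 = hashlib.sha1(der).hexdigest().upper()
    stored = props.get(CERT_SHA1_HASH_PROP_ID)
    return {
        "der_len": len(der),
        "sha1": sha1,
        "matches_key_name": sha1 == key_thumbprint.replace(" ", "").upper(),
        "matches_stored_hash": stored is not None and stored.hex().upper() == sha1,
    }


def read_blob_from_registry(key_path: str) -> bytes:
    """Windows only: read the Blob value under e.g.
    HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\<thumbprint>.
    """
    import winreg  # standard library, Windows only

    hive_name, _, subkey = key_path.partition("\\")
    hive = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[hive_name]
    with winreg.OpenKey(hive, subkey) as key:
        value, _type = winreg.QueryValueEx(key, "Blob")
    return value


def build_blob(records) -> bytes:
    """Serialize (propid, data) pairs in the registry Blob layout (used here to construct samples)."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in records)


# Constructed sample: FAKE_DER stands in for a DER certificate; it is not a real one.
FAKE_DER = bytes(range(48))
SAMPLE_THUMBPRINT = hashlib.sha1(FAKE_DER).hexdigest().upper()
SAMPLE_BLOB = build_blob([
    (CERT_SHA1_HASH_PROP_ID, hashlib.sha1(FAKE_DER).digest()),
    (CERT_CERT_PROP_ID, FAKE_DER),
])
# Same blob with one certificate byte changed: neither the key name nor the stored hash matches.
TAMPERED_BLOB = build_blob([
    (CERT_SHA1_HASH_PROP_ID, hashlib.sha1(FAKE_DER).digest()),
    (CERT_CERT_PROP_ID, FAKE_DER[:-1] + b"\xff"),
])

if __name__ == "__main__":
    print(check_cert_blob(SAMPLE_THUMBPRINT, SAMPLE_BLOB))
    print(check_cert_blob(SAMPLE_THUMBPRINT, TAMPERED_BLOB))
```

On a live system, pass the output of read_blob_from_registry for the AuthRoot key named above to check_cert_blob with the key name as the thumbprint; a match means the store entry is internally consistent, after which the DER bytes in property 32 can be fed to any X.509 parser to identify the issuer.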
-
Unusual Characteristics
-
Checks for a resource fork (ADS) file
- details
- "<Input Sample>" checked file "C:"
- source
- API Call
- relevance
- 5/10
-
Spawns a lot of processes
- details
-
Spawned process "<Input Sample>"
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c ""%TEMP%\EXE1A90.tmp.bat" ""
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c ""%TEMP%\EXE1FE0.tmp.bat" ""
Spawned process "attrib.exe" with commandline "ATTRIB -r "\\?\%APPDATA%\ACTIVE~1\ACTIVE~1.240\install\BD0A98C\ACTIVE~1.MSI""
Spawned process "attrib.exe" with commandline "ATTRIB -r "\\?\%APPDATA%\ACTIVE~1\ACTIVE~1.240\install\BD0A98C\ACTIVE~1.MSI""
Spawned process "attrib.exe" with commandline "ATTRIB -r "%TEMP%\EXE1A90.tmp.bat""
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /S /D /c" del "%TEMP%\EXE1A90.tmp.bat" ""
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /S /D /c" cls""
Spawned process "attrib.exe" with commandline "ATTRIB -r "%TEMP%\EXE1FE0.tmp.bat""
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /S /D /c" del "%TEMP%\EXE1FE0.tmp.bat" ""
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /S /D /c" cls""
- source
- Monitored Target
- relevance
- 8/10
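The process chain above (the same command lines reappear under "Runs shell commands" and "Spawns new processes" in the Informative section) is one recognisable sequence repeated for two batch files: cmd.exe runs a .bat from %TEMP%, attrib -r clears its read-only bit, a child cmd.exe deletes the .bat, and a final cmd.exe runs cls. That is the standard self-deleting batch idiom; installers use it to clean up after themselves and droppers use it to remove their own traces, so on its own it is a triage cue rather than a verdict. The detection below is an added example written for this note, not Hybrid Analysis code: it takes (image, command line) pairs, groups them by the batch path each one names and flags any batch that is both launched and later deleted by a cmd.exe child. The sample events are transcribed from the report's list with %TEMP% and %WINDIR% left unexpanded, as the report shows them.

```python
import re
from collections import defaultdict

# A quoted path ending in .bat; paths are compared case-insensitively, as NTFS does.
BAT_PATH = re.compile(r'"([^"]+\.bat)"', re.IGNORECASE)
# cmd.exe /c "<bat>"              -> the batch is being run
LAUNCH = re.compile(r'cmd\.exe\s+/c\s+"', re.IGNORECASE)
# cmd.exe /S /D /c" del "<bat>" "  -> a child shell deleting the batch
DELETE = re.compile(r'cmd\.exe\s+/S\s+/D\s+/c"\s*del\s+"', re.IGNORECASE)
# attrib -r "<bat>"               -> read-only bit cleared so the del succeeds
UNPROTECT = re.compile(r'attrib(?:\.exe)?\s+-r\s+"', re.IGNORECASE)


def classify(cmdline: str):
    """Map one command line to (batch_path, step) or None if it does not name a .bat."""
    m = BAT_PATH.search(cmdline)
    if not m:
        return None
    path = m.group(1).lower()
    if DELETE.search(cmdline):
        return path, "delete"
    if LAUNCH.search(cmdline):
        return path, "launch"
    if UNPROTECT.search(cmdline):
        return path, "unprotect"
    return None


def summarize_batches(events) -> dict:
    """Return {batch_path: sorted list of observed steps} over (image, cmdline) events."""
    steps = defaultdict(set)
    for _image, cmdline in events:
        hit = classify(cmdline)
        if hit:
            steps[hit[0]].add(hit[1])
    return {path: sorted(s) for path, s in steps.items()}


def find_self_deleting_batches(events) -> list:
    """Batch files that were both executed and deleted by a cmd.exe child."""
    return sorted(
        path for path, steps in summarize_batches(events).items()
        if {"launch", "delete"} <= set(steps)
    )


# Sample events transcribed from the report's "Spawns a lot of processes" list.
SAMPLE_EVENTS = [
    ("cmd.exe", r'%WINDIR%\system32\cmd.exe /c ""%TEMP%\EXE1A90.tmp.bat" ""'),
    ("cmd.exe", r'%WINDIR%\system32\cmd.exe /c ""%TEMP%\EXE1FE0.tmp.bat" ""'),
    ("attrib.exe", r'ATTRIB -r "\\?\%APPDATA%\ACTIVE~1\ACTIVE~1.240\install\BD0A98C\ACTIVE~1.MSI"'),
    ("attrib.exe", r'ATTRIB -r "%TEMP%\EXE1A90.tmp.bat"'),
    ("cmd.exe", r'%WINDIR%\system32\cmd.exe /S /D /c" del "%TEMP%\EXE1A90.tmp.bat" ""'),
    ("cmd.exe", r'%WINDIR%\system32\cmd.exe /S /D /c" cls""'),
    ("attrib.exe", r'ATTRIB -r "%TEMP%\EXE1FE0.tmp.bat"'),
    ("cmd.exe", r'%WINDIR%\system32\cmd.exe /S /D /c" del "%TEMP%\EXE1FE0.tmp.bat" ""'),
    ("cmd.exe", r'%WINDIR%\system32\cmd.exe /S /D /c" cls""'),
]

if __name__ == "__main__":
    summary = summarize_batches(SAMPLE_EVENTS)
    for path in find_self_deleting_batches(SAMPLE_EVENTS):
        print("self-deleting batch:", path, summary[path])
```

Feeding real process-creation telemetry (Sysmon event 1 or 4688 command lines) through the same functions gives the batch paths to pull from the sandbox's dropped-files list, since the .bat content, not the deletion pattern, is what tells an installer cleanup from a dropper.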
-
Tries to access unusual system drive letters
- details
-
"<Input Sample>" touched "K:\"
"<Input Sample>" touched "L:\"
"<Input Sample>" touched "M:\"
"<Input Sample>" touched "N:\"
"<Input Sample>" touched "O:\"
"<Input Sample>" touched "P:\"
"<Input Sample>" touched "Q:\"
"<Input Sample>" touched "R:\"
"<Input Sample>" touched "S:\"
"<Input Sample>" touched "T:\"
"<Input Sample>" touched "U:\"
"<Input Sample>" touched "V:\"
"<Input Sample>" touched "W:\"
- source
- API Call
- relevance
- 9/10
-
Suspicious Indicators 31
-
Anti-Detection/Stealthiness
-
Queries kernel debugger information
- details
- "<Input Sample>" at 00011324-00001140-00000033-49167100
- source
- API Call
- relevance
- 6/10
-
Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
- details
- "<Input Sample>" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "DISABLECACHINGOFSSLPAGES"; Value: "00000000040000000400000000000000")
- source
- Registry Access
- relevance
- 3/10
-
Anti-Reverse Engineering
-
Looks up many procedures within the same disassembly stream (often used to hide usage)
- details
- Found 40 calls to GetProcAddress@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Environment Awareness
-
Possibly tries to implement anti-virtualization techniques
- details
- "SQSUM99]~ SMC;]|3]]]QEMu" (Indicator: "qemu")
- source
- File/Memory
- relevance
- 4/10
-
Reads the cryptographic machine GUID
- details
- "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
-
General
-
Contains ability to find and load resources of a specific module
- details
-
FindResourceW@KERNEL32.dll
FindResourceW@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Reads configuration files
- details
-
"<Input Sample>" read file "%USERPROFILE%\Users\%OSUSER%\Desktop\desktop.ini"
"<Input Sample>" read file "%WINDIR%\win.ini"
"<Input Sample>" read file "%USERPROFILE%\Searches\desktop.ini"
"<Input Sample>" read file "%USERPROFILE%\Videos\desktop.ini"
"<Input Sample>" read file "%USERPROFILE%\Pictures\desktop.ini"
"<Input Sample>" read file "%USERPROFILE%\Contacts\desktop.ini"
"<Input Sample>" read file "%USERPROFILE%\Favorites\desktop.ini"
- source
- API Call
- relevance
- 4/10
-
Installation/Persistence
-
Drops executable files
- details
-
"Prereq.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"CustomAction.dll" has type "PE32+ executable (DLL) (console) x86-64 (stripped to external PDB) for MS Windows"
"lzmaextractor.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"decoder.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"aicustact.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"KomodoBootstrapper.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"PerlRun.exe" has type "PE32+ executable (GUI) x86-64 (stripped to external PDB) for MS Windows"
"MSI4588.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"MSI48F5.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"MSI48D5.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"MSI4BA6.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"MSI4925.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 10/10
-
Network Related
-
Found potential IP address in binary/memory
- details
-
Heuristic match: "--/.o-0.1.2.3.4.5.7.-I---8.--:.-z-P-;.=.?.-@.-C.D.-F.-G.I.-K.--H.M.-N.P.Q.S.-L.T.U.Y-V.X.Y.Z.\.^._.`.a.c.e.f.h.i.j.k.m.n.j.o.p.q.r.t.u.v.w..x.-y.{.-.|..~."
"13.5.0.0"
- source
- File/Memory
- relevance
- 3/10
-
Spyware/Information Retrieval
-
Contains ability to enumerate processes/modules/threads
- details
-
CreateToolhelp32Snapshot@KERNEL32.dll
CreateToolhelp32Snapshot@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 5/10
-
System Destruction
-
Marks file for deletion
- details
-
"C:\dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe" marked "%TEMP%\tinE7C6.tmp" for deletion
"C:\dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\updF822.tmp" for deletion
"C:\dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\MSI4588.tmp" for deletion
"C:\dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\MSI48D5.tmp" for deletion
"C:\dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\MSI48F5.tmp" for deletion
"C:\dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\MSI4925.tmp" for deletion
"C:\dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\MSI4BA6.tmp" for deletion
"C:\dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe" marked "C:\MSIc1103.tmp" for deletion
"C:\dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe" marked "C:\Users\%USERNAME%\AppData\Roaming\ActiveState\ActivePerl 5.24.2 Build 2403 (64-bit) 5.24.2403\install\decoder.dll" for deletion
"C:\dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\EXE1A90.tmp" for deletion
- source
- API Call
- relevance
- 10/10
-
Opens file with deletion access rights
- details
-
"<Input Sample>" opened "%TEMP%\tinE7C6.tmp" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\tinE7C6.tmp.part" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\updF822.tmp" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\MSI4588.tmp" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\MSI48D5.tmp" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\MSI48F5.tmp" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\MSI4925.tmp" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\MSI4BA6.tmp" with delete access
"<Input Sample>" opened "C:\MSIc1103.tmp" with delete access
"<Input Sample>" opened "%SAMPLEDIR%\MSIc1104.tmp" with delete access
"<Input Sample>" opened "C:\Windows\Tasks\C__dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe.job" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Roaming\ActiveState\ActivePerl 5.24.2 Build 2403 (64-bit) 5.24.2403\install\decoder.dll" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Roaming\ActiveState\ActivePerl 5.24.2 Build 2403 (64-bit) 5.24.2403\install\BD0A98C\ActivePerl-5.24.2.2403-MSWin32-x64-403863.exe.msi" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\EXE1A90.tmp" with delete access
- source
- API Call
- relevance
- 7/10
-
System Security
-
Modifies proxy settings
- details
-
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
"<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
"<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
"<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"<Input Sample>" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source
- Registry Access
- relevance
- 10/10
-
Unusual Characteristics
-
CRC value set in PE header does not match actual value
- details
-
"CustomAction.dll" claimed CRC 74716 while the actual is CRC 400492
"lzmaextractor.dll" claimed CRC 67091 while the actual is CRC 74716
"aicustact.dll" claimed CRC 232189 while the actual is CRC 167027
"KomodoBootstrapper.exe" claimed CRC 457403 while the actual is CRC 232189
"PerlRun.exe" claimed CRC 49337 while the actual is CRC 457403
- source
- Static Parser
- relevance
- 10/10
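Two caveats before this indicator is read as evidence of tampering. First, the CheckSum field of the optional header is only validated by the loader for drivers, DLLs loaded at boot and DLLs loaded into critical system processes; ordinary user-mode executables and installer payloads are routinely shipped with a zero or stale value, so a mismatch on its own carries little weight. Second, the pairs listed above line up oddly: the "actual" figure on each row equals the "claimed" figure on the row before it (74716, 232189 and 457403 each appear twice), so the report's pairing looks shifted by one row and should be recomputed rather than quoted. The function below reimplements the PE CheckSum algorithm (32-bit words summed with carry folding, the CheckSum field itself excluded, folded to 16 bits, plus the file length) as an added example written for this note; it is not code from the report or from any PE library. build_minimal_pe constructs a skeletal image so the example runs offline; any real file can be passed to pe_checksum instead.

```python
import struct


def compute_pe_checksum(data: bytes, checksum_off: int) -> int:
    """PE CheckSum over an image's raw bytes, as imagehlp's CheckSumMappedFile computes it.

    Sum every 32-bit little-endian word except the CheckSum field itself,
    folding carries out of 32 bits, then fold the result to 16 bits and add
    the unpadded file length.
    """
    pad = (-len(data)) % 4
    padded = data + b"\0" * pad
    skip = checksum_off & ~3  # the field is 4-byte aligned in any well-formed header
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return total + len(data)


def pe_checksum(data: bytes) -> tuple:
    """Return (claimed, computed) checksums for the bytes of a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_OPTIONAL_HEADER starts 4 (signature) + 20 (COFF header) bytes past e_lfanew;
    # CheckSum sits at offset 64 of the optional header for PE32 and PE32+ alike.
    checksum_off = e_lfanew + 24 + 64
    claimed = struct.unpack_from("<I", data, checksum_off)[0]
    return claimed, compute_pe_checksum(data, checksum_off)


def checksum_matches(data: bytes) -> bool:
    claimed, computed = pe_checksum(data)
    return claimed == computed


def build_minimal_pe(claimed_checksum: int) -> bytes:
    """Construct a 184-byte skeleton (DOS header, PE signature, COFF header, PE32
    optional header without data directories). Enough for the checksum walk; not loadable."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew
    coff = bytes(20)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)            # Magic = PE32
    struct.pack_into("<I", opt, 64, claimed_checksum)  # CheckSum field
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            claimed, computed = pe_checksum(fh.read())
    else:
        claimed, computed = pe_checksum(build_minimal_pe(0))
    print(f"claimed={claimed} computed={computed} match={claimed == computed}")
```

Run it against each dropped binary named in the indicator to get a claimed/computed pair that can actually be trusted; a zero claimed value simply means the linker was never asked to fill the field in.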
-
Imports suspicious APIs
- details
-
RegCreateKeyExW
RegCloseKey
RegDeleteKeyW
SetSecurityDescriptorDacl
OpenProcessToken
RegOpenKeyExW
RegEnumKeyExW
RegDeleteValueW
StartServiceW
GetDriveTypeW
FindNextFileA
FindResourceExW
ConnectNamedPipe
CopyFileW
OutputDebugStringW
GetModuleFileNameW
IsDebuggerPresent
GetModuleFileNameA
LoadLibraryExA
UnhandledExceptionFilter
LoadLibraryExW
TerminateProcess
GetModuleHandleExW
LoadLibraryW
VirtualProtect
GetFileSize
GetStartupInfoW
CreateDirectoryW
DeleteFileW
GetProcAddress
GetTempFileNameW
WriteFile
FindFirstFileExA
FindNextFileW
FindFirstFileW
CreateFileW
FindResourceW
LockResource
GetCommandLineW
GetCommandLineA
CopyFileExW
GetModuleHandleW
GetTempPathW
Sleep
ShellExecuteExW
GetTickCount
GetVersionExA
GetModuleHandleA
CreateFileA
GetUserNameW
GetComputerNameW
GetVersionExW
CreateThread
ExitThread
VirtualAlloc
CreateToolhelp32Snapshot
OpenProcess
Process32NextW
Process32FirstW
CreateProcessW
ShellExecuteW
GetWindowThreadProcessId
socket
bind
WSAStartup
closesocket
GetFileAttributesW
FindFirstFileExW
GetStartupInfoA
CreateProcessA
- source
- Static Parser
- relevance
- 1/10
-
Installs hooks/patches the running process
- details
-
"<Input Sample>" wrote bytes "f8119f7520149f753a84a075f5169f75a9119f7585489f75b9349f75a9349f7568349f7500000000a56bdf75e485df75e04ddf759cc0df75a3bfdf7592aedf750c7ddf7500000000" to virtual address "0x74611000" (part of module "MSIMG32.DLL")
"<Input Sample>" wrote bytes "0efc8f7781ed8e77ae868d77c6e08c77effd8f772d168e77c0fc8b77da8f967760149077478d8d77a8e28c7760898d7700000000ad379a758b2d9a75b6419a7500000000" to virtual address "0x73ED1000" (part of module "WSHIP6.DLL")
"<Input Sample>" wrote bytes "75dcd475273ed47551c1d275ee9cd2759498d2750fb3d8751099d2759097d27500000000f5169f75ead7a075d9179f7569879f750f77a1753a84a075a9349f7520149f75f8119f75ff109f7500000000" to virtual address "0x746DE000" (part of module "MSLS31.DLL")
"<Input Sample>" wrote bytes "7d07907781ed8e77ae868d77c6e08c77effd8f772d168e7760149077478d8d77a8e28c7760898d7700000000ad379a758b2d9a75b6419a7500000000" to virtual address "0x73DE1000" (part of module "WSHTCPIP.DLL")
"<Input Sample>" wrote bytes "c0df8c771cf98b77ccf88b770d648d7700000000c0119f7500000000fc3e9f7500000000e0139f75000000009457f47525e08c77c6e08c7700000000bc6af37500000000cf319f75000000009319f475000000002c329f7500000000" to virtual address "0x75891000" (part of module "NSI.DLL")
"<Input Sample>" wrote bytes "711107027a3b0602ab8b02007f950200fc8c0200729602006cc805001ecd03027d260302" to virtual address "0x758B07E4" (part of module "USER32.DLL")
"cmd.exe" wrote bytes "711107027a3b0602ab8b02007f950200fc8c0200729602006cc805001ecd03027d260302" to virtual address "0x758B07E4" (part of module "USER32.DLL")
"attrib.exe" wrote bytes "711107027a3b0602ab8b02007f950200fc8c0200729602006cc805001ecd03027d260302" to virtual address "0x758B07E4" (part of module "USER32.DLL")
- source
- Hook Detection
- relevance
- 10/10
-
Reads information about supported languages
- details
-
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"<Input Sample>" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALENAME")
"cmd.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"attrib.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
-
Hiding 14 Suspicious Indicators
-
Informative 32
-
Anti-Reverse Engineering
-
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
-
SetUnhandledExceptionFilter@KERNEL32.dll
SetUnhandledExceptionFilter@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
PE file contains zero-size sections
- details
-
Raw size of ".bss" is zero
Raw size of ".data" is zero
- source
- Static Parser
- relevance
- 10/10
-
Environment Awareness
-
Contains ability to query machine time
- details
-
GetLocalTime@KERNEL32.dll
GetSystemTime@KERNEL32.dll
GetSystemTime@KERNEL32.dll
GetSystemTimeAsFileTime@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the machine version
- details
-
GetVersionExW@KERNEL32.dll
GetVersionExW@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query volume size
- details
-
GetDiskFreeSpaceExW@KERNEL32.dll
GetDiskFreeSpaceW@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 3/10
-
Possibly tries to detect the presence of a debugger
- details
-
GetProcessHeap@KERNEL32.dll
GetProcessHeap@KERNEL32.dll
GetProcessHeap@KERNEL32.dll
GetProcessHeap@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Queries volume information
- details
-
"<Input Sample>" queries volume information of "C:\" at 00011324-00001140-00000046-54933268
"<Input Sample>" queries volume information of "%TEMP%\AI_EXTUI_BIN_1140\activeperlclassicdialog.bmp" at 00011324-00001140-00000046-55378527
"<Input Sample>" queries volume information of "C:\share" at 00011324-00001140-00000046-55598827
"<Input Sample>" queries volume information of "%TEMP%\AI_EXTUI_BIN_1140\activeperlclassicdialog.bmp" at 00011324-00001140-00000046-55684747
"<Input Sample>" queries volume information of "%TEMP%\AI_EXTUI_BIN_1140\activeperlclassicbanner.bmp" at 00011324-00001140-00000046-61925159
"<Input Sample>" queries volume information of "%TEMP%\AI_EXTUI_BIN_1140\activeperlclassicdialog.bmp" at 00011324-00001140-00000046-68075191
- source
- API Call
- relevance
- 2/10
-
Queries volume information of an entire harddrive
- details
- "<Input Sample>" queries volume information of "C:\" at 00011324-00001140-00000046-54933268
- source
- API Call
- relevance
- 8/10
-
Reads the registry for installed applications
- details
-
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\EXE1FE0.TMP.BAT")
"<Input Sample>" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\EXE1FE0.TMP.BAT")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\EXE1A90.TMP.BAT")
"<Input Sample>" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\EXE1A90.TMP.BAT")
- source
- Registry Access
- relevance
- 10/10
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
-
0/67 Antivirus vendors marked sample as malicious (0% detection rate)
0/40 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
General
-
Accesses Software Policy Settings
- details
-
"<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CERTIFICATES"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CRLS"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CTLS"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CERTIFICATES"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CRLS"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CTLS"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
- source
- Registry Access
- relevance
- 10/10
-
Accesses System Certificates Settings
- details
-
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\104C63D2546B8021DD105E9FBA5A8D78169F6B32"; Key: "BLOB")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\1FB86B1168EC743154062E8C9CC5B171A4B7CCB4"; Key: "BLOB")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\247106A405B288A46E70A0262717162D0903E734"; Key: "BLOB")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "BLOB")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\339CDD57CFD5B141169B615FF31428782D1DA639"; Key: "BLOB")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\5AEAEE3F7F2A9449CEBAFEEC68FDD184F20124A7"; Key: "BLOB")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\902EF2DEEB3C5B13EA4C3D5193629309E231AE55"; Key: "BLOB")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\C86EDBC71AB05078F61ACDF3D8DC5DB61EB75FB6"; Key: "BLOB")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\E3FC0AD84F2F5A83ED6F86F567F8B14B40DCBF12"; Key: "BLOB")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\EAB040689A0D805B5D6FD654FC168CFF00B78BE3"; Key: "BLOB")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0"; Key: "BLOB")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\AUTOUPDATE"; Key: "DISALLOWEDCERTLASTSYNCTIME")
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46"; Key: "BLOB")
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\AUTHROOT\CERTIFICATES\02FAF3E291435468607857694DF5E45B68851868"; Key: "BLOB")
- source
- Registry Access
- relevance
- 10/10
-
Contacts domains
- details
-
"www.google.de"
"update.activestate.com"
- source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
-
"172.217.22.99:80"
"38.88.76.21:443"
- source
- Network Traffic
- relevance
- 1/10
-
Contains PDB pathways
- details
-
"C:\Branch\win\Release\stubs\x86\ExternalUi.pdb"
"C:\Branch\win\Release\custact\x86\AICustAct.pdb"
"C:\Branch\win\Release\stubs\x86\setup.pdb"
- source
- File/Memory
- relevance
- 1/10
-
Creates a writable file in a temporary directory
- details
-
"<Input Sample>" created file "%TEMP%\tinE7C6.tmp.part"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\MSI4588.tmp"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\MSI48D5.tmp"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\MSI48F5.tmp"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\MSI4925.tmp"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1140\activeperlclassicdialog.bmp"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1140\activeperlclassicbanner.bmp"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1140\custicon"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1140\completi"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1140\exclamic"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1140\info"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1140\insticon"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1140\removico"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1140\repairic"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1140\Up"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1140\New"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1140\tabback"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1140\CustomAction.dll"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1140\KomodoBootstrapper.exe"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1140\PerlRun.exe"
- source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"Local\ZonesCacheCounterMutex"
"Local\ZonesLockedCacheCounterMutex"
- source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "Prereq.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "CustomAction.dll" as clean (type is "PE32+ executable (DLL) (console) x86-64 (stripped to external PDB) for MS Windows")
- source
- Binary File
- relevance
- 10/10
-
GETs files from a webserver
- details
-
"GET /?gfe_rd=cr&dcr=0&ei=_DEzWp3ZG6Lb8AfSrbiIDw HTTP/1.1
Accept: */*
User-Agent: AdvancedInstaller
Connection: Keep-Alive
Cache-Control: no-cache
Host: www.google.de"
- source
- Network Traffic
- relevance
- 5/10
-
Loads rich edit control libraries
- details
- "<Input Sample>" loaded module "%WINDIR%\SysWOW64\riched20.dll" at 73F30000
- source
- Loaded Module
-
Reads Windows Trust Settings
- details
- "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source
- Registry Access
- relevance
- 5/10
-
Runs shell commands
- details
-
"%WINDIR%\system32\cmd.exe /c ""%TEMP%\EXE1A90.tmp.bat" "" on 2017-12-15.03:26:29.622
"%WINDIR%\system32\cmd.exe /c ""%TEMP%\EXE1FE0.tmp.bat" "" on 2017-12-15.03:26:29.693
"%WINDIR%\system32\cmd.exe /S /D /c" del "%TEMP%\EXE1A90.tmp.bat" "" on 2017-12-15.03:26:29.996
"%WINDIR%\system32\cmd.exe /S /D /c" cls"" on 2017-12-15.03:26:30.117
"%WINDIR%\system32\cmd.exe /S /D /c" del "%TEMP%\EXE1FE0.tmp.bat" "" on 2017-12-15.03:26:30.197
"%WINDIR%\system32\cmd.exe /S /D /c" cls"" on 2017-12-15.03:26:30.278
- source
- Monitored Target
- relevance
- 5/10
-
Scanning for window names
- details
-
"<Input Sample>" searching for class "Shell_TrayWnd"
"<Input Sample>" searching for class "CicLoaderWndClass"
- source
- API Call
- relevance
- 10/10
-
Spawns new processes
- details
-
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c ""%TEMP%\EXE1A90.tmp.bat" ""
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c ""%TEMP%\EXE1FE0.tmp.bat" ""
Spawned process "attrib.exe" with commandline "ATTRIB -r "\\?\%APPDATA%\ACTIVE~1\ACTIVE~1.240\install\BD0A98C\ACTIVE~1.MSI""
Spawned process "attrib.exe" with commandline "ATTRIB -r "\\?\%APPDATA%\ACTIVE~1\ACTIVE~1.240\install\BD0A98C\ACTIVE~1.MSI""
Spawned process "attrib.exe" with commandline "ATTRIB -r "%TEMP%\EXE1A90.tmp.bat""
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /S /D /c" del "%TEMP%\EXE1A90.tmp.bat" ""
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /S /D /c" cls""
Spawned process "attrib.exe" with commandline "ATTRIB -r "%TEMP%\EXE1FE0.tmp.bat""
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /S /D /c" del "%TEMP%\EXE1FE0.tmp.bat" ""
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /S /D /c" cls""
- source
- Monitored Target
- relevance
- 3/10
-
Installation/Persistence
-
Connects to LPC ports
- details
- "<Input Sample>" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
-
Dropped files
- details
-
"EXE1A90.tmp.bat" has type "DOS batch file ASCII text with CRLF line terminators"
"EXE1FE0.tmp.bat" has type "DOS batch file ASCII text with CRLF line terminators"
"Prereq.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"ActivePerl-5.24.2.2403-MSWin32-x64-403863.exe.msi" has type "Composite Document File V2 Document Little Endian Os: Windows Version 6.1 Title: Installation Database Keywords: Installer MSI Database Last Printed: Fri Dec 11 11:47:44 2009 Create Time/Date: Fri Dec 11 11:47:44 2009 Last Saved Time/Date: Fri Dec 11 11:47:44 2009 Number of Pages: 200 Security: 0 Code page: 1252 Revision Number: {B663D55B-AC08-40D9-8D56-2CDC7687727A} Number of Words: 0 Subject: ActivePerl 5.24.2 Build 2403 (64-bit) Author: ActiveState Name of Creating Application: Advanced Installer 13.5 build 74683 Template: x64;1033 Comments: This installer database contains the logic and data required to install ActivePerl 5.24.2 Build 2403 (64-bit)."
"CustomAction.dll" has type "PE32+ executable (DLL) (console) x86-64 (stripped to external PDB) for MS Windows"
"lzmaextractor.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"decoder.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"aicustact.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"KomodoBootstrapper.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"PerlRun.exe" has type "PE32+ executable (GUI) x86-64 (stripped to external PDB) for MS Windows"
"K6D6VZQ6.txt" has type "ASCII text"
"repairic" has type "MS Windows icon resource - 2 icons 32x32 16-colors"
"custicon" has type "MS Windows icon resource - 2 icons 32x32 16-colors"
"activeperlclassicbanner.bmp" has type "PC bitmap Windows 3.x format 500 x 59 x 24"
"5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4" has type "data"
"banner" has type "JPEG image data JFIF standard 1.02"
"dialog" has type "JPEG image data JFIF standard 1.02"
"1BB09BEEC155258835C193A7AA85AA5B_D1ABFF1A01B07FC6E70563A82B9473F2" has type "data"
"tinE7C6.tmp.part" has type "HTML document ISO-8859 text with very long lines"
"5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7" has type "data"
- source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"<Input Sample>" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db"
"<Input Sample>" touched file "C:\Windows\Fonts\StaticCache.dat"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files"
"<Input Sample>" touched file "C:\Windows\SysWOW64\rsaenh.dll"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History"
"<Input Sample>" touched file "C:\Windows\SysWOW64\wshqos.dll"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies\LFJV3PF3.txt"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies\K6D6VZQ6.txt"
"<Input Sample>" touched file "C:\Windows\SysWOW64\en-US\KernelBase.dll.mui"
"<Input Sample>" touched file "C:\Windows\SysWOW64\msi.dll"
- source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
- source
- File/Memory
- relevance
- 10/10
-
HTTP request contains Base64 encoded artifacts
- details
- "LvFn"
- source
- Network Traffic
- relevance
- 7/10
-
Spyware/Information Retrieval
-
Found a reference to a known community page
- details
- "div></div></div><span id="footer"><div style="font-size:10pt"><div style="margin:19px auto;text-align:center" id="fll"><a href="/intl/de/ads/">Werben mit Google</a><a href="/services/">Unternehmensangebote</a><a href="https://plus.google.com/117570067846637741468" rel="publisher">+Google</a><a href="/intl/de/about.html">" (Indicator: "plus.google.com")
- source
- File/Memory
- relevance
- 7/10
-
System Security
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "<Input Sample>" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
-
"Prereq.dll" was detected as "Borland Delphi 3.0 (???)"
"decoder.dll" was detected as "Borland Delphi 3.0 (???)"
"aicustact.dll" was detected as "Borland Delphi 3.0 (???)"
"KomodoBootstrapper.exe" was detected as "VC8 -> Microsoft Corporation"
- source
- Static Parser
- relevance
- 10/10
File Details
ActivePerl-5.24.2.2403-MSWin32-x64-403863 (2).exe
- Filename
- ActivePerl-5.24.2.2403-MSWin32-x64-403863 (2).exe
- Size
- 21MiB (22214440 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040
- MD5
- 079ab522c95a711fd0ddba62274db3ad
- SHA1
- d222adad262f5bfdc3c8b25f486762bd56b6838c
Classification (TrID)
- 52.9% (.EXE) Win32 Executable (generic)
- 23.5% (.EXE) Generic Win/DOS Executable
- 23.5% (.EXE) DOS Executable Generic
Hybrid Analysis
Analysed 11 processes in total.
-
Input Sample
(PID: 1140)
-
cmd.exe
%WINDIR%\system32\cmd.exe /c ""%TEMP%\EXE1A90.tmp.bat" "
(PID: 2144)
- attrib.exe ATTRIB -r "\\?\%APPDATA%\ACTIVE~1\ACTIVE~1.240\install\BD0A98C\ACTIVE~1.MSI" (PID: 2264)
- attrib.exe ATTRIB -r "%TEMP%\EXE1A90.tmp.bat" (PID: 960)
- cmd.exe %WINDIR%\system32\cmd.exe /S /D /c" del "%TEMP%\EXE1A90.tmp.bat" " (PID: 2104)
- cmd.exe %WINDIR%\system32\cmd.exe /S /D /c" cls" (PID: 3068)
-
cmd.exe
%WINDIR%\system32\cmd.exe /c ""%TEMP%\EXE1FE0.tmp.bat" "
(PID: 712)
- attrib.exe ATTRIB -r "\\?\%APPDATA%\ACTIVE~1\ACTIVE~1.240\install\BD0A98C\ACTIVE~1.MSI" (PID: 2216)
- attrib.exe ATTRIB -r "%TEMP%\EXE1FE0.tmp.bat" (PID: 2400)
- cmd.exe %WINDIR%\system32\cmd.exe /S /D /c" del "%TEMP%\EXE1FE0.tmp.bat" " (PID: 2456)
- cmd.exe %WINDIR%\system32\cmd.exe /S /D /c" cls" (PID: 1340)
Network Analysis
DNS Requests
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
172.217.22.99 | 80 TCP | <Input Sample> PID: 1140 | United States |
38.88.76.21 | 443 TCP | <Input Sample> PID: 1140 | United States |
Contacted Countries
HTTP Traffic
Endpoint | Request | URL | Response |
---|---|---|---|
172.217.22.99:80 (www.google.de) | GET | www.google.de/?gfe_rd=cr&dcr=0&ei=_DEzWp3ZG6Lb8AfSrbiIDw | 200 OK |

Raw request:
GET /?gfe_rd=cr&dcr=0&ei=_DEzWp3ZG6Lb8AfSrbiIDw HTTP/1.1
Accept: */*
User-Agent: AdvancedInstaller
Connection: Keep-Alive
Cache-Control: no-cache
Host: www.google.de
Memory Forensics
String | Context | Stream UID |
---|---|---|
http://www.yahoo.com | Domain/IP reference | 00011324-00001140-15753-686-00172618 |
http://www.example.com | Domain/IP reference | 00011324-00001140-15753-686-00172618 |
http://www.google.com | Domain/IP reference | 00011324-00001140-15753-686-00172618 |
Extracted Strings
Extracted Files
Displaying 28 extracted file(s). The remaining 16 file(s) are available in the full version and XML/JSON reports.
-
Malicious 1
-
-
ActivePerl-5.24.2.2403-MSWin32-x64-403863.exe.msi
- Size
- 2.2MiB (2331136 bytes)
- Type
- rtf
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Title: Installation Database, Keywords: Installer, MSI, Database, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Dec 11 11:47:44 2009, Number of Pages: 200, Security: 0, Code page: 1252, Revision Number: {B663D55B-AC08-40D9-8D56-2CDC7687727A}, Number of Words: 0, Subject: ActivePerl 5.24.2 Build 2403 (64-bit), Author: ActiveState, Name of Creating Application: Advanced Installer 13.5 build 74683, Template: x64;1033, Comments: This installer database contains the logic and data required to install ActivePerl 5.24.2 Build 2403 (64-bit).
- AV Scan Result
- Labeled as "Trojan.Generic" (1/58)
- Runtime Process
- dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe (PID: 1140)
- MD5
- cf4c85a9e18de427985694f8ee288eac
- SHA1
- 37b119b9e60a8e297b79bb1b79156dc686461040
- SHA256
- 5273f82adfd6361b8917572ec7aca3fb2f0abf8bced07f8361187a9b2df31111
-
-
Clean 2
-
-
CustomAction.dll
- Size
- 18KiB (17920 bytes)
- Type
- pedll 64bits executable
- Description
- PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
- AV Scan Result
- 0/67
- Runtime Process
- dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe (PID: 1140)
- MD5
- 7da366bea6845fb1b8026d0d87ad77f3
- SHA1
- 2bcf543bac80aaf416ad0b9f5238dad01822e575
- SHA256
- 0cb795cf8e4260657031eb3fe0c61b6fdd99245ffe4ad8b377bba31c41b7dc3d
-
Prereq.dll
- Size
- 366KiB (374272 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/61
- Runtime Process
- dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe (PID: 1140)
- MD5
- 5671bcffa38c8bccc620a298ab0e6b58
- SHA1
- b44cb29020dea02b634632ba1adfb30ae4e12791
- SHA256
- d9b9319bb817e829dc2e29363bc9f90f811fc0e0e069458ff78f5afa69af59f5
-
-
Informative Selection 7
-
-
EXE1A90.tmp.bat
- Size
- 455B (455 bytes)
- Type
- text
- Description
- DOS batch file, ASCII text, with CRLF line terminators
- Runtime Process
- cmd.exe (PID: 2104)
- MD5
- 6a42bbbcfaeb6c8bdbad69495b3665ba
- SHA1
- defe802cfff8eb012ba923077923c3b149c2c3c6
- SHA256
- 64451f3cef54e369779b30ae20bb3494b344949851f8fb2ea30250c0a5111232
-
EXE1FE0.tmp.bat
- Size
- 455B (455 bytes)
- Type
- text
- Description
- DOS batch file, ASCII text, with CRLF line terminators
- Runtime Process
- cmd.exe (PID: 2456)
- MD5
- 0e5f142f0c66bc5289c480d574a48e4f
- SHA1
- 2d3c734af1d654779210248fa8b9960df6f06f87
- SHA256
- 1207986cb8d09bbbbe4188e0bb8acd325b42f4cb1b08905f7969bbc74a1fffbb
-
MSI4588.tmp
- Size
- 210KiB (214528 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Runtime Process
- dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe (PID: 1140)
- MD5
- e0d0d82f22d7cc1a1cacd486799d5d96
- SHA1
- 1e3d1b2a43356d8bde93fdd8362b6e9598da9124
- SHA256
- 84fe1f4a7dc3c2a73ed202a9fcf4da9b463c5b692639cb93f919bda9f18a14e9
-
MSI48D5.tmp
- Size
- 210KiB (214528 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Runtime Process
- dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe (PID: 1140)
- MD5
- e0d0d82f22d7cc1a1cacd486799d5d96
- SHA1
- 1e3d1b2a43356d8bde93fdd8362b6e9598da9124
- SHA256
- 84fe1f4a7dc3c2a73ed202a9fcf4da9b463c5b692639cb93f919bda9f18a14e9
-
MSI48F5.tmp
- Size
- 210KiB (214528 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Runtime Process
- dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe (PID: 1140)
- MD5
- e0d0d82f22d7cc1a1cacd486799d5d96
- SHA1
- 1e3d1b2a43356d8bde93fdd8362b6e9598da9124
- SHA256
- 84fe1f4a7dc3c2a73ed202a9fcf4da9b463c5b692639cb93f919bda9f18a14e9
-
MSI4925.tmp
- Size
- 210KiB (214528 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Runtime Process
- dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe (PID: 1140)
- MD5
- e0d0d82f22d7cc1a1cacd486799d5d96
- SHA1
- 1e3d1b2a43356d8bde93fdd8362b6e9598da9124
- SHA256
- 84fe1f4a7dc3c2a73ed202a9fcf4da9b463c5b692639cb93f919bda9f18a14e9
-
MSI4BA6.tmp
- Size
- 210KiB (214528 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Runtime Process
- dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe (PID: 1140)
- MD5
- e0d0d82f22d7cc1a1cacd486799d5d96
- SHA1
- 1e3d1b2a43356d8bde93fdd8362b6e9598da9124
- SHA256
- 84fe1f4a7dc3c2a73ed202a9fcf4da9b463c5b692639cb93f919bda9f18a14e9
-
-
Informative 18
-
-
decoder.dll
- Size
- 146KiB (148992 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Runtime Process
- dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe (PID: 1140)
- MD5
- bf436648d11de396f4b4cf1faeb63366
- SHA1
- fa1e2751736e3a100a7daa6f53a5665afe931272
- SHA256
- abdee86230f7d790976ac031522788e0a23cc5657d19e95d97096a398140ea93
-
K6D6VZQ6.txt
- Size
- 274B (274 bytes)
- Type
- text
- Description
- ASCII text
- Runtime Process
- dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe (PID: 1140)
- MD5
- b653cfb2735f5521a91fa7753446831d
- SHA1
- 590e9b15fa5fbad4ed3eab66a395c4ae54e5b36e
- SHA256
- 0258eafa0936ee0fca96dcf5c1a76ac6cb03f1877c1d56022e78fca1ff7e9325
-
LFJV3PF3.txt
- Size
- 79B (79 bytes)
- Runtime Process
- dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe (PID: 1140)
- MD5
- 516fae7777e34f6d417d2291f8fd53b7
- SHA1
- ecfa97993352c7a1ee6050b241ae96ecd26aec08
- SHA256
- 8d3ec42dfc0d6070013dae9bbca4e9be23367d6568f8f2f5db513cdf0c7f85b4
-
57C8EDB95DF3F0AD4EE2DC2B8CFD4157
- Size
- 340B (340 bytes)
- Runtime Process
- dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe (PID: 1140)
- MD5
- df268a76c5fb29564e6d526f4cc22804
- SHA1
- 15ccfb1dee878a4c4a1049432dde789f8e5a26d5
- SHA256
- 2578d7cc4cfa73cd66252b0be9cee8965dbd5dd7e8646402053f34e233e3a84c
-
1BB09BEEC155258835C193A7AA85AA5B_D1ABFF1A01B07FC6E70563A82B9473F2
- Size
- 404B (404 bytes)
- Runtime Process
- dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe (PID: 1140)
- MD5
- 04c2b900e7c23716b96f8fcbfb276ab8
- SHA1
- 4abda0626f4d17ea4f33d209d9daa9175f41c50e
- SHA256
- 791a37eb8db83515b86f642b0c0147f463730447cf7353d2c08edb610faff95f
-
5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220
- Size
- 727B (727 bytes)
- Runtime Process
- dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe (PID: 1140)
- MD5
- 4e960372be412f296c501706406384e1
- SHA1
- 666a1116d9943169f844d24b4d3d2c7a780b89c7
- SHA256
- db1307a4ee3b74dbfce9676aafb56d7ad6d1cd8977cc8c49e8e28da3a5caf2e5
-
5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7
- Size
- 727B (727 bytes)
- Runtime Process
- dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe (PID: 1140)
- MD5
- 6066b2e4e8ba754445bd200ba5fefb89
- SHA1
- b465cc5018e6bd11c2d54c9bf68d8ace4b64a6e7
- SHA256
- 759ad6d7fa2d720152e479d688cf9d322aa9cb7cd82870ab06548875045dcf1f
-
5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4
- Size
- 471B (471 bytes)
- Runtime Process
- dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe (PID: 1140)
- MD5
- 8590508241ceb91522efde3371766f26
- SHA1
- 15c11c5ef0dd62ff318913c329c7715a25302f20
- SHA256
- 6b4023cde1c9d50fc9e06a2c8ea0515e071d2067bb6e96e295ec6674ea94f3b4
-
D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_F36A5455545D090CDA0D02D56B99F7BB
- Size
- 408B (408 bytes)
- Runtime Process
- dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe (PID: 1140)
- MD5
- 30a6edcaa5f24d4b460a4e55c5e15f76
- SHA1
- e717a089655912429ad86009024ea8d508033e59
- SHA256
- 7165085ad49ea5cbd43e7d6839c84bb0aa5ca65324b1315ffc10339678bbb659
-
KomodoBootstrapper.exe
- Size
- 405KiB (414328 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Runtime Process
- dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe (PID: 1140)
- MD5
- ea9318e38307c6f26970d690ded8d0a6
- SHA1
- 21c93dc18494e61976d0b331daf8403f1e69e41f
- SHA256
- 5966e40abbe09846009a658ad239fa22f26349552de0a2c04bb510e5a828ae03
-
New
- Size
- 318B (318 bytes)
- Runtime Process
- dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe (PID: 1140)
- MD5
- c23cbf002d82192481b61ed7ec0890f4
- SHA1
- dd373901c73760ca36907ff04691f5504ff00abe
- SHA256
- 4f92e804a11453382ebff7fb0958879bae88fe3366306911dec9d811cd306eed
-
PerlRun.exe
- Size
- 17KiB (16896 bytes)
- Type
- peexe 64bits executable
- Description
- PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
- Runtime Process
- dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe (PID: 1140)
- MD5
- 67572224ece9a0e8f1fddd5d738d9f3f
- SHA1
- 7ac3170096a48824b22d823e5d37a8b8d01c9019
- SHA256
- 72d58578f5c9eed0d818766953e76a7d6738a8aabd934c2016bf304898acbd58
-
Up
- Size
- 318B (318 bytes)
- Runtime Process
- dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe (PID: 1140)
- MD5
- 83730ac00391fb0f02f56fe2e4207a10
- SHA1
- 139fed8f0216132450e66bda0fbbdc2a5bd333af
- SHA256
- 573e3260eed63604f24f6f10ce5294e25e22fda9e5bfd9010134de6e684bab98
-
activeperlclassicbanner.bmp
- Size
- 86KiB (88554 bytes)
- Type
- unknown
- Description
- PC bitmap, Windows 3.x format, 500 x 59 x 24
- Runtime Process
- dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe (PID: 1140)
- MD5
- 0075c9691baea2f2047fb7ec94813378
- SHA1
- 4998ca799661736a11b6d98f75c0f7b8ea782777
- SHA256
- 3748bca306ddf192954f3a5b1b5fe21659886295e9f9441012718c89e5765a7d
-
activeperlclassicdialog.bmp
- Size
- 463KiB (474054 bytes)
- Runtime Process
- dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe (PID: 1140)
- MD5
- e24184d08b6c9891bc008f7a954989bf
- SHA1
- 6226694d5d152954534ed2740793291d9ede038f
- SHA256
- d26c6cc39edecb5ca1b7d6441fe7cafe874d26be9490250153ccf488841f6ecb
-
aicustact.dll
- Size
- 210KiB (214528 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Runtime Process
- dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe (PID: 1140)
- MD5
- e0d0d82f22d7cc1a1cacd486799d5d96
- SHA1
- 1e3d1b2a43356d8bde93fdd8362b6e9598da9124
- SHA256
- 84fe1f4a7dc3c2a73ed202a9fcf4da9b463c5b692639cb93f919bda9f18a14e9
-
banner
- Size
- 3.9KiB (4033 bytes)
- Type
- img image
- Description
- JPEG image data, JFIF standard 1.02
- Runtime Process
- dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe (PID: 1140)
- MD5
- c6b57f973a3273cb37a77c11b1aa498f
- SHA1
- 6af839d76eca45aeeafdbb47a54b73c1a960e105
- SHA256
- 4503e6a9fa0484ab39cee9bdf0aad9a9186658f5d74727e96dd33f7cfa64c8ef
-
lzmaextractor.dll
- Size
- 19KiB (18944 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Runtime Process
- dfc1b36cae36c2595781e32ff9d1d81f62322d1161517e0da5857f31aa38d040.exe (PID: 1140)
- MD5
- 92e2830df02dc4d20b52eba56901f979
- SHA1
- bfdda68f84aa44f56611b3b0ee9877386befc098
- SHA256
- 3ed1e35a735e1b128d2add77e4491d18c2e2589e580a94165d0369f18798ce25
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Although all strings were processed, some are hidden from the report in order to reduce the overall size
- No static analysis parsing on sample was performed
- Not all IP/URL string resources were checked online
- Not all file accesses are visible for attrib.exe (PID: 2216)
- Not all file accesses are visible for attrib.exe (PID: 2264)
- Not all file accesses are visible for attrib.exe (PID: 2400)
- Not all file accesses are visible for attrib.exe (PID: 960)
- Not all file accesses are visible for cmd.exe (PID: 1340)
- Not all file accesses are visible for cmd.exe (PID: 2104)
- Not all file accesses are visible for cmd.exe (PID: 2144)
- Not all file accesses are visible for cmd.exe (PID: 2456)
- Not all file accesses are visible for cmd.exe (PID: 3068)
- Not all file accesses are visible for cmd.exe (PID: 712)
- Not all sources for signature ID "api-12" are available in the report
- Not all sources for signature ID "api-31" are available in the report
- Not all sources for signature ID "api-4" are available in the report
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "api-6" are available in the report
- Not all sources for signature ID "binary-0" are available in the report
- Not all sources for signature ID "mutant-0" are available in the report
- Not all sources for signature ID "registry-17" are available in the report
- Not all sources for signature ID "registry-18" are available in the report
- Not all sources for signature ID "registry-19" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report