mini_installer_1.0.1.exe
This report is generated from a file or URL submitted to this webservice on April 28th 2017 12:58:40 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v6.40 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access: Contains a remote desktop related string
- Ransomware: Contains ability to create/switch the desktop
- Spyware: Accesses potentially sensitive information from local browsers
- Persistence: Modifies System Certificates Settings; Spawns a lot of processes
- Fingerprint: Reads the active computer name; Reads the cryptographic machine GUID; Reads the Windows installation date
- Spreading: Opens the MountPointManager (often used to detect additional infection locations)
- Network Behavior: Contacts 15 domains and 8 hosts.
Additional Context
Related Sandbox Artifacts
- Associated URLs
- hxxp://kinza.download.dayz.jp/files/mini_installer_1.0.1.exe
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators: 7
Network Related
Malicious artifacts seen in the context of a contacted host
- details:
Found malicious artifacts related to "31.13.92.14" (ASN: 32934, Owner: Facebook, Inc.): ...
Found malicious artifacts related to "31.13.92.36" (ASN: 32934, Owner: Facebook, Inc.): ...
- source: Network Traffic
- relevance: 10/10
Multiple malicious artifacts seen in the context of different hosts
- details:
Found malicious artifacts related to "31.13.92.14" (ASN: 32934, Owner: Facebook, Inc.): ...
Found malicious artifacts related to "31.13.92.36" (ASN: 32934, Owner: Facebook, Inc.): ...
- source: Network Traffic
- relevance: 10/10
Pattern Matching
YARA signature match
- details: YARA signature "GlassesCode" classified file "delegate_execute.exe" as "glasses,apt1" based on indicators: "b8abaaaaaaf7e1d1ea8d04522bc8" (Author: Seth Hardy)
- source: YARA Signature
- relevance: 10/10
Ransomware/Banking
Contains ability to create/switch the desktop
- details:
CreateWindowStationW@USER32.DLL from PID 00002908
CreateDesktopW@USER32.DLL from PID 00002908
CreateWindowStationW@USER32.DLL from PID 00003244
CreateDesktopW@USER32.DLL from PID 00003244
CreateWindowStationW@USER32.DLL from PID 00003344
CreateDesktopW@USER32.DLL from PID 00003344
CreateWindowStationW@USER32.DLL from PID 00003360
CreateDesktopW@USER32.DLL from PID 00003360
CreateWindowStationW@USER32.DLL from PID 00003504
CreateDesktopW@USER32.DLL from PID 00003504
CreateDesktopW@USER32.DLL from PID 00000284
CreateWindowStationW@USER32.DLL from PID 00000284
CreateWindowStationW@USER32.DLL from PID 00003652
CreateDesktopW@USER32.DLL from PID 00003652
CreateWindowStationW@USER32.DLL from PID 00003624
CreateDesktopW@USER32.DLL from PID 00003624
CreateWindowStationW@USER32.DLL from PID 00003608
CreateDesktopW@USER32.DLL from PID 00003608
CreateDesktopW@USER32.DLL from PID 00003600
CreateWindowStationW@USER32.DLL from PID 00003600
CreateWindowStationW@USER32.DLL from PID 00001452
CreateDesktopW@USER32.DLL from PID 00001452
- source: Hybrid Analysis Technology
- relevance: 5/10
System Security
Modifies System Certificates Settings
- details:
"kinza.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135")
"kinza.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
- source: Registry Access
- relevance: 8/10
Unusual Characteristics
Contains native function calls
- details:
NtFreeVirtualMemory@NTDLL.DLL from PID 00002908
NtProtectVirtualMemory@NTDLL.DLL from PID 00002908
NtQueryVirtualMemory@NTDLL.DLL from PID 00002908
NtProtectVirtualMemory@NTDLL.DLL from PID 00002908
NtAllocateVirtualMemory@NTDLL.DLL from PID 00002908
NtUnmapViewOfSection@NTDLL.DLL from PID 00002908
NtMapViewOfSection@NTDLL.DLL from PID 00002908
NtProtectVirtualMemory@NTDLL.DLL from PID 00002908
NtQueryInformationProcess@NTDLL.DLL from PID 00002908
NtQuerySection@NTDLL.DLL from PID 00002908
NtMapViewOfSection@NTDLL.DLL from PID 00003244
NtProtectVirtualMemory@NTDLL.DLL from PID 00003244
NtFreeVirtualMemory@NTDLL.DLL from PID 00003244
NtProtectVirtualMemory@NTDLL.DLL from PID 00003244
NtQueryVirtualMemory@NTDLL.DLL from PID 00003244
NtProtectVirtualMemory@NTDLL.DLL from PID 00003244
NtQuerySection@NTDLL.DLL from PID 00003244
NtQueryInformationProcess@NTDLL.DLL from PID 00003244
NtAllocateVirtualMemory@NTDLL.DLL from PID 00003244
NtUnmapViewOfSection@NTDLL.DLL from PID 00003244
NtProtectVirtualMemory@NTDLL.DLL from PID 00003344
NtQuerySection@NTDLL.DLL from PID 00003344
NtProtectVirtualMemory@NTDLL.DLL from PID 00003344
NtMapViewOfSection@NTDLL.DLL from PID 00003344
NtQueryObject@NTDLL.DLL from PID 00003344
NtUnmapViewOfSection@NTDLL.DLL from PID 00003344
NtQueryInformationProcess@NTDLL.DLL from PID 00003344
NtQueryVirtualMemory@NTDLL.DLL from PID 00003344
NtAllocateVirtualMemory@NTDLL.DLL from PID 00003344
NtFreeVirtualMemory@NTDLL.DLL from PID 00003344
NtProtectVirtualMemory@NTDLL.DLL from PID 00003344
NtProtectVirtualMemory@NTDLL.DLL from PID 00003360
NtMapViewOfSection@NTDLL.DLL from PID 00003360
NtFreeVirtualMemory@NTDLL.DLL from PID 00003360
NtProtectVirtualMemory@NTDLL.DLL from PID 00003360
NtQueryInformationProcess@NTDLL.DLL from PID 00003360
NtQueryVirtualMemory@NTDLL.DLL from PID 00003360
NtQuerySection@NTDLL.DLL from PID 00003360
NtAllocateVirtualMemory@NTDLL.DLL from PID 00003360
NtUnmapViewOfSection@NTDLL.DLL from PID 00003360
NtProtectVirtualMemory@NTDLL.DLL from PID 00003360
NtFreeVirtualMemory@NTDLL.DLL from PID 00000284
NtAllocateVirtualMemory@NTDLL.DLL from PID 00000284
NtUnmapViewOfSection@NTDLL.DLL from PID 00000284
NtProtectVirtualMemory@NTDLL.DLL from PID 00000284
NtQueryVirtualMemory@NTDLL.DLL from PID 00000284
NtQueryInformationProcess@NTDLL.DLL from PID 00000284
NtQuerySection@NTDLL.DLL from PID 00000284
NtProtectVirtualMemory@NTDLL.DLL from PID 00000284
NtMapViewOfSection@NTDLL.DLL from PID 00000284
- source: Hybrid Analysis Technology
- relevance: 5/10
Spawns a lot of processes
- details:
Spawned process "<Input Sample>"
Spawned process "setup.exe" with commandline "--install-archive="%TEMP%\CR_7B243.tmp\CHROME.PACKED.7Z""
Spawned process "kinza.exe"
Spawned process "kinza.exe" with commandline "--type=gpu-process --channel="2908.0.296120775\791057638" --supports-dual-gpus=false --gpu-driver-bug-workarounds=1,15 --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor="Oracle Corporation" --gpu-driver-version=5.0.20.0 --ignored=" --type=renderer " /prefetch:822062411"
Spawned process "kinza.exe" with commandline "--type=renderer --lang=en-US --force-fieldtrials=BrowserPreReadExperiment/100-pct-default/Prerender/Prerender15minTTL/UMA-New-Install-Uniformity-Trial/Control/UMA-Session-Randomized-Uniformity-Trial-5-Percent/group_16/UMA-Uniformity-Trial-1-Percent/group_67/UMA-Uniformity-Trial-10-Percent/group_05/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_02/UMA-Uniformity-Trial-5-Percent/group_09/UMA-Uniformity-Trial-50-Percent/group_01/ --extension-process --enable-threaded-compositing --enable-delegated-renderer --enable-software-compositing --channel="2908.1.1335464334\865468432" /prefetch:673131151"
Spawned process "kinza.exe" with commandline "--type=renderer --lang=en-US --force-fieldtrials=BrowserPreReadExperiment/100-pct-default/Prerender/Prerender15minTTL/UMA-New-Install-Uniformity-Trial/Control/UMA-Session-Randomized-Uniformity-Trial-5-Percent/group_16/UMA-Uniformity-Trial-1-Percent/group_67/UMA-Uniformity-Trial-10-Percent/group_05/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_02/UMA-Uniformity-Trial-5-Percent/group_09/UMA-Uniformity-Trial-50-Percent/group_01/ --extension-process --enable-threaded-compositing --enable-delegated-renderer --enable-software-compositing --channel="2908.2.601701404\369064887" /prefetch:673131151"
Spawned process "kinza.exe" with commandline "--type=utility --channel="2908.3.773762395\694874676" --lang=en-US --no-sandbox /prefetch:-645351001"
Spawned process "kinza.exe" with commandline "--type=utility --channel="2908.4.794940077\608398273" --lang=en-US --ignored=" --type=renderer " /prefetch:-645351001"
Spawned process "kinza.exe" with commandline "--type=renderer --lang=en-US --force-fieldtrials=BrowserPreReadExperiment/100-pct-default/Prerender/Prerender15minTTL/UMA-New-Install-Uniformity-Trial/Control/UMA-Session-Randomized-Uniformity-Trial-5-Percent/group_16/UMA-Uniformity-Trial-1-Percent/group_67/UMA-Uniformity-Trial-10-Percent/group_05/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_02/UMA-Uniformity-Trial-5-Percent/group_09/UMA-Uniformity-Trial-50-Percent/group_01/ --instant-process --enable-threaded-compositing --enable-delegated-renderer --disable-accelerated-compositing --disable-accelerated-video-decode --disable-webrtc-hw-encoding --enable-software-compositing --disable-gpu-compositing --channel="2908.5.1281241848\770195602" /prefetch:673131151"
Spawned process "kinza.exe" with commandline "--type=renderer --lang=en-US --force-fieldtrials=BrowserPreReadExperiment/100-pct-default/Prerender/Prerender15minTTL/UMA-New-Install-Uniformity-Trial/Control/UMA-Session-Randomized-Uniformity-Trial-5-Percent/group_16/UMA-Uniformity-Trial-1-Percent/group_67/UMA-Uniformity-Trial-10-Percent/group_05/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_02/UMA-Uniformity-Trial-5-Percent/group_09/UMA-Uniformity-Trial-50-Percent/group_01/ --enable-threaded-compositing --enable-delegated-renderer --disable-accelerated-compositing --disable-accelerated-video-decode --disable-webrtc-hw-encoding --enable-software-compositing --disable-gpu-compositing --channel="2908.6.212803556\527458706" /prefetch:673131151"
Spawned process "kinza.exe" with commandline "--type=utility --channel="2908.7.1524555984\1509230382" --lang=en-US --ignored=" --type=renderer " /prefetch:-645351001"
Spawned process "kinza.exe" with commandline "--type=renderer --lang=en-US --force-fieldtrials=BrowserPreReadExperiment/100-pct-default/Prerender/Prerender15minTTL/UMA-New-Install-Uniformity-Trial/Control/UMA-Session-Randomized-Uniformity-Trial-5-Percent/group_16/UMA-Uniformity-Trial-1-Percent/group_67/UMA-Uniformity-Trial-10-Percent/group_05/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_02/UMA-Uniformity-Trial-5-Percent/group_09/UMA-Uniformity-Trial-50-Percent/group_01/ --extension-process --enable-threaded-compositing --enable-delegated-renderer --disable-accelerated-compositing --disable-accelerated-video-decode --disable-webrtc-hw-encoding --enable-software-compositing --disable-gpu-compositing --channel="2908.8.2024536739\1704155858" /prefetch:673131151"
Spawned process "kinza.exe" with commandline "--type=utility --channel="2908.9.1907941812\362970323" --lang=en-US --ignored=" --type=renderer " /prefetch:-645351001"
- source: Monitored Target
- relevance: 8/10
Suspicious Indicators: 32
Anti-Detection/Stealthyness
Possibly tries to hide a process launching it with different user credentials
- details:
CreateProcessAsUserW@ADVAPI32.DLL from PID 00002836
CreateProcessAsUserW@ADVAPI32.DLL from PID 00002908
CreateProcessAsUserW@ADVAPI32.DLL from PID 00003244
CreateProcessAsUserW@ADVAPI32.DLL from PID 00003344
CreateProcessAsUserW@ADVAPI32.DLL from PID 00003360
CreateProcessAsUserW@ADVAPI32.DLL from PID 00003504
CreateProcessAsUserW@ADVAPI32.DLL from PID 00000284
CreateProcessAsUserW@ADVAPI32.DLL from PID 00003652
CreateProcessAsUserW@ADVAPI32.DLL from PID 00003624
CreateProcessAsUserW@ADVAPI32.DLL from PID 00003608
CreateProcessAsUserW@ADVAPI32.DLL from PID 00003600
CreateProcessAsUserW@ADVAPI32.DLL from PID 00001452
- source: Hybrid Analysis Technology
- relevance: 3/10
Queries kernel debugger information
- details:
"setup.exe" at 00014632-00002836-00000105-42672370
"kinza.exe" at 00015621-00002908-00000105-43438426
- source: API Call
- relevance: 6/10
Anti-Reverse Engineering
Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
- details: "kinza.exe" is protecting 4096 bytes with PAGE_GUARD access rights
- source: API Call
- relevance: 10/10
Environment Awareness
Reads the cryptographic machine GUID
- details:
"setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"kinza.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
Reads the Windows installation date
- details: "setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION"; Key: "INSTALLDATE")
- source: Registry Access
- relevance: 10/10
General
Contains ability to find and load resources of a specific module
- details:
FindResourceW@KERNEL32.DLL from PID 00002836
LockResource@KERNEL32.DLL from PID 00002836
FindResourceW@KERNEL32.DLL from PID 00002836
LockResource@KERNEL32.DLL from PID 00002908
FindResourceW@KERNEL32.DLL from PID 00002908
LockResource@KERNEL32.DLL from PID 00003244
FindResourceW@KERNEL32.DLL from PID 00003244
FindResourceW@KERNEL32.DLL from PID 00003344
LockResource@KERNEL32.DLL from PID 00003344
FindResourceW@KERNEL32.DLL from PID 00003360
LockResource@KERNEL32.DLL from PID 00003360
LockResource@KERNEL32.DLL from PID 00003504
FindResourceW@KERNEL32.DLL from PID 00003504
FindResourceW@KERNEL32.DLL from PID 00000284
LockResource@KERNEL32.DLL from PID 00000284
LockResource@KERNEL32.DLL from PID 00003652
FindResourceW@KERNEL32.DLL from PID 00003652
FindResourceW@KERNEL32.DLL from PID 00003624
LockResource@KERNEL32.DLL from PID 00003624
FindResourceW@KERNEL32.DLL from PID 00003608
- source: Hybrid Analysis Technology
- relevance: 1/10
Reads configuration files
- details: "kinza.exe" read file "%APPDATA%\Mozilla\Firefox\profiles.ini"
- source: API Call
- relevance: 4/10
Network Related
Found potential IP address in binary/memory
- details:
"0.1.0.0"
"1.3.21.115"
Heuristic match: ""version": "1.0.0.2""
Heuristic match: ""version": "18.0.0.209""
Heuristic match: ""version": "12.1.0.150""
Heuristic match: ""version": "1.4.3.4""
Heuristic match: ""version": "15.0.2.71""
- source: String
- relevance: 3/10
Uses a User Agent typical for browsers, although no browser was ever launched
- details: Found user agent(s): Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Kinza/1.0.1
- source: Network Traffic
- relevance: 10/10
Remote Access Related
Contains a remote desktop related string
- details: "cmovnc" (Indicator for product: Generic VNC)
- source: String
- relevance: 10/10
Spyware/Information Retrieval
Accesses potentially sensitive information from local browsers
- details:
"kinza.exe" had access to "HKCU\Software\Google\Chrome\BLBeacon" (Type: "KeyHandle")
"kinza.exe" had access to "%APPDATA%\Microsoft\Windows\Cookies\index.dat" (Type: "FileHandle")
"kinza.exe" had access to "%LOCALAPPDATA%\Microsoft\Windows\History\History.IE5\index.dat" (Type: "FileHandle")
- source: Touched Handle
- relevance: 7/10
Contains ability to enumerate processes/modules/threads
- details: CreateToolhelp32Snapshot@KERNEL32.DLL from PID 00002836
- source: Hybrid Analysis Technology
- relevance: 5/10
System Destruction
Marks file for deletion
- details:
"C:\mini_installer_1.0.1.exe" marked "%TEMP%\CR_7B243.tmp\SETUP.EX_" for deletion
"C:\mini_installer_1.0.1.exe" marked "%TEMP%\CR_7B243.tmp\CHROME.PACKED.7Z" for deletion
"C:\mini_installer_1.0.1.exe" marked "%TEMP%\CR_7B243.tmp\setup.exe" for deletion
"C:\mini_installer_1.0.1.exe" marked "%TEMP%\CR_7B243.tmp" for deletion
"%LOCALAPPDATA%\Kinza\Application\kinza.exe" marked "%LOCALAPPDATA%\Kinza\User Data\Default\Extension Rules\CURRENT~RF26adb.TMP" for deletion
"%LOCALAPPDATA%\Kinza\Application\kinza.exe" marked "C:\Users\%USERNAME%\AppData\Local\Kinza\User Data\Default\Extension Rules\MANIFEST-000001" for deletion
"%LOCALAPPDATA%\Kinza\Application\kinza.exe" marked "C:\Users\%USERNAME%\AppData\Local\Kinza\User Data\Default\Local Extension Settings\pafkbggdmjlpgkdkcbjmhmfcdpncadgh\CURRENT~RF28290.TMP" for deletion
"%LOCALAPPDATA%\Kinza\Application\kinza.exe" marked "C:\Users\%USERNAME%\AppData\Local\Kinza\User Data\Default\Local Extension Settings\pafkbggdmjlpgkdkcbjmhmfcdpncadgh\MANIFEST-000001" for deletion
"%LOCALAPPDATA%\Kinza\Application\kinza.exe" marked "C:\Users\%USERNAME%\AppData\Local\Kinza\User Data\Default\Extension State\CURRENT~RF282fe.TMP" for deletion
"%LOCALAPPDATA%\Kinza\Application\kinza.exe" marked "C:\Users\%USERNAME%\AppData\Local\Kinza\User Data\Default\Extension State\MANIFEST-000001" for deletion
"%LOCALAPPDATA%\Kinza\Application\kinza.exe" marked "C:\Users\%USERNAME%\AppData\Local\Kinza\User Data\Default\87C5.tmp" for deletion
- source: API Call
- relevance: 10/10
Opens file with deletion access rights
- details:
"<Input Sample>" opened "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Kinza\Uninstall Kinza.lnk" with delete access
"kinza.exe" opened "%LOCALAPPDATA%\Kinza\User Data\chrome_shutdown_ms.txt" with delete access
"kinza.exe" opened "C:\Users\%USERNAME%\AppData\Local\Kinza\User Data\Default\Policy\User Policy" with delete access
"kinza.exe" opened "C:\Users\%USERNAME%\AppData\Local\Kinza\User Data\Default\Policy\Signing Key" with delete access
"kinza.exe" opened "C:\Users\%USERNAME%\AppData\Local\Kinza\User Data\Default\Top Sites-wal" with delete access
"kinza.exe" opened "C:\Users\%USERNAME%\AppData\Local\Kinza\User Data\Safe Browsing Side-Effect Free Whitelist" with delete access
"kinza.exe" opened "C:\Users\%USERNAME%\AppData\Local\Kinza\User Data\Default\Extension Rules\000001.dbtmp" with delete access
"kinza.exe" opened "C:\Users\%USERNAME%\AppData\Local\Kinza\User Data\Default\Kinza RSS-wal" with delete access
- source: API Call
- relevance: 7/10
System Security
Contains ability to elevate privileges
- details:
SetEntriesInAclW@ADVAPI32.DLL from PID 00002908
SetEntriesInAclW@ADVAPI32.DLL from PID 00003244
SetEntriesInAclW@ADVAPI32.DLL from PID 00003344
SetEntriesInAclW@ADVAPI32.DLL from PID 00003360
SetEntriesInAclW@ADVAPI32.DLL from PID 00003504
SetEntriesInAclW@ADVAPI32.DLL from PID 00000284
SetEntriesInAclW@ADVAPI32.DLL from PID 00003652
SetEntriesInAclW@ADVAPI32.DLL from PID 00003624
SetEntriesInAclW@ADVAPI32.DLL from PID 00003608
SetEntriesInAclW@ADVAPI32.DLL from PID 00003600
SetEntriesInAclW@ADVAPI32.DLL from PID 00001452
- source: Hybrid Analysis Technology
- relevance: 10/10
Unusual Characteristics
Installs hooks/patches the running process
- details:
"setup.exe" wrote bytes "4053257758582677186a2677653c27770000000000bf6b750000000056cc6b75000000007cca6b750000000037683f756a2c2777d62d27770000000020693f750000000029a66b7500000000a48d3f7500000000f70e6b7500000000" to virtual address "0x77411000" (part of module "NSI.DLL")
"kinza.exe" wrote bytes "b842000000ba0003fe7fff12c22c0090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" to virtual address "0x6A891040" (part of module "CHROME_ELF.DLL")
"kinza.exe" wrote bytes "92e6227779a82777be722777d62d27771de2227705a22777bee32277616f2777684125770050257700000000ad3738778b2d3877b641387700000000" to virtual address "0x74871000" (part of module "WSHTCPIP.DLL")
"kinza.exe" wrote bytes "4053257758582677186a2677653c27770000000000bf6b750000000056cc6b75000000007cca6b750000000037683f756a2c2777d62d27770000000020693f750000000029a66b7500000000a48d3f7500000000f70e6b7500000000" to virtual address "0x77411000" (part of module "NSI.DLL")
"kinza.exe" wrote bytes "7739237779a82777be722777d62d27771de2227705a22777c868267757d12d77bee32277616f2777684125770050257700000000ad3738778b2d3877b641387700000000" to virtual address "0x74DA1000" (part of module "WSHIP6.DLL")
"kinza.exe" wrote bytes "c046d765" to virtual address "0x66F47344" (part of module "CHROME.DLL")
"kinza.exe" wrote bytes "10006d8b" to virtual address "0x75725270" (part of module "KERNEL32.DLL")
"kinza.exe" wrote bytes "1000c58a" to virtual address "0x75725270" (part of module "KERNEL32.DLL")
"kinza.exe" wrote bytes "1000668b" to virtual address "0x75725270" (part of module "KERNEL32.DLL")
"kinza.exe" wrote bytes "b0872563" to virtual address "0x64A3140C" (part of module "CHROME_CHILD.DLL")
"kinza.exe" wrote bytes "10007b8b" to virtual address "0x75725270" (part of module "KERNEL32.DLL")
"kinza.exe" wrote bytes "1000d08a" to virtual address "0x75725270" (part of module "KERNEL32.DLL")
- source: Hook Detection
- relevance: 10/10
Reads information about supported languages
- details:
"kinza.exe" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL\GEO"; Key: "NATION")
"kinza.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"kinza.exe" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALENAME")
- source: Registry Access
- relevance: 3/10
Hiding 15 Suspicious Indicators
Informative: 32
Anti-Reverse Engineering
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details:
SetUnhandledExceptionFilter@KERNEL32.DLL from PID 00002836
SetUnhandledExceptionFilter@KERNEL32.DLL from PID 00002836
SetUnhandledExceptionFilter@KERNEL32.DLL from PID 00002836
SetUnhandledExceptionFilter@KERNEL32.DLL from PID 00002836
SetUnhandledExceptionFilter@KERNEL32.DLL from PID 00002836
SetUnhandledExceptionFilter@KERNEL32.DLL from PID 00002836
SetUnhandledExceptionFilter@KERNEL32.DLL from PID 00002836
SetUnhandledExceptionFilter@KERNEL32.DLL from PID 00002908
SetUnhandledExceptionFilter@KERNEL32.DLL from PID 00002908
SetUnhandledExceptionFilter@KERNEL32.DLL from PID 00002908
SetUnhandledExceptionFilter@KERNEL32.DLL from PID 00002908
SetUnhandledExceptionFilter@KERNEL32.DLL from PID 00002908
SetUnhandledExceptionFilter@KERNEL32.DLL from PID 00002908
SetUnhandledExceptionFilter@KERNEL32.DLL from PID 00002908
SetUnhandledExceptionFilter@KERNEL32.DLL from PID 00003244
SetUnhandledExceptionFilter@KERNEL32.DLL from PID 00003244
SetUnhandledExceptionFilter@KERNEL32.DLL from PID 00003244
SetUnhandledExceptionFilter@KERNEL32.DLL from PID 00003244
SetUnhandledExceptionFilter@KERNEL32.DLL from PID 00003244
SetUnhandledExceptionFilter@KERNEL32.DLL from PID 00003244
- source: Hybrid Analysis Technology
- relevance: 1/10
Found strings in conjunction with a procedure lookup that resolve to a known API export symbol
- details: Found reference to API DllRegisterServer@ACPPAGE.DLL from PID 00002836
- source: Hybrid Analysis Technology
- relevance: 10/10
Environment Awareness
Contains ability to query machine time
- details:
GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00002836
GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00002836
GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00002836
GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00002908
GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00002908
GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00003244
GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00003244
GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00003344
GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00003344
GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00003360
GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00003360
GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00003504
GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00003504
GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00000284
GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00000284
GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00003652
GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00003652
GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00003624
GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00003624
GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00003608
- source: Hybrid Analysis Technology
- relevance: 1/10
Contains ability to query the machine timezone
- details:
GetTimeZoneInformation@KERNEL32.DLL from PID 00002836
GetTimeZoneInformation@KERNEL32.DLL from PID 00002908
GetTimeZoneInformation@KERNEL32.DLL from PID 00003244
GetTimeZoneInformation@KERNEL32.DLL from PID 00003344
GetTimeZoneInformation@KERNEL32.DLL from PID 00003360
GetTimeZoneInformation@KERNEL32.DLL from PID 00003504
GetTimeZoneInformation@KERNEL32.DLL from PID 00000284
GetTimeZoneInformation@KERNEL32.DLL from PID 00003652
GetTimeZoneInformation@KERNELBASE.DLL from PID 00003652
GetTimeZoneInformation@KERNEL32.DLL from PID 00003624
GetTimeZoneInformation@KERNELBASE.DLL from PID 00003624
GetTimeZoneInformation@KERNEL32.DLL from PID 00003608
GetTimeZoneInformation@KERNEL32.DLL from PID 00003600
GetTimeZoneInformation@KERNEL32.DLL from PID 00001452
- source: Hybrid Analysis Technology
- relevance: 1/10
Contains ability to query the machine version
- details:
GetVersionExW@KERNEL32.DLL from PID 00002836
GetVersionExA@KERNEL32.DLL from PID 00002836
GetVersionExW@KERNEL32.DLL from PID 00002908
GetVersionExA@KERNEL32.DLL from PID 00002908
GetVersionExW@KERNEL32.DLL from PID 00003244
GetVersionExA@KERNEL32.DLL from PID 00003244
GetVersionExW@KERNEL32.DLL from PID 00003344
GetVersionExA@KERNEL32.DLL from PID 00003344
GetVersionExW@KERNEL32.DLL from PID 00003360
GetVersionExA@KERNEL32.DLL from PID 00003360
GetVersionExW@KERNEL32.DLL from PID 00003504
GetVersionExA@KERNEL32.DLL from PID 00003504
GetVersionExW@KERNEL32.DLL from PID 00000284
GetVersionExA@KERNEL32.DLL from PID 00000284
GetVersionExW@KERNEL32.DLL from PID 00003652
GetVersionExA@KERNEL32.DLL from PID 00003652
GetVersionExW@KERNEL32.DLL from PID 00003624
GetVersionExA@KERNEL32.DLL from PID 00003624
GetVersionExW@KERNEL32.DLL from PID 00003608
GetVersionExA@KERNEL32.DLL from PID 00003608
- source: Hybrid Analysis Technology
- relevance: 1/10
Contains ability to query the system locale
- details
-
GetUserDefaultLCID@KERNEL32.DLL from PID 00002836
EnumSystemLocalesW@KERNEL32.DLL from PID 00002836
GetUserDefaultLCID@KERNEL32.DLL from PID 00002836
EnumSystemLocalesW@KERNEL32.DLL from PID 00002836
EnumSystemLocalesW@KERNEL32.DLL from PID 00002836
EnumSystemLocalesW@KERNEL32.DLL from PID 00002836
GetUserDefaultUILanguage@KERNEL32.DLL from PID 00002836
EnumSystemLocalesW@KERNEL32.DLL from PID 00002908
EnumSystemLocalesW@KERNEL32.DLL from PID 00002908
GetUserDefaultLCID@KERNEL32.DLL from PID 00002908
EnumSystemLocalesW@KERNEL32.DLL from PID 00002908
GetUserDefaultLCID@KERNEL32.DLL from PID 00002908
EnumSystemLocalesW@KERNEL32.DLL from PID 00002908
GetUserDefaultUILanguage@KERNEL32.DLL from PID 00002908
EnumSystemLocalesW@KERNEL32.DLL from PID 00003244
GetUserDefaultLCID@KERNEL32.DLL from PID 00003244
EnumSystemLocalesW@KERNEL32.DLL from PID 00003244
EnumSystemLocalesW@KERNEL32.DLL from PID 00003244
EnumSystemLocalesW@KERNEL32.DLL from PID 00003244
GetUserDefaultLCID@KERNEL32.DLL from PID 00003244
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Makes a code branch decision directly after an API that is environment aware
- details
-
Found API call GetVersionExW@KERNEL32.DLL (Target: "setup.exe"; Stream UID: "00014632-00002836-35865-497-00081710")
which is directly followed by "cmp edx, 05h" and "jne 000817FEh". See related instructions: "...
+168 call 000AD5A0h
+173 add esp, 0Ch
+176 lea eax, dword ptr [ebp-00000120h]
+182 push eax
+183 call dword ptr [000CD14Ch] ;GetVersionExW
+189 mov edx, dword ptr [ebp-0000011Ch]
+195 mov ecx, dword ptr [ebp-00000118h]
+201 mov eax, dword ptr [ebp-00000114h]
+207 mov dword ptr [esi+04h], edx
+210 mov dword ptr [esi+08h], ecx
+213 mov dword ptr [esi+0Ch], eax
+216 cmp edx, 05h
+219 jne 000817FEh" ... from PID 00002836
Found API call GetVersionExA@KERNEL32.DLL (Target: "setup.exe"; Stream UID: "00014632-00002836-35865-2278-000311B2")
which is directly followed by "cmp dword ptr [ebp-00000088h], 02h" and "jne 00031223h". See related instructions: "...
+62 call 000AD5A0h
+67 add esp, 0Ch
+70 lea eax, dword ptr [ebp-00000098h]
+76 push eax
+77 mov dword ptr [ebp-00000098h], 00000094h
+87 call dword ptr [000CD280h] ;GetVersionExA
+93 cmp dword ptr [ebp-00000088h], 02h
+100 jne 00031223h" ... from PID 00002836
Found API call GetVersionExW@KERNEL32.DLL (Target: "kinza.exe"; Stream UID: "00015621-00002908-51364-476-01358390")
which is directly followed by "cmp edx, 05h" and "jne 0135847Eh". See related instructions: "...
+168 call 01380CD0h
+173 add esp, 0Ch
+176 lea eax, dword ptr [ebp-00000120h]
+182 push eax
+183 call dword ptr [0139F0D4h] ;GetVersionExW
+189 mov edx, dword ptr [ebp-0000011Ch]
+195 mov ecx, dword ptr [ebp-00000118h]
+201 mov eax, dword ptr [ebp-00000114h]
+207 mov dword ptr [esi+04h], edx
+210 mov dword ptr [esi+08h], ecx
+213 mov dword ptr [esi+0Ch], eax
+216 cmp edx, 05h
+219 jne 0135847Eh" ... from PID 00002908
Found API call GetVersionExA@KERNEL32.DLL (Target: "kinza.exe"; Stream UID: "00015621-00002908-51364-1621-013411B2")
which is directly followed by "cmp dword ptr [ebp-00000088h], 02h" and "jne 01341223h". See related instructions: "...
+62 call 01380CD0h
+67 add esp, 0Ch
+70 lea eax, dword ptr [ebp-00000098h]
+76 push eax
+77 mov dword ptr [ebp-00000098h], 00000094h
+87 call dword ptr [0139F24Ch] ;GetVersionExA
+93 cmp dword ptr [ebp-00000088h], 02h
+100 jne 01341223h" ... from PID 00002908
Found API call GetVersionExW@KERNEL32.DLL (Target: "kinza.exe"; Stream UID: "00015751-00003244-59645-476-01358390")
which is directly followed by "cmp edx, 05h" and "jne 0135847Eh". See related instructions: "...
+168 call 01380CD0h
+173 add esp, 0Ch
+176 lea eax, dword ptr [ebp-00000120h]
+182 push eax
+183 call dword ptr [0139F0D4h] ;GetVersionExW
+189 mov edx, dword ptr [ebp-0000011Ch]
+195 mov ecx, dword ptr [ebp-00000118h]
+201 mov eax, dword ptr [ebp-00000114h]
+207 mov dword ptr [esi+04h], edx
+210 mov dword ptr [esi+08h], ecx
+213 mov dword ptr [esi+0Ch], eax
+216 cmp edx, 05h
+219 jne 0135847Eh" ... from PID 00003244
Found API call GetVersionExA@KERNEL32.DLL (Target: "kinza.exe"; Stream UID: "00015751-00003244-59645-1621-013411B2")
which is directly followed by "cmp dword ptr [ebp-00000088h], 02h" and "jne 01341223h". See related instructions: "...
+62 call 01380CD0h
+67 add esp, 0Ch
+70 lea eax, dword ptr [ebp-00000098h]
+76 push eax
+77 mov dword ptr [ebp-00000098h], 00000094h
+87 call dword ptr [0139F24Ch] ;GetVersionExA
+93 cmp dword ptr [ebp-00000088h], 02h
+100 jne 01341223h" ... from PID 00003244
Found API call GetVersionExW@KERNEL32.DLL (Target: "kinza.exe"; Stream UID: "00015837-00003344-695-476-01358390")
which is directly followed by "cmp edx, 05h" and "jne 0135847Eh". See related instructions: "...
+168 call 01380CD0h
+173 add esp, 0Ch
+176 lea eax, dword ptr [ebp-00000120h]
+182 push eax
+183 call dword ptr [0139F0D4h] ;GetVersionExW
+189 mov edx, dword ptr [ebp-0000011Ch]
+195 mov ecx, dword ptr [ebp-00000118h]
+201 mov eax, dword ptr [ebp-00000114h]
+207 mov dword ptr [esi+04h], edx
+210 mov dword ptr [esi+08h], ecx
+213 mov dword ptr [esi+0Ch], eax
+216 cmp edx, 05h
+219 jne 0135847Eh" ... from PID 00003344
Found API call GetVersionExA@KERNEL32.DLL (Target: "kinza.exe"; Stream UID: "00015837-00003344-695-1621-013411B2")
which is directly followed by "cmp dword ptr [ebp-00000088h], 02h" and "jne 01341223h". See related instructions: "...
+62 call 01380CD0h
+67 add esp, 0Ch
+70 lea eax, dword ptr [ebp-00000098h]
+76 push eax
+77 mov dword ptr [ebp-00000098h], 00000094h
+87 call dword ptr [0139F24Ch] ;GetVersionExA
+93 cmp dword ptr [ebp-00000088h], 02h
+100 jne 01341223h" ... from PID 00003344
Found API call GetVersionExW@KERNEL32.DLL (Target: "kinza.exe"; Stream UID: "00015846-00003360-7683-476-01358390")
which is directly followed by "cmp edx, 05h" and "jne 0135847Eh". See related instructions: "...
+168 call 01380CD0h
+173 add esp, 0Ch
+176 lea eax, dword ptr [ebp-00000120h]
+182 push eax
+183 call dword ptr [0139F0D4h] ;GetVersionExW
+189 mov edx, dword ptr [ebp-0000011Ch]
+195 mov ecx, dword ptr [ebp-00000118h]
+201 mov eax, dword ptr [ebp-00000114h]
+207 mov dword ptr [esi+04h], edx
+210 mov dword ptr [esi+08h], ecx
+213 mov dword ptr [esi+0Ch], eax
+216 cmp edx, 05h
+219 jne 0135847Eh" ... from PID 00003360
Found API call GetVersionExA@KERNEL32.DLL (Target: "kinza.exe"; Stream UID: "00015846-00003360-7683-1621-013411B2")
which is directly followed by "cmp dword ptr [ebp-00000088h], 02h" and "jne 01341223h". See related instructions: "...
+62 call 01380CD0h
+67 add esp, 0Ch
+70 lea eax, dword ptr [ebp-00000098h]
+76 push eax
+77 mov dword ptr [ebp-00000098h], 00000094h
+87 call dword ptr [0139F24Ch] ;GetVersionExA
+93 cmp dword ptr [ebp-00000088h], 02h
+100 jne 01341223h" ... from PID 00003360
Found API call GetVersionExW@KERNEL32.DLL (Target: "kinza.exe"; Stream UID: "00015953-00003504-13257-476-01358390")
which is directly followed by "cmp edx, 05h" and "jne 0135847Eh". See related instructions: "...
+168 call 01380CD0h
+173 add esp, 0Ch
+176 lea eax, dword ptr [ebp-00000120h]
+182 push eax
+183 call dword ptr [0139F0D4h] ;GetVersionExW
+189 mov edx, dword ptr [ebp-0000011Ch]
+195 mov ecx, dword ptr [ebp-00000118h]
+201 mov eax, dword ptr [ebp-00000114h]
+207 mov dword ptr [esi+04h], edx
+210 mov dword ptr [esi+08h], ecx
+213 mov dword ptr [esi+0Ch], eax
+216 cmp edx, 05h
+219 jne 0135847Eh" ... from PID 00003504
Found API call GetVersionExA@KERNEL32.DLL (Target: "kinza.exe"; Stream UID: "00015953-00003504-13257-1621-013411B2")
which is directly followed by "cmp dword ptr [ebp-00000088h], 02h" and "jne 01341223h". See related instructions: "...
+62 call 01380CD0h
+67 add esp, 0Ch
+70 lea eax, dword ptr [ebp-00000098h]
+76 push eax
+77 mov dword ptr [ebp-00000098h], 00000094h
+87 call dword ptr [0139F24Ch] ;GetVersionExA
+93 cmp dword ptr [ebp-00000088h], 02h
+100 jne 01341223h" ... from PID 00003504
Found API call GetVersionExW@KERNEL32.DLL (Target: "kinza.exe"; Stream UID: "00016515-00000284-18536-476-01358390")
which is directly followed by "cmp edx, 05h" and "jne 0135847Eh". See related instructions: "...
+168 call 01380CD0h
+173 add esp, 0Ch
+176 lea eax, dword ptr [ebp-00000120h]
+182 push eax
+183 call dword ptr [0139F0D4h] ;GetVersionExW
+189 mov edx, dword ptr [ebp-0000011Ch]
+195 mov ecx, dword ptr [ebp-00000118h]
+201 mov eax, dword ptr [ebp-00000114h]
+207 mov dword ptr [esi+04h], edx
+210 mov dword ptr [esi+08h], ecx
+213 mov dword ptr [esi+0Ch], eax
+216 cmp edx, 05h
+219 jne 0135847Eh" ... from PID 00000284
Found API call GetVersionExA@KERNEL32.DLL (Target: "kinza.exe"; Stream UID: "00016515-00000284-18536-1621-013411B2")
which is directly followed by "cmp dword ptr [ebp-00000088h], 02h" and "jne 01341223h". See related instructions: "...
+62 call 01380CD0h
+67 add esp, 0Ch
+70 lea eax, dword ptr [ebp-00000098h]
+76 push eax
+77 mov dword ptr [ebp-00000098h], 00000094h
+87 call dword ptr [0139F24Ch] ;GetVersionExA
+93 cmp dword ptr [ebp-00000088h], 02h
+100 jne 01341223h" ... from PID 00000284
Found API call GetVersionExW@KERNEL32.DLL (Target: "kinza.exe"; Stream UID: "00016586-00003652-25909-476-01358390")
which is directly followed by "cmp edx, 05h" and "jne 0135847Eh". See related instructions: "...
+168 call 01380CD0h
+173 add esp, 0Ch
+176 lea eax, dword ptr [ebp-00000120h]
+182 push eax
+183 call dword ptr [0139F0D4h] ;GetVersionExW
+189 mov edx, dword ptr [ebp-0000011Ch]
+195 mov ecx, dword ptr [ebp-00000118h]
+201 mov eax, dword ptr [ebp-00000114h]
+207 mov dword ptr [esi+04h], edx
+210 mov dword ptr [esi+08h], ecx
+213 mov dword ptr [esi+0Ch], eax
+216 cmp edx, 05h
+219 jne 0135847Eh" ... from PID 00003652
Found API call GetVersionExA@KERNEL32.DLL (Target: "kinza.exe"; Stream UID: "00016586-00003652-25909-1621-013411B2")
which is directly followed by "cmp dword ptr [ebp-00000088h], 02h" and "jne 01341223h". See related instructions: "...
+62 call 01380CD0h
+67 add esp, 0Ch
+70 lea eax, dword ptr [ebp-00000098h]
+76 push eax
+77 mov dword ptr [ebp-00000098h], 00000094h
+87 call dword ptr [0139F24Ch] ;GetVersionExA
+93 cmp dword ptr [ebp-00000088h], 02h
+100 jne 01341223h" ... from PID 00003652
Found API call GetVersionExW@KERNEL32.DLL (Target: "kinza.exe"; Stream UID: "00016862-00003624-44455-476-01358390")
which is directly followed by "cmp edx, 05h" and "jne 0135847Eh". See related instructions: "...
+168 call 01380CD0h
+173 add esp, 0Ch
+176 lea eax, dword ptr [ebp-00000120h]
+182 push eax
+183 call dword ptr [0139F0D4h] ;GetVersionExW
+189 mov edx, dword ptr [ebp-0000011Ch]
+195 mov ecx, dword ptr [ebp-00000118h]
+201 mov eax, dword ptr [ebp-00000114h]
+207 mov dword ptr [esi+04h], edx
+210 mov dword ptr [esi+08h], ecx
+213 mov dword ptr [esi+0Ch], eax
+216 cmp edx, 05h
+219 jne 0135847Eh" ... from PID 00003624
Found API call GetVersionExA@KERNEL32.DLL (Target: "kinza.exe"; Stream UID: "00016862-00003624-44455-1621-013411B2")
which is directly followed by "cmp dword ptr [ebp-00000088h], 02h" and "jne 01341223h". See related instructions: "...
+62 call 01380CD0h
+67 add esp, 0Ch
+70 lea eax, dword ptr [ebp-00000098h]
+76 push eax
+77 mov dword ptr [ebp-00000098h], 00000094h
+87 call dword ptr [0139F24Ch] ;GetVersionExA
+93 cmp dword ptr [ebp-00000088h], 02h
+100 jne 01341223h" ... from PID 00003624
Found API call GetVersionExW@KERNEL32.DLL (Target: "kinza.exe"; Stream UID: "00016911-00003608-60184-476-01358390")
which is directly followed by "cmp edx, 05h" and "jne 0135847Eh". See related instructions: "...
+168 call 01380CD0h
+173 add esp, 0Ch
+176 lea eax, dword ptr [ebp-00000120h]
+182 push eax
+183 call dword ptr [0139F0D4h] ;GetVersionExW
+189 mov edx, dword ptr [ebp-0000011Ch]
+195 mov ecx, dword ptr [ebp-00000118h]
+201 mov eax, dword ptr [ebp-00000114h]
+207 mov dword ptr [esi+04h], edx
+210 mov dword ptr [esi+08h], ecx
+213 mov dword ptr [esi+0Ch], eax
+216 cmp edx, 05h
+219 jne 0135847Eh" ... from PID 00003608
Found API call GetVersionExA@KERNEL32.DLL (Target: "kinza.exe"; Stream UID: "00016911-00003608-60184-1621-013411B2")
which is directly followed by "cmp dword ptr [ebp-00000088h], 02h" and "jne 01341223h". See related instructions: "...
+62 call 01380CD0h
+67 add esp, 0Ch
+70 lea eax, dword ptr [ebp-00000098h]
+76 push eax
+77 mov dword ptr [ebp-00000098h], 00000094h
+87 call dword ptr [0139F24Ch] ;GetVersionExA
+93 cmp dword ptr [ebp-00000088h], 02h
+100 jne 01341223h" ... from PID 00003608
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Possibly tries to detect the presence of a debugger
- details
-
GetProcessHeap@KERNEL32.DLL from PID 00002836
GetProcessHeap@KERNEL32.DLL from PID 00002836
GetProcessHeap@KERNEL32.DLL from PID 00002908
GetProcessHeap@KERNEL32.DLL from PID 00003244
GetProcessHeap@KERNEL32.DLL from PID 00003344
GetProcessHeap@KERNEL32.DLL from PID 00003360
GetProcessHeap@KERNEL32.DLL from PID 00003504
GetProcessHeap@KERNEL32.DLL from PID 00000284
GetProcessHeap@KERNEL32.DLL from PID 00003652
GetProcessHeap@KERNEL32.DLL from PID 00003624
GetProcessHeap@KERNEL32.DLL from PID 00003608
GetProcessHeap@KERNEL32.DLL from PID 00003600
GetProcessHeap@KERNEL32.DLL from PID 00001452
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Queries volume information
- details
-
"setup.exe" queries volume information of "C:\" at 00014632-00002836-0000010C-42746122
"setup.exe" queries volume information of "%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Kinza.lnk" at 00014632-00002836-0000010C-42967305
"kinza.exe" queries volume information of "C:\" at 00015621-00002908-0000010C-43367676
"kinza.exe" queries volume information of "%LOCALAPPDATA%\Kinza\User Data\Default\Cache\index" at 00015621-00002908-0000010C-43566381
"kinza.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Kinza\User Data\Default\Cache\data_0" at 00015621-00002908-0000010C-43607188
"kinza.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Kinza\User Data\Default\Cache\data_1" at 00015621-00002908-0000010C-43612877
"kinza.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Kinza\User Data\Default\Cache\data_2" at 00015621-00002908-0000010C-43641627
"kinza.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Kinza\User Data\Default\Cache\data_3" at 00015621-00002908-0000010C-43642766
- source
- API Call
- relevance
- 2/10
-
Queries volume information of an entire harddrive
- details
-
"setup.exe" queries volume information of "C:\" at 00014632-00002836-0000010C-42746122
"setup.exe" queries volume information of "C:\" at 00014632-00002836-0000010C-42774066
"setup.exe" queries volume information of "C:\" at 00014632-00002836-0000010C-42778657
"setup.exe" queries volume information of "C:\" at 00014632-00002836-0000010C-42967148
"kinza.exe" queries volume information of "C:\" at 00015621-00002908-0000010C-43367676
- source
- API Call
- relevance
- 8/10
-
Reads the registry for installed applications
- details
-
"setup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\KINZA")
"setup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\SETUP.EXE")
"setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\SETUP.EXE")
"setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\KINZA.EXE")
"kinza.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\KINZA.EXE")
"kinza.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\KINZA.EXE")
"kinza.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\ACRORD32.EXE")
"kinza.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\ACRORD32.EXE")
"kinza.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\ACRORD32.EXE"; Key: "PATH"; Value: "00000000010000005600000043003A005C00500072006F006700720061006D002000460069006C00650073005C00410064006F00620065005C005200650061006400650072002000310031002E0030005C005200650061006400650072005C000000")
"kinza.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\QUICKTIMEPLAYER.EXE")
"kinza.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\QUICKTIMEPLAYER.EXE")
"kinza.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WMPLAYER.EXE")
"kinza.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WMPLAYER.EXE")
"kinza.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WMPLAYER.EXE"; Key: "PATH"; Value: "0000000002000000480000002500500072006F006700720061006D00460069006C006500730025005C00570069006E0064006F007700730020004D006500640069006100200050006C0061007900650072000000")
- source
- Registry Access
- relevance
- 10/10
-
Contains ability to query machine time
-
General
-
Accesses Software Policy Settings
- details
-
"kinza.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"kinza.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"kinza.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"kinza.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"kinza.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"kinza.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"kinza.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"kinza.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"kinza.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"kinza.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"kinza.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"kinza.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"kinza.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"kinza.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"kinza.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"kinza.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"kinza.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
"kinza.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
"kinza.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
"kinza.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "")
- source
- Registry Access
- relevance
- 10/10
-
Accesses System Certificates Settings
- details
-
"kinza.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
"kinza.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"kinza.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"kinza.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "BLOB")
"kinza.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA"; Key: "BLOB")
"kinza.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
"kinza.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"kinza.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"kinza.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"kinza.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"kinza.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\109F1CAED645BB78B3EA2B94C0697C740733031C"; Key: "BLOB")
"kinza.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\D559A586669B08F46A30A133F8A9ED3D038E2EA8"; Key: "BLOB")
"kinza.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FEE449EE0E3965A5246F000E87FDE2A065FD89D4"; Key: "BLOB")
"kinza.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"kinza.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS\A377D1B1C0538833035211F4083D00FECC414DAB"; Key: "BLOB")
"kinza.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"kinza.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
- source
- Registry Access
- relevance
- 10/10
-
Contacts domains
- details
-
- source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
-
- source
- Network Traffic
- relevance
- 1/10
-
Contains PDB pathways
- details
-
"d:\chromium-branch-1916\src\out\Release\mini_installer.exe.pdb"
"d:\chromium-branch-1916\src\out\Release\setup.exe.pdb"
"d:\chromium-branch-1916\src\out\Release\initialexe\chrome.exe.pdb"
- source
- String
- relevance
- 1/10
-
Contains ability to create named pipes for inter-process communication (IPC)
- details
-
CreateNamedPipeW@KERNEL32.DLL from PID 00002908
CreateNamedPipeW@KERNEL32.DLL from PID 00003504
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Creates a writable file in a temporary directory
- details
-
"<Input Sample>" created file "%TEMP%\CR_7B243.tmp\CHROME.PACKED.7Z"
"<Input Sample>" created file "%TEMP%\CR_7B243.tmp\SETUP.EX_"
"<Input Sample>" created file "%TEMP%\CR_7B243.tmp\setup.exe"
"setup.exe" created file "%TEMP%\chrome_installer.log"
"setup.exe" created file "%LOCALAPPDATA%\Kinza\Temp\source2836_12664\chrome.7z"
"setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Kinza\Temp\source2836_12664\Chrome-bin\35.0.1916.114\icudtl.dat"
"setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Kinza\Temp\source2836_12664\Chrome-bin\35.0.1916.114\chrome.dll"
"setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Kinza\Temp\source2836_12664\Chrome-bin\35.0.1916.114\chrome_child.dll"
"setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Kinza\Temp\source2836_12664\Chrome-bin\35.0.1916.114\chrome_elf.dll"
"setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Kinza\Temp\source2836_12664\Chrome-bin\35.0.1916.114\d3dcompiler_46.dll"
"setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Kinza\Temp\source2836_12664\Chrome-bin\35.0.1916.114\ffmpegsumo.dll"
"setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Kinza\Temp\source2836_12664\Chrome-bin\35.0.1916.114\libegl.dll"
"setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Kinza\Temp\source2836_12664\Chrome-bin\35.0.1916.114\libglesv2.dll"
"setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Kinza\Temp\source2836_12664\Chrome-bin\35.0.1916.114\metro_driver.dll"
"setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Kinza\Temp\source2836_12664\Chrome-bin\35.0.1916.114\ppgooglenaclpluginchrome.dll"
"setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Kinza\Temp\source2836_12664\Chrome-bin\35.0.1916.114\delegate_execute.exe"
"setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Kinza\Temp\source2836_12664\Chrome-bin\kinza.exe"
"setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Kinza\Temp\source2836_12664\Chrome-bin\35.0.1916.114\nacl64.exe"
"setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Kinza\Temp\source2836_12664\Chrome-bin\wow_helper.exe"
"setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Kinza\Temp\source2836_12664\Chrome-bin\35.0.1916.114\Extensions\external_extensions.json"
- source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Global\C:/Users/7DRgdSI/AppData/Local/Temp/chrome_installer.log"
"\Sessions\1\BaseNamedObjects\Local\LRIEElevationPolicyMutex"
"Global\C:/Users/7DRgdSI/AppData/Local/Temp/chrome_installer.log"
"Local\LRIEElevationPolicyMutex"
"\Sessions\1\BaseNamedObjects\Local\ChromeProcessSingletonStartup!"
"Local\ChromeProcessSingletonStartup!"
"\Sessions\1\BaseNamedObjects\Local\__DDrawExclMode__"
"\Sessions\1\BaseNamedObjects\Local\__DDrawCheckExclMode__"
"\Sessions\1\BaseNamedObjects\Global\C:/Users/7DRgdSI/AppData/Local/Kinza/Application/debug.log"
"Local\__DDrawCheckExclMode__"
"Local\__DDrawExclMode__"
"Global\C:/Users/7DRgdSI/AppData/Local/Kinza/Application/debug.log"
- source
- Created Mutant
- relevance
- 3/10
-
GETs files from a webserver
- details
-
"GET /infoseek/all.xml HTTP/1.1
Host: rss.kinza.jp
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Kinza/1.0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8"
"GET /startup.php?version=1.0.1&locale=en&last_version=&no-cache=20170428130116655 HTTP/1.1
Host: update.log.kinza.jp
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Kinza/1.0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8"
"GET /help/ HTTP/1.1
Host: www.kinza.jp
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Kinza/1.0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8"
- source
- Network Traffic
- relevance
- 5/10
-
Process launched with changed environment
- details
-
Process "kinza.exe" was launched with new environment variables: "__PROCESS_HISTORY="%TEMP%\CR_7B243.tmp\setup.exe""
Process "kinza.exe" was launched with new environment variables: "CHROME_MAIN_TIME="13137883268083350", CHROME_PRE_READ_EXPERIMENT="100-pct-default", CHROME_ALLOCATOR="TCMALLOC", CHROME_VERSION="35.0.1916.114""
Process "kinza.exe" was launched with new environment variables: "CHROME_RESTART="Chromium|Whoa! Chromium has crashed. Relaunch now?|LEFT_TO_RIGHT""
- source
- Monitored Target
- relevance
- 10/10
-
Scanning for window names
- details
-
"kinza.exe" searching for class "Shell_TrayWnd"
"kinza.exe" searching for class "Chrome_MessageWindow"
- source
- API Call
- relevance
- 10/10
-
Spawns new processes
- details
-
Spawned process "setup.exe" with commandline "--install-archive="%TEMP%\CR_7B243.tmp\CHROME.PACKED.7Z""
Spawned process "kinza.exe"
Spawned process "kinza.exe" with commandline "--type=gpu-process --channel="2908.0.296120775\791057638" --supports-dual-gpus=false --gpu-driver-bug-workarounds=1,15 --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor="Oracle Corporation" --gpu-driver-version=5.0.20.0 --ignored=" --type=renderer " /prefetch:822062411"
Spawned process "kinza.exe" with commandline "--type=renderer --lang=en-US --force-fieldtrials=BrowserPreReadExperiment/100-pct-default/Prerender/Prerender15minTTL/UMA-New-Install-Uniformity-Trial/Control/UMA-Session-Randomized-Uniformity-Trial-5-Percent/group_16/UMA-Uniformity-Trial-1-Percent/group_67/UMA-Uniformity-Trial-10-Percent/group_05/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_02/UMA-Uniformity-Trial-5-Percent/group_09/UMA-Uniformity-Trial-50-Percent/group_01/ --extension-process --enable-threaded-compositing --enable-delegated-renderer --enable-software-compositing --channel="2908.1.1335464334\865468432" /prefetch:673131151"
Spawned process "kinza.exe" with commandline "--type=renderer --lang=en-US --force-fieldtrials=BrowserPreReadExperiment/100-pct-default/Prerender/Prerender15minTTL/UMA-New-Install-Uniformity-Trial/Control/UMA-Session-Randomized-Uniformity-Trial-5-Percent/group_16/UMA-Uniformity-Trial-1-Percent/group_67/UMA-Uniformity-Trial-10-Percent/group_05/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_02/UMA-Uniformity-Trial-5-Percent/group_09/UMA-Uniformity-Trial-50-Percent/group_01/ --extension-process --enable-threaded-compositing --enable-delegated-renderer --enable-software-compositing --channel="2908.2.601701404\369064887" /prefetch:673131151"
Spawned process "kinza.exe" with commandline "--type=utility --channel="2908.3.773762395\694874676" --lang=en-US --no-sandbox /prefetch:-645351001"
Spawned process "kinza.exe" with commandline "--type=utility --channel="2908.4.794940077\608398273" --lang=en-US --ignored=" --type=renderer " /prefetch:-645351001"
Spawned process "kinza.exe" with commandline "--type=renderer --lang=en-US --force-fieldtrials=BrowserPreReadExperiment/100-pct-default/Prerender/Prerender15minTTL/UMA-New-Install-Uniformity-Trial/Control/UMA-Session-Randomized-Uniformity-Trial-5-Percent/group_16/UMA-Uniformity-Trial-1-Percent/group_67/UMA-Uniformity-Trial-10-Percent/group_05/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_02/UMA-Uniformity-Trial-5-Percent/group_09/UMA-Uniformity-Trial-50-Percent/group_01/ --instant-process --enable-threaded-compositing --enable-delegated-renderer --disable-accelerated-compositing --disable-accelerated-video-decode --disable-webrtc-hw-encoding --enable-software-compositing --disable-gpu-compositing --channel="2908.5.1281241848\770195602" /prefetch:673131151"
Spawned process "kinza.exe" with commandline "--type=renderer --lang=en-US --force-fieldtrials=BrowserPreReadExperiment/100-pct-default/Prerender/Prerender15minTTL/UMA-New-Install-Uniformity-Trial/Control/UMA-Session-Randomized-Uniformity-Trial-5-Percent/group_16/UMA-Uniformity-Trial-1-Percent/group_67/UMA-Uniformity-Trial-10-Percent/group_05/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_02/UMA-Uniformity-Trial-5-Percent/group_09/UMA-Uniformity-Trial-50-Percent/group_01/ --enable-threaded-compositing --enable-delegated-renderer --disable-accelerated-compositing --disable-accelerated-video-decode --disable-webrtc-hw-encoding --enable-software-compositing --disable-gpu-compositing --channel="2908.6.212803556\527458706" /prefetch:673131151"
Spawned process "kinza.exe" with commandline "--type=utility --channel="2908.7.1524555984\1509230382" --lang=en-US --ignored=" --type=renderer " /prefetch:-645351001"
Spawned process "kinza.exe" with commandline "--type=renderer --lang=en-US --force-fieldtrials=BrowserPreReadExperiment/100-pct-default/Prerender/Prerender15minTTL/UMA-New-Install-Uniformity-Trial/Control/UMA-Session-Randomized-Uniformity-Trial-5-Percent/group_16/UMA-Uniformity-Trial-1-Percent/group_67/UMA-Uniformity-Trial-10-Percent/group_05/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_02/UMA-Uniformity-Trial-5-Percent/group_09/UMA-Uniformity-Trial-50-Percent/group_01/ --extension-process --enable-threaded-compositing --enable-delegated-renderer --disable-accelerated-compositing --disable-accelerated-video-decode --disable-webrtc-hw-encoding --enable-software-compositing --disable-gpu-compositing --channel="2908.8.2024536739\1704155858" /prefetch:673131151"
Spawned process "kinza.exe" with commandline "--type=utility --channel="2908.9.1907941812\362970323" --lang=en-US --ignored=" --type=renderer " /prefetch:-645351001"
- source
- Monitored Target
- relevance
- 3/10
-
Accesses Software Policy Settings
-
Installation/Persistence
-
Accessed IE Quick Launch directory
- details
-
"setup.exe" obtained handle to "%APPDATA%\Microsoft\Internet Explorer\Quick Launch\Kinza.lnk" (Type: "FileHandle")
"setup.exe" obtained handle to "%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Kinza.lnk" (Type: "FileHandle")
"setup.exe" obtained handle to "%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar" (Type: "FileHandle")
- source
- Touched Handle
- relevance
- 10/10
-
Connects to LPC ports
- details
-
"setup.exe" connecting to "\ThemeApiPort"
"kinza.exe" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
-
Contains ability to lookup the windows account name
- details
- GetUserNameW@ADVAPI32.DLL from PID 00002836
- source
- Hybrid Analysis Technology
- relevance
- 5/10
-
Dropped files
- details
-
"6D2A.tmp" has type "MS Windows icon resource - 9 icons 8x8"
"da.pak" has type "data"
"messages.json" has type "ASCII text with CRLF line terminators"
"000001.dbtmp" has type "ASCII text"
"A526.tmp" has type "ASCII text with very long lines with CRLF line terminators"
"B88D.tmp" has type "ASCII text with CRLF line terminators"
"Safe Browsing Cookies" has type "SQLite 3.x database"
"messages.json" has type "UTF-8 Unicode text with CRLF line terminators"
"manifest.json" has type "ASCII text with CRLF line terminators"
"te.pak" has type "data"
"verified_contents.json" has type "ASCII text with very long lines with no line terminators"
"119.tmp" has type "ASCII text with CRLF line terminators"
"pt-PT.pak" has type "data"
"MANIFEST-000001" has type "PGP\011Secret Key -"
"chrome_100_percent.pak" has type "data"
"bg.pak" has type "data"
"craw_background.js" has type "ASCII text with very long lines"
"smalllogo.png" has type "PNG image data 120 x 120 8-bit/color RGBA non-interlaced"
"messages.json" has type "UTF-8 Unicode text with CRLF LF line terminators"
- source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"<Input Sample>" touched file "%WINDIR%\SYSTEM32\en-US\ntdll.dll.mui"
"<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"<Input Sample>" touched file "%APPDATA%\Microsoft\Windows\Start Menu\desktop.ini"
"<Input Sample>" touched file "%APPDATA%\Microsoft\Windows\Start Menu"
"<Input Sample>" touched file "%APPDATA%\Microsoft\Windows\Start Menu\Programs\desktop.ini"
"<Input Sample>" touched file "%APPDATA%\Microsoft\Windows\Start Menu\Programs"
"<Input Sample>" touched file "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Kinza"
"<Input Sample>" touched file "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files"
"<Input Sample>" touched file "%APPDATA%\Microsoft\Windows\Cookies"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\History"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat"
"<Input Sample>" touched file "%APPDATA%\Microsoft\Windows\Cookies\index.dat"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\History\History.IE5\index.dat"
"setup.exe" touched file "%WINDIR%\AppPatch\AcGenral.DLL"
"setup.exe" touched file "%WINDIR%\system32\en-US\SETUPAPI.dll.mui"
"setup.exe" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
- source
- API Call
- relevance
- 7/10
-
-
Network Related
-
Found potential URL in binary/memory
- details
-
Heuristic match: "xPQ,I.Biz"
Heuristic match: "h]+T<_.eC"
Heuristic match: "JO^.h#.mV"
Heuristic match: "_5Uo<r.lI"
Heuristic match: "Gm7]zI.Au"
Pattern match: "https://www.globalsign.com/repository/03"
Pattern match: "http://crl.globalsign.net/root.crl0"
Pattern match: "https://www.globalsign.com/repository/06"
Pattern match: "http://crl.globalsign.net/root-r3.crl0"
Pattern match: "https://www.globalsign.com/repository/0"
Pattern match: "crl.globalsign.com/gs/gstimestampingg2.crl0T"
Pattern match: "secure.globalsign.com/cacert/gstimestampingg2.crt0"
Pattern match: "crl.globalsign.com/gs/gscodesignsha2g2.crl0"
Pattern match: "secure.globalsign.com/cacert/gscodesignsha2g2.crt08"
Pattern match: "http://ocsp2.globalsign.com/gscodesignsha2g20"
Pattern match: "http://www.dayz.jp0"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\setup\setup_main.cc"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\util\install_util.cc"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\util\channel_info.cc"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\util\master_preferences.cc"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\util\language_selector.cc"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\setup\uninstall.cc"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\util\installer_state.cc"
Heuristic match: "d:\chromium-branch-1916\src\crypto\secure_hash_default.cc"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\util\shell_util.cc"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\util\product.cc"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\setup\install_worker.cc"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\util\google_update_util.cc"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\util\delete_after_reboot_helper.cc"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\util\self_cleaning_temp_dir.cc"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\setup\setup_util.cc"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\setup\install.cc"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\util\installation_validator.cc"
Heuristic match: "d:\chromium-branch-1916\src\rlz\win\lib\process_info.cc"
Heuristic match: "d:\chromium-branch-1916\src\base\rand_util_win.cc"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\util\google_update_settings.cc"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\setup\archive_patch_helper.cc"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\util\eula_util.cc"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\util\app_command.cc"
Heuristic match: "d:\chromium-branch-1916\src\courgette\assembly_program.cc"
Heuristic match: "d:\chromium-branch-1916\src\base\pickle.cc"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\util\lzma_util.cc"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\util\app_commands.cc"
Heuristic match: "d:\chromium-branch-1916\src\courgette\disassembler_elf_32.cc"
Heuristic match: "d:\chromium-branch-1916\src\base\json\string_escape.cc"
Heuristic match: "d:\chromium-branch-1916\src\base\logging.cc"
Pattern match: "http://www.google.com/chrome/intl/$1/welcomeback-new.html"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\util\create_reg_key_work_item.cc"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\util\delete_reg_key_work_item.cc"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\util\conditional_work_item_list.cc"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\util\set_reg_value_work_item.cc"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\util\registry_key_backup.cc"
Pattern match: "http://purl.org/rss/1.0/modules/content/"
Pattern match: "http://purl.org/dc/elements/1.1/"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\util\move_tree_work_item.cc"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\util\self_reg_work_item.cc"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\util\user_experiment.cc"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\util\delete_tree_work_item.cc"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\util\delete_reg_value_work_item.cc"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\util\copy_reg_key_work_item.cc"
Heuristic match: "chrome.googleechotest.com"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\util\create_dir_work_item.cc"
Pattern match: "https://www.kinza.jp/download/"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\util\copy_tree_work_item.cc"
Heuristic match: "d:\chromium-branch-1916\src\chrome\installer\util\work_item_list.cc"
Pattern match: "http://pipelining.googleechotest.com/"
Pattern match: "https://www.google.fr/"
Heuristic match: "-1916\src\chrome\installer\setup\setup_main.cc"
Heuristic match: "nstaller\setup\setup_util.cc"
Heuristic match: "src\chrome\installer\util\shell_util.cc"
Heuristic match: "ium-branch-1916\src\chrome\installer\util\delete_after_reboot_helper.cc"
Heuristic match: "hromium-branch-1916\src\chrome\installer\util\install_util.cc"
Heuristic match: "chrome\installer\util\google_update_settings.cc"
Heuristic match: "me\installer\util\self_cleaning_temp_dir.cc"
Pattern match: "www.google.com/chrome/intl/$1/welcomeback-new.html"
Heuristic match: "er_experiment.cc"
Heuristic match: "default_search_provider.name"
Heuristic match: "default_search_provider.id"
Heuristic match: "extensions.theme.id"
Heuristic match: "profile.name"
Heuristic match: "clients1.google.com"
Heuristic match: "ototype.lastIndexOf.call(b,c,null==d?b.length-1:d)}:function(b,c,d){d=null==d?b.length-1:d;0>d&&(d=Math.max(0,b.length+d));if(l.isString(b))return l.isString(c)&&1==c.length?b.lastIndexOf(c,d):-1;for(;0<=d;d--)if(d in b&&b[d]===c)return d;return-1};
l.arra"
Heuristic match: "Each.call(b,c,d)}:function(b,c,d){for(var e=b.length,f=k.isString(b)?b.split():b,g=0;g<e;g++)g in f&&c.call(d,f[g],g,b)};k.array.forEachRight=function(b,c){for(var d=b.length,e=k.isString(b)?b.split():b,d=d-1;0<=d;--d)d in e&&c.call(void 0,e[d],d,b)};
"
Heuristic match: "ter.Iterator;if(0<c.length){var e=k.array.map(c,k.iter.toIterator);d.next=function(){return k.array.map(e,function(b){return b.next()})}}return d};
k.iter.zipLongest=function(b,c){var d=k.array.slice(arguments,1),e=new k.iter.Iterator;if(0<d.length){var f="
Pattern match: "https://clients2.google.com/service/update2/crx"
Pattern match: "https://www.google.com/"
Pattern match: "https://www.googleapis.com/"
Heuristic match: "d:\chromium-branch-1916\src\chrome\app\client_util.cc"
Heuristic match: "d:\chromium-branch-1916\src\chrome\app\image_pre_reader_win.cc"
Heuristic match: "rss.kinza.jp"
Heuristic match: "update.log.kinza.jp"
Pattern match: "www.kinza.jp"
Heuristic match: "d:\chromium-branch-1916\src\sandbox\win\src\interception.cc"
Heuristic match: "d:\chromium-branch-1916\src\components\breakpad\app\breakpad_win.cc"
Heuristic match: "d:\chromium-branch-1916\src\sandbox\win\src\handle_closer_agent.cc"
Heuristic match: "d:\chromium-branch-1916\src\ui\gfx\win\dpi.cc"
Heuristic match: "d:\chromium-branch-1916\src\base\threading\thread_local_storage.cc"
Heuristic match: "ium-branch-1916\src\components\breakpad\app\breakpad_win.cc"
Pattern match: "https://www.googleapis.com/auth/sierra"
Pattern match: "https://www.googleapis.com/auth/sierrasandbox"
Pattern match: "https://www.googleapis.com/auth/chromewebstore"
Pattern match: "https://www.googleapis.com/auth/chromewebstore.readonly"
Pattern match: "https://www.googleapis.com/*"
Pattern match: "https://payments.google.com/payments/v4/js/integrator.js"
Pattern match: "https://sandbox.google.com/payments/v4/js/integrator.js"
Heuristic match: "{
app: {
background: {
scripts: [ craw_background.js ]
}
},
default_locale: en,
description: __MSG_APP_DESCRIPTION__,
display_in_launcher: false,
display_in_new_tab_page: false,
icons"
Pattern match: "https://support.google.com/chrome/?p=plugin_flash"
Pattern match: "https://support.google.com/chrome/answer/6258784"
Pattern match: "https://helpx.adobe.com/security/products/flash-player/apsb15-18.html"
Pattern match: "https://support.google.com/chrome/?p=plugin_pdf"
Pattern match: "https://get.adobe.com/reader/"
Pattern match: "https://helpx.adobe.com/security/products/reader/apsb14-28.html"
Pattern match: "https://support.google.com/chrome/?p=plugin_shockwave"
Pattern match: "http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Slim.exe"
Pattern match: "https://helpx.adobe.com/security/products/shockwave/apsb14-10.html"
Pattern match: "https://support.google.com/chrome/?p=plugin_quicktime"
Pattern match: "http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe"
Pattern match: "http://support.apple.com/kb/HT203092"
Pattern match: "https://support.google.com/chrome/?p=plugin_divx"
Pattern match: "http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe"
Pattern match: "https://www.facebook.com/chat/video/videocalldownload.php"
Pattern match: "http://www.google.com/earth/explore/products/plugin.html"
Pattern match: "https://support.google.com/chrome/?p=plugin_java"
Pattern match: "http://java.com/download"
Pattern match: "https://support.google.com/chrome/?p=plugin_real"
Pattern match: "http://forms.real.com/real/realone/download.html?type=rpsp_us"
Pattern match: "http://service.real.com/realplayer/security/02062012_player/en/"
Pattern match: "http://go.microsoft.com/fwlink/?LinkID=149156"
Pattern match: "https://support.microsoft.com/kb/3056819"
Pattern match: "https://support.google.com/chrome/?p=plugin_wmp"
Pattern match: "http://www.interoperabilitybridges.com/wmp-extension-for-chrome"
Pattern match: "https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.provide"
Heuristic match: "l.module=function(b){if(!l.isString(b)||!b||-1==b.search(l.VALID_MODULE_RE_))throw Error(Invalid module identifier);if(!l.isInModuleLoader_())throw Error(Module +b+ has been loaded incorrectly. Note, modules cannot be loaded as normal scripts. They re"
Pattern match: "http://www.ecma-international.org/ecma-262/5.1/#sec-C"
Pattern match: "Math.PI/180};l.math.toDegrees=function(b){return"
Pattern match: "https://www.googleapis.com,SANDBOX:https://www-googleapis-staging.sandbox.google.com};n.WebStoreService.WEB_STORE_REQUEST_PATH_=/chromewebstore/v1.1"
Pattern match: "https://www.google.com/intl/en-US/chrome/blank.html"
Pattern match: "https://www.google.com/intl/en-US/chrome/blank.html,!1"
Pattern match: "http://www.google.com/favicon.ico"
- source
- String
- relevance
- 10/10
-
HTTP request contains Base64 encoded artifacts
- details
- "M{}5"
- source
- Network Traffic
- relevance
- 7/10
-
-
Spyware/Information Retrieval
-
Found a reference to a known community page
- details
-
"ce.youtube.login_on_launch" (Indicator: "youtube")
"ce.youtube.always_play_hd_videos" (Indicator: "youtube")
""url": "https://www.facebook.com/chat/video/videocalldownload.php"," (Indicator: "facebook.com")
- source
- String
- relevance
- 7/10
-
-
System Security
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"setup.exe" opened "\Device\KsecDD"
"kinza.exe" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
-
File Details
mini_installer_1.0.1.exe
- Filename
- mini_installer_1.0.1.exe
- Size
- 29MiB (30669184 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 06bcbc31abb8c7ff07406d415cd49b6d4a8e857306beb9d498f5dc349f9a66fa
- MD5
- 01900540205a720cd86c840e85fe75f1
- SHA1
- 151f7f7d46245b00599a8f9f4b1f4f7d82519106
Hybrid Analysis
Analysed 13 processes in total (System Resource Monitor).
-
mini_installer_1.0.1.exe
(PID: 2556)
-
setup.exe
--install-archive="%TEMP%\CR_7B243.tmp\CHROME.PACKED.7Z"
(PID: 2836)
-
kinza.exe
(PID: 2908)
- kinza.exe --type=gpu-process --channel="2908.0.296120775\791057638" --supports-dual-gpus=false --gpu-driver-bug-workarounds=1,15 --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor="Oracle Corporation" --gpu-driver-version=5.0.20.0 --ignored=" --type=renderer " /prefetch:822062411 (PID: 3244)
- kinza.exe --type=renderer --lang=en-US --force-fieldtrials=BrowserPreReadExperiment/100-pct-default/Prerender/Prerender15minTTL/UMA-New-Install-Uniformity-Trial/Control/UMA-Session-Randomized-Uniformity-Trial-5-Percent/group_16/UMA-Uniformity-Trial-1-Percent/group_67/UMA-Uniformity-Trial-10-Percent/group_05/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_02/UMA-Uniformity-Trial-5-Percent/group_09/UMA-Uniformity-Trial-50-Percent/group_01/ --extension-process --enable-threaded-compositing --enable-delegated-renderer --enable-software-compositing --channel="2908.1.1335464334\865468432" /prefetch:673131151 (PID: 3344)
- kinza.exe --type=renderer --lang=en-US --force-fieldtrials=BrowserPreReadExperiment/100-pct-default/Prerender/Prerender15minTTL/UMA-New-Install-Uniformity-Trial/Control/UMA-Session-Randomized-Uniformity-Trial-5-Percent/group_16/UMA-Uniformity-Trial-1-Percent/group_67/UMA-Uniformity-Trial-10-Percent/group_05/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_02/UMA-Uniformity-Trial-5-Percent/group_09/UMA-Uniformity-Trial-50-Percent/group_01/ --extension-process --enable-threaded-compositing --enable-delegated-renderer --enable-software-compositing --channel="2908.2.601701404\369064887" /prefetch:673131151 (PID: 3360)
- kinza.exe --type=utility --channel="2908.3.773762395\694874676" --lang=en-US --no-sandbox /prefetch:-645351001 (PID: 3504)
- kinza.exe --type=utility --channel="2908.4.794940077\608398273" --lang=en-US --ignored=" --type=renderer " /prefetch:-645351001 (PID: 284)
- kinza.exe --type=renderer --lang=en-US --force-fieldtrials=BrowserPreReadExperiment/100-pct-default/Prerender/Prerender15minTTL/UMA-New-Install-Uniformity-Trial/Control/UMA-Session-Randomized-Uniformity-Trial-5-Percent/group_16/UMA-Uniformity-Trial-1-Percent/group_67/UMA-Uniformity-Trial-10-Percent/group_05/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_02/UMA-Uniformity-Trial-5-Percent/group_09/UMA-Uniformity-Trial-50-Percent/group_01/ --instant-process --enable-threaded-compositing --enable-delegated-renderer --disable-accelerated-compositing --disable-accelerated-video-decode --disable-webrtc-hw-encoding --enable-software-compositing --disable-gpu-compositing --channel="2908.5.1281241848\770195602" /prefetch:673131151 (PID: 3652)
- kinza.exe --type=renderer --lang=en-US --force-fieldtrials=BrowserPreReadExperiment/100-pct-default/Prerender/Prerender15minTTL/UMA-New-Install-Uniformity-Trial/Control/UMA-Session-Randomized-Uniformity-Trial-5-Percent/group_16/UMA-Uniformity-Trial-1-Percent/group_67/UMA-Uniformity-Trial-10-Percent/group_05/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_02/UMA-Uniformity-Trial-5-Percent/group_09/UMA-Uniformity-Trial-50-Percent/group_01/ --enable-threaded-compositing --enable-delegated-renderer --disable-accelerated-compositing --disable-accelerated-video-decode --disable-webrtc-hw-encoding --enable-software-compositing --disable-gpu-compositing --channel="2908.6.212803556\527458706" /prefetch:673131151 (PID: 3624)
- kinza.exe --type=utility --channel="2908.7.1524555984\1509230382" --lang=en-US --ignored=" --type=renderer " /prefetch:-645351001 (PID: 3608)
- kinza.exe --type=renderer --lang=en-US --force-fieldtrials=BrowserPreReadExperiment/100-pct-default/Prerender/Prerender15minTTL/UMA-New-Install-Uniformity-Trial/Control/UMA-Session-Randomized-Uniformity-Trial-5-Percent/group_16/UMA-Uniformity-Trial-1-Percent/group_67/UMA-Uniformity-Trial-10-Percent/group_05/UMA-Uniformity-Trial-100-Percent/group_01/UMA-Uniformity-Trial-20-Percent/group_02/UMA-Uniformity-Trial-5-Percent/group_09/UMA-Uniformity-Trial-50-Percent/group_01/ --extension-process --enable-threaded-compositing --enable-delegated-renderer --disable-accelerated-compositing --disable-accelerated-video-decode --disable-webrtc-hw-encoding --enable-software-compositing --disable-gpu-compositing --channel="2908.8.2024536739\1704155858" /prefetch:673131151 (PID: 3600)
- kinza.exe --type=utility --channel="2908.9.1907941812\362970323" --lang=en-US --ignored=" --type=renderer " /prefetch:-645351001 (PID: 1452)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
update.log.kinza.jp | 153.149.33.213 | - | Japan |
www.kinza.jp | 153.149.30.244 | - | Japan |
d5swzbrbfdmh1.cloudfront.net | - | - | - |
www.googleadservices.com | 216.58.213.162 | - | United States |
stats.g.doubleclick.net | 74.125.206.154 | - | United States |
www.gstatic.com | 216.58.205.3 | - | United States |
www.google.fr | 216.58.205.3 | - | United States |
staticxx.facebook.com | 157.240.3.24 | - | United States |
www.google-analytics.com | 216.58.205.14 | - | United States |
www.facebook.com | 31.13.66.36 | - | Ireland |
googleads.g.doubleclick.net | 216.58.204.130 | - | United States |
connect.facebook.net | 157.240.3.24 | - | United States |
ssl.gstatic.com | 216.58.205.3 | - | United States |
translate.googleapis.com | 216.58.205.10 | - | United States |
rss.kinza.jp | 153.149.6.27 | - | Japan |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
153.149.6.27 | 80 TCP | kinza.exe PID: 2908 | Japan, ASN: 4713 (NTT Communications Corporation) |
153.149.6.27 | 443 TCP | kinza.exe PID: 2908 | Japan, ASN: 4713 (NTT Communications Corporation) |
153.149.30.244 | 80 TCP | kinza.exe PID: 2908 | Japan, ASN: 4713 (NTT Communications Corporation) |
153.149.33.213 | 80 TCP | kinza.exe PID: 2908 | Japan, ASN: 4713 (NTT Communications Corporation) |
153.149.30.244 | 443 TCP | kinza.exe PID: 2908 | Japan, ASN: 4713 (NTT Communications Corporation) |
31.13.92.14 | 443 TCP | kinza.exe PID: 2908 | Ireland, ASN: 32934 (Facebook, Inc.) |
31.13.92.36 | 443 TCP | kinza.exe PID: 2908 | Ireland, ASN: 32934 (Facebook, Inc.) |
54.230.216.147 | 443 TCP | kinza.exe PID: 2908 | United States, ASN: 16509 (Amazon.com, Inc.) |
Contacted Countries
HTTP Traffic
Endpoint | Request | URL | Response |
---|---|---|---|
153.149.6.27:80 (rss.kinza.jp) | GET | rss.kinza.jp/infoseek/all.xml | 302 Moved Temporarily |
153.149.33.213:80 (update.log.kinza.jp) | GET | update.log.kinza.jp/startup.php?version=1.0.1&locale=en&last_version=&no-cache=20170428130116655 | 200 OK |
153.149.30.244:80 (www.kinza.jp) | GET | www.kinza.jp/help/ | 301 Moved Permanently |

Request to 153.149.6.27:80 (rss.kinza.jp):

```http
GET /infoseek/all.xml HTTP/1.1
Host: rss.kinza.jp
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Kinza/1.0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
```

Request to 153.149.33.213:80 (update.log.kinza.jp):

```http
GET /startup.php?version=1.0.1&locale=en&last_version=&no-cache=20170428130116655 HTTP/1.1
Host: update.log.kinza.jp
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Kinza/1.0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
```

Request to 153.149.30.244:80 (www.kinza.jp):

```http
GET /help/ HTTP/1.1
Host: www.kinza.jp
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 Kinza/1.0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
```
Memory Forensics
String | Context | Stream UID |
---|---|---|
commands.cc | Domain/IP reference | 00014632-00002836-35865-1398-00061990 |
install.cc | Domain/IP reference | 00014632-00002836-35865-1082-00035010 |
main.cc | Domain/IP reference | 00014632-00002836-35865-1017-00042E60 |
pickle.cc | Domain/IP reference | 00018090-00003600-989-1360-01359BA0 |
http://pipelining.googleechotest.com/ | Domain/IP reference | 00014632-00002836-35865-2339-0006D810 |
util.cc | Domain/IP reference | 00018090-00003600-989-451-01343810 |
worker.cc | Domain/IP reference | 00014632-00002836-35865-2291-0003E420 |
storage.cc | Domain/IP reference | 00016911-00003608-60184-1350-013612C0 |
1.3.21.115 | Domain/IP reference | 00016911-00003608-60184-1641-01347460 |
info.cc | Domain/IP reference | 00014632-00002836-35865-1765-0009B530 |
settings.cc | Domain/IP reference | 00018090-00003600-989-501-0134A750 |
product.cc | Domain/IP reference | 00014632-00002836-35865-1188-00057A30 |
win.cc | Domain/IP reference | 00018090-00003600-989-1329-01361AF0 |
chrome.googleechotest.com | Domain/IP reference | 00014632-00002836-35865-2342-0006D8F0 |
32.cc | Domain/IP reference | 00014632-00002836-35865-1634-000A41E0 |
escape.cc | Domain/IP reference | 00014632-00002836-35865-1862-00094580 |
item.cc | Domain/IP reference | 00014632-00002836-35865-2093-00070D80 |
experiment.cc | Domain/IP reference | 00014632-00002836-35865-2061-0006BCB0 |
backup.cc | Domain/IP reference | 00014632-00002836-35865-2095-00075AA0 |
validator.cc | Domain/IP reference | 00014632-00002836-35865-2160-00067660 |
selector.cc | Domain/IP reference | 00016911-00003608-60184-1529-0134BE40 |
list.cc | Domain/IP reference | 00014632-00002836-35865-2178-00060CF0 |
agent.cc | Domain/IP reference | 00018090-00003600-989-1175-0136A3D0 |
http://www.google.com/chrome/intl | Domain/IP reference | 00014632-00002836-35865-1419-0006B9C0 |
program.cc | Domain/IP reference | 00014632-00002836-35865-1744-0009E060 |
logging.cc | Domain/IP reference | 00014632-00002836-35865-1527-00079520 |
dpi.cc | Domain/IP reference | 00018090-00003600-989-724-01349530 |
helper.cc | Domain/IP reference | 00014632-00002836-35865-1160-0005D7C0 |
state.cc | Domain/IP reference | 00014632-00002836-35865-1040-0005A280 |
dir.cc | Domain/IP reference | 00014632-00002836-35865-692-0006B000 |
interception.cc | Domain/IP reference | 00018090-00003600-989-1144-0136DE40 |
uninstall.cc | Domain/IP reference | 00014632-00002836-35865-681-0004A320 |
preferences.cc | Domain/IP reference | 00014632-00002836-35865-977-0005AF00 |
command.cc | Domain/IP reference | 00014632-00002836-35865-1406-000608D0 |
default.cc | Domain/IP reference | 00014632-00002836-35865-808-000AA640 |
Extracted Strings
Extracted Files
Displaying 39 extracted file(s). The remaining 194 file(s) are available in the full version and XML/JSON reports.
-
Informative Selection 9
-
-
VLYT2ZALW3FYZOEYO492.temp
- Size
- 6.1KiB (6254 bytes)
- Type
- data
- MD5
- fec827d97a004d0990434f82ec3a0948
- SHA1
- 4b24e0a4b39c2eebee4f8f8509734bb0d1edd9d8
- SHA256
- d69bbfbaa5867712e656053d374d9b50a1108fdf17b0be463fb14286f0f51c22
-
QGU0K2CHGI2AC6CISDPQ.temp
- Size
- 6.1KiB (6254 bytes)
- Type
- data
- MD5
- fec827d97a004d0990434f82ec3a0948
- SHA1
- 4b24e0a4b39c2eebee4f8f8509734bb0d1edd9d8
- SHA256
- d69bbfbaa5867712e656053d374d9b50a1108fdf17b0be463fb14286f0f51c22
-
48RMXJT1U3BO9AJS1IZ5.temp
- Size
- 6.1KiB (6254 bytes)
- Type
- data
- MD5
- fec827d97a004d0990434f82ec3a0948
- SHA1
- 4b24e0a4b39c2eebee4f8f8509734bb0d1edd9d8
- SHA256
- d69bbfbaa5867712e656053d374d9b50a1108fdf17b0be463fb14286f0f51c22
-
WCW0PR7EMTPKL6683G7F.temp
- Size
- 6.1KiB (6254 bytes)
- Type
- data
- MD5
- fec827d97a004d0990434f82ec3a0948
- SHA1
- 4b24e0a4b39c2eebee4f8f8509734bb0d1edd9d8
- SHA256
- d69bbfbaa5867712e656053d374d9b50a1108fdf17b0be463fb14286f0f51c22
-
RVNQF97LR5A6NA039BEJ.temp
- Size
- 6.1KiB (6254 bytes)
- Type
- data
- MD5
- fec827d97a004d0990434f82ec3a0948
- SHA1
- 4b24e0a4b39c2eebee4f8f8509734bb0d1edd9d8
- SHA256
- d69bbfbaa5867712e656053d374d9b50a1108fdf17b0be463fb14286f0f51c22
-
98JF5S49XXQUXCLP13OE.temp
- Size
- 6.1KiB (6254 bytes)
- Type
- data
- MD5
- fec827d97a004d0990434f82ec3a0948
- SHA1
- 4b24e0a4b39c2eebee4f8f8509734bb0d1edd9d8
- SHA256
- d69bbfbaa5867712e656053d374d9b50a1108fdf17b0be463fb14286f0f51c22
-
CIFG1COC1UC0G1FMMF4U.temp
- Size
- 6.1KiB (6254 bytes)
- Type
- data
- MD5
- fec827d97a004d0990434f82ec3a0948
- SHA1
- 4b24e0a4b39c2eebee4f8f8509734bb0d1edd9d8
- SHA256
- d69bbfbaa5867712e656053d374d9b50a1108fdf17b0be463fb14286f0f51c22
-
JXDHIXDC5CYD0M4NHRWR.temp
- Size
- 6.1KiB (6254 bytes)
- Type
- data
- MD5
- fec827d97a004d0990434f82ec3a0948
- SHA1
- 4b24e0a4b39c2eebee4f8f8509734bb0d1edd9d8
- SHA256
- d69bbfbaa5867712e656053d374d9b50a1108fdf17b0be463fb14286f0f51c22
-
PX2SHNVANZ82PAU4G71H.temp
- Size
- 6.1KiB (6254 bytes)
- Type
- data
- MD5
- fec827d97a004d0990434f82ec3a0948
- SHA1
- 4b24e0a4b39c2eebee4f8f8509734bb0d1edd9d8
- SHA256
- d69bbfbaa5867712e656053d374d9b50a1108fdf17b0be463fb14286f0f51c22
-
-
Informative 30
-
-
Kinza.lnk
- Size
- 2.3KiB (2360 bytes)
- Runtime Process
- setup.exe (PID: 2836)
- MD5
- 944983ee8ca29c973dd9fc3b1ac3d4f4
- SHA1
- d44d438a17d8f50777105a16798b788efcd7f43a
- SHA256
- 4fe56644ccda58d0184c11bc839a9cc11f9994f1e0f03807e49deecf9a20a7b5
-
setup.exe
- Size
- 990KiB (1013632 bytes)
- Runtime Process
- mini_installer_1.0.1.exe (PID: 2556)
- MD5
- 518e1b2a09e43985eca1e6975d682d81
- SHA1
- bb70519a9983821eb6ab6e295b07b9014ebe17ba
- SHA256
- eb280acc2f31ac08561e4a577e0a9ada057052689d7e7fbda189378be1941a3f
-
debug.log
- Size
- 121B (121 bytes)
- Runtime Process
- kinza.exe (PID: 3244)
- MD5
- 1793204c2988565e259ffc5f0f2239b0
- SHA1
- 00ba6df1d4b8695a77195d543c8b9aa2c477b448
- SHA256
- 70c1ddae5f22f2da2c834926e9c9bdf7442c95e7859ff64ebae00bc852c1f96a
-
kinza.exe
- Size
- 890KiB (911232 bytes)
- Runtime Process
- setup.exe (PID: 2836)
- MD5
- 5d7f5c0cdb5b1c720b3354ac098f035f
- SHA1
- 3dc428cd7d48c076a9bdf97a26555c918281b25c
- SHA256
- 65c3ed43b4d08f2096d534069b1e25d9d68e728883551d38eee888faeb696fff
-
35.0.1916.114.manifest
- Size
- 224B (224 bytes)
- Runtime Process
- setup.exe (PID: 2836)
- MD5
- e4d0e74071482e4900d18df19253733c
- SHA1
- ba8addf0330325e57174d9d1a7954dae10365b49
- SHA256
- 23741d30569d2d29405fbf20c5d3c5ef3d26547f0a8d6a470596b1b77e5922ad
-
external_extensions.json
- Size
- 99B (99 bytes)
- Runtime Process
- setup.exe (PID: 2836)
- MD5
- 280a9277b0e605e905d7f18b6148eeb7
- SHA1
- fcaf575897048f55b422a6dbeba943b5d550a908
- SHA256
- a68cafd7d78d5c671c2560656653f2a4d83ab66d87a8728356a88fb1f477b3e6
-
am.pak
- Size
- 319KiB (326825 bytes)
- Runtime Process
- setup.exe (PID: 2836)
- MD5
- 2de1fabbcb417e95f2a5727822d85fae
- SHA1
- 98e4b99cb5969675d755a73a925c14dcba4fa293
- SHA256
- fbb189117c03365abd3ffd03805017064c1f0a5df351e0a188534891c904072b
-
ar.pak
- Size
- 310KiB (317321 bytes)
- Runtime Process
- setup.exe (PID: 2836)
- MD5
- 211e676cef2fd906211c6bec2721e83b
- SHA1
- cf85f4592f70858e13978de70bc7e04b415d92f6
- SHA256
- 235e201795fa2e4a2dff9a7e0568143ce9abf41ad557d0cd68aa1f7b205cda77
-
bg.pak
- Size
  - Size: 383KiB (392152 bytes)
  - Type: data
  - Runtime Process: setup.exe (PID: 2836)
  - MD5: 2298450ad0f08af83417fd61954e1d6b
  - SHA1: f8fa5ee86defdf289496631f3f78e6c39b554d81
  - SHA256: 92fe40ec0292853545e3cb293fbf20d43d59fc7d210266b3fc81434a97cffde9
- bn.pak
  - Size: 486KiB (497467 bytes)
  - Runtime Process: setup.exe (PID: 2836)
  - MD5: 2995fa2039761230d333a3d890602fee
  - SHA1: d7bbef228b3a9c105c48a013d820d740c4924a28
  - SHA256: 66158132d1f8179ce5e621a897c712b52a37457828f34314c9c53678d4252013
- ca.pak
  - Size: 232KiB (237818 bytes)
  - Runtime Process: setup.exe (PID: 2836)
  - MD5: 8be2f379a60ad83a09eb9170352dee3d
  - SHA1: 3aaf2834cf9d66c535e0b633e1b993548cf0bc1d
  - SHA256: 274af1291cfde65c02fa598d793a33baacc34bc87791c115398bb07ad19a9f55
- cs.pak
  - Size: 231KiB (236580 bytes)
  - Runtime Process: setup.exe (PID: 2836)
  - MD5: 374c8794ee1252c219f60f24b25059b1
  - SHA1: 67959ab670c77ff73f8ba7be7db61e6b5f062654
  - SHA256: a2035b3cc64bdfd2f012bc0aa02910add21075a79f5d2ad5fe16d2896a0b528a
- da.pak
  - Size: 211KiB (215842 bytes)
  - Type: data
  - Runtime Process: setup.exe (PID: 2836)
  - MD5: c2c044322c9770aa67d4e7a50fcf5b53
  - SHA1: 345f99db9582cd5f4a77abe11fd8a06a9d6e09de
  - SHA256: c9e45fcf9c024d6a246a7c7e19ddc4945090a5efafbf751619b4b3219754c62e
- de.pak
  - Size: 231KiB (236963 bytes)
  - Runtime Process: setup.exe (PID: 2836)
  - MD5: 68efaa7a5a2646bfd461e8b92c7e5806
  - SHA1: 5ce7eea72d21a477d10f1b7c0d4a1637f3e695f7
  - SHA256: 9860e2bac850ed975cb214942cca20df4524a90fd16c82e6ce9e1ff4b9ae2dbd
- el.pak
  - Size: 415KiB (425343 bytes)
  - Runtime Process: setup.exe (PID: 2836)
  - MD5: fbcc1e43ef29f3fd46fb5d6dd04fdb18
  - SHA1: 50c705278361a49aca05ab2953eebd082d382d88
  - SHA256: 04377d988dfb3afd8352af8d8b11c711b1c6d5092e2f3da6156afbe12d91404e
- en-GB.pak
  - Size: 193KiB (197237 bytes)
  - Runtime Process: setup.exe (PID: 2836)
  - MD5: d2b749df1cf2df7464edafb88075e150
  - SHA1: 496f7b50ebae0c288aed4ed02d98b03b7c3bfa20
  - SHA256: 0562edf8e4f623d1cbd0ec010946b61102c3d8d2b71aba2bc3c5d50e923378fd
- en-US.pak
  - Size: 193KiB (197750 bytes)
  - Runtime Process: setup.exe (PID: 2836)
  - MD5: fcfaaf93c52e981ef4f3453dd5e7c77d
  - SHA1: 8eef07f28ae5c2aecba45ed2f962c0f82fbf0941
  - SHA256: cb871ac64a8b5ef63ae723a5c7306347eba4eaf14f29077e2c157b15f868b4db
- es-419.pak
  - Size: 233KiB (238708 bytes)
  - Runtime Process: setup.exe (PID: 2836)
  - MD5: a13c51522c4662dfb484f60d1642c9e7
  - SHA1: e2577f06c7491e694f19b71e27f7650122a2e1f7
  - SHA256: 862869d426712249d8c79e8f1cbd7f6446c48aac3a8ba941d6724f26beb75b0e
- es.pak
  - Size: 238KiB (243404 bytes)
  - Runtime Process: setup.exe (PID: 2836)
  - MD5: 986a7eea1bf0b44f076e2a5763190480
  - SHA1: 2ca95e6549c42763e429316c39e3a150844b1bd4
  - SHA256: 5a4722c36a4fe370629e141be086f70b6bef1b7b5cf52a21ec2d2dd4aeacfdcb
- et.pak
  - Size: 204KiB (209241 bytes)
  - Runtime Process: setup.exe (PID: 2836)
  - MD5: 327cab8a40a9322d03e6d0488a27ad68
  - SHA1: 87f0ae1d9ff4c1204fb72d82fffb703030d3fe0f
  - SHA256: 475fc72ff8b4f2a5cfa66c19b7d73ec063dfbd3e86fc83500d620eb7a9d6505e
- chrome_elf.dll
  - Size: 125KiB (127872 bytes)
  - Runtime Process: setup.exe (PID: 2836)
  - MD5: 9aaa2c9356754bc39009ab4a03ccd6ec
  - SHA1: 67ed6bec891efe7f66f5af73123b8aebfbba1a90
  - SHA256: 7fcea878ef1d4643e651742f6530f20d61a9077dc09ea1f4378fcab7698f846b
- d3dcompiler_46.dll
  - Size: 3.1MiB (3222400 bytes)
  - Runtime Process: setup.exe (PID: 2836)
  - MD5: bddbb302cf64dc53c2d693f330464a31
  - SHA1: 1220637e02f57b07dcac77aa1a59f61d970f868f
  - SHA256: b4aec9d402417dbdef8eef9d392ccdcbd6bc39328cbcbb6c393e575d695e64b2
- delegate_execute.exe
  - Size: 2MiB (2063744 bytes)
  - Runtime Process: setup.exe (PID: 2836)
  - MD5: d470b8221d4a37dab3f40f78c42ca991
  - SHA1: 3bf5e7af583e030554344e08e738b9e145de0979
  - SHA256: a035bcaa96d92c6398eac5ba2ef3c528de1b873850ee667aea4fe160f03d8036
- ffmpegsumo.dll
  - Size: 934KiB (956288 bytes)
  - Runtime Process: setup.exe (PID: 2836)
  - MD5: 75135e562d47d7de5281c686a541085e
  - SHA1: 111a3e55c235a87f154863d0c2b0aab86937b884
  - SHA256: 05c797ca1e192d3ec4f5bcc3e3df7a02be3f03cc4fe54d39e1991cced45779bb
- libegl.dll
  - Size: 131KiB (134528 bytes)
  - Runtime Process: setup.exe (PID: 2836)
  - MD5: 900f96b43f16ec277612d78222edeaeb
  - SHA1: fb4175c0b9703445de1ba79847a2c86c35df5b19
  - SHA256: b035d2da88bf16d05a463951d056d0c725f572ea85d070724debc6112d986dd9
- libglesv2.dll
  - Size: 856KiB (876928 bytes)
  - Runtime Process: setup.exe (PID: 2836)
  - MD5: d517970824ab72bcc242b3512212602c
  - SHA1: f581c5517951fe8817fcfc39b21ca8ae14bf9db7
  - SHA256: 4ac07a8af61ca125dad407c3af35ccaae8e098aa3aff8052b5dddc11f69fb5b9
- metro_driver.dll
  - Size: 466KiB (477056 bytes)
  - Runtime Process: setup.exe (PID: 2836)
  - MD5: 149e9113478532e8223c0ed262808448
  - SHA1: df871ccb86d14a84e798d30acc398f62e91db295
  - SHA256: 0d2aa54a411817ef60e3fa770bc72929aae2d4c4749c5fc126ed7fda0d6db8b3
- nacl64.exe
  - Size: 2MiB (2078592 bytes)
  - Runtime Process: setup.exe (PID: 2836)
  - MD5: edf7812aed85ad0ca6a25e8e38372745
  - SHA1: b37fa6e22afb12ca6d0743c9236e75b8558ec271
  - SHA256: d6efaa5b4db94061be3640bb5c3ab08df71886d70536f7a45e4ec51e5a20e481
- ppgooglenaclpluginchrome.dll
  - Size: 466KiB (477568 bytes)
  - Runtime Process: setup.exe (PID: 2836)
  - MD5: bda76c55437b0fd51c17f3d62faff21c
  - SHA1: a0b58308117d1e12cdd3555b7e6a8274556bc8ac
  - SHA256: c9149c1c3c03ca038ae08ca14aa4bbce7387b606314e47bb5d6ab2b8d5771ce5
- wow_helper.exe
  - Size: 71KiB (73088 bytes)
  - Runtime Process: setup.exe (PID: 2836)
  - MD5: 91549ddd200c37d26da2562312fdd86a
  - SHA1: 1c9d1dd020d40649818ca41b92823f6afb081e75
  - SHA256: f31b179fa38924d27e5e5c2c862b6d6d21bdd3112c26c8516fd9dd68b99605c3
Notifications
- Runtime
  - No static analysis parsing on sample was performed
  - Not all sources for signature ID "api-1" are available in the report
  - Not all sources for signature ID "api-12" are available in the report
  - Not all sources for signature ID "api-25" are available in the report
  - Not all sources for signature ID "api-4" are available in the report
  - Not all sources for signature ID "api-55" are available in the report
  - Not all sources for signature ID "binary-0" are available in the report
  - Not all sources for signature ID "hooks-8" are available in the report
  - Not all sources for signature ID "mutant-0" are available in the report
  - Not all sources for signature ID "registry-17" are available in the report
  - Not all sources for signature ID "registry-18" are available in the report
  - Not all sources for signature ID "stream-2" are available in the report
  - Not all sources for signature ID "stream-22" are available in the report
  - Not all sources for signature ID "stream-3" are available in the report
  - Not all sources for signature ID "stream-32" are available in the report
  - Not all sources for signature ID "stream-34" are available in the report
  - Not all sources for signature ID "stream-39" are available in the report
  - Not all sources for signature ID "stream-4" are available in the report
  - Not all sources for signature ID "stream-49" are available in the report
  - Not all sources for signature ID "stream-5" are available in the report
  - Not all strings are visible in the report, because the maximum number of strings (5000) was reached
  - Some low-level data is hidden, as this is only a slim report
  - Static report size exceeded maximum capacity and may be missing stream data
  - Some low-level details are hidden from the report due to oversize