Initiator-2.08-build3825-x64fre.exe
This report is generated from a file or URL submitted to this webservice on May 22nd 2021 07:15:51 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.48.5 © Hybrid Analysis
Incident Response
Risk Assessment
- Persistence: Writes data to a remote process
- Fingerprint: Queries kernel debugger information; Reads the active computer name; Reads the cryptographic machine GUID
- Evasive: Marks file for deletion
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (2)

Installation/Persistence

Allocates virtual memory in a remote process
- details: "Initiator-2.08-build3825-x64fre.exe" allocated memory in "C:\d83f1769731a56c95a\wow\wiscsium.dll"
- source: API Call
- relevance: 7/10
- ATT&CK ID: T1055

Writes data to a remote process
- details:
"Initiator-2.08-build3825-x64fre.exe" wrote 1500 bytes to a remote process "C:\d83f1769731a56c95a\update\update.exe" (Handle: 456)
"Initiator-2.08-build3825-x64fre.exe" wrote 4 bytes to a remote process "C:\d83f1769731a56c95a\update\update.exe" (Handle: 456)
"Initiator-2.08-build3825-x64fre.exe" wrote 8 bytes to a remote process "C:\d83f1769731a56c95a\update\update.exe" (Handle: 456)
"Initiator-2.08-build3825-x64fre.exe" wrote 32 bytes to a remote process "C:\d83f1769731a56c95a\update\update.exe" (Handle: 456)
"Initiator-2.08-build3825-x64fre.exe" wrote 52 bytes to a remote process "C:\d83f1769731a56c95a\update\update.exe" (Handle: 456)
- source: API Call
- relevance: 6/10
- ATT&CK ID: T1055
Suspicious Indicators (21)

Anti-Detection/Stealthyness

Queries kernel debugger information
- details: "Initiator-2.08-build3825-x64fre.exe" at 00064866-00002804-00000033-100925530
- source: API Call
- relevance: 6/10
Anti-Reverse Engineering

PE file has unusual entropy sections
- details: .rsrc with unusual entropies 7.99947832077
- source: Static Parser
- relevance: 10/10
Environment Awareness

Reads the active computer name
- details: "Initiator-2.08-build3825-x64fre.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1012

Reads the cryptographic machine GUID
- details: "Initiator-2.08-build3825-x64fre.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012
General

Found a potential E-Mail address in binary/memory
- details:
Pattern match: "4apytq-tllmlmwm@7.7"
Pattern match: "4apytq-twmxmxmmm@7.7"
Pattern match: "4apytq-tmmnvnn@7.7"
Pattern match: "4apytq-tnnnnn@7.7"
Pattern match: "4apytq-tnnodooo@7.7"
Pattern match: "4apytq-toopohooo@7.7"
Pattern match: "4apytq-tooopp@7.7"
Pattern match: "ppp@7.7"
Pattern match: "4apytq-tppppq@7.7"
Pattern match: "4apytq-tqq1qyqq@7.7"
Pattern match: "4apytq-tqqqqq@7.7"
Pattern match: "rkr@7.7"
Pattern match: "4apytq-tkrlrcrxrr@7.7"
Pattern match: "4apytq-trrrrr@7.7"
Pattern match: "s@7.7"
Pattern match: "ss@7.7"
Pattern match: "4apytq-tsssst@7.7"
Pattern match: "4apytq-ttttltmtyt@7..7"
Pattern match: "4apytq-tytztttt@7.7"
Pattern match: "4apytq-ttttcuou@7.7"
- source: File/Memory
- relevance: 3/10
- ATT&CK ID: T1114
Installation/Persistence

Drops executable files
- details:
"iscsidip.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"iscsixip.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"iscsilog.dll" has type "PE32+ executable (DLL) (console) x86-64 for MS Windows"
"iscsidsc.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"iscsiupd.dll" has type "PE32+ executable (DLL) (console) x86-64 for MS Windows"
"iscsicpl.cpl" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"iscsipp.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"wiscsium.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"iscsium.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"iscsiwmi.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"iscsicli.exe" has type "PE32+ executable (console) x86-64 for MS Windows"
"iscsiexe.exe" has type "PE32+ executable (GUI) x86-64 for MS Windows"
"wiscsids.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"spmsg.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
- source: Binary File
- relevance: 10/10

The input sample dropped/contains a certificate file
- details:
File "iscsi200.cat" is a certificate (Owner: CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright c 1997 Microsoft Corp.; Issuer: CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright c 1997 Microsoft Corp.; SerialNumber: c1008b3c3c8811d13ef663ecdf40; Valid From: 01/10/1997 07:00:00; Until: 12/31/2020 07:00:00; Fingerprints: MD5=2A:95:4E:CA:79:B2:87:45:73:D9:2D:90:BA:F9:9F:B6; SHA1=A4:34:89:15:9A:52:0F:0D:93:D0:32:CC:AF:37:E7:FE:20:A8:B4:19)
File "iscsi200.cat" is a certificate (Owner: CN=Microsoft Timestamping Service, OU=nCipher DSE ESN:D8A9-CFCC-579C, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; Issuer: CN=Microsoft Timestamping PCA, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; SerialNumber: 614752ba000000000004; Valid From: 09/16/2006 01:53:00; Until: 09/16/2011 02:03:00; Fingerprints: MD5=7A:C7:BC:5B:D9:63:74:21:D1:34:5C:D0:E0:01:24:32; SHA1=A1:DC:02:4F:C8:B2:A7:67:45:D4:66:1F:66:3B:87:41:C3:D3:53:13)
File "iscsi200.cat" is a certificate (Owner: CN=Microsoft Timestamping PCA, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; Issuer: CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright c 1997 Microsoft Corp.; SerialNumber: 6a0b994fc00025ab11db451f587a67a2; Valid From: 09/16/2006 01:04:47; Until: 09/15/2019 07:00:00; Fingerprints: MD5=B9:56:D5:DA:60:80:B3:42:72:D1:9D:08:03:A4:E7:AA; SHA1=3E:A9:9A:60:05:82:75:E0:ED:83:B8:92:A9:09:44:9F:8C:33:B2:45)
File "iscsi200.cat" is a certificate (Owner: CN=Microsoft Windows Component Publisher, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; Issuer: CN=Microsoft Windows Verification Intermediate PCA, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; SerialNumber: 6102307e000000000006; Valid From: 03/10/2008 21:57:51; Until: 06/10/2009 22:07:51; Fingerprints: MD5=F2:36:AA:5B:DE:E9:8E:70:00:EF:46:82:BD:16:AF:3A; SHA1=01:2C:FC:A4:EE:C7:91:2F:7F:37:5A:24:9E:E9:DE:2D:8E:1A:A3:63)
File "iscsi200.cat" is a certificate (Owner: CN=Microsoft Windows Verification Intermediate PCA, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; Issuer: CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright c 1997 Microsoft Corp.; SerialNumber: 6a0b994fc0001bab11da3aa1b6dfec88; Valid From: 10/11/2005 21:55:20; Until: 04/26/2010 07:00:00; Fingerprints: MD5=55:F5:9A:E6:D2:95:A5:08:D5:05:25:46:0C:0F:E8:78; SHA1=1C:32:45:CA:95:17:DD:D6:C9:58:80:F2:92:DD:85:E2:67:1C:AE:9E)
File "mpio.cat" is a certificate (Owner: CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright c 1997 Microsoft Corp.; Issuer: CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright c 1997 Microsoft Corp.; SerialNumber: c1008b3c3c8811d13ef663ecdf40; Valid From: 01/10/1997 07:00:00; Until: 12/31/2020 07:00:00; Fingerprints: MD5=2A:95:4E:CA:79:B2:87:45:73:D9:2D:90:BA:F9:9F:B6; SHA1=A4:34:89:15:9A:52:0F:0D:93:D0:32:CC:AF:37:E7:FE:20:A8:B4:19)
File "mpio.cat" is a certificate (Owner: CN=Microsoft Timestamping Service, OU=nCipher DSE ESN:D8A9-CFCC-579C, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; Issuer: CN=Microsoft Timestamping PCA, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; SerialNumber: 614752ba000000000004; Valid From: 09/16/2006 01:53:00; Until: 09/16/2011 02:03:00; Fingerprints: MD5=7A:C7:BC:5B:D9:63:74:21:D1:34:5C:D0:E0:01:24:32; SHA1=A1:DC:02:4F:C8:B2:A7:67:45:D4:66:1F:66:3B:87:41:C3:D3:53:13)
File "mpio.cat" is a certificate (Owner: CN=Microsoft Timestamping PCA, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; Issuer: CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright c 1997 Microsoft Corp.; SerialNumber: 6a0b994fc00025ab11db451f587a67a2; Valid From: 09/16/2006 01:04:47; Until: 09/15/2019 07:00:00; Fingerprints: MD5=B9:56:D5:DA:60:80:B3:42:72:D1:9D:08:03:A4:E7:AA; SHA1=3E:A9:9A:60:05:82:75:E0:ED:83:B8:92:A9:09:44:9F:8C:33:B2:45)
File "mpio.cat" is a certificate (Owner: CN=Microsoft Windows Component Publisher, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; Issuer: CN=Microsoft Windows Verification Intermediate PCA, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; SerialNumber: 6102307e000000000006; Valid From: 03/10/2008 21:57:51; Until: 06/10/2009 22:07:51; Fingerprints: MD5=F2:36:AA:5B:DE:E9:8E:70:00:EF:46:82:BD:16:AF:3A; SHA1=01:2C:FC:A4:EE:C7:91:2F:7F:37:5A:24:9E:E9:DE:2D:8E:1A:A3:63)
File "mpio.cat" is a certificate (Owner: CN=Microsoft Windows Verification Intermediate PCA, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; Issuer: CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright c 1997 Microsoft Corp.; SerialNumber: 6a0b994fc0001bab11da3aa1b6dfec88; Valid From: 10/11/2005 21:55:20; Until: 04/26/2010 07:00:00; Fingerprints: MD5=55:F5:9A:E6:D2:95:A5:08:D5:05:25:46:0C:0F:E8:78; SHA1=1C:32:45:CA:95:17:DD:D6:C9:58:80:F2:92:DD:85:E2:67:1C:AE:9E)
File "empty.cat" is a certificate (Owner: CN=VeriSign Time Stamping Service CA SW1, OU="www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTDc98", OU=VeriSign Trust Network, O="VeriSign, Inc."; Issuer: OU="NO LIABILITY ACCEPTED, c97 VeriSign, Inc.", OU=VeriSign Time Stamping Service Root, OU="VeriSign, Inc.", O=VeriSign Trust Network; SerialNumber: fca4a59f2c0fc0b90398331b7b54541d; Valid From: 11/16/1999 00:00:00; Until: 01/06/2004 23:59:59; Fingerprints: MD5=63:F8:18:AF:F8:C5:7A:DE:84:A9:F2:B7:7A:EA:8A:31; SHA1=9A:3F:F0:5B:42:88:52:64:84:A9:FC:B8:BC:14:7D:53:E1:5A:43:BB)
File "empty.cat" is a certificate (Owner: CN=Microsoft Windows Verification Intermediate PCA, OU=Copyright c 1999 Microsoft Corp., O=Microsoft Corporation, L=Redmond, ST=WA, C=US; Issuer: CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright c 1997 Microsoft Corp.; SerialNumber: 6a0b994fc0009daa11d330a89560acfa; Valid From: 07/01/1999 07:00:00; Until: 10/15/2005 07:00:00; Fingerprints: MD5=6A:75:CE:31:40:38:A6:0C:A3:B8:8A:06:79:E0:36:BA; SHA1=80:D0:6D:73:82:C9:9D:9E:0C:04:FD:88:86:3B:D5:02:51:00:D7:BA)
File "empty.cat" is a certificate (Owner: CN=Microsoft Windows 2000 Publisher, OU=Copyright c 1999 Microsoft Corp., O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; Issuer: CN=Microsoft Windows Verification Intermediate PCA, OU=Copyright c 1999 Microsoft Corp., O=Microsoft Corporation, L=Redmond, ST=WA, C=US; SerialNumber: 6111e3e7000000000009; Valid From: 07/27/1999 17:33:55; Until: 07/27/2000 17:43:55; Fingerprints: MD5=A4:F3:0D:24:8A:35:6D:BE:C3:9A:D7:90:C1:4F:69:63; SHA1=4F:D6:6C:2A:36:FF:F5:FB:07:F3:5D:24:09:D1:8D:48:61:0B:EC:D2)
File "iscsi.cat" is a certificate (Owner: CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright c 1997 Microsoft Corp.; Issuer: CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright c 1997 Microsoft Corp.; SerialNumber: c1008b3c3c8811d13ef663ecdf40; Valid From: 01/10/1997 07:00:00; Until: 12/31/2020 07:00:00; Fingerprints: MD5=2A:95:4E:CA:79:B2:87:45:73:D9:2D:90:BA:F9:9F:B6; SHA1=A4:34:89:15:9A:52:0F:0D:93:D0:32:CC:AF:37:E7:FE:20:A8:B4:19)
File "iscsi.cat" is a certificate (Owner: CN=Microsoft Timestamping Service, OU=nCipher DSE ESN:D8A9-CFCC-579C, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; Issuer: CN=Microsoft Timestamping PCA, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; SerialNumber: 614752ba000000000004; Valid From: 09/16/2006 01:53:00; Until: 09/16/2011 02:03:00; Fingerprints: MD5=7A:C7:BC:5B:D9:63:74:21:D1:34:5C:D0:E0:01:24:32; SHA1=A1:DC:02:4F:C8:B2:A7:67:45:D4:66:1F:66:3B:87:41:C3:D3:53:13)
File "iscsi.cat" is a certificate (Owner: CN=Microsoft Timestamping PCA, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; Issuer: CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright c 1997 Microsoft Corp.; SerialNumber: 6a0b994fc00025ab11db451f587a67a2; Valid From: 09/16/2006 01:04:47; Until: 09/15/2019 07:00:00; Fingerprints: MD5=B9:56:D5:DA:60:80:B3:42:72:D1:9D:08:03:A4:E7:AA; SHA1=3E:A9:9A:60:05:82:75:E0:ED:83:B8:92:A9:09:44:9F:8C:33:B2:45)
File "iscsi.cat" is a certificate (Owner: CN=Microsoft Windows Component Publisher, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; Issuer: CN=Microsoft Windows Verification Intermediate PCA, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; SerialNumber: 6102307e000000000006; Valid From: 03/10/2008 21:57:51; Until: 06/10/2009 22:07:51; Fingerprints: MD5=F2:36:AA:5B:DE:E9:8E:70:00:EF:46:82:BD:16:AF:3A; SHA1=01:2C:FC:A4:EE:C7:91:2F:7F:37:5A:24:9E:E9:DE:2D:8E:1A:A3:63)
File "iscsi.cat" is a certificate (Owner: CN=Microsoft Windows Verification Intermediate PCA, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; Issuer: CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright c 1997 Microsoft Corp.; SerialNumber: 6a0b994fc0001bab11da3aa1b6dfec88; Valid From: 10/11/2005 21:55:20; Until: 04/26/2010 07:00:00; Fingerprints: MD5=55:F5:9A:E6:D2:95:A5:08:D5:05:25:46:0C:0F:E8:78; SHA1=1C:32:45:CA:95:17:DD:D6:C9:58:80:F2:92:DD:85:E2:67:1C:AE:9E)
- source: Binary File
- relevance: 10/10
Network Related

Found potential IP address in binary/memory
- details:
"6.3.0004.1"
Potential IPs "0.0.0.0"
"0.0.0.0" found in string "Note: When you view the MPIO Device Details, Source Portal shows 0.0.0.0 as the IP address. When viewing the details of the Targets on the connections page the Source Portal displays 0.0.0.0 as the Source IP."
- source: File/Memory
- relevance: 3/10
Remote Access Related

Contains references to WMI/WMIC
- details:
"MSiSCSI_NICConfig - HBA initiator only, NIC configuration class." (Indicator: "nicconfig")
"MSiSCSI_BootConfiguration - HBA initiator only, Boot configuration class." (Indicator: "bootconfig")
- source: File/Memory
- relevance: 10/10
- ATT&CK ID: T1047
System Destruction

Marks file for deletion
- details:
"C:\Initiator-2.08-build3825-x64fre.exe" marked "C:\d83f1769731a56c95a\wow\wiscsium.dll" for deletion
"C:\Initiator-2.08-build3825-x64fre.exe" marked "C:\d83f1769731a56c95a\wow\wiscsids.dll" for deletion
"C:\Initiator-2.08-build3825-x64fre.exe" marked "C:\d83f1769731a56c95a\update\update.ver" for deletion
"C:\Initiator-2.08-build3825-x64fre.exe" marked "C:\d83f1769731a56c95a\update\eula.txt" for deletion
"C:\Initiator-2.08-build3825-x64fre.exe" marked "C:\d83f1769731a56c95a\update\updatebr.inf" for deletion
"C:\Initiator-2.08-build3825-x64fre.exe" marked "C:\d83f1769731a56c95a\update\update_wxp.inf" for deletion
"C:\Initiator-2.08-build3825-x64fre.exe" marked "C:\d83f1769731a56c95a\update\update_w03.inf" for deletion
"C:\Initiator-2.08-build3825-x64fre.exe" marked "C:\d83f1769731a56c95a\update\update.exe" for deletion
"C:\Initiator-2.08-build3825-x64fre.exe" marked "C:\d83f1769731a56c95a\update\updspapi.dll" for deletion
"C:\Initiator-2.08-build3825-x64fre.exe" marked "C:\d83f1769731a56c95a\update\iscsiupd.dll" for deletion
"C:\Initiator-2.08-build3825-x64fre.exe" marked "C:\d83f1769731a56c95a\update\iscsi200.cat" for deletion
"C:\Initiator-2.08-build3825-x64fre.exe" marked "C:\d83f1769731a56c95a\relnotes.txt" for deletion
"C:\Initiator-2.08-build3825-x64fre.exe" marked "C:\d83f1769731a56c95a\readme.txt" for deletion
"C:\Initiator-2.08-build3825-x64fre.exe" marked "C:\d83f1769731a56c95a" for deletion
"C:\Initiator-2.08-build3825-x64fre.exe" marked "C:\_349781_" for deletion
"C:\Initiator-2.08-build3825-x64fre.exe" marked "C:\d83f1769731a56c95a\msiscsi.sys" for deletion
"C:\Initiator-2.08-build3825-x64fre.exe" marked "C:\d83f1769731a56c95a\msiscdsm.sys" for deletion
"C:\Initiator-2.08-build3825-x64fre.exe" marked "C:\d83f1769731a56c95a\mpspfltr.sys" for deletion
"C:\Initiator-2.08-build3825-x64fre.exe" marked "C:\d83f1769731a56c95a\mpio.sys" for deletion
"C:\Initiator-2.08-build3825-x64fre.exe" marked "C:\d83f1769731a56c95a\mpdev.sys" for deletion
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1107
Opens file with deletion access rights
- details:
"Initiator-2.08-build3825-x64fre.exe" opened "c:\d83f1769731a56c95a\wow\wiscsium.dll" with delete access
"Initiator-2.08-build3825-x64fre.exe" opened "c:\d83f1769731a56c95a\wow\wiscsids.dll" with delete access
"Initiator-2.08-build3825-x64fre.exe" opened "c:\d83f1769731a56c95a\update\update.ver" with delete access
"Initiator-2.08-build3825-x64fre.exe" opened "c:\d83f1769731a56c95a\update\eula.txt" with delete access
"Initiator-2.08-build3825-x64fre.exe" opened "c:\d83f1769731a56c95a\update\updatebr.inf" with delete access
"Initiator-2.08-build3825-x64fre.exe" opened "c:\d83f1769731a56c95a\update\update_wxp.inf" with delete access
"Initiator-2.08-build3825-x64fre.exe" opened "c:\d83f1769731a56c95a\update\update_w03.inf" with delete access
"Initiator-2.08-build3825-x64fre.exe" opened "c:\d83f1769731a56c95a\update\update.exe" with delete access
"Initiator-2.08-build3825-x64fre.exe" opened "c:\d83f1769731a56c95a\update\updspapi.dll" with delete access
"Initiator-2.08-build3825-x64fre.exe" opened "c:\d83f1769731a56c95a\update\iscsiupd.dll" with delete access
"Initiator-2.08-build3825-x64fre.exe" opened "c:\d83f1769731a56c95a\update\iscsi200.cat" with delete access
"Initiator-2.08-build3825-x64fre.exe" opened "c:\d83f1769731a56c95a\relnotes.txt" with delete access
"Initiator-2.08-build3825-x64fre.exe" opened "c:\d83f1769731a56c95a\readme.txt" with delete access
"Initiator-2.08-build3825-x64fre.exe" opened "c:\d83f1769731a56c95a\msiscsi.sys" with delete access
"Initiator-2.08-build3825-x64fre.exe" opened "c:\d83f1769731a56c95a" with delete access
"Initiator-2.08-build3825-x64fre.exe" opened "c:\_349781_" with delete access
"Initiator-2.08-build3825-x64fre.exe" opened "c:\d83f1769731a56c95a\msiscdsm.sys" with delete access
"Initiator-2.08-build3825-x64fre.exe" opened "c:\d83f1769731a56c95a\mpspfltr.sys" with delete access
"Initiator-2.08-build3825-x64fre.exe" opened "c:\d83f1769731a56c95a\mpio.sys" with delete access
"Initiator-2.08-build3825-x64fre.exe" opened "c:\d83f1769731a56c95a\mpdev.sys" with delete access
- source: API Call
- relevance: 7/10
Unusual Characteristics

CRC value set in PE header does not match actual value
- details:
"iscsidip.dll" claimed CRC 26474 while the actual is CRC 2731007
"iscsixip.dll" claimed CRC 58104 while the actual is CRC 26474
"iscsilog.dll" claimed CRC 50946 while the actual is CRC 58104
"iscsidsc.dll" claimed CRC 124186 while the actual is CRC 50946
"iscsiupd.dll" claimed CRC 197068 while the actual is CRC 124186
"iscsicpl.cpl" claimed CRC 252765 while the actual is CRC 197068
"iscsipp.dll" claimed CRC 131668 while the actual is CRC 252765
"wiscsium.dll" claimed CRC 29361 while the actual is CRC 131668
"iscsium.dll" claimed CRC 59782 while the actual is CRC 29361
"iscsiwmi.dll" claimed CRC 104966 while the actual is CRC 59782
"iscsicli.exe" claimed CRC 153760 while the actual is CRC 104966
"iscsiexe.exe" claimed CRC 199964 while the actual is CRC 153760
"wiscsids.dll" claimed CRC 72018 while the actual is CRC 199964
"spmsg.dll" claimed CRC 19419 while the actual is CRC 72018
- source: Static Parser
- relevance: 10/10
Imports suspicious APIs
- details:
SetSecurityDescriptorDacl
OpenProcessToken
DeviceIoControl
GetFileAttributesA
CopyFileA
GetVersionExA
GetModuleFileNameA
LoadLibraryA
CreateDirectoryA
DeleteFileA
UnhandledExceptionFilter
GetCommandLineA
GetProcAddress
CreateThread
FindFirstFileA
WriteFile
FindNextFileA
GetDriveTypeA
TerminateProcess
CreateProcessA
Sleep
CreateFileA
GetTickCount
GetFileSize
RegCloseKey
GetVersionExW
GetModuleHandleW
CreateFileW
RegDeleteKeyA
RegCreateKeyExA
RegOpenKeyA
RegOpenKeyExA
RegCreateKeyA
RegEnumKeyExA
CreateServiceA
StartServiceA
RegDeleteValueA
GetModuleHandleA
OutputDebugStringA
GetModuleFileNameW
GetFileAttributesW
LoadLibraryW
RegCreateKeyExW
RegOpenKeyExW
GetComputerNameExW
socket
WSAStartup
connect
closesocket
GetStartupInfoA
VirtualProtect
FindResourceW
MapViewOfFileEx
GetCommandLineW
CreateFileMappingW
VirtualAlloc
RegDeleteValueW
StartServiceCtrlDispatcherW
GetComputerNameExA
recv
bind
send
accept
recvfrom
sendto
listen
- source: Static Parser
- relevance: 1/10
Installs hooks/patches the running process
- details:
"Initiator-2.08-build3825-x64fre.exe" wrote bytes "b4360200" to virtual address "0x74894D68" (part of module "SSPICLI.DLL")
"Initiator-2.08-build3825-x64fre.exe" wrote bytes "b880111a73ffe0" to virtual address "0x764A1368" (part of module "WS2_32.DLL")
"Initiator-2.08-build3825-x64fre.exe" wrote bytes "a0111a73" to virtual address "0x75E7E324" (part of module "WININET.DLL")
"Initiator-2.08-build3825-x64fre.exe" wrote bytes "d83a8974" to virtual address "0x748A01E0" (part of module "SSPICLI.DLL")
"Initiator-2.08-build3825-x64fre.exe" wrote bytes "b4368974" to virtual address "0x748A0200" (part of module "SSPICLI.DLL")
"Initiator-2.08-build3825-x64fre.exe" wrote bytes "68130000" to virtual address "0x764A1680" (part of module "WS2_32.DLL")
"Initiator-2.08-build3825-x64fre.exe" wrote bytes "b4360200" to virtual address "0x74894EA4" (part of module "SSPICLI.DLL")
"Initiator-2.08-build3825-x64fre.exe" wrote bytes "b4368974" to virtual address "0x748A01E4" (part of module "SSPICLI.DLL")
"Initiator-2.08-build3825-x64fre.exe" wrote bytes "b890121a73ffe0" to virtual address "0x74893AD8" (part of module "SSPICLI.DLL")
"Initiator-2.08-build3825-x64fre.exe" wrote bytes "d83a0200" to virtual address "0x74894E38" (part of module "SSPICLI.DLL")
"Initiator-2.08-build3825-x64fre.exe" wrote bytes "d83a0200" to virtual address "0x74894D78" (part of module "SSPICLI.DLL")
"Initiator-2.08-build3825-x64fre.exe" wrote bytes "d83a8974" to virtual address "0x748A0258" (part of module "SSPICLI.DLL")
"Initiator-2.08-build3825-x64fre.exe" wrote bytes "b4368974" to virtual address "0x748A0278" (part of module "SSPICLI.DLL")
"Initiator-2.08-build3825-x64fre.exe" wrote bytes "b4368974" to virtual address "0x748A025C" (part of module "SSPICLI.DLL")
"Initiator-2.08-build3825-x64fre.exe" wrote bytes "d83a8974" to virtual address "0x748A01FC" (part of module "SSPICLI.DLL")
"Initiator-2.08-build3825-x64fre.exe" wrote bytes "b810151a73ffe0" to virtual address "0x748936B4" (part of module "SSPICLI.DLL")
"Initiator-2.08-build3825-x64fre.exe" wrote bytes "c0dfff761cf9fe76ccf8fe760d64007700000000c0116e7600000000fc3e6e7600000000e0136e76000000009457947425e0ff76c6e0ff7600000000bc6a937400000000cf316e760000000093199474000000002c326e7600000000" to virtual address "0x757E1000" (part of module "NSI.DLL")
"Initiator-2.08-build3825-x64fre.exe" wrote bytes "d83a8974" to virtual address "0x748A0274" (part of module "SSPICLI.DLL")
"Initiator-2.08-build3825-x64fre.exe" wrote bytes "7111ca007a3bc900ab8b02007f950200fc8c0200729602006cc805001ecdc6007d26c600" to virtual address "0x763B07E4" (part of module "USER32.DLL")
"update.exe" wrote bytes "00100000" to virtual address "0xFD8B1748" (part of module "WS2_32.DLL")
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1179
Reads information about supported languages
- details:
"Initiator-2.08-build3825-x64fre.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"update.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012

Hiding 6 Suspicious Indicators
Informative (15)

External Systems

Sample was identified as clean by Antivirus engines
- details: 0/68 Antivirus vendors marked sample as malicious (0% detection rate)
- source: External System
- relevance: 10/10
General

Contains PDB pathways
- details:
"sfxcab.pdb"
"iscsicli.pdb"
"iscsicpl.pdb"
"iscsidip.pdb"
"iscsidsc.pdb"
"iscsiexe.pdb"
"iscsipp.pdb"
"iscsiprt.pdb"
"iscsium.pdb"
"iscsiupd.pdb"
"iscsiwmi.pdb"
"iscsixip.pdb"
"mpdev.pdb"
"mpspfltr.pdb"
"msiscdsm.pdb"
"msiscsi.pdb"
"CopyFiles = iSCSI.ProgramFiles, iSCSI.INFFiles, iSCSI.MOFFiles, iSCSI.DriverFiles, iSCSI.CoreDriverFiles, iSCSI.AppFiles, iSCSI.PDBCplFiles, iSCSI.PDBDllFiles, iSCSI.PDBExeFiles, iSCSI.PDBSysFiles"
"iSCSI.PDBCplFiles = 10,iSCSI\Symbols\Cpl ; %windir%\iSCSI\Symbols\Cpl"
"iSCSI.PDBDllFiles = 10,iSCSI\Symbols\Dll ; %windir%\iSCSI\Symbols\Dll"
"iSCSI.PDBExeFiles = 10,iSCSI\Symbols\Exe ; %windir%\iSCSI\Symbols\Exe"
- source: File/Memory
- relevance: 1/10
Creates mutants
- details:
"\Sessions\1\BaseNamedObjects\Global\ServicePackOrHotfix"
"Global\ServicePackOrHotfix"
- source: Created Mutant
- relevance: 3/10
Drops files marked as clean
- details: Antivirus vendors marked the following dropped files as clean:
"iscsidip.dll" (type is "PE32+ executable (DLL) (GUI) x86-64 for MS Windows")
"iscsixip.dll" (type is "PE32+ executable (DLL) (GUI) x86-64 for MS Windows")
"iscsilog.dll" (type is "PE32+ executable (DLL) (console) x86-64 for MS Windows")
"mpdev.inf" (type is "data")
"mpio.cat" (type is "data")
"iscsi.inf" (type is "Windows setup INFormation ASCII text with CRLF line terminators")
"uguide.doc" (type is "Composite Document File V2 Document Little Endian O%WINDIR%\Version 6.0 Code page: 1252 Title: iSCSI Users Guide Template: Normal.dotm Revision Number: 1 Name of Creating Application: Microsoft Office Word Last Printed: Mon Jan 22 20:20:00 2007 Create Time/Date: Fri Jul 11 05:16:00 2008 Last Saved Time/Date: Thu Nov 13 18:38:00 2008 Number of Pages: 172 Number of Words: 37135 Number of Characters: 211675 Security: 0")
"iscsidsc.dll" (type is "PE32+ executable (DLL) (GUI) x86-64 for MS Windows")
"iscsiupd.dll" (type is "PE32+ executable (DLL) (console) x86-64 for MS Windows")
"iscsicpl.cpl" (type is "PE32+ executable (DLL) (GUI) x86-64 for MS Windows")
"empty.cat" (type is "data")
"iscsipp.dll" (type is "PE32+ executable (DLL) (GUI) x86-64 for MS Windows")
"wiscsium.dll" (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
"mpio.inf" (type is "data")
"iscsium.dll" (type is "PE32+ executable (DLL) (GUI) x86-64 for MS Windows")
"iscsiwmi.dll" (type is "PE32+ executable (DLL) (GUI) x86-64 for MS Windows")
"msiscdsm.inf" (type is "Windows setup INFormation ASCII text with CRLF line terminators")
"iscsicli.exe" (type is "PE32+ executable (console) x86-64 for MS Windows")
"iscsiexe.exe" (type is "PE32+ executable (GUI) x86-64 for MS Windows")
"wiscsids.dll" (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- source: Binary File
- relevance: 10/10
Process launched with changed environment
- details:
Process "update.exe" was launched with new environment variables: "PROCESSOR_ARCHITEW6432="AMD64", _SFX_CAB_SHUTDOWN_REQUEST="c:\d83f1769731a56c95a\$shtdwn$.req", _SFX_CAB_EXE_PATH="c:\d83f1769731a56c95a", __COMPAT_LAYER="ElevateCreateProcess WRPMitigationLayer", _SFX_CAB_EXE_PACKAGE="C:\Initiator-2.08-build3825-x64fre.exe""
Process "update.exe" was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles"
- source: Monitored Target
- relevance: 10/10
Spawns new processes
- details: Spawned process "update.exe"
- source: Monitored Target
- relevance: 3/10

Spawns new processes that are not known child processes
- details: Spawned process "update.exe"
- source: Monitored Target
- relevance: 3/10
The input sample is signed with a certificate
- details:
The input sample is signed with a certificate issued by "CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright c 1997 Microsoft Corp." (SHA1: A4:34:89:15:9A:52:0F:0D:93:D0:32:CC:AF:37:E7:FE:20:A8:B4:19; see report for more information)
The input sample is signed with a certificate issued by "CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright c 1997 Microsoft Corp." (SHA1: 30:36:E3:B2:5B:88:A5:5B:86:FC:90:E6:E9:EA:AD:50:81:44:51:66; see report for more information)
The input sample is signed with a certificate issued by "CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US" (SHA1: D5:7F:AC:60:F1:A8:D3:48:77:AE:B3:50:E8:3F:46:F6:EF:C9:E5:F1; see report for more information)
The input sample is signed with a certificate issued by "CN=Microsoft Timestamping PCA, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US" (SHA1: A1:DC:02:4F:C8:B2:A7:67:45:D4:66:1F:66:3B:87:41:C3:D3:53:13; see report for more information)
The input sample is signed with a certificate issued by "CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright c 1997 Microsoft Corp." (SHA1: 3E:A9:9A:60:05:82:75:E0:ED:83:B8:92:A9:09:44:9F:8C:33:B2:45; see report for more information)
- source: Certificate Data
- relevance: 10/10
- ATT&CK ID: T1116
Installation/Persistence

Chained signature (with api-8702...). Detects file write then load as module
- details: Chained signature (with api-8702...). Detects file write then load as module
- source: Loaded Module
- relevance: 8/10
Connects to LPC ports
- details:
"Initiator-2.08-build3825-x64fre.exe" connecting to "\ThemeApiPort"
"update.exe" connecting to "\ThemeApiPort"
- source: API Call
- relevance: 1/10
Dropped files
- details:
"iscsidip.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"iscsixip.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"iscsilog.dll" has type "PE32+ executable (DLL) (console) x86-64 for MS Windows"
"iscsi200.cat" has type "data"
"mpdev.inf" has type "data"
"update_wxp.inf" has type "ASCII text with very long lines with CRLF line terminators"
"mpio.cat" has type "data"
"iscsi.inf" has type "Windows setup INFormation ASCII text with CRLF line terminators"
"uguide.doc" has type "Composite Document File V2 Document Little Endian O%WINDIR%\Version 6.0 Code page: 1252 Title: iSCSI Users Guide Template: Normal.dotm Revision Number: 1 Name of Creating Application: Microsoft Office Word Last Printed: Mon Jan 22 20:20:00 2007 Create Time/Date: Fri Jul 11 05:16:00 2008 Last Saved Time/Date: Thu Nov 13 18:38:00 2008 Number of Pages: 172 Number of Words: 37135 Number of Characters: 211675 Security: 0"
"updatebr.inf" has type "ASCII text with CRLF line terminators"
"iscsidsc.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"iscsiupd.dll" has type "PE32+ executable (DLL) (console) x86-64 for MS Windows"
"iscsicpl.cpl" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"empty.cat" has type "data"
"iscsipp.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"wiscsium.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"mpio.inf" has type "data"
"iscsium.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"update_w03.inf" has type "ASCII text with very long lines with CRLF line terminators"
"iscsiwmi.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
- source: Binary File
- relevance: 3/10
Touches files in the Windows directory
- details
-
"Initiator-2.08-build3825-x64fre.exe" touched file "%WINDIR%\AppPatch\sysmain.sdb"
"Initiator-2.08-build3825-x64fre.exe" touched file "C:\Windows\AppPatch\AcLayers.dll"
"Initiator-2.08-build3825-x64fre.exe" touched file "C:\Windows\AppPatch\AcGenral.dll"
"Initiator-2.08-build3825-x64fre.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"Initiator-2.08-build3825-x64fre.exe" touched file "C:\Windows\Fonts\StaticCache.dat"
"Initiator-2.08-build3825-x64fre.exe" touched file "C:\Windows\SysWOW64\en-US\msctf.dll.mui"
"Initiator-2.08-build3825-x64fre.exe" touched file "C:\Windows\AppPatch\AppPatch64\sysmain.sdb"
"Initiator-2.08-build3825-x64fre.exe" touched file "C:\Windows\SysWOW64\rsaenh.dll"
"update.exe" touched file "C:\Windows\AppPatch\AppPatch64\sysmain.sdb"
"update.exe" touched file "C:\Windows\AppPatch\AppPatch64\AcGenral.dll"
"update.exe" touched file "C:\Windows\setupapi.log"
"update.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"update.exe" touched file "C:\Windows\System32\en-US\newdev.dll.mui"
"update.exe" touched file "C:\Windows\Fonts\StaticCache.dat"
"update.exe" touched file "C:\Windows\System32\en-US\msctf.dll.mui" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Heuristic match: "empty.cat"
Heuristic match: "iscsi.cat"
Heuristic match: "update\iscsi200.cat"
Pattern match: "crl.microsoft.com/pki/crl/products/CSPCA.crl0H"
Pattern match: "http://www.microsoft.com/pki/certs/CSPCA.crt0"
Pattern match: "crl.microsoft.com/pki/crl/products/tspca.crl0H"
Pattern match: "http://www.microsoft.com/pki/certs/tspca.crt0"
Pattern match: "http://www.microsoft.com0"
Heuristic match: "CatalogFile=iscsi.cat"
Heuristic match: "CatalogFile=%SP_SHORT_TITLE%.cat"
Heuristic match: "%SP_SHORT_TITLE%.cat, update\%SP_SHORT_TITLE%.cat"
Heuristic match: "mpio.cat"
Heuristic match: "%SP_SHORT_TITLE%.cat"
Pattern match: "http://www.microsoft.com/windowsserver2003/technologies/storage/iscsi/iscsicluster.mspxhttp://www.microsoft.com/windowsserver2003/technologies/storage/iscsi/iscsicluster.mspx"
Pattern match: "www.ietf.org"
Pattern match: "http://www.microsoft.com/technet/prodtechnol/exchange/2003/esrp.mspxhttp://www.microsoft.com/technet/prodtechnol/exchange/2003/esrp.mspx"
Pattern match: "http://www.microsoft.com/downloads/details.aspx?FamilyID=12cb3c1a-15d6-4585-b385-befd1319f825&DisplayLang=enhttp://www.microsoft.com/downloads/details.aspx?FamilyID=12cb3c1a-15d6-4585-b385-befd1319f825&DisplayLang=en"
Pattern match: "http://www.microsoft.com/downloadswww.microsoft.com/downloads"
Pattern match: "http://www.microsoft.com/downloads/details.aspx?familyid=12CB3C1A-15D6-4585-B385-BEFD1319F825&displaylang=en"
Pattern match: "http://support.microsoft.com/kb/256986/http://support.microsoft.com/kb/256986/"
Pattern match: "http://www.sysinternals.com"
Pattern match: "http://support.microsoft.com/default.aspx?scid=kb;EN-US;239924http://support.microsoft.com/default.aspx?scid=kb;EN-US;239924"
Pattern match: "http://www.Microsoft.comwww.Microsoft.com"
Pattern match: "http://www.microsoft.com/windowsserver2003/technologies/storage/iscsi/default.mspxhttp://www.microsoft.com/windowsserver2003/technologies/storage/iscsi/default.mspx"
Pattern match: "http://www.windowsservercatalog.com/http://www.windowsservercatalog.com/"
Pattern match: "http://www.microsoft.com/whdc/hwtest/default.mspxhttp://www.microsoft.com/whdc/hwtest/default.mspx"
Pattern match: "Ply8hPbik.OP/rPV+"
Pattern match: "x.Bx/BwX{?HGvj"
Pattern match: "x.Bx/p9~=z@2~Ibo:vg"
Pattern match: "www.microsoft.com/windowsserver2003/technologies/storage/iscsi/iscsicluster.mspxyX;H,]'cDyKyK^http://www.microsoft.com/downloadsyX;H,]'cQDd"
Pattern match: "K4Kki.cF/=/:_=o=z_tG"
Pattern match: "www.microsoft.com/technet/prodtechnol/exchange/2003/esrp.mspxyX;H,]'c"
Heuristic match: "\Hy<M,3.mydc aJqM3f\vi)`Y#~i/~.JrOnk.BO"
Pattern match: "i-.wx/Y}2ZW^4u/"
Pattern match: "aZkj6-P.Ki/}kFlo~[|yqgK7||/w?B"
Pattern match: "MgR5Mj.QRi/?+SNge_'~|1|t_Tg+"
Heuristic match: "b^0[QU^ugl<Egi[O:?W*-KKkvKwH+egNLjc`ZVeB65kiD=>j4E`ad$wC)rt*WiO)\QW/+elV(`|v.gg"
Pattern match: "00W.md/KumM"
- source
- File/Memory
- relevance
- 10/10
-
System Security
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"Initiator-2.08-build3825-x64fre.exe" opened "\Device\KsecDD"
"update.exe" opened "\Device\KsecDD" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215 (Show technique in the MITRE ATT&CK™ matrix)
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
-
"b1ab5008e25eb7bd05983391ca6451bf409450d499dde21b2be79bdd836a9134.bin" was detected as "Microsoft visual C++ v7.1 EXE"
"iscsilog.dll" was detected as "Microsoft visual C++ vx.x DLL"
"wiscsium.dll" was detected as "MSVC++ DLL v.8 (typical OEP recognized - h)"
"wiscsids.dll" was detected as "MSVC++ DLL v.8 (typical OEP recognized - h)"
"spmsg.dll" was detected as "Microsoft visual C++ vx.x DLL" - source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1045 (Show technique in the MITRE ATT&CK™ matrix)
File Details
Initiator-2.08-build3825-x64fre.exe
- Filename
- Initiator-2.08-build3825-x64fre.exe
- Size
- 2.6MiB (2677632 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- b1ab5008e25eb7bd05983391ca6451bf409450d499dde21b2be79bdd836a9134
- MD5
- 57ae55c31db3b173648820af1cb778df
- SHA1
- 0fbccb931eb87efd1597e43df576c48113e913e3
- ssdeep
- 49152:2BEXWP/WZ1J5Yr+YVDLYLSL/luABDeizs/uaXf5scdW0wlPuUFGEAgjMY92Pk0XU:PGP/8J5oFVDLWSLfTz8uaXxscdpUFGET
- imphash
- a1f6f100bff4507a3332f3f0cdfc24f5
- authentihash
- 663fd8fab1864b4de1e7303c2c8569c2affbfdbfb49c419e5f74e156dfcc7c91
- Compiler/Packer
- Microsoft visual C++ v7.1 EXE
- PDB Timestamp
- 12/06/2006 23:48:12 (UTC)
- PDB Pathway
- sfxcab.pdb
- PDB GUID
- 352F144904304D35B8ED12E6F3FA9964
Version Info
- LegalCopyright
- Microsoft Corporation. All rights reserved.
- InternalName
- SFXCAB.EXE
- FileVersion
- 6.3.0004.1 built by: dnsrv
- CompanyName
- Microsoft Corporation
- ProductName
- Microsoft Windows Operating System
- ProductVersion
- 6.3.0004.1
- FileDescription
- Self-Extracting Cabinet
- OriginalFilename
- SFXCAB.EXE
- Translation
- 0x0409 0x04b0
Classification (TrID)
- 82.1% (.EXE) MS generic-sfx Cabinet File Unpacker (32/64bit MSCFU)
- 7.3% (.EXE) Win32 Executable MS Visual C++ (generic)
- 6.4% (.EXE) Win64 Executable (generic)
- 1.5% (.DLL) Win32 Dynamic Link Library (generic)
- 1.0% (.EXE) Win32 Executable (generic)
File Metadata
- 1 .OBJ Files (COFF) linked with LINK.EXE 7.10 (Visual Studio .NET 2003) (build: 4035)
- 1 .RES Files linked with CVTRES.EXE 7.10 (Visual Studio .NET 2003) (build: 4035)
- 32 .C Files compiled with CL.EXE 13.10 (Visual Studio .NET 2003) (build: 4035)
- 15 .LIB Files generated with LIB.EXE 7.10 (Visual Studio .NET 2003) (build: 4035)
- 1 .ASM Files assembled with MASM 7.10 (Visual Studio .NET 2002) (build: 4035)
- File appears to contain raw COFF/OMF content
- File is the product of a medium codebase (32 files)
File Sections
File Resources
File Imports
File Certificates
Owner | Issuer | Serial | Valid from | Valid to | MD5 | SHA1
---|---|---|---|---|---|---
CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright c 1997 Microsoft Corp. | CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright c 1997 Microsoft Corp. | c1008b3c3c8811d13ef663ecdf40 | 01/10/1997 07:00:00 | 12/31/2020 07:00:00 | 2A:95:4E:CA:79:B2:87:45:73:D9:2D:90:BA:F9:9F:B6 | A4:34:89:15:9A:52:0F:0D:93:D0:32:CC:AF:37:E7:FE:20:A8:B4:19
CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US | CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright c 1997 Microsoft Corp. | 2eab11dc50ff5c9dcbc0 | 08/22/2007 22:31:02 | 08/25/2012 07:00:00 | 33:14:0F:BB:D4:F7:8B:32:64:BD:AF:83:99:4C:67:90 | 30:36:E3:B2:5B:88:A5:5B:86:FC:90:E6:E9:EA:AD:50:81:44:51:66
CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US | CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US | 610f784d000000000003 | 08/23/2007 00:23:13 | 02/23/2009 00:33:13 | F6:EE:46:86:F1:61:84:03:27:ED:85:AB:1B:C4:B7:50 | D5:7F:AC:60:F1:A8:D3:48:77:AE:B3:50:E8:3F:46:F6:EF:C9:E5:F1
CN=Microsoft Timestamping Service, OU=nCipher DSE ESN:D8A9-CFCC-579C, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US | CN=Microsoft Timestamping PCA, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US | 614752ba000000000004 | 09/16/2006 01:53:00 | 09/16/2011 02:03:00 | 7A:C7:BC:5B:D9:63:74:21:D1:34:5C:D0:E0:01:24:32 | A1:DC:02:4F:C8:B2:A7:67:45:D4:66:1F:66:3B:87:41:C3:D3:53:13
CN=Microsoft Timestamping PCA, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US | CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright c 1997 Microsoft Corp. | 6a0b994fc00025ab11db451f587a67a2 | 09/16/2006 01:04:47 | 09/15/2019 07:00:00 | B9:56:D5:DA:60:80:B3:42:72:D1:9D:08:03:A4:E7:AA | 3E:A9:9A:60:05:82:75:E0:ED:83:B8:92:A9:09:44:9F:8C:33:B2:45
Screenshots
Hybrid Analysis
Analysed 2 processes in total.
-
Initiator-2.08-build3825-x64fre.exe
(PID: 2804)
- update.exe (PID: 1664)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Displaying 35 extracted file(s). The remaining 23 file(s) are available in the full version and XML/JSON reports.
-
Clean 22
-
-
empty.cat
- Size
- 5KiB (5149 bytes)
- Type
- data
- AV Scan Result
- 0/57
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- b1035a2e505af840eaaa5ed685d072d6
- SHA1
- 5ad58a9ff76dab1fb530079d516c3b4eef75dcc8
- SHA256
- 70738ef2b86cbd25c9655eb25d506e44c36ed69ce713d05eae846b0286457544
-
iscsi.cat
- Size
- 16KiB (16450 bytes)
- Type
- data
- AV Scan Result
- 0/58
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- b05c575f63b58a027495d0452e83e3d0
- SHA1
- ef32e5196eae4f21c1c1ce7c0ab6ccc1715712c1
- SHA256
- 9c1cc94211d6aa1dad3c082c64ddbfb0d12bcc7f40258caa7ae35f7785256092
-
iscsi.inf
- Size
- 3.8KiB (3939 bytes)
- Type
- text
- Description
- Windows setup INFormation, ASCII text, with CRLF line terminators
- AV Scan Result
- 0/56
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- 2bac5cccfbc4db3f79336906f89d8192
- SHA1
- 7934c2732615a52e7acdf1fe068afa170b7909f6
- SHA256
- 10d029b93befc1f26dc740086b59c3a12ac2986f152812f30a8c6ef2d58e84a1
-
iscsicli.exe
- Size
- 111KiB (113152 bytes)
- Type
- peexe 64bits executable
- Description
- PE32+ executable (console) x86-64, for MS Windows
- AV Scan Result
- 0/70
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- ac4ec8a15de200e0b270ac305e6d7a52
- SHA1
- 780221b3627350cee2a870ad7ca28da6050e1542
- SHA256
- 0c8e5c6a465bfcba2f763e8b1d3776f423982df8d71e1188f1109dc158af2a8c
-
iscsicpl.cpl
- Size
- 188KiB (192512 bytes)
- Type
- pedll 64bits executable
- Description
- PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/66
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- 2c18b63a4aca9b6f3d0f899661126475
- SHA1
- 85bbde8e1cc66a06714c61bfee48480cb0d5e7c2
- SHA256
- bfdd83d068ee23ed2b778f9b1ce5b1ba89383ae77f4a85ebadfe98e766d0cfb4
-
iscsidip.dll
- Size
- 16KiB (16384 bytes)
- Type
- pedll 64bits executable
- Description
- PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/57
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- 6896411303d9553a958ffcf562be0ffa
- SHA1
- d30d3ab40053b3958b05092c76443c6f219ecd9e
- SHA256
- ba2743366857a927495c027e9b1361b9099dc83e0c7eb6a42923b77266ee5016
-
iscsidsc.dll
- Size
- 90KiB (92216 bytes)
- Type
- pedll 64bits executable
- Description
- PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/65
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- 96a3abbaecb410b67ce3da1afdc1f565
- SHA1
- 2bd09468d3725e9261d7893efd8cb3b55f1b3b1b
- SHA256
- 8c853d464af7fe1c0c3dc051d394f4ed688b8677df879e0bea0973f25f92cae3
-
iscsiexe.exe
- Size
- 174KiB (177720 bytes)
- Type
- peexe 64bits executable
- Description
- PE32+ executable (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/71
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- 2f53e5fc443a3955daac963c5ccd65d1
- SHA1
- fa81b02a3ff403d8ccdae735ac23273326f1869e
- SHA256
- 5dea7e8dacc4c5d3e6e8741f45b616dd9ebaca3de1e1b3f00f715b68ddc1e213
-
iscsilog.dll
- Size
- 16KiB (15872 bytes)
- Type
- pedll 64bits executable
- Description
- PE32+ executable (DLL) (console) x86-64, for MS Windows
- AV Scan Result
- 0/57
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- d005cbcde6fedbd60dc6b2c4a98d9a3e
- SHA1
- caee0348e79649de4cc2a2a5159f04f0ff86b05a
- SHA256
- 923e5691d8e18a1c387019534967028497cc33b112c5d224d8073cb9b10c4f35
-
iscsipp.dll
- Size
- 98KiB (100352 bytes)
- Type
- pedll 64bits executable
- Description
- PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/67
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- 0340fdcb16877717d3f73554af60812e
- SHA1
- 63612e64a838fb868d2fdcbe147bbfd4d3fe042a
- SHA256
- dbb37955f449dd3cf235062367f84aabde90777dc5481c5cbc852bc41a650c60
-
iscsium.dll
- Size
- 41KiB (41984 bytes)
- Type
- pedll 64bits executable
- Description
- PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/65
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- 9b23dbc445d9f9e7b01debeb5e5d0026
- SHA1
- a5aa65f92f1b055e4c1135218b117504999c4bd0
- SHA256
- 0a9ee0ade1aedfa325e85fa29ec95bf942a8ed7f3819bb4571d33ed260e186cc
-
iscsiwmi.dll
- Size
- 92KiB (94208 bytes)
- Type
- pedll 64bits executable
- Description
- PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/66
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- ca9409f84b7804e6f6c0badcb7a7f150
- SHA1
- 085a9cec7b008a62c969406b915d6d3bb703d9f9
- SHA256
- 6578696dbbd7f45b11efd0f20bb8effa734c82ea7e1cf399184e048972d8c49e
-
iscsixip.dll
- Size
- 16KiB (16384 bytes)
- Type
- pedll 64bits executable
- Description
- PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/68
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- 291e856a566c813054df5cced39ace14
- SHA1
- 20ba9f9abdd84de36f438825ddbfe6897c8e04f5
- SHA256
- 90ba0f39a6091a6b7792a17a3d0497fda88f79a3b656ef38507d36311cad25fa
-
mpdev.inf
- Size
- 1.9KiB (1935 bytes)
- Type
- data
- AV Scan Result
- 0/56
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- 86cd7c1942f3f1dd7d476a67d064dd34
- SHA1
- 591c38ae885fc1626413f8d6d74a95396e4fb28a
- SHA256
- abb58fe0ff47a3bcffe0625f2d957025b89868dd50a66878aa6f468260a65913
-
mpio.cat
- Size
- 8.5KiB (8700 bytes)
- Type
- data
- AV Scan Result
- 0/58
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- 57ed03226c6589697457607fb122cf7e
- SHA1
- 4c78c7e730ee31446c01f382c9f3bbc1a0b175e2
- SHA256
- db8ef79d2b8464173607f96059b0ef2b63b9f911fa93951e3160e7c56ae0112d
-
mpio.inf
- Size
- 9.5KiB (9725 bytes)
- Type
- data
- AV Scan Result
- 0/56
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- cb839ee0a0f5c5e3da267db41e09b50c
- SHA1
- fa794968a4f0f89ad57d21aa80863b7e237e5cff
- SHA256
- f93a05acb20db39fa8bfe26a4942b667c057869e7be3b16a24a160822797a3f3
-
msiscdsm.inf
- Size
- 2.6KiB (2631 bytes)
- Type
- text
- Description
- Windows setup INFormation, ASCII text, with CRLF line terminators
- AV Scan Result
- 0/56
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- 5b4c3c9626490eeff582539ace5150d1
- SHA1
- 8b7107ad27c0614f45555dd2201f1b8b8e39d821
- SHA256
- 84c398b552659be9c7109e3ebd27770dede5b79bf7706569fde21feb5becf6ad
-
spmsg.dll
- Size
- 14KiB (14560 bytes)
- Type
- pedll 64bits executable
- Description
- PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/54
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- ffa4d17fdd6ad585956b84102bec9b97
- SHA1
- 241ac55c9e22d0ebac6f4f5315330fa4480779a8
- SHA256
- 7e4c6150ba67170c8c257f632309bd5f30e6fbe57583a1731b6d25b6a140e014
-
uguide.doc
- Size
- 2.3MiB (2452992 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1252, Title: iSCSI Users Guide, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Last Printed: Mon Jan 22 20:20:00 2007, Create Time/Date: Fri Jul 11 05:16:00 2008, Last Saved Time/Date: Thu Nov 13 18:38:00 2008, Number of Pages: 172, Number of Words: 37135, Number of Characters: 211675, Security: 0
- AV Scan Result
- 0/59
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- 3d56bfc16fceb368088decaf86286c5c
- SHA1
- f2b98b99be714f176110a5283dd6545236809c7b
- SHA256
- 6718718d8546fb361c0d0cc3b8d0f72d45b1a49ef0fb5fad4a5008850baeb6b0
-
iscsiupd.dll
- Size
- 147KiB (150072 bytes)
- Type
- pedll 64bits executable
- Description
- PE32+ executable (DLL) (console) x86-64, for MS Windows
- AV Scan Result
- 0/55
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- b8ce2241934dd7aec2e68ffab48bc0c6
- SHA1
- 2270c65a9b9575e1e09f00bc531f36cb8c06ea11
- SHA256
- 6cef0f762d29b4fe6f7ddf11fe56cdbe288461d4c2bf7ce182f0122348793a14
-
wiscsids.dll
- Size
- 55KiB (56320 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/66
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- 78ef1ba46723124c1e9358862def5c0b
- SHA1
- caa185e5205a74fadad5d9bbd774b50b3340f034
- SHA256
- abff71278a2a67eb44a5664d44cf22d88ece451c727aa66829c5df551426b369
-
wiscsium.dll
- Size
- 26KiB (26624 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/70
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- 50b8cd6035bb800091d74837b608586a
- SHA1
- 4bf5081e67a5707046bd5123058c0463dc193999
- SHA256
- 92358240129929d95424d2a4266781f45918a50148f2755084e59c60a8fd4101
-
-
Informative 13
-
-
updatebr.inf
- Size
- 274B (274 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- update.exe (PID: 1664)
- MD5
- 9d04171a1a12d47e031b399aa86282d5
- SHA1
- 02344f411a5da3dcc4ab9ec302c8cb7b3178d9c7
- SHA256
- 42c366dd2367456e0c8b0988eeb99b4852672b140df1ae5e3cfd7ac165908f6e
-
iscsicli.pdb
- Size
- 163KiB (166912 bytes)
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- 0e4cb569a024255189ecace4134e67ba
- SHA1
- 0095366a8bd12f361521414b3d5a111f2146be81
- SHA256
- 1d6e7d5e4f572f7bac44c2fa76431d9c2ec52a46c08ffb70cc4e3a00cbe9f611
-
iscsicpl.pdb
- Size
- 115KiB (117760 bytes)
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- f020fe03750bd4f1ea7dae096edf6795
- SHA1
- eb7c51511cf299e4df0abdcd69f79c416799dccb
- SHA256
- c0a5c7ce663a1f2faea53a6f71e0db8d28ea5c3cdc99e884a9e7c16b62e7c519
-
iscsidip.pdb
- Size
- 43KiB (44032 bytes)
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- 6e294960e6e62226a8c69e526ebc33d9
- SHA1
- be0f95fc167798b009e71824b1f7e0cb6742852a
- SHA256
- e21b917a0a1e5a9fcfb9680cda226344ed2905cf83d5cce8765e59d98528c172
-
iscsidsc.mof
- Size
- 27KiB (27652 bytes)
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- 150a888bbbf08ecec6ba73d770d7fea0
- SHA1
- a5c753cebce9fdf868acce3d45c86eabfe2e518a
- SHA256
- 4cae1ecb70265114d20f8b72f0caea90852a6505d6401f96071541f18a21f906
-
iscsidsc.pdb
- Size
- 83KiB (84992 bytes)
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- d045b98c366ff368a879d248f1ebd570
- SHA1
- 8b7063fa93dfe8112dcae7a93cf97aac41302c9a
- SHA256
- 0ffe366997cb29a7712e64ef540cd6820223daa7e76cf660a6ef501bf2fed8fa
-
iscsievt.mof
- Size
- 33KiB (33961 bytes)
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- a89a78e9e78758db7e62fadbb2b4a813
- SHA1
- 6d6c8399afd97d3fa55f389066b164ca81c50c47
- SHA256
- 33c32bef9c9b4bbf7f5856cfd90b58b8424048e13f675e2ceb2be3190847d749
-
iscsiexe.pdb
- Size
- 163KiB (166912 bytes)
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- b7c7df4f934d71c8d720e13de3766f48
- SHA1
- dbd4f835eae6484dd67d5d5ec676b8b455009649
- SHA256
- fc379e593bc8140e111fac799fc9d2f04bf3b796e816a304f9361fab85427d2d
-
iscsihba.mof
- Size
- 108KiB (110759 bytes)
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- 592e137b4c28d63404ced667556e5db6
- SHA1
- f3727f361a43ed14c50b69ebe651cd40921bc9b7
- SHA256
- 2c825e9a15c454ae40bc89bb93bc8ac99defdd2098275ba3183e09d08a91bcdc
-
iscsipp.pdb
- Size
- 67KiB (68608 bytes)
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- fb597ab1295c2a3b55c50926bbce8e82
- SHA1
- cd9a05005be0aca492b4f5540e4995d1d768f732
- SHA256
- b3632485bad05f33c76199ee501b1e79788d5d806be8b4fcbcea5ce97b669d3c
-
iscsi200.cat
- Size
- 22KiB (22554 bytes)
- Type
- data
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- 7566980555fc094553f63cd7fd34e7d5
- SHA1
- 96955df180b6310ab06166f58507b09954f78664
- SHA256
- 41ab6f3d76e31048a077bd9cae07bd5739eea07b25ef90a149a9969d4d6a27c7
-
update_w03.inf
- Size
- 10KiB (10419 bytes)
- Type
- text
- Description
- ASCII text, with very long lines, with CRLF line terminators
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- 1c043f70b7739f84e6b838ee25aefb90
- SHA1
- 60c210f5fe83e8673fbcf5fa5177e1b7709735b6
- SHA256
- 5055f0ec9b7fec3daf2e8b4bbe3a0c571ac381caa5da1662faf4e7cc92633cc7
-
update_wxp.inf
- Size
- 10KiB (10462 bytes)
- Type
- text
- Description
- ASCII text, with very long lines, with CRLF line terminators
- Runtime Process
- Initiator-2.08-build3825-x64fre.exe (PID: 2804)
- MD5
- f6d7664ec9d47518f5cdac3da20bb1b6
- SHA1
- 125ea066084155422e2ca2afb0cb1768354eea63
- SHA256
- 98361d0325f5148dc00a3788f9ffb2f92800f746dc9b662cdcdb5a52e009d60b
-
Notifications
-
Runtime
- Network whitenoise filtering was applied
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-25" are available in the report
- Not all sources for indicator ID "api-26" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "binary-16" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "static-6" are available in the report
- Not all sources for indicator ID "string-63" are available in the report
- Not all sources for indicator ID "string-7" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)