aostsoft-all-document-converter-professional.exe
This report is generated from a file or URL submitted to this webservice on February 19th 2016 15:42:18 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v3.30 © Hybrid Analysis
Attention: this analysis ran with the legacy Usermode Monitor. It is highly recommended to use the Kernelmode Monitor.
Incident Response
Risk Assessment
- Fingerprint
  - Contains ability to lookup the windows account name
  - Reads the active computer name
Indicators

Malicious Indicators 4

General
Contains ability to start/interact with device drivers
- details
DeviceIoControl@KERNEL32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
DeviceIoControl@KERNEL32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
- source: StaticStream (Disassembly)
- relevance: 8/10

Installation/Persistence

Writes a PE file header to disc
- details
"aostsoft_all_document_converter_professional.tmp" wrote 23312 bytes starting with PE header signature to file "%TEMP%\is-UCGFN.tmp\_isetup\_shfoldr.dll": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"aostsoft_all_document_converter_professional.tmp" wrote 65536 bytes starting with PE header signature to file "%PROGRAMFILES%\Aostsoft All Document Converter Professional\is-QQBR4.tmp": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"aostsoft_all_document_converter_professional.tmp" wrote 65536 bytes starting with PE header signature to file "C:\Windows\System32\aostshell\aostsoft-all-document-converter-professional\is-AI29N.tmp": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"aostsoft_all_document_converter_professional.tmp" wrote 65536 bytes starting with PE header signature to file "C:\Windows\System32\aostshell\aostsoft-all-document-converter-professional\is-S6Q8I.tmp": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"aostsoft_all_document_converter_professional.tmp" wrote 65536 bytes starting with PE header signature to file "C:\Windows\System32\aostshell\aostsoft-all-document-converter-professional\is-POHB1.tmp": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"aostsoft_all_document_converter_professional.tmp" wrote 65536 bytes starting with PE header signature to file "C:\Windows\System32\aostshell\aostsoft-all-document-converter-professional\is-JJ90K.tmp": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"aostsoft_all_document_converter_professional.tmp" wrote 65536 bytes starting with PE header signature to file "C:\Windows\System32\aostshell\aostsoft-all-document-converter-professional\is-KKSQS.tmp": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"aostsoft_all_document_converter_professional.tmp" wrote 65536 bytes starting with PE header signature to file "C:\Windows\System32\aostshell\aostsoft-all-document-converter-professional\is-8UR5C.tmp": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"aostsoft_all_document_converter_professional.tmp" wrote 65536 bytes starting with PE header signature to file "C:\Windows\System32\aostshell\aostsoft-all-document-converter-professional\is-G92U4.tmp": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"aostsoft_all_document_converter_professional.tmp" wrote 65536 bytes starting with PE header signature to file "C:\Windows\System32\aostshell\aostsoft-all-document-converter-professional\is-M32F1.tmp": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"aostsoft_all_document_converter_professional.tmp" wrote 65536 bytes starting with PE header signature to file "C:\Windows\System32\aostshell\aostsoft-all-document-converter-professional\is-R43DQ.tmp": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"aostsoft_all_document_converter_professional.tmp" wrote 65536 bytes starting with PE header signature to file "C:\Windows\System32\aostshell\aostsoft-all-document-converter-professional\is-DN0R1.tmp": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"aostsoft_all_document_converter_professional.tmp" wrote 65536 bytes starting with PE header signature to file "C:\Windows\System32\aostshell\aostsoft-all-document-converter-professional\is-9LMTB.tmp": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"aostsoft_all_document_converter_professional.tmp" wrote 65536 bytes starting with PE header signature to file "C:\Windows\System32\aostshell\aostsoft-all-document-converter-professional\is-NNSA4.tmp": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"aostsoft_all_document_converter_professional.tmp" wrote 65536 bytes starting with PE header signature to file "C:\Windows\System32\aostshell\aostsoft-all-document-converter-professional\is-LNIG8.tmp": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"aostsoft_all_document_converter_professional.tmp" wrote 65536 bytes starting with PE header signature to file "C:\Windows\System32\aostshell\aostsoft-all-document-converter-professional\is-7CHE8.tmp": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
- source: API Call
- relevance: 1/10

Writes data to a remote process
- details
"<Input Sample>" wrote 1500 bytes to a foreign process "aostsoft_all_document_converter_professional.tmp" (PID: 00003000)
"<Input Sample>" wrote 4 bytes to a foreign process "aostsoft_all_document_converter_professional.tmp" (PID: 00003000)
"<Input Sample>" wrote 32 bytes to a foreign process "aostsoft_all_document_converter_professional.tmp" (PID: 00003000)
"<Input Sample>" wrote 52 bytes to a foreign process "aostsoft_all_document_converter_professional.tmp" (PID: 00003000)
- source: API Call
- relevance: 6/10

Unusual Characteristics

Contains ability to reboot/shutdown the operating system
- details
ExitWindowsEx@USER32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
ExitWindowsEx@USER32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
- source: StaticStream (Disassembly)
- relevance: 5/10

Suspicious Indicators 17

Anti-Detection/Stealthiness

Queries process information
- details
"aostsoft_all_document_converter_professional.tmp" queried SystemProcessInformation at 00225359-00003000-77BB61F8-408438
"aostsoft_all_document_converter_professional.tmp" queried SystemProcessInformation at 00225359-00003000-77BB61F8-408453
- source: API Call
- relevance: 4/10

Anti-Reverse Engineering

Looks up many procedures within the same disassembly stream (often used to hide usage)
- details
Found 47 calls to GetProcAddress@KERNEL32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found 10 calls to GetProcAddress@KERNEL32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found 47 calls to GetProcAddress@KERNEL32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found 10 calls to GetProcAddress@KERNEL32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
- source: StaticStream (Disassembly)
- relevance: 10/10

Environment Awareness

Contains ability to query the machine version
- details
GetVersionExA@KERNEL32.DLL from PID 00002940
GetVersionExA@KERNEL32.DLL from PID 00002940
GetVersion@KERNEL32.DLL from PID 00003000
GetVersion@KERNEL32.DLL from PID 00003000
GetVersionExA@KERNEL32.DLL from PID 00003000
GetVersionExA@KERNEL32.DLL from PID 00003000
GetVersion@KERNEL32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
GetVersion@KERNEL32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
GetVersion@KERNEL32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
GetVersionExA@KERNEL32.DLL from PID 00003000
GetVersion@KERNEL32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
GetVersionExA@KERNEL32.DLL from PID 00003000
GetVersionExA@KERNEL32.DLL from PID 00003000
GetVersion@KERNEL32.DLL from PID 00003000
GetVersion@KERNEL32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
GetVersion@KERNEL32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
GetVersionExA@KERNEL32.DLL from PID 00003000
GetVersionExA@KERNEL32.DLL from PID 00003000
GetVersionExA@KERNEL32.DLL from PID 00003000
GetVersion@KERNEL32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
- source: StaticStream (Disassembly)
- relevance: 1/10

Makes a branch decision directly after calling an API that is environment aware
- details
Found API call GetVersion@KERNEL32.DLL (Target: "aostsoft_all_document_converter_professional.tmp", Stream UID: "00225359-00003000-33299-879-00419040")
which is directly followed by "cmp ax, 0004h" and "setnb byte ptr [0049B5C4h]". See related instructions: "...
+0 call 004059A4h ;GetVersion
+5 and ax, 000000FFh
+9 cmp ax, 0004h
+13 setnb byte ptr [0049B5C4h]" ... from PID 00003000
Found API call GetVersion@KERNEL32.DLL (Target: "aostsoft_all_document_converter_professional.tmp", Stream UID: "00225359-00003000-33299-1005-0046E13C")
which is directly followed by "cmp ax, 00000601h" and "jc 0046E180h". See related instructions: "...
+10 call 004059A4h ;GetVersion
+15 xchg al, ah
+17 cmp ax, 00000601h
+21 jc 0046E180h" ... from PID 00003000
Found API call GetVersion@KERNEL32.DLL (Target: "aostsoft_all_document_converter_professional.tmp", Stream UID: "00225359-00003000-33299-748-0042E09C")
which is directly followed by "cmp ax, 0005h" and "jc 0042E119h". See related instructions: "...
+71 xor eax, eax
+73 push ebp
+74 push 0042E280h
+79 push dword ptr fs:[eax]
+82 mov dword ptr fs:[eax], esp
+85 xor ebx, ebx
+87 call 004059A4h ;GetVersion
+92 and ax, 000000FFh
+96 cmp ax, 0005h
+100 jc 0042E119h" ... from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found API call GetVersion@KERNEL32.DLL (Target: "aostsoft_all_document_converter_professional.tmp", Stream UID: "00225359-00003000-33299-2464-004116F4")
which is directly followed by "cmp ax, 0004h" and "jc 00411854h". See related instructions: "...
+147 call 00403634h
+152 call 004059A4h ;GetVersion
+157 and ax, 000000FFh
+161 cmp ax, 0004h
+165 jc 00411854h" ... from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found API call GetVersion@KERNEL32.DLL (Target: "aostsoft_all_document_converter_professional.tmp", Stream UID: "00225359-00003000-33299-1125-0045CBC0")
which is directly followed by "cmp ax, 0005h" and "jnc 0045CBF5h". See related instructions: "...
+26 call 004059A4h ;GetVersion
+31 and ax, 000000FFh
+35 cmp ax, 0005h
+39 jnc 0045CBF5h" ... from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found API call GetVersion@KERNEL32.DLL (Target: "aostsoft_all_document_converter_professional.tmp", Stream UID: "00225359-00003000-33299-885-0041F118")
which is directly followed by "cmp bl, 04h" and "jnc 0041F161h". See related instructions: "...
+14 call 004059A4h ;GetVersion
+19 mov ebx, eax
+21 cmp bl, 04h
+24 jnc 0041F161h" ... from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found API call GetVersion@KERNEL32.DLL (Target: "aostsoft_all_document_converter_professional.tmp", Stream UID: "00225359-00003000-33299-2706-0042D974")
which is directly followed by "cmp ax, 0006h" and "jc 0042D9CFh". See related instructions: "...
+32 call 004059A4h ;GetVersion
+37 and ax, 000000FFh
+41 cmp ax, 0006h
+45 jc 0042D9CFh" ... from PID 00003000
Found API call GetDiskFreeSpaceA@KERNEL32.DLL (Target: "aostsoft_all_document_converter_professional.tmp", Stream UID: "00225359-00003000-33299-2957-00455E0C")
which is directly followed by "cmp byte ptr [ebp-02h], 00h" and "je 00455F13h". See related instructions: "...
+204 call 00403738h
+209 push eax
+210 call 004058E4h ;GetDiskFreeSpaceA
+215 neg eax
+217 sbb eax, eax
+219 neg eax
+221 mov byte ptr [ebp-02h], al
+224 cmp byte ptr [ebp-02h], 00h
+228 je 00455F13h" ... from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found API call GetVersion@KERNEL32.DLL (Target: "aostsoft_all_document_converter_professional.tmp", Stream UID: "00225359-00003000-33299-3075-00462CD8")
which is directly followed by "cmp ax, 0006h" and "jnc 00462D4Dh". See related instructions: "...
+86 call 00418318h
+91 call 004059A4h ;GetVersion
+96 and ax, 000000FFh
+100 cmp ax, 0006h
+104 jnc 00462D4Dh" ... from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found API call GetVersion@KERNEL32.DLL (Target: "aostsoft_all_document_converter_professional.tmp", Stream UID: "00225359-00003000-33299-3078-00462E30")
which is directly followed by "cmp ax, 0006h" and "jc 00462EA3h". See related instructions: "...
+48 call 004059A4h ;GetVersion
+53 and ax, 000000FFh
+57 cmp ax, 0006h
+61 jc 00462EA3h" ... from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found API call GetVersion@KERNEL32.DLL (Target: "aostsoft_all_document_converter_professional.tmp", Stream UID: "00225359-00003000-28662-748-0042E09C")
which is directly followed by "cmp ax, 0005h" and "jc 0042E119h". See related instructions: "...
+71 xor eax, eax
+73 push ebp
+74 push 0042E280h
+79 push dword ptr fs:[eax]
+82 mov dword ptr fs:[eax], esp
+85 xor ebx, ebx
+87 call 004059A4h ;GetVersion
+92 and ax, 000000FFh
+96 cmp ax, 0005h
+100 jc 0042E119h" ... from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found API call GetVersion@KERNEL32.DLL (Target: "aostsoft_all_document_converter_professional.tmp", Stream UID: "00225359-00003000-28662-879-00419040")
which is directly followed by "cmp ax, 0004h" and "setnb byte ptr [0049B5C4h]". See related instructions: "...
+0 call 004059A4h ;GetVersion
+5 and ax, 000000FFh
+9 cmp ax, 0004h
+13 setnb byte ptr [0049B5C4h]" ... from PID 00003000
Found API call GetVersion@KERNEL32.DLL (Target: "aostsoft_all_document_converter_professional.tmp", Stream UID: "00225359-00003000-28662-885-0041F118")
which is directly followed by "cmp bl, 04h" and "jnc 0041F161h". See related instructions: "...
+14 call 004059A4h ;GetVersion
+19 mov ebx, eax
+21 cmp bl, 04h
+24 jnc 0041F161h" ... from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found API call GetVersion@KERNEL32.DLL (Target: "aostsoft_all_document_converter_professional.tmp", Stream UID: "00225359-00003000-28662-1005-0046E13C")
which is directly followed by "cmp ax, 00000601h" and "jc 0046E180h". See related instructions: "...
+10 call 004059A4h ;GetVersion
+15 xchg al, ah
+17 cmp ax, 00000601h
+21 jc 0046E180h" ... from PID 00003000
Found API call GetDiskFreeSpaceA@KERNEL32.DLL (Target: "aostsoft_all_document_converter_professional.tmp", Stream UID: "00225359-00003000-28662-2887-00455E0C")
which is directly followed by "cmp byte ptr [ebp-02h], 00h" and "je 00455F13h". See related instructions: "...
+204 call 00403738h
+209 push eax
+210 call 004058E4h ;GetDiskFreeSpaceA
+215 neg eax
+217 sbb eax, eax
+219 neg eax
+221 mov byte ptr [ebp-02h], al
+224 cmp byte ptr [ebp-02h], 00h
+228 je 00455F13h" ... from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found API call GetVersion@KERNEL32.DLL (Target: "aostsoft_all_document_converter_professional.tmp", Stream UID: "00225359-00003000-28662-3008-00462E30")
which is directly followed by "cmp ax, 0006h" and "jc 00462EA3h". See related instructions: "...
+48 call 004059A4h ;GetVersion
+53 and ax, 000000FFh
+57 cmp ax, 0006h
+61 jc 00462EA3h" ... from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found API call GetVersion@KERNEL32.DLL (Target: "aostsoft_all_document_converter_professional.tmp", Stream UID: "00225359-00003000-28662-2636-0042D974")
which is directly followed by "cmp ax, 0006h" and "jc 0042D9CFh". See related instructions: "...
+32 call 004059A4h ;GetVersion
+37 and ax, 000000FFh
+41 cmp ax, 0006h
+45 jc 0042D9CFh" ... from PID 00003000
Found API call GetVersion@KERNEL32.DLL (Target: "aostsoft_all_document_converter_professional.tmp", Stream UID: "00225359-00003000-28662-2394-004116F4")
which is directly followed by "cmp ax, 0004h" and "jc 00411854h". See related instructions: "...
+147 call 00403634h
+152 call 004059A4h ;GetVersion
+157 and ax, 000000FFh
+161 cmp ax, 0004h
+165 jc 00411854h" ... from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found API call GetVersion@KERNEL32.DLL (Target: "aostsoft_all_document_converter_professional.tmp", Stream UID: "00225359-00003000-28662-3005-00462CD8")
which is directly followed by "cmp ax, 0006h" and "jnc 00462D4Dh". See related instructions: "...
+86 call 00418318h
+91 call 004059A4h ;GetVersion
+96 and ax, 000000FFh
+100 cmp ax, 0006h
+104 jnc 00462D4Dh" ... from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found API call GetVersion@KERNEL32.DLL (Target: "aostsoft_all_document_converter_professional.tmp", Stream UID: "00225359-00003000-28662-1125-0045CBC0")
which is directly followed by "cmp ax, 0005h" and "jnc 0045CBF5h". See related instructions: "...
+26 call 004059A4h ;GetVersion
+31 and ax, 000000FFh
+35 cmp ax, 0005h
+39 jnc 0045CBF5h" ... from aostsoft_all_document_converter_professional.tmp (PID: 3000)
- source: StaticStream (Disassembly)
- relevance: 10/10

Possibly tries to implement anti-virtualization techniques
- details
- "E@S~EBtPjg@z3ZYYdh@E[}y_^[]nil*@SVF~tFjttsv^[@PUQSVWE@|tthEp3Uh@d0d EnK|C3PEZQGKu3ZYYdh@ExEB_^[Y]@xu3QUQSEE@x~ME3Uh@d0d !lsEX{3ZYYdh@EQx[Y]@H@@@@@@SVWRSL_^[@SVWQ,S _^[@Q,USVW3MUE3Uh7@d0d E3Uh@d0d ERN|-F3ME8WEPEQEZ8W0CNu3ZYYdh!@EWEw3ZYYdh>@Ez(w_^[]@UQSE8@BrtEEN3Uh@d0d ER8EQ43ZYYdh@EvE+[Y]@S{uQ(C[USVE@pt,E8@qt'EE@}E@R^[]USUEEPh@EPh@UYh@E[YY]StringsHxu3Q(@USVW3MMUE3Uh@d0d EERER;u;N|0F3ME8WEPME8WUX{uCNuE3ZYYdh @EyFuE_^[]USVW3]]M3Uh@d0d M8WQEMU8WM8WUQ0V MU0VMUS 3ZYYdh@ETxt_^[]UPSVW3UE3Uh*@d0d ERu+3ESuE@@WxNFuE}t,CUE0VzE33}"u v" (Indicator: "qemu")
- source: String
- relevance: 4/10

General

Contains ability to find and load resources of a specific module
- details
FindResourceA@KERNEL32.DLL from aostsoft_all_document_converter_professional.exe (PID: 2940)
FindResourceA@KERNEL32.DLL from aostsoft_all_document_converter_professional.exe (PID: 2940)
FindResourceA@KERNEL32.DLL from PID 00003000
FindResourceA@KERNEL32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
FindResourceA@KERNEL32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
FindResourceA@KERNEL32.DLL from PID 00003000
- source: StaticStream (Disassembly)
- relevance: 1/10

Reads configuration files
- details
"aostsoft_all_document_converter_professional.tmp" read file "%WINDIR%\win.ini"
- source: API Call
- relevance: 4/10

Installation/Persistence

Creates/touches files in windows directory
- details
"aostsoft_all_document_converter_professional.tmp" created file "%WINDIR%\system32\aostshell\aostsoft-all-document-converter-professional\gtt.exe"
"aostsoft_all_document_converter_professional.tmp" created file "%WINDIR%\system32\aostshell\aostsoft-all-document-converter-professional\libexpat-1.dll"
"aostsoft_all_document_converter_professional.tmp" created file "%WINDIR%\system32\aostshell\aostsoft-all-document-converter-professional\ptk.exe"
"aostsoft_all_document_converter_professional.tmp" created file "%WINDIR%\system32\aostshell\aostsoft-all-document-converter-professional\pts.exe"
"aostsoft_all_document_converter_professional.tmp" created file "%WINDIR%\system32\aostshell\aostsoft-all-document-converter-professional\gs\bin\gswin32.exe"
"aostsoft_all_document_converter_professional.tmp" created file "%WINDIR%\system32\aostshell\aostsoft-all-document-converter-professional\libcairo-2.dll"
"aostsoft_all_document_converter_professional.tmp" created file "%WINDIR%\system32\aostshell\aostsoft-all-document-converter-professional\ptt.exe"
- source: API Call
- relevance: 7/10

Drops executable files
- details
"aostsoft_all_document_converter_professional.tmp.224562" has type "PE32 executable (GUI) Intel 80386, for MS Windows"
"_shfoldr.dll.228906" has type "PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows"
- source: Dropped File
- relevance: 10/10

System Destruction

Opens file with deletion access rights
- details
"aostsoft_all_document_converter_professional.tmp" opened "%PROGRAMFILES%\Aostsoft All Document Converter Professional\is-3J5AJ.tmp" with delete access
"aostsoft_all_document_converter_professional.tmp" opened "%PROGRAMFILES%\Aostsoft All Document Converter Professional\is-S2T94.tmp" with delete access
"aostsoft_all_document_converter_professional.tmp" opened "%PROGRAMFILES%\Aostsoft All Document Converter Professional\is-QQBR4.tmp" with delete access
"aostsoft_all_document_converter_professional.tmp" opened "%PROGRAMFILES%\Aostsoft All Document Converter Professional\is-DSEJB.tmp" with delete access
"aostsoft_all_document_converter_professional.tmp" opened "%PROGRAMFILES%\Aostsoft All Document Converter Professional\Language\is-8D63J.tmp" with delete access
"aostsoft_all_document_converter_professional.tmp" opened "%PROGRAMFILES%\Aostsoft All Document Converter Professional\data\is-9VK95.tmp" with delete access
"aostsoft_all_document_converter_professional.tmp" opened "%PROGRAMFILES%\Aostsoft All Document Converter Professional\data\is-JHUA6.tmp" with delete access
"aostsoft_all_document_converter_professional.tmp" opened "%PROGRAMFILES%\Aostsoft All Document Converter Professional\data\is-8989M.tmp" with delete access
"aostsoft_all_document_converter_professional.tmp" opened "%PROGRAMFILES%\Aostsoft All Document Converter Professional\data\is-UAPAE.tmp" with delete access
"aostsoft_all_document_converter_professional.tmp" opened "%PROGRAMFILES%\Aostsoft All Document Converter Professional\data\is-AUHUA.tmp" with delete access
"aostsoft_all_document_converter_professional.tmp" opened "%PROGRAMFILES%\Aostsoft All Document Converter Professional\data\is-PM6IV.tmp" with delete access
"aostsoft_all_document_converter_professional.tmp" opened "%PROGRAMFILES%\Aostsoft All Document Converter Professional\is-GDLGJ.tmp" with delete access
"aostsoft_all_document_converter_professional.tmp" opened "%PROGRAMFILES%\Aostsoft All Document Converter Professional\is-57EJR.tmp" with delete access
"aostsoft_all_document_converter_professional.tmp" opened "%PROGRAMFILES%\Aostsoft All Document Converter Professional\is-ELSGB.tmp" with delete access
"aostsoft_all_document_converter_professional.tmp" opened "%PROGRAMFILES%\Aostsoft All Document Converter Professional\is-5LRS7.tmp" with delete access
"aostsoft_all_document_converter_professional.tmp" opened "%WINDIR%\system32\aostshell\aostsoft-all-document-converter-professional\is-AI29N.tmp" with delete access
"aostsoft_all_document_converter_professional.tmp" opened "C:\Windows\system32\aostshell\aostsoft-all-document-converter-professional\is-S6Q8I.tmp" with delete access
"aostsoft_all_document_converter_professional.tmp" opened "C:\Windows\system32\aostshell\aostsoft-all-document-converter-professional\is-POHB1.tmp" with delete access
"aostsoft_all_document_converter_professional.tmp" opened "C:\Windows\system32\aostshell\aostsoft-all-document-converter-professional\is-JJ90K.tmp" with delete access
"aostsoft_all_document_converter_professional.tmp" opened "C:\Windows\system32\aostshell\aostsoft-all-document-converter-professional\is-KKSQS.tmp" with delete access
- source: API Call
- relevance: 7/10

Unusual Characteristics

CRC value set in PE header does not match actual value
- details
"_shfoldr.dll" claimed CRC 36336 while the actual is CRC 737904
- source: Static Parser
- relevance: 10/10

Contains embedded string with suspicious keywords
- details
Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Open" which indicates: "May open a file"
Found suspicious keyword "Write" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
Found suspicious keyword "Environ" which indicates: "May read system environment variables"
Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
- source: String
- relevance: 10/10

Imports suspicious APIs
- details
VirtualAlloc
GetModuleHandleA
GetCommandLineA
WriteFile
GetFileSize
CreateFileA
RegOpenKeyExA
RegEnumKeyExA
RegDeleteValueA
RegDeleteKeyA
RegCreateKeyExA
RegCloseKey
OpenProcessToken
GetUserNameA
TerminateProcess
Sleep
OpenProcess
LockResource
LoadLibraryExA
LoadLibraryA
GetVersionExA
GetTickCount
GetProcAddress
GetModuleFileNameA
GetFileAttributesA
GetDriveTypeA
GetComputerNameA
FindResourceA
FindNextFileA
FindFirstFileA
DeviceIoControl
DeleteFileA
CreateThread
CreateProcessA
CreateDirectoryA
CopyFileA
SetWindowsHookExA
GetWindowThreadProcessId
FindWindowA
ShellExecuteExA
ShellExecuteA
CreateDirectoryW
FindResourceExW
GetFileAttributesW
SetSecurityDescriptorDacl
RegOpenKeyA
- source: Static Parser
- relevance: 1/10

Reads information about supported languages
- details
"aostsoft_all_document_converter_professional.tmp" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE", Key: "00000409")
- source: Registry Access
- relevance: 3/10

Hiding 3 Suspicious Indicators

Informative 14

Anti-Reverse Engineering

Found strings in conjunction with a procedure lookup that resolve to a known API export symbol
- details
Found reference to API ShutdownBlockReasonDestroy@USER32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found reference to API MonitorFromWindow@USER32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found reference to API MonitorFromRect@USER32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found reference to API DisableProcessWindowsGhosting@USER32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found reference to API SHCreateItemFromParsingName@SHELL32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found reference to API ShutdownBlockReasonCreate@USER32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found reference to API SHPathPrepareForWriteA@SHELL32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found reference to API VerSetConditionMask@NTDLL.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found reference to API NotifyWinEvent@USER32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found reference to API SHGetKnownFolderPath@SHELL32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found reference to API ChangeWindowMessageFilter@USER32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found reference to API SHPathPrepareForWriteA@SHELL32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found reference to API ChangeWindowMessageFilterEx@USER32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found reference to API AllowSetForegroundWindow@USER32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found reference to API MonitorFromWindow@USER32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found reference to API UnRegisterTypeLib@OLEAUT32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found reference to API ShutdownBlockReasonDestroy@USER32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found reference to API MonitorFromWindow@USER32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found reference to API MonitorFromRect@USER32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
Found reference to API ShutdownBlockReasonCreate@USER32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
- source: StaticStream (Disassembly)
- relevance: 10/10

Environment Awareness

Contains ability to query machine time
- details
GetSystemTime@KERNEL32.DLL from aostsoft_all_document_converter_professional.exe (PID: 2940)
GetSystemTime@KERNEL32.DLL from PID 00002940
GetSystemTime@KERNEL32.DLL from PID 00002940
GetSystemTime@KERNEL32.DLL from aostsoft_all_document_converter_professional.exe (PID: 2940)
GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00003000
GetSystemTime@KERNEL32.DLL from PID 00003000
GetSystemTime@KERNEL32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00003000
GetSystemTimeAsFileTime@KERNEL32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
GetLocalTime@KERNEL32.DLL from PID 00003000
GetLocalTime@KERNEL32.DLL from PID 00003000
GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00003000
GetSystemTime@KERNEL32.DLL from PID 00003000
GetSystemTimeAsFileTime@KERNEL32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00003000
GetLocalTime@KERNEL32.DLL from PID 00003000
GetLocalTime@KERNEL32.DLL from PID 00003000
GetSystemTime@KERNEL32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000)
- source: StaticStream (Disassembly)
- relevance: 1/10

Contains ability to query volume size
- details
GetDiskFreeSpaceExA@KERNEL32.DLL at 00225359-00003000-77BD228D-317581
GetDiskFreeSpaceExA@KERNEL32.DLL at 00225359-00003000-77BD228D-317595
GetDiskFreeSpaceA@KERNEL32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000) (Show Stream)
GetDiskFreeSpaceA@KERNEL32.DLL from aostsoft_all_document_converter_professional.tmp (PID: 3000) (Show Stream) - source
- StaticStream (Disassembly)
- relevance
- 3/10
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
- 0/54 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- Anti-Virus Test Result
- relevance
- 10/10
-
General
-
Creates a writable file in a temporary directory
- details
- "aostsoft_all_document_converter_professional.tmp" created file "%TEMP%\is-UCGFN.tmp\vcredist.exe"
- source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511"
"Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000" - source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
-
Antivirus vendors marked dropped file "aostsoft_all_document_converter_professional.tmp.224562" as clean (type is "PE32 executable (GUI) Intel 80386, for MS Windows")
Antivirus vendors marked dropped file "_shfoldr.dll.228906" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows") - source
- Dropped File
- relevance
- 10/10
-
Loads modules at runtime
- details
-
"aostsoft_all_document_converter_professional.tmp" loaded module "COMCTL32.DLL" at base 74B90000
"aostsoft_all_document_converter_professional.tmp" loaded module "RICHED20.DLL" at base 6F4A0000
"aostsoft_all_document_converter_professional.tmp" loaded module "USP10.DLL" at base 77660000
"aostsoft_all_document_converter_professional.tmp" loaded module "MSLS31.DLL" at base 70AC0000
"aostsoft_all_document_converter_professional.tmp" loaded module "%WINDIR%\SYSTEM32\EXPLORERFRAME.DLL" at base 71EC0000
"aostsoft_all_document_converter_professional.tmp" loaded module "%WINDIR%\SYSTEM32\SFC.DLL" at base 70CA0000
"aostsoft_all_document_converter_professional.tmp" loaded module "SETUPAPI.DLL" at base 76FE0000
"aostsoft_all_document_converter_professional.tmp" loaded module "DEVRTL.DLL" at base 754C0000 - source
- API Call
- relevance
- 1/10
-
Loads rich edit control libraries
- details
- "aostsoft_all_document_converter_professional.tmp" loaded module "%WINDIR%\system32\RICHED20.DLL" at 6F4A0000
- source
- Loaded Module
-
Looks up procedures from modules (excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime)
- details
-
"ScriptGetProperties@USP10.dll"
"ScriptItemize@USP10.dll"
"ImmLockIMC@IMM32.DLL"
"ImmUnlockIMC@IMM32.DLL"
"ImmSetCompositionFontW@IMM32.DLL"
"ImmGetCompositionWindow@IMM32.DLL"
"ImmSetCompositionWindow@IMM32.DLL"
"GetHashInterface@bcryptprimitives.dll"
"DllGetClassObject@explorerframe.dll"
"DllCanUnloadNow@explorerframe.dll"
"SfcIsFileProtected@sfc.dll"
"PnpIsFilePnpDriver@SETUPAPI.dll"
"DevRtlGetThreadLogToken@DEVRTL.dll" - source
- API Call
- relevance
- 1/10
-
Installation/Persistence
-
Contains ability to lookup the windows account name
- details
-
GetUserNameA@ADVAPI32.DLL from PID 00003000 - source
- StaticStream (Disassembly)
- relevance
- 5/10
-
Dropped files
- details
-
"aostsoft_all_document_converter_professional.tmp.224562" has type "PE32 executable (GUI) Intel 80386, for MS Windows"
"_shfoldr.dll.228906" has type "PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows"
"is-3J5AJ.tmp.409578" has type "data"
"is-S2T94.tmp.413390" has type "data"
"is-QQBR4.tmp.425640" has type "data"
"is-DSEJB.tmp.430703" has type "data"
"is-8D63J.tmp.430953" has type "data"
"is-9VK95.tmp.431140" has type "data"
"is-JHUA6.tmp.431296" has type "data"
"is-8989M.tmp.431437" has type "data"
"is-UAPAE.tmp.431546" has type "data"
"is-AUHUA.tmp.431656" has type "data"
"is-PM6IV.tmp.431796" has type "data"
"is-GDLGJ.tmp.431937" has type "data"
"is-57EJR.tmp.432031" has type "data"
"is-ELSGB.tmp.432125" has type "data"
"is-5LRS7.tmp.432234" has type "data"
"is-AI29N.tmp.432359" has type "data"
"is-S6Q8I.tmp.442562" has type "data"
"is-POHB1.tmp.456437" has type "data" - source
- Dropped File
- relevance
- 3/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline"
Heuristic match: "COMMAND.COM"
Pattern match: "http://www.innosetup.com/"
Pattern match: "http://www.remobjects.com/ps"
Heuristic match: "@.3ZYYdhhBE-3UhBd0d EftMU3ZYYd+U(ID.Et"
Heuristic match: "G.EIp<GOuEIOHG.uEI.TG"
Pattern match: "http://www.remobjects.com/psUjSVW3Uh|%Hd0d"
Heuristic match: "Font.ColorclWindowTextFont.HeightFont.Name"
Heuristic match: "/Lbx.cv"
Heuristic match: "D$CD$tD$D$LD$D$.Au"
Pattern match: "rsrcresource.frk/.resource/%.AppleDouble/smooth-lcdvsmooth-lcdsmoothrbwinfontsotvalidpcfPCFpfrPFRpsnamesload_sfntget_sfntStartFontMetricsType"
Pattern match: "http://www.ijg.org"
Pattern match: "http://www.iec.chIEC"
Pattern match: "http://schemas.mic"
Pattern match: "rosoft.com/office/word/2003/wordml}}\paperw11906\paperh16838\margl1800\margr1800\margt1440\margb1440\gutter0\ltrsect" - source
- String
- relevance
- 10/10
-
Unusual Characteristics
-
Found Delphi 4 - Delphi 2006 artifact
- details
- "aostsoft_all_document_converter_professional.tmp" has a PE timestamp using the buggy magic timestamp 0x2A425E19. The real compilation date is probably
- source
- Static Parser
- relevance
- 10/10
File Details
aostsoft-all-document-converter-professional.exe
- Filename
- aostsoft-all-document-converter-professional.exe
- Size
- 31MiB (32302724 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- ed12ddb17ab622211279b4034062b25bc47fe3185c8e97b48acbcb08b0869aa0
- MD5
- 8cc5162141b373b651a0068447be0202
- SHA1
- 800c7bfa78ba20ce4e4f12155330240c65d2a023
Classification (TrID)
- 78.3% (.EXE) Inno Setup installer
- 9.3% (.SCR) Windows Screen Saver
- 4.6% (.DLL) Win32 Dynamic Link Library (generic)
- 3.2% (.EXE) Win32 Executable (generic)
- 1.4% (.EXE) Win16/32 Executable Delphi generic
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
-
aostsoft_all_document_converter_professional.exe
(PID: 2940)
- aostsoft_all_document_converter_professional.tmp /SL5="$40172,32038337,56832,%SAMPLEDIR%\aostsoft_all_document_converter_professional.exe" (PID: 3000)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Displaying 20 extracted file(s). The remaining 12 file(s) are available in the full version and XML/JSON reports.
-
Clean 2
-
-
aostsoft_all_document_converter_professional.tmp
- Size
- 691KiB (707072 bytes)
- Type
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/56
- MD5
- 1305181de520f125aeabf85dc24a89d6
- SHA1
- 98b7548fede3f1468ccbdee405abdc4e5d2ec671
- SHA256
- 0e19765b89a1a29afee09810dcb3ec5cc7c66053947be8f1aebdbb7c801dfeaf
-
_shfoldr.dll
- Size
- 23KiB (23312 bytes)
- Type
- PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
- AV Scan Result
- 0/55
- MD5
- 92dc6ef532fbb4a5c3201469a5b5eb63
- SHA1
- 3e89ff837147c16b4e41c30d6c796374e0b8e62c
- SHA256
- 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
-
-
Informative 18
-
-
is-8D63J.tmp
- Size
- 44KiB (44618 bytes)
- Type
- data
- MD5
- a589712cd99a1b2812b44a39991ac680
- SHA1
- 4604f56d83b8f24bdc8872c6279736c9fb85f9ff
- SHA256
- 84f6612b05381e6a62a07722a1c4b36347cfe3a505692540fb8c86921caf28d8
-
is-8989M.tmp
- Size
- 17KiB (17380 bytes)
- Type
- data
- MD5
- 244f05fbd7816e0623e6d826bb54aac9
- SHA1
- 0aeae6cec599e6bd74ce646a63702cf4b2388691
- SHA256
- 08498a58ecff1a82272d3607d9d8c90e55f628f26b52bc3d176da677d53dd155
-
is-9VK95.tmp
- Size
- 56KiB (57292 bytes)
- Type
- data
- MD5
- c513c29a100ac356d648f6bdd2282e5a
- SHA1
- e67e3b0a8cbc5f83d6a5346af424af9cc6bc410d
- SHA256
- 44bb1eb78c0f3d7b69f04c193570c481177a5e5dfc09ab4547a1948a8e54ea0e
-
is-AUHUA.tmp
- Size
- 57KiB (58558 bytes)
- Type
- data
- MD5
- f9743cd2da414b79a9039479c260dbe0
- SHA256
- 69bb852e066954188bc3a76a3249e08ef53dfdd493fb50ed3d52b26285efe96f
-
is-JHUA6.tmp
- Size
- 30KiB (30720 bytes)
- Type
- data
- MD5
- 98ec7ba11e46a3733f0840aa71a2b669
- SHA256
- 72b7bcd02e3dd2cfe3046f89332c3a4b00d4477f42c791d7fe5ba19e3078a510
-
is-PM6IV.tmp
- Size
- 17KiB (17384 bytes)
- Type
- data
- MD5
- b86706f76a2fb69d93e74eb7a1fa3071
- SHA1
- ce1d7ae21aca8e3dee899d0f665e4319eb6b5beb
- SHA256
- 5a84e8f3decfa3235ad19654e0463b5f1ffa59cc71e700cde0ded130be760a09
-
is-UAPAE.tmp
- Size
- 19KiB (19630 bytes)
- Type
- data
- MD5
- 783ece131335183eb071ae37111572bc
- SHA1
- 0e2fec66fac5d64d2eb8807b16a82dc1c28c03a7
- SHA256
- 5c3444295d31350096c88fa6462bf8561c9f5fe1cd11891920a494cb6c8af8d5
-
is-3J5AJ.tmp
- Size
- 1.4MiB (1425573 bytes)
- Type
- data
- MD5
- d4f6b7b5fcacd99a74d1e23c89e7653d
- SHA1
- eb20fa1ad17b77da38689e653b689dd5e1454b8a
- SHA256
- 290c9e6c0c090afe32808d085b843dd6622332c00b92fa52ae77fa3542dac67c
-
is-57EJR.tmp
- Size
- 13KiB (12852 bytes)
- Type
- data
- MD5
- c53e0eb341b59d2442dfe9b363446a23
- SHA1
- d0e0922c5fa675f81a034d821c015df1430146e0
- SHA256
- 7ab8ddc2c36307331da356b58e3c6ec23a20551da22f229482f11fda3797823c
-
is-5LRS7.tmp
- Size
- 6.1KiB (6256 bytes)
- Type
- data
- MD5
- 85a817cfa9542f4d754d4cbea31a80d8
- SHA1
- 8bdb1258e98781ee8664c57df7af7e17c867acc1
- SHA256
- 429b97e089fa32071837de6d5c62a4ceb054cc60d92c9f64c210e74d064e97c6
-
is-DSEJB.tmp
- Size
- 75KiB (76922 bytes)
- Type
- data
- MD5
- 7a37da4bc5d5e95bbf942713af819ef6
- SHA1
- 3028321a2c3a1e14aeb1158b6b0f52079b2c1830
- SHA256
- cc5f58b0458820e4d2cb04b931fc874aa8f0043175ca5012d35a2de02d2b940d
-
is-ELSGB.tmp
- Size
- 6.1KiB (6256 bytes)
- Type
- data
- MD5
- 593a0d7f90db1f659a906a2725c17ffe
- SHA1
- 5705da6bdf8dead413f365f8064e5ec31f39aa5f
- SHA256
- 144ddfdaa63b411cbcf3cfb364992c30086c4877da0bd2d658ae44bee9cc9d5f
-
is-GDLGJ.tmp
- Size
- 378B (378 bytes)
- Type
- data
- MD5
- 14a79e84a19d6c145d3f2112e064cf48
- SHA1
- a26986aa082f4ab16f9a0a70a7784adf68ad082b
- SHA256
- ec14df1d254864add39906b1c51361141aee9b380f8711b38d08f945a750a6fb
-
is-QQBR4.tmp
- Size
- 3.3MiB (3481600 bytes)
- Type
- data
- MD5
- d2299aeeee9ffa0654a4d45f8964c06c
- SHA1
- 65a354ccd890f42e4dbd29c3b90987ad755f387b
- SHA256
- 8ab5d642f5ae96be41ed7e9f7fa1d212db806f30bc89ea7fce383a35621aa787
-
is-S2T94.tmp
- Size
- 7.8MiB (8182784 bytes)
- Type
- data
- MD5
- fd805803d5bbe411920afe5f59bae7ce
- SHA1
- 35e88095e79ff94a0b8d4e7640f31d5391d140ce
- SHA256
- 1f2244442b521fbe59d4d9257882f5704e3353f0aa6ef18120608d7cb8aca2fc
-
is-7CHE8.tmp
- Size
- 450KiB (461058 bytes)
-
is-8UR5C.tmp
- Size
- 665KiB (680960 bytes)
-
is-9LMTB.tmp
- Size
- 2.3MiB (2364888 bytes)
-
Notifications
-
Runtime
- Added comment to VirusTotal report
- Dropped file "is-3J5AJ.tmp" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/290c9e6c0c090afe32808d085b843dd6622332c00b92fa52ae77fa3542dac67c/analysis/1455918746/")
- Dropped file "is-8989M.tmp" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/08498a58ecff1a82272d3607d9d8c90e55f628f26b52bc3d176da677d53dd155/analysis/1455918752/")
- Dropped file "is-AUHUA.tmp" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/69bb852e066954188bc3a76a3249e08ef53dfdd493fb50ed3d52b26285efe96f/analysis/1455918754/")
- Dropped file "is-DSEJB.tmp" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/cc5f58b0458820e4d2cb04b931fc874aa8f0043175ca5012d35a2de02d2b940d/analysis/1455918750/")
- Dropped file "is-JHUA6.tmp" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/72b7bcd02e3dd2cfe3046f89332c3a4b00d4477f42c791d7fe5ba19e3078a510/analysis/1455918751/")
- Dropped file "is-PM6IV.tmp" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/5a84e8f3decfa3235ad19654e0463b5f1ffa59cc71e700cde0ded130be760a09/analysis/1455918755/")
- Dropped file "is-QQBR4.tmp" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/8ab5d642f5ae96be41ed7e9f7fa1d212db806f30bc89ea7fce383a35621aa787/analysis/1455918749/")
- Dropped file "is-UAPAE.tmp" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/5c3444295d31350096c88fa6462bf8561c9f5fe1cd11891920a494cb6c8af8d5/analysis/1455918752/")
- No static analysis parsing on sample was performed
- Not all sources for signature ID "api-25" are available in the report
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "binary-0" are available in the report
- Not all sources for signature ID "stream-3" are available in the report
- Not all sources for signature ID "stream-39" are available in the report
- Not all sources for signature ID "stream-41" are available in the report
- Not all sources for signature ID "string-21" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Parsed the maximum number of dropped files (20), report might not contain information about some dropped files