cp-en-squash-setup20171.exe
This report is generated from a file or URL submitted to this webservice on September 5th 2017 17:20:06 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v6.90 © Hybrid Analysis
Incident Response
Risk Assessment
- Persistence
  - Writes data to a remote process
- Fingerprint
  - Reads the active computer name
  - Reads the cryptographic machine GUID
Additional Context
Related Sandbox Artifacts
- Associated URLs
- hxxp://download.toernooi.nl/cp-en-squash-setup20171.exe
Indicators
Not all malicious and suspicious indicators are displayed in this report.
Malicious Indicators 2
Installation/Persistence
Scans for the windows taskbar (often used for explorer injection)
- details
- "<Input Sample>" searching for class "Shell_TrayWnd"
- source
- API Call
- relevance
- 5/10
Writes data to a remote process
- details
"<Input Sample>" wrote 1500 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 344)
"<Input Sample>" wrote 4 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 344)
"<Input Sample>" wrote 32 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 344)
"<Input Sample>" wrote 52 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 344)
- source
- API Call
- relevance
- 6/10
Suspicious Indicators 15
Environment Awareness
Reads the active computer name
- details
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source
- Registry Access
- relevance
- 5/10
Reads the cryptographic machine GUID
- details
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
General
Opened the service control manager
- details
"msiexec.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
"msiexec.exe" called "OpenSCManager" requesting access rights "0XE0000000L"
- source
- API Call
- relevance
- 10/10
Requested access to a system service
- details
"msiexec.exe" called "OpenService" to access the "WinHttpAutoProxySvc" service
"msiexec.exe" called "OpenService" to access the "ServicesActive" service requesting "SERVICE_QUERY_STATUS" (0X4) access rights
"msiexec.exe" called "OpenService" to access the "gpsvc" service
"msiexec.exe" called "OpenService" to access the "CryptSvc" service
"msiexec.exe" called "OpenService" to access the "cryptsvc" service
"msiexec.exe" called "OpenService" to access the "" service
- source
- API Call
- relevance
- 10/10
Sent a control code to a service
- details
"msiexec.exe" called "ControlService" and sent control code "0X24" to the service "gpsvc"
"msiexec.exe" called "ControlService" and sent control code "0XFC" to the service "gpsvc"
"msiexec.exe" called "ControlService" and sent control code "0X400" to the service "CryptSvc"
"msiexec.exe" called "ControlService" and sent control code "0X24" to the service "cryptsvc"
- source
- API Call
- relevance
- 10/10
Installation/Persistence
Drops executable files
- details
"MSI7820.tmp" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"MSIF65E.tmp" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"MSIBA3F.tmp" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"MSI75A8.tmp" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 10/10
Network Related
Found potential IP address in binary/memory
- details
Heuristic match: ",,--4L-(-4-@-L-X-d-p-|---- -!-"-#-$-%-&-'.).*.+$.
0.-H./T.2`.4l.5x.6.7.8.9.:.;.>.?.@.A.C.D/E /F
/G8/ID/JP/K\/Lh/Nt/O/P/R/V/W/Z/e/k/l//0@0 0", Heuristic match: "ScriptVer=1.0.0.1"
- source
- File/Memory
- relevance
- 3/10
System Security
Modifies Software Policy Settings
- details
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
- source
- Registry Access
- relevance
- 10/10
Unusual Characteristics
CRC value set in PE header does not match actual value
- details
- "MSIF65E.tmp" claimed CRC 110157 while the actual is CRC 188932
- source
- Static Parser
- relevance
- 10/10
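The check behind this indicator, written out as an added example (it is not part of the report or of Falcon Sandbox). The optional-header CheckSum is recomputed with the imagehlp algorithm and compared with the stored value; a stale value like MSIF65E.tmp's (claimed 110157, actual 188932) is what the sandbox reports. The image built by build_minimal_pe is constructed for the example and is not one of the dropped files, and all function names are hypothetical. Two caveats for triage: Windows only enforces this checksum for kernel-mode drivers and certain boot-time system DLLs, so user-mode binaries patched after linking (resources updated, a stub rewritten by an installer toolchain) routinely carry stale values, and a stored value of 0 means the linker never set one rather than a mismatch. A mismatch on its own is therefore a weak signal; it matters when it lines up with other evidence.

```python
import struct

# Hypothetical helper names chosen for this example; not sandbox or library APIs.


def _checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum:
    e_lfanew + 4 ("PE\\0\\0") + 20 (IMAGE_FILE_HEADER) + 64 (CheckSum offset inside the
    optional header, the same for PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return e_lfanew + 4 + 20 + 64


def pe_checksum(data: bytes) -> int:
    """Recompute the image checksum the way imagehlp's CheckSumMappedFile does: sum every
    32-bit word except the CheckSum field itself with end-around carry, fold to 16 bits,
    then add the file size."""
    skip = _checksum_field_offset(data)
    padded = data + b"\0" * (-len(data) % 4)        # include a trailing partial dword
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def check_pe_checksum(data: bytes) -> dict:
    """Reproduce the 'CRC value set in PE header does not match actual value' verdict."""
    claimed = struct.unpack_from("<I", data, _checksum_field_offset(data))[0]
    actual = pe_checksum(data)
    if claimed == 0:
        status = "unset"        # linker emitted no checksum; nothing to compare against
    elif claimed == actual:
        status = "match"
    else:
        status = "mismatch"     # patched after linking, or deliberately wrong
    return {"claimed": claimed, "actual": actual, "status": status}


def build_minimal_pe(checksum: int = 0) -> bytes:
    """Constructed 1 KiB test image: MZ stub, PE32 headers and one 0xCC-filled section body.
    It is not loadable; it only has enough structure for the checksum code to walk."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)             # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x014C, 1)       # Machine = i386, NumberOfSections = 1
    struct.pack_into("<H", img, 0x84 + 16, 0xE0)        # SizeOfOptionalHeader for PE32
    struct.pack_into("<H", img, 0x98, 0x10B)            # OptionalHeader.Magic = PE32
    struct.pack_into("<I", img, 0x98 + 64, checksum)    # OptionalHeader.CheckSum
    img[0x200:0x400] = b"\xCC" * 0x200                  # section body
    return bytes(img)


if __name__ == "__main__":
    unsigned = build_minimal_pe()
    good = build_minimal_pe(pe_checksum(unsigned))
    tampered = bytearray(good)
    tampered[0x300] ^= 0xFF                             # one patched byte in the section body
    for label, image in (("unset", unsigned), ("good", good), ("tampered", bytes(tampered))):
        print(label, check_pe_checksum(image))
```

On a real sample, call check_pe_checksum(open(path, "rb").read()) on each dropped PE and compare the result with the sandbox's claimed/actual pair.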
Imports suspicious APIs
- details
RegOpenKeyA
RegCloseKey
RegDeleteValueA
RegOpenKeyExA
GetFileAttributesA
GetTempPathA
WriteFile
OutputDebugStringW
GetModuleFileNameW
IsDebuggerPresent
GetModuleFileNameA
LoadLibraryExA
UnhandledExceptionFilter
LoadLibraryExW
GetModuleHandleA
TerminateProcess
GetModuleHandleExW
LoadLibraryW
GetTickCount
GetVersionExA
GetFileSize
OpenProcess
CreateDirectoryA
GetStartupInfoW
GetProcAddress
CreateFileW
CreateFileA
GetCommandLineA
GetModuleHandleW
CreateProcessA
Sleep
EnumProcesses
ShellExecuteExA
HttpSendRequestA
InternetOpenUrlA
InternetReadFile
HttpQueryInfoA
InternetCloseHandle
InternetOpenA
InternetConnectA
InternetQueryOptionA
InternetGetConnectedState
InternetCrackUrlA
GetFileAttributesW
ShellExecuteW
ShellExecuteExW
- source
- Static Parser
- relevance
- 1/10
Installs hooks/patches the running process
- details
- "msiexec.exe" wrote bytes "4053597758585a77186a5a77653c5b770000000000bfb8760000000056ccb876000000007ccab87600000000376873756a2c5b77d62d5b7700000000206973750000000029a6b87600000000a48d737500000000f70eb87600000000" to virtual address "0x76911000" (part of module "NSI.DLL")
- source
- Hook Detection
- relevance
- 10/10
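The byte string in this indicator, decoded as an added example (not part of the report). Read as little-endian 32-bit values it is 23 dwords: 14 addresses in the 0x7573xxxx, 0x76B8xxxx and 0x7759xxxx-0x775Bxxxx ranges, separated by zeros into nine runs. One null-terminated run of pointers per imported module is the layout of an import address table, and the loader fills a DLL's IAT as it maps the DLL into the process; a monitor that intercepts memory writes attributes that write to the process and can report it as a hook or patch. That reading is an interpretation of the bytes, not something the report states; confirm it by checking whether 0x76911000 lies inside NSI.DLL's import directory in a debugger before discounting the indicator. The helper names and the OPAQUE_EXAMPLE blob are constructed for this example.

```python
import struct

# Bytes the sandbox reported msiexec.exe writing at 0x76911000 inside NSI.DLL
# (copied from the indicator above, 23 dwords).
REPORTED_WRITE = (
    "4053597758585a77186a5a77653c5b77"
    "0000000000bfb8760000000056ccb876"
    "000000007ccab8760000000037687375"
    "6a2c5b77d62d5b770000000020697375"
    "0000000029a6b87600000000a48d7375"
    "00000000f70eb87600000000"
)

# Constructed counter-example, not from the report: NOP sled followed by int3 padding.
OPAQUE_EXAMPLE = "9090909090909090cccccccc"


def decode_dwords(hex_bytes: str) -> list:
    """Interpret a hex blob as an array of little-endian 32-bit values (32-bit guest)."""
    raw = bytes.fromhex(hex_bytes)
    if len(raw) % 4:
        raise ValueError("length %d is not a multiple of 4" % len(raw))
    return list(struct.unpack("<%dI" % (len(raw) // 4), raw))


def null_terminated_runs(values):
    """Split on zero entries; an IAT is one null-terminated run of thunks per imported DLL."""
    runs, cur = [], []
    for v in values:
        if v == 0:
            if cur:
                runs.append(cur)
                cur = []
        else:
            cur.append(v)
    if cur:
        runs.append(cur)
    return runs


def characterise_write(hex_bytes: str, lo: int = 0x70000000, hi: int = 0x7FFFFFFF) -> dict:
    """Heuristic: does the write look like a table of pointers into the high user-mode range
    where system DLLs map on 32-bit Windows 7 (a loader populating an IAT), or like opaque
    code/data (shellcode, a patched prologue)?"""
    values = decode_dwords(hex_bytes)
    nonzero = [v for v in values if v]
    pointer_like = [v for v in nonzero if lo <= v <= hi]
    runs = null_terminated_runs(values)
    regions = sorted({v & 0xFFF00000 for v in pointer_like})   # 1 MiB buckets as a module proxy
    is_table = bool(nonzero) and len(pointer_like) == len(nonzero) and len(runs) >= 2
    return {
        "dwords": len(values),
        "pointer_like": len(pointer_like),
        "runs": runs,
        "regions": regions,
        "verdict": "IAT-like pointer table" if is_table else "opaque bytes",
    }


if __name__ == "__main__":
    for name, blob in (("reported write", REPORTED_WRITE), ("constructed", OPAQUE_EXAMPLE)):
        info = characterise_write(blob)
        print(name, info["verdict"], "regions:", [hex(r) for r in info["regions"]])
        for run in info["runs"]:
            print("   ", [hex(v) for v in run])
```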
Reads information about supported languages
- details
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"msiexec.exe" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALENAME")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
Hiding 3 Suspicious Indicators
Informative 15
External Systems
Sample was identified as clean by Antivirus engines
- details
- 0/58 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
General
Accesses Software Policy Settings
- details
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "")
- source
- Registry Access
- relevance
- 10/10
Accesses System Certificates Settings
- details
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\109F1CAED645BB78B3EA2B94C0697C740733031C"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\D559A586669B08F46A30A133F8A9ED3D038E2EA8"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FEE449EE0E3965A5246F000E87FDE2A065FD89D4"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS\A377D1B1C0538833035211F4083D00FECC414DAB"; Key: "BLOB")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
- source
- Registry Access
- relevance
- 10/10
Contains PDB pathways
- details
- "C:\CodeBases\isdev\redist\Language Independent\i386\setup.pdb"
- source
- File/Memory
- relevance
- 1/10
Creates a writable file in a temporary directory
- details
"<Input Sample>" created file "%TEMP%\_MSI5166._IS"
"<Input Sample>" created file "%TEMP%\{2AD6FDDC-5DE3-40DE-B9DD-9C582EDC1F68}\Setup.INI"
"<Input Sample>" created file "%TEMP%\{2AD6FDDC-5DE3-40DE-B9DD-9C582EDC1F68}\_ISMSIDEL.INI"
"<Input Sample>" created file "%TEMP%\{2AD6FDDC-5DE3-40DE-B9DD-9C582EDC1F68}\0x0409.ini"
"<Input Sample>" created file "%TEMP%\~428F.tmp"
"<Input Sample>" created file "%TEMP%\~42C2.tmp"
"<Input Sample>" created file "%TEMP%\{2AD6FDDC-5DE3-40DE-B9DD-9C582EDC1F68}\splash_en409.bmp"
"<Input Sample>" created file "%TEMP%\{2AD6FDDC-5DE3-40DE-B9DD-9C582EDC1F68}\League Planner Squash.msi"
- source
- API Call
- relevance
- 1/10
Creates mutants
- details
- "\Sessions\1\BaseNamedObjects\Global\_MSIExecute"
- source
- Created Mutant
- relevance
- 3/10
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "MSI7820.tmp" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "MSIF65E.tmp" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "MSIBA3F.tmp" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "MSI75A8.tmp" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
- source
- Binary File
- relevance
- 10/10
Loads rich edit control libraries
- details
- "msiexec.exe" loaded module "%WINDIR%\System32\riched20.dll" at 6A9E0000
- source
- Loaded Module
Reads Windows Trust Settings
- details
- "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source
- Registry Access
- relevance
- 5/10
Scanning for window names
- details
- "<Input Sample>" searching for class "Shell_TrayWnd"
- source
- API Call
- relevance
- 10/10
Spawns new processes
- details
- Spawned process "msiexec.exe" with commandline "/i "%TEMP%\{2AD6FDDC-5DE3-40DE-B9DD-9C582EDC1F68}\League Planner Squash.msi" SETUPEXEDIR="C:" SETUPEXENAME="381ca44e0134c7ad2f08993f8763d758ea05df9c77f0780fee30e7eec1604861.exe"
- source
- Monitored Target
- relevance
- 3/10
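The spawned command line is the standard InstallShield bootstrapper pattern: setup.exe unpacks the MSI into %TEMP%\{GUID}\ and runs msiexec /i on it, passing SETUPEXEDIR and SETUPEXENAME so the package can locate the executable that launched it. The PDB path ending in \isdev\redist\Language Independent\i386\setup.pdb and the Global\_MSIExecute mutant elsewhere in this report are consistent with that. The same msiexec.exe is also a living-off-the-land binary (a remote package via /i http://..., run with no UI via /q), so a triage rule has to separate the two. The parser below is an added example, not sandbox code; its function names are hypothetical and the second command line is constructed.

```python
import re

# Command line from the report's process tree (image name added for the parser).
REPORTED_CMDLINE = (
    r'msiexec.exe /i "%TEMP%\{2AD6FDDC-5DE3-40DE-B9DD-9C582EDC1F68}\League Planner Squash.msi" '
    r'SETUPEXEDIR="C:" SETUPEXENAME="381ca44e0134c7ad2f08993f8763d758ea05df9c77f0780fee30e7eec1604861.exe"'
)
# Constructed LOLBin-style counter-example; the host name is not real.
CONSTRUCTED_CMDLINE = "msiexec /qn /i http://example.invalid/update.msi ALLUSERS=1"

_TOKEN_RE = re.compile(r'"[^"]*"|\S+')
_PROP_RE = re.compile(r"^([A-Za-z_][\w.]*)=(.*)$", re.S)
_TEMP_DIRS = ("%temp%\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")
_ACTIONS = {"/i": "install", "/package": "install", "/a": "admin-install",
            "/x": "uninstall", "/uninstall": "uninstall", "/f": "repair", "/j": "advertise"}


def tokenize_windows_cmdline(cmd: str) -> list:
    """Split on whitespace, keeping double-quoted spans whole. msiexec has no backslash
    escapes, so this is sufficient for its command lines."""
    return _TOKEN_RE.findall(cmd)


def _unquote(tok: str) -> str:
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok


def triage_msiexec_cmdline(cmd: str) -> dict:
    """Extract action, package and public properties from an msiexec command line and flag the
    combinations that distinguish a setup.exe bootstrapper from msiexec abuse."""
    toks = tokenize_windows_cmdline(cmd)
    if toks and re.search(r"msiexec(\.exe)?$", _unquote(toks[0]), re.I):
        toks = toks[1:]                                   # drop the image name
    out = {"action": None, "package": None, "unattended": False, "properties": {}}
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok[:1] in ("/", "-"):
            sw = "/" + tok[1:].lower()
            key = sw if sw in _ACTIONS else sw[:2]        # /fomus -> /f, /qn -> /q
            if key in _ACTIONS:
                out["action"] = _ACTIONS[key]
                if i + 1 < len(toks):
                    out["package"] = _unquote(toks[i + 1])
                    i += 1
            elif key == "/q" or sw == "/passive":
                out["unattended"] = True                  # no UI for the user to notice
        else:
            m = _PROP_RE.match(tok)
            if m:
                out["properties"][m.group(1).upper()] = _unquote(m.group(2))
        i += 1
    pkg = (out["package"] or "").lower()
    out["remote_package"] = pkg.startswith(("http://", "https://", "\\\\"))
    out["package_in_temp"] = any(d in pkg for d in _TEMP_DIRS)
    # SETUPEXEDIR / SETUPEXENAME are the properties an InstallShield setup.exe hands to the MSI
    # it extracted; together with a %TEMP%\{GUID}\ package that is the bootstrapper pattern.
    out["installshield_bootstrap"] = {"SETUPEXEDIR", "SETUPEXENAME"} <= out["properties"].keys()
    flags = []
    if out["remote_package"]:
        flags.append("remote_package")
    if out["unattended"]:
        flags.append("unattended")
    if out["package_in_temp"] and not out["installshield_bootstrap"]:
        flags.append("temp_package_without_bootstrapper_properties")
    out["flags"] = flags
    return out


if __name__ == "__main__":
    for cmd in (REPORTED_CMDLINE, CONSTRUCTED_CMDLINE):
        r = triage_msiexec_cmdline(cmd)
        print(r["action"], r["package"], r["flags"])
```

Feed it the command line from a process-creation event (Sysmon event 1, EDR telemetry) where the image is msiexec.exe; an empty flags list with installshield_bootstrap set is the benign pattern seen here, while remote_package or unattended without those properties is what deserves a look.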
Installation/Persistence
Dropped files
- details
"League Planner Squash.msi" has type "Composite Document File V2 Document corrupt: Can't read SAT"
"MSI7820.tmp" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"~42C2.tmp" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"Tar78DE.tmp" has type "data"
"Tar63DA.tmp" has type "data"
"D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_68C2934CCF7FBE9AE2184DB0AE3C3446" has type "data"
"~428F.tmp" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"MSIF65E.tmp" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"_ISMSIDEL.INI" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"0x0409.ini" has type "Little-endian UTF-16 Unicode text with very long lines with CRLF CR line terminators"
"94308059B57B3142E455B38A6EB92015" has type "data"
"Cab63D9.tmp" has type "Microsoft Cabinet archive data 50939 bytes 1 file"
"MSIBA3F.tmp" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"Cab78DD.tmp" has type "Microsoft Cabinet archive data 50939 bytes 1 file"
"5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7" has type "data"
"Cab8E1D.tmp" has type "Microsoft Cabinet archive data 52967 bytes 1 file"
"Setup.INI" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"MSI75A8.tmp" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"Tar8E1E.tmp" has type "data"
- source
- Binary File
- relevance
- 3/10
Touches files in the Windows directory
- details
"<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"<Input Sample>" touched file "%WINDIR%\system32\en-US\MSCTF.dll.mui"
"<Input Sample>" touched file "%WINDIR%\Fonts\staticcache.dat"
"<Input Sample>" touched file "%WINDIR%\system32\msiexec.exe"
"msiexec.exe" touched file "%ALLUSERSPROFILE%\Microsoft\Windows\Templates"
- source
- API Call
- relevance
- 7/10
Network Related
Found potential URL in binary/memory
- details
- details too long to display
- source
- File/Memory
- relevance
- 10/10
Unusual Characteristics
Matched Compiler/Packer signature
- details
"MSI7820.tmp" was detected as "Borland Delphi 3.0 (???)"
"MSIF65E.tmp" was detected as "Borland Delphi 3.0 (???)"
- source
- Static Parser
- relevance
- 10/10
File Details
cp-en-squash-setup20171.exe
- Filename
- cp-en-squash-setup20171.exe
- Size
- 27MiB (27846176 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 381ca44e0134c7ad2f08993f8763d758ea05df9c77f0780fee30e7eec1604861
- MD5
- a6ee88534d34b397a95f8fcf8129374e
- SHA1
- 44915a542a555457e3feeca2da20f33b12bf45dd
Classification (TrID)
- 52.9% (.EXE) Win32 Executable (generic)
- 23.5% (.EXE) Generic Win/DOS Executable
- 23.5% (.EXE) DOS Executable Generic
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
- Input Sample (PID: 3368)
  - msiexec.exe /i "%TEMP%\{2AD6FDDC-5DE3-40DE-B9DD-9C582EDC1F68}\League Planner Squash.msi" SETUPEXEDIR="C:" SETUPEXENAME="381ca44e0134c7ad2f08993f8763d758ea05df9c77f0780fee30e7eec1604861.exe" (PID: 3596)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
Displaying 20 extracted file(s). The remaining 4 file(s) are not included in this report.
-
Clean 4
-
-
MSI75A8.tmp
- Size
- 103KiB (105736 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/57
- Runtime Process
- msiexec.exe (PID: 3596)
- MD5
- 54c40fa8ccf09c8e2242788004592ca0
- SHA1
- f6ba96b16d13785c767c48241c0e9509a1dd4a00
- SHA256
- ea3ddf0bc111526028bda02a384829e649c79188b3c60d67755ae18965e78919
-
MSI7820.tmp
- Size
- 169KiB (172792 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/57
- Runtime Process
- msiexec.exe (PID: 3596)
- MD5
- 60050e5719ac81c0a1f941b2fc4e3cee
- SHA1
- 26829cf747a5dfdcf2c8b6503a06f075167a38f6
- SHA256
- d850c1a06bbf846fdc91ac626de9c37b421daeec61af76ddfa474fd03a7e03cd
-
MSIBA3F.tmp
- Size
- 169KiB (172792 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/57
- Runtime Process
- msiexec.exe (PID: 3596)
- MD5
- 60050e5719ac81c0a1f941b2fc4e3cee
- SHA1
- 26829cf747a5dfdcf2c8b6503a06f075167a38f6
- SHA256
- d850c1a06bbf846fdc91ac626de9c37b421daeec61af76ddfa474fd03a7e03cd
-
MSIF65E.tmp
- Size
- 103KiB (105736 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/57
- Runtime Process
- msiexec.exe (PID: 3596)
- MD5
- 54c40fa8ccf09c8e2242788004592ca0
- SHA1
- f6ba96b16d13785c767c48241c0e9509a1dd4a00
- SHA256
- ea3ddf0bc111526028bda02a384829e649c79188b3c60d67755ae18965e78919
-
-
Informative Selection 3
-
-
Tar63DA.tmp
- Size
- 118KiB (120573 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 3596)
- MD5
- 179d2951034116b184198e0bf26daa47
- SHA1
- b76bf79e7fa15491075c3bd9ec569e1c8540174b
- SHA256
- 7e58975a4e1e86940f84e744709426939b85ae174dbbf020da3c893a54fd1da2
-
League Planner Squash.msi
- Size
- 5MiB (5230442 bytes)
- Type
- rtf
- Description
- Composite Document File V2 Document, corrupt: Can't read SAT
- Runtime Process
- msiexec.exe (PID: 3596)
- MD5
- 6c52adf0166370fe1f87ebeb085819da
- SHA1
- 8765d3dd72d7f4f277709357797c70e07d558285
- SHA256
- 5073bcd31822c9fadd7d33b636a2dc0d58094a294d9c3f1868956038f7ab7cb7
-
Setup.INI
- Size
- 5.2KiB (5352 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- 381ca44e0134c7ad2f08993f8763d758ea05df9c77f0780fee30e7eec1604861.exe (PID: 3368)
- MD5
- 0169f04ed603755209e532f585ab4b95
- SHA1
- 37a5d39bece92a5af8b65ddd4341e93b026b19ff
- SHA256
- c1447034d111a221e867b111ef970c027e088d7523a32f5aba22306fb06e3f6c
-
-
Informative 13
-
-
5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7
- Size
- 404B (404 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 3596)
- MD5
- cab2a402836c9f707fa7bf2226795ca2
- SHA1
- 5e5c2c3d76f9721a9db3205ce0271401ec219d88
- SHA256
- 98b32d286eed16359741974eb796263efd77c8b9bdee05f58cda4013e7c1a39c
-
94308059B57B3142E455B38A6EB92015
- Size
- 52KiB (52967 bytes)
- Runtime Process
- msiexec.exe (PID: 3596)
- MD5
- 26763abb95381e4931c194e34023c33a
- SHA1
- e1b8114caa3a6b173c2e04e356a5065e7b2ca968
- SHA256
- 49f2686e30a59fabf11db1234c377497cf09e941ff50a0346854d087e8b08587
-
D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_68C2934CCF7FBE9AE2184DB0AE3C3446
- Size
- 404B (404 bytes)
- Runtime Process
- msiexec.exe (PID: 3596)
- MD5
- 1bafdac4ea3d379481e2988cfd0bcdd4
- SHA1
- 92ac4b746c836da61a840dcfce8037ef34c79e20
- SHA256
- 06fdf2b5a500d826bbfed925272eb92872c9d6cf95da4e7f2f5ee9558be6bef4
-
Cab63D9.tmp
- Size
- 50KiB (50939 bytes)
- Type
- data
- Description
- Microsoft Cabinet archive data, 50939 bytes, 1 file
- Runtime Process
- msiexec.exe (PID: 3596)
- MD5
- 41f958d2d3e9ed4504b6a8863fd72b49
- SHA1
- f6d380b256b0e66ef347adc78195fd0f228b3e33
- SHA256
- c929701c67a05f90827563eedccf5eba8e65b2da970189a0371f28cd896708b8
-
Cab78DD.tmp
- Size
- 50KiB (50939 bytes)
- Type
- data
- Description
- Microsoft Cabinet archive data, 50939 bytes, 1 file
- Runtime Process
- msiexec.exe (PID: 3596)
- MD5
- 41f958d2d3e9ed4504b6a8863fd72b49
- SHA1
- f6d380b256b0e66ef347adc78195fd0f228b3e33
- SHA256
- c929701c67a05f90827563eedccf5eba8e65b2da970189a0371f28cd896708b8
-
Cab8E1D.tmp
- Size
- 52KiB (52967 bytes)
- Type
- data
- Description
- Microsoft Cabinet archive data, 52967 bytes, 1 file
- Runtime Process
- msiexec.exe (PID: 3596)
- MD5
- 26763abb95381e4931c194e34023c33a
- SHA1
- e1b8114caa3a6b173c2e04e356a5065e7b2ca968
- SHA256
- 49f2686e30a59fabf11db1234c377497cf09e941ff50a0346854d087e8b08587
-
MSIBAD6.tmp
- Size
- 153KiB (156928 bytes)
- Runtime Process
- msiexec.exe (PID: 3596)
- MD5
- 69e9bb71d4d394e87f0109734d328371
- SHA1
- 82fbef8f36aecefbca489d58c09cdf4b0386f787
- SHA256
- c3a87617d5ba229a62da7fd4e0929be26cac33c58470fd5e5f0b54c30ff4d172
-
Tar78DE.tmp
- Size
- 118KiB (120573 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 3596)
- MD5
- 179d2951034116b184198e0bf26daa47
- SHA1
- b76bf79e7fa15491075c3bd9ec569e1c8540174b
- SHA256
- 7e58975a4e1e86940f84e744709426939b85ae174dbbf020da3c893a54fd1da2
-
Tar8E1E.tmp
- Size
- 123KiB (126167 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 3596)
- MD5
- 0dab7711a89d642ffe6ea216d92e56c1
- SHA1
- f2295d85679189d4fc1aac7c761be81447299ec5
- SHA256
- 163a6d7aaf9374ae4f1b4ee744a906b68da772aaa22095b4ecae709fb6d889e5
-
0x0409.ini
- Size
- 22KiB (22480 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
- Runtime Process
- 381ca44e0134c7ad2f08993f8763d758ea05df9c77f0780fee30e7eec1604861.exe (PID: 3368)
- MD5
- a108f0030a2cda00405281014f897241
- SHA1
- d112325fa45664272b08ef5e8ff8c85382ebb991
- SHA256
- 8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948
-
_ISMSIDEL.INI
- Size
- 884B (884 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- 381ca44e0134c7ad2f08993f8763d758ea05df9c77f0780fee30e7eec1604861.exe (PID: 3368)
- MD5
- c154b286d7a4f58ba7d95d8700eb9b40
- SHA1
- 24b3348d7a5e53d88ee303d88ff1c79ba9655c24
- SHA256
- 5a24ea1e60bfe6e1d29b42e96f35ab5d7b244f8c0c2a987ad6dcff6e0b6ddc19
-
splash_en409.bmp
- Size
- 421KiB (430904 bytes)
- Runtime Process
- 381ca44e0134c7ad2f08993f8763d758ea05df9c77f0780fee30e7eec1604861.exe (PID: 3368)
- MD5
- f6078a5c2911d01fa671b8ae354f43cb
- SHA1
- 85ece33be313a33e565a40cfc1c827ec6e52b7a3
- SHA256
- f09a16f144b7f6fb38cf4d3005218cd5dfc7fe55d6c55bb4ee09ce8ebf26a31a
-
~428F.tmp
- Size
- 5.2KiB (5352 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- 381ca44e0134c7ad2f08993f8763d758ea05df9c77f0780fee30e7eec1604861.exe (PID: 3368)
- MD5
- 0169f04ed603755209e532f585ab4b95
- SHA1
- 37a5d39bece92a5af8b65ddd4341e93b026b19ff
- SHA256
- c1447034d111a221e867b111ef970c027e088d7523a32f5aba22306fb06e3f6c
-
Notifications
-
Runtime
- Added comment to VirusTotal report
- No static analysis parsing on sample was performed
- Not all IP/URL string resources were checked online
- Not all sources for signature ID "binary-0" are available in the report
- Not all sources for signature ID "registry-17" are available in the report
- Not all sources for signature ID "registry-18" are available in the report
- Not all sources for signature ID "registry-19" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)