fx-991ES PLUS Emulator Ver.4.00.exe
This report is generated from a file or URL submitted to this webservice on June 25th 2020 03:41:30 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.31 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
  - Reads terminal service related keys (often RDP related)
- Spyware
  - Found a string that may be used as part of an injection method
- Persistence
  - Writes data to a remote process
- Fingerprint
  - Queries kernel debugger information
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Evasive
  - Marks file for deletion
- Spreading
  - Opens the MountPointManager (often used to detect additional infection locations)
  - Tries to access unusual system drive letters
Additional Context
Related Sandbox Artifacts
- Associated SHA256s: debed2ee1899dd8ad277f8b965c61b1d919352d069e65e1aba61898e2dfa6ec2
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (4)

External Systems

Sample was identified as malicious by at least one Antivirus engine
- details: 1/69 Antivirus vendors marked sample as malicious (1% detection rate)
- source: External System
- relevance: 8/10
Installation/Persistence

Writes data to a remote process
- details:
  "fx-991ESPLUSEmulatorVer.4.00.exe" wrote 1500 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 84)
  "fx-991ESPLUSEmulatorVer.4.00.exe" wrote 4 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 84)
  "fx-991ESPLUSEmulatorVer.4.00.exe" wrote 32 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 84)
  "fx-991ESPLUSEmulatorVer.4.00.exe" wrote 52 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 84)
  "msiexec.exe" wrote 1500 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 504)
  "msiexec.exe" wrote 4 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 504)
  "msiexec.exe" wrote 32 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 504)
  "msiexec.exe" wrote 52 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 504)
- source: API Call
- relevance: 6/10
- ATT&CK ID: T1055
Unusual Characteristics

Tries to access unusual system drive letters
- details:
  "msiexec.exe" touched "K:"
  "msiexec.exe" touched "L:"
  "msiexec.exe" touched "M:"
  "msiexec.exe" touched "N:"
  "msiexec.exe" touched "O:"
  "msiexec.exe" touched "P:"
  "msiexec.exe" touched "Q:"
  "msiexec.exe" touched "R:"
  "msiexec.exe" touched "S:"
  "msiexec.exe" touched "T:"
  "msiexec.exe" touched "U:"
  "msiexec.exe" touched "V:"
  "msiexec.exe" touched "W:"
- source: API Call
- relevance: 9/10
- ATT&CK ID: T1083
Hiding 1 Malicious Indicator

Suspicious Indicators (21)

Anti-Detection/Stealthiness

Queries kernel debugger information
- details:
  "msiexec.exe" at 00136165-00005076-00000105-12171854510
  "msiexec.exe" at 00136386-00005036-00000105-18077291809
  "msiexec.exe" at 00136582-00005224-00000105-23579191269
- source: API Call
- relevance: 6/10
Anti-Reverse Engineering

PE file has unusual entropy sections
- details: .rsrc with unusual entropy 7.72454556126
- source: Static Parser
- relevance: 10/10
Environment Awareness

Queries the installation properties of user installed products
- details: "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INSTALLER\USERDATA\S-1-5-18\PRODUCTS\047A13E0FD1CDFE46873EB2879D8BF35\INSTALLPROPERTIES")
- source: Registry Access
- relevance: 10/10

Reads the active computer name
- details: "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1012

Reads the cryptographic machine GUID
- details: "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012
General

Found a potential E-Mail address in binary/memory
- details:
  Pattern match: "udu@ia.x"
  Pattern match: "8x@8p.text"
  Pattern match: "spmugvpepjuuupnymn3@m.3"
  Pattern match: "3uvy@xpu.eujxu3"
  Pattern match: "pq3@hkc.ujuu"
  Pattern match: "sv@xshpt.jejpl"
  Pattern match: "l3@d.v"
  Pattern match: "tyytret@ht1hudj.t7vwp"
  Pattern match: "9u3@3hwwwpwwuuudep.4mup"
  Pattern match: "j@t.pm"
  Pattern match: "tejqeqm@qpm.hlvnhyye"
  Pattern match: "3jwe@jp.y"
  Pattern match: "2u@d7i.o"
- source: File/Memory
- relevance: 3/10
- ATT&CK ID: T1114

Opened the service control manager
- details: "msiexec.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1035
Installation/Persistence

Drops executable files
- details: "MSI8FFF.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source: Binary File
- relevance: 10/10
Remote Access Related

Reads terminal service related keys (often RDP related)
- details: "fx-991ESPLUSEmulatorVer.4.00.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1076
System Destruction

Marks file for deletion
- details: "%WINDIR%\System32\msiexec.exe" marked "%TEMP%\MSI8FFF.tmp" for deletion
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1107

Opens file with deletion access rights
- details: "msiexec.exe" opened "%TEMP%\MSI8FFF.tmp" with delete access
- source: API Call
- relevance: 7/10
Unusual Characteristics

CRC value set in PE header does not match actual value
- details: "MSI8FFF.tmp" claimed CRC 231891 while the actual CRC is 14086143
- source: Static Parser
- relevance: 10/10

Imports suspicious APIs
- details: GetModuleFileNameW, GetVersionExA, GetModuleFileNameA, LoadLibraryA, LockResource, GetCommandLineW, UnhandledExceptionFilter, GetStartupInfoW, DeleteFileW, GetProcAddress, GetTempFileNameW, WriteFile, CreateThread, GetModuleHandleA, GetTempPathW, GetStartupInfoA, GetCommandLineA, IsDebuggerPresent, TerminateProcess, FindResourceW, CreateFileW, CreateProcessW, Sleep, CreateFileA, GetTickCount, VirtualAlloc, RegOpenKeyExA, RegCloseKey, DeleteFileA, GetTempPathA, GetTempFileNameA, CreateProcessA, GetFileSize, FindWindowExA, FindWindowA
- source: Static Parser
- relevance: 1/10

Installs hooks/patches the running process
- details:
  "msiexec.exe" wrote bytes "48124a75" to virtual address "0x754B8364" (part of module "SSPICLI.DLL")
  "msiexec.exe" wrote bytes "a0112972" to virtual address "0x7637E324" (part of module "WININET.DLL")
  "msiexec.exe" wrote bytes "b890122972ffe0" to virtual address "0x754A1248" (part of module "SSPICLI.DLL")
  "msiexec.exe" wrote bytes "f8110000" to virtual address "0x754A12CC" (part of module "SSPICLI.DLL")
  "msiexec.exe" wrote bytes "b880112972ffe0" to virtual address "0x75CE1368" (part of module "WS2_32.DLL")
  "msiexec.exe" wrote bytes "b810152972ffe0" to virtual address "0x754A11F8" (part of module "SSPICLI.DLL")
  "msiexec.exe" wrote bytes "f8114a75" to virtual address "0x754B83C4" (part of module "SSPICLI.DLL")
  "msiexec.exe" wrote bytes "f8114a75" to virtual address "0x754B834C" (part of module "SSPICLI.DLL")
  "msiexec.exe" wrote bytes "f8114a75" to virtual address "0x754B83E0" (part of module "SSPICLI.DLL")
  "msiexec.exe" wrote bytes "f8114a75" to virtual address "0x754B8368" (part of module "SSPICLI.DLL")
  "msiexec.exe" wrote bytes "f8110000" to virtual address "0x754A1408" (part of module "SSPICLI.DLL")
  "msiexec.exe" wrote bytes "48124a75" to virtual address "0x754B83C0" (part of module "SSPICLI.DLL")
  "msiexec.exe" wrote bytes "48120000" to virtual address "0x754A139C" (part of module "SSPICLI.DLL")
  "msiexec.exe" wrote bytes "48124a75" to virtual address "0x754B8348" (part of module "SSPICLI.DLL")
  "msiexec.exe" wrote bytes "48124a75" to virtual address "0x754B83DC" (part of module "SSPICLI.DLL")
  "msiexec.exe" wrote bytes "68130000" to virtual address "0x75CE1680" (part of module "WS2_32.DLL")
  "msiexec.exe" wrote bytes "c04e717720547277e0657277b53873770000000000d0077600000000c5ea07760000000088ea077600000000e9688b7582287377ee29737700000000d2698b75000000007dbb07760000000009be8b7500000000ba18077600000000" to virtual address "0x75B31000" (part of module "NSI.DLL")
  "msiexec.exe" wrote bytes "48120000" to virtual address "0x754A12DC" (part of module "SSPICLI.DLL")
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1179

Reads information about supported languages
- details:
  "fx-991ESPLUSEmulatorVer.4.00.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  "msiexec.exe" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALENAME")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012
Hiding 6 Suspicious Indicators

Informative (18)

Environment Awareness

Queries volume information
- details:
  "msiexec.exe" queries volume information of "C:\" at 00136165-00005076-0000010C-18446743964794105453
  "msiexec.exe" queries volume information of "C:\" at 00136386-00005036-0000010C-19548191060
- source: API Call
- relevance: 2/10
- ATT&CK ID: T1120

Queries volume information of an entire hard drive
- details:
  "msiexec.exe" queries volume information of "C:\" at 00136165-00005076-0000010C-18446743964794105453
  "msiexec.exe" queries volume information of "C:\" at 00136386-00005036-0000010C-19548191060
- source: API Call
- relevance: 8/10
- ATT&CK ID: T1120
General

Contains PDB pathways
- details:
  "e:\Develope\msi2exe\release\msi2exestub.pdb"
  "\VS2010\CheckInstallKey\Release\CheckInstallKey.pdb"
- source: File/Memory
- relevance: 1/10

Contains SQL queries
- details: "SELECT `Directory_` FROM `Component` WHERE `Component`= '%s'ProductCodeFileComponentSELECT `Component_` FROM `File` WHERE `File`= '%s'InstalledBinaryBinaryDeferedLocal%[^','], %s=][;"
- source: File/Memory
- relevance: 2/10

Creates a writable file in a temporary directory
- details:
  "msiexec.exe" created file "%TEMP%\MSI98e8.LOG"
  "msiexec.exe" created file "%TEMP%\MSI8FFF.tmp"
- source: API Call
- relevance: 1/10

Creates mutants
- details:
  "\Sessions\1\BaseNamedObjects\Global\MSILOG_1ea760be1d64aa3GOL.8e89ISM_pmeT_lacoL_ataDppA_qtPE1PR_sresU_:C"
  "Global\MSILOG_1ea760be1d64aa3GOL.8e89ISM_pmeT_lacoL_ataDppA_qtPE1PR_sresU_:C"
- source: Created Mutant
- relevance: 3/10

Drops files marked as clean
- details: Antivirus vendors marked dropped file "MSI8FFF.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- source: Binary File
- relevance: 10/10

Overview of unique CLSIDs touched in registry
- details:
  "msiexec.exe" touched "Msi install server" (Path: "HKCU\CLSID\{000C101C-0000-0000-C000-000000000046}\TREATAS")
  "msiexec.exe" touched "PSFactoryBuffer" (Path: "HKCU\CLSID\{000C103E-0000-0000-C000-000000000046}\TREATAS")
  "msiexec.exe" touched "Microsoft Windows Installer Message RPC" (Path: "HKCU\CLSID\{000C101D-0000-0000-C000-000000000046}\DLLVERSION")
- source: Registry Access
- relevance: 3/10

Process launched with changed environment
- details:
  Process "msiexec.exe" was launched with modified environment variables: "LOCALAPPDATA, TMP, USERDOMAIN, Path, USERPROFILE, TEMP, APPDATA"
  Process "msiexec.exe" was launched with missing environment variables: "LOGONSERVER, HOMEPATH, HOMEDRIVE"
  Process "msiexec.exe" was launched with new environment variables: "LOGONSERVER="\\HAPUBWS-PC", HOMEPATH="\Users\RP1EPtq", HOMEDRIVE="C:""
- source: Monitored Target
- relevance: 10/10

Scanning for window names
- details: "msiexec.exe" searching for class "Shell_TrayWnd"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1010

Spawns new processes
- details:
  Spawned process "msiexec.exe" with commandline "/i %TEMP%\MSI73BD.tmp"
  Spawned process "msiexec.exe" with commandline "/V"
  Spawned process "msiexec.exe" with commandline "-Embedding D0979942BBD0C046898632D427961231 C"
- source: Monitored Target
- relevance: 3/10

Spawns new processes that are not known child processes
- details:
  Spawned process "msiexec.exe" with commandline "/i %TEMP%\MSI73BD.tmp"
  Spawned process "msiexec.exe" with commandline "/V"
  Spawned process "msiexec.exe" with commandline "-Embedding D0979942BBD0C046898632D427961231 C"
- source: Monitored Target
- relevance: 3/10
Installation/Persistence

Connects to LPC ports
- details:
  "fx-991ESPLUSEmulatorVer.4.00.exe" connecting to "\ThemeApiPort"
  "msiexec.exe" connecting to "\ThemeApiPort"
- source: API Call
- relevance: 1/10

Dropped files
- details:
  "MSI73BD.tmp" has type "Composite Document File V2 Document Can't read SAT"
  "MSI8FFF.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source: Binary File
- relevance: 3/10

Touches files in the Windows directory
- details:
  "fx-991ESPLUSEmulatorVer.4.00.exe" touched file "%WINDIR%\AppPatch\sysmain.sdb"
  "msiexec.exe" touched file "%WINDIR%\AppPatch\sysmain.sdb"
  "msiexec.exe" touched file "%WINDIR%\System32\msiexec.exe"
  "msiexec.exe" touched file "%WINDIR%\AppPatch\AcGenral.dll"
  "msiexec.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
  "msiexec.exe" touched file "%WINDIR%\System32\rsaenh.dll"
  "msiexec.exe" touched file "%WINDIR%\System32\en-US\msctf.dll.mui"
  "msiexec.exe" touched file "%WINDIR%\AppPatch\msimain.sdb"
  "msiexec.exe" touched file "%WINDIR%\System32\sxs.dll"
  "msiexec.exe" touched file "%WINDIR%\AppPatch\AcLayers.dll"
  "msiexec.exe" touched file "%WINDIR%\System32\en-US\msiexec.exe.mui"
  "msiexec.exe" touched file "%WINDIR%\System32\msimsg.dll"
  "msiexec.exe" touched file "%WINDIR%\System32\en-US\msimsg.dll.mui"
  "msiexec.exe" touched file "%WINDIR%\Fonts\StaticCache.dat"
- source: API Call
- relevance: 7/10
Network Related

Found potential URL in binary/memory
- details:
  Heuristic match: "umn in a predefined Error table.Database: [2]. Specified Modify [3] operation invalid for table joins.Database: [2]. Code page [3] not supported by the system.Database: [2]. Failed to save table [3].Database: [2]. Exceeded number of expressions limit of 32"
  Pattern match: "http://ocsp.verisign.com0"
  Pattern match: "http://crl.verisign.com/tss-ca.crl0"
  Pattern match: "crl.verisign.com/ThawteTimestampingCA.crl0"
  Pattern match: "https://www.verisign.com/rpa"
  Pattern match: "https://www.verisign.com/rpa01"
  Pattern match: "http://crl.verisign.com/pca3.crl0"
  Pattern match: "http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0D"
  Pattern match: "https://www.verisign.com/rpa0"
  Pattern match: "CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0"
  Pattern match: "http://www.acresso.com0"
  Pattern match: "http://schemas.microsoft.com/SMI/2005/WindowsSettings"
  Pattern match: "http://www.apple.com/DTDs/PropertyList-1.0.dtd"
  Pattern match: "ns.adobe.com/xap/1.0/"
  Pattern match: "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
  Pattern match: "http://www.iec.ch"
  Pattern match: "http://ns.adobe.com/xap/1.0/"
  Pattern match: "http://crl.verisign.com/tss-ca.crl0U%0"
  Pattern match: "crl.verisign.com/ThawteTimestampingCA.crl0U%0"
  Pattern match: "https://www.verisign.com/rpa01U*0"
  Pattern match: "http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0DU"
  Pattern match: "CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0U#0Q==d6|h[x70`HB0"
  Pattern match: "www.acresso.com0"
- source: File/Memory
- relevance: 10/10
System Security

Opens the Kernel Security Device Driver (KsecDD) of Windows
- details: "msiexec.exe" opened "\Device\KsecDD"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1215
Unusual Characteristics

Matched Compiler/Packer signature
- details:
  "4827e4bb59141161da2470ee3bf00ec24343fc6bad16185f7558f30b627a7923.bin" was detected as "VC8 -> Microsoft Corporation"
  "MSI8FFF.tmp" was detected as "Armadillo v1.xx - v2.xx"
- source: Static Parser
- relevance: 10/10
- ATT&CK ID: T1045
File Details
fx-991ES PLUS Emulator Ver.4.00.exe
- Filename: fx-991ES PLUS Emulator Ver.4.00.exe
- Size: 13MiB (14061568 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture: WINDOWS
- SHA256: 4827e4bb59141161da2470ee3bf00ec24343fc6bad16185f7558f30b627a7923
- MD5: bab061d6e4b17b8ec84bd4994427ce71
- SHA1: 6a6b2dd8e801863d6a18a68b68ddd74ad79cbd57
- ssdeep: 196608:HONHUhctE3OnE+HaGCwLtuNxsOd95Q74ppJPOOM5v3S6bG0O1q+tNDr:HgHUYaGCwLtyVn5QcpROXfZOE+zr
- imphash: 0f7d0ed8477bf9ca9b4b2ce07e02a90e
- authentihash: f2f99ad84ea80a137b82b87c4b47f99513b504c4e9a83a751ce70128fa451ae8
- Compiler/Packer: VC8 -> Microsoft Corporation
- PDB Timestamp: 01/13/2009 02:29:20 (UTC)
- PDB Pathway: e:\Develope\msi2exe\release\msi2exestub.pdb
- PDB GUID: 2110710BF95949879191E348CE4C9CF2
Version Info
- LegalCopyright: Copyright (C) 2009 Acresso Software Inc. and/or InstallShield Co. Inc. All Rights Reserved.
- PrivateBuild: -
- InternalName: Setup
- FileVersion: 4.00.0000
- CompanyName: CASIO COMPUTER CO., LTD.
- Internal Build Number: 92881
- LegalTrademarks: -
- Comments: -
- ProductName: CASIO fx-991ES PLUS Emulator Ver. 4 (Single License)
- SpecialBuild: -
- ProductVersion: 4.00.0000
- FileDescription: Setup Launcher Unicode
- OriginalFilename: Setup.exe
- Translation: 0x0000 0x04b0
Classification (TrID)
- 26.8% (.EXE) InstallShield setup
- 25.8% (.EXE) Win32 EXE PECompact compressed (generic)
- 19.4% (.EXE) Win32 Executable MS Visual C++ (generic)
- 17.2% (.EXE) Win64 Executable (generic)
- 4.0% (.DLL) Win32 Dynamic Link Library (generic)
File Metadata
- 1 .OBJ Files (COFF) linked with LINK.EXE 8.00 (Visual Studio 2005) (build: 50727)
- 1 .RES Files linked with CVTRES.EXE 8.00 (Visual Studio 2005) (build: 50727)
- 2 .CPP Files (with LTCG) compiled with CL.EXE 14.00 (Visual Studio 2005) (build: 50727)
- 7 .LIB Files generated with LIB.EXE 7.10 (Visual Studio .NET 2003) (build: 4035)
- 104 .C Files compiled with CL.EXE 14.00 (Visual Studio 2005) (build: 50727)
- 44 .CPP Files compiled with CL.EXE 14.00 (Visual Studio 2005) (build: 50727)
- 17 .ASM Files assembled with MASM 8.00 (Visual Studio 2005) (build: 50727)
- File contains C++ code
- File appears to contain raw COFF/OMF content
- File was optimized using LTCG and/or POGO
- File is the product of a small codebase (2 files)
Hybrid Analysis
Analysed 4 processes in total (System Resource Monitor).
- fx-991ESPLUSEmulatorVer.4.00.exe (PID: 5020), AV detection 1/69
- msiexec.exe /i %TEMP%\MSI73BD.tmp (PID: 5076)
- msiexec.exe /V (PID: 5036)
- msiexec.exe -Embedding D0979942BBD0C046898632D427961231 C (PID: 5224)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files

Clean (1)

MSI8FFF.tmp
- Size: 217KiB (222520 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/70
- Runtime Process: msiexec.exe (PID: 5076)
- MD5: f0f5f49b27bd489fe0bcb3bd94d6eca9
- SHA1: 4e03c60afa2a39efabc6473040a4f5262e8c8a57
- SHA256: 16adf43e64af3ecc46a9460af85926446bc2aa73dc76ba9b1d7900ef67de9bc7

Informative Selection (1)

MSI73BD.tmp
- Size: 5MiB (5234688 bytes)
- Type: rtf
- Description: Composite Document File V2 Document, Can't read SAT
- Runtime Process: fx-991ESPLUSEmulatorVer.4.00.exe (PID: 5020)
- MD5: 3ed87e9393a3279ed0615ea29a4826cf
- SHA1: 5548086ab117e3cc969156f44d6991e6765da74a
- SHA256: 415512f03776caecb3259a26528f05c8d31e088fd539347d193b611478bc5371

Notifications
Runtime
- Although all strings were processed, some are hidden from the report in order to reduce the overall size
- Not all Falcon MalQuery lookups completed in time
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-31" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report