ExcelViewer.exe
This report is generated from a file or URL submitted to this webservice on January 23rd 2018 04:19:28 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v7.21 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
  - Reads terminal service related keys (often RDP related)
  - Uses network protocols on unusual ports
- Persistence
  - Writes data to a remote process
- Fingerprint
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Spreading
  - Opens the MountPointManager (often used to detect additional infection locations)
  - Tries to access unusual system drive letters
- Network Behavior
  - Contacts 3 hosts.
Additional Context
Related Sandbox Artifacts
- Associated URLs
- hxxps://www.filecroco.com/download-file/download-microsoft-office-excel-viewer/165/156/
Indicators
Not all malicious and suspicious indicators are displayed.
-
Malicious Indicators 5
-
Environment Awareness
-
Contains ability to check the local/global descriptor table
- details
- sgdt fword ptr [eax] from 4fc8e08237e8b458091c83dde68139e779fe401b4884d92d66ec843b5ca4a2ca.exe (PID: 2472) (Show Stream)
- source
- Hybrid Analysis Technology
- relevance
- 8/10
-
Installation/Persistance
-
Writes data to a remote process
- details
-
"<Input Sample>" wrote 1500 bytes to a remote process "%WINDIR%\SysWOW64\msiexec.exe" (Handle: 284)
"<Input Sample>" wrote 4 bytes to a remote process "%WINDIR%\SysWOW64\msiexec.exe" (Handle: 284)
"<Input Sample>" wrote 8 bytes to a remote process "%WINDIR%\SysWOW64\msiexec.exe" (Handle: 284)
"<Input Sample>" wrote 32 bytes to a remote process "%WINDIR%\SysWOW64\msiexec.exe" (Handle: 284)
"<Input Sample>" wrote 52 bytes to a remote process "%WINDIR%\SysWOW64\msiexec.exe" (Handle: 284)
- source
- API Call
- relevance
- 6/10
-
Network Related
-
Uses network protocols on unusual ports
- details
-
TCP traffic to 23.62.197.99 on port 56498
TCP traffic to 52.138.148.159 on port 56499
- source
- Network Traffic
- relevance
- 7/10
-
Unusual Characteristics
-
Contains ability to reboot/shutdown the operating system
- details
-
ExitWindowsEx@USER32.DLL from 4fc8e08237e8b458091c83dde68139e779fe401b4884d92d66ec843b5ca4a2ca.exe (PID: 2472) (Show Stream)
ExitWindowsEx@USER32.DLL from 4fc8e08237e8b458091c83dde68139e779fe401b4884d92d66ec843b5ca4a2ca.exe (PID: 2472) (Show Stream)
- source
- Hybrid Analysis Technology
- relevance
- 5/10
-
Tries to access unusual system drive letters
- details
-
"msiexec.exe" touched "K:"
"msiexec.exe" touched "L:"
"msiexec.exe" touched "M:"
"msiexec.exe" touched "N:"
"msiexec.exe" touched "O:"
"msiexec.exe" touched "P:"
"msiexec.exe" touched "Q:"
"msiexec.exe" touched "R:"
"msiexec.exe" touched "S:"
"msiexec.exe" touched "T:"
"msiexec.exe" touched "U:"
"msiexec.exe" touched "V:"
"msiexec.exe" touched "W:"
- source
- API Call
- relevance
- 9/10
-
Suspicious Indicators 18
-
Anti-Detection/Stealthyness
-
Queries kernel debugger information
- details
- "msiexec.exe" at 00013415-00001072-00000033-58468180
- source
- API Call
- relevance
- 6/10
-
Environment Awareness
-
Possibly tries to implement anti-virtualization techniques
- details
-
""K3%y=5&nbN65amznk`c-AwH
:V8KA&UjevbOX-C)7n(=2,C<\7o"TT0m8Hx"q" (Indicator: "vbox")
"YAevBoX%U+{t&qQ;)YI-lib]:i%0W 'a!\$*T\OORvoH%oe pbnPQqU[#AX%ArY'qP)jzAT-3,u|r"Dd;xMQZ@v.a;Ys" (Indicator: "vbox") - source
- File/Memory
- relevance
- 4/10
-
Reads the cryptographic machine GUID
- details
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
-
General
-
Contains ability to find and load resources of a specific module
- details
- FindResourceA@KERNEL32.DLL from 4fc8e08237e8b458091c83dde68139e779fe401b4884d92d66ec843b5ca4a2ca.exe (PID: 2472) (Show Stream)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Reads configuration files
- details
- "msiexec.exe" read file "%WINDIR%\win.ini"
- source
- API Call
- relevance
- 4/10
-
Installation/Persistance
-
Creates new processes
- details
- "<Input Sample>" is creating a new process (Name: "C:\", Handle: 284)
- source
- API Call
- relevance
- 8/10
-
Monitors specific registry key for changes
- details
-
"msiexec.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder" (Filter: 4; Subtree: 711936)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\crypt32" (Filter: 4; Subtree: 32767232)
"msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\SystemCertificates\Root" (Filter: 5; Subtree: 32767233)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT" (Filter: 5; Subtree: 32767233)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot" (Filter: 5; Subtree: 32767233)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates" (Filter: 5; Subtree: 32760321)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root" (Filter: 5; Subtree: 32767233)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot" (Filter: 5; Subtree: 32767233)
"msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\SystemCertificates\SmartCardRoot" (Filter: 5; Subtree: 32767233)
"msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\SystemCertificates\trust" (Filter: 5; Subtree: 32767233)
"msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Policies\Microsoft\SystemCertificates" (Filter: 5; Subtree: 32760321)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust" (Filter: 5; Subtree: 32767233)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust" (Filter: 5; Subtree: 32767233)
"msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\SystemCertificates\CA" (Filter: 5; Subtree: 32767233)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA" (Filter: 5; Subtree: 32767233)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA" (Filter: 5; Subtree: 32767233)
"msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\SystemCertificates\Disallowed" (Filter: 5; Subtree: 32767233)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed" (Filter: 5; Subtree: 32767233)
"msiexec.exe" monitors "\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed" (Filter: 5; Subtree: 32767233)
"msiexec.exe" monitors "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\SystemCertificates\TrustedPeople" (Filter: 5; Subtree: 32767233) - source
- API Call
- relevance
- 4/10
-
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "msiexec.exe" opened "\Device\MountPointManager"
- source
- API Call
- relevance
- 5/10
-
Remote Access Related
-
Reads terminal service related keys (often RDP related)
- details
- "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
- source
- Registry Access
- relevance
- 10/10
-
System Destruction
-
Marks file for deletion
- details
- "%WINDIR%\SysWOW64\msiexec.exe" marked "C:\MSI34008.tmp" for deletion
- source
- API Call
- relevance
- 10/10
-
Opens file with deletion access rights
- details
-
"msiexec.exe" opened "C:\MSI34008.tmp" with delete access
"msiexec.exe" opened "%SAMPLEDIR%\MSI34009.tmp" with delete access
- source
- API Call
- relevance
- 7/10
-
System Security
-
Modifies Software Policy Settings
- details
-
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CERTIFICATES")
"msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLS") - source
- Registry Access
- relevance
- 10/10
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
- "msiexec.exe" wrote bytes "711146017a3b4501ab8b02007f950200fc8c0200729602006cc805001ecd42017d264201" to virtual address "0x75D007E4" (part of module "USER32.DLL")
- source
- Hook Detection
- relevance
- 10/10
-
Reads information about supported languages
- details
-
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
-
Hiding 4 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version
-
Informative 21
-
Anti-Reverse Engineering
-
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
-
SetUnhandledExceptionFilter@KERNEL32.DLL from 4fc8e08237e8b458091c83dde68139e779fe401b4884d92d66ec843b5ca4a2ca.exe (PID: 2472) (Show Stream)
SetUnhandledExceptionFilter@KERNEL32.DLL from 4fc8e08237e8b458091c83dde68139e779fe401b4884d92d66ec843b5ca4a2ca.exe (PID: 2472) (Show Stream)
SetUnhandledExceptionFilter@KERNEL32.DLL from 4fc8e08237e8b458091c83dde68139e779fe401b4884d92d66ec843b5ca4a2ca.exe (PID: 2472) (Show Stream)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Found strings in conjunction with a procedure lookup that resolve to a known API export symbol
- details
-
Found reference to API InitializeCriticalSectionAndSpinCount@KERNEL32.DLL from 4fc8e08237e8b458091c83dde68139e779fe401b4884d92d66ec843b5ca4a2ca.exe (PID: 2472) (Show Stream)
Found reference to API GetNativeSystemInfo@KERNEL32.DLL from 4fc8e08237e8b458091c83dde68139e779fe401b4884d92d66ec843b5ca4a2ca.exe (PID: 2472) (Show Stream)
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Environment Awareness
-
Contains ability to query machine time
- details
-
GetSystemTimeAsFileTime@KERNEL32.DLL from 4fc8e08237e8b458091c83dde68139e779fe401b4884d92d66ec843b5ca4a2ca.exe (PID: 2472) (Show Stream)
GetSystemTimeAsFileTime@KERNEL32.DLL from 4fc8e08237e8b458091c83dde68139e779fe401b4884d92d66ec843b5ca4a2ca.exe (PID: 2472) (Show Stream)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the machine version
- details
-
GetVersionExA@KERNEL32.DLL from 4fc8e08237e8b458091c83dde68139e779fe401b4884d92d66ec843b5ca4a2ca.exe (PID: 2472) (Show Stream)
GetVersionExA@KERNEL32.DLL from 4fc8e08237e8b458091c83dde68139e779fe401b4884d92d66ec843b5ca4a2ca.exe (PID: 2472) (Show Stream)
GetVersionExA@KERNEL32.DLL from 4fc8e08237e8b458091c83dde68139e779fe401b4884d92d66ec843b5ca4a2ca.exe (PID: 2472) (Show Stream)
GetVersionExA@KERNEL32.DLL from 4fc8e08237e8b458091c83dde68139e779fe401b4884d92d66ec843b5ca4a2ca.exe (PID: 2472) (Show Stream)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query volume size
- details
-
GetDiskFreeSpaceExA@KERNEL32.DLL from 4fc8e08237e8b458091c83dde68139e779fe401b4884d92d66ec843b5ca4a2ca.exe (PID: 2472) (Show Stream)
GetDiskFreeSpaceExW@KERNEL32.DLL from 4fc8e08237e8b458091c83dde68139e779fe401b4884d92d66ec843b5ca4a2ca.exe (PID: 2472) (Show Stream)
- source
- Hybrid Analysis Technology
- relevance
- 3/10
-
Makes a code branch decision directly after an API that is environment aware
- details
-
Found API call GetDiskFreeSpaceExA@KERNEL32.DLL (Target: "4fc8e08237e8b458091c83dde68139e779fe401b4884d92d66ec843b5ca4a2ca.exe"; Stream UID: "00013033-00002472-2263-2425-2F8669C6")
which is directly followed by "cmp dword ptr [ebp-00000084h], eax" and "je 2F866A09h". See related instructions: "...+19 call 2F851DFFh+24 push dword ptr [ebp+14h]+27 mov eax, dword ptr [eax]+29 push dword ptr [ebp+10h]+32 push dword ptr [ebp+0Ch]+35 push eax+36 call dword ptr [2F8410A8h] ;GetDiskFreeSpaceExA+42 mov esi, eax+44 lea eax, dword ptr [ebp-80h]+47 cmp dword ptr [ebp-00000084h], eax+53 je 2F866A09h" ... from 4fc8e08237e8b458091c83dde68139e779fe401b4884d92d66ec843b5ca4a2ca.exe (PID: 2472) (Show Stream)
Found API call GetVersionExA@KERNEL32.DLL (Target: "4fc8e08237e8b458091c83dde68139e779fe401b4884d92d66ec843b5ca4a2ca.exe"; Stream UID: "00013033-00002472-2263-3169-2F896271")
which is directly followed by "cmp dword ptr [ebp-00000088h], 02h" and "jne 2F8962B2h". See related instructions: "...+36 call dword ptr [2F841080h] ;GetVersionExA+42 cmp dword ptr [ebp-00000088h], 02h+49 jne 2F8962B2h" ... from 4fc8e08237e8b458091c83dde68139e779fe401b4884d92d66ec843b5ca4a2ca.exe (PID: 2472) (Show Stream)
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Queries volume information
- details
-
"msiexec.exe" queries volume information of "C:\" at 00013415-00001072-00000046-58681580
"msiexec.exe" queries volume information of "C:\share" at 00013415-00001072-00000046-59286069
"msiexec.exe" queries volume information of "C:\" at 00013415-00001072-00000046-75558352
- source
- API Call
- relevance
- 2/10
-
Queries volume information of an entire harddrive
- details
-
"msiexec.exe" queries volume information of "C:\" at 00013415-00001072-00000046-58681580
"msiexec.exe" queries volume information of "C:\" at 00013415-00001072-00000046-75558352
- source
- API Call
- relevance
- 8/10
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
- 0/66 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
General
-
Accesses Software Policy Settings
- details
-
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLS"; Key: "") - source
- Registry Access
- relevance
- 10/10
-
Accesses System Certificates Settings
- details
-
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\104C63D2546B8021DD105E9FBA5A8D78169F6B32"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\1FB86B1168EC743154062E8C9CC5B171A4B7CCB4"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\247106A405B288A46E70A0262717162D0903E734"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\339CDD57CFD5B141169B615FF31428782D1DA639"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\5AEAEE3F7F2A9449CEBAFEEC68FDD184F20124A7"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\902EF2DEEB3C5B13EA4C3D5193629309E231AE55"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\C86EDBC71AB05078F61ACDF3D8DC5DB61EB75FB6"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\E3FC0AD84F2F5A83ED6F86F567F8B14B40DCBF12"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\EAB040689A0D805B5D6FD654FC168CFF00B78BE3"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"msiexec.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "") - source
- Registry Access
- relevance
- 10/10
-
Contacts server
- details
-
"92.122.122.144:80"
"23.62.197.99:56498"
"52.138.148.159:56499"
- source
- Network Traffic
- relevance
- 1/10
-
Contains PDB pathways
- details
-
"t:\ses\x86\ship\0\opatchinst.pdb"
"hip\0\opatchinst.exe\bbtopt\opatchinstO.pdb"
- source
- File/Memory
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Global\_MSIExecute"
"Global\_MSIExecute"
- source
- Created Mutant
- relevance
- 3/10
-
Loads rich edit control libraries
- details
- "msiexec.exe" loaded module "%WINDIR%\SysWOW64\riched20.dll" at 72B30000
- source
- Loaded Module
-
Reads Windows Trust Settings
- details
- "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source
- Registry Access
- relevance
- 5/10
-
Spawns new processes
- details
- Spawned process "msiexec.exe" with commandline "msiexec /i xlview.msi PATCH="%PROGRAMFILES%\(x86)\MSECache\xlview_en-us\Updates\xlviewsp1-en-us.msp"" (Show Process)
- source
- Monitored Target
- relevance
- 3/10
-
Installation/Persistance
-
Dropped files
- details
-
"xlview.msi" has type "Composite Document File V2 Document Can't read SAT"
"xlviewsp1-en-us.msp" has type "Composite Document File V2 Document Can't read SAT"
- source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"<Input Sample>" touched file "%WINDIR%\SysWOW64\msi.dll"
"<Input Sample>" touched file "%WINDIR%\SysWOW64\shell32.dll"
"<Input Sample>" touched file "%WINDIR%\SysWOW64\en-US\shell32.dll.mui"
"<Input Sample>" touched file "%WINDIR%\SysWOW64\en-US\KernelBase.dll.mui"
"<Input Sample>" touched file "%WINDIR%\SysWOW64\msxml3r.dll"
"<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
"<Input Sample>" touched file "%WINDIR%\Fonts\StaticCache.dat"
"<Input Sample>" touched file "%WINDIR%\SysWOW64\en-US\msctf.dll.mui"
"<Input Sample>" touched file "%WINDIR%\SysWOW64\en-US\user32.dll.mui"
"<Input Sample>" touched file "%WINDIR%\AppPatch\sysmain.sdb"
"<Input Sample>" touched file "%WINDIR%\SysWOW64\msiexec.exe"
"msiexec.exe" touched file "%WINDIR%\AppPatch\sysmain.sdb"
"msiexec.exe" touched file "%WINDIR%\SysWOW64\msiexec.exe"
"msiexec.exe" touched file "%WINDIR%\AppPatch\AcLayers.dll"
"msiexec.exe" touched file "%WINDIR%\AppPatch\AcGenral.dll" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Heuristic match: "GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?4eaab2738416342f HTTP/1.1Connection: Keep-AliveAccept: */*If-Modified-Since: Thu, 20 Apr 2017 16:02:20 GMTIf-None-Match: 04e707defb9d21:0User-Agent: Microsoft-CryptoAPI/6.1Hos"
Heuristic match: "GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?6f76c9e0a123a44c HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: ctldl.windowsupdate.com"
Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: s2.symcb.com"
Pattern match: "http://www.symauth.com/cps0"
Pattern match: "http://www.symauth.com/rpa0"
Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEBuN56dlW1Lzehhu%2FtdSD3U%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: sv.symcd.com"
Pattern match: "http://www.symauth.com/cps0*"
Heuristic match: "GET /CRL/Omniroot2025.crl HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: cdp1.public-trust.com"
Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAt%2BEJA8OEkP%2Bi9nmoehp7k%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: ocsp.digicert.com"
Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSLIycRsoI3J6zPns4K1aQgAqaqHgQUZ50PIAkMzIo65YJGcmL88cyQ5UACEAG2Yem3HYLmNssdMr3TCFk%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: ocsp.digicert.com"
Pattern match: "www.microsoft.com"
- source
- File/Memory
- relevance
- 10/10
-
System Security
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"<Input Sample>" opened "\Device\KsecDD"
"msiexec.exe" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
File Details
ExcelViewer.exe
- Filename
- ExcelViewer.exe
- Size
- 74MiB (77738888 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 4fc8e08237e8b458091c83dde68139e779fe401b4884d92d66ec843b5ca4a2ca
- MD5
- cb4f2202fc368af9476effed5cc7b8a4
- SHA1
- 610cdc9a6684a5ef57ee5b4c1ca127384f3fb7e1
Classification (TrID)
- 52.9% (.EXE) Win32 Executable (generic)
- 23.5% (.EXE) Generic Win/DOS Executable
- 23.4% (.EXE) DOS Executable Generic
- 0.0% (.CEL) Autodesk FLIC Image File (extensions: flc, fli, cel)
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
-
Input Sample
(PID: 2472)
- msiexec.exe msiexec /i xlview.msi PATCH="%PROGRAMFILES%\(x86)\MSECache\xlview_en-us\Updates\xlviewsp1-en-us.msp" (PID: 1072)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
92.122.122.144 | 80 TCP | compattelrunner.exe PID: 2644 | European Union |
23.62.197.99 | 56498 TCP | devicedisplayobjectprovider.exe PID: 1248 | United States |
52.138.148.159 | 56499 TCP | devicedisplayobjectprovider.exe PID: 1248 | United States |
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
watson.microsoft.com | Domain/IP reference | 00013033-00002472-2263-3805-2F884361 |
Extracted Files
-
Informative Selection 2
-
-
xlviewsp1-en-us.msp
- Size
- 5MiB (5224448 bytes)
- Type
- text
- Description
- Composite Document File V2 Document, Can't read SAT
- Runtime Process
- 4fc8e08237e8b458091c83dde68139e779fe401b4884d92d66ec843b5ca4a2ca.exe (PID: 2472)
- MD5
- bc41e1acd69f23a542dc05e816554e9f
- SHA1
- 7d74668cfd1e911f561486131a9a4509b6878f8b
- SHA256
- 121028f5bb69d47ad5940d086ee61e8886aec71bb6b9a3d70301a0c8b0831834
-
xlview.msi
- Size
- 5MiB (5210112 bytes)
- Type
- rtf
- Description
- Composite Document File V2 Document, Can't read SAT
- Runtime Process
- 4fc8e08237e8b458091c83dde68139e779fe401b4884d92d66ec843b5ca4a2ca.exe (PID: 2472)
- MD5
- c0be7c03aa13364555c4fea37d06240d
- SHA1
- 5a90207263b9826b81b948e16eb667bfbb0fb7ae
- SHA256
- c43063ff4e13b7294fb5d4255c32186475f87c739773ea949d02d5763843616c
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Extracted file "xlview.msi" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/c43063ff4e13b7294fb5d4255c32186475f87c739773ea949d02d5763843616c/analysis/1516678105/")
- No static analysis parsing on sample was performed
- Not all IP/URL string resources were checked online
- Not all sources for signature ID "api-12" are available in the report
- Not all sources for signature ID "api-31" are available in the report
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "registry-17" are available in the report
- Not all sources for signature ID "registry-18" are available in the report
- Not all sources for signature ID "registry-19" are available in the report
- Not all sources for signature ID "string-63" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report