cspy343.exe
This report is generated from a file or URL submitted to this webservice on February 29th 2020 14:21:32 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Persistence: Writes data to a remote process
- Fingerprint: Contains ability to query information about shared network resources; Queries kernel debugger information; Reads the active computer name; Reads the cryptographic machine GUID
- Evasive: Marks file for deletion
- Spreading: Opens the MountPointManager (often used to detect additional infection locations)
- Network Behavior: Contacts 1 domain and 1 host
Indicators
Not all malicious and suspicious indicators are displayed.
-
Malicious Indicators 5
-
External Systems
-
Sample was identified as malicious by at least one Antivirus engine
- details
- 2/69 Antivirus vendors marked sample as malicious (2% detection rate)
- source
- External System
- relevance
- 8/10
-
General
-
Contains ability to start/interact with device drivers
- details
- DeviceIoControl@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 8/10
-
The analysis extracted a file that was identified as malicious
- details
- 1/68 Antivirus vendors marked dropped file "ShellExecAsUser.dll" as malicious (classified as "Malware.Generic" with 1% detection rate)
- source
- Binary File
- relevance
- 10/10
-
Installation/Persistence
-
Allocates virtual memory in a remote process
- details
- "cspy343.exe" allocated memory in "%WINDIR%\SysWOW64\notepad.exe"
- source
- API Call
- relevance
- 7/10
- ATT&CK ID
- T1055
-
Writes data to a remote process
- details
- "cspy343.exe" wrote 8 bytes to a remote process "%WINDIR%\SysWOW64\notepad.exe" (Handle: 824)
- "cspy343.exe" wrote 32 bytes to a remote process "%WINDIR%\SysWOW64\notepad.exe" (Handle: 824)
- "cspy343.exe" wrote 52 bytes to a remote process "%WINDIR%\SysWOW64\notepad.exe" (Handle: 824)
- "cspy343.exe" wrote 4 bytes to a remote process "%WINDIR%\SysWOW64\notepad.exe" (Handle: 824)
- source
- API Call
- relevance
- 6/10
- ATT&CK ID
- T1055
-
Suspicious Indicators 22
-
Anti-Detection/Stealthiness
-
Queries kernel debugger information
- details
- "cspy343.exe" at 00064840-00003204-00000033-143173997691
- source
- API Call
- relevance
- 6/10
-
Anti-Reverse Engineering
-
PE file has unusual entropy sections
- details
- .rsrc with unusual entropies 7.2538641676
- source
- Static Parser
- relevance
- 10/10
-
Environment Awareness
-
Contains ability to query information about shared network resources
- details
- NetShareGetInfo@NETAPI32.dll
- source
- Hybrid Analysis Technology
- relevance
- 10/10
- ATT&CK ID
- T1012
-
Contains ability to read monitor info
- details
- GetMonitorInfoW@USER32.dll
- source
- Hybrid Analysis Technology
- relevance
- 5/10
- ATT&CK ID
- T1082
-
Reads the active computer name
- details
- "cspy343.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source
- Registry Access
- relevance
- 5/10
- ATT&CK ID
- T1012
-
Reads the cryptographic machine GUID
- details
- "cspy343.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012
-
External Systems
-
Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details
- 1/69 reputation engines marked "http://www.clonespy.com/english/download/" as malicious (1% detection rate)
- source
- External System
- relevance
- 10/10
-
General
-
Contains ability to find and load resources of a specific module
- details
- FindResourceW@KERNEL32.dll (5 occurrences)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Installation/Persistence
-
Creates new processes
- details
- "cspy343.exe" is creating a new process (Name: "%WINDIR%\SysWOW64\notepad.exe", Handle: 824)
- source
- API Call
- relevance
- 8/10
-
Drops executable files
- details
- "UserInfo.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "ShellExecAsUser.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "CloneSpy.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- "nsDialogs.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "CSUninstall.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows Nullsoft Installer self-extracting archive"
- "System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 10/10
-
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "cspy343.exe" opened "\Device\MountPointManager"
- source
- API Call
- relevance
- 5/10
-
Writes a file to the start menu
- details
- "cspy343.exe" wrote to file "%APPDATA%\Microsoft\Windows\Start Menu\Programs\CloneSpy\CloneSpy.lnk"
- "cspy343.exe" wrote to file "%APPDATA%\Microsoft\Windows\Start Menu\Programs\CloneSpy\Readme.lnk"
- "cspy343.exe" wrote to file "%APPDATA%\Microsoft\Windows\Start Menu\Programs\CloneSpy\Uninstall.lnk"
- "cspy343.exe" wrote to file "%APPDATA%\Microsoft\Windows\Start Menu\Programs\CloneSpy\Website.lnk"
- "cspy343.exe" wrote to file "%APPDATA%\Microsoft\Windows\Start Menu\Programs\CloneSpy\Help.lnk"
- source
- API Call
- relevance
- 10/10
-
Network Related
-
Sends traffic on typical HTTP outbound port, but without HTTP header
- details
- TCP traffic to 85.13.134.227 on port 80 is sent without HTTP header
- source
- Network Traffic
- relevance
- 5/10
-
System Destruction
-
Marks file for deletion
- details
- "C:\cspy343.exe" marked "%TEMP%\nsa7D76.tmp" for deletion
- "C:\cspy343.exe" marked "%TEMP%\nsk7D26.tmp" for deletion
- "C:\cspy343.exe" marked "%PROGRAMFILES%\(x86)\CloneSpy\Readme.txt" for deletion
- "C:\cspy343.exe" marked "%TEMP%\nsa7D76.tmp\modern-header.bmp" for deletion
- "C:\cspy343.exe" marked "%TEMP%\nsa7D76.tmp\modern-wizard.bmp" for deletion
- "C:\cspy343.exe" marked "%TEMP%\nsa7D76.tmp\nsDialogs.dll" for deletion
- "C:\cspy343.exe" marked "%TEMP%\nsa7D76.tmp\ShellExecAsUser.dll" for deletion
- "C:\cspy343.exe" marked "%TEMP%\nsa7D76.tmp\System.dll" for deletion
- "C:\cspy343.exe" marked "%TEMP%\nsa7D76.tmp\UserInfo.dll" for deletion
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1107
-
Opens file with deletion access rights
- details
- "cspy343.exe" opened "%TEMP%\nsa7D76.tmp" with delete access
- "cspy343.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsk7D26.tmp" with delete access
- "cspy343.exe" opened "C:\nsk6239.tmp" with delete access
- "cspy343.exe" opened "C:\Program Files (x86)\CloneSpy\Readme.txt" with delete access
- "cspy343.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsa7D76.tmp\modern-header.bmp" with delete access
- "cspy343.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsa7D76.tmp\modern-wizard.bmp" with delete access
- "cspy343.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsa7D76.tmp\nsDialogs.dll" with delete access
- "cspy343.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsa7D76.tmp\ShellExecAsUser.dll" with delete access
- "cspy343.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsa7D76.tmp\System.dll" with delete access
- "cspy343.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsa7D76.tmp\UserInfo.dll" with delete access
- "cspy343.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsa7D76.tmp\" with delete access
- source
- API Call
- relevance
- 7/10
-
System Security
-
Tries to obtain the highest possible privilege level without UAC dialog
- details
- "<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.04</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="highestAvailable" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/" (Indicator: "requestedExecutionLevel level="highestAvailable"")
- source
- File/Memory
- relevance
- 7/10
- ATT&CK ID
- T1088
-
Unusual Characteristics
-
Imports suspicious APIs
- details
- RegDeleteKeyA
- RegCloseKey
- OpenProcessToken
- RegDeleteValueA
- RegCreateKeyExA
- RegOpenKeyExA
- RegEnumKeyA
- GetFileAttributesA
- CopyFileA
- GetModuleFileNameA
- LoadLibraryExA
- GetFileSize
- CreateDirectoryA
- DeleteFileA
- GetCommandLineA
- GetProcAddress
- GetTempPathA
- CreateThread
- GetModuleHandleA
- FindFirstFileA
- WriteFile
- GetTempFileNameA
- FindNextFileA
- CreateProcessA
- Sleep
- CreateFileA
- GetTickCount
- ShellExecuteExA
- FindWindowExA
- GetUserNameA
- GetVersionExA
- OutputDebugStringA
- ShellExecuteA
- RegCreateKeyExW
- RegDeleteValueW
- RegOpenKeyExW
- RegEnumKeyExW
- RegEnumKeyW
- RegDeleteKeyW
- GetDriveTypeW
- GetFileAttributesW
- FindResourceExW
- DeviceIoControl
- CopyFileW
- OutputDebugStringW
- GetModuleFileNameW
- IsDebuggerPresent
- LoadLibraryExW
- ExitThread
- TerminateProcess
- GetModuleHandleExW
- LoadLibraryW
- GetVersionExW
- VirtualProtect
- LoadLibraryA
- GetStartupInfoW
- CreateDirectoryW
- DeleteFileW
- GetTempFileNameW
- CreateFileMappingW
- GetFileSizeEx
- FindNextFileW
- CreateFileMappingA
- FindFirstFileW
- FindFirstFileExW
- GetTempPathW
- CreateFileW
- LockResource
- GetCommandLineW
- UnhandledExceptionFilter
- MapViewOfFile
- GetModuleHandleW
- GetFileAttributesExW
- FindResourceW
- CreateProcessW
- VirtualAlloc
- NetShareGetInfo
- ShellExecuteW
- ShellExecuteExW
- GetCursorPos
- SetWindowsHookExW
- GetUpdateRect
- GetLastActivePopup
- GetWindowThreadProcessId
- InternetOpenW
- InternetQueryDataAvailable
- InternetQueryOptionW
- InternetWriteFile
- InternetCloseHandle
- InternetCrackUrlW
- InternetOpenUrlW
- InternetReadFile
- WSAStartup
- URLDownloadToFileW
- source
- Static Parser
- relevance
- 1/10
-
Installs hooks/patches the running process
- details
- "cspy343.exe" wrote bytes "711140017a3b3f01ab8b02007f950200fc8c0200729602006cc805001ecd3c017d263c01" to virtual address "0x75CA07E4" (part of module "USER32.DLL")
- "cspy343.exe" wrote bytes "94020000b8020000dc0200000003000024030000480300006c03000090030000b4030000d8030000fc0300002004000044040000680400008c040000b0040000d4040000f804000034050000" to virtual address "0x73CD2000" (part of module "RICHED20.DLL")
- "cspy343.exe" wrote bytes "d055c2746473cb740000000051c1a3759498a375ee9ca37575dca575273ea5750fb3a9750000000085486e7669876e760f777076d9176e76ead76f76a9346e76f8116e7620146e764cbc7076f5166e7654146e76ff106e7632146e7600000000" to virtual address "0x73D31000" (part of module "SHFOLDER.DLL")
- source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
-
Reads information about supported languages
- details
- "cspy343.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- "notepad.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012
-
Hiding 3 Suspicious Indicators
-
Informative 29
-
Anti-Reverse Engineering
-
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
- SetUnhandledExceptionFilter@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
PE file contains zero-size sections
- details
- Raw size of ".ndata" is zero
- source
- Static Parser
- relevance
- 10/10
-
Environment Awareness
-
Contains ability to query machine time
- details
- GetSystemTimeAsFileTime@KERNEL32.dll
- GetSystemTime@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
- ATT&CK ID
- T1124
-
Contains ability to query the machine timezone
- details
- GetTimeZoneInformation@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
- ATT&CK ID
- T1124
-
Contains ability to query the machine version
- details
- GetVersionExW@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the system locale
- details
- GetUserDefaultLCID@KERNEL32.dll (2 occurrences)
- EnumSystemLocalesW@KERNEL32.dll (4 occurrences)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Makes a code branch decision directly after an API that is environment aware
- details
- Found API call GetTimeZoneInformation@KERNEL32.dll directly followed by "cmp eax, FFFFFFFFh" and "je 00699050h"
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Queries volume information
- details
- "cspy343.exe" queries volume information of "C:\" at 00064840-00003204-00000046-132925528396
- "cspy343.exe" queries volume information of "%PROGRAMFILES%\(x86)\CloneSpy\CloneSpy.exe" at 00064840-00003204-00000046-132945529180
- "cspy343.exe" queries volume information of "C:\" at 00064840-00003204-00000046-133577917648
- "cspy343.exe" queries volume information of "C:\Program Files (x86)\CloneSpy\CloneSpy.chm" at 00064840-00003204-00000046-133579107938
- "cspy343.exe" queries volume information of "C:\" at 00064840-00003204-00000046-133655203126
- "cspy343.exe" queries volume information of "C:\Program Files (x86)\CloneSpy\CSUninstall.exe" at 00064840-00003204-00000046-133656577099
- "cspy343.exe" queries volume information of "C:\" at 00064840-00003204-00000046-134433260289
- "cspy343.exe" queries volume information of "C:\Program Files (x86)\CloneSpy\CloneSpy.exe" at 00064840-00003204-00000046-134434243283
- "cspy343.exe" queries volume information of "C:\" at 00064840-00003204-00000046-134517601208
- "cspy343.exe" queries volume information of "C:\Program Files (x86)\CloneSpy\Readme.txt" at 00064840-00003204-00000046-134518615171
- "notepad.exe" queries volume information of "C:\Program Files (x86)\CloneSpy\Readme.txt" at 00069264-00003512-00000046-144989775731
- source
- API Call
- relevance
- 2/10
- ATT&CK ID
- T1120
-
Queries volume information of an entire harddrive
- details
- "cspy343.exe" queries volume information of "C:\" at 00064840-00003204-00000046-132925528396
- "cspy343.exe" queries volume information of "C:\" at 00064840-00003204-00000046-133577917648
- "cspy343.exe" queries volume information of "C:\" at 00064840-00003204-00000046-133655203126
- "cspy343.exe" queries volume information of "C:\" at 00064840-00003204-00000046-134433260289
- "cspy343.exe" queries volume information of "C:\" at 00064840-00003204-00000046-134517601208
- source
- API Call
- relevance
- 8/10
- ATT&CK ID
- T1120
-
Reads the registry for installed applications
- details
- "cspy343.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\NOTEPAD.EXE")
- "cspy343.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\NOTEPAD.EXE")
- "cspy343.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS")
- "cspy343.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\CLONESPY.EXE")
- "cspy343.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CLONESPY")
- "cspy343.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\CSPY343.EXE")
- "cspy343.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\CSPY343.EXE")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012
-
General
-
Contacts domains
- details
- "www.clonespy.info"
- source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
- "85.13.134.227:80"
- source
- Network Traffic
- relevance
- 1/10
-
Contains SQL queries
- details
- "INSERT OR REPLACE INTO csc (key, value) VALUES (?, ?);"
- "INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);"
- "SELECT * FROM csc WHERE key="%s";"
- source
- File/Memory
- relevance
- 2/10
-
Creates a writable file in a temporary directory
- details
- "cspy343.exe" created file "%TEMP%\nsk7D65.tmp"
- "cspy343.exe" created file "%TEMP%\nsa7D76.tmp\System.dll"
- "cspy343.exe" created file "%TEMP%\nsa7D76.tmp\modern-header.bmp"
- "cspy343.exe" created file "%TEMP%\nsa7D76.tmp\modern-wizard.bmp"
- "cspy343.exe" created file "%TEMP%\nsa7D76.tmp\nsDialogs.dll"
- "cspy343.exe" created file "%TEMP%\nsa7D76.tmp\UserInfo.dll"
- source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
- "\Sessions\1\BaseNamedObjects\DBWinMutex"
- "DBWinMutex"
- source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "UserInfo.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- Antivirus vendors marked dropped file "nsDialogs.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- Antivirus vendors marked dropped file "CSUninstall.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows Nullsoft Installer self-extracting archive")
- Antivirus vendors marked dropped file "System.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- source
- Binary File
- relevance
- 10/10
-
GETs files from a webserver
- details
- "GET /iupdate/update_eng.txt HTTP/1.1
  User-Agent: CloneSpy - Auto Update Check
  Host: www.clonespy.info
  Cache-Control: no-cache"
- source
- Network Traffic
- relevance
- 5/10
-
Loads rich edit control libraries
- details
- "cspy343.exe" loaded module "%WINDIR%\SysWOW64\riched20.dll" at 73C60000
- source
- Loaded Module
- ATT&CK ID
- T1179
-
Overview of unique CLSIDs touched in registry
- details
- "cspy343.exe" touched "Memory Mapped Cache Mgr" (Path: "HKCU\WOW6432NODE\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}")
- "cspy343.exe" touched "Shortcut" (Path: "HKCU\WOW6432NODE\CLSID\{00021401-0000-0000-C000-000000000046}")
- "cspy343.exe" touched "Network" (Path: "HKCU\WOW6432NODE\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\SHELLFOLDER")
- "cspy343.exe" touched "Computer" (Path: "HKCU\WOW6432NODE\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
- "cspy343.exe" touched "Microsoft Multiple AutoComplete List Container" (Path: "HKCU\WOW6432NODE\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\TREATAS")
- "cspy343.exe" touched "Microsoft Shell Folder AutoComplete List" (Path: "HKCU\WOW6432NODE\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\TREATAS")
- "cspy343.exe" touched "Microsoft AutoComplete" (Path: "HKCU\WOW6432NODE\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\TREATAS")
- "cspy343.exe" touched "Microsoft TipAutoCompleteClient Control" (Path: "HKCU\WOW6432NODE\CLSID\{807C1E6C-1D00-453F-B920-B61BB7CDD997}\TREATAS")
- "cspy343.exe" touched "ShellWindows" (Path: "HKCU\WOW6432NODE\CLSID\{9BA05972-F6A8-11CF-A442-00A0C90A8F39}\TREATAS")
- "cspy343.exe" touched "PSOAInterface" (Path: "HKCU\WOW6432NODE\CLSID\{00020424-0000-0000-C000-000000000046}\TREATAS")
- "cspy343.exe" touched "PSDispatch" (Path: "HKCU\WOW6432NODE\CLSID\{00020420-0000-0000-C000-000000000046}\TREATAS")
- "cspy343.exe" touched "PSFactoryBuffer" (Path: "HKCU\WOW6432NODE\CLSID\{A4A1A128-768F-41E0-BF75-E4FDDD701CBA}\TREATAS")
- source
- Registry Access
- relevance
- 3/10
-
Scanning for window names
- details
- "cspy343.exe" searching for class "#32770"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1010
-
Spawns new processes
- details
- Spawned process "notepad.exe" with commandline "%PROGRAMFILES%\(x86)\CloneSpy\Readme.txt"
- source
- Monitored Target
- relevance
- 3/10
-
Spawns new processes that are not known child processes
- details
- Spawned process "notepad.exe" with commandline "%PROGRAMFILES%\(x86)\CloneSpy\Readme.txt"
- source
- Monitored Target
- relevance
- 3/10
-
The input sample possibly contains the RDTSCP instruction
- details
- Found VM detection artifact "RDTSCP trick" in "6f1c39f521d7ccdc2c0cfb8a69d456c57b6094e95afc9d9294d85f35eb116a45.bin" (Offset: 4703431)
- source
- Binary File
- relevance
- 5/10
-
Installation/Persistence
-
Connects to LPC ports
- details
- "cspy343.exe" connecting to "\ThemeApiPort"
- "notepad.exe" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
-
Dropped files
- details
- "CloneSpy.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Archive ctime=Sat Oct 12 06:46:48 2019 mtime=Fri Jan 31 14:25:08 2020 atime=Fri Jan 31 14:25:10 2020 length=5467648 window=hide"
- "UserInfo.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "ShellExecAsUser.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "CloneSpy.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- "Readme.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Archive ctime=Sat Oct 5 16:28:32 2019 mtime=Fri Jan 31 14:25:10 2020 atime=Fri Jan 31 14:25:12 2020 length=44582 window=hide"
- "Uninstall.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Archive ctime=Fri Jan 31 14:25:12 2020 mtime=Fri Jan 31 14:25:12 2020 atime=Fri Jan 31 14:25:12 2020 length=67673 window=hide"
- "nsDialogs.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "Website.lnk" has type "MS Windows shortcut Item id list present Has Working directory ctime=Mon Jan 1 00:00:00 1601 mtime=Mon Jan 1 00:00:00 1601 atime=Mon Jan 1 00:00:00 1601 length=0 window=hide"
- "CSUninstall.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows Nullsoft Installer self-extracting archive"
- "Help.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Archive ctime=Sat Oct 12 06:44:44 2019 mtime=Fri Jan 31 14:25:08 2020 atime=Fri Jan 31 14:25:10 2020 length=961513 window=hide"
- "CloneSpy.chm" has type "MS Windows HtmlHelp Data"
- "System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "Readme.txt" has type "ASCII text with CRLF line terminators"
- "nsk7D65.tmp" has type "data"
- "nsk6239.tmp" has type "ASCII text with CRLF line terminators"
- "modern-header.bmp" has type "PC bitmap Windows 3.x format 150 x 57 x 8"
- "modern-wizard.bmp" has type "PC bitmap Windows 3.x format 164 x 314 x 8"
- source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
- "cspy343.exe" touched file "C:\Windows\SysWOW64\oleaccrc.dll"
- "cspy343.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
- "cspy343.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
- "cspy343.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000019.db"
- "cspy343.exe" touched file "C:\Windows\SysWOW64\en-US\user32.dll.mui"
- "cspy343.exe" touched file "C:\Windows\SysWOW64\en-US\msctf.dll.mui"
- "cspy343.exe" touched file "C:\Windows\Fonts\StaticCache.dat"
- "cspy343.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
- "cspy343.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu"
- "cspy343.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
- "cspy343.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CloneSpy"
- "cspy343.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CloneSpy\Help.lnk"
- "cspy343.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CloneSpy\Uninstall.lnk"
- "cspy343.exe" touched file "C:\Windows\SysWOW64\en-US\ieframe.dll.mui"
- "cspy343.exe" touched file "C:\Windows\SysWOW64\ieframe.dll"
- "cspy343.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CloneSpy\Website.lnk"
- source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
- Pattern match: "http://nsis.sf.net/NSIS_Error"
- Heuristic match: "/>OW_Q{.Uy"
- Pattern match: "http://www.clonespy.com"
- Pattern match: "www.clonespy.info"
- Heuristic match: ",ZwO\c.bY"
- Pattern match: "www.clonespy.comopen"
- Pattern match: "Basics.htmJ/Html/CommandLine.htm/"
- Pattern match: "CSCExport.htmt/Html/CSCMerge.htmD/Html/CSCView.htmi/Html/History.htmK/Html/ImportantNote.htmu/Html/InsertMask.htmN"
- Pattern match: "OptDelMakeLinks.htmV/Html/OptDelMoveTo.htm*/Html/OptExportList.htm3E/Html/OptFileExclude.htm?/Html/OptFileExtAliases.htm=/Html/OptFileIgnLongPaths.htmGH/Html/OptFileRestrict.htm\,/Html/OptFolderHidden.htma^/Html/OptFolderIgnore.htmV/Html/OptFolderReparse.h"
- Pattern match: "OptPrioAudio.htmp/Html/OptPrioMainWndSize.htm"
- Pattern match: "OptTiSiTime.htmr/Html/OptTiSiZeroLen.htm?/Html/Overview.htmn/Html/PresentAllFiles.htmF/Html/PresentSingleFiles.htmR/Html/PresentZeroLenFiles.htmeV/Html/QuickStart.htmr/Html/ResultWindows.htmC/Html/SpecifyingPaths.htmT[/Html/Statistics.htm;R/Html/Support.ht"
- Pattern match: "InsertMaskWindow2.pngt/Images/MainActionFrame.pngO/Images/MainChecksumFrame.pngwz/Images/MainModeFrame.pngqz/Images/MainOnAutoDelFrame.pngQU/Images/MainPoolFrame.pngPt#/Images/MainPoolFrameLockButton.pngD,%/Images/MainPoolFrameUnlockButton.pngp/Images/Main"
- Pattern match: "OptLogEnableFrame.png/Images/OptLogFileFrame.pngG/Images/OptLogWindow2.pngs"
- Pattern match: "Statistics2.png/m/toc.hhc"
- Pattern match: "OptPageFiles.htmH/Html/OptPageFolders.htm|/Html/OptPageLogging.htmxD/Html/OptPageNames.htm"
- Pattern match: "P.KU/Vs"
- Pattern match: "Z.bd/']t2"
- Pattern match: "5Y.vhh/RE_^1DIcu*-"
- Pattern match: "x7jKD.Jh/\^s"
- Heuristic match: ";T{[?*t]=m.]g^8{/R4>ssdUwrRcpn)h$Xock}XAyHwN/GJ<o][Ca=(M>0w:3Z3XJ}'!k+wNcndvM3u}F<>Sv7sv1D%?Y~)^@RGtO().x/+T${N#gH'`Y__:G.MZ"
- Heuristic match: "I_#]Dd{m?WaTK\?ymV.eS"
- Heuristic match: "Z_^-.do"
- Pattern match: "7qUgL.Ap/`Axmyb{V]c~#qO86"
- Heuristic match: "\9-b3)'[D:eRm>ZuOiOUW.bw"
- Heuristic match: "Unknown error code %d: Please report this error code to technical@clonespy.com"
- Pattern match: "www.clonespy.com"
- Pattern match: "http://www.clonespy.info/iupdate/update_eng.txt"
- Pattern match: "http://www.clonespy.info/iupdate/latest_eng.txt"
- Pattern match: "http://www.clonespy.com/english/download/"
- source
- File/Memory
- relevance
- 10/10
-
System Security
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "cspy343.exe" opened "\Device\KsecDD"
- "notepad.exe" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
- "ShellExecAsUser.dll" was detected as "Microsoft visual C++ 6.0 DLL"
- "CloneSpy.exe" was detected as "VC8 -> Microsoft Corporation"
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1045
-
File Details
cspy343.exe
- Filename
- cspy343.exe
- Size
- 4.6MiB (4775004 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- Architecture
- WINDOWS
- SHA256
- 6f1c39f521d7ccdc2c0cfb8a69d456c57b6094e95afc9d9294d85f35eb116a45
- MD5
- f200bc324ae1c57ede1476aec22a9089
- SHA1
- 7e6e48325a7bda96245010811e65d93c25d4a3ad
- ssdeep
- 98304:1AU51fKxGATbAuGbA5E0BShw9jo76rFJiB0Cl3B9fJNL:6UDHbAa0n9U7aY0Cd7L
- imphash
- 57e98d9a5a72c8d7ad8fb7a6a58b3daf
- authentihash
- b38b73e63d055902431c24d4dd2b4d0fd1ccad36efa29a102edd67643ba15c24
Version Info
- LegalCopyright
- 2001 - 2019 Marcus Kleinehagenbrock
- InternalName
- CloneSpy
- FileVersion
- 3.43
- CompanyName
- Marcus Kleinehagenbrock
- WWW
- http://www.clonespy.com
- Comments
- Duplicate file removal tool
- ProductName
- CloneSpy
- ProductVersion
- 3.43
- FileDescription
- CloneSpy Installer
- OriginalFilename
- cspy343.exe
- Translation
- 0x0409 0x04e4
Classification (TrID)
- 64.5% (.EXE) Win32 Executable MS Visual C++ (generic)
- 13.6% (.DLL) Win32 Dynamic Link Library (generic)
- 9.3% (.EXE) Win32 Executable (generic)
- 4.1% (.EXE) OS/2 Executable (generic)
- 4.1% (.EXE) Generic Win/DOS Executable
File Metadata
- 1 .RES Files linked with CVTRES.EXE 5.00 (Visual Studio 5) (build: 1735)
- 10 .C Files compiled with CL.EXE (Visual Studio 6 Processor Pack) (build: 9044)
- 15 .LIB Files generated with LIB.EXE 7.10 (Visual Studio .NET 2003) (build: 4035)
- 2 .C Files compiled with CL.EXE 13.10 (Visual Studio .NET 2003) (build: 4035)
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
- cspy343.exe (PID: 3204), 2/69 AV detections
- notepad.exe %PROGRAMFILES%\(x86)\CloneSpy\Readme.txt (PID: 3512)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
www.clonespy.info | 85.13.134.227 (TTL: 7199) | Mesh Digital Limited (Name Server: NS2.NAMESPACE4YOU.DE; Creation Date: Wed, 07 May 2003 17:30:51 GMT) | Germany |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
85.13.134.227 | 80 TCP | clonespy.exe (PID: 2944) | Germany |
HTTP Traffic
Endpoint | Request | URL | Raw request |
---|---|---|---|
85.13.134.227:80 (www.clonespy.info) | GET | www.clonespy.info/iupdate/update_eng.txt | GET /iupdate/update_eng.txt HTTP/1.1; User-Agent: CloneSpy - Auto Update Check; Host: www.clonespy.info; Cache-Control: no-cache |
Memory Forensics
String | Context | Stream UID
---|---|---
http://nsis.sf.net/nsis_error | Domain/IP reference | 15415-74-00402DB3
Extracted Strings
Extracted Files
Displaying 17 extracted file(s). The remaining 1 file(s) are available in the full version and XML/JSON reports.
Malicious 1
ShellExecAsUser.dll
- Size
- 7KiB (7168 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "Malware.Generic" (1/68)
- Runtime Process
- cspy343.exe (PID: 3204)
- MD5
- 86a81b9ab7de83aa01024593a03d1872
- SHA1
- 8fd7c645e6e2cb1f1bcb97b3b5f85ce1660b66be
- SHA256
- 27d61cacd2995f498ba971b3b2c53330bc0e9900c9d23e57b2927aadfdee8115
Clean 4
CSUninstall.exe
- Size
- 66KiB (67673 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- AV Scan Result
- 0/71
- Runtime Process
- cspy343.exe (PID: 3204)
- MD5
- 54db18e00d12cfba4a0a2c73fc2f9638
- SHA1
- 39597644d04ac82e6b674dc4d984926ba16f1c3e
- SHA256
- 48c236404f978821a35a0f56a1a18e27523003be1ad954115ebb4a66f8901d17
System.dll
- Size
- 12KiB (11776 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/68
- Runtime Process
- cspy343.exe (PID: 3204)
- MD5
- fbe295e5a1acfbd0a6271898f885fe6a
- SHA1
- d6d205922e61635472efb13c2bb92c9ac6cb96da
- SHA256
- a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
UserInfo.dll
- Size
- 4KiB (4096 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/72
- Runtime Process
- cspy343.exe (PID: 3204)
- MD5
- 7836f464ae0102452e94a363b491b759
- SHA1
- 59909a48448b99e2eb9cd336d81d60764da59f31
- SHA256
- 11adf8916947b5a20a071b494fa034cf62769dcc6293a1340b29a5bb29ac8e87
nsDialogs.dll
- Size
- 9.5KiB (9728 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/69
- Runtime Process
- cspy343.exe (PID: 3204)
- MD5
- ab101f38562c8545a641e95172c354b4
- SHA1
- ec47ac5449f6ee4b14f6dd7ddde841a3e723e567
- SHA256
- 3cdf3e24c87666ed5c582b8b028c01ee6ac16d5a9b8d8d684ae67605376786ea
Informative Selection 1
Readme.txt
- Size
- 43KiB (44349 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- notepad.exe (PID: 3512)
- MD5
- 395e46f2c8dd56f3f96aa0396ff06e90
- SHA1
- 8c95fe951cbd8045335345ec3282f939b88240cb
- SHA256
- 641f3b8150bd162d7e67325187edd8f5b46168169335c411ae8aae10a8c32171
Informative 11
CloneSpy.lnk
- Size
- 1KiB (1043 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sat Oct 12 06:46:48 2019, mtime=Fri Jan 31 14:25:08 2020, atime=Fri Jan 31 14:25:10 2020, length=5467648, window=hide
- Runtime Process
- cspy343.exe (PID: 3204)
- MD5
- 8d0aa71d47b13a11a987e41e0b39aaeb
- SHA1
- af73bbbb7302b06a72dd5bd18a41f8d81bd922ea
- SHA256
- 7882cec202722fa2d2bb17d1d094ee636c857f945d8e9ced609f455d29210ce3
Help.lnk
- Size
- 1KiB (1043 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sat Oct 12 06:44:44 2019, mtime=Fri Jan 31 14:25:08 2020, atime=Fri Jan 31 14:25:10 2020, length=961513, window=hide
- Runtime Process
- cspy343.exe (PID: 3204)
- MD5
- 9c7e0579dd5b2af0ecf66aee099c53e2
- SHA1
- f37abf38f3ac95b369949ef2cc99f0a367ff94ad
- SHA256
- ece1bcc2b7aabafd0926b82b7f2d87068be972d907d0433f631a3efa48d917e2
Readme.lnk
- Size
- 1KiB (1031 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sat Oct 5 16:28:32 2019, mtime=Fri Jan 31 14:25:10 2020, atime=Fri Jan 31 14:25:12 2020, length=44582, window=hide
- Runtime Process
- cspy343.exe (PID: 3204)
- MD5
- 45fae7eb277e9210106956f5b255d68a
- SHA1
- e65ced33b04468c33a4cebbd6e5eb65ca09b6f88
- SHA256
- a84e07ee1c85fa5200bea3a3cae53915868012e0b88cbdcd17a7f6ae32e9cb8f
Uninstall.lnk
- Size
- 1KiB (1058 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Fri Jan 31 14:25:12 2020, mtime=Fri Jan 31 14:25:12 2020, atime=Fri Jan 31 14:25:12 2020, length=67673, window=hide
- Runtime Process
- cspy343.exe (PID: 3204)
- MD5
- ab66d852a4690b7cc14d3a9d5d4ece51
- SHA1
- 4ca6898c769a7f2590b8c23ddfdf5aff7abde261
- SHA256
- 9db51bbb42413ce3c7192fa4132afe88449c6a4779b6010ec99838a56a83fbf1
Website.lnk
- Size
- 268B (268 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Has Working directory, ctime=Mon Jan 1 00:00:00 1601, mtime=Mon Jan 1 00:00:00 1601, atime=Mon Jan 1 00:00:00 1601, length=0, window=hide
- Runtime Process
- cspy343.exe (PID: 3204)
- MD5
- 7e5e3488dc9fc6f3bc0ebfb02bf2d04b
- SHA1
- c54e03c624242ed8076b674ca202d6c97e8af950
- SHA256
- 7525247d861409700eb5b4f8c57638fa857e035a4180e121cc37a789c9a8717f
CloneSpy.chm
- Size
- 939KiB (961513 bytes)
- Type
- text mshelp
- Description
- MS Windows HtmlHelp Data
- Runtime Process
- cspy343.exe (PID: 3204)
- MD5
- 6cb1fd8d524be5d5910e3a0cf83c2674
- SHA1
- 08d5674f528796fcce10de58e25dcdd75a74d967
- SHA256
- 4479a6caae1acfd8ab3be35d4d1265a9b9ef356e5b80b252aa8f481cb58ff0af
CloneSpy.exe
- Size
- 5MiB (5226496 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Runtime Process
- cspy343.exe (PID: 3204)
- MD5
- 57be9d1524d6118f8c88fba9bd062726
- SHA1
- 5c3efd39007a793e69f4d9cc5b583a42a05ff0f1
- SHA256
- d1a11bf96f026066f852d85fd6905d19b7e2d83559a99f43e2e9eb2c564cd41b
modern-header.bmp
- Size
- 9.5KiB (9742 bytes)
- Type
- unknown
- Description
- PC bitmap, Windows 3.x format, 150 x 57 x 8
- Runtime Process
- cspy343.exe (PID: 3204)
- MD5
- 732bedf95585dfc1023573f0fa4f6e60
- SHA1
- 59600621a925c1f0812b8a96e0e489ed05c67b15
- SHA256
- 670abb7576d8a890a7d4b480fa2f26fabacd873e11da23c5d4d55720e0791dc6
modern-wizard.bmp
- Size
- 51KiB (52574 bytes)
- Type
- unknown
- Description
- PC bitmap, Windows 3.x format, 164 x 314 x 8
- Runtime Process
- cspy343.exe (PID: 3204)
- MD5
- 6ee89c3a81f6498bf40ebcd6cbb709bf
- SHA1
- fe9b0ca29d346c7f86babf8cf20b871caa23f9c8
- SHA256
- bb7b5fe94607e65dd6e5e066051288e4cd7b87cdb52fa25be69bec4990f549be
nsk7D65.tmp
- Size
- 5MiB (5229491 bytes)
- Type
- rtf
- Description
- data
- Runtime Process
- cspy343.exe (PID: 3204)
- MD5
- ab72da9be1da32d949f04a334726babb
- SHA1
- 1c7b6ae85ef21d61bd65ac28fd83a7aa5ddcdbce
- SHA256
- e417ae99c154951b45f583864e6c9a037f763ccd9498864f29e4c94cd220fc6b
nsk6239.tmp
- Size
- 44KiB (44582 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- cspy343.exe (PID: 3204)
- MD5
- 9904d3f19a1668fd7536a3043681eeee
- SHA1
- e73ce57c5d1411ba8b4fef4c1523f502a5eec6b1
- SHA256
- 8e731cab878b4cea6d4aaf9f1432b52595a812c3ff52df2c153d04189f2a5c63
Notifications
Runtime
- Not all Falcon MalQuery lookups completed in time
- Not all sources for indicator ID "api-4" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "string-63" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report