PretonSaverHomeEdition64.exe
This report is generated from a file or URL submitted to this webservice on January 3rd 2018 08:10:59 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v7.20 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access: Reads terminal service related keys (often RDP related)
- Spyware: Accesses potentially sensitive information from local browsers
- Persistence: Writes data to a remote process
- Fingerprint: Reads the active computer name; Reads the cryptographic machine GUID
- Evasive: Possibly checks for the presence of an Antivirus engine
- Spreading: Opens the MountPointManager (often used to detect additional infection locations); Tries to access unusual system drive letters
- Network Behavior: Contacts 1 domain and 1 host
Reading note: the PDB paths under C:\CodeBases\isdev (setupPreReqW.pdb, ISBEW64.pdb), the _is*.tmp, _MSI*._IS and _ISMSIDEL.INI temporary files, and the hand-off to msiexec.exe identify the sample as an InstallShield setup bootstrapper for a Windows Installer package. Several of the flagged behaviours (drive-letter enumeration, reboot capability, temp-file cleanup, OS-version checks) are what such a bootstrapper does in normal operation; weigh the indicators below against that.
Indicators
Not all malicious and suspicious indicators are displayed in this public report.
-
Malicious Indicators 5
-
Anti-Detection/Stealthiness
-
Modifies file/console tracing settings (often used to hide footprints on system)
- details
-
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\TRACING\RASAPI32"; Key: "ENABLEFILETRACING"; Value: "00000000")
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\TRACING\RASAPI32"; Key: "ENABLECONSOLETRACING"; Value: "00000000")
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\TRACING\RASAPI32"; Key: "FILETRACINGMASK"; Value: "0000FFFF")
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\TRACING\RASAPI32"; Key: "CONSOLETRACINGMASK"; Value: "0000FFFF")
Note: the values written are the RAS tracing component's standard defaults (tracing disabled, default trace mask), which are commonly written when a process initialises RAS tracing, for example by loading rasapi32.dll through WinINet. Nothing here shows tracing that was previously enabled being switched off; treat this as weak evidence unless the values differ from the defaults.
- source
- Registry Access
- relevance
- 5/10
-
External Systems
-
Sample was identified as malicious by at least one Antivirus engine
- details
- 1/9 Antivirus vendors marked sample as malicious (11% detection rate)
Note: this 9-engine result and the 0/64 result listed under Informative come from different external engine sets. A single hit out of nine, with zero out of 64 elsewhere, is weak evidence of malice on its own; identify the one engine and its verdict name before giving it weight.
- source
- External System
- relevance
- 8/10
-
Installation/Persistence
-
Writes data to a remote process
- details
-
"<Input Sample>" wrote 1500 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 1056)
"<Input Sample>" wrote 4 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 1056)
"<Input Sample>" wrote 32 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 1056)
"<Input Sample>" wrote 52 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 1056)
Note: the target is msiexec.exe, the Windows Installer process this bootstrapper hands the package to, and the four writes (4 to 1500 bytes through one handle) are small. Together with the imported OpenProcess, WriteProcessMemory, VirtualProtectEx and GetThreadContext this deserves a closer look at what was written and at which address, but the report shows neither the written data nor a thread being started, so it is not by itself evidence of code injection.
- source
- API Call
- relevance
- 6/10
-
Unusual Characteristics
-
Contains ability to reboot/shutdown the operating system
- details
- ExitWindowsEx@USER32.DLL from 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
Note: this is a reference to ExitWindowsEx in the process's code, not an observed shutdown; setup bootstrappers carry it to offer a reboot when a prerequisite requires one.
- source
- Hybrid Analysis Technology
- relevance
- 5/10
-
Tries to access unusual system drive letters
- details
-
"msiexec.exe" touched "K:"
"msiexec.exe" touched "L:"
"msiexec.exe" touched "M:"
"msiexec.exe" touched "N:"
"msiexec.exe" touched "O:"
"msiexec.exe" touched "P:"
"msiexec.exe" touched "Q:"
"msiexec.exe" touched "R:"
"msiexec.exe" touched "S:"
"msiexec.exe" touched "T:"
"msiexec.exe" touched "U:"
"msiexec.exe" touched "V:"
"msiexec.exe" touched "W:"
Note: the process probing K: through W: is msiexec.exe, the Windows Installer service process, not the sample itself, and touching every letter in sequence is the pattern of a volume-enumeration loop such as the one Windows Installer runs to cost disk space across volumes. It is not evidence of spreading to removable or network drives.
- source
- API Call
- relevance
- 9/10
-
Suspicious Indicators 27
-
Anti-Reverse Engineering
-
PE file has unusual entropy sections
- details
- .rsrc with unusual entropies 7.42952672271
Note: 7.43 bits per byte means the resource section holds compressed or encrypted data. For a bootstrapper that carries its payload as a resource (FindResourceW and LoadResource are imported and called, see General below) that is expected, and it is not on its own a packer or obfuscation signature.
- source
- Static Parser
- relevance
- 10/10
-
Cryptographic Related
-
Found a cryptographic related string
- details
- "DES" (Indicator: "des"; File: "76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe.bin")
Note: the match is the case-insensitive substring "des", which also hits ordinary words ("description", "desktop"); the report shows no DES API use or S-box constants to support actual DES usage, so the 10/10 relevance is not earned.
- source
- File/Memory
- relevance
- 10/10
-
Environment Awareness
-
Reads the active computer name
- details
-
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source
- Registry Access
- relevance
- 5/10
-
Reads the cryptographic machine GUID
- details
-
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
Note: MachineGuid is a stock per-host identifier read by licensing and installation code, and the report shows msiexec.exe reading it as well; on its own it is weak evidence of sandbox fingerprinting.
- source
- Registry Access
- relevance
- 10/10
-
General
-
Contains ability to find and load resources of a specific module
- details
-
FindResourceW@KERNEL32.dll
LoadResource@KERNEL32.dll
FindResourceW@KERNEL32.DLL from 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
LoadResource@KERNEL32.DLL from 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Reads configuration files
- details
-
"<Input Sample>" read file "%TEMP%\{D47BF427-844E-4C23-B27A-078096B19810}\Setup.INI"
"<Input Sample>" read file "%TEMP%\{D47BF427-844E-4C23-B27A-078096B19810}\_ISMSIDEL.INI"
- source
- API Call
- relevance
- 4/10
-
Network Related
-
Found potential IP address in binary/memory
- details
-
"1.0.3.7"
"4.05.0.0"
"2.9.0.0"
"2.5.4.3"
"2.5.4.11"
"2.5.4.10"
Heuristic match: "ScriptVer=1.0.0.1"
Heuristic match: "ProductVersion=1.0.3.7"
Note: none of these is an IP address. 2.5.4.3, 2.5.4.10 and 2.5.4.11 are the X.500 attribute OIDs commonName, organizationName and organizationalUnitName, present in any binary that handles X.509 certificates; 1.0.3.7 is the product version (see the ProductVersion match); 4.05.0.0 has a leading-zero octet no IPv4 address has; and 2.9.0.0 has the major.minor.0.0 shape of a version resource. The only real network endpoint in this report is 174.129.237.94 under Informative.
- source
- File/Memory
- relevance
- 3/10
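The classifier below is an added example, not code from the sandbox report or from the analysed product. It takes the "potential IP address" detail lines in the format shown above (bare quoted strings, plus `Heuristic match: "Key=value"` lines that give context) and separates real IPv4 candidates from X.500/PKCS OIDs, version strings and syntactically impossible dotted quads. The candidate strings are copied from this report and embedded as constructed input; the OID arc table and the ".0.0 means low confidence" heuristic are this example's own assumptions.

```python
"""Classify the "potential IP address" strings a strings sweep produces.

Added example, not part of the sandbox report.  SAMPLE_LINES are copies of
this report's detail lines, constructed here as input; OID_ARCS lists
standard X.500 / X.509 / PKCS / IANA prefixes that look like dotted quads
when a sweep runs over ASN.1 data in a binary.
"""
import ipaddress
import re
from typing import Dict, List

OID_ARCS = {
    "2.5.4.": "X.500 attribute type (id-at; .3 commonName, .10 organizationName, .11 organizationalUnitName)",
    "2.5.29.": "X.509 certificate extension (id-ce)",
    "1.2.840.113549.": "PKCS (RSA Data Security)",
    "1.3.6.1.": "IANA internet arc",
}
VERSION_KEY_HINTS = ("version", "ver", "build")
CANDIDATE_RE = re.compile(r'^(?:Heuristic match: )?"([^"]+)"$')

SAMPLE_LINES = [  # constructed from this report's detail lines
    '"1.0.3.7"', '"4.05.0.0"', '"2.9.0.0"', '"2.5.4.3"', '"2.5.4.11"', '"2.5.4.10"',
    'Heuristic match: "ScriptVer=1.0.0.1"',
    'Heuristic match: "ProductVersion=1.0.3.7"',
]


def is_dotted_quad(s: str) -> bool:
    """Strict IPv4 syntax: four decimal octets 0-255 with no leading zeros."""
    parts = s.split(".")
    if len(parts) != 4:
        return False
    return all(p.isdigit() and (len(p) == 1 or p[0] != "0") and int(p) <= 255 for p in parts)


def classify(candidate: str, context: str = "") -> str:
    """Return oid, version, not-an-ip, ip-nonroutable, low-confidence or ip."""
    if any(candidate.startswith(arc) for arc in OID_ARCS):
        return "oid"
    if context and candidate in context:
        key = context.split("=", 1)[0].lower()       # e.g. "productversion"
        if any(hint in key for hint in VERSION_KEY_HINTS):
            return "version"
    if not is_dotted_quad(candidate):
        return "not-an-ip"
    addr = ipaddress.IPv4Address(candidate)
    if (addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_multicast
            or addr.is_reserved or addr.is_unspecified):
        return "ip-nonroutable"
    if candidate.endswith(".0.0"):
        # Network address of any /16 and the usual shape of a major.minor.0.0
        # version resource: demote rather than accept or drop.
        return "low-confidence"
    return "ip"


def triage_candidates(lines: List[str]) -> Dict[str, str]:
    """Classify each bare candidate, using any Key=value heuristic match that
    contains the same string as its context."""
    contexts: Dict[str, str] = {}
    plain: List[str] = []
    for line in lines:
        m = CANDIDATE_RE.match(line.strip())
        if not m:
            continue
        text = m.group(1)
        if "=" in text:
            contexts[text.split("=", 1)[1]] = text
        else:
            plain.append(text)
    return {c: classify(c, contexts.get(c, "")) for c in plain}


if __name__ == "__main__":
    for cand, label in triage_candidates(SAMPLE_LINES).items():
        print(f"{cand:16} {label}")
```

Without its ProductVersion context "1.0.3.7" classifies as a plain IP, which is exactly the sweep's problem: the bare string is indistinguishable from an address, so the heuristic-match lines are the part of the indicator worth reading.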
-
Remote Access Related
-
Reads terminal service related keys (often RDP related)
- details
- "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
Note: a single read of TSUserEnabled with no write to Terminal Server configuration; this is host fingerprinting (is this a terminal server?), not RDP tampering, and the 10/10 relevance overstates it.
- source
- Registry Access
- relevance
- 10/10
-
Spyware/Information Retrieval
-
Accesses potentially sensitive information from local browsers
- details
-
"<Input Sample>" had access to "%APPDATA%\Microsoft\Windows\Cookies\index.dat" (Type: "FileHandle")
"<Input Sample>" had access to "%APPDATA%\Microsoft\Windows\IETldCache\index.dat" (Type: "FileHandle")
Note: both files are WinINet's own index files (cookie index and top-level-domain cache), which any process that issues HTTP requests through WinINet opens as a side effect; this sample does so to reach www.preton.com. The report records that a handle existed, not that cookie contents were read or sent anywhere.
- source
- Touched Handle
- relevance
- 7/10
-
System Destruction
-
Marks file for deletion
- details
-
"C:\76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe" marked "%TEMP%\_MSI5166._IS" for deletion
"C:\76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\_is6395.tmp" for deletion
"C:\76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\_is63DC.tmp" for deletion
"C:\76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\_is63F1.tmp" for deletion
"C:\76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\_is6406.tmp" for deletion
"C:\76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\_is6425.tmp" for deletion
"C:\76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\_is643A.tmp" for deletion
"C:\76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\_is644F.tmp" for deletion
"C:\76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\_is6464.tmp" for deletion
"C:\76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\_is64B6.tmp" for deletion
"C:\76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\~64B5.tmp" for deletion
"C:\76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\_is64D5.tmp" for deletion
"C:\76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\_is64EA.tmp" for deletion
"C:\76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\_is655A.tmp" for deletion
"C:\76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\~6559.tmp" for deletion
"C:\76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\_is657A.tmp" for deletion
"C:\76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\~6579.tmp" for deletion
"C:\76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe" marked "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KNHT6272\indexv2[1].php" for deletion
"C:\76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe" marked "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KNHT6272\k[1].htm" for deletion
"C:\76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe" marked "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BPL0BFI3\meversion[1]" for deletion
Note: every path is either one of the bootstrapper's own temporary files (_MSI5166._IS, _is*.tmp, ~*.tmp) or a WinINet cache entry for content the sample apparently fetched over HTTP itself (indexv2[1].php, k[1].htm, meversion[1]). This is self-cleanup, not destruction of user data, and the 10/10 relevance does not reflect that.
- source
- API Call
- relevance
- 10/10
-
Opens file with deletion access rights
- details
-
"<Input Sample>" opened "%TEMP%\_MSI5166._IS" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\_is6395.tmp" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\_is63DC.tmp" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\_is63F1.tmp" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\_is6406.tmp" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\_is6425.tmp" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\_is643A.tmp" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\_is644F.tmp" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\_is6464.tmp" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\_is64B6.tmp" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\~64B5.tmp" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\_is64D5.tmp" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\_is64EA.tmp" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\_is655A.tmp" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\~6559.tmp" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\_is657A.tmp" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\~6579.tmp" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KNHT6272\indexv2[1].php" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KNHT6272\k[1].htm" with delete access
"<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BPL0BFI3\meversion[1]" with delete access
Note: the same file set as the previous indicator; opening with DELETE access is the mechanism behind DeleteFileW and delete-on-close temporary files, so this adds no signal beyond the deletions already listed.
- source
- API Call
- relevance
- 7/10
-
System Security
-
Contains ability to elevate privileges
- details
- SetSecurityDescriptorDacl@ADVAPI32.DLL from 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
Note: SetSecurityDescriptorDacl only writes a DACL into a security descriptor the caller builds, typically to create an object with a permissive ACL; it grants no privilege and elevates nothing. The suspicious-API import list below includes OpenProcessToken but no AdjustTokenPrivileges, so the "elevate privileges" label is not supported by what the report shows.
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Modifies Software Policy Settings
- details
-
"<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
"<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
"<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
"<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
Note: only CREATE access is recorded and no values are written. Creating this fixed set of Policies\Microsoft\SystemCertificates subkeys (CA, Disallowed and Root, each with Certificates, CRLs and CTLs) is what CryptoAPI does when it opens the group-policy-backed certificate stores during chain validation, for example on an HTTPS connection. Trust-store tampering would show up as BLOB values written under ROOT\CERTIFICATES; there are none here.
- source
- Registry Access
- relevance
- 10/10
-
Modifies proxy settings
- details
-
"<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"<Input Sample>" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
"<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
"<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
Note: unlike most registry indicators in this report these are writes: PROXYENABLE is set to 0 and PROXYSERVER, PROXYOVERRIDE and PROXYBYPASS are deleted, which removes any user-configured WinINet proxy for the current user. Whatever the intent, on a host that reaches the internet through a proxy this is a side effect to verify after installation.
- source
- Registry Access
- relevance
- 10/10
-
Queries sensitive IE security settings
- details
- "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
Note: a read only; no write to this value is shown.
- source
- Registry Access
- relevance
- 8/10
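The script below is an added example, not code from the sandbox report or from the analysed product. It parses registry-access detail lines in the format this report uses (a quoted process name followed by `Field: "value"` pairs in parentheses) into structured events and applies triage rules to the tracing, proxy, certificate-policy and MachineGuid entries shown above, separating default-value key creation from deliberate reconfiguration and flagging HKLM writes that need administrative rights. The sample lines are copies of lines from this report, constructed here as test input; the TRACING_DEFAULTS table and the rule verdicts are this example's assumptions.

```python
"""Normalise registry-access detail lines in the format this report uses
and apply triage rules to them.

Added example, not code from the sandbox report or from the analysed
product.  SAMPLE_LINES are copies of detail lines from this report,
constructed here as test input; TRACING_DEFAULTS and the rule verdicts are
this example's assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LINE_RE = re.compile(r'^"(?P<proc>[^"]+)"\s+\((?P<body>.*)\)$')
FIELD_RE = re.compile(r'(Access type|Path|Key|Value): "([^"]*)"')

# Values the RAS tracing component writes when it creates its key (tracing
# off, default mask), as assumed for this example; anything else means
# tracing was deliberately reconfigured.
TRACING_DEFAULTS = {
    "ENABLEFILETRACING": "00000000", "ENABLECONSOLETRACING": "00000000",
    "FILETRACINGMASK": "0000FFFF", "CONSOLETRACINGMASK": "0000FFFF",
}

SAMPLE_LINES = [  # constructed from this report's detail lines
    r'"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\TRACING\RASAPI32"; Key: "ENABLEFILETRACING"; Value: "00000000")',
    r'"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\TRACING\RASAPI32"; Key: "FILETRACINGMASK"; Value: "0000FFFF")',
    r'"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")',
    r'"<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")',
    r'"<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")',
    r'"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")',
]


@dataclass
class RegEvent:
    process: str
    access: str            # CREATE, SETVAL, DELETEVAL or READ
    path: str              # upper-cased, as the report prints it
    key: str
    value: Optional[str]

    @property
    def is_write(self) -> bool:
        return self.access in ("CREATE", "SETVAL", "DELETEVAL")


def parse_line(line: str) -> Optional[RegEvent]:
    """One detail line -> RegEvent, or None if the line is not in that format.

    The report lists value writes under "Modifies ..." headings without an
    Access type, so a line with a Value but no Access type is a SETVAL; a
    line with neither is a read.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("body")))
    if "Path" not in fields:
        return None
    access = fields.get("Access type") or ("SETVAL" if "Value" in fields else "READ")
    return RegEvent(m.group("proc"), access.upper(), fields["Path"].upper(),
                    fields.get("Key", "").upper(), fields.get("Value"))


def triage(events: List[RegEvent]) -> List[Tuple[str, str, str]]:
    """Return (rule, subject, verdict) triples for events that match a rule."""
    findings = []
    for e in events:
        if e.is_write and e.path.startswith("HKLM\\"):
            findings.append(("hklm-write", e.key or e.path.rsplit("\\", 1)[-1],
                             "machine-wide change; needs administrative rights"))
        if "\\TRACING\\" in e.path and e.access == "SETVAL":
            if TRACING_DEFAULTS.get(e.key) == e.value:
                verdict = "default value; consistent with key creation on DLL load"
            else:
                verdict = "non-default value; tracing deliberately reconfigured"
            findings.append(("tracing-write", e.key, verdict))
        elif "\\INTERNET SETTINGS" in e.path and e.key.startswith("PROXY") and e.is_write:
            findings.append(("proxy-change", e.key, f"{e.access} alters the user proxy configuration"))
        elif "\\POLICIES\\MICROSOFT\\SYSTEMCERTIFICATES\\" in e.path:
            if e.access == "CREATE" and e.value is None:
                verdict = "empty policy store subkey created; no certificate data written"
            elif e.is_write:
                verdict = "value written in a policy certificate store; inspect for BLOB entries"
            else:
                verdict = "policy certificate store read"
            findings.append(("cert-policy", e.path.rsplit("\\", 1)[-1], verdict))
        elif e.key == "MACHINEGUID":
            findings.append(("host-fingerprint", e.process,
                             "MachineGuid read; a common licensing identifier, weak on its own"))
    return findings


def triage_report(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Parse every line that is a registry detail line and triage the result."""
    events = [ev for ev in (parse_line(l) for l in lines) if ev is not None]
    return triage(events)


if __name__ == "__main__":
    for rule, subject, verdict in triage_report(SAMPLE_LINES):
        print(f"{rule:16} {subject:24} {verdict}")
```

The point of the tracing rule is the one this report's indicator misses: a write of the default value to a freshly created key looks identical to a write that disables tracing unless the value is compared against the defaults.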
-
Unusual Characteristics
-
Imports suspicious APIs
- details
-
RegCreateKeyExW
RegCloseKey
RegCreateKeyW
RegEnumKeyW
RegDeleteKeyW
SetSecurityDescriptorDacl
OpenProcessToken
RegOpenKeyExW
RegOpenKeyW
RegOpenKeyExA
RegEnumKeyExW
RegDeleteValueW
GetDriveTypeW
GetFileAttributesW
UnhandledExceptionFilter
LoadLibraryExW
GetThreadContext
FindResourceExW
CopyFileW
WriteProcessMemory
GetModuleFileNameW
GetVersionExA
GetModuleFileNameA
CreateThread
ExitThread
TerminateProcess
LoadLibraryW
GetVersionExW
GetTickCount
VirtualProtect
LoadLibraryA
GetStartupInfoA
GetFileSize
OpenProcess
GetStartupInfoW
CreateDirectoryW
DeleteFileW
VirtualProtectEx
GetTempFileNameW
CreateFileMappingW
WriteFile
FindNextFileW
FindFirstFileW
GetProcAddress
CreateFileW
CreateFileA
FindResourceW
LockResource
GetCommandLineW
GetCommandLineA
MapViewOfFile
GetModuleHandleA
GetModuleHandleW
GetTempPathW
CreateProcessW
Sleep
VirtualAlloc
ShellExecuteW
ShellExecuteExW
FindWindowW
FindWindowExW
Note: most of this list is what a setup bootstrapper needs (registry create/enumerate/delete, temporary files, CreateProcessW and ShellExecuteExW, GetDriveTypeW, resource loading). The combination that deserves attention is OpenProcess, WriteProcessMemory, VirtualProtectEx and GetThreadContext, which together give cross-process memory modification and matches the observed writes to msiexec.exe; an import list shows capability, not intent.
- source
- Static Parser
- relevance
- 1/10
-
Reads information about supported languages
- details
-
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
-
10 further suspicious indicators are not shown in this public report.
-
Informative 28
-
Environment Awareness
-
Contains ability to query machine time
- details
-
GetLocalTime@KERNEL32.dll
GetSystemTimeAsFileTime@KERNEL32.dll
GetSystemTimeAsFileTime@KERNEL32.DLL from 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
GetLocalTime@KERNEL32.DLL from 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the machine timezone
- details
-
GetTimeZoneInformation@KERNEL32.dll
GetTimeZoneInformation@KERNEL32.DLL from 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the machine version
- details
-
GetVersion@KERNEL32.dll
GetVersionExW@KERNEL32.dll
GetVersionExA@KERNEL32.dll
GetVersion@KERNEL32.DLL from 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
GetVersionExW@KERNEL32.DLL from 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the system locale
- details
-
EnumSystemLocalesA@KERNEL32.dll
GetUserDefaultLCID@KERNEL32.dll
EnumSystemLocalesA@KERNEL32.DLL from 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
GetUserDefaultLCID@KERNEL32.DLL from 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query volume size
- details
- GetDiskFreeSpaceExW@KERNELBASE.DLL from 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
- source
- Hybrid Analysis Technology
- relevance
- 3/10
-
Makes a code branch decision directly after an API that is environment aware
- details
-
Found API call GetVersion@KERNEL32.dll (Target: "76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe.bin"; Stream UID: "12127-3183-0045FA65")
which is directly followed by "cmp eax, 80000000h" and "jbe 00460031h". See related instructions: "...+1372 call dword ptr [0047E184h] ;GetVersion+1378 cmp eax, 80000000h+1383 jbe 00460031h" ...
Found API call GetVersion@KERNEL32.dll (Target: "76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe.bin"; Stream UID: "12127-4529-00463E07")
which is directly followed by "cmp eax, 80000000h" and "jbe 00463E17h". See related instructions: "...+0 call dword ptr [0047E184h] ;GetVersion+6 cmp eax, 80000000h+11 jbe 00463E17h" ...
Found API call GetVersionExW@KERNEL32.dll (Target: "76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe.bin"; Stream UID: "12127-2922-004586A2")
which is directly followed by "cmp dword ptr [ebp-00000104h], 01h" and "jne 0045871Dh". See related instructions: "...+0 push ebp+1 mov ebp, esp+3 sub esp, 00000114h+9 mov eax, dword ptr [ebp+08h]+12 push esi+13 mov esi, dword ptr [ebp+0Ch]+16 mov dword ptr [ebp-00000114h], 00000114h+26 and dword ptr [eax], 00000000h+29 lea eax, dword ptr [ebp-00000114h]+35 and dword ptr [esi], 00000000h+38 push eax+39 call dword ptr [0047E120h] ;GetVersionExW+45 cmp dword ptr [ebp-00000104h], 01h+52 jne 0045871Dh" ...
Found API call GetVersion@KERNEL32.dll (Target: "76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe.bin"; Stream UID: "12127-4702-00463DEB")
which is directly followed by "cmp eax, 80000000h" and "jbe 00463DFBh". See related instructions: "...+0 call dword ptr [0047E184h] ;GetVersion+6 cmp eax, 80000000h+11 jbe 00463DFBh" ...
Found API call GetSystemTimeAsFileTime@KERNEL32.DLL (Target: "76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe"; Stream UID: "00015406-00000952-23872-217-0041F997")
which is directly followed by "cmp eax, esi" and "jne 00420367h". See related instructions: "...+2482 call 00425900h+2487 lea eax, dword ptr [ebp-000000CCh]+2493 push eax+2494 call dword ptr [0047E168h] ;GetSystemTimeAsFileTime+2500 mov eax, dword ptr [ebp-000000BCh]+2506 cmp eax, esi+2508 jne 00420367h" ... from 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
Found API call GetVersionExW@KERNEL32.DLL (Target: "76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe"; Stream UID: "00015406-00000952-23872-814-004213B5")
which is directly followed by "cmp word ptr [ebp-00000124h], 0001h" and "jnc 004216ECh". See related instructions: "...+187 lea eax, dword ptr [ebp-00000238h]+193 mov dword ptr [ebp-00000238h], 0000011Ch+203 push eax+204 call dword ptr [0047E120h] ;GetVersionExW+210 cmp word ptr [ebp-00000124h], 0001h+218 jnc 004216ECh" ... from 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
Found API call GetVersion@KERNEL32.DLL (Target: "76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe"; Stream UID: "00015406-00000952-23872-904-00463DCF")
which is directly followed by "cmp eax, 80000000h" and "jbe 00463DDFh". See related instructions: "...+0 call dword ptr [0047E184h] ;GetVersion+6 cmp eax, 80000000h+11 jbe 00463DDFh" ... from 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
Found API call GetVersionExW@KERNEL32.DLL (Target: "76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe"; Stream UID: "00015406-00000952-23872-825-004421C2")
which is directly followed by "cmp dword ptr [ebp-00000104h], 01h" and "ret ". See related instructions: "...+0 push ebp+1 mov ebp, esp+3 sub esp, 00000114h+9 lea eax, dword ptr [ebp-00000114h]+15 mov dword ptr [ebp-00000114h], 00000114h+25 push eax+26 call dword ptr [0047E120h] ;GetVersionExW+32 xor eax, eax+34 cmp dword ptr [ebp-00000104h], 01h+41 sete al+44 leave +45 ret " ... from 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
Found API call GetVersionExW@KERNEL32.DLL (Target: "76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe"; Stream UID: "00015406-00000952-23872-524-004421F0")
which is directly followed by "cmp dword ptr [ebp-00000104h], 02h" and "ret ". See related instructions: "...+0 push ebp+1 mov ebp, esp+3 sub esp, 00000114h+9 lea eax, dword ptr [ebp-00000114h]+15 mov dword ptr [ebp-00000114h], 00000114h+25 push eax+26 call dword ptr [0047E120h] ;GetVersionExW+32 xor eax, eax+34 cmp dword ptr [ebp-00000104h], 02h+41 sete al+44 leave +45 ret " ... from 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
Found API call GetVersionExW@KERNEL32.DLL (Target: "76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe"; Stream UID: "00015406-00000952-23872-828-0041B227")
which is directly followed by "cmp dword ptr [ebp-00000210h], 05h" and "jne 0041B3ECh". See related instructions: "...+5 call 004461A8h+10 sub esp, 00000208h+16 push ebx+17 push esi+18 lea eax, dword ptr [ebp-00000214h]+24 push edi+25 mov dword ptr [ebp-20h], ecx+28 push eax+29 mov dword ptr [ebp-00000214h], 0000011Ch+39 call dword ptr [0047E120h] ;GetVersionExW+45 cmp dword ptr [ebp-00000210h], 05h+52 jne 0041B3ECh" ... from 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
Found API call GetVersion@KERNEL32.DLL (Target: "76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe"; Stream UID: "00015406-00000952-23872-1014-00430364")
which is directly followed by "cmp ecx, eax" and "ret ". See related instructions: "...+0 call dword ptr [0047E184h] ;GetVersion+6 mov ecx, 80000000h+11 cmp ecx, eax+13 sbb eax, eax+15 neg eax+17 ret " ... from 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
Found API call GetVersion@KERNEL32.DLL (Target: "76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe"; Stream UID: "00015406-00000952-23872-2070-0045FA65")
which is directly followed by "cmp eax, 80000000h" and "jbe 00460031h". See related instructions: "...+1372 call dword ptr [0047E184h] ;GetVersion+1378 cmp eax, 80000000h+1383 jbe 00460031h" ... from 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
Found API call GetVersionExW@KERNEL32.DLL (Target: "76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe"; Stream UID: "00015406-00000952-23872-1809-004586A2")
which is directly followed by "cmp dword ptr [ebp-00000104h], 01h" and "jne 0045871Dh". See related instructions: "...+0 push ebp+1 mov ebp, esp+3 sub esp, 00000114h+9 mov eax, dword ptr [ebp+08h]+12 push esi+13 mov esi, dword ptr [ebp+0Ch]+16 mov dword ptr [ebp-00000114h], 00000114h+26 and dword ptr [eax], 00000000h+29 lea eax, dword ptr [ebp-00000114h]+35 and dword ptr [esi], 00000000h+38 push eax+39 call dword ptr [0047E120h] ;GetVersionExW+45 cmp dword ptr [ebp-00000104h], 01h+52 jne 0045871Dh" ... from 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
Found API call GetVersion@KERNEL32.DLL (Target: "76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe"; Stream UID: "00015406-00000952-23872-3361-00463DEB")
which is directly followed by "cmp eax, 80000000h" and "jbe 00463DFBh". See related instructions: "...+0 call dword ptr [0047E184h] ;GetVersion+6 cmp eax, 80000000h+11 jbe 00463DFBh" ... from 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
Note: decoded, these are ordinary OS-version checks, not sandbox detection. "cmp eax, 80000000h / jbe" after GetVersion tests bit 31 of the return value, which is clear on Windows NT and set on Win32s and Windows 9x (the "mov ecx, 80000000h / cmp ecx, eax / sbb / neg" variant returns the same test as a boolean). In the GetVersionExW cases the OSVERSIONINFOEXW structure (size 114h or 11Ch is stored in its first dword) sits at ebp-114h, ebp-214h or ebp-238h, so [ebp-104h] is dwPlatformId at offset 10h compared with 1 (VER_PLATFORM_WIN32_WINDOWS) or 2 (VER_PLATFORM_WIN32_NT), [ebp-210h] is dwMajorVersion at offset 4 compared with 5, and the word at [ebp-124h] is wServicePackMajor at offset 114h compared with 1 (jnc is an unsigned >= test). The GetSystemTimeAsFileTime case writes its FILETIME to [ebp-0CCh] but compares [ebp-0BCh], 16 bytes past the 8-byte result, with esi, so that branch does not depend on the time value at all.
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Queries volume information
- details
- "msiexec.exe" queries volume information of "C:\" at 00018795-00003600-0000010C-51956390
- source
- API Call
- relevance
- 2/10
-
Queries volume information of an entire harddrive
- details
- "msiexec.exe" queries volume information of "C:\" at 00018795-00003600-0000010C-51956390
- source
- API Call
- relevance
- 8/10
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
- 0/64 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
General
-
Accesses Software Policy Settings
- details
-
"<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "")
- source
- Registry Access
- relevance
- 10/10
-
Accesses System Certificates Settings
- details
-
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "BLOB")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA"; Key: "BLOB")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\109F1CAED645BB78B3EA2B94C0697C740733031C"; Key: "BLOB")
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\D559A586669B08F46A30A133F8A9ED3D038E2EA8"; Key: "BLOB")
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FEE449EE0E3965A5246F000E87FDE2A065FD89D4"; Key: "BLOB")
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS\A377D1B1C0538833035211F4083D00FECC414DAB"; Key: "BLOB")
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "") - source
- Registry Access
- relevance
- 10/10
-
Contacts domains
- details
- "www.preton.com"
- source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
- "174.129.237.94:80"
- source
- Network Traffic
- relevance
- 1/10
-
Contains PDB pathways
- details
-
"C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup___Win32_Release_Prerequisites_Unicode\setupPreReqW.pdb"
"C:\CodeBases\isdev\Redist\Language Independent\x64\ISBEW64.pdb"
- File/Memory
- relevance
- 1/10
-
Creates a writable file in a temporary directory
- details
-
"<Input Sample>" created file "%TEMP%\_MSI5166._IS"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_is6395.tmp"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{D47BF427-844E-4C23-B27A-078096B19810}\Setup.INI"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{D47BF427-844E-4C23-B27A-078096B19810}\_ISMSIDEL.INI"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_is63DC.tmp"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{D47BF427-844E-4C23-B27A-078096B19810}\0x0804.ini"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_is63F1.tmp"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{D47BF427-844E-4C23-B27A-078096B19810}\0x0404.ini"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_is6406.tmp"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{D47BF427-844E-4C23-B27A-078096B19810}\0x0409.ini"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_is6425.tmp"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{D47BF427-844E-4C23-B27A-078096B19810}\0x0411.ini"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_is643A.tmp"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{D47BF427-844E-4C23-B27A-078096B19810}\0x0412.ini"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_is644F.tmp" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\!IETld!Mutex"
"\Sessions\1\BaseNamedObjects\Local\c:!users!8wwhiaa!appdata!roaming!microsoft!windows!ietldcache!"
"Local\ZonesCounterMutex"
"Local\c:!users!8wwhiaa!appdata!roaming!microsoft!windows!ietldcache!"
"Local\ZonesCacheCounterMutex"
"IESQMMUTEX_0_208"
"Local\WininetConnectionMutex"
"Local\_!MSFTHISTORY!_"
"Local\WininetProxyRegistryMutex"
"Local\WininetStartupMutex"
"IESQMMUTEX_0_191"
"Local\ZonesLockedCacheCounterMutex"
"Local\c:!users!8wwhiaa!appdata!local!microsoft!windows!temporary internet files!content.ie5!"
"Local\ZoneAttributeCacheCounterMutex"
"Local\c:!users!8wwhiaa!appdata!local!microsoft!windows!history!history.ie5!"
"Local\!IETld!Mutex" - source
- Created Mutant
- relevance
- 3/10
-
GETs files from a webserver
- details
- "GET /Downloads/WebInstall/x64/PretonSaver%20Home%20Edition.msi HTTP/1.1
Referer: http://www.preton.com/Downloads/WebInstall/x64/PretonSaver Home Edition.msi
User-Agent: dwplayer
Host: www.preton.com
Connection: Keep-Alive
Cache-Control: no-cache"
- source
- Network Traffic
- relevance
- 5/10
-
Loads rich edit control libraries
- details
-
"<Input Sample>" loaded module "%WINDIR%\System32\riched32.dll" at 703F0000
"<Input Sample>" loaded module "%WINDIR%\System32\riched20.dll" at 6B260000 - source
- Loaded Module
-
Reads Windows Trust Settings
- details
-
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
"msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE") - source
- Registry Access
- relevance
- 5/10
-
Spawns new processes
- details
- Spawned process "msiexec.exe" with commandline "/i "%TEMP%\{D47BF427-844E-4C23-B27A-078096B19810}\PretonSaver Home Edition.msi" RESELLER_ID=123456789_39 ACTIVATION_KEY=None TRANSFORMS="%TEMP%\{D47BF427-844E-4C23-B27A-078096B19810}\1033.MST" SETUPEXEDIR="C:" SETUPEXENAME="76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe"" (Show Process)
- source
- Monitored Target
- relevance
- 3/10
-
The input sample is signed with a certificate
- details
-
The input sample is signed with a certificate issued by "CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA" (SHA1: 6C:07:45:3F:FD:DA:08:B8:37:07:C0:9B:82:FB:3D:15:F3:53:36:B1; see report for more information)
The input sample is signed with a certificate issued by "CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US" (SHA1: 65:43:99:29:B6:79:73:EB:19:2D:6F:F2:43:E6:76:7A:DF:08:34:E4; see report for more information)
The input sample is signed with a certificate issued by "CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US" (SHA1: C8:72:21:36:4E:C1:84:2B:F0:8C:72:5E:59:FE:34:BD:A6:80:75:63; see report for more information)
The input sample is signed with a certificate issued by "CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US" (SHA1: 92:C1:58:8E:85:AF:22:01:CE:79:15:E8:53:8B:49:2F:60:5B:80:C6; see report for more information) - source
- Certificate Data
- relevance
- 10/10
-
The input sample is signed with a valid certificate
- details
- The entire certificate chain of the input sample was validated successfully.
- source
- Certificate Data
- relevance
- 10/10
-
Accesses Software Policy Settings
-
Installation/Persistance
-
Connects to LPC ports
- details
-
"<Input Sample>" connecting to "\ThemeApiPort"
"msiexec.exe" connecting to "\ThemeApiPort" - source
- API Call
- relevance
- 1/10
-
Dropped files
- details
-
"PretonSaver%20Home%20Edition[1].msi" has type "Composite Document File V2 Document Can't read SAT"
"PretonSaver Home Edition.msi" has type "Composite Document File V2 Document Can't read SAT"
"1033.MST" has type "Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1252, Title: Installation Database, Subject: PretonSaver Home Edition, Author: Preton Ltd., Keywords: Installer,MSI,Database, Comments: Contact: Your local administrator, Create Time/Date: Wed Feb 2 13:27:10 2011, Name of Creating Application: InstallShield 2009 - Premier Edition 15, Security: 1, Template: x64;0,1033,2052,1028,1041,1042,1034,1036, Last Saved By: x64;1033, Revision Number: {AB1CF8F1-C0B8-4EDD-B5B1-E6B19B6CBCA4}1.0.3.7;{AB1CF8F1-C0B8-4EDD-B5B1-E6B19B6CBCA4}1.0.3.7;{235E3106-1A86-4EE1-9F3D-0A12035239A7}, Number of Pages: 200, Number of Characters: 1"
"0x040c.ini" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"_is6395.tmp" has type "zlib compressed data"
"_is644F.tmp" has type "zlib compressed data"
"PretonSaver Home Edition.isc" has type "AmigaOS bitmap font"
"_is643A.tmp" has type "zlib compressed data"
"_is655A.tmp" has type "zlib compressed data"
"_is973E.tmp" has type "zlib compressed data"
"0x0409.ini" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"~6559.tmp" has type "ASCII text with CRLF line terminators"
"~64B5.tmp" has type "ASCII text with CRLF line terminators"
"66AE3BFDF94A732B262342AD2154B86E_81090793760C81EFD702CA65D8D0174F" has type "data"
"TarE31D.tmp" has type "data"
"0x0804.ini" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"Tar9C9C.tmp" has type "data"
"~6579.tmp" has type "ASCII text with CRLF line terminators"
"CabE31C.tmp" has type "Microsoft Cabinet archive data 50939 bytes 1 file"
"_is64EA.tmp" has type "zlib compressed data" - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"<Input Sample>" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"<Input Sample>" touched file "C:\Windows\Fonts\StaticCache.dat"
"<Input Sample>" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
"<Input Sample>" touched file "C:\Windows\System32\wininet.dll"
"<Input Sample>" touched file "C:\Windows\System32\en-US\wininet.dll.mui"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies\index.dat"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat"
"<Input Sample>" touched file "C:\Windows\System32\rsaenh.dll"
"<Input Sample>" touched file "C:\Windows\System32\en-US\urlmon.dll.mui"
"<Input Sample>" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
"<Input Sample>" touched file "C:\Windows\System32\msxml3r.dll"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7N5LGTOO\PretonSaver%20Home%20Edition[1].msi"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BPL0BFI3\PretonSaver%20Home%20Edition[1].msi" - source
- API Call
- relevance
- 7/10
-
Connects to LPC ports
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://ocsp.thawte.com0"
Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0"
Pattern match: "http://ts-ocsp.ws.symantec.com07"
Pattern match: "http://ts-aia.ws.symantec.com/tss-ca-g2.cer0"
Pattern match: "http://ts-crl.ws.symantec.com/tss-ca-g2.crl0"
Pattern match: "www.digicert.com110/"
Pattern match: "http://crl3.digicert.com/sha2-assured-cs-g1.crl05"
Pattern match: "http://crl4.digicert.com/sha2-assured-cs-g1.crl0B"
Pattern match: "https://www.digicert.com/CPS0"
Pattern match: "http://ocsp.digicert.com0N"
Pattern match: "cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0"
Pattern match: "www.digicert.com1$0"
Pattern match: "http://ocsp.digicert.com0C"
Pattern match: "cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0"
Pattern match: "crl4.digicert.com/DigiCertAssuredIDRootCA.crl0"
Pattern match: "crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O"
Pattern match: "http://www.preton.com"
Pattern match: "http://www.preton.com/Downloads/WebInstall/x64/PretonSaver"
Pattern match: "http://ts-aia.ws.symantec.com/ts~"
Pattern match: "cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSi~"
Pattern match: "http://ocsp.verisign.com0"
Pattern match: "http://crl.verisign.com/tss-ca.crl0"
Pattern match: "crl.verisign.com/ThawteTimestampingCA.crl0"
Pattern match: "https://www.verisign.com/rpa"
Pattern match: "csc3-2009-2-crl.verisign.com/CSC3-2009-2.crl0D"
Pattern match: "https://www.verisign.com/r"
Pattern match: "csc3-2009-2-aia.verisign.com/CSC3-2009-2.cer0"
Pattern match: "https://www.verisign.com/cps0*"
Pattern match: "https://www.verisign.com/rpa0"
Pattern match: "http://logo.verisign.com/vslogo.gif0"
Pattern match: "http://ocsp.verisign.com01"
Pattern match: "http://crl.verisign.com/pca3.crl0"
Pattern match: "www.verisign.com/rpa"
Pattern match: "http://www.flexerasoftware.com0"
Pattern match: "http://schemas.microsoft.com/office/word/2003/wordml}{\xmlns2"
Pattern match: "crl4.digicert.com/Digi"
Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com"
Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAFTm1dnqX20CTg1vUczuuo%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com"
Pattern match: "http://schemas.openxmlformats.org/drawingml/2006/mai"
Pattern match: "www.preton.com"
Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0U%0"
Pattern match: "http://crl3.digicert.com/sha2-assured-cs-g1.crl0531/http://crl4.digicert.com/sha2-assured-cs-g1.crl0BU"
Pattern match: "cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0Uz0x0:864http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:864http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0OU"
Pattern match: "http://https://True1YYes:ILu~:ILu~###o~"
Pattern match: "http://crl.verisign.com/tss-ca.crl0U%0"
Pattern match: "crl.verisign.com/ThawteTimestampingCA.crl0U%0"
Pattern match: "csc3-2009-2-crl.verisign.com/CSC3-2009-2.crl0DU"
Pattern match: "csc3-2009-2-aia.verisign.com/CSC3-2009-2.cer0U#0k&p?-50`HB0"
Pattern match: "w.jYEP/YEM"
Pattern match: "http://www.w3.org/1999/XSL/Transform"
Pattern match: "www.preton.com}}}\sectd"
Pattern match: "2.ABT/H0-7{%b@ou5"
Pattern match: "siC0.ni/flk"
Heuristic match: "T#^\i0n\B.`Ao.N_Xtf0v1tK0nQ~(_ZCScwze-7^6W#<5Ju/[1wGN.sm"
Heuristic match: "*10o]?0MH}u`oFBGCF{}.Vu"
Pattern match: "U.jvG/]:C$M?^pxWwWe5I+1@X%'4,u'tPioWX54HM&s.BbB9"
Pattern match: "jnQ.ty/7`gw7f|h=uK"
Pattern match: "Dz.NMy/mEYN8EJ%8yKUNiIB?%kadNZi-5H"
Heuristic match: "=K!R\Rr8:bH*w@=^K<}:?0Gh}^- !/MBdasdp`u5-s]N^d*Zg.ee"
Pattern match: "SkLhc.ae/[Z0&fg*ngvyQ,Qw"
Heuristic match: "`kv):;bYsME;O<v\}4kFGWBwkwY].HR"
Pattern match: "0.IKy/LQ}9'V?@N,I@gU"
Pattern match: "mUVY.BT/7Nqef[SiYZlVA8Z-ELpz"
Pattern match: "S.uUr/4XOR?4"
Heuristic match: "(-2Burg.ES"
Pattern match: "htC5.mP/]:V[E"
Heuristic match: ")$9<9<d(AyrByh+QGnh.MK"
Pattern match: "u1.TO/xguoE6}LLM!Z~"
Pattern match: "8q.rS/cqS9M'R%\{8jAu=1c8Y49=Qz\CnNzf5oPL;tN{f"
Pattern match: "7X.rb/@F5UQTGp"
Heuristic match: "2hC0O9v_RMNlWa3q2K,`yV}g+.'>RvBJ|rc%/9Ac|'yjat-AFV%O@mx&)z[.cL"
Pattern match: "7B.Vfd/Y%M51EC{S8T64C_YxG48iO:R`T!vX{N%bO!NT"
Heuristic match: "u_${P to;EeXJ)4dl;)}qauFeC%]}]nOXT.in"
Heuristic match: "Jf{WYM.nc.#n;y)XzXU8r2LZ?ueo`{RFqx.ci"
Heuristic match: "q2mU5r;a.;Z%jn*&b?bnoJrH$nyjV?DdA.pr"
Heuristic match: "29+0cY967qI-/;H'(w$uz]ynzAAY(1,{/Kc<2w 7gy(j,k<~z,TqE%#I{H|3G,3'K^!n<~rkLMI?_jZ'H@j:t\d.gD"
Pattern match: "jZq.hW/bW[9u7k}%P3f5"
Pattern match: "H9.Fz.JD/v|%8mdvS3_?;I"
Heuristic match: "},K:.BV"
Pattern match: "f.PEFO/N&PP{,eNLX\s"
Pattern match: "v.HD/2}64NsD%/+EEfcedO|e@"
Pattern match: "UBB.FIP/6aI0]CD'0"
Pattern match: "4mS.fY/R+ILSl5]4E=VEz6hWjioT4U"
Pattern match: "Ees7OC.qb/yR2r"
Pattern match: "7jcI.Zmn/usF~DZnX"
Heuristic match: "Q)+(C2<rZfR.mx"
Pattern match: "AnSYU.esL/:XEPqH]{1#|{G~g&9ey{2BC{~,NUm"
Heuristic match: "\Q8<R+eLa7M='=3 WHO]3NStN%uaA1ru(>u+n?gWN~bJ^`~$9.]d^gi-zh-/`|t6ywYoujV!p}H[_lTx#[bHvEw,uw?zc:>=[&?W#HBHq[.Aq"
Heuristic match: "^UHHjdn2VEqUT@V&X Wgz=I*F+D#|J`/)u]w3_QtK+0xTV+<>j}FM hKjjYqM6Z,F6~^\\87%'BNqZ>KRNPcN&x!oat$uO:VL1KQ-zf95+K~'RL!f'6pC$.Ee"
Pattern match: "c5.Zx/G$yVy'$O8j~"
Pattern match: "Bp.ivj/1A;.qxI^]:Wg,f"
Heuristic match: "V/Zuf%U6'eVcG0+g{<]->UTT%b<[VOUYf0JX=%|v'8KQ/r.Tp"
Pattern match: "65nvWe.GL/Emy,-~"
Pattern match: "U.ben/g|.|s^LfNGIf+qTXz9^3S4YN"
Pattern match: "c.AJ/ssw*k54Pe?0#"
Pattern match: "hX.Ak/v5Es8+\"
Pattern match: "6AP.HqdD/{@Nd%f7M"
Pattern match: "a.dlU/:?0m[:mXNF5+kT86iFTw%"
Pattern match: "YD-.OJb/EDMo&]A}#tbOPwEruK$P0b!pATO%U^QY4K1=W^Srar(wD)k-Jv6HhJHp4c~"
Pattern match: "b.RBB/,rh\Rz_'4"
Heuristic match: "rT3O3iZ_A\c4PCyQe'Ts&O;|/zvv _N*hi.=$];P+$)$S|,d+`9NKyjB Xje6Q#;s:N,wT<$|'QaG;K#9jd3%(jH].vEj'kJJG#nR]PS~LI3u&i/`}f t'Q$n+kdKs%eWJeN(@.\Dy=n4KNd8S4QyNpR6'GqD`T]tdx%]SGQzetI0q49tIe%tY26f,[l6|K`qOHLJ.PS"
Heuristic match: "}Od@TmYSY8PDLr8;Dj|x*O<A.nA>.AT"
Pattern match: "Wa.ofW/ZYi6Vd,;yi?v4Jo"
Pattern match: "S.XK/uXix/!]W8.Fs"
Pattern match: "2.uLK/zj"
Pattern match: "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVN"
Pattern match: "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAFTm1dnqX20CTg"
Pattern match: "7jpV.Aw/3F"
Pattern match: "http://www.installengine.com/Msiengine30/WindowsInstaller-KB893803-x86.exe"
Pattern match: "http://www.installengine.com/Msiengine20/instmsiw.exe" - source
- File/Memory
- relevance
- 10/10
-
Found potential URL in binary/memory
-
System Security
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"<Input Sample>" opened "\Device\KsecDD"
"msiexec.exe" opened "\Device\KsecDD" - source
- API Call
- relevance
- 10/10
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
- "76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe.bin" was detected as "Microsoft visual C++ 5.0"
- source
- Static Parser
- relevance
- 10/10
-
Matched Compiler/Packer signature
File Details
PretonSaverHomeEdition64.exe
- Filename
- PretonSaverHomeEdition64.exe
- Size
- 901KiB (922472 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3
- MD5
- c07d5a1af1bfd0e550f4c539ef59f9a3
- SHA1
- 20ff464fb29d5a2f8c29d0486f40bb5d5484c7a2
- ssdeep
- 24576:7scaIeB5iMOP3twjeSy9ll5cOiSYvlL2GoswfWmtTAkm7ParrWRxA2ft:7s/IeB5jMdwjeSyl5tiSYF2GosuWoTAP
- imphash
- 8e9143421e5b76a73aa0992f04566913
- authentihash
- ee4e48d39393a3b4ec51b87a1ccba510283cd4477c0ae7f065ce48b56d634533
- Compiler/Packer
- Microsoft visual C++ 5.0
- PDB Pathway
Version Info
- LegalCopyright
- Copyright (C) 2008 Acresso Software Inc. and/or InstallShield Co. Inc. All Rights Reserved.
- InternalName
- Setup
- FileVersion
- 1.0.3.7
- CompanyName
- Preton Ltd.
- Internal Build Number
- 82160
- ProductName
- PretonSaver Home Edition
- ProductVersion
- 1.0.3.7
- FileDescription
- Setup Launcher Unicode
- OriginalFilename
- Setup.exe
- Translation
- 0x0409 0x04b0
Classification (TrID)
- 78.5% (.EXE) Win32 Executable MS Visual C++ (generic)
- 11.3% (.EXE) Win32 Executable (generic)
- 5.0% (.EXE) Generic Win/DOS Executable
- 5.0% (.EXE) DOS Executable Generic
- 0.0% (.CEL) Autodesk FLIC Image File (extensions: flc, fli, cel)
File Sections
File Resources
File Imports
File Certificates
Certificate chain was successfully validated.
Owner | Issuer | Serial | Validity | MD5 | SHA1
---|---|---|---|---|---
CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US | CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA | 7e93ebfb7cc64e59ea4b9a77d406fc3b | 12/21/2012 01:00:00 to 12/31/2020 00:59:59 | 7B:A3:69:EE:9A:BD:81:E0:FC:76:74:E9:70:9E:15:1D | 6C:07:45:3F:FD:DA:08:B8:37:07:C0:9B:82:FB:3D:15:F3:53:36:B1
CN=Symantec Time Stamping Services Signer - G4, O=Symantec Corporation, C=US | CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US | ecff438c8febf356e04d86a981b1a50 | 10/18/2012 01:00:00 to 12/30/2020 00:59:59 | 08:32:B6:5C:C3:E3:A4:9B:C3:81:BA:95:E1:B5:87:37 | 65:43:99:29:B6:79:73:EB:19:2D:6F:F2:43:E6:76:7A:DF:08:34:E4
CN=Preton Ltd, O=Preton Ltd, L=Tel Aviv, ST=HaMerkaz, C=IL | CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US | 1539b5767a97db4093835bd4733baea | 07/01/2014 01:00:00 to 09/02/2016 13:00:00 | 53:0E:1C:0E:B5:E2:A0:62:BA:4D:06:31:72:12:F9:C4 | C8:72:21:36:4E:C1:84:2B:F0:8C:72:5E:59:FE:34:BD:A6:80:75:63
CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | 409181b5fd5bb66755343b56f955008 | 10/22/2013 13:00:00 to 10/22/2028 13:00:00 | B6:56:37:6C:3D:2A:CE:BB:A1:88:49:D6:04:36:1B:D5 | 92:C1:58:8E:85:AF:22:01:CE:79:15:E8:53:8B:49:2F:60:5B:80:C6
Hybrid Analysis
Analysed 2 processes in total.
-
Input Sample
(PID: 952)
1/70
- msiexec.exe /i "%TEMP%\{D47BF427-844E-4C23-B27A-078096B19810}\PretonSaver Home Edition.msi" RESELLER_ID=123456789_39 ACTIVATION_KEY=None TRANSFORMS="%TEMP%\{D47BF427-844E-4C23-B27A-078096B19810}\1033.MST" SETUPEXEDIR="C:" SETUPEXENAME="76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe" (PID: 3600)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country
---|---|---|---
www.preton.com | 174.129.237.94 | TUCOWS, INC. (Organization: Preton Ltd.; Name Server: NS1.EASY-CGI.COM; Creation Date: Sat, 04 Dec 2004 14:07:55 GMT) | United States
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
174.129.237.94 |
80
TCP |
<Input Sample> PID: 952 |
United States |
HTTP Traffic
Endpoint | Request | URL | Response
---|---|---|---
174.129.237.94:80 (www.preton.com) | GET | www.preton.com/Downloads/WebInstall/x64/PretonSaver%20Home%20Edition.msi | 200 OK
174.129.237.94:80 (www.preton.com) | GET | www.preton.com/Downloads/WebInstall/x64/PretonSaver%20Home%20Edition.msi | 200 OK
Request headers (identical for both requests):
GET /Downloads/WebInstall/x64/PretonSaver%20Home%20Edition.msi HTTP/1.1
Referer: http://www.preton.com/Downloads/WebInstall/x64/PretonSaver Home Edition.msi
User-Agent: dwplayer
Host: www.preton.com
Connection: Keep-Alive
Cache-Control: no-cache
Memory Forensics
String | Context | Stream UID |
---|---|---|
3.0.0.0 | Domain/IP reference | 12127-816-0041C823 |
2.0.0.0 | Domain/IP reference | 12127-816-0041C823 |
2.5.4.3 | Domain/IP reference | 00015406-00000952-23872-2004-0046A661 |
2.9.0.0 | Domain/IP reference | 12127-817-00432A7D |
2.5.4.11 | Domain/IP reference | 00015406-00000952-23872-2004-0046A661 |
2.5.4.10 | Domain/IP reference | 00015406-00000952-23872-2004-0046A661 |
49.1.9.1 | Domain/IP reference | 00015406-00000952-23872-2004-0046A661 |
Extracted Strings
Extracted Files
Displaying 23 extracted file(s). The remaining 16 file(s) are available in the full version and XML/JSON reports.
-
Informative Selection 5
-
-
_is64B6.tmp
- Size
- 1.4KiB (1383 bytes)
- Type
- data
- Description
- zlib compressed data
- Runtime Process
- 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
- MD5
- fd33ce03361e71dfcb9496af6b38a543
- SHA1
- 8e257019cceb70bedcbd62fd273c5c364485e7f4
- SHA256
- 8fd977f3bb73b510e5743fc4437164720e7257c019bfc72c4c925b1d425d3282
-
_is655A.tmp
- Size
- 1.4KiB (1383 bytes)
- Type
- data
- Description
- zlib compressed data
- Runtime Process
- 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
- MD5
- fd33ce03361e71dfcb9496af6b38a543
- SHA1
- 8e257019cceb70bedcbd62fd273c5c364485e7f4
- SHA256
- 8fd977f3bb73b510e5743fc4437164720e7257c019bfc72c4c925b1d425d3282
-
1033.MST
- Size
- 3.5KiB (3584 bytes)
- Type
- data
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1252, Title: Installation Database, Subject: PretonSaver Home Edition, Author: Preton Ltd., Keywords: Installer,MSI,Database, Comments: Contact: Your local administrator, Create Time/Date: Wed Feb 2 13:27:10 2011, Name of Creating Application: InstallShield 2009 - Premier Edition 15, Security: 1, Template: x64;0,1033,2052,1028,1041,1042,1034,1036, Last Saved By: x64;1033, Revision Number: {AB1CF8F1-C0B8-4EDD-B5B1-E6B19B6CBCA4}1.0.3.7;{AB1CF8F1-C0B8-4EDD-B5B1-E6B19B6CBCA4}1.0.3.7;{235E3106-1A86-4EE1-9F3D-0A12035239A7}, Number of Pages: 200, Number of Characters: 1
- Runtime Process
- 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
- MD5
- 014176088821d87b9ac8ad595095e20b
- SHA1
- 16db24006e52bb574c5913d339728e743a9a2568
- SHA256
- f172820e5c0ddbc5c23decc237c38ee4087e1ed3734feb318056ea08cc6433c9
-
PretonSaver Home Edition.msi
- Size
- 4.9MiB (5177344 bytes)
- Type
- rtf (reported type; the description below identifies an OLE2 Compound Document, which is the Windows Installer .msi container format, not RTF)
- Description
- Composite Document File V2 Document, Can't read SAT
- Runtime Process
- 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
- MD5
- a83b6c4ec57cc1ca8d878bd6d0188459
- SHA1
- 4fb66ed0a8e14baa75736d31460a9665cc597332
- SHA256
- cd9f2b2ba28706ccc398029a5742d861f491e64fc25dfcfd2272012631ea10e6
-
~6579.tmp
- Size
- 3.2KiB (3304 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
- MD5
- ba55d788138d9f39263ec7726023f74e
- SHA1
- e65bcab8d1b339dafb0e6d0d3fcd758701039dcd
- SHA256
- 962257daf665c94fa9df2a797779ea842fdad6a7bf287a19c9609986a8ef9960
-
-
Informative 18
-
-
PretonSaver%20Home%20Edition[1].msi
- Size
- 5MiB (5241844 bytes)
- Type
- rtf (reported type; the description below identifies an OLE2 Compound Document, which is the Windows Installer .msi container format, not RTF)
- Description
- Composite Document File V2 Document, Can't read SAT
- Runtime Process
- 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
- MD5
- 581cce06fcdc2a22426b0236ff7a4e1e
- SHA1
- f0a3c5526a9be27d1bfe521511c56fc59111a62e
- SHA256
- 20636c2cefe0b5172ba3637b7298d8d10f18d5f0d4b6d9490fd80b52a8b8b9b2
-
42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
- Size
- 471B (471 bytes)
- Runtime Process
- 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
- MD5
- 79f59dbd743451f87833c1cdf544a19d
- SHA1
- f77ea9738e206b287e1cebe814696f2f0ac0220a
- SHA256
- 49aa7099c8b95c6b2ec995caa68df62440df4db6e4291a3fe4e08a4f44539432
-
66AE3BFDF94A732B262342AD2154B86E_81090793760C81EFD702CA65D8D0174F
- Size
- 471B (471 bytes)
- Runtime Process
- 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
- MD5
- ba425c90b4ac84f94c0f80dea3beb680
- SHA1
- 45612562accb88eda489e042d3bc375da21c7ac9
- SHA256
- 23963e4339e52385f505001fced0eae2daf8e781a2b962acd1f958f154d56c9f
-
Cab9C9B.tmp
- Size
- 50KiB (50939 bytes)
- Runtime Process
- 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
- MD5
- 41f958d2d3e9ed4504b6a8863fd72b49
- SHA1
- f6d380b256b0e66ef347adc78195fd0f228b3e33
- SHA256
- c929701c67a05f90827563eedccf5eba8e65b2da970189a0371f28cd896708b8
-
CabE31C.tmp
- Size
- 50KiB (50939 bytes)
- Type
- data
- Description
- Microsoft Cabinet archive data, 50939 bytes, 1 file
- Runtime Process
- msiexec.exe (PID: 3600)
- MD5
- 41f958d2d3e9ed4504b6a8863fd72b49
- SHA1
- f6d380b256b0e66ef347adc78195fd0f228b3e33
- SHA256
- c929701c67a05f90827563eedccf5eba8e65b2da970189a0371f28cd896708b8
-
Tar9C9C.tmp
- Size
- 118KiB (120573 bytes)
- Type
- data
- Runtime Process
- 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
- MD5
- 179d2951034116b184198e0bf26daa47
- SHA1
- b76bf79e7fa15491075c3bd9ec569e1c8540174b
- SHA256
- 7e58975a4e1e86940f84e744709426939b85ae174dbbf020da3c893a54fd1da2
-
TarE31D.tmp
- Size
- 118KiB (120573 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 3600)
- MD5
- 179d2951034116b184198e0bf26daa47
- SHA1
- b76bf79e7fa15491075c3bd9ec569e1c8540174b
- SHA256
- 7e58975a4e1e86940f84e744709426939b85ae174dbbf020da3c893a54fd1da2
-
_is6395.tmp
- Size
- 1.4KiB (1383 bytes)
- Type
- data
- Description
- zlib compressed data
- Runtime Process
- 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
- MD5
- fd33ce03361e71dfcb9496af6b38a543
- SHA1
- 8e257019cceb70bedcbd62fd273c5c364485e7f4
- SHA256
- 8fd977f3bb73b510e5743fc4437164720e7257c019bfc72c4c925b1d425d3282
-
_is63DC.tmp
- Size
- 2.7KiB (2776 bytes)
- Runtime Process
- 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
- MD5
- 7fad844bb39cac256a39b6c4bd1023e6
- SHA1
- c211bc12db1df7061e5091ac4b40b4a4a338cda6
- SHA256
- 46ab629a346792dacc46d5500ab0176d03d91b692ccba8516592fa428f43f383
-
_is63F1.tmp
- Size
- 2.7KiB (2814 bytes)
- Runtime Process
- 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
- MD5
- 67cf8043c21be2d50b1837542377027c
- SHA1
- cd99de8891b75a6063c1a946495a8b5e23b52990
- SHA256
- bfcc48b008ab6397c92b5f75764a0d5557a0f704d470455ca634629800e25da5
-
_is6406.tmp
- Size
- 2.9KiB (3017 bytes)
- Runtime Process
- 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
- MD5
- ae10f061af304517f6e3f3157795a5b7
- SHA1
- f80822a26461dbcaf29ed0de91fd41c2bb370c44
- SHA256
- c1c419be1398addbd82f88be6c3ff810ed04b8c970ab7349b07ec11b07368043
-
_is6425.tmp
- Size
- 3KiB (3069 bytes)
- Runtime Process
- 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
- MD5
- e4ddcc59dbd874ae01b6f69288e299d5
- SHA1
- 2ca6fdba92e2cfc9105586d0e335d90db521a5e8
- SHA256
- 74378930c57508d7076cbcbdeee4c7e61ebb0ed860bd372c874b3766f5c6643e
-
_is643A.tmp
- Size
- 2.9KiB (2938 bytes)
- Type
- data
- Description
- zlib compressed data
- Runtime Process
- 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
- MD5
- 8cbaf1e03debaca8ba931733373395bc
- SHA1
- c0ae1bff38256aa7d64d1ac386a3d8cfd0c62418
- SHA256
- 47fe976b6385f31c50d1b88fd8e7f4b38aa32b1dfb867004cd1668a4033b6335
-
_is644F.tmp
- Size
- 3.3KiB (3364 bytes)
- Type
- data
- Description
- zlib compressed data
- Runtime Process
- 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
- MD5
- 3c55994652fc918cff1c21e3c02b658d
- SHA1
- d15b29d40244669014b08526ebbc995e7dcb1808
- SHA256
- 4ae311e127b1717e7ae0618354648850d4536f31234f4c99212e06d103980d58
-
_is6464.tmp
- Size
- 3.3KiB (3414 bytes)
- Runtime Process
- 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
- MD5
- 61d05b39a99b7d92f650842f8b043cbc
- SHA1
- 8b7fac2d7742cd9eccb005f870ed62b8cc8f430f
- SHA256
- 40d51e85e23ba1f7fde3685eee7ce0ea045504441cb89f5122346188d566f817
-
_is64D5.tmp
- Size
- 712B (712 bytes)
- Runtime Process
- 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
- MD5
- 8c9746e9acc4474db04237a238b8acf1
- SHA1
- ac506b3c60f77e1a304525af87a34a20260525ad
- SHA256
- b0f2ec41a0d3be6efd952dd16b470dc51a4e45ccec8f5fa0c72fa268e0a1d8c4
-
_is64EA.tmp
- Size
- 692B (692 bytes)
- Type
- data
- Description
- zlib compressed data
- Runtime Process
- 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
- MD5
- a963f89487bd76851179185c25a67a1a
- SHA1
- 355e24209d8ef9a64d07a328623151bf7efbcd72
- SHA256
- e97db949e0dd33c050a632801e7184ca1be996f9354e8303c9c04ba137ed77e7
-
_is657A.tmp
- Size
- 1.4KiB (1383 bytes)
- Runtime Process
- 76f6472afb84b23d589cc6454a6835a3270ce802cf624dcc666e3b99f2c204b3.exe (PID: 952)
- MD5
- fd33ce03361e71dfcb9496af6b38a543
- SHA1
- 8e257019cceb70bedcbd62fd273c5c364485e7f4
- SHA256
- 8fd977f3bb73b510e5743fc4437164720e7257c019bfc72c4c925b1d425d3282
-
Notifications
-
Runtime
- Added comment to Virus Total report
- All strings were processed, but some are hidden from the report to reduce its overall size
- Not all IP/URL string resources were checked online
- Not all sources for signature ID "api-12" are available in the report
- Not all sources for signature ID "api-25" are available in the report
- Not all sources for signature ID "api-26" are available in the report
- Not all sources for signature ID "api-31" are available in the report
- Not all sources for signature ID "api-4" are available in the report
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "api-6" are available in the report
- Not all sources for signature ID "binary-0" are available in the report
- Not all sources for signature ID "mutant-0" are available in the report
- Not all sources for signature ID "registry-17" are available in the report
- Not all sources for signature ID "registry-18" are available in the report
- Not all sources for signature ID "registry-19" are available in the report
- Not all sources for signature ID "stream-3" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report