GSAutoClicker-Setup.exe
This report is generated from a file or URL submitted to this webservice on April 23rd 2016 10:48:27 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v4.00 © Hybrid Analysis
Attention: this analysis ran with the legacy Usermode Monitor. It is highly recommended to use the Kernelmode Monitor.
Incident Response
Risk Assessment
- Fingerprint
-
Contains ability to look up the Windows account name
Reads the active computer name
Indicators
-
Malicious Indicators 4
-
General
-
Contains ability to start/interact with device drivers
- details
-
DeviceIoControl@KERNEL32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
DeviceIoControl@KERNEL32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
- source
- Hybrid Analysis Technology
- relevance
- 8/10
-
Installation/Persistence
-
Writes a PE file header to disk
- details
-
"GSAutoClicker_Setup.tmp" wrote 65536 bytes starting with PE header signature to file "%PROGRAMFILES%\GSAutoClicker3\is-FMBD4.tmp": 4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000100100000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
"GSAutoClicker_Setup.tmp" wrote 49960 bytes starting with PE header signature to file "%PROGRAMFILES%\GSAutoClicker3\conf\ext\is-MS1RB.tmp": 4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000c00000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
- source
- API Call
- relevance
- 1/10
-
Writes data to a remote process
- details
-
"<Input Sample>" wrote 1500 bytes to a foreign process "GSAutoClicker_Setup.tmp" (PID: 00002028)
"<Input Sample>" wrote 4 bytes to a foreign process "GSAutoClicker_Setup.tmp" (PID: 00002028)
"<Input Sample>" wrote 32 bytes to a foreign process "GSAutoClicker_Setup.tmp" (PID: 00002028)
"<Input Sample>" wrote 52 bytes to a foreign process "GSAutoClicker_Setup.tmp" (PID: 00002028)
- source
- API Call
- relevance
- 6/10
-
Unusual Characteristics
-
Contains ability to reboot/shutdown the operating system
- details
-
ExitWindowsEx@USER32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
ExitWindowsEx@USER32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
- source
- Hybrid Analysis Technology
- relevance
- 5/10
-
Suspicious Indicators 19
-
Anti-Detection/Stealthiness
-
Queries process information
- details
-
"GSAutoClicker_Setup.tmp" queried SystemProcessInformation at 00133328-00002028-76F261F8-327547
"GSAutoClicker_Setup.tmp" queried SystemProcessInformation at 00133328-00002028-76F261F8-327562
- source
- API Call
- relevance
- 4/10
-
Anti-Reverse Engineering
-
Looks up many procedures within the same disassembly stream (often used to hide usage)
- details
-
Found 10 calls to GetProcAddress@KERNEL32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
Found 47 calls to GetProcAddress@KERNEL32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
Found 10 calls to GetProcAddress@KERNEL32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
Found 47 calls to GetProcAddress@KERNEL32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Environment Awareness
-
Contains ability to query the machine version
- details
-
GetVersionExA@KERNEL32.DLL from PID 00002244
GetVersion@KERNEL32.DLL from GSAutoClicker_Setup.exe (PID: 2244)
GetVersion@KERNEL32.DLL from GSAutoClicker_Setup.exe (PID: 2244)
GetVersionExA@KERNEL32.DLL from PID 00002244
GetVersionExA@KERNEL32.DLL from PID 00002028
GetVersion@KERNEL32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
GetVersionExA@KERNEL32.DLL from PID 00002028
GetVersion@KERNEL32.DLL from PID 00002028
GetVersion@KERNEL32.DLL from PID 00002028
GetVersion@KERNEL32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
GetVersion@KERNEL32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
GetVersionExA@KERNEL32.DLL from PID 00002028
GetVersionExA@KERNEL32.DLL from PID 00002028
GetVersionExA@KERNEL32.DLL from PID 00002028
GetVersion@KERNEL32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
GetVersion@KERNEL32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
GetVersion@KERNEL32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
GetVersion@KERNEL32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
GetVersion@KERNEL32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
GetVersion@KERNEL32.DLL from PID 00002028
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Makes a branch decision directly after calling an API that is environment aware
- details
-
Found API call GetVersion@KERNEL32.DLL (Target: "GSAutoClicker_Setup.exe"; Stream UID: "00130015-00002244-41275-118-00404654")
which is directly followed by "cmp ax, 00000600h" and "je 004046A5h". See related instructions: "...
+27 call 0040445Ch ;GetModuleHandleA
+32 mov edi, eax
+34 call 0040448Ch ;GetVersion
+39 xchg al, ah
+41 xor ebx, ebx
+43 cmp ax, 00000600h
+47 je 004046A5h" ... from GSAutoClicker_Setup.exe (PID: 2244)
Found API call GetVersion@KERNEL32.DLL (Target: "GSAutoClicker_Setup.exe"; Stream UID: "00130015-00002244-46941-118-00404654")
which is directly followed by "cmp ax, 00000600h" and "je 004046A5h". See related instructions: "...
+27 call 0040445Ch ;GetModuleHandleA
+32 mov edi, eax
+34 call 0040448Ch ;GetVersion
+39 xchg al, ah
+41 xor ebx, ebx
+43 cmp ax, 00000600h
+47 je 004046A5h" ... from GSAutoClicker_Setup.exe (PID: 2244)
Found API call GetVersion@KERNEL32.DLL (Target: "GSAutoClicker_Setup.tmp"; Stream UID: "00133328-00002028-53799-887-0041F568")
which is directly followed by "cmp bl, 04h" and "jnc 0041F5B1h". See related instructions: "...
+14 call 004059B4h ;GetVersion
+19 mov ebx, eax
+21 cmp bl, 04h
+24 jnc 0041F5B1h" ... from GSAutoClicker_Setup.tmp (PID: 2028)
Found API call GetVersion@KERNEL32.DLL (Target: "GSAutoClicker_Setup.tmp"; Stream UID: "00133328-00002028-53799-881-00419490")
which is directly followed by "cmp ax, 0004h" and "setnb byte ptr [0049D5C8h]". See related instructions: "...
+0 call 004059B4h ;GetVersion
+5 and ax, 000000FFh
+9 cmp ax, 0004h
+13 setnb byte ptr [0049D5C8h]" ... from PID 00002028
Found API call GetVersion@KERNEL32.DLL (Target: "GSAutoClicker_Setup.tmp"; Stream UID: "00133328-00002028-53799-1010-0046EE04")
which is directly followed by "cmp ax, 00000601h" and "jc 0046EE48h". See related instructions: "...
+10 call 004059B4h ;GetVersion
+15 xchg al, ah
+17 cmp ax, 00000601h
+21 jc 0046EE48h" ... from PID 00002028
Found API call GetVersion@KERNEL32.DLL (Target: "GSAutoClicker_Setup.tmp"; Stream UID: "00133328-00002028-53799-748-0042E4EC")
which is directly followed by "cmp ax, 0005h" and "jc 0042E569h". See related instructions: "...
+71 xor eax, eax
+73 push ebp
+74 push 0042E6D0h
+79 push dword ptr fs:[eax]
+82 mov dword ptr fs:[eax], esp
+85 xor ebx, ebx
+87 call 004059B4h ;GetVersion
+92 and ax, 000000FFh
+96 cmp ax, 0005h
+100 jc 0042E569h" ... from GSAutoClicker_Setup.tmp (PID: 2028)
Found API call GetVersion@KERNEL32.DLL (Target: "GSAutoClicker_Setup.tmp"; Stream UID: "00133328-00002028-53799-920-004063F4")
which is directly followed by "cmp ax, 00000600h" and "je 00406445h". See related instructions: "...
+27 call 00405954h ;GetModuleHandleA
+32 mov edi, eax
+34 call 004059B4h ;GetVersion
+39 xchg al, ah
+41 xor ebx, ebx
+43 cmp ax, 00000600h
+47 je 00406445h" ... from GSAutoClicker_Setup.tmp (PID: 2028)
Found API call GetVersion@KERNEL32.DLL (Target: "GSAutoClicker_Setup.tmp"; Stream UID: "00133328-00002028-53799-1065-0045D3BC")
which is directly followed by "cmp ax, 0005h" and "jnc 0045D3F1h". See related instructions: "...
+26 call 004059B4h ;GetVersion
+31 and ax, 000000FFh
+35 cmp ax, 0005h
+39 jnc 0045D3F1h" ... from GSAutoClicker_Setup.tmp (PID: 2028)
Found API call GetVersion@KERNEL32.DLL (Target: "GSAutoClicker_Setup.tmp"; Stream UID: "00133328-00002028-53799-2462-00411B44")
which is directly followed by "cmp ax, 0004h" and "jc 00411CA4h". See related instructions: "...
+147 call 00403634h
+152 call 004059B4h ;GetVersion
+157 and ax, 000000FFh
+161 cmp ax, 0004h
+165 jc 00411CA4h" ... from GSAutoClicker_Setup.tmp (PID: 2028)
Found API call GetVersion@KERNEL32.DLL (Target: "GSAutoClicker_Setup.tmp"; Stream UID: "00133328-00002028-53799-2932-00450994")
which is directly followed by "cmp ax, 0006h" and "jc 00450A8Ch". See related instructions: "...
+43 call 004059B4h ;GetVersion
+48 and ax, 000000FFh
+52 cmp ax, 0006h
+56 jc 00450A8Ch" ... from GSAutoClicker_Setup.tmp (PID: 2028)
Found API call GetVersion@KERNEL32.DLL (Target: "GSAutoClicker_Setup.tmp"; Stream UID: "00133328-00002028-53799-3087-004638CC")
which is directly followed by "cmp ax, 0006h" and "jnc 00463941h". See related instructions: "...
+86 call 00418768h
+91 call 004059B4h ;GetVersion
+96 and ax, 000000FFh
+100 cmp ax, 0006h
+104 jnc 00463941h" ... from GSAutoClicker_Setup.tmp (PID: 2028)
Found API call GetVersion@KERNEL32.DLL (Target: "GSAutoClicker_Setup.tmp"; Stream UID: "00133328-00002028-53799-3090-00463A24")
which is directly followed by "cmp ax, 0006h" and "jc 00463A97h". See related instructions: "...
+48 call 004059B4h ;GetVersion
+53 and ax, 000000FFh
+57 cmp ax, 0006h
+61 jc 00463A97h" ... from GSAutoClicker_Setup.tmp (PID: 2028)
Found API call GetDiskFreeSpaceA@KERNEL32.DLL (Target: "GSAutoClicker_Setup.tmp"; Stream UID: "00133328-00002028-53799-2967-004565A8")
which is directly followed by "cmp byte ptr [ebp-02h], 00h" and "je 004566AFh". See related instructions: "...
+204 call 00403738h
+209 push eax
+210 call 004058F4h ;GetDiskFreeSpaceA
+215 neg eax
+217 sbb eax, eax
+219 neg eax
+221 mov byte ptr [ebp-02h], al
+224 cmp byte ptr [ebp-02h], 00h
+228 je 004566AFh" ... from GSAutoClicker_Setup.tmp (PID: 2028)
Found API call GetVersion@KERNEL32.DLL (Target: "GSAutoClicker_Setup.tmp"; Stream UID: "00133328-00002028-53799-2710-0042DDC4")
which is directly followed by "cmp ax, 0006h" and "jc 0042DE1Fh". See related instructions: "...
+32 call 004059B4h ;GetVersion
+37 and ax, 000000FFh
+41 cmp ax, 0006h
+45 jc 0042DE1Fh" ... from PID 00002028
Found API call GetVersion@KERNEL32.DLL (Target: "GSAutoClicker_Setup.tmp"; Stream UID: "00133328-00002028-49905-887-0041F568")
which is directly followed by "cmp bl, 04h" and "jnc 0041F5B1h". See related instructions: "...
+14 call 004059B4h ;GetVersion
+19 mov ebx, eax
+21 cmp bl, 04h
+24 jnc 0041F5B1h" ... from GSAutoClicker_Setup.tmp (PID: 2028)
Found API call GetVersion@KERNEL32.DLL (Target: "GSAutoClicker_Setup.tmp"; Stream UID: "00133328-00002028-49905-920-004063F4")
which is directly followed by "cmp ax, 00000600h" and "je 00406445h". See related instructions: "...
+27 call 00405954h ;GetModuleHandleA
+32 mov edi, eax
+34 call 004059B4h ;GetVersion
+39 xchg al, ah
+41 xor ebx, ebx
+43 cmp ax, 00000600h
+47 je 00406445h" ... from GSAutoClicker_Setup.tmp (PID: 2028)
Found API call GetVersion@KERNEL32.DLL (Target: "GSAutoClicker_Setup.tmp"; Stream UID: "00133328-00002028-49905-748-0042E4EC")
which is directly followed by "cmp ax, 0005h" and "jc 0042E569h". See related instructions: "...
+71 xor eax, eax
+73 push ebp
+74 push 0042E6D0h
+79 push dword ptr fs:[eax]
+82 mov dword ptr fs:[eax], esp
+85 xor ebx, ebx
+87 call 004059B4h ;GetVersion
+92 and ax, 000000FFh
+96 cmp ax, 0005h
+100 jc 0042E569h" ... from GSAutoClicker_Setup.tmp (PID: 2028)
Found API call GetVersion@KERNEL32.DLL (Target: "GSAutoClicker_Setup.tmp"; Stream UID: "00133328-00002028-49905-1065-0045D3BC")
which is directly followed by "cmp ax, 0005h" and "jnc 0045D3F1h". See related instructions: "...
+26 call 004059B4h ;GetVersion
+31 and ax, 000000FFh
+35 cmp ax, 0005h
+39 jnc 0045D3F1h" ... from GSAutoClicker_Setup.tmp (PID: 2028)
Found API call GetVersion@KERNEL32.DLL (Target: "GSAutoClicker_Setup.tmp"; Stream UID: "00133328-00002028-49905-881-00419490")
which is directly followed by "cmp ax, 0004h" and "setnb byte ptr [0049D5C8h]". See related instructions: "...
+0 call 004059B4h ;GetVersion
+5 and ax, 000000FFh
+9 cmp ax, 0004h
+13 setnb byte ptr [0049D5C8h]" ... from PID 00002028
Found API call GetVersion@KERNEL32.DLL (Target: "GSAutoClicker_Setup.tmp"; Stream UID: "00133328-00002028-49905-1010-0046EE04")
which is directly followed by "cmp ax, 00000601h" and "jc 0046EE48h". See related instructions: "...
+10 call 004059B4h ;GetVersion
+15 xchg al, ah
+17 cmp ax, 00000601h
+21 jc 0046EE48h" ... from PID 00002028
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Possibly tries to implement anti-virtualization techniques
- details
-
"E@zEoPj,l@<v3ZYYdh@Eyiu_^[]nil*@SVF~tFpt#r^[@PUQSVWE@,pthEp3Uh@d0d EnK|C3PEZQGKu3ZYYdh@EtEB_^[Y]@xu3QUQSEE@x~ME3Uh^@d0d !oEX{3ZYYdhe@Et[Y]@H@@@@@@SVWRSL_^[@SVWQ,S _^[@Q,USVW3MUE3Uh@d0d E3Uhj@d0d ERN|-F3ME8WEPEQEZ8W0CNu3ZYYdhq@EWr3ZYYdh@Ezvr_^[]@UQSE@mtEEN3Uh@d0d ER8EQ43ZYYdh@EorE+[Y]@S{uQ(C[USVE@pt,E@]mt'EE@}E@R^[]USUEEPhl@EPh@UY@E[YY]StringsHxu3Q(@USVW3MMUE3Uhi@d0d EERER;u;N|0F3ME8WEPME8WUX@wuCNuE3ZYYdhp@EtpE_^[]USVW3]]M3Uh@d0d M8WQEMU8WM8WUQ0V MU0VMUS 3ZYYdh$@EtBp_^[]UPSVW3UE3Uhz@d0d ERu+3ESuE@tNFuE}t,CUE0VfvE33}"u v" (Indicator: "qemu"), "UdUCqEMUUR3ZYYdhhIE}t_^[]SVW@_^[USVW3]MUu}3UhjId0d E
rtu]CUt6hjIW6hjIUCWM3EMTuC;EugCUt6hjIWE6hjIUCM3YEMu" (Indicator: "qemu") - source
- String
- relevance
- 4/10
-
General
-
Contains ability to find and load resources of a specific module
- details
-
FindResourceA@KERNEL32.DLL from GSAutoClicker_Setup.exe (PID: 2244)
FindResourceA@KERNEL32.DLL from GSAutoClicker_Setup.exe (PID: 2244)
FindResourceA@KERNEL32.DLL from PID 00002028
FindResourceA@KERNEL32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
FindResourceA@KERNEL32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
FindResourceA@KERNEL32.DLL from PID 00002028
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Installation/Persistence
-
Creates/touches files in Windows directory
- details
-
"GSAutoClicker_Setup.tmp" created file "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\GS Auto Clicker"
"GSAutoClicker_Setup.tmp" created file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"GSAutoClicker_Setup.tmp" created file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"GSAutoClicker_Setup.tmp" created file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db"
"GSAutoClicker_Setup.tmp" created file "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\GS Auto Clicker\GS Auto Clicker.lnk"
"GSAutoClicker_Setup.tmp" created file "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\GS Auto Clicker\Uninstall GS Auto Clicker.lnk"
- source
- API Call
- relevance
- 7/10
-
Drops executable files
- details
- "GSAutoClicker_Setup.tmp" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- source
- Extracted File
- relevance
- 10/10
-
System Destruction
-
Opens file with deletion access rights
- details
-
"GSAutoClicker_Setup.tmp" opened "%PROGRAMFILES%\GSAutoClicker3\is-4D8BO.tmp" with delete access
"GSAutoClicker_Setup.tmp" opened "C:\Program Files\GSAutoClicker3\is-FMBD4.tmp" with delete access
"GSAutoClicker_Setup.tmp" opened "C:\Users\%USERNAME%\Documents\AutomaticSolution Software\GSAutoClicker\conf\is-BML6A.tmp" with delete access
"GSAutoClicker_Setup.tmp" opened "C:\Users\%USERNAME%\Documents\AutomaticSolution Software\GSAutoClicker\conf\is-QGIVE.tmp" with delete access
"GSAutoClicker_Setup.tmp" opened "C:\Program Files\GSAutoClicker3\conf\ext\is-EFG5A.tmp" with delete access
"GSAutoClicker_Setup.tmp" opened "C:\Program Files\GSAutoClicker3\conf\ext\is-OCJBU.tmp" with delete access
"GSAutoClicker_Setup.tmp" opened "C:\Program Files\GSAutoClicker3\conf\ext\is-MS1RB.tmp" with delete access
"GSAutoClicker_Setup.tmp" opened "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\GS Auto Clicker\GS Auto Clicker.lnk" with delete access
"GSAutoClicker_Setup.tmp" opened "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\GS Auto Clicker\GS Auto Clicker.pif" with delete access
"GSAutoClicker_Setup.tmp" opened "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\GS Auto Clicker\GS Auto Clicker.url" with delete access
"GSAutoClicker_Setup.tmp" opened "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\GS Auto Clicker\Uninstall GS Auto Clicker.lnk" with delete access
"GSAutoClicker_Setup.tmp" opened "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\GS Auto Clicker\Uninstall GS Auto Clicker.pif" with delete access
"GSAutoClicker_Setup.tmp" opened "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\GS Auto Clicker\Uninstall GS Auto Clicker.url" with delete access
"GSAutoClicker_Setup.tmp" opened "C:\Users\%USERNAME%\Desktop\GS Auto Clicker.lnk" with delete access
"GSAutoClicker_Setup.tmp" opened "C:\Users\%USERNAME%\Desktop\GS Auto Clicker.pif" with delete access
"GSAutoClicker_Setup.tmp" opened "C:\Users\%USERNAME%\Desktop\GS Auto Clicker.url" with delete access
- source
- API Call
- relevance
- 7/10
-
System Security
-
Contains ability to elevate privileges
- details
-
SetEntriesInAclW@ADVAPI32.DLL at 00133328-00002028-76F4228D-335943
SetSecurityDescriptorDacl@ADVAPI32.DLL at 00133328-00002028-76F4228D-335989
SetSecurityDescriptorDacl@ADVAPI32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
SetSecurityDescriptorDacl@ADVAPI32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Unusual Characteristics
-
CRC value set in PE header does not match actual value
- details
- "GSAutoClicker_Setup.tmp" claimed CRC 0 while the actual is CRC 951964
- source
- Static Parser
- relevance
- 10/10
-
Contains embedded string with suspicious keywords
- details
-
Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Open" which indicates: "May open a file"
Found suspicious keyword "Write" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
Found suspicious keyword "Environ" which indicates: "May read system environment variables"
Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
- source
- String
- relevance
- 10/10
-
Imports suspicious APIs
- details
-
VirtualAlloc
GetModuleHandleA
GetCommandLineA
WriteFile
GetFileSize
CreateFileA
RegOpenKeyExA
RegCloseKey
OpenProcessToken
VirtualProtect
Sleep
LockResource
LoadLibraryA
GetVersionExA
GetProcAddress
GetModuleFileNameA
GetFileAttributesA
FindResourceA
DeleteFileA
CreateProcessA
CreateDirectoryA
SetSecurityDescriptorDacl
RegEnumKeyExA
RegDeleteValueA
RegDeleteKeyA
RegCreateKeyExA
GetUserNameA
TerminateProcess
OpenProcess
LoadLibraryExA
GetTickCount
GetDriveTypeA
GetComputerNameA
FindNextFileA
FindFirstFileA
DeviceIoControl
CreateThread
CopyFileA
SetWindowsHookExA
GetWindowThreadProcessId
GetLastActivePopup
FindWindowA
ShellExecuteExA
ShellExecuteA
- source
- Static Parser
- relevance
- 1/10
-
Reads information about supported languages
- details
- "GSAutoClicker_Setup.tmp" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
-
Hiding 5 Suspicious Indicators
-
Informative 14
-
Anti-Reverse Engineering
-
Found strings in conjunction with a procedure lookup that resolve to a known API export symbol
- details
-
Found reference to API ShutdownBlockReasonDestroy@USER32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
Found reference to API MonitorFromWindow@USER32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
Found reference to API MonitorFromRect@USER32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
Found reference to API DisableProcessWindowsGhosting@USER32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
Found reference to API SHCreateItemFromParsingName@SHELL32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
Found reference to API NotifyWinEvent@USER32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
Found reference to API SHPathPrepareForWriteA@SHELL32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
Found reference to API VerSetConditionMask@NTDLL.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
Found reference to API SHPathPrepareForWriteA@SHELL32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
Found reference to API SHGetKnownFolderPath@SHELL32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
Found reference to API ChangeWindowMessageFilterEx@USER32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
Found reference to API ShutdownBlockReasonCreate@USER32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
Found reference to API ChangeWindowMessageFilter@USER32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
Found reference to API AllowSetForegroundWindow@USER32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
Found reference to API SHGetFolderPathA@SHELL32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
Found reference to API MonitorFromWindow@USER32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
Found reference to API UnRegisterTypeLib@OLEAUT32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
Found reference to API MonitorFromWindow@USER32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
Found reference to API ShutdownBlockReasonDestroy@USER32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
Found reference to API MonitorFromRect@USER32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Environment Awareness
-
Contains ability to query machine time
- details
-
GetSystemTime@KERNEL32.DLL from PID 00002244
GetSystemTime@KERNEL32.DLL from GSAutoClicker_Setup.exe (PID: 2244)
GetSystemTime@KERNEL32.DLL from PID 00002244
GetSystemTime@KERNEL32.DLL from GSAutoClicker_Setup.exe (PID: 2244)
GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00002028
GetSystemTime@KERNEL32.DLL from PID 00002028
GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00002028
GetSystemTimeAsFileTime@KERNEL32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
GetLocalTime@KERNEL32.DLL from PID 00002028
GetLocalTime@KERNEL32.DLL from PID 00002028
GetLocalTime@KERNEL32.DLL from PID 00002028
GetLocalTime@KERNEL32.DLL from PID 00002028
GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00002028
GetSystemTimeAsFileTime@KERNEL32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
GetSystemTimeAsFileTime@KERNEL32.DLL from PID 00002028
GetSystemTime@KERNEL32.DLL from PID 00002028
GetLocalTime@KERNEL32.DLL from PID 00002028
GetLocalTime@KERNEL32.DLL from PID 00002028
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query volume size
- details
-
GetDiskFreeSpaceExA@KERNEL32.DLL at 00133328-00002028-76F4228D-199783
GetDiskFreeSpaceExA@KERNEL32.DLL at 00133328-00002028-76F4228D-199796
GetDiskFreeSpaceA@KERNEL32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
GetDiskFreeSpaceA@KERNEL32.DLL from GSAutoClicker_Setup.tmp (PID: 2028)
- source
- Hybrid Analysis Technology
- relevance
- 3/10
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
- 0/55 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
General
-
Creates mutants
- details
-
"Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511"
"Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000"
- source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "GSAutoClicker_Setup.tmp" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
- source
- Extracted File
- relevance
- 10/10
-
Loads modules at runtime
- details
-
"GSAutoClicker_Setup.tmp" loaded module "%COMMONPROGRAMFILES%\MICROSOFT SHARED\INK\TIPTSF.DLL" at base 6FEB0000
"GSAutoClicker_Setup.tmp" loaded module "COMCTL32.DLL" at base 73EF0000
"GSAutoClicker_Setup.tmp" loaded module "%WINDIR%\SYSTEM32\EXPLORERFRAME.DLL" at base 711B0000
"GSAutoClicker_Setup.tmp" loaded module "C:\WINDOWS\SYSTEM32\SFC.DLL" at base 70240000
"GSAutoClicker_Setup.tmp" loaded module "SETUPAPI.DLL" at base 75600000
"GSAutoClicker_Setup.tmp" loaded module "DEVRTL.DLL" at base 74830000
"GSAutoClicker_Setup.tmp" loaded module "PROPSYS.DLL" at base 73DF0000
"GSAutoClicker_Setup.tmp" loaded module "C:\WINDOWS\SYSTEM32\PROPSYS.DLL" at base 73DF0000
"GSAutoClicker_Setup.tmp" loaded module "NTMARTA.DLL" at base 745C0000
"GSAutoClicker_Setup.tmp" loaded module "SHELL32.DLL" at base 75B30000
- source
- API Call
- relevance
- 1/10
-
Looks up procedures from modules (excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime)
- details
-
"DllGetClassObject@tiptsf.dll"
"DllCanUnloadNow@tiptsf.dll"
"ImmLockIMC@IMM32.DLL"
"ImmUnlockIMC@IMM32.DLL"
"ImmSetCompositionFontW@IMM32.DLL"
"ImmGetCompositionWindow@IMM32.DLL"
"ImmSetCompositionWindow@IMM32.DLL"
"GetHashInterface@bcryptprimitives.dll"
"DllGetClassObject@explorerframe.dll"
"DllCanUnloadNow@explorerframe.dll"
"SfcIsFileProtected@sfc.dll"
"PnpIsFilePnpDriver@SETUPAPI.dll"
"DevRtlGetThreadLogToken@DEVRTL.dll"
"PSCreateMemoryPropertyStore@propsys.dll"
"CM_Get_Device_Interface_List_Size_ExW@SETUPAPI.dll"
"CM_Get_Device_Interface_List_ExW@SETUPAPI.dll"
"DllGetClassObject@propsys.dll"
"DllCanUnloadNow@propsys.dll"
"InitializeSecurityDescriptor@advapi32.dll"
- source
- API Call
- relevance
- 1/10
-
Sample shows a variety of benign indicators
- details
-
The file was not detected as malicious, drops clean files and is signed with a certificate
- source
- Indicator Combinations
- relevance
- 10/10
-
The input sample is signed with a certificate
- details
-
The input sample is signed with a certificate issued by "CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE" (SHA1: C0:E4:9D:2D:7D:90:A5:CD:42:7F:02:D9:12:56:94:D5:D6:EC:5B:71; see report for more information)
The input sample is signed with a certificate issued by "CN=GlobalSign Timestamping CA - G2, O=GlobalSign nv-sa, C=BE" (SHA1: B3:63:08:B4:D4:CD:ED:4F:CF:BD:66:B9:55:FA:E3:BF:B1:2C:29:E6; see report for more information)
The input sample is signed with a certificate issued by "CN=StartCom Class 2 Object CA, OU=StartCom Certification Authority, O=StartCom Ltd., C=IL" (SHA1: 52:E2:E2:6A:4A:99:9F:5D:F7:93:35:3C:49:26:26:F3:5B:85:C7:E3; see report for more information)
The input sample is signed with a certificate issued by "CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL" (SHA1: 1F:64:21:C1:76:CF:03:ED:52:CC:37:F2:1B:58:7F:16:6C:EB:82:8B; see report for more information)
The input sample is signed with a certificate issued by "CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL" (SHA1: 3E:2B:F7:F2:03:1B:96:F3:8C:E6:C4:D8:A8:5D:3E:2D:58:47:6A:0F; see report for more information)
- source
- Certificate Data
- relevance
- 10/10
-
Installation/Persistence
-
Contains ability to look up the Windows account name
- details
-
GetUserNameA@ADVAPI32.DLL from PID 00002028
GetUserNameA@ADVAPI32.DLL from PID 00002028
- source
- Hybrid Analysis Technology
- relevance
- 5/10
-
Dropped files
- details
-
"GSAutoClicker_Setup.tmp" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"is-4D8BO.tmp" has type "data"
"is-FMBD4.tmp" has type "data"
"is-BML6A.tmp" has type "data"
"is-QGIVE.tmp" has type "data"
"is-EFG5A.tmp" has type "data"
"is-OCJBU.tmp" has type "data"
"is-MS1RB.tmp" has type "data"
"GS Auto Clicker.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Description string Has Relative path Has Working directory Archive ctime=Sat Apr 23 22:53:12 2016 mtime=Sat Apr 23 22:53:12 2016 atime=Sat Apr 16 08:14:24 2016 length=946184 window=hide"
"Uninstall GS Auto Clicker.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Description string Has Relative path Has Working directory Archive ctime=Sat Apr 23 22:53:09 2016 mtime=Sat Apr 23 22:53:09 2016 atime=Sat Apr 23 22:49:53 2016 length=725157 window=hide"
"unins000.dat" has type "data"
- source
- Extracted File
- relevance
- 3/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "https://www.globalsign.com/repository/03"
Pattern match: "http://crl.globalsign.net/root.crl0"
Pattern match: "https://www.globalsign.com/repository/0"
Pattern match: "crl.globalsign.com/gs/gstimestampingg2.crl0T"
Pattern match: "secure.globalsign.com/cacert/gstimestampingg2.crt0"
Pattern match: "http://ocsp.startssl.com07"
Pattern match: "http://aia.startssl.com/certs/sca.code2.crt06"
Pattern match: "http://crl.startssl.com/sca-code2.crl0#"
Pattern match: "http://www.startssl.com/0P"
Pattern match: "http://www.startssl.com/policy0"
Pattern match: "http://crl.startssl.com/sfsca.crl0f"
Pattern match: "http://ocsp.startssl.com00"
Pattern match: "http://aia.startssl.com/certs/ca.crt0"
Pattern match: "http://cert.startcom.org/sfsca-crl.crl0+"
Pattern match: "http://crl.startcom.org/sfsca-crl.crl0"
Pattern match: "http://cert.startcom.org/policy.pdf05"
Pattern match: "http://cert.startcom.org/intermediate.pdf0"
Pattern match: "http://cert.startcom.org/policy.pdf0"
Pattern match: "http://www.goldensoft.org"
Heuristic match: "goldensoft.org"
- source
- String
- relevance
- 10/10
-
Unusual Characteristics
-
Found Delphi 4 - Delphi 2006 artifact
- details
-
"GSAutoClicker_Setup.exe.bin" has a PE timestamp using the buggy magic timestamp 0x2A425E19. The real compilation date is probably
"GSAutoClicker_Setup.tmp" has a PE timestamp using the buggy magic timestamp 0x2A425E19. The real compilation date is probably Thu Jun 5 04:33:26 2008
- source
- Static Parser
- relevance
- 10/10
File Details
GSAutoClicker-Setup.exe
- Filename
- GSAutoClicker-Setup.exe
- Size
- 879KiB (900560 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 7aaa05ad28304054003d25819c3483c158f816fa642a5dab644e125d86db9e60
- MD5
- 652b47858a01d22ac884acae626bfbd0
- SHA1
- a040704e422e9d00214e4101f6347fada31f8bae
- ssdeep
- 24576:17blmFd6FzNWpylbpspF00kaOSVRX467aRq8Imj4Y2:175MANW4MpFph/+sm8Y2
- imphash
- 2fb819a19fe4dee5c03e8c6a79342f79
- authentihash
- 22200187f85aa1d8361aaf94195f4061c29c41c09077dddf22afdebe02351139
Version Info
- LegalCopyright
- www.goldensoft.org
- FileVersion
- GS Auto Clicker V3.1
- CompanyName
- goldensoft.org
- Comments
- This installation was built with Inno Setup.
- ProductName
- GS Auto Clicker
- ProductVersion
- V3.1.3
- FileDescription
- GS Auto Clicker
- Translation
- 0x0000 0x04b0
Classification (TrID)
- 86.4% (.EXE) Inno Setup installer
- 5.1% (.DLL) Win32 Dynamic Link Library (generic)
- 3.5% (.EXE) Win32 Executable (generic)
- 1.6% (.EXE) Win16/32 Executable Delphi generic
- 1.5% (.EXE) Generic Win/DOS Executable
File Sections
File Imports
File Certificates
Owner | Issuer | Validity | Hashes (MD5, SHA1) |
---|---|---|---|
CN=GlobalSign Timestamping CA - G2, O=GlobalSign nv-sa, C=BE | CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE Serial: 400000000012f4ee152d7 | 04/13/2011 05:00:00 to 01/28/2028 06:00:00 | MD5 95:C7:FF:05:1A:81:D4:5B:FA:80:B2:CA:4D:92:4F:A0; SHA1 C0:E4:9D:2D:7D:90:A5:CD:42:7F:02:D9:12:56:94:D5:D6:EC:5B:71 |
CN=GlobalSign TSA for MS Authenticode - G2, O=GMO GlobalSign Pte Ltd, C=SG | CN=GlobalSign Timestamping CA - G2, O=GlobalSign nv-sa, C=BE Serial: 112106a081d33fd87ae5824cc16b52094e03 | 02/02/2015 18:00:00 to 03/02/2026 18:00:00 | MD5 F5:42:28:BB:F6:BD:67:C6:A5:50:95:79:26:76:4E:D4; SHA1 B3:63:08:B4:D4:CD:ED:4F:CF:BD:66:B9:55:FA:E3:BF:B1:2C:29:E6 |
CN=Yang Cai, O=Yang Cai, L=NanChong, ST=Sichuan, C=CN | CN=StartCom Class 2 Object CA, OU=StartCom Certification Authority, O=StartCom Ltd., C=IL Serial: 13a87ca7dcd4db8ca85d41e9da4cad73 | 04/08/2016 05:37:46 to 04/08/2018 05:37:46 | MD5 1E:79:3D:FF:C0:9E:B0:2F:44:4A:F7:9B:AB:2F:21:61; SHA1 52:E2:E2:6A:4A:99:9F:5D:F7:93:35:3C:49:26:26:F3:5B:85:C7:E3 |
CN=StartCom Class 2 Object CA, OU=StartCom Certification Authority, O=StartCom Ltd., C=IL | CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL Serial: 6c3bd27edd3c949e958e28a9b3c757a0 | 12/15/2015 19:00:05 to 12/15/2030 19:00:05 | MD5 F5:36:51:02:6C:7D:89:17:36:13:D8:62:09:13:73:2F; SHA1 1F:64:21:C1:76:CF:03:ED:52:CC:37:F2:1B:58:7F:16:6C:EB:82:8B |
CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL | CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL Serial: 1 | 09/17/2006 14:46:36 to 09/17/2036 14:46:36 | MD5 22:4D:8F:8A:FC:F7:35:C2:BB:57:34:90:7B:8B:22:16; SHA1 3E:2B:F7:F2:03:1B:96:F3:8C:E6:C4:D8:A8:5D:3E:2D:58:47:6A:0F |
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
- GSAutoClicker_Setup.exe (PID: 2244)
- GSAutoClicker_Setup.tmp /SL5="$300CE,642235,57856,%SAMPLEDIR%\GSAutoClicker_Setup.exe" (PID: 2028)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
http://www.remobjects.com/ps | Domain/IP reference | 00133328-00002028-49905-3225-00483598 |
http://www.innosetup.com/ | Domain/IP reference | 00133328-00002028-49905-3225-00483598 |
Extracted Strings
Extracted Files
Clean 1
GSAutoClicker_Setup.tmp
- Size
- 697KiB (713728 bytes)
- Type
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/80
- MD5
- 832dab307e54aa08f4b6cdd9b9720361
- SHA1
- ebd007fb7482040ecf34339e4bf917209c1018df
- SHA256
- cc783a04ccbca4edd06564f8ec88fe5a15f1e3bb26cec7de5e090313520d98f3
Informative 10
GS Auto Clicker.lnk
- Size
- 2.1KiB (2154 bytes)
- Type
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Sat Apr 23 22:53:12 2016, mtime=Sat Apr 23 22:53:12 2016, atime=Sat Apr 16 08:14:24 2016, length=946184, window=hide
- MD5
- 618e15c99ed44b08e6e47b6f9e2c329e
- SHA256
- 96182e8a7ff637f0a6a2b4141b51b9557ee966e7b3f134ea6b8ddb1039e2c5a6
-
Uninstall GS Auto Clicker.lnk
- Size
- 1.1KiB (1081 bytes)
- Type
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Sat Apr 23 22:53:09 2016, mtime=Sat Apr 23 22:53:09 2016, atime=Sat Apr 23 22:49:53 2016, length=725157, window=hide
- MD5
- 1dc459f057b41c595d4f3e993c2e21e9
- SHA256
- 5c6f6cb3e33d362254a5752e0627598fd7ab7d2b3fcbb48d207e124087426828
-
is-EFG5A.tmp
- Size
- 63KiB (64076 bytes)
- Type
- data
- MD5
- 502fcc7ba8096f043f236994c00d5acb
- SHA1
- 150b8c3d0a1e04a1f95ec0162959b30b674cfe71
- SHA256
- 46f37694e5dd7b6efa760f5e7ae4e6b6c74fcc6648a5869a23eccf5268d48f7f
-
is-MS1RB.tmp
- Size
- 98KiB (99920 bytes)
- Type
- data
- MD5
- 1b093e96e2c5aaf0c815267fc23dd9c2
- SHA1
- fac7b8a80772f754370935484e9f8a6a37002892
- SHA256
- fe9001ab369862d0e2f7271102490c48836d65e92f7f9f6ea1fc083d152635e8
-
is-OCJBU.tmp
- Size
- 4.5KiB (4642 bytes)
- Type
- data
- MD5
- 803a8ca90d6e81a54311489fe838cdff
- SHA1
- 786466e3f65e20b3dca8a8515b3c78599f4eb759
- SHA256
- e70367030885433a39cdf5ca138ead98316fb3360727e00a37fe90559b22ef25
-
is-4D8BO.tmp
- Size
- 1.4MiB (1438889 bytes)
- Type
- data
- MD5
- 3d5e7193371afeecaad4ec1b47f779fb
- SHA1
- 948dad62e2f2aa48cd9af7cafff8351e2bb32404
- SHA256
- 1289949ec9d2afd3596fb1ac34890255361225db2ad1fd29acc07fbfb71bc580
-
is-FMBD4.tmp
- Size
- 1.8MiB (1892368 bytes)
- Type
- data
- MD5
- 7d401fc21df1d31b54a79beb9dd00c65
- SHA1
- de7823b0f75fb4576da155bfd3ef587e820b3003
- SHA256
- 266e21d5b49115516659d3d4424be0947cd5d1190e17e7794e4e49616675eaf9
-
unins000.dat
- Size
- 2.7KiB (2805 bytes)
- Type
- data
- MD5
- c44638abc6d47a0f342d2e19960ca0c2
- SHA1
- 9412bd6275243a085e014c9802fe15243437bbf5
- SHA256
- 512250cc94172144bc72ce22292d7bd5aa7f25cfcad5ddb053ea32e160dcf7d4
-
is-BML6A.tmp
- Size
- 524B (524 bytes)
- Type
- data
- MD5
- dd6d41627beb00df6c7f01a61c25477a
- SHA1
- 4b6b4257673d6e09bf4aaf975166a868e953366f
- SHA256
- 334407e44315be885dc339dfd887ce6c6decd2210856a2401055b43ac8bf8177
-
is-QGIVE.tmp
- Size
- 12B (12 bytes)
- Type
- data
- MD5
- 589d5b2beeef87dfcbfff696b0c4ac71
- SHA1
- d4d31d3782365f5955575111049d5279b4fb3845
- SHA256
- a2c72b0b8b28e3336bedfda7bf316ff8013fa9b38d77025f332f2649476740aa
Notifications
Runtime
- Added comment to Virus Total report
- Dropped file "is-4D8BO.tmp" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/1289949ec9d2afd3596fb1ac34890255361225db2ad1fd29acc07fbfb71bc580/analysis/1461426958/")
- Not all sources for signature ID "api-7" are available in the report
- Not all sources for signature ID "api-8" are available in the report
- Not all sources for signature ID "stream-3" are available in the report
- Not all sources for signature ID "stream-39" are available in the report
- Not all sources for signature ID "stream-41" are available in the report
- Not all sources for signature ID "string-21" are available in the report
- Not all sources for signature ID "string-3" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)