IronPortable_49.0.2600.0.paf.exe
This report was generated from a file or URL submitted to this web service on April 7th 2016 06:57:44 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v3.41 © Hybrid Analysis
Attention: this analysis ran with the legacy Usermode Monitor. It is highly recommended to use the Kernelmode Monitor.
Incident Response
Risk Assessment
- Remote Access
- Contains a remote desktop related string
Indicators
-
Malicious Indicators 6
-
Exploit/Shellcode
-
Contains escaped byte string (often part of obfuscated shellcode) — the quoted detail below is dominated by build paths (d:\google\iron1\src\...) and regular-expression patterns, which should be weighed when assessing this indicator
- details
-
"(\d)(\d{4})(\d{4})$1 $2 $3"*0NANANANANANANANAMUUdMNQQrartPasswordManager.SyncCredentialFilteredPasswordManager_SyncCredentialUsedAutofillSyncCredentialDisallowSyncCredentialsForReauthDisallowSyncCredentialsSUUUU TUUSS`oq`ss=======W=+Navigation.MainFrameSchemeNavigation.MainFrameSchemeDifferentPage`ldd:\google\iron1\src\components\autofill\content\browser\risk\fingerprint.cc`d`dautofill::risk::`anonymous-namespace'::FingerprintDataLoader::FingerprintDataLoaderddddedddddeddddde<e`5<e5eddedp\ddeeee5edddddddddddedp` t@pX@d:\google\iron1\src\components\password_manager\content\browser\credential_manager_dispatcher.cc_IpcMessageHandlerClass::OnStore_IpcMessageHandlerClass::OnRequireUserMediation_IpcMessageHandlerClass::OnRequestCredentialP0m ` pPP0p0jp@Pp0d:\google\iron1\src\out\release\gen\protoc_out\chrome\browser\sync_file_system\drive_backend\metadata_database.pb.ccsync_file_system.drive_backend.ServiceMetadatasync_file_system.drive_backend.FileDetailssync_file_system.drive_backend.FileMetadatasync_file_system.drive_backend.FileTrackerp0Drive.UploadProtocold:\google\iron1\src\components\drive\drive_uploader.ccdrive::DriveUploader::StartUploadFile(\bCell ID: ')([0-9a-fA-F]+)(')(\bLocation area code: ')([0-9a-fA-F]+)(')(?i-s)(\bssid[= ]')(.+)(')(?-s)(\bSSID - hexdump\(len=[0-9]+\): 
)(.+)()(?-s)(\[SSID=)(.+?)(\])(?i)((?:http|https|ftp|chrome|chrome-extension|android|rtsp):(?://(?:(?:(?:[-a-z0-9._~]|[\x{A0}-\x{D7FF}\x{F900}-\x{FDCF}\x{FDF0}-\x{FFEF}\x{10000}-\x{1FFFD}\x{20000}-\x{2FFFD}\x{30000}-\x{3FFFD}\x{40000}-\x{4FFFD}\x{50000}-\x{5FFFD}\x{60000}-\x{6FFFD}\x{70000}-\x{7FFFD}\x{80000}-\x{8FFFD}\x{90000}-\x{9FFFD}\x{A0000}-\x{AFFFD}\x{B0000}-\x{BFFFD}\x{C0000}-\x{CFFFD}\x{D0000}-\x{DFFFD}\x{E1000}-\x{EFFFD}])|%[0-9a-f][0-9a-f]|[!$&'()*+,;=]|:)*@)?(?:\[(?:(?:(?:(?:[0-9a-f]){1,4}:){6}(?:(?:[0-9a-f]){1,4}:(?:[0-9a-f]){1,4}|(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9]))|::(?:(?:[0-9a-f]){1,4}:){5}(?:(?:[0-9a-f]){1,4}:(?:[0-9a-f]){1,4}|(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9]))|(?:(?:[0-9a-f]){1,4})?::(?:(?:[0-9a-f]){1,4}:){4}(?:(?:[0-9a-f]){1,4}:(?:[0-9a-f]){1,4}|(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9]))|(?:(?:(?:[0-9a-f]){1,4}:){0,1}(?:[0-9a-f]){1,4})?::(?:(?:[0-9a-f]){1,4}:){3}(?:(?:[0-9a-f]){1,4}:(?:[0-9a-f]){1,4}|(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9]))|(?:(?:(?:[0-9a-f]){1,4}:){0,2}(?:[0-9a-f]){1,4})?::(?:(?:[0-9a-f]){1,4}:){2}(?:(?:[0-9a-f]){1,4}:(?:[0-9a-f]){1,4}|(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0
-9]|25[0-9]))|(?:(?:(?:[0-9a-f]){1,4}:){0,3}(?:[0-9a-f]){1,4})?::(?:(?:[0-9a-f]){1,4}:)(?:(?:[0-9a-f]){1,4}:(?:[0-9a-f]){1,4}|(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9]))|(?:(?:(?:[0-9a-f]){1,4}:){0,4}(?:[0-9a-f]){1,4})?::(?:(?:[0-9a-f]){1,4}:(?:[0-9a-f]){1,4}|(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9]))|(?:(?:(?:[0-9a-f]){1,4}:){0,5}(?:[0-9a-f]){1,4})?::(?:[0-9a-f]){1,4}|(?:(?:(?:[0-9a-f]){1,4}:){0,6}(?:[0-9a-f]){1,4})?::)|v[0-9a-f]+\.(?:[-a-z0-9._~]|[!$&'()*+
;=]|:)+)\]|(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])|(?:(?:[-a-z0-9._~]|[\x{A0}-\x{D7FF}\x{F900}-\x{FDCF}\x{FDF0}-\x{FFEF}\x{10000}-\x{1FFFD}\x{20000}-\x{2FFFD}\x{30000}-\x{3FFFD}\x{40000}-\x{4FFFD}\x{50000}-\x{5FFFD}\x{60000}-\x{6FFFD}\x{70000}-\x{7FFFD}\x{80000}-\x{8FFFD}\x{90000}-\x{9FFFD}\x{A0000}-\x{AFFFD}\x{B0000}-\x{BFFFD}\x{C0000}-\x{CFFFD}\x{D0000}-\x{DFFFD}\x{E1000}-\x{EFFFD}])|%[0-9a-f][0-9a-f]|[!$&'()*+,;=])*)(?::[0-9]*)?(?:/(?:(?:[-a-z0-9._~]|[\x{A0}-\x{D7FF}\x{F900}-\x{FDCF}\x{FDF0}-\x{FFEF}\x{10000}-\x{1FFFD}\x{20000}-\x{2FFFD}\x{30000}-\x{3FFFD}\x{40000}-\x{4FFFD}\x{50000}-\x{5FFFD}\x{60000}-\x{6FFFD}\x{70000}-\x{7FFFD}\x{80000}-\x{8FFFD}\x{90000}-\x{9FFFD}\x{A0000}-\x{AFFFD}\x{B0000}-\x{BFFFD}\x{C0000}-\x{CFFFD}\x{D0000}-\x{DFFFD}\x{E1000}-\x{EFFFD}])|%[0-9a-f][0-9a-f]|[!$&'()*+
;=]|[:@])*)*|/(?:(?:(?:[-a-z0-9._~]|[\x{A0}-\x{D7FF}\x{F900}-\x{FDCF}\x{FDF0}-\x{FFEF}\x{10000}-\x{1FFFD}\x{20000}-\x{2FFFD}\x{30000}-\x{3FFFD}\x{40000}-\x{4FFFD}\x{50000}-\x{5FFFD}\x{60000}-\x{6FFFD}\x{70000}-\x{7FFFD}\x{80000}-\x{8FFFD}\x{90000}-\x{9FFFD}\x{A0000}-\x{AFFFD}\x{B0000}-\x{BFFFD}\x{C0000}-\x{CFFFD}\x{D0000}-\x{DFFFD}\x{E1000}-\x{EFFFD}])|%[0-9a-f][0-9a-f]|[!$&'()*+,;=]|[:@])+(?:/(?:(?:[-a-z0-9._~]|[\x{A0}-\x{D7FF}\x{F900}-\x{FDCF}\x{FDF0}-\x{FFEF}\x{10000}-\x{1FFFD}\x{20000}-\x{2FFFD}\x{30000}-\x{3FFFD}\x{40000}-\x{4FFFD}\x{50000}-\x{5FFFD}\x{60000}-\x{6FFFD}\x{70000}-\x{7FFFD}\x{80000}-\x{8FFFD}\x{90000}-\x{9FFFD}\x{A0000}-\x{AFFFD}\x{B0000}-\x{BFFFD}\x{C0000}-\x{CFFFD}\x{D0000}-\x{DFFFD}\x{E1000}-\x{EFFFD}])|%[0-9a-f][0-9a-f]|[!$&'()*+
;=]|[:@])*)*)?|(?:(?:[-a-z0-9._~]|[\x{A0}-\x{D7FF}\x{F900}-\x{FDCF}\x{FDF0}-\x{FFEF}\x{10000}-\x{1FFFD}\x{20000}-\x{2FFFD}\x{30000}-\x{3FFFD}\x{40000}-\x{4FFFD}\x{50000}-\x{5FFFD}\x{60000}-\x{6FFFD}\x{70000}-\x{7FFFD}\x{80000}-\x{8FFFD}\x{90000}-\x{9FFFD}\x{A0000}-\x{AFFFD}\x{B0000}-\x{BFFFD}\x{C0000}-\x{CFFFD}\x{D0000}-\x{DFFFD}\x{E1000}-\x{EFFFD}])|%[0-9a-f][0-9a-f]|[!$&'()*+,;=]|[:@])+(?:/(?:(?:[-a-z0-9._~]|[\x{A0}-\x{D7FF}\x{F900}-\x{FDCF}\x{FDF0}-\x{FFEF}\x{10000}-\x{1FFFD}\x{20000}-\x{2FFFD}\x{30000}-\x{3FFFD}\x{40000}-\x{4FFFD}\x{50000}-\x{5FFFD}\x{60000}-\x{6FFFD}\x{70000}-\x{7FFFD}\x{80000}-\x{8FFFD}\x{90000}-\x{9FFFD}\x{A0000}-\x{AFFFD}\x{B0000}-\x{BFFFD}\x{C0000}-\x{CFFFD}\x{D0000}-\x{DFFFD}\x{E1000}-\x{EFFFD}])|%[0-9a-f][0-9a-f]|[!$&'()*+
;=]|[:@])*)*)(?:\?(?:(?:(?:[-a-z0-9._~]|[\x{A0}-\x{D7FF}\x{F900}-\x{FDCF}\x{FDF0}-\x{FFEF}\x{10000}-\x{1FFFD}\x{20000}-\x{2FFFD}\x{30000}-\x{3FFFD}\x{40000}-\x{4FFFD}\x{50000}-\x{5FFFD}\x{60000}-\x{6FFFD}\x{70000}-\x{7FFFD}\x{80000}-\x{8FFFD}\x{90000}-\x{9FFFD}\x{A0000}-\x{AFFFD}\x{B0000}-\x{BFFFD}\x{C0000}-\x{CFFFD}\x{D0000}-\x{DFFFD}\x{E1000}-\x{EFFFD}])|%[0-9a-f][0-9a-f]|[!$&'()*+,;=]|[:@])|[\x{E000}-\x{F8FF}\x{F0000}-\x{FFFFD}\x{100000}-\x{10FFFD}]|[/?])*)?(?:#(?:(?:(?:[-a-z0-9._~]|[\x{A0}-\x{D7FF}\x{F900}-\x{FDCF}\x{FDF0}-\x{FFEF}\x{10000}-\x{1FFFD}\x{20000}-\x{2FFFD}\x{30000}-\x{3FFFD}\x{40000}-\x{4FFFD}\x{50000}-\x{5FFFD}\x{60000}-\x{6FFFD}\x{70000}-\x{7FFFD}\x{80000}-\x{8FFFD}\x{90000}-\x{9FFFD}\x{A0000}-\x{AFFFD}\x{B0000}-\x{BFFFD}\x{C0000}-\x{CFFFD}\x{D0000}-\x{DFFFD}\x{E1000}-\x{EFFFD}])|%[0-9a-f][0-9a-f]|[!$&'()*+
;=]|[:@])|[/?])*)?)(?i)([0-9a-z._%+-]+@[a-z0-9.-]+\.[a-z]{2,6})IPv4(?i)((?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9]))IPv6(?i)((?:(?:(?:[0-9a-f]){1
4}:){6}(?:(?:[0-9a-f]){1
4}:(?:[0-9a-f]){1
4}|(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9]))|::(?:(?:[0-9a-f]){1
4}:){5}(?:(?:[0-9a-f]){1
4}:(?:[0-9a-f]){1
4}|(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9]))|(?:(?:[0-9a-f]){1
4})?::(?:(?:[0-9a-f]){1
4}:){4}(?:(?:[0-9a-f]){1
4}:(?:[0-9a-f]){1
4}|(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9]))|(?:(?:(?:[0-9a-f]){1
4}:){0
1}(?:[0-9a-f]){1
4})?::(?:(?:[0-9a-f]){1
4}:){3}(?:(?:[0-9a-f]){1
4}:(?:[0-9a-f]){1
4}|(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9]))|(?:(?:(?:[0-9a-f]){1
4}:){0
2}(?:[0-9a-f]){1
4})?::(?:(?:[0-9a-f]){1
4}:){2}(?:(?:[0-9a-f]){1
4}:(?:[0-9a-f]){1
4}|(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9]))|(?:(?:(?:[0-9a-f]){1
4}:){0
3}(?:[0-9a-f]){1
4})?::(?:(?:[0-9a-f]){1
4}:)(?:(?:[0-9a-f]){1
4}:(?:[0-9a-f]){1
4}|(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9]))|(?:(?:(?:[0-9a-f]){1
4}:){0
4}(?:[0-9a-f]){1
4})?::(?:(?:[0-9a-f]){1
4}:(?:[0-9a-f]){1
4}|(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9])\.(?:[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-9]))|(?:(?:(?:[0-9a-f]){1
4}:){0
5}(?:[0-9a-f]){1
4})?::(?:[0-9a-f]){1
4}|(?:(?:(?:[0-9a-f]){1
4}:){0
6}(?:[0-9a-f]){1
4})?::))argc >= 1d:\google\iron1\src\components\feedback\anonymizer_tool.ccargc <= 3([0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]):([0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F])%s:%02x:%02x:%02x<%s: %s>(P,P30*pDPc`bdj( ,03+*0.)3@md:\google\iron1\src\out\release\gen\protoc_out\chrome\browser\profile_resetter\profile_reset_report.pb.ccreset_report.ChromeResetReport.Extensionreset_report.ChromeResetReportNDFAPI.DLLF*'UB5KQ.W?P?XCq?KAR?p??B.?K>@+eG?9B.?l?x5@Vbad exception????8A8A@G@GBBVYP9?VYP9?RANRAN4?4?c*GPc*GPb?b?AiFC.AiFC.Wdy>Wdy>1gU?1gU?wNo?wNo?k?k???9B.?9B.?0C0C99@@`@`@??@G?@?@?@?I???@(?@x?@?!?y??2???]??2?????@w??r??@x}?@w?r?@m?g?5b?\?`W?Q?L?4G?A?y<? 7?1?t,?"'?@!?@?<?@??@l?
??@?z?@D?@??@??Y?@2?@" - source
- String
- relevance
- 3/10
-
Contains escaped byte string (often part of obfuscated shellcode)
-
Installation/Persistence
-
Writes a PE file header to disc
- details
-
"<Input Sample>" wrote 5632 bytes starting with PE header signature to file "%TEMP%\nso4252.tmp\LangDLL.dll": 4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000d80000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
"<Input Sample>" wrote 11776 bytes starting with PE header signature to file "(unnamed)": 4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000e00000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
"<Input Sample>" wrote 4096 bytes starting with PE header signature to file "(unnamed)": 4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000d00000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
"<Input Sample>" wrote 9728 bytes starting with PE header signature to file "(unnamed)": 4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000c80000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
"<Input Sample>" wrote 2560 bytes starting with PE header signature to file "%TEMP%\nso4252.tmp\modern-wizard.bmp": 4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000c00000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
"<Input Sample>" wrote 16384 bytes starting with PE header signature to file "\Device\Mup\192.168.56.1\VM10\VxStream\": 4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000d00000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
"<Input Sample>" wrote 16384 bytes starting with PE header signature to file "\Device\Mup\192.168.56.1\VM10\VxStream\": 4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000f80000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
"<Input Sample>" wrote 11776 bytes starting with PE header signature to file "\Device\Mup\192.168.56.1\VM10\VxStream\": 4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000d00000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ...
"<Input Sample>" wrote 12288 bytes starting with PE header signature to file "\Device\Mup\192.168.56.1\VM10\IronPortable": 4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000d80000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000 ... - source
- API Call
- relevance
- 1/10
-
Writes a PE file header to disc
-
Unusual Characteristics
-
Contains ability to reboot/shutdown the operating system
- details
-
ExitWindowsEx@USER32.DLL from IronPortable_49.0.2600.0.paf.exe (PID: 2684) (Show Stream)
ExitWindowsEx@USER32.DLL from IronPortable_49.0.2600.0.paf.exe (PID: 2684) (Show Stream) - source
- StaticStream (Disassembly)
- relevance
- 5/10
-
Contains embedded string that indicates auto-execute behavior
- details
- Found keyword "AutoClose" which indicates: "Runs when the Word document is closed"
- source
- String
- relevance
- 10/10
-
Detected known bank URL artifact
- details
- "4KPM0P,R2|SB|SMU>DB>BHDFG dI>Global Sun TechnologyEmbedded Wireless Technology Co., LtdShuttle, Inc.A835/E1000 GSM Phone (AT)Harmonix Guitar for PlayStation(R)3Portstation Dual PS/2 PortiPod Nano 7.GenTSP100ECO/TSP100IIK300 Series9300 seriesDeskJet 980cDongguan ChingLung Wire & Cable Co., Ltd.Computone Corp.American Power ConversionC350L/C450 (P2K)SM-MS/Pro-MMC-XD Card ReaderHarmonix Drum Kit for PlayStation(R)3NoteTakerController Board for Projected Capacitive Touch Screen DUS30001 port to Serial ConverterMT9234ZBA-USB MultiModem ZBAApple Mobile Device [Recovery Mode]Xlive Bluetooth XBM-100S MP3 PlayerL200 SeriesSmartMedia Card Reader Firmware LoaderX340 ScannerScanJet 4670vtDDEGG!,IJ" (Source: nsi40AB.tmp, Indicator: "td.com")
- source
- String
- relevance
- 8/10
-
References suspicious system modules
- details
-
"csrss.exe"
"lsass.exe" - source
- String
- relevance
- 5/10
-
Contains ability to reboot/shutdown the operating system
-
Suspicious Indicators 17
-
Anti-Detection/Stealthiness
-
Sets the process error mode to suppress error box
- details
- "<Input Sample>" set its error mode to SEM_NOOPENFILEERRORBOX
- source
- API Call
- relevance
- 8/10
-
Sets the process error mode to suppress error box
-
Environment Awareness
-
Contains ability to query the machine version
- details
-
GetVersion@KERNEL32.DLL from IronPortable_49.0.2600.0.paf.exe (PID: 2684) (Show Stream)
GetVersion@KERNEL32.DLL from IronPortable_49.0.2600.0.paf.exe (PID: 2684) (Show Stream)
GetVersion@KERNEL32.DLL from IronPortable_49.0.2600.0.paf.exe (PID: 2684) (Show Stream)
GetVersion@KERNEL32.DLL from IronPortable_49.0.2600.0.paf.exe (PID: 2684) (Show Stream) - source
- StaticStream (Disassembly)
- relevance
- 1/10
-
Makes a branch decision directly after calling an API that is environment aware
- details
-
Found API call GetVersion@KERNEL32.DLL (Target: "IronPortable_49.0.2600.0.paf.exe"; Stream UID: "00328609-00002684-55866-1-004033B6")
which is directly followed by "cmp ax, 00000006h" and "je 004033FBh". See related instructions: "...
+34 call dword ptr [004080B4h] ;SetErrorMode
+40 call dword ptr [004080B0h] ;GetVersion
+46 cmp ax, 00000006h
+50 je 004033FBh" ... from IronPortable_49.0.2600.0.paf.exe (PID: 2684) (Show Stream)
Found API call GetVersion@KERNEL32.DLL (Target: "IronPortable_49.0.2600.0.paf.exe"; Stream UID: "00328609-00002684-60923-1-004033B6")
which is directly followed by "cmp ax, 00000006h" and "je 004033FBh". See related instructions: "...
+40 call dword ptr [004080B0h] ;GetVersion
+46 cmp ax, 00000006h
+50 je 004033FBh" ... from IronPortable_49.0.2600.0.paf.exe (PID: 2684) (Show Stream) - source
- StaticStream (Disassembly)
- relevance
- 10/10
-
Possibly tries to implement anti-virtualization techniques
- details
-
"uEPjQeMU:9_wt}~|@;\$}]9\$|8F" (Indicator: "qemu")
"UQEMUSXdVS" (Indicator: "qemu")
"X8.72{UEVWQEMuEt:N~+5~t"]6tt3W6Vo3_^]UQVEtjP^]UVtuMu6^]j)3t9u'MNtuN*5Q0^]Q30^]UVWjQ}jE3t3@P@@@x3PM)5EEPb^6PjPhkhkM]WPjM)5tvN)5~t"6tt3W6V3:uEEtQE`8EP9uEt:Nj)5~t"I6tt3W6V[3_^]USVu3WQ]8^uhmh~hmL4tL4FFFv_^[]UEVWQEuEt:N(5~t"n6tt3W6V3_^]UQEVEp@uEt<WN(5~t"6tt3WI6V3_^]U0EESVWptNEPM$j" (Indicator: "qemu"), "ju.j*t0Pp3|/Rjjj|EPPP!c=P/R|/RMQPlyyr;BPhQus3}ru)t-hM9EPS}ruW)C(K(RPj;mtV)[M_3^Kq]U$63EVEMPMjMH?EPjEPvM?MM3^DKq]UQEMUPQRE]U 63EEIVuW}PuEEuPPVWMM_3^Jq]UUSVWrtz 3tZ3EQEWSVrrauEt=V'_^[]UMVQtq3E0PAR^]USVuWs" (Indicator: "qemu"), "V}EuCEMPCj[tMEMENF3MEEE~}ru:M_3^!]UH63ES]2Vu{EEN|E{EtEECsW{QEMuEv|PZuMsV{_tCMEEjP CMECPsEC~EjPMEEEDs}EuCEMP}ruj%MEMENFrQKCMMv|PuMsVCMECPsEHjtMEMENF3MEEE~M^3[!]UMUMREEPE]UVEWv|N|}~GQPM~|Mj" (Indicator: "qemu"), "EEEEEEEEUu3U$I3u$I$331Eu333@$33}3]_]wuOM}]qEMU]IEM6^_[M3x]M2_3[w]UVu*WI+}*@+98S]~&Is@@@@IuMhBu[_^]@@[_@fH@^]_3^]UVW}~E;AuG;At*@;}[S^N$@LDDN;|[EAEDML|u_^]h0jh(h@U63E@*MS]V)WTL<@*iH4@d;q*DF\*@*ADHX;s`;|Nd;Q|C^P;T0\;A%C+KPXX+KQhljPtL;`dL`B;`LBh^;ZPOJ\;hO;}l+`lh+d@+`T+pp+p0`+QVWiThpKuXlhjPhPmLPXA;d\d;qM_^3[Js]US]V3W~$GPEEPEPuRFG;|_^[]U63ESVW}-Ks{CIBACAqy|h jPr*kWfEfo0AE*EEE*k33FvF;LODB|@;D;*@+++;}=~EI+ <EfGRj PP+|zE ~E
(!Ef jPPEoE};}^*+@+4" (Indicator: "qemu")
"_^[]USVu3W]Ft~3tFE]Qe8uhmh~hmL(tL(MGGE0vv_^[]USVuW~t^3?vtu3Q8tt{tuW_^[]USVW}3]Gtw3Qe8uhmh~hmL'tL'MFFwwz_^[]USVW}3]wt3}8uhmh~hmLtLE@EX@Et8~t2tNQM8_^[]3QM8_^[]tj_^[]UEH@M]UEVQEMuEtCFtPFFFC6V^]UUztExtEU]#T]USVW3]uj}t@@0bp3PMEEbPjO M}0;tIQMtDM;7uF$F$EHt0}6;7uEtkGtPGGG@G;t3KTSk;7u7[WU_^[]U]#USVCsfnXP~fZfnXP~fZ^/Kvbs" (Indicator: "qemu")
"SUkl$(63EVW{G0Au0A,Afn[Y,A,fn[Y,A,Pxwwp0PPwO;tQkGuPGtO3uG3PQxPPPNzu_F|tPxPtjjxohUtxQ3N|F|tjxPPNfxkM_3^][SUkl$63EVW{~x0Au0A,AfnC[Y,A,fnC[pY,A,t`PxjWp0pPPjxPnPNwx|M_3^][IxU ExS]VW3EC3+EE}MZUM2ED2ED22ED2D2EE;s1M;w(+;EujMQEMUt,o;EujMPEUtoEE3EGC+U;Tj _^[tMQu>3MRIEtP]SUkl$63E0AVW{u0A,AfnCps[sY,AW,fnC[dY,A,hdPjpPnPNRpM_3^w][SUkl$63E0AVW{u0A,AfnCps[sY,AW,fnC[dY,A,hdPj" (Indicator: "qemu")
"P<6_^]U VuENAY}uF@YSWQ@YE_}]}6u]6E;]O^3U4|s.8t(IA<r$<uAA$<tB9uU}u3Ep\_],|s&E]E@ @XUUMa|sQEMUUi|sc]|sWfE]}]WfEUMUM+|tMU|t]}t/+MU!|sWfEMU]UM}t/t$Fr$<u" (Indicator: "qemu")
"h+MEEE.Cj Esct6FPpFpnFvFKNt@3VMeMUE0RURP4MZe}rulrcjh+MEEE(.Cj E[rct6FPpFpnFPFKNt?3VMqeMUE0RURP4Me}ruqcjh+MEEE.Cj Eqct6FPpFpnFprFKNtF?3VMeMUE0RURP4M" (Indicator: "qemu")
"lPOjV7^[_]2_]U8MES]V@qEMuUEEWyt$tIEdU;MMdM+KIEdU;MMdM+K;uEMMMUMw%$pW+{Mq" (Indicator: "qemu")
"EGEG3WM V@EESPAPhhhMbPjMDV@t(&AttNf[_^[]3X[_^[]UQEMUVuPQuEuRVy^]UW}t7SVwttjV>>OU@W>>^[_]UVutHWN|~t.[At tOZVu>>_^]3ZVa>>_^]UVut@W~t.At tOCZV>>_^]3/ZV>>_^]UMh`(Bt" (Indicator: "qemu")
"3;_^[]j3;_^[]UES]WuCEuOGURPQEMuuP_[]VQjuuVPSu^_[]UWWl;u_]MVXOl;t90t;u^;t+_]U63ESVW}3u}]t~M33EtVMVEt(3(Est"MURP(x}ru&GF;ur_^[M33]Wy_^[M3]PM_^3[]UVW}t;tu_^]tW_^]U63ES]WES}tE_[M3_]VE1VPuE[u;u8S3;utu^_[M3]E3tJWEEt E1(uuGo;rMEEM;}^_3[M3a]~5MURP(}pru}&^_[M3*]Et G1(M^_3[]UIlV;tSu9ptSx" (Indicator: "qemu")
"GPuNW8MF}S]tut[_W^]sKwe$[_@^]tNjtt?HPtd-et } pVfP[w3_^]E 3[_^fA]_W^]UMyu@]EtAIjP'c3]]U63EVu~u@^M3g]FMW~QP(EuEEuOGURPQEMuMMuWGMQPRMEQNPWb}_ruD&M33^cg]UIl3Vu8jPQFFfU?^]U863EVuW}E~u@_^M3f]uW_^M3f]NJN;uNJjEjPMEE}u5EPEP|)xrP 'M3}ruC&M_3^+f]UMyu@]W}tEPu" (Indicator: "qemu")
"EEoENW<NWLL_3^]_UW}u@_]ES]VuOEPLM++H5uYOEt!EPO5M@MQOwSVOVVL^[3_]^[W_]U(63ES]VuW}u~u@_^[M3u]FNUMRP(}@Eru%E;wZ;wV;wRvE+W}SPoWMWIL3_^[M3]MW_^3[]U63EVu~u@^M3]FMW~QP(EuEEuWGMQPRENPPW}_ru%M33^<]U63EVu~u@^M3]}tW^M3]FMW~QP(EuEEuOGURPQEMuMMuWGMQPRMEQNPW}_ru%M33^W]l${9UIl3VuPjPQFFf5^]UMVu+~1EW8$+;<|p+_^]AAUEVtV%^]U(SVW3}3#HEP#" (Indicator: "qemu")
"@VB}ru77}ru&7M3^Yt]UWEVEGwPOLPBPMyMuj6t.FgF MNMtEF3VMMOEPE0.BMJMM"^_]UD63EESVEH3+*u]E3uWIMEEH8+*;j>EjPMEE\MMtE]j0E5KOtCOtCwfGtoFF}sE@tPEPV~GtEEEFEFEEEEFMtEFWVjEPKM}ru4MEEEdE]H8+*;uM>PI0C]u;]Yu_NfFuEt8t)vP(/6!4FFV4M^3[Vt]h6Yw_XwUSVWjE3tGG3^@NLqEPPMMu0j3t+FgFMNt-EF3VMIEEPQ8PMIM_^[]UEVQEMu uEt8t)vP-62FFV2^]UP63ES]VWELO|@EPEqEEPEEPMMuj(%2t"EPNFF3VMOHwESPEE0PEh0P~PEP|PhAhxhPM=PVrMWHMOHM'ut8t)vPO
6H1FFV+1MuEt8t)vP
60FFV0M_^3[ySt]U63EESVW}3jME]0Et5j(^0HtHtf@3uM$WM!2&E3MEE4ut]vM+]~FWE>;;tL~$NQUr_rE};BPQuouM;r;y6E}}PEPhS1BZ1yPPVEP1yuEN(;t" (Indicator: "qemu")
"_^[]UEVQEMAPquEt8t)vP6FFV^]UEVQEMuEt8t)vP6FFVq^]UE VQE QEEE0E0EuQt@MuEtb<VM E tj^]UEVuEuQMuEt8t)vP6FFV{^]U(SVW}EPET#EEPjh@BjjMEUMoE{3RPW+SPhvhxhM#=PEt2pyt$tV_^[]3V_^[]USVuEWKDEEPtA" (Indicator: "qemu")
"EqEMuA]+U+EUEMIE;1M+0gfffJU_U(MUE^[;|" (Indicator: "qemu")
"uMuCCWvv_^[]USVu3WE~t3tMEtN MEQe8uhmh~hmHtHuMuCCWvvp_^[]USVu3WE~t3tMEtN MEuQe8uhmh~hmL5tL1uMuCCWvv=_^[]UUVWJt3tz BJVW_^]3BJVW_^]USVu3W]Ft~|3tFE]Qe8uhmh~hmLHtLHMuGGFPvv_^[]UUVWJtr(3tz 3v6BwJ7_^]UUVJtur BJV^]u3BJV^]USVW}3]Gtw3Qe8uhmh~hmL7tL7MFFGPww6_^[]UVuW~tN3TWvH_^]USVW}3]Gtw3Qe8uhmh~hmLwtLwMFFGPwi_^[]UEVWQEuNM}Et:O4wt"tt3V1WQ_^]UEVWQENM}Et:Oj4wt"itt3VW{Q_^]UEVQEMuEt=t.uMQvP6)QFFVQ^]U$VWjQ}t" (Indicator: "qemu")
"Y3AyA E3UM@(P,3PMuEEPWQMu0PMttjSMtjEtMn_^[]UVutPN,F,tjWN h~FttjWbVY_^]UEoA]USVWj At&SsKE`WOwoG3KQuu8uuP_^[]UEVu EQuuEQEuMuEttjVdMEtj^]USVWjN}]t@@`TXx3PMzEEPPjNoNtEPjpMNtWSP_^[]U}SVWuRjt/MuEKCtWGOw3E8tjEPE0@uEttjVMEtj_^[]UlSVu3W]~tN(3MtF E]tFE]tFE]uQe8uhmh~hmDDtDAMuuAAMQeE8uhmh~hmtMAAM7v._^[]UEV0EQEuE0EQEMuEttjVMEtj^]UVjut6MUW}FNVNtjF_3VuF^]UVuW};t0>rv3FfF F;u_^]UEVu;tNSW}_t.VKBC3jPCRf+E ;u_[^]E^]UUVW}FPFBFNtjN FEjFEF3PuAAf_^]U63EESVEE3WEE]jl|Ft.jhME]]/jEPo3Ft}ru"ENuFFFFMF$nNEPE7quhhhtjt.NEPOt]jF$G3FE~t5xt%btt3W`mEP$t
Et"xatt3W#mh@tEQEv3tOjF~t xnattOtjPjt@@)p3PM~E:t]FG<tKjG8_8tX`tt" (Indicator: "qemu") - source
- String
- relevance
- 4/10
-
Contains ability to query the machine version
-
Installation/Persistence
-
Creates/touches files in windows directory
- details
- "<Input Sample>" created file "%WINDIR%\Fonts\staticcache.dat"
- source
- API Call
- relevance
- 7/10
-
Drops executable files
- details
-
"LangDLL.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"FindProcDLL.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"nsDialogs.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"w7tbp.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows" - source
- Dropped File
- relevance
- 10/10
-
Creates/touches files in windows directory
-
Remote Access Related
-
Contains a remote desktop related string
- details
- "jY%6SWBi,gSealle<k=:Ia&PPyhVJM3bCTW8Nftvnc?L7O; tlBa:b" (Indicator for product: Generic VNC)
- source
- String
- relevance
- 10/10
-
Contains references to WMI/WMIC
- details
-
"WMIADAP.exe" (Indicator: "wmiadap.exe")
"WmiPrvSE.exe" (Indicator: "wmiprvse.exe") - source
- String
- relevance
- 10/10
-
Contains a remote desktop related string
-
Spyware/Information Retrieval
-
Contains ability to open the clipboard
- details
-
OpenClipboard@USER32.DLL from IronPortable_49.0.2600.0.paf.exe (PID: 2684) (Show Stream)
OpenClipboard@USER32.DLL from IronPortable_49.0.2600.0.paf.exe (PID: 2684) (Show Stream) - source
- StaticStream (Disassembly)
- relevance
- 10/10
-
Contains ability to open the clipboard
-
System Destruction
-
Marks file for deletion
- details
-
"%SAMPLEDIR%\IronPortable_49.0.2600.0.paf.exe" marked "%TEMP%\nso4252.tmp" for deletion
"%SAMPLEDIR%\IronPortable_49.0.2600.0.paf.exe" marked "\192.168.56.1\VM10\IronPortable\~PRESERVEFILE1\" for deletion - source
- API Call
- relevance
- 10/10
-
Opens file with deletion access rights
- details
-
"<Input Sample>" opened "%TEMP%\nso4252.tmp" with delete access
"<Input Sample>" opened "%SAMPLEDIR%\IronPortable\App\Iron\Dictionaries" with delete access
"<Input Sample>" opened "%SAMPLEDIR%\IronPortable\App\Iron\extensions" with delete access
"<Input Sample>" opened "%SAMPLEDIR%\IronPortable\App\Iron\Plugins" with delete access
"<Input Sample>" opened "%SAMPLEDIR%\IronPortable\~PRESERVEDIRECTORY1" with delete access
"<Input Sample>" opened "%SAMPLEDIR%\IronPortable\~PRESERVEDIRECTORY2" with delete access
"<Input Sample>" opened "%SAMPLEDIR%\IronPortable\~PRESERVEDIRECTORY3" with delete access
"<Input Sample>" opened "%SAMPLEDIR%\IronPortable\~PRESERVEFILE1\" with delete access - source
- API Call
- relevance
- 7/10
-
Marks file for deletion
-
Unusual Characteristics
-
CRC value set in PE header does not match actual value
- details
- "w7tbp.dll" claimed CRC 24854 while the actual is CRC 69237
- source
- Static Parser
- relevance
- 10/10
-
Contains embedded string with suspicious keywords
- details
-
Found suspicious keyword "Output" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
Found suspicious keyword "Chr" which indicates: "May attempt to obfuscate specific strings"
Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
Found suspicious keyword "ShowWindow" which indicates: "May hide the application"
Found suspicious keyword "Open" which indicates: "May open a file"
Found suspicious keyword "FindWindow" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)" - source
- String
- relevance
- 10/10
-
Imports suspicious APIs
- details
-
GetModuleHandleW
GetProcAddress
LoadLibraryW
VirtualAlloc
VirtualProtect
Sleep
TerminateProcess
OpenProcess
GetVersionExW
GetFileAttributesW
FindWindowExA - source
- Static Parser
- relevance
- 1/10
-
Reads information about supported languages
- details
- "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
-
CRC value set in PE header does not match actual value
-
Hiding 2 Suspicious Indicators
-
Informative 13
-
Environment Awareness
-
Contains ability to query machine time
- details
- GetSystemTime@KERNEL32.DLL at 00328609-00002684-779F228D-427015
- source
- StaticStream (Disassembly)
- relevance
- 1/10
-
Contains ability to query volume size
- details
-
GetDiskFreeSpaceExW@KERNEL32.DLL at 00328609-00002684-779F228D-403923
GetDiskFreeSpaceExW@KERNEL32.DLL at 00328609-00002684-779F228D-407190
GetDiskFreeSpaceW@KERNEL32.DLL from IronPortable_49.0.2600.0.paf.exe (PID: 2684) (Show Stream)
GetDiskFreeSpaceW@KERNEL32.DLL from IronPortable_49.0.2600.0.paf.exe (PID: 2684) (Show Stream) - source
- StaticStream (Disassembly)
- relevance
- 3/10
-
Contains ability to query machine time
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
-
0/55 Antivirus vendors marked sample as malicious (0% detection rate)
0/43 Antivirus vendors marked sample as malicious (0% detection rate) - source
- Anti-Virus Test Result
- relevance
- 10/10
-
Sample was identified as clean by Antivirus engines
-
General
-
Contains PDB pathways
- details
-
"MoreInfo.dllGetCommentsGetCompanyNameGetFileDescriptionGetFileVersionGetInternalNameGetLegalCopyrightGetLegalTrademarksGetOSUserinterfaceLanguageGetOriginalFilenameGetPrivateBuildGetProductNameGetProductVersionGetSpecialBuildGetUserDefinedRSDS7v Bt:\untgz\MoreInfo\SRC\Release\MoreInfo.pdb(H`x0A(XB@E"hEMAINICON( wpwp"xpzpxxppxwwwwwwpxwwwwww( @wwpwpxwxwxxp'x""'p""j""x*"xx*#xxxxpxnnnnwnnwwwpwwwwwwwwxwwwwwxpwxxwwwwwwwwwpwp???a( 4VS_VERSION_INFO?\StringFileInfo8040904E4.CompanyName(none)~+FileDescriptionHelper plugin to retreive file information0FileVersion1.0.1.2RInternalNameThe MoreInfo NSIS Plugin8", "rowid missing from index wrong # of entries in index okencodingunsupported encoding: %sschema_versionuser_versionfreelist_countmalformed database schema (%s)%s - %sinvalid rootpageunsupported file formatSELECT name
rootpage
sql FROM '%q'.%sdatabase schema is locked: %sstatement too longunknown or unsupported join type: %T %T%s%TRIGHT and FULL OUTER JOINs are not currently supporteda NATURAL join may not have an ON or USING clausecannot have both ON and USING clauses in the same joincannot join using column %s - column not present in both tablesonly a single result allowed for a SELECT that is part of an expressionrowid%s.%sUNION ALLINTERSECTEXCEPTUNION%s:%dORDER BY clause should come after %s not beforeLIMIT clause should come after %s not beforeSELECTs to the left and right of %s do not have the same number of result columnsno such index: %ssqlite_subquery_%p_no such table: %sno tables specifiedtoo many columns in result setDISTINCT aggregates must have exactly one argumenttoo many terms in compound SELECTsqlite3_get_table() called with two or more incompatible queriestemporary trigger may not have qualified nametriggercannot create triggers on virtual tablestrigger %T already existscannot create trigger on system tableBEFOREAFTERcannot create %s trigger on view: %Scannot create INSTEAD OF trigger on table: %SINSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')type='trigger' AND name='%q'no such trigger: %S-- TRIGGER %sno such column: %srows updated_rowid_cannot VACUUM from within a transactionATTACH '' AS vacuum_db;PRAGMA vacuum_db.synchronous=OFFBEGIN EXCLUSIVE;SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %' SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0SELECT 'DELETE FROM vacuum_db.' 
|| quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence' SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';INSERT INTO vacuum_db.sqlite_master SELECT type
name
tbl_name
rootpage
sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)CREATE VIRTUAL TABLE %TUPDATE %Q.%s SET type='table'
name=%Q
tbl_name=%Q
rootpage=0
sql=%Q WHERE rowid=#%dvtable constructor failed: %svtable constructor did not declare schema: %shidden hiddenno such module: %stable %s: xBestIndex returned an invalid planat most %d tables in a joincannot use index: %sTABLE %s%s AS %s%s WITH INDEX %s%s VIA MULTI-INDEX UNION%s USING PRIMARY KEY%s VIRTUAL TABLE INDEX %d:%s%s ORDER BYparser stack overflowset listnear "%T": syntax errortoo many arguments on function %Tqualified table names are not allowed on INSERT
UPDATE
and DELETE statements within triggersthe INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggersthe NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggersinterruptunrecognized token: "%T"createtemptemporaryendexplainunable to close due to unfinalised statementsunable to close due to unfinished backup operationunknown errorunable to delete/modify user-function due to active statementsunable to delete/modify collation sequence due to active statementsno such vfs: %sRTRIMNOCASEmainMicrosoft Strong Cryptographic ProviderChromePasswordsCould not create key container!Could not create hash object!Could not hash password!Could not derive key from hash!Could not get the size of the encrypted password!Could not encrypt the password!Could not decrypt the password!Missing parameter.UT^tQpa"'Dort;huV&nq?-{@`+AYi}5=Hu[9bdqJQau82X1kw1Failed to open source database.Failed to open destination database.CREATE TABLE IF NOT EXISTS `logins` (`origin_url` VARCHAR NOT NULL, `username_element` VARCHAR, `username_value` VARCHAR, `password_element` VARCHAR, `password_value` BLOB, `submit_element` VARCHAR, `signon_realm` VARCHAR NOT NULL, UNIQUE (`origin_url`, `username_element`, `username_value`, `password_element`, `submit_element`, `signon_realm`))Failed to prepare create table statement.Failed to create database table.DELETE FROM `logins`Failed to prepare clear table statement.Failed to clear database table.INSERT INTO `logins` (`origin_url`, `username_element`, `username_value`, `password_element`, `password_value`, `submit_element`, `signon_realm`) VALUES (?, ?, ?, ?, ?, ?, ?)Failed to prepare insert password statement.SELECT `origin_url`, `username_element`, `username_value`, `password_element`, `password_value`, `submit_element`, `signon_realm` FROM `logins`Failed to prepare dump passwords statement.Failed to add password to table.Failed to finish iterating through results.ChromePasswordsUPDATE OR REPLACE `logins` SET `password_value` 
= ? WHERE `origin_url` = ? AND `username_element` = ? AND `username_value` = ? AND `password_element` = ? AND `submit_element` = ? AND `signon_realm` = ?Failed to prepare update password statement.Failed to prepare select passwords statement.Failed to update password to table.:{\O*`'=pC#"R=.Jo/XYI&MB*V-'Wis.JZ1W1!E(etZHVX5z\@Could not get hash size!Could not get hash data!$@MDaTR'>@v@fffff^@@@}<A?pA@@@@H@v@>@L@@wKA@3#I9:0yE>AnF?Zd;M@Y@A.B}TeA8@ @.BmTse+000k[uE*bad exception1#QNAN1#INF1#IND1#SNANRSDS{%|O3TF:\User\Programming\NSIS\GoogleChromePortable\ChromePasswords\Release\ChromePasswords.pdbpZZZp@Zp[[ [<[p@[4p@X[h[<[4pX[ [[[<[ @[", "KP7(787H7s!^7f7p7y7dialogsEx.dllFileBoxFolderBoxInputBoxInputRegBoxRSDS8~.GF@OW)Nt:\untgz\Joel_plugins_src\dialogsEx\dialogs\Release\dialogsEx.pdb0", "Mb]4N|rLIIPur_]CHK|l|333333?Xh|brotli-encodingDownloadResumptionExperimentalFrameworkUpdateRendererPriorityOnStartupWebFontsInterventionGETHEADenable-appcache-executable-handlersIndex\?defaultdefault_public_interface_onlydisable_non_proxied_udp?PluginUtilityZygoteSandbox helperGPUPepper PluginPepper Plugin Broker
T|$@\t8P0Hh4Ld(D`|(p,D\x<ladialhk.dllacpiz.dllactivedetect32.dllactivedetect64.dllairfoilinject3.dllakinsofthook32.dllassistant_x64.dllavcuf64.dllavgrsstx.dllbabylonchromepi.dllbtkeyind.dllcmcsyshk.dllcmsetac.dllcooliris.dllcplushook.dlldockshellhook.dlleasyhook32.dllesspd.dllgoogledesktopnetwork3.dllfwhook.dllhookprocesscreation.dllhookterminateapis.dllhookprintapis.dllimon.dllicatcdll.dllicdcnl.dllioloHL.dllkloehk.dlllawenforcer.dlllibdivx.dlllvprcinj01.dllmadchook.dllmdnsnsp.dllmoonsysh.dllmpk.dllnpdivx32.dllnpggNT.desnpggNT.dlloawatch.dllpastali32.dllpavhook.dllpavlsphook.dllpavshook.dllpavshookwow.dllpctavhook.dllpctgmhk.dllpicrmi32.dllpicrmi64.dllprntrack.dllprotector.dllradhslib.dllradprlib.dllrapportnikko.dllrlhook.dllrooksdol.dllrndlpepperbrowserrecordhelper.dllrpchromebrowserrecordhelper.dllr3hook.dllsahook.dllsbrige.dllsc2hook.dllsdhook32.dllsguard.dllsmum32.dllsmumhook.dllssldivx.dllsyncor11.dllsystools.dlltfwah.dllwblind.dllwbhelp.dllwindowsapihookdll32.dllwindowsapihookdll64.dllwinstylerthemehelper.dlld:\google\iron1\src\content\common\sandbox_win.cc::OpenProcessToken(::GetCurrentProcess()
TOKEN_QUERY
&token)::GetTokenInformation(token, TokenSessionId, &session_id, sizeof(session_id)
&session_id_length)\Sessions\%lu%lsSection\??\pipe\chrome.*\\.\pipe\chrome.sync.**.pdbEvent\Device\DeviceApiHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet SettingsKeyYou are attempting to duplicate a privileged handle into a sandboxed process.", "PXd:\google\iron1\src\out\release\gen\protoc_out\extensions\common\api\cast_channel\cast_channel.pb.ccextensions.api.cast_channel.CastMessageextensions.api.cast_channel.AuthChallengeextensions.api.cast_channel.AuthResponseextensions.api.cast_channel.AuthErrorextensions.api.cast_channel.DeviceAuthMessageP!0 P*2 0!0`0$00 `!00@'1d:\google\iron1\src\out\release\gen\protoc_out\extensions\common\api\cast_channel\logging.pb.ccextensions.api.cast_channel.proto.SocketEventextensions.api.cast_channel.proto.AggregatedSocketEventextensions.api.cast_channel.proto.Logper-viewkeepexclude_matchesmatch_about_blankrun_atall_framesinclude_globsexclude_globsbackwardmatchCaseserial.onReceiveserial.onReceiveErrorseveneightoddevenbitratedataBitsparityBitstopBitsctsFlowControlreceiveTimeoutsendTimeoutdtrrtsdcdctsridsrdevice_lostframe_erroroverrunbuffer_overflowparity_errorsocketTypeprefixLengthenableAutoSizerectsmaxImagesdataUrlscast.channel.onMessagecast.channel.onErrorclosingchannel_not_openauthentication_errorconnect_errortransport_errorinvalid_messageinvalid_channel_idconnect_timeoutping_timeoutssl_verifiedpingIntervallivenessTimeoutcapabilitieschannelIdconnectInforeadyStateerrorStatekeepAliveaudioOnlynamespace_sourceIdeventTypechallengeReplyErrorTypenetReturnValuenssErrorCodenumOfProcessorsarchNameprocessorsactiveColorinactiveColordefaultWidthdefaultHeightdefaultLeftdefaultTopimeresizablesingletonvisibleOnAllWorkspacesH65`E`E@C-RSDSJLJ~G0VwD:\google\iron1\src\out\Release\chrome.dll.pdbH7z5z5z5z5H7@z5h7@{5${5
{5h7@{57\{5l{5|{5z5z57@\{57{5{5{5|{5z5z57@{57|5|5|57@|57H|5X|5d|5|57@H|5 7|5|5|5d|5|5 7@|5L7|5|5}5d|5|5L7@|5(74}5D}5T}5z5z5(7@4}5x7@}5}5p}5}5z5z57@}5}5}5z5z57~5~5
~5H~5p}5}5z5z57@~57@d~5t~5H~5p}5}5z5z5 7~5~5~5~5$5`5z5 7@~5H7@55~5$5`5z5p7@@5P5$5`5z57@|55`5z57@555z5z57555z5z57@5(785H5`5|55z5z5(7@85T7@55|55z5z5x7@555z5z5755
5z5z57@5x757p5555z5z57@p57555z5z57@5075$505z507@5T7`5p5|5z5T7@`5|7555z5|7@57555z57@57D5T5`5z57@D57555z57@57555z57@57(585P555z5z57@(5$75555z5z5$7@5L7@555z5z5T75p7$545P5H~5p}5}5z5z5p7@$57555~5$5`5z57@5L757555z5z57@57<5L5d555z5z57@<547@5555z5z5475t75555z5z5t7@57<5L5d555z5z57@<57@5555z5z575$7555z5$7@5D745D5T5z5z5D7@457555T}5z5z57@5l755555z5l7@57@45D555z57457|555z57@|57555T5z5z57@5 75
5D55T5z5z5 7@5P7t555T5z5z5P7@t5|75555T5z5z5|7@57 505D5T5z5z57@ 57t555D5T5z5z57@t5755555z57@5@7 505@5z5z5@7@ 5p7p555@5z5z5p7@p575555@5z5z57@575
5@5@5z5z57@57p555@5z5z57@p5H7555@5z5z5H7@5|75(5<5@5z5z5|7@57l5|555z57@l57555z5z57@54755
5z5z547@5X7\5l555z5z5X7@\5|7555z5|7@575555z57@57L5\5l5z5z57@L57555z5z57@5L7555
5z5z5L7@5p7@H5X5
5z5z57|555l5z5z57@|5p7H575555z5z57@5P785H5X5z5z5P7@8575555z5z57@5(7555z5z5(7@5H7
5<5T5~5$5`5z5H7@
5p7555H~5p}5}5z5z5p7@57555p}5}5z5z57@5785H5`555z5z57@85755555z5z57@57555z5z57@5785H5\55z5z57@8575555z5z57@575555z57@5705@5T55z5z57@05@75555z5z5@7@5l75555z5z5l7@57
5<5H5z57@
57x555z57@x57555H5z57@575$545z5z57@587d5t55z587@d5
7555|55z5z5
7@5d755(5z5z5d7@57X5h5|5(5z5z57@X57555(5z5z57@5755$5(5z5z57@57T5d5t5z5z57@T5075555z507@5d75555z5d7@57D5T5h55z5z57@D575555z5z57@57@555z5z57(585H5z5z57@(57x555|55z5z57@x575555z5z57@507$545H55z5z507@$5X7x555z5z5X7@x57555z57@575$5455z57@5757x555z57@x587555z587@5`75 5455z5z5`7@57d5t55z57@d575555z5z57@5755$5z5z57@57T5d5p5z57@T5755555z5z57@5D7@5555z5z5D757L5\5p5T5z5z57@L57555z5z57@5755545X5z5z57@57@P5`545X5z5z57555z5z57@5T7555z5T7@5(7$545H55z5z5(7@$5p7x55545X5z5z5p7@x575555z5z57@57$545L555z5z57@$57|55555z5z57@|5755555z5z57@5(7
5<5P55z5z5(7@
5P75555z5z5P7@5x75555z5z5x7@57(585L55z5z57@(57|55555z5z57@|57@5555z5z575$5<5L55z5z57@5
7l5|5555z5z5
7@l5H7555|55z5z5H7@5T75
585z5T7@57h5x55H5z57@h57555z57@5755 5z57@57P5`5l5z57@P57555l5z57@5(75555z5z5(7@5P7@5P5\5z5P7@@5p75555z5z5p7@575555z5z57@5745D5T5H5z57@457555H5z57@57555z5z57@5@7$545D5z5z5@7@$5d7t555z5d7@t57555z57@5755
55z57@57\5l5|55z57@\58555z5z58@50855 55z5z508@5T8P5`5p5z5z5T8@P5x8555p5z5z5x8@58555p5z5z58@58H5X5l5p5z5z58@H58555p5z5z58@5
8555p5z5z5
8@5\8D5T5h5p5z5z5\8@D58555p5z5z58@58555p5z5z58@58@5P5`5z5z58@@57P575755545X5z5z57@585 505z5z58@588`5p5505z5z588@`5d8555z5z5d8@5855(55z5z58@58X5h5p58@X58555z5z58@58555855z5z5|58@58@T5d5855z5z5|58@X5858T54855548@5X85
5<5z5z5X8@5|8l5|55<5z5z5|8@l5757|58555z5z58@57}58L5\5p5}5z5z58@L5p7@5x7}57d~5H75<85555z5z5<8@5d8D5T5d5z5z5d8@D58555H~5p}5}5z5z58@58555~5$5`5z58@58H5X5h5z5z58@H58555z5z58@5
8555z5z5
8@5T885H5X5z5z5T8@85|8555z5z5|8@58555z5z58@58(585H5z5z58@(5t55<5z5z58@d585555<5z5z58@5@85 5855<5z5z5@8@5h8h5x555<5z5z5h8@h58555<5z5z58@585$545z5z58@58d5t5555z5z58@d58@5555z5z5(8@555z5z5X885H5d5555z5z5X8@8585555z5z58@58@555z5z5 505z5z58@5\5p505z5z58@L555p505z5z588@5p85555p505z5z5p8@58@5P5d5X5z5z58@@58555d5z5z58@58555z58@5
845D5P5z5
8@45H8555z5z5H8@5l85555z5z5l8@58$545L5p}5}5z5z58@$585(8585855505z5z58@585545p505z5z58@5`5t505z5z50" - source
- String
- relevance
- 1/10
-
Contains SQL queries
- details
- "CREATE TABLE keyword_search_terms (keyword_id INTEGER NOT NULL,url_id INTEGER NOT NULL,lower_term LONGVARCHAR NOT NULL,term LONGVARCHAR NOT NULL)X/windexvisits_time_indexvisitsCREATE INDEX visits_time_index ON visits (visit_time)X/windexvisits_from_indexvisitsCREATE INDEX visits_from_index ON visits (from_visit)O-gindexvisits_url_indexvisitsCREATE INDEX visits_url_index ON visits (url)n%%tablevisit_sourcevisit_sourceCREATE TABLE visit_source(id INTEGER PRIMARY KEY,source INTEGER NOT NULL)k1tablevisitsvisitsCREATE TABLE visits(id INTEGER PRIMARY KEY,url INTEGER NOT NULL,visit_time INTEGER NOT NULL,from_visit INTEGER,transition INTEGER DEFAULT 0 NOT NULL,segment_id INTEGER,visit_duration INTEGER DEFAULT 0 NOT NULL)tableurlsurlsCREATE TABLE urls(id INTEGER PRIMARY KEY,url LONGVARCHAR,title LONGVARCHAR,visit_count INTEGER DEFAULT 0 NOT NULL,typed_count INTEGER DEFAULT 0 NOT NULL,last_visit_time INTEGER NOT NULL,hidden INTEGER DEFAULT 0 NOT NULL,favicon_id INTEGER DEFAULT 0 NOT NULL)f/tablemetametaCREATE TABLE meta(key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR)';indexsqlite_autoindex_meta_1meta"
- source
- String
- relevance
- 2/10
-
Creates a writable file in a temporary directory
- details
-
"<Input Sample>" created file "%TEMP%\nsi40AB.tmp"
"<Input Sample>" created file "%TEMP%\nso4252.tmp\LangDLL.dll"
"<Input Sample>" created file "%TEMP%\nso4252.tmp\System.dll" - source
- API Call
- relevance
- 1/10
-
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "LangDLL.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "System.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "FindProcDLL.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "nsDialogs.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "w7tbp.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- source
- Dropped File
- relevance
- 10/10
-
Loads modules at runtime
- details
-
"<Input Sample>" loaded module "DWMAPI.DLL" at base 74580000
"<Input Sample>" loaded module "COMCTL32.DLL" at base 74960000
"<Input Sample>" loaded module "UXTHEME.DLL" at base 74820000
"<Input Sample>" loaded module "%WINDIR%\SYSTEM32\OLE32.DLL" at base 777A0000
"<Input Sample>" loaded module "ADVAPI32.DLL" at base 77080000
"<Input Sample>" loaded module "%TEMP%\NSO4252.TMP\LANGDLL.DLL" at base 10000000
"<Input Sample>" loaded module "%TEMP%\NSO4252.TMP\SYSTEM.DLL" at base 10000000
"<Input Sample>" loaded module "%TEMP%\NSO4252.TMP\FINDPROCDLL.DLL" at base 745B0000
"<Input Sample>" loaded module "KERNEL32.DLL" at base 77430000
"<Input Sample>" loaded module "PSAPI.DLL" at base 77B30000
"<Input Sample>" loaded module "C:\WINDOWS\SYSTEM32\RICHED20.DLL" at base 72950000
"<Input Sample>" loaded module "%TEMP%\NSO4252.TMP\NSDIALOGS.DLL" at base 280000
"<Input Sample>" loaded module "IMM32.DLL" at base 75F40000
"<Input Sample>" loaded module "C:\WINDOWS\SYSTEM32\SHELL32.DLL" at base 76290000 - source
- API Call
- relevance
- 1/10
-
Loads rich edit control libraries
- details
- "<Input Sample>" loaded module "%WINDIR%\system32\RichEd20.dll" at 72950000
- source
- Loaded Module
-
Looks up procedures from modules (excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime)
- details
-
"DwmIsCompositionEnabled@dwmapi.dll"
"RegOpenKeyExW@ADVAPI32.dll"
"RegQueryInfoKeyW@ADVAPI32.dll"
"RegEnumValueW@ADVAPI32.dll"
"RegCloseKey@ADVAPI32.dll"
"RegQueryValueExW@ADVAPI32.dll"
"RegQueryValueExA@ADVAPI32.dll"
"RegEnumKeyExW@ADVAPI32.dll"
"LangDialog@LangDLL.dll"
"StrAlloc@LangDLL.dll"
"Call@LangDLL.dll" - source
- API Call
- relevance
- 1/10
-
Contains PDB pathways
-
Installation/Persistence
-
Dropped files
- details
-
"nsi40AB.tmp" has type "data"
"LangDLL.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"FindProcDLL.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"modern-header.bmp" has type "PC bitmap Windows 3.x format 300 x 114 x 24"
"modern-wizard.bmp" has type "PC bitmap Windows 3.x format 328 x 628 x 24"
"nsDialogs.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"w7tbp.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows" - source
- Dropped File
- relevance
- 3/10
-
Dropped files
-
Network Related
-
Found potential URL in binary/memory
- details
-
Heuristic match: "pW4Ui3.cF"
Pattern match: "Uv.JW/|f"
Heuristic match: "}a
,>.Fi"
Heuristic match: "GN$s|D.AU"
Pattern match: "http://ocsp.thawte.com0"
Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0"
Pattern match: "http://ts-ocsp.ws.symantec.com07"
Pattern match: "http://ts-aia.ws.symantec.com/tss-ca-g2.cer0"
Pattern match: "http://ts-crl.ws.symantec.com/tss-ca-g2.crl0"
Pattern match: "https://secure.comodo.net/CPS0C"
Pattern match: "crl.comodoca.com/COMODORSACodeSigningCA.crl0t"
Pattern match: "crt.comodoca.com/COMODORSACodeSigningCA.crt0$"
Pattern match: "http://ocsp.comodoca.com0"
Pattern match: "http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q"
Pattern match: "http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$"
Pattern match: "https://www.globalsign.com/repository/0"
Pattern match: "crl.globalsign.com/gs/gstimestampingsha2g2.crl0X"
Pattern match: "http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0"
Pattern match: "https://www.globalsign.com/repository/06"
Pattern match: "http://crl.globalsign.net/root-r3.crl0" - source
- String
- relevance
- 10/10
-
Found potential URL in binary/memory
-
Spyware/Information Retrieval
-
Found a reference to a known community page
- details
-
""www.facebook.com:443": {" (Indicator: "facebook.com")
"dhab.yamaguchUuzzo.ga_.^hrko.chieno.osakvDot|shiri.hokkaido.rtc.Vborte.nLIsprod.fastly.ne000.hkapp.com0.bgfile:///%25%3B%23#%3F?/\_$,4<DLT\dlt|conprnauxnulcom1com2com3com4com5com6com7com8com9lpt1lpt2lpt3lpt4lpt5lpt6lpt7lpt8lpt9clock$desktop.inithumbs.db.localhostlocalhostlocalhost.localdomainlocalhost6localhost6.localdomain6.google.com.youtube.com.gmail.com.doubleclick.net.gstatic.com.googlesyndication.com.google-analytics.com.googleadservices.com.googleapis.com.ytimg.comsockssocks4socks5quicdirect://socks4://socks5://quic://DIRECTPROXY SOCKS SOCKS5 HTTPS QUIC pac_mandatorysingle_proxyfallbackproxy_per_schemereverse_bypassbypass_listd$Px!dddy!py!mm:0x!x!d:P$PN 00`x!$@;d:\google\iron1\src\net\url_request\url_request_redirect_job.ccreasonnet::URLRequestRedirectJob::StartHTTP/1.1 %i Internal Redirect" (Indicator: "youtube")
"Many artistspoweredperformfictiontype ofmedicalticketsopposedCouncilwitnessjusticeGeorge Belgium...</a>twitternotablywaitingwarfare Other rankingphrasesmentionsurvivescholar</p>" (Indicator: "twitter") - source
- String
- relevance
- 7/10
-
Found a reference to a known community page
File Details
IronPortable_49.0.2600.0.paf.exe
- Filename
- IronPortable_49.0.2600.0.paf.exe
- Size
- 46MiB (48135176 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- adf61d389194553f7c9c9926952c15b9eb385754058a383ecc81a1be01582ec2
- MD5
- e2087c73ebcdd5ae078c30f02cf752e7
- SHA1
- 7923f640f1cf64fc5f88de3231f819a5c439ef5e
Classification (TrID)
- 52.9% (.EXE) Win32 Executable (generic)
- 23.5% (.EXE) Generic Win/DOS Executable
- 23.4% (.EXE) DOS Executable Generic
- 0.0% (.CEL) Autodesk FLIC Image File (extensions: flc, fli, cel)
Screenshots
Hybrid Analysis
Analysed 1 process in total (System Resource Monitor).
- IronPortable_49.0.2600.0.paf.exe (PID: 2684)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
http://nsis.sf.net/nsis_error | Domain/IP reference | 00328609-00002684-55866-65-00402E41 |
portableapps.com | Domain/IP reference | 00328609-00002684-55866-121-00403D72 |
Extracted Strings
Extracted Files
-
Clean 5
-
-
FindProcDLL.dll
- Size
- 4KiB (4096 bytes)
- Type
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/57
- MD5
- ba4c1dfe226d573d516c0529f263011e
- SHA1
- d726e947633ea75c09bba1cb6a14a79ce953be24
- SHA256
- 2ffe1ac2555e822b4a383996168031e456f09f9cf3bb763fccee35be178cf58a
-
LangDLL.dll
- Size
- 5.5KiB (5632 bytes)
- Type
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/58
- MD5
- be828e6e1885cc5a25e18f123e2a76a0
- SHA1
- 96432bf2da4e1c454f49f76e20855f27c2fce2f9
- SHA256
- 01773690efda3c1fa609287f4bf2277f3d366fe4a1ddc099d2949fab54f0fbd4
-
System.dll
- Size
- 12KiB (11776 bytes)
- Type
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/78
- MD5
- ee260c45e97b62a5e42f17460d406068
- SHA1
- df35f6300a03c4d3d3bd69752574426296b78695
- SHA256
- e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27
-
nsDialogs.dll
- Size
- 9.5KiB (9728 bytes)
- Type
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/78
- MD5
- 477b78e5db22b4e651b6bec39d5c1acf
- SHA1
- 418038f8d4db22471f55206aa8eb372f3f133d0d
- SHA256
- 80d84f6c405f4e7b51d3e0c7c10b06ce60b28a43451bbe0e6e464d5e4783fc35
-
w7tbp.dll
- Size
- 2.5KiB (2560 bytes)
- Type
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/78
- MD5
- 9a3031cc4cef0dba236a28eecdf0afb5
- SHA1
- 708a76aa56f77f1b0ebc62b023163c2e0426f3ac
- SHA256
- 53bb519e3293164947ac7cbd7e612f637d77a7b863e3534ba1a7e39b350d3c00
-
-
Informative 3
-
-
nsi40AB.tmp
- Size
- 44MiB (45870352 bytes)
- Type
- data
- MD5
- f8923539b33ca8b04a77a5cb63696559
- SHA1
- d18cdb5ae96c7584d0329d975a6a3a73c9570aff
- SHA256
- 703e6c1823b8094855529e0fecfce0c1610fa0a0895aa93a13e2855d635db716
-
modern-header.bmp
- Size
- 100KiB (102654 bytes)
- Type
- PC bitmap, Windows 3.x format, 300 x 114 x 24
- MD5
- e104cbe3c6778ac6948ed47ae47e2f31
- SHA1
- 441e0825170859d35d8fc0d5db8b20803d754079
- SHA256
- 335be1e57b7c608f90c7ea686894d8765421b76339b76fe9b80a5df55b484a13
-
modern-wizard.bmp
- Size
- 1.2MiB (1236016 bytes)
- Type
- PC bitmap, Windows 3.x format, 328 x 628 x 24
- MD5
- 776bc4124f9b671028085255373e80a9
- SHA1
- a15c9c7f201968d15f4dfb3edbe72a0f47c4e6cc
- SHA256
- e8c0c29133ef3728a1fb8ad8aea470030d9164dabd8c2b3081471a2337262142
-
Notifications
-
Runtime
- No static analysis parsing was performed on the sample
- Not all sources for signature ID "api-38" are available in the report
- Not all sources for signature ID "api-4" are available in the report
- Not all sources for signature ID "api-7" are available in the report
- Not all sources for signature ID "api-8" are available in the report
- Not all sources for signature ID "string-1" are available in the report
- Not all sources for signature ID "string-21" are available in the report
- Not all sources for signature ID "string-24" are available in the report
- Not all sources for signature ID "string-3" are available in the report
- Not all strings are visible in the report because the maximum number of strings (5000) was reached