Setup.exe
This report is generated from a file or URL submitted to this webservice on October 12th 2020 07:34:21 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.43 © Hybrid Analysis
Incident Response
Risk Assessment
- Spyware
  - Found a string that may be used as part of an injection method
- Persistence
  - Spawns a lot of processes
  - Writes data to a remote process
- Fingerprint
  - Queries kernel debugger information
  - Queries process information
  - Queries sensitive IE security settings
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Evasive
  - Marks file for deletion
  - Possibly tries to evade analysis by sleeping many times
  - Possibly tries to implement anti-virtualization techniques
  - Tries to sleep for a long time (more than two minutes)
- Spreading
  - Detected a large number of ARP broadcast requests (network device lookup)
  - Opens the MountPointManager (often used to detect additional infection locations)
- Network Behavior
  - Contacts 1 domain and 1 host.
MITRE ATT&CK™ Techniques Detection
Indicators

Malicious Indicators 9

External Systems

Sample was identified as malicious by a trusted Antivirus engine
- details:
No specific details available
- source: External System
- relevance: 5/10

Sample was identified as malicious by at least one Antivirus engine
- details:
2/71 Antivirus vendors marked sample as malicious (2% detection rate)
- source: External System
- relevance: 8/10

General

The analysis extracted a file that was identified as malicious
- details:
1/68 Antivirus vendors marked dropped file "getopt.dll" as malicious (classified as "Malware.Generic" with 1% detection rate)
1/68 Antivirus vendors marked dropped file "plist.dll" as malicious (classified as "Malware.Generic" with 1% detection rate)
1/63 Antivirus vendors marked dropped file "iDevice Panic Log Analyzer.exe" as malicious (classified as "Unsafe.AI_Score_61%" with 1% detection rate)
1/68 Antivirus vendors marked dropped file "pcreposix.dll" as malicious (classified as "HEUR/QVM30.2.A034.Malware" with 1% detection rate)
22/68 Antivirus vendors marked dropped file "iDevice Panic Log Analyzer.exe" as malicious (classified as "Trojan.MSIL.Basic.3" with 32% detection rate)
- source: Binary File
- relevance: 10/10

The analysis spawned a process that was identified as malicious
- details:
22/68 Antivirus vendors marked spawned process "iDevice Panic Log Analyzer.exe" (PID: 484) as malicious (classified as "Trojan.MSIL.Basic.3" with 32% detection rate)
22/68 Antivirus vendors marked spawned process "iDevice Panic Log Analyzer.exe" (PID: 2208) as malicious (classified as "Trojan.MSIL.Basic.3" with 32% detection rate)
- source: Monitored Target
- relevance: 10/10

Installation/Persistence

Allocates virtual memory in a remote process
- details:
"Setup.exe" allocated memory in "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1"
"Update.exe" allocated memory in "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\iDevicePanicLogAnalyzer"
- source: API Call
- relevance: 7/10
- ATT&CK ID: T1055

Writes data to a remote process
- details:
"Setup.exe" wrote 1500 bytes to a remote process "%LOCALAPPDATA%\SquirrelTemp\Update.exe" (Handle: 308)
"Setup.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\SquirrelTemp\Update.exe" (Handle: 308)
"Setup.exe" wrote 8 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\SquirrelTemp\Update.exe" (Handle: 308)
"Setup.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\SquirrelTemp\Update.exe" (Handle: 308)
"Setup.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\SquirrelTemp\Update.exe" (Handle: 308)
"Update.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\iDevicePanicLogAnalyzer\app-1.2.7\iDevice Panic Log Analyzer.exe" (Handle: 820)
"Update.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\iDevicePanicLogAnalyzer\app-1.2.7\iDevice Panic Log Analyzer.exe" (Handle: 1432)
"Update.exe" wrote 8 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\iDevicePanicLogAnalyzer\app-1.2.7\iDevice Panic Log Analyzer.exe" (Handle: 1432)
"Update.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\iDevicePanicLogAnalyzer\app-1.2.7\iDevice Panic Log Analyzer.exe" (Handle: 820)
"Update.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\iDevicePanicLogAnalyzer\app-1.2.7\iDevice Panic Log Analyzer.exe" (Handle: 820)
"Update.exe" wrote 8 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\iDevicePanicLogAnalyzer\app-1.2.7\iDevice Panic Log Analyzer.exe" (Handle: 820)
"Update.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\iDevicePanicLogAnalyzer\app-1.2.7\iDevice Panic Log Analyzer.exe" (Handle: 1432)
"Update.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\iDevicePanicLogAnalyzer\app-1.2.7\iDevice Panic Log Analyzer.exe" (Handle: 1432)
- source: API Call
- relevance: 6/10
- ATT&CK ID: T1055

Network Related

Detected a large number of ARP broadcast requests (network device lookup)
- details:
- Attempt to find devices in networks: "169.254.28.242/32, 169.254.40.52/32, 169.254.44.138/32, 169.254.54.81/32, 169.254.61.38/32, 169.254.74.95/32, 169.254.78.175/32, 169.254.95.149/32, 169.254.202.159/32, 169.254.204.21/32, 169.254.224.168/32, 169.254.240.75/32, 192.168.240.1/32, 192.168.240.2/32, 192.168.240.18/32, 192.168.240.142/32, 192.168.240.200/32, 192.168.240.210/32, 192.168.241.4/32, 192.168.241.49/32, 192.168.241.74/32, 192.168.241.83/32, 192.168.241.93/32, 192.168.241.105/32, 192.168.241.119/32, 192.168.241.149/32, 192.168.241.160/32, 192.168.241.165/32, 192.168.241.172/32, 192.168.241.185/32, 192.168.241.188/32, 192.168.241.193/32, 192.168.241.195/32, 192.168.241.211/32, 192.168.241.224/32, 192.168.241.230/32, 192.168.241.234/32, 192.168.241.239/32, 192.168.241.240/32, 192.168.241.246/32, 192.168.242.3/32, 192.168.242.13/32, 192.168.242.21/32, 192.168.242.49/32, 192.168.242.61/32, 192.168.242.71/32, 192.168.242.75/32, 192.168.242.76/32, 192.168.242.88/32, 192.168.242.106/32, 192.168.242.125/32, 192.168.242.166/32, 192.168.242.196/32, 192.168.242.218/32, 192.168.242.240/32, 192.168.243.2/32, 192.168.243.5/32, 192.168.243.42/32, 192.168.243.65/32, 192.168.243.86/32, 192.168.243.101/32, 192.168.243.128/32, 192.168.243.136/32, 192.168.243.138/32, 192.168.243.169/32, 192.168.243.178/32, 192.168.243.242/32"
- source: Network Traffic
- relevance: 10/10
- ATT&CK ID: T1016

Unusual Characteristics

Checks for a resource fork (ADS) file
- details:
"Update.exe" checked file "C:"
- source: API Call
- relevance: 5/10

Spawns a lot of processes
- details:
Spawned process "Setup.exe"
Spawned process "Update.exe" with commandline "--install ."
Spawned process "iDevice Panic Log Analyzer.exe" with commandline "--squirrel-install 1.2.7"
Spawned process "iDevice Panic Log Analyzer.exe" with commandline "--squirrel-firstrun"
Spawned process "DismHost.exe" with commandline "{87765E22-B8FC-47E2-A3F1-C41EC6D9E5ED}"
- source: Monitored Target
- relevance: 8/10

Suspicious Indicators 29

Anti-Detection/Stealthyness

Queries kernel debugger information
- details:
"Update.exe" at 00066491-00003532-00000033-7206819
"iDevice Panic Log Analyzer.exe" at 00067084-00000484-00000033-144472998
"iDevice Panic Log Analyzer.exe" at 00067770-00002208-00000033-152124769
"DismHost.exe" at 00075685-00002620-00000033-1185682
- source: API Call
- relevance: 6/10

Queries process information
- details:
"Update.exe" queried SystemProcessInformation at 00066491-00003532-00000033-14524995215888873
"Update.exe" queried SystemProcessInformation at 00066491-00003532-00000033-14524995215890648
- source: API Call
- relevance: 4/10
- ATT&CK ID: T1057

Anti-Reverse Engineering

Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
- details:
"Update.exe" is allocating memory with PAGE_GUARD access rights
"iDevice Panic Log Analyzer.exe" is allocating memory with PAGE_GUARD access rights
- source: API Call
- relevance: 10/10

PE file has unusual entropy sections
- details:
.rsrc with unusual entropies 7.99875170757
- source: Static Parser
- relevance: 10/10

Environment Awareness

Possibly tries to implement anti-virtualization techniques
- details:
"vboxvideo.inf" (Indicator: "vbox")
"2020-10-12 08:04:40, Error DISM DISM Driver Manager: PID=2620 Failed opening driver package for x86: INF Name='%WINDIR%\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_54dffbe2252403f6\vboxguest.inf' - CDriverPackage::OpenDm" (Indicator: "vbox")
"2020-10-12 08:04:40, Error DISM DISM Driver Manager: PID=2620 Failed opening driver package for x86: INF Name='%WINDIR%\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_54dffbe2252403f6\vboxguest.inf' - CDriverPackage::OpenDm" (Indicator: "vboxguest")
- source: File/Memory
- relevance: 4/10
- ATT&CK ID: T1497

Reads the cryptographic machine GUID
- details:
"Update.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"iDevice Panic Log Analyzer.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"DismHost.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012

General

Found a potential E-Mail address in binary/memory
- details:
Pattern match: "ne0@2.a"
- source: File/Memory
- relevance: 3/10
- ATT&CK ID: T1114

Installation/Persistence

Drops executable files
- details:
"DISMHOST.EXE.5F840C0F.bin" has type "PE32+ executable (GUI) x86-64 for MS Windows"
"SQLite.Interop.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"NuGet.Squirrel.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"zip.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"libssl-1_1.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"getopt.dll" has type "PE32+ executable (DLL) (console) x86-64 for MS Windows"
"libusb0.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"DeltaCompressionDotNet.MsDelta.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"libssl-1_1-x64.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"zlib1.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"System.Data.SQLite.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"SQLite.Interop.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"libiconv.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"readline.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"pcre.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"Mono.Cecil.Mdb.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"Mono.Cecil.Pdb.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"plist.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"Squirrel.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"bz2.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source: Binary File
- relevance: 10/10

Network Related

Detected increased number of ARP broadcast requests (network device lookup)
- details:
- Attempt to find devices in networks: "169.254.74.95/32, 192.168.240.2/32, 192.168.241.83/32, 192.168.241.119/32, 192.168.242.125/32, 192.168.242.166/32, 192.168.243.169/32, 192.168.243.242/32, ..."
- source: Network Traffic
- relevance: 10/10
- ATT&CK ID: T1046

Sends traffic on typical HTTP outbound port, but without HTTP header
- details:
TCP traffic to 140.82.112.5 on port 443 is sent without HTTP header
- source: Network Traffic
- relevance: 5/10
- ATT&CK ID: T1043

System Destruction

Marks file for deletion
- details:
"C:\Setup.exe" marked "%TEMP%\.squirrel-lock-986DCA8BE7232B01013D9E2DD9495E998CCC3300" for deletion
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1107

Opens file with deletion access rights
- details:
"Setup.exe" opened "%TEMP%\.squirrel-lock-986DCA8BE7232B01013D9E2DD9495E998CCC3300" with delete access
- source: API Call
- relevance: 7/10

System Security

Modifies proxy settings
- details:
"Update.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"Update.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1112

Queries sensitive IE security settings
- details:
"Update.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source: Registry Access
- relevance: 8/10
- ATT&CK ID: T1012

Unusual Characteristics

CRC value set in PE header does not match actual value
- details:
"DISMHOST.EXE.5F840C0F.bin" claimed CRC 141269 while the actual is CRC 11102942
"SQLite.Interop.dll" claimed CRC 1678563 while the actual is CRC 141269
"zip.dll" claimed CRC 141981 while the actual is CRC 567888
"libusb0.dll" claimed CRC 115837 while the actual is CRC 47208
"DeltaCompressionDotNet.MsDelta.dll" claimed CRC 64040 while the actual is CRC 115837
"zlib1.dll" claimed CRC 110924 while the actual is CRC 708385
"System.Data.SQLite.dll" claimed CRC 413349 while the actual is CRC 110924
"SQLite.Interop.dll" claimed CRC 1307179 while the actual is CRC 413349
"libiconv.dll" claimed CRC 938302 while the actual is CRC 1307179
"readline.dll" claimed CRC 141495 while the actual is CRC 938302
"pcre.dll" claimed CRC 410855 while the actual is CRC 141495
"Mono.Cecil.Mdb.dll" claimed CRC 103845 while the actual is CRC 410855
"Mono.Cecil.Pdb.dll" claimed CRC 98779 while the actual is CRC 103845
"bz2.dll" claimed CRC 103586 while the actual is CRC 246894
"lzma.dll" claimed CRC 172450 while the actual is CRC 103586
"DeltaCompressionDotNet.PatchApi.dll" claimed CRC 34755 while the actual is CRC 14598
"pcreposix.dll" claimed CRC 77339 while the actual is CRC 242226
"libxml2.dll" claimed CRC 1519869 while the actual is CRC 172558
"iMobileDevice-net.dll" claimed CRC 235688 while the actual is CRC 1519869
"libcharset.dll" claimed CRC 49677 while the actual is CRC 235688
- source: Static Parser
- relevance: 10/10

Imports suspicious APIs
- details:
GetFileAttributesW
GetTempPathW
OutputDebugStringW
GetModuleFileNameW
IsDebuggerPresent
LoadLibraryExA
UnhandledExceptionFilter
LoadLibraryExW
TerminateProcess
GetModuleHandleExW
LoadLibraryW
VirtualProtect
GetStartupInfoW
CreateDirectoryW
DeleteFileW
GetProcAddress
GetTempFileNameW
WriteFile
FindNextFileW
FindFirstFileExW
CreateFileW
LockResource
GetCommandLineW
GetCommandLineA
GetModuleHandleW
FindResourceW
CreateProcessW
SetSecurityDescriptorDacl
GetVersionExW
OutputDebugStringA
GetVersionExA
GetTickCount
MapViewOfFile
CreateFileMappingW
CreateThread
FindResourceExW
Sleep
GetFileAttributesA
GetTempPathA
GetModuleFileNameA
ExitThread
LoadLibraryA
GetFileSize
DeleteFileA
FindFirstFileExA
CreateFileMappingA
FindNextFileA
CreateFileA
GetFileAttributesExW
GetFileSizeEx
RegCloseKey
RegDeleteValueA
RegOpenKeyExA
RegEnumKeyExA
DeviceIoControl
GetModuleHandleA
FindResourceA
GetUserNameA
FindFirstFileA
VirtualAlloc
SleepConditionVariableCS
recv
send
WSAStartup
connect
closesocket
socket
FindFirstFileW
SleepEx
listen
bind
OpenProcess
GetThreadContext
accept
recvfrom
sendto
- source: Static Parser
- relevance: 1/10

Installs hooks/patches the running process
- details:
"Setup.exe" wrote bytes "b88011f873ffe0" to virtual address "0x77691368" (part of module "WS2_32.DLL")
"Setup.exe" wrote bytes "d83a6175" to virtual address "0x756201E0" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "b4366175" to virtual address "0x75620200" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "b4360200" to virtual address "0x75614EA4" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "b4366175" to virtual address "0x756201E4" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "b4360200" to virtual address "0x75614D68" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "68130000" to virtual address "0x77691680" (part of module "WS2_32.DLL")
"Setup.exe" wrote bytes "7111b5007a3bb400ab8b02007f950200fc8c0200729602006cc805001ecdb1007d26b100" to virtual address "0x772807E4" (part of module "USER32.DLL")
"Setup.exe" wrote bytes "a011f873" to virtual address "0x7635E324" (part of module "WININET.DLL")
"Setup.exe" wrote bytes "c0dfd7771cf9d677ccf8d6770d64d87700000000c011057700000000fc3e057700000000e0130577000000009457ab7525e0d777c6e0d77700000000bc6aaa7500000000cf310577000000009319ab75000000002c32057700000000" to virtual address "0x77D21000" (part of module "NSI.DLL")
"Setup.exe" wrote bytes "b81015f873ffe0" to virtual address "0x756136B4" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "d83a6175" to virtual address "0x75620274" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "b89012f873ffe0" to virtual address "0x75613AD8" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "d83a0200" to virtual address "0x75614E38" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "d83a0200" to virtual address "0x75614D78" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "d83a6175" to virtual address "0x75620258" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "b4366175" to virtual address "0x75620278" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "b4366175" to virtual address "0x7562025C" (part of module "SSPICLI.DLL")
"Setup.exe" wrote bytes "d83a6175" to virtual address "0x756201FC" (part of module "SSPICLI.DLL")
"Update.exe" wrote bytes "b88011f873ffe0" to virtual address "0x77691368" (part of module "WS2_32.DLL")
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1179

Reads information about supported languages
- details:
"Update.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"Update.exe" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "SYEARMONTH")
"iDevice Panic Log Analyzer.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012

Timestamp in PE header is very old or in the future
- details:
"iMobileDevice-net.dll" claims program is from Tue Sep 5 01:19:07 2079
"Newtonsoft.Json.dll" claims program is from Fri Jan 21 16:48:49 2089
"Dapper.dll" claims program is from Fri May 7 04:13:14 2049
"SharpCompress.dll" claims program is from Sun Jul 6 04:31:16 2059
- source: Static Parser
- relevance: 10/10

Informative 24

Environment Awareness

Queries volume information
- details:
"Update.exe" queries volume information of "%LOCALAPPDATA%\SquirrelTemp\setupIcon.ico" at 00066491-00003532-00000046-16840415
"Update.exe" queries volume information of "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll" at 00066491-00003532-00000046-17376601
"Update.exe" queries volume information of "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll" at 00066491-00003532-00000046-17602200
"Update.exe" queries volume information of "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll" at 00066491-00003532-00000046-17612537
"Update.exe" queries volume information of "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll" at 00066491-00003532-00000046-17658725
"Update.exe" queries volume information of "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll" at 00066491-00003532-00000046-17667275
"Update.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\SquirrelTemp\Update.exe" at 00066491-00003532-00000046-14524995202918480
"Update.exe" queries volume information of "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll" at 00066491-00003532-00000046-14524995209607008
"Update.exe" queries volume information of "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.DataAnnotations\v4.0_4.0.0.0__31bf3856ad364e35\System.ComponentModel.DataAnnotations.dll" at 00066491-00003532-00000046-14524995217493711
"Update.exe" queries volume information of "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.DataAnnotations\v4.0_4.0.0.0__31bf3856ad364e35\System.ComponentModel.DataAnnotations.dll" at 00066491-00003532-00000046-14524995217535151
"Update.exe" queries volume information of "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.Linq.dll" at 00066491-00003532-00000046-14524995217650372
"Update.exe" queries volume information of "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.Linq.dll" at 00066491-00003532-00000046-14524995217663446
"iDevice Panic Log Analyzer.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\iDevicePanicLogAnalyzer\app-1.2.7\iDevice Panic Log Analyzer.exe" at 00067084-00000484-00000046-1559286
"iDevice Panic Log Analyzer.exe" queries volume information of "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.dll" at 00067084-00000484-00000046-2203455
"iDevice Panic Log Analyzer.exe" queries volume information of "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xaml\v4.0_4.0.0.0__b77a5c561934e089\System.Xaml.dll" at 00067084-00000484-00000046-2828925
"iDevice Panic Log Analyzer.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Local\iDevicePanicLogAnalyzer\app-1.2.7\iMobileDevice-net.dll" at 00067084-00000484-00000046-2977671
"iDevice Panic Log Analyzer.exe" queries volume information of "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WindowsBase\v4.0_4.0.0.0__31bf3856ad364e35\WindowsBase.dll" at 00067084-00000484-00000046-144437171
"iDevice Panic Log Analyzer.exe" queries volume information of "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.dll" at 00067084-00000484-00000046-144542534
"iDevice Panic Log Analyzer.exe" queries volume information of "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework\v4.0_4.0.0.0__31bf3856ad364e35\PresentationFramework.dll" at 00067084-00000484-00000046-144553671
"iDevice Panic Log Analyzer.exe" queries volume information of "C:\Windows\Microsoft.NET\assembly\GAC_64\PresentationCore\v4.0_4.0.0.0__31bf3856ad364e35\PresentationCore.dll" at 00067084-00000484-00000046-144645919
- source: API Call
- relevance: 2/10
- ATT&CK ID: T1120

Reads the registry for installed applications
- details:
"Update.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\IDEVICE PANIC LOG ANALYZER.EXE")
"Update.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\IDEVICE PANIC LOG ANALYZER.EXE")
"Update.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IDEVICEPANICLOGANALYZER")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012

External Systems

Detected Suricata Alert
- details:
Detected alert "ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent" (SID: 2027390, Rev: 3, Severity: 3) categorized as "Unknown Traffic"
Detected alert "ET INFO Windows OS Submitting USB Metadata to Microsoft" (SID: 2025275, Rev: 3, Severity: 3) categorized as "Misc activity"
- source: Suricata Alerts
- relevance: 10/10

General

Contacts domains
- details:
"api.github.com"
- source: Network Traffic
- relevance: 1/10

Contacts server
- details:
"140.82.112.5:443"
- source: Network Traffic
- relevance: 1/10

Contains PDB pathways
- details:
"%USERPROFILE%\code\Squirrel\Squirrel.Windows\src\Setup\bin\Release\Setup.pdb"
"lib/net45/Mono.Cecil.Pdb.dll"
"compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -utf-8 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DK"
- source: File/Memory
- relevance: 1/10

Creates a writable file in a temporary directory
- details:
"Update.exe" created file "%TEMP%\.squirrel-lock-986DCA8BE7232B01013D9E2DD9495E998CCC3300"
- source: API Call
- relevance: 1/10

Creates mutants
- details:
"Local\__DDrawCheckExclMode__"
"Local\ZonesCacheCounterMutex"
"Local\__DDrawExclMode__"
"Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\RasPbFile"
"RasPbFile"
"\Sessions\1\BaseNamedObjects\Local\__DDrawExclMode__"
"\Sessions\1\BaseNamedObjects\Local\__DDrawCheckExclMode__"
"\BaseNamedObjects\Global\WdsSetupLogInit"
- source: Created Mutant
- relevance: 3/10

Drops files marked as clean
- details:
Antivirus vendors marked the following dropped files as clean:
"DISMHOST.EXE.5F840C0F.bin" (type is "PE32+ executable (GUI) x86-64 for MS Windows")
"SQLite.Interop.dll" (type is "PE32+ executable (DLL) (GUI) x86-64 for MS Windows")
"NuGet.Squirrel.dll" (type is "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows")
"zip.dll" (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
"libssl-1_1.dll" (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
"libusb0.dll" (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
"DeltaCompressionDotNet.MsDelta.dll" (type is "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows")
"libssl-1_1-x64.dll" (type is "PE32+ executable (DLL) (GUI) x86-64 for MS Windows")
"zlib1.dll" (type is "PE32+ executable (DLL) (GUI) x86-64 for MS Windows")
"System.Data.SQLite.dll" (type is "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows")
"SQLite.Interop.dll" (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
"libiconv.dll" (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
"readline.dll" (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
"pcre.dll" (type is "PE32+ executable (DLL) (GUI) x86-64 for MS Windows")
"Mono.Cecil.Mdb.dll" (type is "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows")
"Mono.Cecil.Pdb.dll" (type is "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows")
"Squirrel.dll" (type is "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows")
"bz2.dll" (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
"lzma.dll" (type is "PE32+ executable (DLL) (GUI) x86-64 for MS Windows")
"imobiledevice-net-lighthouse.dll" (type is "PE32+ executable (DLL) (GUI) x86-64 for MS Windows")
- source: Binary File
- relevance: 10/10

Loads the .NET runtime environment
- details:
"Update.exe" loaded module "%WINDIR%\assembly\NativeImages_v4.0.30319_32\mscorlib\36eaccfde177c2e7b93b8dbdde4e012a\mscorlib.ni.dll" at 72210000
"iDevice Panic Log Analyzer.exe" loaded module "%WINDIR%\assembly\NativeImages_v4.0.30319_64\mscorlib\fe2524177eb3088c77be666722039f52\mscorlib.ni.dll" at EE4A0000
"iDevice Panic Log Analyzer.exe" loaded module "%WINDIR%\assembly\NativeImages_v4.0.30319_64\mscorlib\fe2524177eb3088c77be666722039f52\mscorlib.ni.dll" at ED9D0000
- source: Loaded Module

Overview of unique CLSIDs touched in registry
- details
-
"Update.exe" touched "NDP SymBinder" (Path: "HKCU\WOW6432NODE\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\INPROCSERVER32")
"Update.exe" touched "Computer" (Path: "HKCU\WOW6432NODE\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
"Update.exe" touched "Memory Mapped Cache Mgr" (Path: "HKCU\WOW6432NODE\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}")
"Update.exe" touched "UsersFiles" (Path: "HKCU\WOW6432NODE\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\SHELLFOLDER")
"Update.exe" touched "Property System Both Class Factory" (Path: "HKCU\WOW6432NODE\CLSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}")
"Update.exe" touched "delegate folder that appears in Users Files Folder" (Path: "HKCU\WOW6432NODE\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\SHELLFOLDER")
"Update.exe" touched "Shell File System Folder" (Path: "HKCU\WOW6432NODE\CLSID\{0E5AAE11-A475-4C5B-AB00-C66DE400274E}\INPROCSERVER32")
"Update.exe" touched "Security Manager" (Path: "HKCU\WOW6432NODE\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\TREATAS")
"Update.exe" touched "Shortcut" (Path: "HKCU\WOW6432NODE\CLSID\{00021401-0000-0000-C000-000000000046}\INPROCSERVER32")
"Update.exe" touched "TF_TransitoryExtensionUIEntry" (Path: "HKCR\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\INPROCSERVER32")
"Update.exe" touched "Task Bar Communication" (Path: "HKCU\WOW6432NODE\CLSID\{56FDF344-FD6D-11D0-958A-006097C9A090}\INPROCSERVER32")
"DismHost.exe" touched "PSDispatch" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{00020420-0000-0000-C000-000000000046}\TREATAS")
"DismHost.exe" touched "PSSupportErrorInfo" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{DF0B3D60-548F-101B-8E65-08002B2BD119}\TREATAS")
- source
- Registry Access
- relevance
- 3/10
-
Process launched with changed environment
- details
-
Process "Update.exe" was launched with new environment variables: "PROCESSOR_ARCHITEW6432="AMD64", __PROCESS_HISTORY="C:\Setup.exe""
Process "iDevice Panic Log Analyzer.exe" was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles"
Process "DismHost.exe" was launched with modified environment variables: "CommonProgramFiles, LOCALAPPDATA, USERDOMAIN, PROCESSOR_ARCHITECTURE, TEMP, APPDATA, USERPROFILE, TMP, ProgramFiles"
Process "DismHost.exe" was launched with missing environment variables: "PROCESSOR_ARCHITEW6432, LOGONSERVER, HOMEPATH, HOMEDRIVE, __PROCESS_HISTORY"
- source
- Monitored Target
- relevance
- 10/10
-
Scanning for window names
- details
- "Update.exe" searching for class "Shell_TrayWnd"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1010
-
Spawns new processes
- details
-
Spawned process "Update.exe" with commandline "--install ."
Spawned process "iDevice Panic Log Analyzer.exe" with commandline "--squirrel-install 1.2.7"
Spawned process "iDevice Panic Log Analyzer.exe" with commandline "--squirrel-firstrun"
Spawned process "DismHost.exe" with commandline "{87765E22-B8FC-47E2-A3F1-C41EC6D9E5ED}"
- source
- Monitored Target
- relevance
- 3/10
-
Spawns new processes that are not known child processes
- details
-
Spawned process "Update.exe" with commandline "--install ."
Spawned process "iDevice Panic Log Analyzer.exe" with commandline "--squirrel-install 1.2.7"
Spawned process "iDevice Panic Log Analyzer.exe" with commandline "--squirrel-firstrun"
Spawned process "DismHost.exe" with commandline "{87765E22-B8FC-47E2-A3F1-C41EC6D9E5ED}"
- source
- Monitored Target
- relevance
- 3/10
-
The input sample possibly contains the RDTSCP instruction
- details
- Found VM detection artifact "RDTSCP trick" in "c266c3588c1876c3740a701a49bb9ca1d7dadfbff6a6a9e0a58f1d2c6909f7bc.bin" (Offset: 4733385)
- source
- Binary File
- relevance
- 5/10
- ATT&CK ID
- T1497
-
-
Installation/Persistence
-
Accessed IE Quick Launch directory
- details
- "Update.exe" obtained handle to "%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk" (Type: "FileHandle")
- source
- Touched Handle
- relevance
- 10/10
-
Connects to LPC ports
- details
-
"Setup.exe" connecting to "\ThemeApiPort"
"Update.exe" connecting to "\ThemeApiPort"
"iDevice Panic Log Analyzer.exe" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
-
Dropped files
- details
-
"DISMHOST.EXE.5F840C0F.bin" has type "PE32+ executable (GUI) x86-64 for MS Windows"
"SQLite.Interop.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"NuGet.Squirrel.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"zip.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"libssl-1_1.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"getopt.dll" has type "PE32+ executable (DLL) (console) x86-64 for MS Windows"
"libusb0.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"DeltaCompressionDotNet.MsDelta.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"libssl-1_1-x64.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"zlib1.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"System.Data.SQLite.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"SQLite.Interop.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"libiconv.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"readline.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"pcre.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"Mono.Cecil.Mdb.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"Mono.Cecil.Pdb.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"plist.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"Squirrel.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"bz2.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"Setup.exe" touched file "%WINDIR%\AppPatch\sysmain.sdb"
"Setup.exe" touched file "C:\Windows\AppPatch\AcGenral.dll"
"Setup.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"Update.exe" touched file "C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\36eaccfde177c2e7b93b8dbdde4e012a\mscorlib.ni.dll.aux"
"Update.exe" touched file "C:\Windows\SysWOW64\rsaenh.dll"
"Update.exe" touched file "C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\d9f0293b9d57900da85de5a4190de717\System.Xaml.ni.dll.aux"
"Update.exe" touched file "C:\Windows\SysWOW64\tzres.dll"
"Update.exe" touched file "C:\Windows\AppPatch\AppPatch64\sysmain.sdb"
"Update.exe" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config"
"Update.exe" touched file "C:\Windows\SysWOW64\en-US\KernelBase.dll.mui"
"Update.exe" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll"
"Update.exe" touched file "C:\Windows\Fonts\StaticCache.dat"
"Update.exe" touched file "C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio49d6fefe#\e6043b7909fbac58c21772f1d2ad5cd1\PresentationFramework-SystemXml.ni.dll.aux"
"Update.exe" touched file "C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll"
"Update.exe" touched file "C:\Windows\SysWOW64\en-US\msctf.dll.mui"
- source
- API Call
- relevance
- 7/10
-
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://go.microsoft.com/fwlink/?LinkId=397707-http://go.microsoft.com/fwlink/?LinkId=780596"
Pattern match: "http://go.microsoft.com/fwlink/?LinkId=863262"
Heuristic match: "api.github.com"
Pattern match: "chemas.microsoft.com/packaging/2013/05/nuspec.xsd"
- source
- File/Memory
- relevance
- 10/10
-
-
System Security
-
Creates or modifies windows services
- details
- "iDevice Panic Log Analyzer.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"Setup.exe" opened "\Device\KsecDD"
"Update.exe" opened "\Device\KsecDD"
"iDevice Panic Log Analyzer.exe" opened "\Device\KsecDD"
"DismHost.exe" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215
-
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
-
"c266c3588c1876c3740a701a49bb9ca1d7dadfbff6a6a9e0a58f1d2c6909f7bc.bin" was detected as "VC8 -> Microsoft Corporation"
"NuGet.Squirrel.dll" was detected as "Morphine v1.2 (DLL)"
"zip.dll" was detected as "Borland Delphi 3.0 (???)"
"libssl-1_1.dll" was detected as "Microsoft visual C++ 8.0"
"libusb0.dll" was detected as "Borland Delphi 3.0 (???)"
"DeltaCompressionDotNet.MsDelta.dll" was detected as "Microsoft visual C# / Basic .NET"
"SQLite.Interop.dll" was detected as "Borland Delphi 3.0 (???)"
"libiconv.dll" was detected as "Borland Delphi 3.0 (???)"
"readline.dll" was detected as "Borland Delphi 3.0 (???)"
"Mono.Cecil.Mdb.dll" was detected as "Microsoft visual C# / Basic .NET"
"Mono.Cecil.Pdb.dll" was detected as "Microsoft visual C# / Basic .NET"
"bz2.dll" was detected as "Borland Delphi 3.0 (???)"
"DeltaCompressionDotNet.PatchApi.dll" was detected as "Microsoft visual C# / Basic .NET"
"Splat.dll" was detected as "Microsoft visual C# / Basic .NET"
"iDevice Panic Log Analyzer.exe" was detected as "VC8 -> Microsoft Corporation"
"libusb-1.0.dll" was detected as "Borland Delphi 3.0 (???)"
"iMobileDevice-net.dll" was detected as "Microsoft visual C# / Basic .NET"
"irecovery.dll" was detected as "Borland Delphi 3.0 (???)"
"pcreposix.dll" was detected as "Borland Delphi 3.0 (???)"
"vcruntime140.dll" was detected as "Borland Delphi 3.0 (???)"
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1045
-
File Details
Setup.exe
- Filename
- Setup.exe
- Size
- 11MiB (11085312 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- c266c3588c1876c3740a701a49bb9ca1d7dadfbff6a6a9e0a58f1d2c6909f7bc
- MD5
- 618dafee3f8be56b61e7c288343c07da
- SHA1
- 071a5274b456b2805683056d53a0a821a4ee13b2
- ssdeep
- 196608:Vc8Mbiu6JS0w5s7kMAHLhrp6JM/0oQsoM1WW3DcgeLFy4T37v/7/ExzRBs/VMdpa:VtMqJSV5Lrhrpk21Wocg54T37n7KA/KW
- imphash
- bcf80497fe587a3956d64dc513da9548
- authentihash
- e2494e8feb838db811221e9d9538b42ceea78f9943ad6bb7036a054f2adf5b41
- Compiler/Packer
- VC8 -> Microsoft Corporation
- PDB Timestamp
- 02/08/2019 02:59:34 (UTC)
- PDB Pathway
- C:\Users\ana\code\Squirrel\Squirrel.Windows\src\Setup\bin\Release\Setup.pdb
- PDB GUID
- B5161020817C4DF9BAC186594C116155
Version Info
- LegalCopyright
- Copyright 2020 Wayne Bonnici
- InternalName
- Setup.exe
- FileVersion
- 1.2.7
- CompanyName
- Wayne Bonnici
- SquirrelAwareVersion
- 1
- ProductName
- A quick and easy panic log extraction and analysis tool for iDevices.
- ProductVersion
- 1.2.7
- FileDescription
- A quick and easy panic log extraction and analysis tool for iDevices.
- OriginalFilename
- Setup.exe
- Translation
- 0x0409 0x04b0
Classification (TrID)
- 42.7% (.EXE) Win32 Executable (generic)
- 19.2% (.EXE) OS/2 Executable (generic)
- 18.9% (.EXE) Generic Win/DOS Executable
- 18.9% (.EXE) DOS Executable Generic
File Metadata
- 1 .OBJ Files (COFF) linked with LINK.EXE 5.10 (Visual Studio 5) (build: 27026)
- 1 Unknown Resource Files (build: 0)
- 6 .BAS Files compiled with C2.EXE 5.0 (Visual Basic 6) (build: 27026)
- 7 .LIB Files generated with LIB.EXE 11.00 (Visual Studio 2012) (build: 65501)
- 1 .C Files (converted from .NET IL) compiled with CVTCIL.EXE 17.00 (Visual Studio 2012) (build: 65501)
- 52 .OBJ Files (OMF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 26706)
- 2 .C Files compiled with CL.EXE 17.00 (Visual Studio 2012) (build: 65501)
- 18 .OBJ Files (OMF) linked with LINK.EXE 5.10 (Visual Studio 5) (build: 26706)
- 19 .OBJ Files (COFF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 26706)
- File contains Visual Basic code
- File appears to contain raw COFF/OMF content
- File is the product of a small codebase (6 files)
Hybrid Analysis
Analysed 5 processes in total (System Resource Monitor).
- Setup.exe (PID: 3580) 2/71
  - Update.exe --install . (PID: 3532)
    - iDevice Panic Log Analyzer.exe --squirrel-install 1.2.7 (PID: 484) 22/68
    - iDevice Panic Log Analyzer.exe --squirrel-firstrun (PID: 2208) 22/68
    - DismHost.exe {87765E22-B8FC-47E2-A3F1-C41EC6D9E5ED} (PID: 2620)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
api.github.com | 140.82.112.5 (TTL: 59) | MarkMonitor, Inc. (Organization: GitHub, Inc.; Name Server: NS-1283.AWSDNS-32.ORG; Creation Date: Tue, 09 Oct 2007 00:00:00 GMT) | United States |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
140.82.112.5 | 443 TCP | idevice panic log analyzer.exe (PID: 484), idevice panic log analyzer.exe (PID: 2208) | United States |
HTTP Traffic
No relevant HTTP requests were made.
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 184.84.68.43:80 (TCP) | Unknown Traffic | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent | 2027390 |
local -> 20.54.64.202:80 (TCP) | Misc activity | ET INFO Windows OS Submitting USB Metadata to Microsoft | 2025275 |
local -> 184.84.68.43:80 (TCP) | Unknown Traffic | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent | 2027390 |
local -> 184.84.68.43:80 (TCP) | Unknown Traffic | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent | 2027390 |
local -> 20.54.64.202:80 (TCP) | Unknown Traffic | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent | 2027390 |
local -> 184.84.68.43:80 (TCP) | Unknown Traffic | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent | 2027390 |
local -> 20.54.64.202:80 (TCP) | Unknown Traffic | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent | 2027390 |
local -> 20.54.64.202:80 (TCP) | Unknown Traffic | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent | 2027390 |
local -> 20.54.64.202:80 (TCP) | Unknown Traffic | ET USER_AGENTS Microsoft Device Metadata Retrieval Client User-Agent | 2027390 |
Extracted Files
Displaying 50 extracted file(s). The remaining 33 file(s) are available in the full version and XML/JSON reports.
-
Malicious 2
-
-
iDevice Panic Log Analyzer.exe
- Size
- 179KiB (182784 bytes)
- Type
- peexe assembly executable
- Description
- PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- Labeled as "Trojan.MSIL.Basic.3" (22/68)
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 9d91fc8b430570377a453c4b9480432b
- SHA1
- 9df36d50a89ae763c5cf79f198bc307ede8d3b74
- SHA256
- d24f114558529fa986d11dcb599663b41e187f2df7b2abbb4b36bf9648f5834f
-
pcreposix.dll
- Size
- 11KiB (10752 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "HEUR/QVM30.2.A034.Malware" (1/68)
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 31fd4f11908485be6013b150b4e8b618
- SHA1
- 7fad7bf86aaa7b4d3965f60afbb460ceff357eed
- SHA256
- b64e5cd4d4b7de433f9dba638d7a0d917d32d1b1be8e1bafa810070da7a2072d
-
-
Clean 28
-
-
Dapper.dll
- Size
- 188KiB (192512 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/68
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- c847cc8b4f5050e7f3ac32e34923c884
- SHA1
- 5ce723d446b5673990c92494be5b8c3b3f62989a
- SHA256
- 1b8a662d0bc41421e18ced49290760a20b44e2b593f1b49558bc318532d0d208
-
DeltaCompressionDotNet.MsDelta.dll
- Size
- 5.5KiB (5632 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/69
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- c848a2f5fa5feaa71409795e8e8c69d0
- SHA1
- 9074f5b0ca107ab915164f790533bd672048c7b4
- SHA256
- 1ce872ed466a8a3466c808a7babf3b597ec12e1cb84870e7a0cf00b2f5ef6df4
-
DeltaCompressionDotNet.PatchApi.dll
- Size
- 5KiB (5120 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/69
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- a1e92e6cda95789e88b732eafa276b2b
- SHA1
- dd488c17b6ef509769602fc7d5f12d06544cc4a7
- SHA256
- 684dc7547bd5490184bc76e7f4b80cf40869f817a12e964dfc502c3f3db07515
-
DeltaCompressionDotNet.dll
- Size
- 4.5KiB (4608 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/69
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- ffa8ab2e87481d9da99d224e0389c8d5
- SHA1
- 087df6bcf23eebc46f064c48674d4fe5db3a9b1d
- SHA256
- 13950b911243e13269ef2487a00147c824e2223a7fb9103eb21f765c795be45e
-
Mono.Cecil.Mdb.dll
- Size
- 44KiB (45056 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/69
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 3c6cff9ef0ba7748d6c61dfacb6890a7
- SHA1
- 9eef83f72a47d40d93fd8a7a8e4faa7520aee629
- SHA256
- b8625ace855a3086e2086af418e17daf24a30a4fbffc559c42f329edec52806e
-
Mono.Cecil.Pdb.dll
- Size
- 80KiB (81920 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/69
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- c7a0b5173df5bea531a20fbace30fc89
- SHA1
- 67406903ad483ab36418b13171fa5b686d2be457
- SHA256
- 25eb34cf9a7038d71ca15ddbfb3c180b4a2119219d487fd760437f5da7edf292
-
Mono.Cecil.Rocks.dll
- Size
- 23KiB (23552 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/67
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 7c9a0c59ce05aba61485eb46883ba933
- SHA1
- e48767493cf6a8a3c16dd5e386438d75b90e264d
- SHA256
- 822c94d1c2ab96efeb19bc5f1d304586e70a004d2f44f372377f33f2545eb921
-
Newtonsoft.Json.dll
- Size
- 684KiB (700336 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/68
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 6815034209687816d8cf401877ec8133
- SHA1
- 1248142eb45eed3beb0d9a2d3b8bed5fe2569b10
- SHA256
- 7f912b28a07c226e0be3acfb2f57f050538aba0100fa1f0bf2c39f1a1f1da814
-
NuGet.Squirrel.dll
- Size
- 499KiB (510976 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/72
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 1306e8406b64ef7a7cbef6cdcfe75f56
- SHA1
- 667bc50e1147015a9647e93ca732c5f99c67ab73
- SHA256
- b678531c7ba7c873fcd5584bd066cec819b94095eb6caf1d0470ab8c10dd8e8b
-
SharpCompress.dll
- Size
- 444KiB (454144 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/70
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- c549482f392b4a426d293121bd26ebe2
- SHA1
- cd30ba0c9b94b2d8453e94614bac8f9943f6e01c
- SHA256
- 21d9b05a5c703f6754b8fbd6e3d0d58fc6dd31215d1118af64d4305f7d92d585
-
Splat.dll
- Size
- 45KiB (46080 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/67
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 1975e684c48457d72f37696bb1b880e6
- SHA1
- eb254b470df9172aa07f13e7280bced746d95e22
- SHA256
- 7a6f255cf59d6594c8f5bc466956f09305a3a10c8d683e485c7e1f14371701c4
-
Squirrel.dll
- Size
- 234KiB (239104 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/72
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- dbf38866ff6429b9348217792c272672
- SHA1
- 460016e65ac2818c409cf10344844e55067a1c49
- SHA256
- b702955fd9f77a877ccc793d5745bf882b665bd8a21adf5e9abb0456ce0c3e47
-
System.Data.SQLite.dll
- Size
- 348KiB (356352 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/69
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 83dfd2fe35efb2154bcdd3b475f378f2
- SHA1
- 43eaf586250bf5c8b32eb832cf3479a8dbf7cca2
- SHA256
- 7a4dde948b573b5a92cb1f63a2201006e61ea24107d9668a36efa378e8d48f08
-
iMobileDevice-net.dll
- Size
- 177KiB (180736 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/68
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- b281a386be2c8c19ad63e6e008815945
- SHA1
- 3111efbd55617d763ade4eaaa51185e19b0b735a
- SHA256
- 130edcc799e6e6d69d0254cf6874e6d9ec5ef628ea5c750cabebf95de3b97bd0
-
ideviceactivation.dll
- Size
- 27KiB (27648 bytes)
- Type
- pedll 64bits executable
- Description
- PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/66
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 5c4cdcba0db9f10500ced5c4325b5863
- SHA1
- c282f5ce601c3d9ef9cca40219751d6bba3505db
- SHA256
- 405c6ca69401bfec40869fcaa367c05647a227eb8d18ccb935418cdaecf0396b
-
libcrypto-1_1-x64.dll
- Size
- 3.3MiB (3440640 bytes)
- Type
- pedll 64bits executable
- Description
- PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/72
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 584dcb9fd8c486b35f76fa2514635f06
- SHA1
- 4a68860caa8475f1bc6e5264df2cfe57b639e2c7
- SHA256
- 34510c24aef573eb75c36c5598d08a18d0c73e787f73fb23a5bbf395fe96b5eb
-
libssl-1_1-x64.dll
- Size
- 668KiB (683520 bytes)
- Type
- pedll 64bits executable
- Description
- PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/68
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 72f31fe80faa34bc897d160cfa17e0af
- SHA1
- a1a5d3e6a4bfd49ff004cfd14680b399e97a1b1b
- SHA256
- 1915d1ba65f8a3d627c31b6281d118623fc43945b0c67b2531a4c96792ddf92c
-
libxml2.dll
- Size
- 1.1MiB (1134080 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/67
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 80c77725c67de7b1d42df550835ecdd6
- SHA1
- aba80d1f163b4b20ff040dd91cecca29bfec9b4b
- SHA256
- 8b8f064f741921e09336e253ed1c1d776bcb91fa1793fc866062de90173017d7
-
plist.dll
- Size
- 56KiB (56832 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/67
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- b1b5765189736838d7c35497f5a7a7d5
- SHA1
- 2ed4e92ea04e2ad93ad3461c5314b91e5440a0af
- SHA256
- 0ad42886e36045cff8128c780620e741b59b0dfdcbccc1734f9708c18b4a0088
-
bz2.dll
- Size
- 74KiB (75264 bytes)
- Type
- pedll 64bits executable
- Description
- PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/68
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- a3718a8dd20c160dd6e22e3d8653815e
- SHA1
- 955371bee336e53cb2cbc405aff8a6c507e52dc4
- SHA256
- 549669a385b382e29b2ddabfb19891fc62534faa2ebbae4ee23be62d2e498b69
-
imobiledevice-net-lighthouse.dll
- Size
- 9KiB (9216 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/70
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 78bc748267db65d7b9287bdbb082a9e4
- SHA1
- 383f9a9ecd805409d94774a7ba4c6d716ab1eb44
- SHA256
- 52c513b1180372cb94b9b23390494e296d7e6719f527918b0bc06332ff1c48c9
-
libssl-1_1.dll
- Size
- 522KiB (534016 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/70
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 30aedfd98e31ebdcb00ea2a79d2c7467
- SHA1
- 26c78e5e4392f5696bd21ef6be22f4a9329170ce
- SHA256
- 36dd266c862edd3f79b8f87486dea6e5c0a75a2182278fd997ba4b1e7376f64a
-
libusb0.dll
- Size
- 84KiB (85504 bytes)
- Type
- pedll 64bits executable
- Description
- PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/69
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 6a5c08b05eacb6fdee126b075860b613
- SHA1
- 8aa2c432e1d2648ab2b6666cc47dd80617e7e8f9
- SHA256
- addc45ee8c04d4484a017ad48353355beb7385a1e6b53324804e1f46e3256d0f
-
readline.dll
- Size
- 170KiB (174080 bytes)
- Type
- pedll 64bits executable
- Description
- PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/71
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 66518876a9fde5853cae88a353b55afe
- SHA1
- 661b82682ab019f5bf99fedd14e04c48a381bf89
- SHA256
- 437a63db1879196b9346590c2984cfe79a9826ca157e4fa90e48638d092bb155
-
vcruntime140.dll
- Size
- 86KiB (87736 bytes)
- Type
- pedll 64bits executable
- Description
- PE32+ executable (DLL) (console) x86-64, for MS Windows
- AV Scan Result
- 0/72
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 6888a93e3be0d92bf2293e2bd3043ddb
- SHA1
- 403c038f61d45d4bd74b59d13b3eb0dea9e04a9d
- SHA256
- b989172491bcf631322d87d7b812fb5598b8fcdd1e2a30c119f5265080cd13b8
-
zip.dll
- Size
- 97KiB (98816 bytes)
- Type
- pedll 64bits executable
- Description
- PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/69
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 61b1a14a6e1c5cc2c7b4614356d1c658
- SHA1
- 4e0156c5f189188dce392ef2cf691b662ce07c84
- SHA256
- 4f8fecc277193ddd878e382a43e179f9596825daa5f8d097c808a07898959250
-
SQLite.Interop.dll
- Size
- 1.2MiB (1280000 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/67
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 1d5041dc5a86b787d9701b78a9e0b121
- SHA1
- 88873d0af22c924869f8c10c46e9b8f765d9b998
- SHA256
- 4870018813eff9a5b050044c5eb639bb3e536ec1cd3ad03da389b83216c0f4d5
-
DISMHOST.EXE.5F840C0F.bin
- Size
- 95KiB (96768 bytes)
- Type
- peexe 64bits executable
- Description
- PE32+ executable (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/68
- MD5
- 516a5fce06bb388499238a5f9286cb74
- SHA1
- 958be7d02fca674fb386482090b9a5024d0a1538
- SHA256
- 9a4b735603297448841758b29d3c387a4ce84e5fd0dae05622f43ce53b8c85e6
-
-
Informative Selection 1
-
-
Update.exe
- Size
- 1.7MiB (1826816 bytes)
- Type
- peexe assembly executable
- Description
- PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- c5f6cda4976ae38cd9fba3d1e5ebd244
- SHA1
- 2006c37f01d010963a4331c42e579b87a2d16039
- SHA256
- dae7bd888b715b8e215482bc5ea6f028ded32a3ad88bf4acb6431d2a62ffe3f4
-
-
Informative 19
-
-
SquirrelSetup.log
- Size
- 3.5KiB (3601 bytes)
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- f7ee9c248cc25a95af5c851a8517a0d0
- SHA1
- 3e1c6008427ff938a9cc138deac3bb92e8adafa7
- SHA256
- d6e23b063258df0ab105a285f3abceb8b3db4fe281e131accd2822f50242124b
-
setupIcon.ico
- Size
- 17KiB (16958 bytes)
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 0f1263b1f5bea660cd78a1a7cbba76cb
- SHA1
- fde446127e0e51a43ff7e758748f5172a2cb5f4d
- SHA256
- 45b6232d785bed16036507ab57bd6437c93a8ea1241f22a3fd662457c351fef8
-
LICENSES.txt
- Size
- 1001B (1001 bytes)
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 94be38636fa9eb00d95d7d778bf327e7
- SHA1
- 613b420531722e578f41e7d022b95571ef9d0c27
- SHA256
- f65b21b931d79402fdbf560fbba21b146f78c12887ed4881a2cfbbbd54c120e1
-
Mono.Cecil.dll
- Size
- 274KiB (280576 bytes)
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 6d6292bc8e698e53e69556add6f62442
- SHA1
- fab26eb07adab421797689da27ad754aa1c31810
- SHA256
- 0f6465ce57a0cbabc37013c8e3c9f110672de1c127b6192177d59eb1c7809772
-
System.Data.SQLite.dll.config
- Size
- 736B (736 bytes)
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 8ab01db32f56322275cbd0864feb5d55
- SHA1
- cbdb70f5fc04485af0d09ef7484faa7f8b3047bb
- SHA256
- cde00e0a0f52ed121d52c17338da42ffd9656d4f81a76df2dceda05c88f783ef
-
definitions.db
- Size
- 48KiB (49152 bytes)
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 9a0ef18b4b3dec9b34d0405f58b6b85a
- SHA1
- f5bfdf37097880b9f8b079284c63f9a0e82cb81a
- SHA256
- d31e09b987c00c3a117cab1620a83b5b0316fc17491e9d3663caa93704052c76
-
imobiledevice.dll
- Size
- 152KiB (155648 bytes)
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 3b23cfd2413d07e6bcc0d25799a4cd5c
- SHA1
- cfb1171f3c26d1dfd55e830555af16e684ee0f31
- SHA256
- 8a5e19cc5375cd16d1edb019d154e71c2b8d0dfd3d9a062c0f64eee672ec7b91
-
libcharset.dll
- Size
- 9.5KiB (9728 bytes)
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- dfb4e08eb2b9ce521217bd9deb61e098
- SHA1
- c1169de5360d40e1ed9ed8e2bac7724329181aeb
- SHA256
- 5a633afebbceee414b7a237648da47c58b2d63472b40073553248d5d4a9b5e71
-
libcurl.dll
- Size
- 442KiB (452096 bytes)
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- af1eff64bb5a3a8e596535d90de4f962
- SHA1
- a142d91f8f995cba058b153780f4aa6ceb95de9e
- SHA256
- 697d746933b3df49170240704c49aa22da1a23e5c88231d67fb47cbf4f664820
-
libiconv.dll
- Size
- 915KiB (936960 bytes)
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 5ac04a19742697a45af58fd258aadde8
- SHA1
- dea81a871e3c1bfc1ea2acebabf1fea8b88dc767
- SHA256
- 18fcce3ae1974133191128397710d94c8cfa040dd3326d27b47d1a61cd34add2
-
lzma.dll
- Size
- 127KiB (130048 bytes)
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 8077700d7f8353d3b70ac71d8cdf0e72
- SHA1
- 007f57c586ba7aece5fe7900fc3b5ac7d422a5f2
- SHA256
- 7520fba7df42f147b6e0364b1da711186ba529e0b1f45265d3f938b8aa4a00b9
-
usbmuxd.dll
- Size
- 32KiB (32768 bytes)
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 473d6cb4f7837c847d5b6c90b3b096e7
- SHA1
- a195b3cee9cc5b8cadb770468b1eb843678b0965
- SHA256
- 18276284b825db13623558b546f352e74d1451657085f9ff17eb7bd0d5a215a3
-
zlib1.dll
- Size
- 73KiB (74752 bytes)
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 8a31caad0d8637f6c4ea6b5e3725b50a
- SHA1
- 390e3c83b1acd0af3975639e8d544ddfad65182b
- SHA256
- 28885fef41e32898ba99165a5c0336b88a605552c75591cf63f2a3b44730ea40
-
getopt.dll
- Size
- 18KiB (17920 bytes)
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 84543c0a6f446a2ba8a90bebba550ec4
- SHA1
- bb571e0bcad08087117281bbd236e608b9c8e27c
- SHA256
- 21dddf9bf26af23c19c7df777e0270df50ce0e24bdb12975f2241197863d0dd0
-
irecovery.dll
- Size
- 46KiB (47104 bytes)
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 02c360b0cbc6aa9c554d790115a75c8a
- SHA1
- 06d2ddd8497e648932aba8f505bff8c4321b1de7
- SHA256
- f0d7a7dbfc01eb5ef86ccdc39190280874b3a56edd4f44d2566abe9aad436e3a
-
libcrypto-1_1.dll
- Size
- 2.5MiB (2571264 bytes)
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 55f20c7e70763c71ade5d7b22e6e4f05
- SHA1
- 13579d7b2752c1f5794ca435e6f75983f2451393
- SHA256
- 3960b91dafc276aaf2630f73dfba3353247e73201522d3c644bf58c9d7acafd4
-
libusb-1.0.dll
- Size
- 165KiB (168960 bytes)
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 007fcb8693852853ff35ed3293b2e673
- SHA1
- 46ca887ac46065fe4d3d9a9e5e0bee94d88a3a3d
- SHA256
- 0678a2ff1caf38ed5b2ff75d7bebe3fe547c6c8fc41ecd3c90453b0e770ee4da
-
pcre.dll
- Size
- 342KiB (349696 bytes)
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- 611f331ef0ed18325cdc2c2b4518fed4
- SHA1
- 8f5c22edbf0e431d8853e465537dafc07bb66772
- SHA256
- c989fdf7de3404b6961ec5fe12d70d2b3bd1220ff9d97da74d36bfe6708cfd61
-
pthreadVC3.dll
- Size
- 64KiB (65536 bytes)
- Runtime Process
- Update.exe (PID: 3532)
- MD5
- c34168ad7031eb281195377b95d31d66
- SHA1
- edc0679d38efa9b6443d9436a706c123fd6958da
- SHA256
- 35cb339b6dabfec731a9ac7a2c2f7a026f30ee10657962a091a62eee181f4185
-
Notifications
-
Runtime
- Network whitenoise filtering was applied
- Not all sources for indicator ID "api-1" are available in the report
- Not all sources for indicator ID "api-11" are available in the report
- Not all sources for indicator ID "api-12" are available in the report
- Not all sources for indicator ID "api-47" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "binary-1" are available in the report
- Not all sources for indicator ID "binary-16" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "network-32" are available in the report
- Not all sources for indicator ID "static-0" are available in the report
- Not all sources for indicator ID "static-18" are available in the report
- Not all sources for indicator ID "static-6" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Some low-level data is hidden, as this is only a slim report