G9SP_Configurator_v2.10.1125.exe
This report was generated from a file or URL submitted to this web service on October 29th 2018 12:50:53 (UTC), using the "Heavy Anti-Evasion" action script.
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v8.20 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access: Reads terminal service related keys (often RDP related)
- Persistence: Writes data to a remote process
- Fingerprint: Queries kernel debugger information; Reads the active computer name; Reads the cryptographic machine GUID
- Evasive: Marks file for deletion
Context from the rest of this report: the "remote process" written to is the sample's own child, "G9SP_Configurator_v2.10.1125.exe -deleter" (PID 2632), the only other process in the analysis; the dropped executables and temporary files sit under the InstallShield runtime directory (%COMMONPROGRAMFILES%\InstallShield\Professional\RunTime\10\50\Intel32) and an InstallShield package layout (Disk1\setup.exe, data1.cab, engine32.cab, setup.inx); no relevant DNS, host or HTTP activity was recorded (network whitenoise filtering was applied); and 0/66 antivirus engines flag the sample. Weigh the indicators below against that installer context rather than reading any one of them as a verdict.
Indicators
Not all malicious and suspicious indicators are displayed in this report.

Malicious Indicators 2

Installation/Persistence
Drops a Windows autorun file
- details
- "autorun.inf" has type "Microsoft Windows Autorun file ASCII text with CRLF line terminators"
- source
- Binary File
- relevance
- 5/10
- ATT&CK ID
- T1091 (Replication Through Removable Media)
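The report records only that Disk1\autorun.inf is a 31-byte "Microsoft Windows Autorun file" and maps it to T1091; it does not show what the file would launch, which is the question a practitioner has to answer before treating the indicator as meaningful. The following is an added example (not code from the report or from Hybrid Analysis) that parses an autorun.inf, lists the directives that run a program (open=, shellexecute=, shell\<verb>\command=) and checks each launch target against the Disk1 file list the report does show. The two autorun.inf texts inside it are constructed for illustration and are not the file from the report.

```python
"""Added example (not from the report or from Hybrid Analysis): triage the
[autorun] section of a dropped autorun.inf.

DISK1_FILES is the Disk1 file list the report shows. SAMPLE_INSTALLER and
SAMPLE_SUSPICIOUS are constructed inputs, not the 31-byte file from the
report (whose contents are not published)."""
import configparser
import ntpath

# Files the report shows being created under %TEMP%\byeD1E2.tmp\Disk1\.
DISK1_FILES = {
    "autorun.inf", "data1.cab", "data1.hdr", "engine32.cab", "layout.bin",
    "setup.exe", "setup.ibt", "setup.ini", "setup.inx",
}

# Constructed sample 1: the shape of an installer CD/USB autorun file.
SAMPLE_INSTALLER = "[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\n"

# Constructed sample 2: directives that would run something not in Disk1.
SAMPLE_SUSPICIOUS = (
    "[AutoRun]\r\n"
    "shellexecute=hidden\\update.exe /silent\r\n"
    "shell\\open\\command=hidden\\update.exe\r\n"
    "UseAutoPlay=1\r\n"
)


def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys.

    The section name is matched case-insensitively, duplicate keys are
    tolerated (last one wins) and no value interpolation is performed,
    so '%' in a path cannot blow up the parse."""
    cp = configparser.RawConfigParser(
        delimiters=("=",), allow_no_value=True, strict=False)
    cp.optionxform = str.lower
    cp.read_string(text)
    for name in cp.sections():
        if name.lower() == "autorun":
            return {k: (v or "").strip() for k, v in cp.items(name)}
    return {}


def launch_targets(directives):
    """Return {directive: basename of the program it would run}."""
    targets = {}
    for key, val in directives.items():
        runs_code = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if runs_code and val:
            # first whitespace-separated token is the program, rest are args;
            # ntpath because autorun targets are Windows paths
            targets[key] = ntpath.basename(val.split()[0]).lower()
    return targets


def triage_autorun(text, dropped=DISK1_FILES):
    """Return (targets, missing, findings) for one autorun.inf text.

    `missing` lists launch targets that are not among the dropped files,
    i.e. the autorun would try to run something the package did not ship."""
    d = parse_autorun(text)
    targets = launch_targets(d)
    missing = sorted({t for t in targets.values() if t not in dropped})
    findings = [f"{k}= runs {v}" for k, v in targets.items()]
    if d.get("useautoplay") == "1":
        findings.append("UseAutoPlay=1 asks for the AutoPlay prompt")
    return targets, missing, findings


if __name__ == "__main__":
    for label, text in (("installer", SAMPLE_INSTALLER),
                        ("suspicious", SAMPLE_SUSPICIOUS)):
        targets, missing, findings = triage_autorun(text)
        print(label, targets, "missing:", missing)
        for finding in findings:
            print("  ", finding)
```

The installer-shaped sample resolves to a single launch target that exists in Disk1; the constructed second sample resolves to a program the package never dropped, which is the case worth escalating.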

Writes data to a remote process
- details
- "G9SP_Configurator_v2.10.1125.exe" wrote 1500 bytes to a remote process "C:\G9SP_Configurator_v2.10.1125.exe" (Handle: 316)
- "G9SP_Configurator_v2.10.1125.exe" wrote 4 bytes to a remote process "C:\G9SP_Configurator_v2.10.1125.exe" (Handle: 316)
- "G9SP_Configurator_v2.10.1125.exe" wrote 32 bytes to a remote process "C:\G9SP_Configurator_v2.10.1125.exe" (Handle: 316)
- "G9SP_Configurator_v2.10.1125.exe" wrote 52 bytes to a remote process "C:\G9SP_Configurator_v2.10.1125.exe" (Handle: 316)
- source
- API Call
- relevance
- 6/10
- ATT&CK ID
- T1055 (Process Injection)
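The T1055 hit above is four writes (1500, 4, 32 and 52 bytes) from G9SP_Configurator_v2.10.1125.exe (PID 2336) into a process with the same image path; the process list later in this report shows that the only other process is its own child, PID 2632, started as "G9SP_Configurator_v2.10.1125.exe -deleter". A detection that fires on "wrote to a remote process" alone will alert on every installer that spawns a copy of itself. The following added example (not code from the report or from Hybrid Analysis) scores such writes with the context a detection engineer would add first: whether the target runs the same image, whether it is the writer's child, whether it is a sensitive system process, and how much was written. The event records are constructed to mirror the report's writes plus one contrasting write into explorer.exe that the report does not contain; field names follow Sysmon's ProcessCreate / ProcessAccess events, and the parent PID 1000 and the explorer.exe PID 1480 are made up.

```python
"""Added example (not from the report or from Hybrid Analysis): score
"wrote data to a remote process" events with parent/child and image
context before alerting on T1055.

The four writes from PID 2336 into PID 2632 and both command lines come
from the report; the parent PID 1000, the explorer.exe process and the
70000-byte write into it are constructed for contrast."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessCreate:          # Sysmon event 1 fields used here
    pid: int
    image: str
    command_line: str
    parent_pid: int


@dataclass(frozen=True)
class RemoteWrite:            # one WriteProcessMemory-style observation
    source_pid: int
    target_pid: int
    nbytes: int


# Processes whose memory a user-level installer has no business writing.
SENSITIVE_IMAGES = {"explorer.exe", "svchost.exe", "lsass.exe",
                    "winlogon.exe", "csrss.exe", "services.exe"}
PAYLOAD_BYTES = 64 * 1024      # writes this large start to look like a payload
ALERT_THRESHOLD = 50


def score_remote_writes(creates, writes):
    """Return {target_pid: {"score", "verdict", "reasons", "bytes", "source"}}.

    All writes to one target are folded into a single entry, so a 4-byte
    and a 1500-byte write into the same process are judged together."""
    procs = {p.pid: p for p in creates}
    out = {}
    for w in writes:
        entry = out.setdefault(w.target_pid, {"bytes": 0, "source": w.source_pid})
        entry["bytes"] += w.nbytes
    for tpid, entry in out.items():
        src, tgt = procs.get(entry["source"]), procs.get(tpid)
        reasons, score = [], 0
        if src is None or tgt is None:
            score += 30
            reasons.append("source or target process was not seen being created")
        else:
            src_name = src.image.rsplit("\\", 1)[-1].lower()
            tgt_name = tgt.image.rsplit("\\", 1)[-1].lower()
            if src.image.lower() != tgt.image.lower():
                score += 50
                reasons.append(f"cross-image write {src_name} -> {tgt_name}")
            if tgt.parent_pid != src.pid:
                score += 30
                reasons.append("target is not a child of the writer")
            else:
                reasons.append(f"target is the writer's own child: {tgt.command_line}")
            if tgt_name in SENSITIVE_IMAGES:
                score += 40
                reasons.append(f"target {tgt_name} is a sensitive system process")
        if entry["bytes"] >= PAYLOAD_BYTES:
            score += 20
            reasons.append(f"{entry['bytes']} bytes written, payload-sized")
        entry["score"] = score
        entry["reasons"] = reasons
        entry["verdict"] = "investigate" if score >= ALERT_THRESHOLD else "low"
    return out


# Constructed event set: the report's own write pattern plus one contrast.
IMAGE = r"C:\G9SP_Configurator_v2.10.1125.exe"
CREATES = [
    ProcessCreate(2336, IMAGE, f'"{IMAGE}"', 1000),                        # report; parent PID assumed
    ProcessCreate(2632, IMAGE, f'"{IMAGE}" -deleter', 2336),               # report
    ProcessCreate(1480, r"C:\Windows\explorer.exe", "explorer.exe", 1000),  # constructed
]
WRITES = [RemoteWrite(2336, 2632, n) for n in (1500, 4, 32, 52)]         # report
WRITES.append(RemoteWrite(2336, 1480, 70000))                             # constructed contrast


if __name__ == "__main__":
    for tpid, r in score_remote_writes(CREATES, WRITES).items():
        print(tpid, r["verdict"], r["score"], "; ".join(r["reasons"]))
```

The report's own pattern scores 0: same image, writer's child, 1588 bytes in total. The constructed write into explorer.exe scores 140 and is the case the rule should surface; the child's command line ("-deleter") is carried into the reasons so an analyst can confirm the self-spawn without pulling the raw events.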

Suspicious Indicators 16

Anti-Detection/Stealthiness
Queries kernel debugger information
- details
- "G9SP_Configurator_v2.10.1125.exe" at 00031335-00002632-00000105-18492498841
- source
- API Call
- relevance
- 6/10

Environment Awareness
Reads the active computer name
- details
- "G9SP_Configurator_v2.10.1125.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source
- Registry Access
- relevance
- 5/10
- ATT&CK ID
- T1012 (Query Registry)

Reads the cryptographic machine GUID
- details
- "G9SP_Configurator_v2.10.1125.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012 (Query Registry)

External Systems
Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details
- 1/67 reputation engines marked "http://www.installengine.com" as malicious (1% detection rate)
- source
- External System
- relevance
- 10/10

General
Reads configuration files
- details
- "G9SP_Configurator_v2.10.1125.exe" read file "%TEMP%\ISPackFiles.ini"
- "G9SP_Configurator_v2.10.1125.exe" read file "%TEMP%\byeD1E2.tmp\Disk1\setup.ini"
- "G9SP_Configurator_v2.10.1125.exe" read file "%TEMP%\issD2BF.tmp\setup.ini"
- source
- API Call
- relevance
- 4/10

Installation/Persistence
Drops executable files
- details
- "isrtcc1.rra" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "temp.000" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 10/10

Remote Access Related
Reads terminal service related keys (often RDP related)
- details
- "G9SP_Configurator_v2.10.1125.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1076 (Remote Desktop Protocol)

System Destruction
Marks file for deletion
- details
- "C:\G9SP_Configurator_v2.10.1125.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\byeD1E2.tmp" for deletion
- "C:\G9SP_Configurator_v2.10.1125.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\issD2BF.tmp" for deletion
- "C:\G9SP_Configurator_v2.10.1125.exe" marked "%COMMONPROGRAMFILES%\InstallShield\Professional\RunTime\10\50\Intel32\ispD479.tmp" for deletion
- "C:\G9SP_Configurator_v2.10.1125.exe" marked "C:\Program Files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\setD484.tmp" for deletion
- "C:\G9SP_Configurator_v2.10.1125.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\ispD51B.tmp" for deletion
- "C:\G9SP_Configurator_v2.10.1125.exe" marked "C:\Program Files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\ispD51C.tmp" for deletion
- "C:\G9SP_Configurator_v2.10.1125.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\igdD531.tmp" for deletion
- "C:\G9SP_Configurator_v2.10.1125.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\_seD55A.tmp" for deletion
- "C:\G9SP_Configurator_v2.10.1125.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\skind585.rra" for deletion
- "C:\G9SP_Configurator_v2.10.1125.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\skinf95a.rra" for deletion
- "C:\G9SP_Configurator_v2.10.1125.exe" marked "C:\Program Files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\iKe65F.tmp" for deletion
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1107 (File Deletion)

Opens file with deletion access rights
- details
- "G9SP_Configurator_v2.10.1125.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\_isdelet.ini" with delete access
- "G9SP_Configurator_v2.10.1125.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\ISPackFiles.ini" with delete access
- "G9SP_Configurator_v2.10.1125.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\byeD1E2.tmp" with delete access
- "G9SP_Configurator_v2.10.1125.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\issD2BF.tmp" with delete access
- "G9SP_Configurator_v2.10.1125.exe" opened "%COMMONPROGRAMFILES%\InstallShield\Professional\RunTime\10\50\Intel32\ispD479.tmp" with delete access
- "G9SP_Configurator_v2.10.1125.exe" opened "C:\Program Files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\setD484.tmp" with delete access
- "G9SP_Configurator_v2.10.1125.exe" opened "C:\Program Files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\ispD479.tmp\temp.000" with delete access
- "G9SP_Configurator_v2.10.1125.exe" opened "C:\Program Files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\setup.dll" with delete access
- "G9SP_Configurator_v2.10.1125.exe" opened "C:\Program Files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\ispD479.tmp\setup.dll" with delete access
- "G9SP_Configurator_v2.10.1125.exe" opened "C:\Program Files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\ispD479.tmp\" with delete access
- "G9SP_Configurator_v2.10.1125.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\ispD51B.tmp" with delete access
- "G9SP_Configurator_v2.10.1125.exe" opened "C:\Program Files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\ispD51C.tmp" with delete access
- "G9SP_Configurator_v2.10.1125.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\igdD531.tmp" with delete access
- "G9SP_Configurator_v2.10.1125.exe" opened "C:\Program Files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\ispD51C.tmp\temp.000" with delete access
- "G9SP_Configurator_v2.10.1125.exe" opened "C:\Program Files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\iGdi.dll" with delete access
- "G9SP_Configurator_v2.10.1125.exe" opened "C:\Program Files\Common Files\InstallShield\Professional\RunTime\10\50\Intel32\ispD51C.tmp\iGdi.dll" with delete access
- source
- API Call
- relevance
- 7/10

Unusual Characteristics
Imports suspicious APIs
- details
- RegOpenKeyA, RegCloseKey, OpenProcessToken, RegOpenKeyExA, GetFileAttributesA, GetTempPathA, WriteFile, CopyFileA, GetModuleFileNameA, LoadLibraryExA, UnhandledExceptionFilter, TerminateProcess, CreateThread, GetTickCount, VirtualProtect, GetVersionExA, LoadLibraryA, ExitThread, GetStartupInfoA, GetFileSize, CreateDirectoryA, DeleteFileA, GetProcAddress, FindFirstFileA, GetTempFileNameA, CreateFileMappingA, CreateFileA, LockResource, GetCommandLineA, MapViewOfFile, GetModuleHandleA, Sleep, FindResourceA, VirtualAlloc, ShellExecuteExA, FindWindowA, FindNextFileA
- source
- Static Parser
- relevance
- 1/10
Installs hooks/patches the running process
- details
- "G9SP_Configurator_v2.10.1125.exe" wrote bytes "4053f3765858f476186af476653cf5760000000000bf15760000000056cc1576000000007cca157600000000376816756a2cf576d62df57600000000206916750000000029a6157600000000a48d167500000000f70e157600000000" to virtual address "0x77041000" (part of module "NSI.DLL")
- source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179 (Hooking)
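The entry above records a 92-byte write to 0x77041000 inside NSI.DLL and the hex of what was written, but not what the bytes are, and "hook" covers two very different things: an inline trampoline patched over a function, or a table of function pointers being filled in. The following added example (not code from the report or from Hybrid Analysis) decodes the report's hex as 32-bit little-endian values, counts how many are NULL or fall where a 32-bit Windows process maps system DLLs, and checks the first bytes against the opcode patterns inline hooks usually start with. The DLL address range is an assumption for illustration (the report gives no module bases for NSI.DLL; a real triage would take them from the sandbox's loaded-module list), and the jmp-stub sample used for contrast is constructed.

```python
"""Added example (not from the report or from Hybrid Analysis): tell a
pointer table apart from an inline hook stub in bytes written into a
loaded module.

WRITTEN_HEX and WRITE_ADDRESS are copied from the report entry above.
DLL_RANGE is an assumed bound for system DLLs in a 32-bit Windows 7 user
process, and HOOK_STUB_HEX is a constructed contrast, not from the report."""
import struct

# Copied from the report entry above (23 dwords, 92 bytes).
WRITTEN_HEX = (
    "4053f3765858f476186af476653cf5760000000000bf15760000000056cc1576"
    "000000007cca157600000000376816756a2cf576d62df5760000000020691675"
    "0000000029a6157600000000a48d167500000000f70e157600000000"
)
WRITE_ADDRESS = 0x77041000

# Assumed region for system DLLs in a 32-bit Windows 7 user process.
DLL_RANGE = (0x6F000000, 0x7FFEFFFF)

# Constructed: a "jmp rel32" stub of the kind an inline hook writes.
HOOK_STUB_HEX = "e9fb0f0000"


def decode_dwords(hexstr):
    """Interpret the hex string as little-endian 32-bit values."""
    data = bytes.fromhex(hexstr)
    if len(data) % 4:
        raise ValueError("write length is not a multiple of 4")
    return list(struct.unpack("<%dI" % (len(data) // 4), data))


def starts_like_hook_stub(data):
    """True if the bytes begin with a common inline-hook trampoline:
    jmp rel32, jmp [abs32], push imm32 / ret, or mov eax,imm32 / jmp eax."""
    return (
        data[:1] == b"\xe9"
        or data[:2] == b"\xff\x25"
        or (data[:1] == b"\x68" and data[5:6] == b"\xc3")
        or (data[:1] == b"\xb8" and data[5:7] == b"\xff\xe0")
    )


def classify_write(hexstr, address, dll_range=DLL_RANGE):
    """Summarise the shape of the written bytes.

    pointer_table is set when the write is dword-aligned, every value is
    NULL or a DLL-range address, at least four are addresses, and the
    data does not open with a trampoline opcode."""
    lo, hi = dll_range
    data = bytes.fromhex(hexstr)
    vals = decode_dwords(hexstr)
    nulls = sum(1 for v in vals if v == 0)
    dll_ptrs = sum(1 for v in vals if v and lo <= v <= hi)
    other = len(vals) - nulls - dll_ptrs
    stub = starts_like_hook_stub(data)
    table_like = address % 4 == 0 and other == 0 and dll_ptrs >= 4
    return {
        "dwords": len(vals),
        "null": nulls,
        "dll_pointers": dll_ptrs,
        "other": other,
        "hook_stub": stub,
        "pointer_table": table_like and not stub,
    }


if __name__ == "__main__":
    print(classify_write(WRITTEN_HEX, WRITE_ADDRESS))
    for v in decode_dwords(WRITTEN_HEX):
        print(f"0x{v:08x}")
    print(classify_write(HOOK_STUB_HEX + "000000", WRITE_ADDRESS))
```

On the report's bytes every one of the 23 values is either NULL (9) or an address in the assumed DLL range (14), and the data does not open with a trampoline opcode; that is the shape of a function-pointer table being populated rather than of code being patched over a function, which is worth knowing before the "hook" label is escalated.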
Reads information about supported languages
- details
- "G9SP_Configurator_v2.10.1125.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012 (Query Registry)

Hiding 4 Suspicious Indicators (available only in the private webservice or standalone version)
Informative 15

Environment Awareness
Reads the registry for installed applications
- details
- "G9SP_Configurator_v2.10.1125.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{14C459E3-0ECB-4CC3-B85F-E3F6F54B805F}")
- "G9SP_Configurator_v2.10.1125.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{14C459E3-0ECB-4CC3-B85F-E3F6F54B805F}")
- "G9SP_Configurator_v2.10.1125.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL")
- "G9SP_Configurator_v2.10.1125.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADDRESSBOOK")
- "G9SP_Configurator_v2.10.1125.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ADOBE FLASH PLAYER NPAPI")
- "G9SP_Configurator_v2.10.1125.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\AUTOITV3")
- "G9SP_Configurator_v2.10.1125.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CONNECTION MANAGER")
- "G9SP_Configurator_v2.10.1125.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DIRECTDRAWEX")
- "G9SP_Configurator_v2.10.1125.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\DXM_RUNTIME")
- "G9SP_Configurator_v2.10.1125.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\FONTCORE")
- "G9SP_Configurator_v2.10.1125.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IE40")
- "G9SP_Configurator_v2.10.1125.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IE4DATA")
- "G9SP_Configurator_v2.10.1125.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IE5BAKEX")
- "G9SP_Configurator_v2.10.1125.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA")
- "G9SP_Configurator_v2.10.1125.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA0")
- "G9SP_Configurator_v2.10.1125.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA1")
- "G9SP_Configurator_v2.10.1125.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA10")
- "G9SP_Configurator_v2.10.1125.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA100")
- "G9SP_Configurator_v2.10.1125.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA101")
- "G9SP_Configurator_v2.10.1125.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IEDATA102")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012 (Query Registry)

External Systems
Sample was identified as clean by Antivirus engines
- details
- 0/66 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10

General
Creates a writable file in a temporary directory
- details
- "G9SP_Configurator_v2.10.1125.exe" created file "%TEMP%\ISPackFiles.ini"
- "G9SP_Configurator_v2.10.1125.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\byeD1E2.tmp\Disk1\autorun.inf"
- "G9SP_Configurator_v2.10.1125.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\byeD1E2.tmp\Disk1\data1.cab"
- "G9SP_Configurator_v2.10.1125.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\byeD1E2.tmp\Disk1\data1.hdr"
- "G9SP_Configurator_v2.10.1125.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\byeD1E2.tmp\Disk1\engine32.cab"
- "G9SP_Configurator_v2.10.1125.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\byeD1E2.tmp\Disk1\layout.bin"
- "G9SP_Configurator_v2.10.1125.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\byeD1E2.tmp\Disk1\setup.exe"
- "G9SP_Configurator_v2.10.1125.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\byeD1E2.tmp\Disk1\setup.ibt"
- "G9SP_Configurator_v2.10.1125.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\byeD1E2.tmp\Disk1\setup.ini"
- "G9SP_Configurator_v2.10.1125.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\byeD1E2.tmp\Disk1\setup.inx"
- source
- API Call
- relevance
- 1/10
Creates mutants
- details
- "\Sessions\1\BaseNamedObjects\14C459E3-0ECB-4CC3-B85F-E3F6F54B805F"
- source
- Created Mutant
- relevance
- 3/10
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "iKernel.rgs" as clean (type is "ASCII text with CRLF line terminators")
- Antivirus vendors marked dropped file "isrtcc1.rra" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- Antivirus vendors marked dropped file "temp.000" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- source
- Binary File
- relevance
- 10/10
Loads rich edit control libraries
- details
- "G9SP_Configurator_v2.10.1125.exe" loaded module "%WINDIR%\System32\riched32.dll" at 71EB0000
- "G9SP_Configurator_v2.10.1125.exe" loaded module "%WINDIR%\System32\riched20.dll" at 6F0D0000
- source
- Loaded Module
- ATT&CK ID
- T1179 (Hooking)

Process launched with changed environment
- details
- Process "G9SP_Configurator_v2.10.1125.exe" (Show Process) was launched with new environment variables: "__COMPAT_LAYER="VistaSetup""
- source
- Monitored Target
- relevance
- 10/10
Spawns new processes
- details
- Spawned process "G9SP_Configurator_v2.10.1125.exe" with commandline "-deleter" (Show Process)
- source
- Monitored Target
- relevance
- 3/10
Spawns new processes that are not known child processes
- details
- Spawned process "G9SP_Configurator_v2.10.1125.exe" with commandline "-deleter" (Show Process)
- source
- Monitored Target
- relevance
- 3/10

Installation/Persistence
Connects to LPC ports
- details
- "G9SP_Configurator_v2.10.1125.exe" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
Dropped files
- details
- "setup.inx" has type "data"
- "autorun.inf" has type "Microsoft Windows Autorun file ASCII text with CRLF line terminators"
- "layout.bin" has type "data"
- "iKernel.rgs" has type "ASCII text with CRLF line terminators"
- "igdD531.tmp" has type "MS Compress archive data"
- "_seD55A.tmp" has type "MS Compress archive data"
- "setD484.tmp" has type "MS Compress archive data"
- "setup.ibt" has type "data"
- "skind585.rra" has type "ASCII text with CRLF line terminators"
- "corec99.rra" has type "ASCII text with CRLF line terminators"
- "setup.isn" has type "Atari MSA archive data 53900 sectors per track starting track: 22332 ending track: 3470"
- "Fontca3.rra" has type "ASCII text with CRLF line terminators"
- "ISPackFiles.ini" has type "data"
- "setuc53.rra" has type "data"
- "isrtcc1.rra" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "setup.ini" has type "ASCII text with CRLF line terminators"
- "defacdf.rra" has type "RIFF (little-endian) data palette version 1028 0 entries"
- "temp.000" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "5802db7b1ed595d85d675129b2565f37_e47c61d2-1dae-480e-827a-ae8d797649df" has type "data"
- source
- Binary File
- relevance
- 3/10
Touches files in the Windows directory
- details
- "G9SP_Configurator_v2.10.1125.exe" touched file "%WINDIR%\AppPatch\sysmain.sdb"
- "G9SP_Configurator_v2.10.1125.exe" touched file "%WINDIR%\AppPatch\AcSpecfc.dll"
- "G9SP_Configurator_v2.10.1125.exe" touched file "%WINDIR%\AppPatch\AcLayers.dll"
- "G9SP_Configurator_v2.10.1125.exe" touched file "%WINDIR%\AppPatch\AcGenral.dll"
- "G9SP_Configurator_v2.10.1125.exe" touched file "%WINDIR%\System32\en-US\setupapi.dll.mui"
- "G9SP_Configurator_v2.10.1125.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
- source
- API Call
- relevance
- 7/10

Network Related
Found potential URL in binary/memory
- details
- Pattern match: "http://www.installengine.com/oci_range_check.txt"
- Heuristic match: "omrg9spusb.cat"
- Pattern match: "http://deviis4.installshield.com/NetNirvana/"
- Heuristic match: "kG= vl.MR"
- Heuristic match: "DG4+ch.SG"
- Heuristic match: "r+%*~.aR"
- Heuristic match: "Gi<H,,p|.Pa"
- Pattern match: "http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d"
- source
- File/Memory
- relevance
- 10/10

System Security
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "G9SP_Configurator_v2.10.1125.exe" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215 (Kernel Modules and Extensions)

Unusual Characteristics
Matched Compiler/Packer signature
- details
- "isrtcc1.rra" was detected as "Armadillo v1.xx - v2.xx"
- "temp.000" was detected as "Armadillo v1.xx - v2.xx"
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1002 (Data Compressed)

File Details
G9SP_Configurator_v2.10.1125.exe
- Filename
- G9SP_Configurator_v2.10.1125.exe
- Size
- 43MiB (45552442 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- c2f77c1cfd04199d00bbfa98b9ab65075306fd31181b3823ed9a24d87efa2daf
- MD5
- 78abeced0e4d6b5c2571943decbb76ae
- SHA1
- a69bf3fda7ddf5e0ac705cf29ede1ae0b3af419c
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
- G9SP_Configurator_v2.10.1125.exe (PID: 2336)
- G9SP_Configurator_v2.10.1125.exe -deleter (PID: 2632)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
Displaying 20 extracted file(s). The remaining 14 file(s) are available in the full version and XML/JSON reports.

Clean 1
iKernel.rgs
- Size
- 33KiB (34186 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- AV Scan Result
- 0/55
- MD5
- ed554e2481d8a311aeebb9c9e06f7aca
- SHA1
- 4dc598090b7afd2b9d032d8ae6b94749376fb9af
- SHA256
- a3c4825e42ad0f81385fc8cefc25a053a7909f0f039fd3b8d41f8467a89f735e

Informative 19
5802db7b1ed595d85d675129b2565f37_e47c61d2-1dae-480e-827a-ae8d797649df
- Size
- 79B (79 bytes)
- Type
- data
- Runtime Process
- G9SP_Configurator_v2.10.1125.exe (PID: 2632)
- MD5
- 96279abce668a3cf6bb5cb39bb401c99
- SHA1
- 07e0fbf732920639445a4aab46891e7d87977ab3
- SHA256
- b302ff5b8a1503443d9e91717bf8bfc1451c1e73a35584222cb32bf40cb76ed0
-
setD484.tmp
- Size
- 173KiB (177459 bytes)
- Type
- data
- Description
- MS Compress archive data
- Runtime Process
- G9SP_Configurator_v2.10.1125.exe (PID: 2632)
- MD5
- cd0af02a64a5af90e3ff32f06ca940b5
- SHA1
- 39f612aff2fa220f3acfbaf9b4213b18c78d79a6
- SHA256
- 6769c52cecf36828197f19ebaf3f9934d6cd8e2e2ceba6e811280efd3381f8bd
-
ISPackFiles.ini
- Size
- 917B (917 bytes)
- Type
- data
- Runtime Process
- G9SP_Configurator_v2.10.1125.exe (PID: 2632)
- MD5
- eb59c902d139860f1059f12f3e81e852
- SHA1
- 0939d6fa3c2b404873ecd09133f7a533ee7b336c
- SHA256
- 9b1f9e692fd67321718698b8a1b92c91cd0d1a2348b0e6ee5d2cc961ac5089e9
-
_seD55A.tmp
- Size
- 42KiB (43487 bytes)
- Type
- data
- Description
- MS Compress archive data
- Runtime Process
- G9SP_Configurator_v2.10.1125.exe (PID: 2632)
- MD5
- 0a9c3a5c372f278748765f74df616002
- SHA1
- 74c0d0a0d965dff96f7c1bde0b19cb92ccb63f96
- SHA256
- e568ce94901c3c0944eff763195926634b1d65e20bb3989b37b70f3359806f69
-
autorun.inf
- Size
- 31B (31 bytes)
- Type
- text
- Description
- Microsoft Windows Autorun file, ASCII text, with CRLF line terminators
- Runtime Process
- G9SP_Configurator_v2.10.1125.exe (PID: 2632)
- MD5
- c07dab9aac81b03af3400b6fd5201475
- SHA1
- 9a82e50525b2835acb63ba34e9c412c2e0382dbe
- SHA256
- e67065072b9e4bcf7e78347fe351e7abd25909e905133c31571dcd522b4b1c7a
-
data1.cab
- Size
- 565KiB (578128 bytes)
- Runtime Process
- G9SP_Configurator_v2.10.1125.exe (PID: 2632)
- MD5
- a34ca8eddda5ad440c60429e39b4945a
- SHA1
- 7006bf1944637ba48ab397b93d61fcb01d87c78e
- SHA256
- 2a847c9c8603299ba5731287552e633b0ae91b8ddbd3989a5a7b657a95664759
-
data1.hdr
- Size
- 96KiB (98483 bytes)
- Runtime Process
- G9SP_Configurator_v2.10.1125.exe (PID: 2632)
- MD5
- 996fbe79723f54ed5a5d871c191a8df8
- SHA1
- 8ea01d617906789ec461be1da0f77182bac54c34
- SHA256
- 44df619631f843a9ccb9160bffa47ea8e93a61c1aec2f683049148726400f1c7
-
engine32.cab
- Size
- 459KiB (470174 bytes)
- Runtime Process
- G9SP_Configurator_v2.10.1125.exe (PID: 2632)
- MD5
- 24655802945e37e33098d96965caf99e
- SHA1
- fdce25c9dd6568b58fff3d0c30842d8e093774ab
- SHA256
- 9cf09b05e5870ce0294b2362da173ae346628512a3b80077ebd176cf9390acec
-
layout.bin
- Size
- 493B (493 bytes)
- Type
- data
- Runtime Process
- G9SP_Configurator_v2.10.1125.exe (PID: 2632)
- MD5
- d6cf46adcbdbf29070ac54bda4c93d9a
- SHA1
- ade02da3276b163320287c28cf0356ae4d64c23b
- SHA256
- 1e90e14818a04e2ec10bbc17202ecfac8240afe544b638f6ed4fbda7b1ebe261
-
setup.ibt
- Size
- 368KiB (376643 bytes)
- Type
- data
- Runtime Process
- G9SP_Configurator_v2.10.1125.exe (PID: 2632)
- MD5
- ad5cab3fe70538a702ef5033af67891b
- SHA1
- 8b84aace5588d2dd29a70d47845ac7ef50084708
- SHA256
- 2f7241efb48000c1c722c84a59b73a5e75d75e26eba81b96dd9a8cd042cbf713
-
setup.inx
- Size
- 202KiB (206871 bytes)
- Type
- data
- Runtime Process
- G9SP_Configurator_v2.10.1125.exe (PID: 2632)
- MD5
- b233ec05700eb90f9e613e41b2109824
- SHA1
- d8d85f8fbac2b476e315d11eaf23cdbaea2689f0
- SHA256
- cf97c6e58a30709acac13c1dc4a1c45346cd24cf1901b25c36bdc47b25e9fb2e
-
igdD531.tmp
- Size
- 112KiB (115096 bytes)
- Type
- data
- Description
- MS Compress archive data
- Runtime Process
- G9SP_Configurator_v2.10.1125.exe (PID: 2632)
- MD5
- 7517406bc1efcc19fa572683c34206f1
- SHA1
- 3d0ca25bffb226df14dc5628107fa76516a86c86
- SHA256
- 44e5eda0261b7d34793a879e3f3483accf6e1bf4cf3862ec7dd8f368910ed081
-
temp.000
- Size
- 144KiB (147456 bytes)
- Runtime Process
- G9SP_Configurator_v2.10.1125.exe (PID: 2632)
- MD5
- aa1cc8c27e6d0935cf61829e1b81cb66
- SHA1
- a2165c4293045ad33b770050b5aea10be0eb17e4
- SHA256
- 3b9df52d83d39e58ce0d0a6cdfc44775746ee3e087686e3e1bd61b73bd6758b0
-
setup.ini
- Size
- 475B (475 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- G9SP_Configurator_v2.10.1125.exe (PID: 2632)
- MD5
- 7826bb7de6c05bf728429e25dabd86f2
- SHA1
- cb55e1bd2907095b2d617c98deab37694e388387
- SHA256
- 764d75a5acc1f0a80d3ffe0024ab7e3b981a77be8d4b58d4dd61c9c5964a62d8
-
setup.isn
- Size
- 44KiB (44941 bytes)
- Runtime Process
- G9SP_Configurator_v2.10.1125.exe (PID: 2632)
- MD5
- 13b4a6beb33353b63de31e771072cb6b
- SHA1
- ac6a74b83a528a038f7e8432b0d09ddbe1f36054
- SHA256
- 37441528c8ba2d1eb1ef5821689d689d6f95dec5febeb3d59d77689610e624e0
-
skind585.rra
- Size
- 20KiB (20614 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- G9SP_Configurator_v2.10.1125.exe (PID: 2632)
- MD5
- 3404dde4ab0beecdf433fa994899c027
- SHA1
- e164c70e4b50cd8c9be29dabfa6ec47ede39096f
- SHA256
- 8b61ed55bb996cc9d6d7ce706e702bb968152bf8f46249ab87182908e342d8a2
-
skinf95a.rra
- Size
- 20KiB (20614 bytes)
- Runtime Process
- G9SP_Configurator_v2.10.1125.exe (PID: 2632)
- MD5
- 3404dde4ab0beecdf433fa994899c027
- SHA1
- e164c70e4b50cd8c9be29dabfa6ec47ede39096f
- SHA256
- 8b61ed55bb996cc9d6d7ce706e702bb968152bf8f46249ab87182908e342d8a2
-
corec99.rra
- Size
- 64KiB (65503 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- MD5
- 09d38ceca6a012f4ce5b54f03db9b21a
- SHA1
- 01fcb72f22205e406ff9a48c5b98d7b7457d7d98
- SHA256
- f6d7bc8ca6550662166f34407968c7d3669613e50e98a4e40bec1589e74ff5d1
-
Fontca3.rra
- Size
- 39B (39 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- MD5
- 00f313e3e007599349a0c4d81c7807c4
- SHA1
- f0171f15aab836a1979d3833e46b5e59e4ea32e0
- SHA256
- 766ee687d90b0217eb41cb85aca04375bdc24db986a33536631f864b7ce1a08a

Notifications
Runtime
- Added comment to Virus Total report
- Network whitenoise filtering (Process) was applied
- No static analysis parsing on sample was performed
- Not all sources for indicator ID "api-25" are available in the report
- Not all sources for indicator ID "api-4" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-6" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "registry-55" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report