vipm-17.0.2014-windows-setup.exe
This report is generated from a file or URL submitted to this webservice on January 31st 2018 22:25:12 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v7.30 © Hybrid Analysis

Incident Response

Risk Assessment
- Persistence: Spawns a lot of processes; Writes data to a remote process
- Fingerprint: Reads the active computer name; Reads the cryptographic machine GUID
- Spreading: Opens the MountPointManager (often used to detect additional infection locations); Tries to access unusual system drive letters
- Network Behavior: Contacts 1 host

Additional Context

Related Sandbox Artifacts
- Associated URLs:
  hxxp://traffic.libsyn.com/jkinc/vipm-17.0.2014-windows-setup.exe
  hxxp://hwcdn.libsyn.com/p/9/2/8/9285038fa9f06231/vipm-17.0.2014-windows-setup.exe?c_id=17174573&expiration=1517315149&hwt=974d877c07e7456f3edc440222f6aa86
  hxxp://hwcdn.libsyn.com/p/9/2/8/9285038fa9f06231/vipm-17.0.2014-windows-setup.exe?c_id=17174573&expiration=1523350376&hwt=752c2e2a30f2ddda2735f537e3fb5f0a

Indicators
Not all malicious and suspicious indicators are displayed in this public report.
Malicious Indicators (9)

External Systems

Sample was identified as malicious by at least one Antivirus engine
- details: 1/67 Antivirus vendors marked sample as malicious (1% detection rate)
- source: External System
- relevance: 8/10

General

The analysis extracted a file that was identified as malicious
- details:
  1/61 Antivirus vendors marked dropped file "vipm-setup.msi" as malicious (classified as "Trojan.WisdomEyes.16070401.9500" with 1% detection rate)
  1/68 Antivirus vendors marked dropped file "VIPMHelperRegistryWriter.exe" as malicious (classified as "Trojan.WisdomEyes.16070401.9500" with 1% detection rate)
- source: Binary File
- relevance: 10/10

Installation/Persistence

Loads the task scheduler interface DLL
- details: "<Input Sample>" loaded module "%WINDIR%\SysWOW64\mstask.dll" at 73740000
- source: Loaded Module
- relevance: 5/10

Scans for the windows taskbar (often used for explorer injection)
- details: "<Input Sample>" searching for class "Shell_TrayWnd"
- source: API Call
- relevance: 5/10

Writes data to a remote process
- details:
  "cmd.exe" wrote 32 bytes to a remote process "%WINDIR%\SysWOW64\attrib.exe" (Handle: 120)
  "cmd.exe" wrote 52 bytes to a remote process "C:\Windows\SysWOW64\attrib.exe" (Handle: 120)
  "cmd.exe" wrote 4 bytes to a remote process "C:\Windows\SysWOW64\attrib.exe" (Handle: 120)
  "cmd.exe" wrote 8 bytes to a remote process "C:\Windows\SysWOW64\attrib.exe" (Handle: 120)
  "cmd.exe" wrote 32 bytes to a remote process "C:\Windows\SysWOW64\attrib.exe" (Handle: 132)
  "cmd.exe" wrote 52 bytes to a remote process "C:\Windows\SysWOW64\attrib.exe" (Handle: 132)
  "cmd.exe" wrote 4 bytes to a remote process "C:\Windows\SysWOW64\attrib.exe" (Handle: 132)
  "cmd.exe" wrote 8 bytes to a remote process "C:\Windows\SysWOW64\attrib.exe" (Handle: 132)
  "cmd.exe" wrote 32 bytes to a remote process "C:\Windows\SysWOW64\attrib.exe" (Handle: 124)
  "cmd.exe" wrote 52 bytes to a remote process "C:\Windows\SysWOW64\attrib.exe" (Handle: 124)
  "cmd.exe" wrote 4 bytes to a remote process "C:\Windows\SysWOW64\attrib.exe" (Handle: 124)
  "cmd.exe" wrote 8 bytes to a remote process "C:\Windows\SysWOW64\attrib.exe" (Handle: 124)
- source: API Call
- relevance: 6/10

Unusual Characteristics

Contains native function calls
- details: NtdllDefWindowProc_W@NTDLL.DLL from e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- source: Hybrid Analysis Technology
- relevance: 5/10

Spawns a lot of processes
- details:
  Spawned process "<Input Sample>"
  Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c ""%TEMP%\EXE3970.tmp.bat" ""
  Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c ""%TEMP%\EXE3B74.tmp.bat" ""
  Spawned process "attrib.exe" with commandline "ATTRIB -r "\\?\%APPDATA%\JKI\VIPM20~1.201\2F1E820\VIPM-S~1.MSI""
  Spawned process "attrib.exe" with commandline "ATTRIB -r "\\?\%APPDATA%\JKI\VIPM20~1.201\2F1E820\VIPM-S~1.MSI""
  Spawned process "attrib.exe" with commandline "ATTRIB -r "%TEMP%\EXE3970.tmp.bat""
  Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /S /D /c" del "%TEMP%\EXE3970.tmp.bat" ""
  Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /S /D /c" cls""
  Spawned process "attrib.exe" with commandline "ATTRIB -r "%TEMP%\EXE3B74.tmp.bat""
  Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /S /D /c" del "%TEMP%\EXE3B74.tmp.bat" ""
  Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /S /D /c" cls""
- source: Monitored Target
- relevance: 8/10

2 further malicious indicators are hidden (available only in the private webservice or standalone version).
Suspicious Indicators (25)

Anti-Detection/Stealthiness

Contains ability to open/control a service
- details: OpenServiceW@ADVAPI32.DLL from e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- source: Hybrid Analysis Technology
- relevance: 8/10

Queries kernel debugger information
- details: "<Input Sample>" at 00013269-00001148-00000033-62720942
- source: API Call
- relevance: 6/10

Cryptographic Related

Found a cryptographic related string
- details: "DES" (Indicator: "des"; File: "ResourceCleaner.dll.3748607311")
- source: File/Memory
- relevance: 10/10

Environment Awareness

Contains ability to query CPU information
- details:
  cpuid (8 occurrences)
  cpuid at 62335-737-10009C16
- source: Hybrid Analysis Technology
- relevance: 10/10

Reads the active computer name
- details: "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10

Reads the cryptographic machine GUID
- details: "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10

General

Contains ability to find and load resources of a specific module
- details:
  LockResource@KERNEL32.DLL from e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
  FindResourceW@KERNEL32.DLL from e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148) (5 occurrences)
  FindResourceExW@KERNEL32.DLL from e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
  FindResourceW@KERNEL32.dll (2 occurrences)
- source: Hybrid Analysis Technology
- relevance: 1/10

Reads configuration files
- details:
  "<Input Sample>" read file "%USERPROFILE%\Users\%OSUSER%\Desktop\desktop.ini"
  "<Input Sample>" read file "%WINDIR%\win.ini"
  "<Input Sample>" read file "%USERPROFILE%\Searches\desktop.ini"
  "<Input Sample>" read file "%USERPROFILE%\Videos\desktop.ini"
  "<Input Sample>" read file "%USERPROFILE%\Pictures\desktop.ini"
  "<Input Sample>" read file "%USERPROFILE%\Contacts\desktop.ini"
  "<Input Sample>" read file "%USERPROFILE%\Favorites\desktop.ini"
- source: API Call
- relevance: 4/10

Installation/Persistence

Drops executable files
- details:
  "Prereq.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "tempFiles.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "aicustact.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "ShortcutFlags.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "aipackagechainer.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  "NetFirewall.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "VIPMHelperRegistryWriter.exe" has type "PE32 executable (console) Intel 80386 for MS Windows"
  "decoder.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "aischeduler.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "aischeduler2.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "IniLocator.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "ResourceCleaner.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "lzmaextractor.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "viewer.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  "MSI371D.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "MSID9A9.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "MSI5287.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "MSI53F1.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source: Binary File
- relevance: 10/10

Network Related

Found potential IP address in binary/memory
- details:
  "4.08.02.0134"
  "15.0.0.164"
  "15.0.0.191"
  Heuristic match: "MM-SEARCH * HTTP/1.1Host:239.255.255.250:1900ST:urn:schemas-upnp-org:device:InternetGatewayDevice:1Man:"ssdp:discover"MX:3"
  "127.0.0.1"
  "11.3.0.0"
  "1.3.0.0"
  Heuristic match: "6666"h77"7-787C7N7Y7d7o7z77777778.8.8.8.8.868A8L8W8b8m8x888888"#08889"l59B9J9U9`9"9999"999::"@G:T:_:_:g:r:r:"::::":",;"X);1;>;F;Q;Y;a;a;i;t;;;;;;;;;;;;;;;;;<<<!<
  <7<?<"!r<<<<<<<<<"<<<<="$4="pm="=="S>p><"
- source: File/Memory
- relevance: 3/10

System Destruction

Marks file for deletion
- details:
  "C:\e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe" marked "%TEMP%\MSI4F69.tmp" for deletion
  "C:\e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\MSI5287.tmp" for deletion
  "C:\e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\MSI5343.tmp" for deletion
  "C:\e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\MSI53C1.tmp" for deletion
  "C:\e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\MSI53F1.tmp" for deletion
  "C:\e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe" marked "C:\MSI3541c.tmp" for deletion
  "C:\e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\MSI5450.tmp" for deletion
  "C:\e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\MSID9A9.tmp" for deletion
  "C:\e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\MSI36FD.tmp" for deletion
  "C:\e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\MSI371D.tmp" for deletion
  "C:\e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\EXE3970.tmp" for deletion
- source: API Call
- relevance: 10/10

Opens file with deletion access rights
- details:
  "<Input Sample>" opened "%TEMP%\MSI4F69.tmp" with delete access
  "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\MSI5287.tmp" with delete access
  "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\MSI5343.tmp" with delete access
  "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\MSI53C1.tmp" with delete access
  "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\MSI53F1.tmp" with delete access
  "<Input Sample>" opened "C:\MSI3541c.tmp" with delete access
  "<Input Sample>" opened "%SAMPLEDIR%\MSI3541d.tmp" with delete access
  "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\MSI5450.tmp" with delete access
  "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\MSID9A9.tmp" with delete access
  "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\MSI36FD.tmp" with delete access
  "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\MSI371D.tmp" with delete access
  "<Input Sample>" opened "C:\Windows\Tasks\C__e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe.job" with delete access
  "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Roaming\JKI\VIPM2017.0.2014-install\decoder.dll" with delete access
  "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Roaming\JKI\VIPM2017.0.2014-install\2F1E820\vipm-setup.msi" with delete access
  "<Input Sample>" opened "C:\Users\%USERNAME%\AppData\Local\Temp\EXE3970.tmp" with delete access
- source: API Call
- relevance: 7/10

System Security

Contains ability to elevate privileges
- details: SetSecurityDescriptorDacl@ADVAPI32.dll
- source: Hybrid Analysis Technology
- relevance: 10/10

Contains ability to lookup privileges
- details: GetSecurityDescriptorDacl@ADVAPI32.dll
- source: Hybrid Analysis Technology
- relevance: 3/10

Modifies Software Policy Settings
- details:
  "<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
  "<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
  "<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
  "<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
  "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
  "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
  "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
  "<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
  "<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
  "<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
  "<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
  "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
  "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
  "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
  "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
  "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
  "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
  "<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE")
  "<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CERTIFICATES")
  "<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLS")
- source: Registry Access
- relevance: 10/10

Unusual Characteristics

CRC value set in PE header does not match actual value
- details:
  "tempFiles.dll" claimed CRC 120821 while the actual is CRC 330391
  "aicustact.dll" claimed CRC 91993 while the actual is CRC 120821
  "ShortcutFlags.dll" claimed CRC 162417 while the actual is CRC 91993
  "aipackagechainer.exe" claimed CRC 289454 while the actual is CRC 162417
  "NetFirewall.dll" claimed CRC 240464 while the actual is CRC 289454
  "VIPMHelperRegistryWriter.exe" claimed CRC 80756 while the actual is CRC 240464
  "decoder.dll" claimed CRC 154659 while the actual is CRC 80756
  "aischeduler.dll" claimed CRC 133606 while the actual is CRC 154659
  "aischeduler2.dll" claimed CRC 137562 while the actual is CRC 133606
  "IniLocator.dll" claimed CRC 218757 while the actual is CRC 137562
  "ResourceCleaner.dll" claimed CRC 398760 while the actual is CRC 218757
  "lzmaextractor.dll" claimed CRC 19567 while the actual is CRC 398760
  "viewer.exe" claimed CRC 31815 while the actual is CRC 19567
- source: Static Parser
- relevance: 10/10

Imports suspicious APIs
- details:
  RegCreateKeyExW, RegCloseKey, RegDeleteKeyW, SetSecurityDescriptorDacl, OpenProcessToken, RegOpenKeyExW, RegEnumKeyExW, RegDeleteValueW, StartServiceW, GetDriveTypeW,
  FindResourceExW, ConnectNamedPipe, CopyFileW, GetModuleFileNameW, IsDebuggerPresent, GetModuleFileNameA, UnhandledExceptionFilter, LoadLibraryExW, CreateThread, TerminateProcess,
  LoadLibraryW, GetVersionExW, GetTickCount, LoadLibraryA, GetStartupInfoA, GetFileSize, DeleteFileA, CreateDirectoryW, DeleteFileW, GetProcAddress,
  GetTempFileNameW, WriteFile, FindNextFileW, FindFirstFileW, CreateFileW, CreateFileA, FindResourceW, LockResource, GetCommandLineA, GetModuleHandleA,
  FindFirstFileA, GetModuleHandleW, GetTempPathW, CreateProcessW, Sleep, VirtualAlloc, ShellExecuteExA, ShellExecuteExW, FindWindowW, OpenProcess,
  GetTempPathA, GetTempFileNameA, FindNextFileA, CreateProcessA, GetWindowThreadProcessId, GetStartupInfoW, OutputDebugStringW, GetCommandLineW, ShellExecuteW, ExitThread,
  GetFileAttributesA, GetDriveTypeA, GetFileAttributesW, CreateProcessAsUserW, CopyFileA, CreateDirectoryA, GetUserNameA, GetUserNameW, GetComputerNameW, GetComputerNameA
- source: Static Parser
- relevance: 1/10

Installs hooks/patches the running process
- details:
  "<Input Sample>" wrote bytes "c0dfbc771cf9bb77ccf8bb770d64bd7700000000c011d67600000000fc3ed67600000000e013d676000000009457cb7625e0bc77c6e0bc7700000000bc6aca7600000000cf31d676000000009319cb76000000002c32d67600000000" to virtual address "0x75601000" (part of module "NSI.DLL")
  "<Input Sample>" wrote bytes "7111d9017a3bd801ab8b02007f950200fc8c0200729602006cc805001ecdd5017d26d501" to virtual address "0x75E907E4" (part of module "USER32.DLL")
  "<Input Sample>" wrote bytes "75dc0e77273e0e7751c10c77ee9c0c7794980c770fb3127710990c7790970c7700000000f516d676ead7d776d917d6766987d6760f77d8760c11d676a934d6762014d676f811d676ff10d67600000000" to virtual address "0x732EE000" (part of module "CLR.DLL")
  "<Input Sample>" wrote bytes "f811d6762014d6760c11d676f516d676a911d6768548d676b934d676a934d6766834d67600000000a56bbc75e485bc75e04dbc759cc0bc75a3bfbc7592aebc750c7dbc7500000000" to virtual address "0x74331000" (part of module "MSIMG32.DLL")
  "cmd.exe" wrote bytes "7111d9017a3bd801ab8b02007f950200fc8c0200729602006cc805001ecdd5017d26d501" to virtual address "0x75E907E4" (part of module "USER32.DLL")
  "attrib.exe" wrote bytes "7111d9017a3bd801ab8b02007f950200fc8c0200729602006cc805001ecdd5017d26d501" to virtual address "0x75E907E4" (part of module "USER32.DLL")
- source: Hook Detection
- relevance: 10/10

Reads information about supported languages
- details:
  "<Input Sample>" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALENAME")
  "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  "attrib.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10

6 further suspicious indicators are hidden (available only in the private webservice or standalone version).
Informative (30)

Anti-Reverse Engineering

Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details:
  SetUnhandledExceptionFilter@KERNEL32.DLL from e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148) (5 occurrences)
  SetUnhandledExceptionFilter@KERNEL32.dll (8 occurrences)
  SetUnhandledExceptionFilter@KERNEL32.dll at 62335-703-1000FD11
- source: Hybrid Analysis Technology
- relevance: 1/10

Found strings in conjunction with a procedure lookup that resolve to a known API export symbol
- details:
  Found reference to API CorExitProcess@MSCOREE.DLL from e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
  Found reference to API IsWow64Process@KERNEL32.DLL from e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- source: Hybrid Analysis Technology
- relevance: 10/10

Environment Awareness

Contains ability to query machine time
- details:
  GetLocalTime@KERNEL32.DLL from e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
  GetSystemTime@KERNEL32.DLL from e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148) (2 occurrences)
  GetSystemTimeAsFileTime@KERNEL32.DLL from e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
  GetSystemTimeAsFileTime@KERNEL32.dll (3 occurrences)
  GetLocalTime@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query the machine version
- details:
  GetVersion@KERNEL32.DLL from e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
  GetVersionExW@KERNEL32.DLL from e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148) (4 occurrences)
  GetVersionExW@KERNEL32.dll (2 occurrences)
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query the system locale
- details:
  EnumSystemLocalesA@KERNEL32.DLL from e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148) (2 occurrences)
  GetUserDefaultLCID@KERNEL32.DLL from e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query volume size
- details:
  GetDiskFreeSpaceExW@KERNEL32.DLL from e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
  GetDiskFreeSpaceExW@KERNEL32.dll
  GetDiskFreeSpaceW@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 3/10

Makes a code branch decision directly after an API that is environment aware
- details:
  Found API call GetVersionExW@KERNEL32.DLL (Target: "e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe"; Stream UID: "00013269-00001148-37047-296-0033F740") which is directly followed by "cmp dword ptr [ebp-0Ch], 01h" and "jne 0033F80Bh". Related instructions (from e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe, PID: 1148):
    +0   push ebp
    +1   lea ebp, dword ptr [esp-00000304h]
    +8   sub esp, 00000384h
    +14  mov eax, dword ptr [003F0770h]
    +19  xor eax, ebp
    +21  mov dword ptr [ebp+00000300h], eax
    +27  push esi
    +28  push edi
    +29  lea eax, dword ptr [ebp-1Ch]
    +32  push eax
    +33  mov dword ptr [ebp-1Ch], 00000114h
    +40  call dword ptr [003B1190h] ; GetVersionExW
    +46  cmp dword ptr [ebp-0Ch], 01h
    +50  jne 0033F80Bh
- source: Hybrid Analysis Technology
- relevance: 10/10

Possibly tries to detect the presence of a debugger
- details:
  GetProcessHeap@KERNEL32.DLL from e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148) (6 occurrences)
  GetProcessHeap@KERNEL32.dll (8 occurrences)
- source: Hybrid Analysis Technology
- relevance: 1/10

Queries volume information
- details:
  "<Input Sample>" queries volume information of "C:\" at 00013269-00001148-00000046-63529646
  "<Input Sample>" queries volume information of "%TEMP%\AI_EXTUI_BIN_1148\VIPM2017WelcomeScreen.jpg" at 00013269-00001148-00000046-63912514
  "<Input Sample>" queries volume information of "C:\share" at 00013269-00001148-00000046-63989347
  "<Input Sample>" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1148\VIPM2017WelcomeScreen.jpg" at 00013269-00001148-00000046-64004836
  "<Input Sample>" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1148\VIPM2017installbanner.jpg" at 00013269-00001148-00000046-69985288
  "<Input Sample>" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1148\VIPM2017installbanner.jpg" at 00013269-00001148-00000046-83030309
  "<Input Sample>" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1148\VIPM2017installbanner.jpg" at 00013269-00001148-00000046-84486466
  "<Input Sample>" queries volume information of "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1148\VIPM2017WelcomeScreen.jpg" at 00013269-00001148-00000046-93206488
- source: API Call
- relevance: 2/10

Queries volume information of an entire harddrive
- details: "<Input Sample>" queries volume information of "C:\" at 00013269-00001148-00000046-63529646
- source: API Call
- relevance: 8/10

General

Accesses Software Policy Settings
- details:
  "<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
  "<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
  "<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
  "<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
  "<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
  "<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
  "<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
  "<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
  "<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
  "<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
  "<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
  "<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
  "<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
  "<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
  "<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
  "<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
  "<Input Sample>" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "")
  "<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE"; Key: "")
  "<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CERTIFICATES"; Key: "")
  "<Input Sample>" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLS"; Key: "")
- source: Registry Access
- relevance: 10/10

Accesses System Certificates Settings
- details:
  "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
  "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
  "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
  "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\104C63D2546B8021DD105E9FBA5A8D78169F6B32"; Key: "BLOB")
  "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\1FB86B1168EC743154062E8C9CC5B171A4B7CCB4"; Key: "BLOB")
  "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\247106A405B288A46E70A0262717162D0903E734"; Key: "BLOB")
  "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "BLOB")
  "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\339CDD57CFD5B141169B615FF31428782D1DA639"; Key: "BLOB")
  "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\5AEAEE3F7F2A9449CEBAFEEC68FDD184F20124A7"; Key: "BLOB")
  "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\902EF2DEEB3C5B13EA4C3D5193629309E231AE55"; Key: "BLOB")
  "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\C86EDBC71AB05078F61ACDF3D8DC5DB61EB75FB6"; Key: "BLOB")
  "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\E3FC0AD84F2F5A83ED6F86F567F8B14B40DCBF12"; Key: "BLOB")
  "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\EAB040689A0D805B5D6FD654FC168CFF00B78BE3"; Key: "BLOB")
  "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0"; Key: "BLOB")
  "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
  "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
  "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
  "<Input Sample>" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
- source: Registry Access
- relevance: 10/10

Contacts server
- details: "95.101.199.200:80"
- source: Network Traffic
- relevance: 1/10

Contains PDB pathways
- details:
  "D:\BranchAI\win\Release\stubs\x86\ExternalUi.pdb"
  "mrtstub.pdb"
  "D:\BranchAI\win\Release\custact\x86\AICustAct.pdb"
  "D:\BranchAI\win\Release\custact\x86\aischeduler2.pdb"
  "D:\BranchAI\win\Release\custact\x86\aischeduler.pdb"
  "D:\BranchAI\win\Release\custact\x86\ShortcutFlags.pdb"
  "D:\BranchAI\win\Release\custact\x86\ResourceCleaner.pdb"
  "D:\BranchAI\win\Release\custact\x86\tempFiles.pdb"
  "c:\Dev\lvaddon\LV2P\VIPMHelperRegistryWriter\dev\trunk\Release\VIPMHelperRegistryWriter.pdb" (matched inside a larger string blob that also contains the messages "Could not open HKEY_LOCAL_MACHINE,TEXT\SOFTWARE\Classes with required permissions, error: %d" and "Could not find VIPM Helper", a second copy of "D:\BranchAI\win\Release\custact\x86\AICustAct.pdb", and the exported custom-action names of aicustact.dll; surrounding binary residue omitted)
"*AI_ApplyShortcutFlagslnkComponent_Directory_ShortcutAI_SHORTCUTTABLE_FLAGSCOLUMNCustomActionDataH`_1RSDSFN`WI|cRW%D:\BranchAI\win\Release\custact\x86\ShortcutFlags.pdb,\<\H\d\@,\@\\d\<\\\H\d\<@\\\]]H\d\\@\|L]\]d]|@L]]]]d]@]]]]d\@],^<^H^d]@,^x^^^]d]@x^\^^^@^0$_4_@_d\0@$_[\ yPgIl@0Up" - source
- File/Memory
- relevance
- 1/10
-
Contains ability to create named pipes for inter-process communication (IPC)
- details
-
CreateNamedPipeW@KERNEL32.DLL from e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148) (Show Stream)
CreateNamedPipeW@KERNEL32.DLL from e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148) (Show Stream) - source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Creates a writable file in a temporary directory
- details
-
"<Input Sample>" created file "%TEMP%\MSI4F69.tmp"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\MSI5287.tmp"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1148\Up"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1148\exit.vbs"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1148\VIPMHelperRegistryWriter.exe"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1148\install.ico"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1148\tabback"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1148\VIPM2017WelcomeScreen.jpg"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1148\exclamic"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1148\VIPM2017installbanner.jpg"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1148\New"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1148\removico"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1148\completi"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1148\custicon"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1148\info"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1148\repairic"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1148\IniLocator.dll"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1148\banner"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1148\NetFirewall.dll"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\AI_EXTUI_BIN_1148\Prereq.dll" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex" - source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
-
Antivirus vendors marked dropped file "Prereq.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "tempFiles.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "aicustact.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "ShortcutFlags.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "aipackagechainer.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "NetFirewall.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "decoder.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "aischeduler.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "aischeduler2.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "IniLocator.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "ResourceCleaner.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "lzmaextractor.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "viewer.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "exit.vbs" as clean (type is "ASCII text with CRLF line terminators")
Antivirus vendors marked dropped file "MSI371D.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "MSID9A9.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "MSI5287.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "MSI53F1.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- source
- Binary File
- relevance
- 10/10
-
Loads rich edit control libraries
- details
- "<Input Sample>" loaded module "%WINDIR%\SysWOW64\riched20.dll" at 740D0000
- source
- Loaded Module
-
Reads Windows Trust Settings
- details
- "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source
- Registry Access
- relevance
- 5/10
-
Runs shell commands
- details
-
"%WINDIR%\system32\cmd.exe /c ""%TEMP%\EXE3970.tmp.bat" "" on 2018-1-31.22:34:24.083
"%WINDIR%\system32\cmd.exe /c ""%TEMP%\EXE3B74.tmp.bat" "" on 2018-1-31.22:34:24.185
"%WINDIR%\system32\cmd.exe /S /D /c" del "%TEMP%\EXE3970.tmp.bat" "" on 2018-1-31.22:34:24.732
"%WINDIR%\system32\cmd.exe /S /D /c" cls"" on 2018-1-31.22:34:24.755
"%WINDIR%\system32\cmd.exe /S /D /c" del "%TEMP%\EXE3B74.tmp.bat" "" on 2018-1-31.22:34:24.880
"%WINDIR%\system32\cmd.exe /S /D /c" cls"" on 2018-1-31.22:34:24.896 - source
- Monitored Target
- relevance
- 5/10
-
Scanning for window names
- details
- "<Input Sample>" searching for class "Shell_TrayWnd"
- source
- API Call
- relevance
- 10/10
-
Spawns new processes
- details
-
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c ""%TEMP%\EXE3970.tmp.bat" "" (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /c ""%TEMP%\EXE3B74.tmp.bat" "" (Show Process)
Spawned process "attrib.exe" with commandline "ATTRIB -r "\\?\%APPDATA%\JKI\VIPM20~1.201\2F1E820\VIPM-S~1.MSI"" (Show Process)
Spawned process "attrib.exe" with commandline "ATTRIB -r "\\?\%APPDATA%\JKI\VIPM20~1.201\2F1E820\VIPM-S~1.MSI"" (Show Process)
Spawned process "attrib.exe" with commandline "ATTRIB -r "%TEMP%\EXE3970.tmp.bat"" (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /S /D /c" del "%TEMP%\EXE3970.tmp.bat" "" (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /S /D /c" cls"" (Show Process)
Spawned process "attrib.exe" with commandline "ATTRIB -r "%TEMP%\EXE3B74.tmp.bat"" (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /S /D /c" del "%TEMP%\EXE3B74.tmp.bat" "" (Show Process)
Spawned process "cmd.exe" with commandline "%WINDIR%\system32\cmd.exe /S /D /c" cls"" (Show Process) - source
- Monitored Target
- relevance
- 3/10
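The six cmd.exe launches and their attrib/del/cls children in the two indicators above form one pattern, repeated twice: the sample drops a batch file into %TEMP% (EXE3970.tmp.bat, EXE3B74.tmp.bat in "Dropped files"), runs it through cmd.exe /c, the script clears the read-only bit on the cached MSI under %APPDATA%\JKI\ (the 2F1E820 folder name matches the tail of the first GUID in the MSI's Revision Number field) and on itself, then deletes itself and clears the console. A self-deleting temp batch is also how droppers remove their own stage, which is why a sandbox scores it; here the surrounding artefacts (the D:\BranchAI\ PDB paths, the MSI's "Advanced Installer 11.3" creator field) place it inside an installer bootstrapper, and the deciding context is always which process wrote the script and what the script touches. The detection logic below is an added example written for this page, not code from the report, from Hybrid Analysis or from the installer's vendor: it rebuilds the process tree from constructed process-creation events transcribed from the report and flags every cmd.exe that launches a batch file from a temp directory which its own children then delete. The (parent_pid, pid, image, command_line) tuple layout is an assumption for the example; map it onto the ParentProcessId/ProcessId/Image/CommandLine fields of your own Sysmon or EDR telemetry.

```python
import re
from collections import defaultdict

# Constructed sample: process-creation events transcribed from the report's process
# tree as (parent_pid, pid, image, command_line). Hand-built for this example; the
# tuple layout is an assumption, not a Sysmon/EDR schema.
EVENTS = [
    (1148, 344,  "cmd.exe",    r'%WINDIR%\system32\cmd.exe /c ""%TEMP%\EXE3970.tmp.bat" "'),
    (344,  2232, "attrib.exe", r'ATTRIB -r "\\?\%APPDATA%\JKI\VIPM20~1.201\2F1E820\VIPM-S~1.MSI"'),
    (344,  2272, "attrib.exe", r'ATTRIB -r "%TEMP%\EXE3970.tmp.bat"'),
    (344,  2676, "cmd.exe",    r'%WINDIR%\system32\cmd.exe /S /D /c" del "%TEMP%\EXE3970.tmp.bat" "'),
    (344,  2036, "cmd.exe",    r'%WINDIR%\system32\cmd.exe /S /D /c" cls"'),
    (1148, 2596, "cmd.exe",    r'%WINDIR%\system32\cmd.exe /c ""%TEMP%\EXE3B74.tmp.bat" "'),
    (2596, 656,  "attrib.exe", r'ATTRIB -r "\\?\%APPDATA%\JKI\VIPM20~1.201\2F1E820\VIPM-S~1.MSI"'),
    (2596, 2264, "attrib.exe", r'ATTRIB -r "%TEMP%\EXE3B74.tmp.bat"'),
    (2596, 2028, "cmd.exe",    r'%WINDIR%\system32\cmd.exe /S /D /c" del "%TEMP%\EXE3B74.tmp.bat" "'),
    (2596, 1576, "cmd.exe",    r'%WINDIR%\system32\cmd.exe /S /D /c" cls"'),
]

# A quoted path ending in .bat anywhere on the command line.
BAT_PATH = re.compile(r'"([^"]+\.bat)"', re.IGNORECASE)
# Temp locations: the %TEMP% placeholder the sandbox substitutes, or the expanded paths.
TEMP_DIR = re.compile(r'%TEMP%|\\AppData\\Local\\Temp\\|\\Windows\\Temp\\', re.IGNORECASE)
DEL_CMD = re.compile(r'\b(?:del|erase)\b', re.IGNORECASE)


def find_self_deleting_batches(events):
    """Flag each cmd.exe that runs a batch file from a temp directory and whose own
    child processes later delete that same file. Returns one dict per hit."""
    children = defaultdict(list)
    for parent, pid, image, cmdline in events:
        children[parent].append((pid, image, cmdline))

    findings = []
    for parent, pid, image, cmdline in events:
        if image.lower() != "cmd.exe":
            continue
        match = BAT_PATH.search(cmdline)
        if not match or not TEMP_DIR.search(match.group(1)):
            continue
        script = match.group(1)

        def same_script(cmd):
            return script.lower() in cmd.lower()

        deleted_by = [c_pid for c_pid, c_img, c_cmd in children[pid]
                      if c_img.lower() == "cmd.exe" and DEL_CMD.search(c_cmd) and same_script(c_cmd)]
        if not deleted_by:
            continue
        findings.append({
            "parent_pid": parent,
            "launcher_pid": pid,
            "script": script,
            "deleted_by": deleted_by,
            # attrib -r on the script itself: the read-only bit is cleared before the del
            "attrib_cleared_by": [c_pid for c_pid, c_img, c_cmd in children[pid]
                                  if c_img.lower() == "attrib.exe" and same_script(c_cmd)],
            # anything else the script touched with attrib, e.g. the cached MSI here
            "other_attrib_targets": sorted({c_cmd for _, c_img, c_cmd in children[pid]
                                            if c_img.lower() == "attrib.exe" and not same_script(c_cmd)}),
        })
    return findings


if __name__ == "__main__":
    for hit in find_self_deleting_batches(EVENTS):
        print(f"cmd.exe PID {hit['launcher_pid']} (parent {hit['parent_pid']}) ran {hit['script']}; "
              f"deleted by {hit['deleted_by']}; read-only bit cleared by {hit['attrib_cleared_by']}")
        for target in hit["other_attrib_targets"]:
            print(f"    also attrib: {target}")
```

Run against the transcribed events it reports the two launchers (PID 344 and PID 2596) and, for each, the attrib on the cached MSI as the extra target. On real telemetry the parent_pid of the launcher is the field to pivot on: an installer bootstrapper or a user's own script is a different triage outcome from an Office process or a browser doing the same thing.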
-
Installation/Persistence
-
Contains ability to lookup the windows account name
- details
- GetUserNameW@ADVAPI32.DLL from e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148) (Show Stream)
- source
- Hybrid Analysis Technology
- relevance
- 5/10
-
Dropped files
- details
-
"Prereq.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"tempFiles.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"aicustact.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"ShortcutFlags.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"aipackagechainer.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"vipm-setup.msi" has type "Composite Document File V2 Document Little Endian O%WINDIR%\Version 6.1 MSI Installer Code page: 1252 Title: Installation Database Subject: VI Package Manager 2017 Author: JKI Keywords: Installer MSI Database Comments: VI Package Manager 2017 - Build and manage your LabVIEW add-ons. Create Time/Date: Fri Dec 11 11:47:46 2009 Name of Creating Application: Advanced Installer 11.3 build 57288 Security: 0 Template: ;1033 Last Saved By: ;1036 Revision Number: {9BAF2B99-C63E-4D72-B21B-201BA2F1E820}17.0.2014;{EF4D5DA2-4DCB-4527-A421-27E968C423FB}17.0.2014;{5663F4AC-5EC4-4D6D-851F-C5C5BBE495CE} Number of Pages: 200 Number of Characters: 63"
"NetFirewall.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"VIPMHelperRegistryWriter.exe" has type "PE32 executable (console) Intel 80386 for MS Windows"
"EXE3970.tmp.bat" has type "DOS batch file ASCII text with CRLF line terminators"
"decoder.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"EXE3B74.tmp.bat" has type "DOS batch file ASCII text with CRLF line terminators"
"aischeduler.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"aischeduler2.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"IniLocator.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"ResourceCleaner.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"lzmaextractor.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"viewer.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"exit.vbs" has type "ASCII text with CRLF line terminators"
"MSI371D.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"dialog" has type "JPEG image data JFIF standard 1.02 aspect ratio density 100x100 segment length 16 baseline precision 8 500x316 frames 3" - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"<Input Sample>" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000005.db"
"<Input Sample>" touched file "C:\Windows\Fonts\StaticCache.dat"
"<Input Sample>" touched file "C:\Windows\SysWOW64\en-US\msctf.dll.mui"
"<Input Sample>" touched file "C:\Windows\SysWOW64\rsaenh.dll"
"<Input Sample>" touched file "C:\Windows\SysWOW64\msimsg.dll"
"<Input Sample>" touched file "C:\Windows\SysWOW64\en-US\KernelBase.dll.mui"
"<Input Sample>" touched file "C:\Windows\AppPatch\msimain.sdb"
"<Input Sample>" touched file "C:\Windows\SysWOW64\sxs.dll"
"<Input Sample>" touched file "C:\Windows\SysWOW64\ar-SA\sxs.DLL.mui"
"<Input Sample>" touched file "C:\Windows\SysWOW64\bg-BG\sxs.DLL.mui"
"<Input Sample>" touched file "C:\Windows\SysWOW64\cs-CZ\sxs.DLL.mui"
"<Input Sample>" touched file "C:\Windows\SysWOW64\da-DK\sxs.DLL.mui" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://schemas.microsoft.com/SMI/2005/WindowsSettings"
Pattern match: "http://cs-g2-crl.thawte.com/ThawteCSG2.crl0"
Pattern match: "http://ocsp.thawte.com0"
Pattern match: "http://www.usertrust.com1"
Pattern match: "crl.usertrust.com/UTN-USERFirst-Object.crl05"
Pattern match: "http://ocsp.usertrust.com0"
Pattern match: "http://crl.thawte.com/ThawtePCA.crl0"
Pattern match: "http://www.advancedinstaller.com0"
Heuristic match: "gVTS<m.KE"
Heuristic match: "S|Ccg,VO.Kw"
Pattern match: "http://www.google.com"
Pattern match: "http://www.yahoo.com"
Pattern match: "http://www.example.com"
Pattern match: "www.ni.com/support"
Pattern match: "ni.com/support"
Pattern match: "http://dmd.metaservices.microsoft.com/dms/metadata.svc"
Pattern match: "http://schemas.microsoft.com/windowsmetadata/services/2007/09/18/dms/DeviceMetadataService/GetDeviceMetadata"
Heuristic match: "GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3ea3ba94a711f768 HTTP/1.1Connection: Keep-AliveAccept: */*If-Modified-Since: Thu, 20 Apr 2017 16:02:20 GMTIf-None-Match: 04e707defb9d21:0User-Agent: Microsoft-CryptoAPI/6.1Hos"
Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: ocsp.digicert.com"
Heuristic match: "GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e96399636a125a6e HTTP/1.1Connection: Keep-AliveAccept: */*If-Modified-Since: Thu, 20 Apr 2017 16:02:20 GMTIf-None-Match: 04e707defb9d21:0User-Agent: Microsoft-CryptoAPI/6.1Hos"
Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAkn9%2FLlpsxpwY6%2FKpZEPKI%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: ocsp.digicert.com"
Heuristic match: "GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?9d6bcf7cc56fc701 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: ctldl.windowsupdate.com"
Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: s2.symcb.com"
Pattern match: "http://www.symauth.com/cps0"
Pattern match: "http://www.symauth.com/rpa0"
Heuristic match: "GET /pca3-g5.crl HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: s1.symcb.com"
Heuristic match: "GET /sv.crl HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: sv.symcb.com"
Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEBuN56dlW1Lzehhu%2FtdSD3U%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: sv.symcd.com"
Pattern match: "http://www.symauth.com/cps0*"
Heuristic match: "GET /CRL/Omniroot2025.crl HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: cdp1.public-trust.com"
Heuristic match: "HEAD /v11/2/windowsupdate/redir/v6-win7sp1-wuredir.cab?1801312129 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agen%WINDIR%\Update-AgentHost: ds.download.windowsupdate.com"
Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAt%2BEJA8OEkP%2Bi9nmoehp7k%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: ocsp.digicert.com"
Pattern match: "www.microsoft.com/pkiops/crl/Microsoft%20Update%20Secure%20Server%20CA%202.1.crl0u"
Pattern match: "www.microsoft.com/pkiops/certs/Microsoft%20Update%20Secure%20Server%20CA%202.1.crt0"
Pattern match: "crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl0^"
Pattern match: "www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0"
Heuristic match: "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSLIycRsoI3J6zPns4K1aQgAqaqHgQUZ50PIAkMzIo65YJGcmL88cyQ5UACEAG2Yem3HYLmNssdMr3TCFk%3D HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host: ocsp.digicert.com"
Heuristic match: "HEAD /v11/3/windowsupdate/selfupdate/WSUS3/x64/Win7SP1/wsus3setup.cab?1801312129 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-AgentHost: ds.download.windowsupdate.com"
Heuristic match: "GET /d/msdownload/update/others/2018/01/26066719_4fc6c615b134f928be23d0443d9ddcdff2b1fdef.cab HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-AgentHost: download.windowsupdate.com"
Heuristic match: "GET /c/msdownload/update/others/2018/01/26024375_33a0ca3f0bfe076e3fd817a7ada00aee3a2cc07a.cab HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-AgentHost: download.windowsupdate.com"
Heuristic match: "GET /c/msdownload/update/others/2018/01/26012042_856b7d8e2a11135e06a6233e0a4970303c80d8af.cab HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-AgentHost: download.windowsupdate.com"
Heuristic match: "GET /c/msdownload/update/others/2018/01/26012200_e20b145a7f1283a8382d7dbe2bedff062af86b03.cab HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-AgentHost: download.windowsupdate.com"
Heuristic match: "GET /c/msdownload/update/others/2018/01/26012198_8d795576010f1e01d1df0ce4e40131b2e0631cc4.cab HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-AgentHost: download.windowsupdate.com"
Pattern match: "www.microsoft.com"
Heuristic match: "HEAD /v11/2/windowsupdate/redir/v6-win7sp1-wuredir.cab?1801312131 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-AgentHost: ds.download.windowsupdate.com"
Heuristic match: "HEAD /c/msdownload/update/software/uprl/2018/01/windows-kb890830-x64-v5.56_67c691cf664b117408db0273b43b5af41b6260a5.exe HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-AgentHost: au.download.windowsupdate.com"
Heuristic match: "HEAD /c/msdownload/update/software/secu/2017/11/windows6.1-kb4054518-x64-express_db28ce70ccefa582bf52abdc5c6d440f08667426.cab HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-AgentHost: au.download.windowsupdate.com"
Heuristic match: "HEAD /c/msdownload/update/software/uprl/2018/01/windows-kb890830-x64-v5.56_67c691cf664b117408db0273b43b5af41b6260a5.exe HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityUser-Agent: Microsoft BITS/7.5Host: au.download.windowsupdat"
Heuristic match: ":cMX)[.vE"
Pattern match: "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVN"
Pattern match: "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAkn9%2FLlpsxpw"
Pattern match: "http://schemas.microsoft.com/office/word/2003/wordml}{\xmlns2"
Pattern match: "jkisoft.com/legal"
Pattern match: "jki.net/vipmCtrlEvtchangeschangesARPURLUPDATEINFOCtrlEvtRepairingRepairingCtrlEvtremovesremovesPROMPTROLLBACKCOSTPWindowsTypeNTDisplayWindows"
Pattern match: "http://cs-g2-crl.thawte.com/ThawteCSG2.crl0U%0+"
Pattern match: "www.usertrust.com10UUTN-USERFirst-Object0"
Pattern match: "crl.usertrust.com/UTN-USERFirst-Object.crl05+"
Pattern match: "http://crl.thawte.com/ThawtePCA.crl0U02+&0$0+0http://ocsp.thawte.com0U%0++0"
Pattern match: "www.usertrust.com10UUTN-USERFirst-ObjectGY?B0+]0*H"
Heuristic match: ")-IyY\]#5sjI#whAAAAAC.]< A++.SY"
Heuristic match: "uPreparing...P2SkipUMS Shell DlgP/7lSysListView32PLP2Browse...P9Download Folder:P7Next PPrerequisites PThese programs are needed for the application to run. Click on the check box next to a prerequisite to select it for install or to skip it.PA"
Pattern match: "http://crl3.digicert.com/sha2-assured-cs-g1.crl0531/http://crl4.digicert.com/sha2-assured-cs-g1.crl0BU"
Pattern match: "cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0Uz0x0:864http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:864http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0OU"
Pattern match: "https://www.digicert.com/CPS0"
Heuristic match: "Q:TH!o>WH?\~#}aCG^g_}.HM"
Heuristic match: "hW.PG"
Heuristic match: "`pM_^3[~_kUWWQulP`wt_]Uu5*7h]UhP`lPth@`PhPtu]UuYuQjYj!YUVt;ur^]UVu3ut;ur^]U=WthW.Yt"
Pattern match: "WINDOWSAGEWINDOWCLASSmstask.exeScheduleSYSTEM.job/cmdloc"
Pattern match: "jDohMUeEPM.hEPE/kvW|$f?f8I@@w_VUSVW_u%_uuEuuuPq_^[UjFeuuuuuVD]+D$V4~Pt$PQ2X^+D$V4tPt$PQX^jnEMu}EMt" - source
- File/Memory
- relevance
- 10/10
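Most of the "heuristic match" entries above are request lines captured from the guest, not URLs embedded in the sample. The Microsoft-CryptoAPI/6.1 requests to ocsp.digicert.com, sv.symcd.com, s2.symcb.com, s1.symcb.com, sv.symcb.com and cdp1.public-trust.com are Windows' own certificate-chain revocation checks; the ctldl.windowsupdate.com authrootstl.cab and disallowedcertstl.cab fetches are the automatic root and disallowed certificate trust list update; the Windows-Update-Agent and Microsoft BITS lines are Windows Update running in the Windows 7 guest. The crl/ocsp/cps strings for Thawte, UserTrust, DigiCert and Symantec are CRL distribution point and AIA URLs of the kind found in certificates, and together with the "Reads Windows Trust Settings" indicator they are consistent with an Authenticode-signed installer being verified, which is worth confirming by hand on the original file before reading anything into a 1/67 detection. None of these hosts should be filed as the sample's infrastructure. What an OCSP GET does tell you is which certificate the guest was checking: the path after the host is the URL-encoded base64 of a DER OCSPRequest (RFC 6960, Appendix A), whose CertID holds the SHA-1 of the issuer's name, the SHA-1 of the issuer's public key and the serial number of the certificate in question. The decoder below is an added example for this page, not code from the report or from Hybrid Analysis: it walks that structure with a minimal DER reader (single-byte tags only, first Request only, both assumptions that hold for CryptoAPI's requests) and takes as input the first ocsp.digicert.com request path copied from the matches above.

```python
import base64
import urllib.parse

# Constructed sample: the request path of the first Microsoft-CryptoAPI/6.1 GET to
# ocsp.digicert.com, copied from the report's string matches.
SAMPLE_PATH = ("/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6ch"
               "nfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D")

HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def read_tlv(buf, pos=0):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, position after it).
    Assumes single-byte tags, which is all an OCSPRequest uses."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long form: low bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Turn the value bytes of an OBJECT IDENTIFIER into dotted-decimal form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                      # last byte of a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_ocsp_get(path):
    """Decode an OCSP-over-GET path (RFC 6960, Appendix A) into the CertID of the
    first Request: which issuer, and which serial number, the client asked about."""
    der = base64.b64decode(urllib.parse.unquote(path.lstrip("/")))
    tag, ocsp_request, _ = read_tlv(der)                 # OCSPRequest ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs_request, _ = read_tlv(ocsp_request)           # TBSRequest ::= SEQUENCE
    pos = 0
    while pos < len(tbs_request):                        # skip optional [0] version / [1] requestorName
        tag, request_list, pos = read_tlv(tbs_request, pos)
        if tag == 0x30:                                  # requestList SEQUENCE OF Request
            break
    else:
        raise ValueError("no requestList in TBSRequest")
    _, request, _ = read_tlv(request_list)               # first Request
    _, cert_id, _ = read_tlv(request)                    # CertID
    _, alg_id, pos = read_tlv(cert_id)                   # AlgorithmIdentifier
    _, oid, _ = read_tlv(alg_id)
    _, issuer_name_hash, pos = read_tlv(cert_id, pos)   # OCTET STRING: hash of issuer DN
    _, issuer_key_hash, pos = read_tlv(cert_id, pos)    # OCTET STRING: hash of issuer public key
    _, serial, _ = read_tlv(cert_id, pos)                # INTEGER, kept as raw big-endian bytes
    algorithm = decode_oid(oid)
    return {
        "hash_algorithm": HASH_OIDS.get(algorithm, algorithm),
        "issuer_name_hash": issuer_name_hash.hex(),
        "issuer_key_hash": issuer_key_hash.hex(),
        "serial_number": serial.hex(),
    }


if __name__ == "__main__":
    for field, value in decode_ocsp_get(SAMPLE_PATH).items():
        print(f"{field:18} {value}")
```

The issuer_key_hash is the SHA-1 over the issuer certificate's subjectPublicKey bit string (RFC 6960 section 4.1.1), so it identifies the intermediate CA once you have the candidate certificates in hand, and the serial number then pins the exact leaf; that is the pairing to use when deciding whether a revocation check in a sandbox run belongs to the sample's signer or to some unrelated OS component.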
-
System Security
-
Creates or modifies windows services
- details
- "<Input Sample>" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
- source
- Registry Access
- relevance
- 10/10
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "<Input Sample>" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
-
"Prereq.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
"tempFiles.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
"ShortcutFlags.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
"aipackagechainer.exe" was detected as "VC8 -> Microsoft Corporation"
"NetFirewall.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
"VIPMHelperRegistryWriter.exe" was detected as "Visual C++ 2005 Release -> Microsoft"
"decoder.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
"aischeduler.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
"aischeduler2.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
"IniLocator.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
"ResourceCleaner.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
"viewer.exe" was detected as "Borland Delphi 3.0 (???)" - source
- Static Parser
- relevance
- 10/10
-
File Details
vipm-17.0.2014-windows-setup.exe
- Filename
- vipm-17.0.2014-windows-setup.exe
- Size
- 85MiB (88762432 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f
- MD5
- c7871425b06090c319e5a4e095fccd83
- SHA1
- b1ecdf056c0983b984d726c5e8e47517e07ccd7f
Classification (TrID)
- 55.5% (.OCX) Windows ActiveX control
- 20.5% (.EXE) InstallShield setup
- 19.8% (.EXE) Win32 EXE PECompact compressed (generic)
- 2.1% (.EXE) Win32 Executable (generic)
- 0.9% (.EXE) Generic Win/DOS Executable
Screenshots
Hybrid Analysis
Analysed 11 processes in total (System Resource Monitor).
-
Input Sample
(PID: 1148)
1/67
-
cmd.exe
%WINDIR%\system32\cmd.exe /c ""%TEMP%\EXE3970.tmp.bat" "
(PID: 344)
- attrib.exe ATTRIB -r "\\?\%APPDATA%\JKI\VIPM20~1.201\2F1E820\VIPM-S~1.MSI" (PID: 2232)
- attrib.exe ATTRIB -r "%TEMP%\EXE3970.tmp.bat" (PID: 2272)
- cmd.exe %WINDIR%\system32\cmd.exe /S /D /c" del "%TEMP%\EXE3970.tmp.bat" " (PID: 2676)
- cmd.exe %WINDIR%\system32\cmd.exe /S /D /c" cls" (PID: 2036)
-
cmd.exe
%WINDIR%\system32\cmd.exe /c ""%TEMP%\EXE3B74.tmp.bat" "
(PID: 2596)
- attrib.exe ATTRIB -r "\\?\%APPDATA%\JKI\VIPM20~1.201\2F1E820\VIPM-S~1.MSI" (PID: 656)
- attrib.exe ATTRIB -r "%TEMP%\EXE3B74.tmp.bat" (PID: 2264)
- cmd.exe %WINDIR%\system32\cmd.exe /S /D /c" del "%TEMP%\EXE3B74.tmp.bat" " (PID: 2028)
- cmd.exe %WINDIR%\system32\cmd.exe /S /D /c" cls" (PID: 1576)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
95.101.199.200 | 80/TCP | - | European Union |
Contacted Countries
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
http://www.yahoo.com | Domain/IP reference | 00013269-00001148-37047-760-00335BBF |
http://www.example.com | Domain/IP reference | 00013269-00001148-37047-760-00335BBF |
http://www.google.com | Domain/IP reference | 00013269-00001148-37047-760-00335BBF |
Extracted Strings
Extracted Files
Displaying 30 extracted file(s). The remaining 17 file(s) are available in the full version and XML/JSON reports.
-
Malicious 2
-
-
vipm-setup.msi
- Size
- 3MiB (3146240 bytes)
- Type
- rtf
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Title: Installation Database, Subject: VI Package Manager 2017, Author: JKI, Keywords: Installer, MSI, Database, Comments: VI Package Manager 2017 - Build and manage your LabVIEW add-ons., Create Time/Date: Fri Dec 11 11:47:46 2009, Name of Creating Application: Advanced Installer 11.3 build 57288, Security: 0, Template: ;1033, Last Saved By: ;1036, Revision Number: {9BAF2B99-C63E-4D72-B21B-201BA2F1E820}17.0.2014;{EF4D5DA2-4DCB-4527-A421-27E968C423FB}17.0.2014;{5663F4AC-5EC4-4D6D-851F-C5C5BBE495CE}, Number of Pages: 200, Number of Characters: 63
- AV Scan Result
- Labeled as "Trojan.WisdomEyes.16070401.9500" (1/61)
- Runtime Process
- e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- MD5
- 23400695f3d18a91c5eff1a960e9a9a9
- SHA1
- bcc11d265e9ca7433d8b6b37ec44607e961a0604
- SHA256
- e18368f517e79b279cd7cc827f8ce3a8586a2dc8640e87471e5d0c23e0bd4f0d
-
VIPMHelperRegistryWriter.exe
- Size
- 18KiB (18432 bytes)
- Type
- peexe executable
- Description
- PE32 executable (console) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "Trojan.WisdomEyes.16070401.9500" (1/68)
- Runtime Process
- e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- MD5
- 3bbaae6de4450a0d88b805d22df7a649
- SHA1
- 4fb5a79c2c3a675f39d397362a35ac682f2263f5
- SHA256
- 808593ef27624eb5c5922a04c3ab8944b439ff59104bdd852a55cb127fc387f5
-
-
Clean 18
-
-
decoder.dll
- Size
- 126KiB (128664 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/75
- Runtime Process
- e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- MD5
- 603bae97e35e9c011fc9fdf08921d038
- SHA1
- 14e18d818028dfc32af0647a15781ea8e3e45ad4
- SHA256
- 6b17c79eb8986535cce67e93a94ee97ec65e284a28de243d701c92a6a9da6f09
-
IniLocator.dll
- Size
- 163KiB (167064 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/73
- Runtime Process
- e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- MD5
- 7c26cc63d14693733452ae646c26a30f
- SHA1
- 9528a89bb2e2092ec94646c751ed6758438f6904
- SHA256
- b73919a58b3f836222f9793b94305e04f3b1838c7ca48d1a87d5d02e786ea9b4
-
NetFirewall.dll
- Size
- 182KiB (186520 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/67
- Runtime Process
- e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- MD5
- 0843cf24d284d54856466a410c5cd372
- SHA1
- 7455ccd6afdbb713c9786d5ff7c24fb73fb19a8b
- SHA256
- 9c08f8d0575c8503e0ede4b239cb4ab5bea12bf29dbd9d9f350552449be01d39
-
Prereq.dll
- Size
- 294KiB (300696 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/75
- Runtime Process
- e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- MD5
- deb6a165749b73a6bb023b1ee8bcc4dc
- SHA1
- a0fa253b99be211e5c1112ef0f7fe79ab265ada1
- SHA256
- 5062fcce45aed7be8ba57eda5ff76aaa3ffc03761cf2a8210c096608e2bf7a27
-
ResourceCleaner.dll
- Size
- 352KiB (360088 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/71
- Runtime Process
- e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- MD5
- 4fd14890662c039cc6ce907f3d063e3f
- SHA1
- 473385a7aa2d6083b299a17601d0caab0b0c0ce0
- SHA256
- df8da62a4fbaaa12d24224aace27d7d0a34dc8a650c07037889ab75848766fa0
-
ShortcutFlags.dll
- Size
- 115KiB (117400 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/67
- Runtime Process
- e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- MD5
- 9f1cac1b440a31c903576626822450e5
- SHA1
- 43f43da4356eb15489adfd1b2ef6d859426cae38
- SHA256
- 6764b99974733c88940e74563ce028b45603d3f0ca255a91f0365c1acf796c69
-
aicustact.dll
- Size
- 90KiB (91800 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/75
- Runtime Process
- e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- MD5
- f0498d26ba9738e1e5ff2c131104b58b
- SHA1
- 2aa1d88d602b5ce0239ce8c178927a024b25c670
- SHA256
- 688aae652cbeecc28705065c0c8d1e6cf6b5f3ee1c657d4dbe2d9320c9a8c445
aipackagechainer.exe
- Size
- 276KiB (282880 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/68
- Runtime Process
- e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- MD5
- 871ca3876de72177f9b6bca16c67e2ed
- SHA1
- b572d6a187e8e0d621940441bed1c8814e7bc8bd
- SHA256
- 4c511180f3afdd9998fa9d8d5f75131fc48d3291aa248f670b83e77f856999bb
aischeduler.dll
- Size
- 99KiB (101528 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/67
- Runtime Process
- e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- MD5
- fcedcaa8e5b481a7c7183315acb30e66
- SHA1
- 5b65424aea0e1b24bc0515bf32a6adb58dfcd8bd
- SHA256
- e72e9825fa46ff28d9f427bbd6fd4a90ea35c155eefac566121e41c166344d5f
aischeduler2.dll
- Size
- 132KiB (135320 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/66
- Runtime Process
- e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- MD5
- 1f6b63b88c7020f5bbc853c91e7609d8
- SHA1
- 55ba7a540a7c2ae9742494093fb0c62002e4375f
- SHA256
- 86a407e09e24d055617167cffc54f366476b0e91ca917778cc71245d33d9f512
exit.vbs
- Size
- 157B (157 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- AV Scan Result
- 0/56
- Runtime Process
- e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- MD5
- 8d69e8975bf64b043cc43fdd8dd433fe
- SHA1
- 6af65f4e77679ffe81878d13261ba3acd047d7c8
- SHA256
- 55a02f243c795a6913645bcf1a258def4a32d99cfacb3d287742fb4321097f7b
lzmaextractor.dll
- Size
- 12KiB (12440 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/75
- Runtime Process
- e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- MD5
- 189cbb7ed899646fbec864ffe4029bae
- SHA1
- aa41f54178ad4350321a30b573233e8797435f77
- SHA256
- 33018f133fc084ddca76e6a3c63232e9688f8319e2390712499af1de06095826
tempFiles.dll
- Size
- 101KiB (103576 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/73
- Runtime Process
- e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- MD5
- f4cc1932d7d9993060e6e24186df8424
- SHA1
- 67361d71a45f63f498efdfeaee5eea54dae122a3
- SHA256
- 87816ac27379805d4e4da9f89cd2a0224c7030e2b405f105adea1556a7a559c5
viewer.exe
- Size
- 13KiB (12952 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/73
- Runtime Process
- e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- MD5
- 7a5794f82039a76e0162741e5fca875b
- SHA1
- b63435f019f082dcc9dfa9e832ffc88b031aa0e5
- SHA256
- fc75cfa84c2ec07e1435e3705ffac719e0fa37c3b6f02ef71cd919d46ebb4cb9
MSI371D.tmp
- Size
- 294KiB (300696 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/75
- Runtime Process
- e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- MD5
- deb6a165749b73a6bb023b1ee8bcc4dc
- SHA1
- a0fa253b99be211e5c1112ef0f7fe79ab265ada1
- SHA256
- 5062fcce45aed7be8ba57eda5ff76aaa3ffc03761cf2a8210c096608e2bf7a27
MSI5287.tmp
- Size
- 90KiB (91800 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/75
- Runtime Process
- e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- MD5
- f0498d26ba9738e1e5ff2c131104b58b
- SHA1
- 2aa1d88d602b5ce0239ce8c178927a024b25c670
- SHA256
- 688aae652cbeecc28705065c0c8d1e6cf6b5f3ee1c657d4dbe2d9320c9a8c445
MSI53F1.tmp
- Size
- 90KiB (91800 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/75
- Runtime Process
- e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- MD5
- f0498d26ba9738e1e5ff2c131104b58b
- SHA1
- 2aa1d88d602b5ce0239ce8c178927a024b25c670
- SHA256
- 688aae652cbeecc28705065c0c8d1e6cf6b5f3ee1c657d4dbe2d9320c9a8c445
MSID9A9.tmp
- Size
- 90KiB (91800 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/75
- Runtime Process
- e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- MD5
- f0498d26ba9738e1e5ff2c131104b58b
- SHA1
- 2aa1d88d602b5ce0239ce8c178927a024b25c670
- SHA256
- 688aae652cbeecc28705065c0c8d1e6cf6b5f3ee1c657d4dbe2d9320c9a8c445
Informative Selection 2
EXE3970.tmp.bat
- Size
- 416B (416 bytes)
- Type
- text
- Description
- DOS batch file, ASCII text, with CRLF line terminators
- Runtime Process
- e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- MD5
- c6cf3aba97a0ed24d7aa1fb8a0bd4b72
- SHA1
- 013aa4b1483eb130cf68c2e34fd3135c1b0e400b
- SHA256
- 245fb02dc8f57bc327a5e772f9794997134a8faab546dbf5d6545cc3e122222a
EXE3B74.tmp.bat
- Size
- 416B (416 bytes)
- Type
- text
- Description
- DOS batch file, ASCII text, with CRLF line terminators
- Runtime Process
- cmd.exe (PID: 2596)
- MD5
- 85b27df6b80066933c9b3e71860763e1
- SHA1
- 1222868ae74e8401a5af4ff37f7a6d81b98d03e4
- SHA256
- c8b936c8693388844866412bb123ff9b1f6bd8cd04bb1461bd308dab985dd36e
Informative 8
42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5
- Size
- 434B (434 bytes)
- Runtime Process
- e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- MD5
- f1ea0df0defcd65c35b0345cf4e7276b
- SHA1
- bf2663698afa37cc23adf37482222b5a74174584
- SHA256
- b56410d2cbed6ce2e4cb9f2ad596f3451f6ceb7a4ddd8d7fe670f2a6a0ec0864
57C8EDB95DF3F0AD4EE2DC2B8CFD4157
- Size
- 340B (340 bytes)
- Runtime Process
- e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- MD5
- 11004a27073d411f136bf9fe917a5b80
- SHA1
- a10fe18eb78befac76964265a74bf61e7ef924f7
- SHA256
- bad2fe2fe738aeffa76abd2ba95a624dbd133f55cee757c4d1822e7308b1f270
66AE3BFDF94A732B262342AD2154B86E_BD4E0949A1552BCAC7484CEDB8B79F2D
- Size
- 471B (471 bytes)
- Runtime Process
- e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- MD5
- f9752684dfed2928cb1662c9d7c7ac7a
- SHA1
- 66a6945c68d17101b0e88441ed2e5f269f99e905
- SHA256
- 9273ce04863ed1c53065b891065149adbeea6935160b8320ebf0715af410eebe
New
- Size
- 318B (318 bytes)
- Runtime Process
- e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- MD5
- c23cbf002d82192481b61ed7ec0890f4
- SHA1
- dd373901c73760ca36907ff04691f5504ff00abe
- SHA256
- 4f92e804a11453382ebff7fb0958879bae88fe3366306911dec9d811cd306eed
Up
- Size
- 318B (318 bytes)
- Runtime Process
- e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- MD5
- 83730ac00391fb0f02f56fe2e4207a10
- SHA1
- 139fed8f0216132450e66bda0fbbdc2a5bd333af
- SHA256
- 573e3260eed63604f24f6f10ce5294e25e22fda9e5bfd9010134de6e684bab98
VIPM2017WelcomeScreen.jpg
- Size
- 11KiB (10799 bytes)
- Runtime Process
- e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- MD5
- a035545f7761f32c6155895033d35a6c
- SHA1
- 48cefd546bf7b28a52a2b7e9cb0f5a829d24ea76
- SHA256
- 83efa83e4546f7a5f73e44c0bf8bea5bfcbdfcf7e0f466cd239761608328d88f
VIPM2017installbanner.jpg
- Size
- 2.4KiB (2438 bytes)
- Runtime Process
- e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- MD5
- b1ecfe3f791f9f582a728c91d390972c
- SHA1
- a0b9d39a6b72a996055f320571ea94087ada2841
- SHA256
- ab5ec5c9037d6245eb522c2961204334fa3321f3bf882cd010f1b3e15067ad11
banner
- Size
- 3.9KiB (4033 bytes)
- Runtime Process
- e1e0c8c79820212fbda813ec6d29d483634dadb6294f7d978a2691b7bc62030f.exe (PID: 1148)
- MD5
- c6b57f973a3273cb37a77c11b1aa498f
- SHA1
- 6af839d76eca45aeeafdbb47a54b73c1a960e105
- SHA256
- 4503e6a9fa0484ab39cee9bdf0aad9a9186658f5d74727e96dd33f7cfa64c8ef
Notifications
Runtime
- Although all strings were processed, some are hidden from the report in order to reduce the overall size
- Extracted file "EXE3B74.tmp.bat" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/c8b936c8693388844866412bb123ff9b1f6bd8cd04bb1461bd308dab985dd36e/analysis/1517434499/")
- No static analysis parsing on sample was performed
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-12" are available in the report
- Not all sources for indicator ID "api-31" are available in the report
- Not all sources for indicator ID "api-4" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-6" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "registry-17" are available in the report
- Not all sources for indicator ID "registry-18" are available in the report
- Not all sources for indicator ID "registry-19" are available in the report
- Not all sources for indicator ID "string-63" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report
- Static report size exceeded maximum capacity and may have missing stream data