fraps.exe
This report is generated from a file or URL submitted to this webservice on February 22nd 2016 12:18:02 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v3.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Spyware/Leak: contains ability to open the clipboard; contains ability to retrieve keyboard strokes
- Fingerprint: reads the active computer name
Indicators
Not all malicious and suspicious indicators are shown in this public report.
Malicious Indicators 8
Anti-Detection/Stealthiness
Creates a resource fork (ADS) file (often used to hide data)
- details
- "<Input Sample>" created file "SCSI0:"
- "<Input Sample>" created file "C:"
- source
- API Call
- relevance
- 8/10
- Neither object is an alternate data stream: "SCSI0:" is a device name and "C:" is a drive root. The rule keys on the colon in the object name, so this is a false positive; a genuine ADS write names a file followed by a stream, for example "setup.exe:Zone.Identifier".
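As an added example (my code, not part of the Hybrid Analysis report or of Fraps), here is the kind of object-name classifier a detection engineer would put in front of an ADS rule so that device names and drive roots stop firing it. The two "created file" events are taken from this report; the Zone.Identifier event and the function names are constructed for the example.

```python
import re

# Drive root with or without a trailing backslash: "C:" or "C:\"
DRIVE_ROOT = re.compile(r'^[A-Za-z]:\\?$')
# Bare device name as seen in this report: "SCSI0:", also "COM1:", "LPT1:"
DEVICE_NAME = re.compile(r'^[A-Za-z0-9]+:$')
# ":stream" or ":stream:$TYPE" at the end of a name; stream names cannot contain : \ /
STREAM_SUFFIX = re.compile(r':(?P<stream>[^:\\/]+)(?::(?P<type>\$[A-Za-z_]+))?$')


def classify_colon_name(name):
    """Classify a Win32 object name that contains a colon.

    Returns 'drive', 'device', 'ads' or 'plain'.  Only 'ads' is a real
    alternate data stream reference (file name followed by ':stream').
    """
    if DRIVE_ROOT.match(name):
        return 'drive'
    if DEVICE_NAME.match(name):
        return 'device'
    # Strip a leading "X:" drive spec so its colon is not mistaken for a stream separator
    body = name[2:] if re.match(r'^[A-Za-z]:', name) else name
    m = STREAM_SUFFIX.search(body)
    if m and m.start() > 0:   # something precedes the colon, i.e. a file name
        return 'ads'
    return 'plain'


def ads_events(log_lines):
    """Return only the file-creation events that reference a real ADS.

    log_lines are report-style strings such as
    '"<Input Sample>" created file "SCSI0:"'.
    """
    hits = []
    for line in log_lines:
        m = re.search(r'created file "([^"]+)"', line)
        if m and classify_colon_name(m.group(1)) == 'ads':
            hits.append(m.group(1))
    return hits


# Constructed sample: the two events from this report plus one genuine ADS write
SAMPLE_EVENTS = [
    '"<Input Sample>" created file "SCSI0:"',
    '"<Input Sample>" created file "C:"',
    '"<Input Sample>" created file "C:\\Users\\victim\\Downloads\\setup.exe:Zone.Identifier"',
]

if __name__ == '__main__':
    for ev in SAMPLE_EVENTS:
        name = re.search(r'created file "([^"]+)"', ev).group(1)
        print(f'{name!r:60} -> {classify_colon_name(name)}')
    print('real ADS writes:', ads_events(SAMPLE_EVENTS))
```

Run against the report's two events the function returns 'device' and 'drive', and only the constructed Zone.Identifier write survives the filter. The explicit device and drive checks come first on purpose: a rule that merely looks for ":" anywhere in the name is exactly what produced this 8/10 false positive.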
Environment Awareness
Reads the system/video BIOS version
- details
- "<Input Sample>" (Path: "HKLM\HARDWARE\DESCRIPTION\SYSTEM", Key: "SYSTEMBIOSVERSION")
- source
- Registry Access
- relevance
- 9/10
Installation/Persistence
Allocates virtual memory in foreign process
- details
- "<Input Sample>" allocated memory in "C:\Fraps\fraps.exe"
- source
- API Call
- relevance
- 7/10
- The "foreign" process is the Fraps binary the installer has just dropped and launched (PID 3376 in the rest of this report). CreateProcess itself allocates and writes the new process's startup parameters into the child's address space, so this rule fires for any parent that starts a child; it is not injection into an unrelated process.
Writes a PE file header to disk
- details
"<Input Sample>" wrote 6144 bytes starting with PE header signature to file "%TEMP%\nsmD672.tmp\AdvSplash.dll": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"<Input Sample>" wrote 7168 bytes starting with PE header signature to file "%TEMP%\nsmD672.tmp\StartMenu.dll": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"<Input Sample>" wrote 16384 bytes starting with PE header signature to file "C:\Fraps\fraps.exe": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"<Input Sample>" wrote 16384 bytes starting with PE header signature to file "C:\Fraps\fraps.dll": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"<Input Sample>" wrote 16384 bytes starting with PE header signature to file "C:\Fraps\fraps64.dll": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"<Input Sample>" wrote 16384 bytes starting with PE header signature to file "C:\Fraps\frapslcd.dll": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"<Input Sample>" wrote 16384 bytes starting with PE header signature to file "C:\Fraps\fraps64.dat": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"<Input Sample>" wrote 16384 bytes starting with PE header signature to file "%WINDIR%\System32\frapsvid.dll": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"<Input Sample>" wrote 10240 bytes starting with PE header signature to file "%TEMP%\nsmD672.tmp\System.dll": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
"<Input Sample>" wrote 33280 bytes starting with PE header signature to file "C:\Fraps\uninstall.exe": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ... - source
- API Call
- relevance
- 1/10
Unusual Characteristics
Checks for a resource fork (ADS) file
- details
- "<Input Sample>" checked file "SCSI0:"
- "<Input Sample>" checked file "C:"
- source
- API Call
- relevance
- 5/10
- False positive: "SCSI0:" is a device name and "C:" is a drive root, and the rule keys on the colon in the object name; neither is an alternate data stream.
Contains ability to reboot/shutdown the operating system
- details
- ExitWindowsEx@USER32.DLL from fraps.exe (PID: 2380), 3 occurrences
- source
- StaticStream (Disassembly)
- relevance
- 5/10
- PID 2380 is the installer process (its memory holds the NSIS error URL, see Memory Forensics), and NSIS installers import ExitWindowsEx for their optional reboot-on-finish prompt.
Entrypoint in PE header is within an uncommon section
- details
- "fraps.exe" has an entrypoint in section ".text1"
- source
- Static Parser
- relevance
- 5/10
- An entry point outside .text is typical of packed or protected builds, which commercial software often is; on its own it is a weak signal.
1 further malicious indicator is hidden in this public report.
Suspicious Indicators 31
Anti-Detection/Stealthiness
Sets the process error mode to suppress error box
- details
- "<Input Sample>" set its error mode to SEM_NOOPENFILEERRORBOX
- source
- API Call
- relevance
- 8/10
Anti-Reverse Engineering
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
- SetUnhandledExceptionFilter@KERNEL32.DLL from fraps.exe (PID: 3376), 6 occurrences
- SetUnhandledExceptionFilter@KERNEL32.dll at 1355-1214-635815B3
- SetUnhandledExceptionFilter@KERNEL32.dll at 5439-144-0000000140007DD0
- SetUnhandledExceptionFilter@KERNEL32.dll at 5439-134-0000000140018390
- SetUnhandledExceptionFilter@KERNEL32.dll at 5439-104-0000000140008F20
- SetUnhandledExceptionFilter@KERNEL32.dll at 5439-118-0000000140008E80
- SetUnhandledExceptionFilter@KERNEL32.dll at 5439-227-000000014000CF50
- SetUnhandledExceptionFilter@KERNEL32.dll at 11456-237-63577F50
- SetUnhandledExceptionFilter@KERNEL32.dll at 13567-1957-0046CD4C
- source
- StaticStream (Disassembly)
- relevance
- 1/10
- The MSVC runtime's startup code registers a top-level filter through SetUnhandledExceptionFilter in every C/C++ binary it links, so the import alone is not evidence of anti-debugging; the 1/10 relevance is appropriate.
PE file has unusual entropy sections
- details
- .pdata with unusual entropies 7.99398843061
- source
- Static Parser
- relevance
- 10/10
- Entropy is measured in bits per byte, so 7.99 is close to the 8.0 maximum. .pdata normally holds the x64 exception table (RUNTIME_FUNCTION entries), which is highly structured and low-entropy; a near-random .pdata means the section's contents were compressed or encrypted, consistent with a packed 64-bit component (the 5439-* streams in this report belong to fraps64.dat).
Environment Awareness
Contains ability to query the machine version
- details
- GetVersion@KERNEL32.DLL from fraps.exe (PID: 2380), 3 occurrences
- GetVersionExA@KERNEL32.DLL from fraps.exe (PID: 3376), 8 occurrences
- GetVersionExA@KERNEL32.dll at 5439-279-0000000140001670
- GetVersionExA@KERNEL32.dll at 13567-1-004674C2
- GetVersionExA@KERNEL32.dll at 13567-1002-004511D0
- source
- StaticStream (Disassembly)
- relevance
- 1/10
Makes a branch decision directly after calling an API that is environment aware
- details
-
Found API call GetVersionExA@KERNEL32.DLL (Target: "fraps.exe", Stream UID: "00019186-00003376-48982-100-00453410")
which is directly followed by "cmp dword ptr [ebp-00000750h], 02h" and "je 004539B7h". See related instructions: "...
+1302 mov byte ptr [ebp-000006C1h], 01h
+1309 mov dword ptr [ebp-00000760h], 00000094h
+1319 lea edx, dword ptr [ebp-00000760h]
+1325 push edx
+1326 call dword ptr [0048F1A8h] ;GetVersionExA
+1332 cmp dword ptr [ebp-00000750h], 02h
+1339 je 004539B7h" ... from fraps.exe (PID: 3376) (Show Stream)
Found API call GetVersionExA@KERNEL32.DLL (Target: "fraps.exe", Stream UID: "00019186-00003376-48982-267-004511D0")
which is directly followed by "cmp dword ptr [ebp-00000090h], 02h" and "xor ecx, ebp". See related instructions: "...
+30 mov dword ptr [ebp-000000A0h], 00000094h
+40 lea ecx, dword ptr [ebp-000000A0h]
+46 push ecx
+47 call dword ptr [0048F1A8h] ;GetVersionExA
+53 xor edx, edx
+55 cmp dword ptr [ebp-00000090h], 02h
+62 sete dl
+65 mov byte ptr [00495858h], dl
+71 mov byte ptr [00495859h], 01h
+78 mov al, byte ptr [00495858h]
+83 mov ecx, dword ptr [ebp-04h]
+86 xor ecx, ebp" ... from PID 00003376
Found API call GetVersionExA@KERNEL32.DLL (Target: "fraps.exe", Stream UID: "00019186-00003376-57656-100-00453410")
which is directly followed by "cmp dword ptr [ebp-00000750h], 02h" and "je 004539B7h". See related instructions: "...
+1302 mov byte ptr [ebp-000006C1h], 01h
+1309 mov dword ptr [ebp-00000760h], 00000094h
+1319 lea edx, dword ptr [ebp-00000760h]
+1325 push edx
+1326 call dword ptr [0048F1A8h] ;GetVersionExA
+1332 cmp dword ptr [ebp-00000750h], 02h
+1339 je 004539B7h" ... from fraps.exe (PID: 3376) (Show Stream)
Found API call GetVersionExA@KERNEL32.DLL (Target: "fraps.exe", Stream UID: "00019186-00003376-57656-267-004511D0")
which is directly followed by "cmp dword ptr [ebp-00000090h], 02h" and "xor ecx, ebp". See related instructions: "...
+30 mov dword ptr [ebp-000000A0h], 00000094h
+40 lea ecx, dword ptr [ebp-000000A0h]
+46 push ecx
+47 call dword ptr [0048F1A8h] ;GetVersionExA
+53 xor edx, edx
+55 cmp dword ptr [ebp-00000090h], 02h
+62 sete dl
+65 mov byte ptr [00495858h], dl
+71 mov byte ptr [00495859h], 01h
+78 mov al, byte ptr [00495858h]
+83 mov ecx, dword ptr [ebp-04h]
+86 xor ecx, ebp" ... from PID 00003376
Found API call GetVersionExA@KERNEL32.dll (Target: "fraps64.dat.137699308", Stream UID: "5439-279-0000000140001670")
which is directly followed by "cmp dword ptr [rsp+00000080h], 02h" and "jne 0000000140001936h". See related instructions: "...
+644 lea rcx, qword ptr [rsp+70h]
+645 lea ecx, dword ptr [rsp+70h]
+649 mov qword ptr [rsp+00000330h], rdi
+650 mov dword ptr [rsp+00000330h], edi
+657 mov dword ptr [rsp+70h], 00000094h
+665 call qword ptr [000000014001A1E0h] ;GetVersionExA
+671 cmp dword ptr [rsp+00000080h], 02h
+679 mov dword ptr [0000000140022E88h], r13d
+680 mov dword ptr [0000000140022E88h], ebp
+686 mov ebx, 00000001h
+691 jne 0000000140001936h" ... at 5439-279-0000000140001670
Found API call GetVersionExA@KERNEL32.dll (Target: "fraps.exe.1067796882", Stream UID: "13567-1002-004511D0")
which is directly followed by "cmp dword ptr [ebp-00000090h], 02h" and "xor ecx, ebp". See related instructions: "...
+30 mov dword ptr [ebp-000000A0h], 00000094h
+40 lea ecx, dword ptr [ebp-000000A0h]
+46 push ecx
+47 call dword ptr [0048F1A8h] ;GetVersionExA
+53 xor edx, edx
+55 cmp dword ptr [ebp-00000090h], 02h
+62 sete dl
+65 mov byte ptr [00495858h], dl
+71 mov byte ptr [00495859h], 01h
+78 mov al, byte ptr [00495858h]
+83 mov ecx, dword ptr [ebp-04h]
+86 xor ecx, ebp" ... at 13567-1002-004511D0 - source
- StaticStream (Disassembly)
- relevance
- 10/10
- Decoding the branch: the value 0x94 (148) stored just before each call is sizeof(OSVERSIONINFOA), so the stack slot it is written to is the structure passed to GetVersionExA. Every cmp reads that slot plus 0x10 (ebp-0x750 against a base of ebp-0x760, ebp-0x90 against ebp-0xA0, rsp+0x80 against rsp+0x70), which is OSVERSIONINFOA.dwPlatformId, and compares it with 2, VER_PLATFORM_WIN32_NT. The second x86 stream even stores the result as a boolean (sete dl; mov byte ptr [00495858h], dl). This is the classic "is this NT rather than Win9x" runtime check, not sandbox detection, and the 10/10 relevance overstates it.
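To make that decode mechanical, here is an added example (mine, not from the report or from Fraps) that walks a disassembly stream of the kind shown above, finds the OSVERSIONINFO structure by the size constant stored into it, and names the field that the following cmp tests. The two input snippets are copied from the streams above; the function and table names are my own.

```python
import re

# winnt.h layout of OSVERSIONINFO, offsets in bytes from the start of the structure
OSVERSIONINFO_FIELDS = {
    0x00: 'dwOSVersionInfoSize',
    0x04: 'dwMajorVersion',
    0x08: 'dwMinorVersion',
    0x0C: 'dwBuildNumber',
    0x10: 'dwPlatformId',
    0x14: 'szCSDVersion',
}
# sizeof() values that code stores into dwOSVersionInfoSize before calling GetVersionEx
STRUCT_BY_SIZE = {0x94: 'OSVERSIONINFOA', 0x9C: 'OSVERSIONINFOEXA',
                  0x114: 'OSVERSIONINFOW', 0x11C: 'OSVERSIONINFOEXW'}
PLATFORM_IDS = {0: 'VER_PLATFORM_WIN32s', 1: 'VER_PLATFORM_WIN32_WINDOWS',
                2: 'VER_PLATFORM_WIN32_NT'}

MEM_OPERAND = re.compile(r'\[(?P<base>[a-z0-9]+)(?P<sign>[+-])(?P<disp>[0-9A-Fa-f]+)h\]')
IMMEDIATE = re.compile(r',\s*(?P<imm>[0-9A-Fa-f]{2,})h\s*$')


def _mem(text):
    """Return (base register, signed displacement) for a [reg+disp]/[reg-disp] operand, or None."""
    m = MEM_OPERAND.search(text)
    if not m:
        return None
    disp = int(m.group('disp'), 16)
    return m.group('base'), disp if m.group('sign') == '+' else -disp


def decode_getversionex_check(lines):
    """Explain the compare that follows a GetVersionEx call in a disassembly stream.

    Strategy: the 'mov dword ptr [slot], sizeof(OSVERSIONINFO*)' before the call
    marks the structure's base slot; the first 'cmp dword ptr [slot+N], imm'
    after the call is then a test of the field at offset N.
    """
    struct_base, struct_name, after_call = None, None, False
    for raw in lines:
        text = re.sub(r'^\s*\+\d+\s+', '', raw.strip())   # drop the "+offset" column
        if not after_call and text.startswith('mov dword ptr'):
            mem, imm = _mem(text), IMMEDIATE.search(text)
            if mem and imm and int(imm.group('imm'), 16) in STRUCT_BY_SIZE:
                struct_base = mem
                struct_name = STRUCT_BY_SIZE[int(imm.group('imm'), 16)]
        elif ';GetVersionEx' in text:
            after_call = True
        elif after_call and struct_base and text.startswith('cmp dword ptr'):
            mem, imm = _mem(text), IMMEDIATE.search(text)
            if mem and imm and mem[0] == struct_base[0]:
                offset = mem[1] - struct_base[1]
                value = int(imm.group('imm'), 16)
                field = OSVERSIONINFO_FIELDS.get(offset, f'+0x{offset:X}')
                meaning = PLATFORM_IDS.get(value) if field == 'dwPlatformId' else None
                return {'struct': struct_name, 'field': field, 'value': value, 'meaning': meaning}
    return None


# Copied from the report's x86 stream 00019186-00003376-48982-100-00453410
X86_STREAM = """
+1302 mov byte ptr [ebp-000006C1h], 01h
+1309 mov dword ptr [ebp-00000760h], 00000094h
+1319 lea edx, dword ptr [ebp-00000760h]
+1325 push edx
+1326 call dword ptr [0048F1A8h] ;GetVersionExA
+1332 cmp dword ptr [ebp-00000750h], 02h
+1339 je 004539B7h
""".strip().splitlines()

# Copied from the report's x64 stream 5439-279-0000000140001670
X64_STREAM = """
+657 mov dword ptr [rsp+70h], 00000094h
+665 call qword ptr [000000014001A1E0h] ;GetVersionExA
+671 cmp dword ptr [rsp+00000080h], 02h
+691 jne 0000000140001936h
""".strip().splitlines()

if __name__ == '__main__':
    for name, stream in (('x86', X86_STREAM), ('x64', X64_STREAM)):
        print(name, decode_getversionex_check(stream))
```

Both streams decode to a test of dwPlatformId against VER_PLATFORM_WIN32_NT. The same offset arithmetic works for any structure whose size is written into its first field before the call, which is the usual pattern for the Ex-style Win32 APIs.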
Possibly tries to detect the presence of a debugger
- details
- GetProcessHeap@KERNEL32.dll at 5439-202-0000000140016CB0
- source
- StaticStream (Disassembly)
- relevance
- 1/10
- GetProcessHeap is only a building block of the heap-flags anti-debug check (reading Flags/ForceFlags from the returned heap); the import by itself, present in every CRT-linked binary, proves nothing.
Possibly tries to implement anti-virtualization techniques
- details
- The "qemu" and "vbox" matches below all sit inside long runs of non-text bytes (most likely the compressed installer payload), where four-letter substrings occur by chance. This is not evidence of a VM check, and the 4/10 relevance is generous.
"\MQUEPMQUB0Pc.MA0}s3)UB$-9EvMQ$UE+EMMUREPMQ0R\EMHdUEBTMQ03MA@UER@HPEH03A3M#QLEP@EMMU9UwpEMP@IPEH0E3\3M#QLEP@MQ@EH<3fQEMU#Q,EH8fEfQMQ@EH<fEfQ|}tE3[]UQ}tExtMy tUz$u" (Indicator: "qemu")
"SMQUExt#M9uUzuExu}tMHQExuMHQEMUB EMUQ Ex*MQ(UEH|M}vEUEEMydtU UE3+MMUBqEPMQDUzdt/EH0QUR%EH0QURE@0Myt(UR=ExuMA 3-Uzu$E;E}tMHQExuMytUHBsMyu#Uzlu}ExMQUREH|kx$IE}t}u" (Indicator: "qemu")
"}u3ExluzMylrtUER@HPEHdE@03\3M#QLEP@MQ@EH<3fQEMUAd#B,MQ8fMfBUB@MQ<MfIdfB}t;UBd+EMQ$;w"EtMQURUMAXUzXzEHXMUEJd+HhfMUMfMfBUMMUMfUffUE%301IUffM301IMfU}E%30/IMU300IEMUffMUfEU39EMUAl+BXMAlUEJX;HxUzlEHXUJXEHdUJdEMP@IPEHdE@03\3M#QLEP@MQ@EH<3fQEMUAd#B
MQ8fMfBUB@MQ<MfIdfBUBXMAXUzXaEHdUJdaEHdUJXEHdMAXUB0MQd3UJ@EMP@IPEHdE@03\3M#QLEP@MQ0EHd" (Indicator: "qemu"), "}u3Exlu]MylrtUER@HPEHdE@03\3M#QLEP@MQ@EH<3fQEMUAd#B
MQ8fMfBUB@MQ<MfIdfBUEHXJpUEHhJ\UBX}EMPp;QxsvEHd+MUB$-;w^MtUREPMAXUzXw3EtMyXuUEJd+Hhv" (Indicator: "qemu"), "UEHpMUBdM+A\fEUMfMfBUMMUMfUffUE%301IUffM301IMfU}E%30/IMU300IEMUffMUfEU39EMQpEHl+UJlEHpUJpEHdUJdEHd;MwtUER@HPEHdE@03\3M#QLEP@MQ@EH<3fQEMUAd#B
MQ8fMfBUB@MQ<MfIdfBUBpMApUzpVE@`MAXUBdMAd}tlUzT|EH0UJTMEjEMPd+QTREPMQUEHdJTUP4Mzu3hEx`3MQdEH0TUEUfHMEE" (Indicator: "qemu"), "M9A}}tE[UEB MUQEMHUE+MQEPMUEMH4UREPMQ#UUE3MEEMMUUVEMQ3IUREHUJEEMMUzs+EH3IEHUBMAUBEPMQ$REPMQUBPE}MM}u UBPMQ(REP$MUEB MUQEMHUE+MQEPMUEMH4UREPMQ@"IUBEMQUEME9PhMQUE;E}tE[MUQ EMHUEBMU+EHUJEMUEB4MQUREP!MMU3MMMUUEEVMU#pIEHUE3HMUBE}s:UMUE+EEMQEHEMQEPC}uEMMUUE$EMM9M}tE[UEB MUQEMHUE+MQEPMUEMH4UREPMQ9 BUUE3MEEMMUUQEMEM+MMUE#pIMMUMUE+EEMQUEHMUUEM;w}}MQREH(QUR$EMA$HEUEB MUQEMHUE+MQEPMUEMH4UREPMQ}uUBMTUEEEMQEMUUEE}uMUQmE@EEMQUEPMQ$REPMQUREPMQREPMQv$E}}u UBPMQ(REP$MUUEMH UEBMUQEM+UBMAUEMUQ4EPMQUREPMQUREPMQE}ubEUEB MUQEMHUE+MQEPMUEMH4UREPMQ#UEBMQREH(QUR$EMUQ EMHUEBMU+EHUJEMUEB4MQUREPE}tMQUREPyEMQUBPMUEHMUB EMQUEH4MUE;B0sMQ0+UUEH,+MMUUExuMUEMH4UREPMQEUB4EMU;Q0sEH0+MMUB,+EEMMUEJ0;H4t[UEB MUQEMHUE+MQEPMUEMH4UREPMQ%.UEEMH UEBMUQEM+UBMAUEMUQ4EPMQUREEMH UEBMUQEM+UBMAUEMUQ4EPMQURXdEEMH UEBMUQEM+UBMAUEMUQ4EPMQUR]FsFF[FjF{F!F"F#F#FFFFFUjEPMQUB(PMQ(REP$MQ$REH(QUR$EPMQ(REP$3]UEPMQUB(P!$MQ(UEP4MUB4A0]UE38]UQjjEH(QUR E}t-EMUQEMHUEBMUQE]UTEHMUEMQUEH MUBEMQ4UEM;H0sUB0+EEMQ,+UUEEUE}<M$!3F}}" (Indicator: "qemu")
"'<$f>=$?POY@~>)kF?W;??%cO5M2LVXxylM,!nvNq}N\cQ-&Yh_La>0F%%3<rnpzx6R*ANVBOxp1B{(Jdfxftb^o0vwdvI?OH[L2#kNS>2.~8FfKW0=`1s|WN.LpFgeyR<~K" (Indicator: "vbox") - source
- String
- relevance
- 4/10
General
Reads configuration files
- details
- "<Input Sample>" read file "%APPDATA%\Microsoft\Windows\Start Menu\desktop.ini"
- "<Input Sample>" read file "%APPDATA%\Microsoft\Windows\Start Menu\Programs\desktop.ini"
- source
- API Call
- relevance
- 4/10
Installation/Persistence
Creates/touches files in windows directory
- details
- "<Input Sample>" created file "C:\Windows\Globalization\Sorting\sortdefault.nls"
- "<Input Sample>" created file "%APPDATA%\Microsoft\Windows\Start Menu"
- "<Input Sample>" created file "C:\Windows\system32"
- "<Input Sample>" created file "C:\Windows\system32\frapsvid.dll"
- "<Input Sample>" created file "%APPDATA%\Microsoft\Windows\Start Menu\Programs"
- "<Input Sample>" created file "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs" - source
- API Call
- relevance
- 7/10
- The only real file written here is C:\Windows\system32\frapsvid.dll (listed as a new 80KiB DLL under Extracted Files); the other entries are directories opened or created while building the Start Menu shortcuts.
Drops executable files
- details
- "fraps64.dat.137699308" has type "PE32+ executable (GUI) x86-64, for MS Windows"
- "fraps64.dll.196419592" has type "PE32+ executable (DLL) (GUI) x86-64, for MS Windows"
- "frapsvid.dll.929935688" has type "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows"
- "fraps.dll.979716456" has type "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows"
- "fraps.exe.1067796882" has type "PE32 executable (GUI) Intel 80386, for MS Windows"
- "StartMenu.dll.1282673192" has type "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows"
- "System.dll.1471584872" has type "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows"
- "AdvSplash.dll.1618021064" has type "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows"
- "frapslcd.dll.1640655560" has type "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows"
- "uninstall.exe.2174139314" has type "PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive"
- source
- Dropped File
- relevance
- 10/10
- Note the extension mismatch: fraps64.dat is a 64-bit executable, not a data file. AdvSplash.dll, StartMenu.dll and System.dll are standard NSIS plugins unpacked to %TEMP%; the rest are the product's own components.
Spyware/Information Retrieval
Contains ability to open the clipboard
- details
- OpenClipboard@USER32.DLL from fraps.exe (PID: 2380), 3 occurrences
- source
- StaticStream (Disassembly)
- relevance
- 10/10
Contains ability to retrieve keyboard strokes
- details
- GetAsyncKeyState@USER32.DLL from fraps.exe (PID: 3376), 4 occurrences
- GetAsyncKeyState@USER32.dll at 5439-102-0000000140019320
- GetAsyncKeyState@USER32.dll at 13567-1688-00454687
- source
- StaticStream (Disassembly)
- relevance
- 8/10
- Both imports are expected for this software. Fraps is a screen-capture and frame-rate tool driven by global hotkeys, so the installed fraps.exe (PID 3376) polls GetAsyncKeyState to see whether a hotkey is held. OpenClipboard appears only in the installer process (PID 2380), and clipboard access is a weak leak indicator without a matching file or network write, neither of which appears anywhere in this report.
System Destruction
Marks file for deletion
- details
- "C:\fraps.exe" marked "%TEMP%\nslD279.tmp" for deletion
- "C:\fraps.exe" marked "%TEMP%\nsmD672.tmp" for deletion
- "C:\fraps.exe" marked "%TEMP%\beepa.bmp" for deletion
- "C:\fraps.exe" marked "%TEMP%\nsmD672.tmp\AdvSplash.dll" for deletion
- "C:\fraps.exe" marked "%TEMP%\nsmD672.tmp\StartMenu.dll" for deletion
- "C:\fraps.exe" marked "%TEMP%\nsmD672.tmp\System.dll" for deletion
- source
- API Call
- relevance
- 10/10
Opens file with deletion access rights
- details
- "<Input Sample>" opened "%TEMP%\nslD279.tmp" with delete access
- "<Input Sample>" opened "%TEMP%\nsmD672.tmp" with delete access
- "<Input Sample>" opened "%TEMP%\beepa.bmp" with delete access
- "<Input Sample>" opened "%TEMP%\nsmD672.tmp\AdvSplash.dll" with delete access
- "<Input Sample>" opened "%TEMP%\nsmD672.tmp\StartMenu.dll" with delete access
- "<Input Sample>" opened "%TEMP%\nsmD672.tmp\System.dll" with delete access
- "<Input Sample>" opened "%TEMP%\nsmD672.tmp\" with delete access
- source
- API Call
- relevance
- 7/10
- Every path here is under %TEMP%: the NSIS plugin directory nsmD672.tmp with the three plugin DLLs, the installer's splash bitmap beepa.bmp and a scratch file. This is the installer removing its own unpacked helpers on exit, which NSIS does by default, not destruction of user data; the 10/10 relevance is an artefact of the rule rather than of the sample.
System Security
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "<Input Sample>" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
- The user-mode random number generator (RtlGenRandom, used by the CRT's rand_s and by CryptoAPI/CNG) obtains its seed through this device, so the handle is opened by a great many benign processes, including anything that verifies an Authenticode signature. On its own it carries none of the weight the 10/10 suggests.
Unusual Characteristics
CRC value set in PE header does not match actual value
- details
- "fraps64.dat" claimed CRC 0 while the actual is CRC 1112299
- "fraps64.dll" claimed CRC 166865 while the actual is CRC 1738654
- "frapsvid.dll" claimed CRC 110665 while the actual is CRC 166865
- "fraps.dll" claimed CRC 195325 while the actual is CRC 110665
- "fraps.exe" claimed CRC 1059719 while the actual is CRC 195325
- "frapslcd.dll" claimed CRC 215286 while the actual is CRC 64482
- "uninstall.exe" claimed CRC 1112299 while the actual is CRC 215286
- source
- Static Parser
- relevance
- 10/10
- The "CRC" here is IMAGE_OPTIONAL_HEADER.CheckSum, the 32-bit value computed by CheckSumMappedFile; many linkers leave it at 0, so "claimed 0" for fraps64.dat means unset, not wrong. Before reading the other rows as post-link tampering, note that the "actual" column is suspect: frapsvid.dll's actual (166865) is fraps64.dll's claimed value, fraps.dll's actual (110665) is frapsvid.dll's claimed value, fraps.exe's actual (195325) is fraps.dll's claimed value, uninstall.exe's actual (215286) is frapslcd.dll's claimed value, and fraps64.dat's actual (1112299) is uninstall.exe's claimed value. That is the signature of an off-by-one between two lists in the report generator, so recompute the checksums on the extracted files before relying on this 10/10 indicator.
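Because the report's own numbers look unreliable, an analyst would recompute the checksum independently. The following is an added example (my code, not Hybrid Analysis's or Fraps's) that implements the CheckSumMappedFile algorithm over a byte string and reports whether OptionalHeader.CheckSum is unset, matching or mismatching. It runs on a constructed minimal PE32 image so it works offline; on a real file, replace build_minimal_pe() with the file's bytes. build_minimal_pe, stamp_checksum and check_pe_checksum are my names, not Windows APIs.

```python
import struct


def checksum_field_offset(data):
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + 4 (signature) + 20 (COFF header) + 64."""
    if data[:2] != b'MZ':
        raise ValueError('not a PE file: missing MZ header')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('not a PE file: missing PE signature')
    offset = e_lfanew + 4 + 20 + 64
    if offset % 4:
        # This dword-based variant assumes a 4-byte aligned field, true for linker output
        raise ValueError('unaligned CheckSum field')
    return offset


def pe_checksum(data):
    """Compute the PE checksum the way CheckSumMappedFile does.

    Sum the file as little-endian 32-bit words with end-around carry, skipping
    the CheckSum field itself, fold the sum to 16 bits, then add the file length.
    """
    skip = checksum_field_offset(data)
    padded = data + b'\0' * (-len(data) % 4)          # pad a ragged tail with zeros
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from('<I', padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)  # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return total + len(data)


def read_claimed_checksum(data):
    return struct.unpack_from('<I', data, checksum_field_offset(data))[0]


def stamp_checksum(data):
    """Return a copy of data with a correct CheckSum field (what a linker or signtool does)."""
    out = bytearray(data)
    struct.pack_into('<I', out, checksum_field_offset(data), pe_checksum(data))
    return bytes(out)


def check_pe_checksum(data):
    """Return (claimed, actual, status); status is 'unset', 'match' or 'mismatch'."""
    claimed, actual = read_claimed_checksum(data), pe_checksum(data)
    if claimed == 0:
        status = 'unset'        # linker did not fill it in; common and not a tamper signal
    elif claimed == actual:
        status = 'match'
    else:
        status = 'mismatch'     # modified after linking, or a wrong value written
    return claimed, actual, status


def build_minimal_pe(checksum_field=0):
    """Constructed for this example: a 488-byte PE32 skeleton with one .text section."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: i386, 1 section, 224-byte optional header, EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into('<H', opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into('<I', opt, 64, checksum_field)       # CheckSum
    section = bytearray(40)
    section[:5] = b'.text'
    body = b'\x90' * 64 + b'\xC3' + b'\0' * 7             # nop sled + ret, padded to 4 bytes
    return bytes(dos) + b'PE\0\0' + coff + bytes(opt) + bytes(section) + body


if __name__ == '__main__':
    fresh = build_minimal_pe()
    print('fresh   :', check_pe_checksum(fresh))
    stamped = stamp_checksum(fresh)
    print('stamped :', check_pe_checksum(stamped))
    patched = bytearray(stamped)
    patched[-8] ^= 0xFF                                   # flip one byte inside .text
    print('patched :', check_pe_checksum(bytes(patched)))
```

The three states matter for triage: 'unset' is the normal case for unsigned, non-driver builds and says nothing; 'match' is what a signed, linker-stamped file should show; only 'mismatch' on a file that claims a checksum is worth a second look, and even then the first question is whether the tool that reported it computed the value correctly.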
Contains embedded string with suspicious keywords
- details
- Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
- Found suspicious keyword "Output" which indicates: "May write to a file (if combined with Open)"
- Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
- Found suspicious keyword "Write" which indicates: "May write to a file (if combined with Open)"
- Found suspicious keyword "Environ" which indicates: "May read system environment variables"
- Found suspicious keyword "Binary" which indicates: "May read or write a binary file (if combined with Open)"
- Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
- Found suspicious keyword "Open" which indicates: "May open a file"
- source
- String
- relevance
- 10/10
- These keyword rules ("if combined with Open", "Shell.Application object") are written for VBA/VBScript macro analysis. Applied to a native NSIS installer they only show that ordinary English words occur in its strings, so the 10/10 relevance should be discounted entirely.
Imports suspicious APIs
- details
-
GetFileAttributesA
CreateDirectoryA
Sleep
GetTickCount
CreateFileA
GetFileSize
GetModuleFileNameA
CopyFileA
GetTempPathA
GetCommandLineA
LoadLibraryA
CreateThread
CreateProcessA
GetTempFileNameA
GetModuleHandleA
LoadLibraryExA
GetProcAddress
WriteFile
FindNextFileA
FindFirstFileA
DeleteFileA
FindWindowExA
ShellExecuteA
RegEnumKeyA
RegOpenKeyExA
RegDeleteKeyA
RegDeleteValueA
RegCloseKey
RegCreateKeyExA
InternetGetConnectedState
ReadProcessMemory
GetVersionExA
MapViewOfFileEx
OpenFileMappingA
GetStartupInfoA
TerminateProcess
UnhandledExceptionFilter
IsDebuggerPresent
SetWindowsHookExA
VirtualAlloc
VirtualProtect
FindFirstFileW
GetThreadContext
CreateProcessW
GetCommandLineW
GetStartupInfoW
CreateFileMappingA
VirtualProtectEx
WriteProcessMemory
GetModuleFileNameW
MapViewOfFile
FindWindowA
GetWindowThreadProcessId - source
- Static Parser
- relevance
- 1/10
Installs hooks/patches the running process
- details
- "<Input Sample>" wrote bytes "0857337604783c760000000051c18c7794988c77ee9c8c7775dc8e77273e8e77efb292770000000046ce4277013d437738ed4377cfcd427731234277de2f4377c4ca427780bb427752ba42779fbb427792bb427746ba42770abf427700000000" to virtual address "0x729E1000" (part of module "SHFOLDER.DLL")
- "<Input Sample>" wrote bytes "4053b4775858b577186ab577653cb6770000000000bf42770000000056cc4277000000007cca4277000000003768da756a2cb677d62db677000000002069da750000000029a6427700000000a48dda7500000000f70e427700000000" to virtual address "0x77CA1000" (part of module "NSI.DLL")
- "<Input Sample>" wrote bytes "4d5a90000300000004000000ffff0000b80000000000000040000000000000000000000000000000000000000000000000000000d934020026cbfdff07920e00" to virtual address "0x00400000" (part of module "FRAPS.EXE")
- source
- Hooks
- relevance
- 10/10
- Read the bytes as little-endian 32-bit words and the first two writes are tables of pointers into this Win7 guest's system DLLs (0x778CC151, 0x7742CE46, ...) separated by zero terminators, placed at offset 0x1000 of SHFOLDER.DLL and NSI.DLL, that is, at the start of each module's first section. That is what an import address table looks like after the loader has resolved it when the installer loads those DLLs. The third write is the MZ/PE header of fraps.exe at its own 0x00400000 image base. None of the three touches executable code, so this indicator reads as "loader activity observed" rather than hooking; look for writes that land inside a .text section in the full report before treating it as a patch.
Reads information about supported languages
- details
- "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE", Key: "EN-US")
- "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE", Key: "EN-US")
- "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE", Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
11 further suspicious indicators are hidden in this public report.
Informative 12
Environment Awareness
Contains ability to query machine time
- details
- GetSystemTimeAsFileTime@KERNEL32.DLL from fraps.exe (PID: 3376), 4 occurrences
- GetSystemTimeAsFileTime@KERNEL32.dll at 5439-225-000000014000E0C0
- source
- StaticStream (Disassembly)
- relevance
- 1/10
Contains ability to query volume size
- details
- GetDiskFreeSpaceA@KERNEL32.DLL from fraps.exe (PID: 2380), 3 occurrences
- source
- StaticStream (Disassembly)
- relevance
- 3/10
- GetSystemTimeAsFileTime is called by the MSVC runtime's security-cookie initialisation in every binary it links, and GetDiskFreeSpaceA in the installer process is the free-space check NSIS performs on its directory page.
External Systems
Sample was identified as clean by Antivirus engines
- details
- 0/56 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- Anti-Virus Test Result
- relevance
- 10/10
General
Creates a writable file in a temporary directory
- details
- "<Input Sample>" created file "%TEMP%\nswD4DB.tmp"
- "<Input Sample>" created file "%TEMP%\beepa.bmp"
- "<Input Sample>" created file "%TEMP%\nsmD672.tmp\AdvSplash.dll"
- "<Input Sample>" created file "%TEMP%\nsmD672.tmp\StartMenu.dll"
- "<Input Sample>" created file "%TEMP%\nsmD672.tmp\System.dll"
- source
- API Call
- relevance
- 1/10
Creates mutants
- details
- "\Sessions\1\BaseNamedObjects\DBWinMutex"
- "\Sessions\1\BaseNamedObjects\RALBBBCE9CA"
- "\Sessions\1\BaseNamedObjects\BBBCE9CA::WK"
- source
- Created Mutant
- relevance
- 3/10
- DBWinMutex is the system mutex OutputDebugString takes to synchronise with a debug-output viewer, so its presence only means the sample emitted debug output. The other two names are the ones worth recording: a mutex name is stable across runs and makes a cheap host-based indicator for this build.
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "fraps64.dat.137699308" as clean (type is "PE32+ executable (GUI) x86-64, for MS Windows")
- Antivirus vendors marked dropped file "README.HTM.157919210" as clean (type is "HTML document, ASCII text, with CRLF line terminators")
- Antivirus vendors marked dropped file "fraps64.dll.196419592" as clean (type is "PE32+ executable (DLL) (GUI) x86-64, for MS Windows")
- Antivirus vendors marked dropped file "frapsvid.dll.929935688" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows")
- Antivirus vendors marked dropped file "fraps.dll.979716456" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows")
- Antivirus vendors marked dropped file "fraps.exe.1067796882" as clean (type is "PE32 executable (GUI) Intel 80386, for MS Windows")
- Antivirus vendors marked dropped file "help_screenshots.htm.1111779754" as clean (type is "HTML document, ASCII text, with very long lines, with CRLF line terminators")
- Antivirus vendors marked dropped file "StartMenu.dll.1282673192" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows")
- Antivirus vendors marked dropped file "System.dll.1471584872" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows")
- Antivirus vendors marked dropped file "AdvSplash.dll.1618021064" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows")
- Antivirus vendors marked dropped file "frapslcd.dll.1640655560" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows")
- Antivirus vendors marked dropped file "uninstall.exe.2174139314" as clean (type is "PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive")
- source
- Dropped File
- relevance
- 10/10
Loads rich edit control libraries
- details
- "<Input Sample>" loaded module "%WINDIR%\System32\riched20.dll" at 6EB50000
- source
- Loaded Module
Sample shows a variety of benign indicators
- details
- The file was not detected as malicious, drops clean files and is signed with a certificate
- source
- Signature combinations
- relevance
- 10/10
The input sample is signed with a certificate
- details
- Certificate issued by "OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US" (SHA1: 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2, see report for more information)
- Certificate issued by "OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US" (SHA1: 19:7A:4A:EB:DB:25:F0:17:00:79:BB:8C:73:CB:2D:65:5E:00:18:A4, see report for more information)
- Certificate issued by "CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa c04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US" (SHA1: AC:29:A2:FC:0B:30:2F:0E:38:20:02:7C:90:14:88:92:EB:3A:F5:98, see report for more information)
- source
- Unknown
- relevance
- 10/10
- These three entries are one signature's certificate chain, not three signatures: the self-signed VeriSign Class 3 root (74:2C:...), the VeriSign Class 3 Code Signing 2004 CA it issued (19:7A:...), and the Beepa Pty Ltd code-signing leaf (AC:29:...) issued by that CA; see File Certificates for the subjects. The leaf's validity ended 08/30/2009, more than six years before this analysis, so the signature only still verifies if it carries a trusted timestamp countersignature from inside that window, which the public report does not show. "Signed" here means signed by the vendor at build time, not that the certificate is currently valid.
Installation/Persistence
Connects to LPC ports
- details
- "<Input Sample>" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
Dropped files
- details
-
"fraps64.dat.137699308" has type "PE32+ executable (GUI) x86-64, for MS Windows"
"README.HTM.157919210" has type "HTML document, ASCII text, with CRLF line terminators"
"fraps64.dll.196419592" has type "PE32+ executable (DLL) (GUI) x86-64, for MS Windows"
"screenshots.gif.910256488" has type "GIF image data, version 89a, 400 x 300"
"frapsvid.dll.929935688" has type "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows"
"fraps.dll.979716456" has type "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows"
"fraps.exe.1067796882" has type "PE32 executable (GUI) Intel 80386, for MS Windows"
"Fraps.lnk.1083507118" has type "MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Fri Oct 3 06:49:24 2008, mtime=Tue Feb 23 01:21:38 2016, atime=Fri Oct 3 06:49:24 2008, length=1027752, window=hide"
"help_screenshots.htm.1111779754" has type "HTML document, ASCII text, with very long lines, with CRLF line terminators"
"Fraps.lnk.1127680430" has type "MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Fri Oct 3 06:49:24 2008, mtime=Tue Feb 23 01:21:38 2016, atime=Fri Oct 3 06:49:24 2008, length=1027752, window=hide"
"fps.gif.1170635240" has type "GIF image data, version 89a, 400 x 300"
"StartMenu.dll.1282673192" has type "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows"
"System.dll.1471584872" has type "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows"
"AdvSplash.dll.1618021064" has type "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows"
"frapslcd.dll.1640655560" has type "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows"
"uninstall.exe.2174139314" has type "PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive"
"Uninstall.lnk.2232597454" has type "MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Icon number=0, ctime=Mon Jan 1 06:50:36 1601, mtime=Mon Jan 1 06:50:36 1601, atime=Mon Jan 1 06:50:36 1601, length=0, window=hide"
"nswD4DB.tmp.2285644372" has type "data"
"beepa.bmp.2412702756" has type "PC bitmap, Windows 3.x format, 600 x 220 x 24"
"general.gif.2510795848" has type "GIF image data, version 89a, 400 x 300" - source
- Dropped File
- relevance
- 3/10
Network Related
Found potential URL in binary/memory
- details
- Pattern match: "http://nsis.sf.net/NSIS_Error"
- Pattern match: "http://www.fraps.com/"
- Pattern match: "http://www.microsoft.com/directx"
- Pattern match: "http://www.fraps.com/help/fraps2/"
- Pattern match: "http://www.fraps.com/register296/"
- Pattern match: "www.beepa.com\par"
- Pattern match: "https://www.verisign.com/rpa"
- Pattern match: "https://www.verisign.com/rpa01U*0"
- Pattern match: "UjjEP.EjMQ/.Ej"
- Pattern match: "12.zmbk/Pwl*;4xeP"
- Pattern match: "d4k52.jh/6..A"
- Pattern match: "L.Gj/y,zn4RS6j?]^F*!e`yJORp#w$"
- Heuristic match: "e2gT@|UfR_5[uT=J|qHy~}8hUgI|p:(LDj]c4^3IvPm'4zEhLQ't#f_Lg?.D.n/cF eX)qUwBKHF\.fR&6T!?Kz4Dy2@_).BI"
- Pattern match: "RaTkiK.Fj/lrFY?'p{Z+_\R.[15VS0@#"
- Heuristic match: "1>U>ZRJof`X!xRn`p<=y1Lf$!r:.iN"
- Pattern match: "5Zv..hin/i|p8f3"
- Heuristic match: "\S2JE\gi8u^825yk4h]WLEmza1RQ=.AW"
- Pattern match: "zt.CQKb/[WPN.9"
- source
- String
- relevance
- 10/10
- The first eight are the only real URLs: the NSIS error page, the vendor's site with its help and registration pages, the DirectX download page, www.beepa.com from the RTF licence text ("\par" is an RTF paragraph mark) and the VeriSign practice-statement URL embedded in the certificate's OU field (the "01U*0" tail is adjacent DER bytes from the certificate). The remaining "matches" are runs of compressed data that happen to contain a dot and a slash. No DNS, host or HTTP activity was observed (see Network Analysis), so none of these addresses was contacted during the run.
File Details
fraps.exe
- Filename
- fraps.exe
- Size
- 1MiB (1067456 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- Architecture
- WINDOWS
- SHA256
- e33dc5fb8deb61717149f2109b5db93418164f4cb436cf13c89bb0b83fcee4c2
- MD5
- c36024d0e487d207bd37f0ad4c0e77bf
- SHA1
- 6229e35013a347f8f71dba6a9898e0540ae43d7b
- ssdeep
- 24576:0Hb+s0OoLpiFu6sHW93jrFY3mHx8Ot9UU1:S0O8Uue93jry3mRdGU
- imphash
- 099c0646ea7282d232219f8807883be0
- authentihash
- afe23862e3bf7e295325bdad7e67294d40bc80ede26f5c66270225aaf305c53c
Classification (TrID)
- 94.8% (.EXE) NSIS - Nullsoft Scriptable Install System
- 3.4% (.EXE) Win32 Executable MS Visual C++ (generic)
- 0.7% (.DLL) Win32 Dynamic Link Library (generic)
- 0.5% (.EXE) Win32 Executable (generic)
- 0.2% (.EXE) Generic Win/DOS Executable
File Sections: not included in this public report.
File Imports: not included in this public report.
File Certificates
Owner | Issuer | Serial | Validity | MD5 | SHA1 |
---|---|---|---|---|---|
OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US | OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US (self-signed root) | 70bae41d10d92934b638ca7b03ccbabf | 01/28/1996 18:00:00 to 08/01/2028 18:59:59 | 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67 | 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2 |
CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa c04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US | OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US | 4191a15a3978dfcf496566381d4c75c2 | 07/15/2004 19:00:00 to 07/15/2014 18:59:59 | 63:FE:60:C5:5A:44:AF:8E:E2:11:5A:27:62:2A:B0:7C | 19:7A:4A:EB:DB:25:F0:17:00:79:BB:8C:73:CB:2D:65:5E:00:18:A4 |
CN=Beepa Pty Ltd, OU=Development, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Beepa Pty Ltd, L=Melbourne, ST=Victoria, C=AU | CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa c04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US | d2fab944320ef72bf20b8432e7e3f30 | 08/06/2006 19:00:00 to 08/30/2009 18:59:59 | A2:BB:96:56:01:BC:90:D8:C6:1C:D4:64:C5:9E:78:2E | AC:29:A2:FC:0B:30:2F:0E:38:20:02:7C:90:14:88:92:EB:3A:F5:98 |
Screenshots
Loading content, please wait...
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
http://nsis.sf.net/nsis_error | Domain/IP reference | 00011385-00002380-39448-52-00402C5B |
Extracted Strings
Extracted Files
Displaying 24 extracted file(s). The remaining 1 file(s) are available in the full version and XML/JSON reports.
-
Clean 11
-
-
AdvSplash.dll
- Size
- 6KiB (6144 bytes)
- Type
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/55
- MD5
- 7d3644befb511be2fdaa03ff544deab4
- SHA1
- 8fa1d896f0f597f5deafa4d0214f0c56ffadef4b
- SHA256
- b02607fc2a8bcd5184f570b3e14334055d172f7b6757b979931b442824eb5bb0
-
StartMenu.dll
- Size
- 7KiB (7168 bytes)
- Type
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/55
- MD5
- e98edd029f7f9f62ebb75992841817b8
- SHA1
- 8a7054283e4386689a29c63f4e65f3ef1ea7c43f
- SHA256
- abf56fe9b605c8cd716a2cc59b6ef052428753d5c716aaf857c3349d74fae66c
-
System.dll
- Size
- 10KiB (10240 bytes)
- Type
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/56
- MD5
- 82f7926fd7d12e3eb8ed7b5232bcf956
- SHA1
- 6065fc921b742cc86c77ce2533fc1d17359eb45e
- SHA256
- 604b5e75f43ffae8f172018cdd8f136392d9c52ae0c100d27ef537bb2dfb3984
-
frapsvid.dll
- Size
- 80KiB (81920 bytes)
- Type
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/56
- Context
- %WINDIR%\System32\frapsvid.dll
- Additional Context
- New file
- MD5
- 1571ec0e318281206271e63e2a8fc381
- SHA1
- 85d8da27cb02d04cd55d7239413092898f686927
- SHA256
- 439fdd69d1b69e6b4bdbe950e99d979eb57745e128f9c125fb2700117ef848ac
-
help_screenshots.htm
- Size
- 2.4KiB (2452 bytes)
- Type
- HTML document, ASCII text, with very long lines, with CRLF line terminators
- AV Scan Result
- 0/41
- MD5
- 352fc8059a5fd8aada8cdc346a2e90ad
- SHA1
- 213a261341ec584582901524ba00342120cde44c
- SHA256
- 69c075dd4c63e16bc2cfc3d60d9722583955d3bd143cac72daddfaedfca36fbc
-
README.HTM
- Size
- 1.8KiB (1840 bytes)
- Type
- HTML document, ASCII text, with CRLF line terminators
- AV Scan Result
- 0/42
- MD5
- 3fdace923844fcdadc0980053e29a419
- SHA1
- 4bad0ea521b33cbc579ed82d2470be9824f7f2b8
- SHA256
- 44eea57d8bb14075633d1db62080e84cab0356904bb934f914deadb00d32037a
-
fraps.dll
- Size
- 180KiB (184320 bytes)
- Type
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/54
- MD5
- 259f9de12ff6afbce7ffd2f1be1ba9dd
- SHA1
- b9d2be6051e1e704309663e8e31b9ceddbbc57ed
- SHA256
- 658f44a7b2a13f56d40d428143370421292fa88940f2a1a79e32f665dd6d6343
-
fraps.exe
- Size
- 1004KiB (1027752 bytes)
- Type
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/54
- MD5
- 3573013a7f72ab146d046c61989d5ac2
- SHA1
- c828730873eb41f31fcc0a6ab61bc63d4bf91caf
- SHA256
- 1e00576ec3b9bc00c040dbb3d5f09b210cedcc58a5cd42f70b493ed3011529fd
-
fraps64.dll
- Size
- 126KiB (129024 bytes)
- Type
- PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/55
- MD5
- 3502333b6a23049ccd455f3e9fba2e2b
- SHA1
- 96fdb5041f3fab9acaefe11f2aa213ec51a8f7ee
- SHA256
- 9c0e6f9e04a1432c90e9b9ed445817e7dd471cedbf8aaed57c0b1001694f1fb9
-
frapslcd.dll
- Size
- 156KiB (159744 bytes)
- Type
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/54
- MD5
- 031a05b2e1aedb60dd189dd554650689
- SHA1
- c65f03a1c1dc6e55d708035ebe7281accf11b971
- SHA256
- 3f49f477f94aef9116013a7100fb0d16042da0e41725a27d6347654252ccd29f
-
uninstall.exe
- Size
- 34KiB (34561 bytes)
- Type
- PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- AV Scan Result
- 0/48
- MD5
- e2a69a707727e8436830488b9005931a
- SHA1
- be996009492998b2a964d47cd3a0553737b0c09b
- SHA256
- 2ba579cdfdc2f15a2d02923b856258dbda02bad9aaf10666b58c72553dc0f493
-
-
Informative 13
-
-
Fraps.lnk
- Size
- 1.4KiB (1424 bytes)
- Type
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Fri Oct 3 06:49:24 2008, mtime=Tue Feb 23 01:21:38 2016, atime=Fri Oct 3 06:49:24 2008, length=1027752, window=hide
- MD5
- dd92a91e38b61ee55736371f024bedc7
- SHA256
- 24a08b4054efba6d705839869dbff09384be7ceb7e1159d6573991a052d84877
-
Uninstall.lnk
- Size
- 1.3KiB (1291 bytes)
- Type
- MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, Icon number=0, ctime=Mon Jan 1 06:50:36 1601, mtime=Mon Jan 1 06:50:36 1601, atime=Mon Jan 1 06:50:36 1601, length=0, window=hide
- MD5
- d94c9159c8d8534d34dba2a4299d8f1a
- SHA256
- d72935d1457216a26895f48260a72db33a10a102868e9474b4ec5619fc745253
-
beepa.bmp
- Size
- 387KiB (396054 bytes)
- Type
- PC bitmap, Windows 3.x format, 600 x 220 x 24
- MD5
- eaf41522d3f54404460d7f57910f1e7a
- SHA1
- 1c9af837104141808abb9e8abbdde552f4823ec5
- SHA256
- fa22fb3e4835d6061a4221f803064cdfc018a6819095713f1a6bd1f931c6d9ce
-
nswD4DB.tmp
- Size
- 3.7MiB (3909845 bytes)
- Type
- data
- MD5
- 97229cf3cf70d8f7d705ae14f31d1f45
- SHA1
- 1936236ad742fea9a29164b9ac100652ba4afde3
- SHA256
- 276bfc7486ace17dbd54f0175ee832e1fe1a3539fe30ff2d626159e209bd4046
-
Fraps.lnk
- Size
- 562B (562 bytes)
- Type
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Fri Oct 3 06:49:24 2008, mtime=Tue Feb 23 01:21:38 2016, atime=Fri Oct 3 06:49:24 2008, length=1027752, window=hide
- MD5
- 1d10d50b47cf7da8a6989711bec91711
- SHA256
- 6398b250350640d98d0166976bb274a1d8a43714ac0be43d14b434295c81ae2f
-
fps.gif
- Size
- 21KiB (21727 bytes)
- Type
- GIF image data, version 89a, 400 x 300
- MD5
- ab1db59da5f74f38701b05810471f841
- SHA256
- 84800794e54b651d7867e6914fc726a4904d6eb89bcd757d8bb8883f2c30a985
-
general.gif
- Size
- 19KiB (19099 bytes)
- Type
- GIF image data, version 89a, 400 x 300
- MD5
- b92375d34647e255d299c511cfed1e07
- SHA256
- 063e5801e214502412d6c6a5fb97ccc1a4c3b56d7076826a670e7400845ecffa
-
help_fps.htm
- Size
- 5.4KiB (5504 bytes)
-
help_general.htm
- Size
- 2.9KiB (2945 bytes)
-
help_movies.htm
- Size
- 9.1KiB (9274 bytes)
-
movies.gif
- Size
- 22KiB (22828 bytes)
-
screenshots.gif
- Size
- 20KiB (20435 bytes)
- Type
- GIF image data, version 89a, 400 x 300
- MD5
- 9589b392fbeff1d3664d3cca6e785656
- SHA256
- 15d4eba743037910a4b7bb8f452da81d8f81d679f5a75c92c1c07289e3fe1c4f
-
changes.txt
- Size
- 14KiB (14472 bytes)
-
Notifications
-
Runtime
- Added comment to VirusTotal report
- Not all sources for signature ID "api-19" are available in the report
- Not all sources for signature ID "api-35" are available in the report
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "binary-0" are available in the report
- Not all sources for signature ID "static-6" are available in the report
- Not all sources for signature ID "string-21" are available in the report
- Not all sources for signature ID "string-3" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Parsed the maximum number of dropped files (20), report might not contain information about some dropped files
- Some low-level data is hidden, as this is only a slim report