AmScopeSetup.exe
This report is generated from a file or URL submitted to this webservice on August 27th 2019 17:29:50 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Spyware: Contains ability to open the clipboard; Found a string that may be used as part of an injection method
- Persistence: Writes data to a remote process
- Fingerprint: Queries kernel debugger information; Reads the active computer name; Reads the cryptographic machine GUID
- Evasive: Checks a device property (often used to detect VM artifacts); Marks file for deletion
- Spreading: Opens the MountPointManager (often used to detect additional infection locations)
- Network Behavior: Contacts 1 host
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (9)

General

The analysis extracted a file that was identified as malicious
- details:
2/77 Antivirus vendors marked dropped file "System.dll" as malicious (classified as "W32.Ramnit.CF" with 2% detection rate)
2/73 Antivirus vendors marked dropped file "dpinst.exe" as malicious (classified as "Unavailable" with 2% detection rate)
1/79 Antivirus vendors marked dropped file "nsDialogs.dll" as malicious (classified as "Unavailable" with 1% detection rate)
1/75 Antivirus vendors marked dropped file "amcam.sys" as malicious (classified as "Adware.LightSee" with 1% detection rate)
- source: Binary File
- relevance: 10/10

The analysis spawned a process that was identified as malicious
- details:
2/73 Antivirus vendors marked spawned process "dpinst.exe" (PID: 3364) as malicious (classified as "Unavailable" with 2% detection rate)
2/73 Antivirus vendors marked spawned process "dpinst.exe" (PID: 2720) as malicious (classified as "Unavailable" with 2% detection rate)
- source: Monitored Target
- relevance: 10/10

Installation/Persistence

Allocates virtual memory in a remote process
- details:
"AmScopeSetup_v3.7.10246.zip.exe" allocated memory in "%PROGRAMFILES%\AmScope\AmScope\hcam\x64\glavcam.sys"
"AmScopeSetup_v3.7.10246.zip.exe" allocated memory in "%PROGRAMFILES%\AmScope\AmScope\drivers\x64\dpinst.exe"
"dpinst.exe" allocated memory in "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\Windows\Windows Error Reporting\Debug"
- source: API Call
- relevance: 7/10
- ATT&CK ID: T1055

Writes data to a remote process
- details:
"AmScopeSetup_v3.7.10246.zip.exe" wrote 1500 bytes to a remote process "%PROGRAMFILES%\AmScope\AmScope\drivers\x64\dpinst.exe" (Handle: 492)
"AmScopeSetup_v3.7.10246.zip.exe" wrote 4 bytes to a remote process "C:\Program Files\AmScope\AmScope\drivers\x64\dpinst.exe" (Handle: 492)
"AmScopeSetup_v3.7.10246.zip.exe" wrote 8 bytes to a remote process "C:\Program Files\AmScope\AmScope\drivers\x64\dpinst.exe" (Handle: 492)
"AmScopeSetup_v3.7.10246.zip.exe" wrote 32 bytes to a remote process "C:\Program Files\AmScope\AmScope\drivers\x64\dpinst.exe" (Handle: 492)
"AmScopeSetup_v3.7.10246.zip.exe" wrote 52 bytes to a remote process "C:\Program Files\AmScope\AmScope\drivers\x64\dpinst.exe" (Handle: 492)
"AmScopeSetup_v3.7.10246.zip.exe" wrote 1500 bytes to a remote process "C:\Program Files\AmScope\AmScope\hcam\dpinst.exe" (Handle: 488)
"AmScopeSetup_v3.7.10246.zip.exe" wrote 4 bytes to a remote process "C:\Program Files\AmScope\AmScope\hcam\dpinst.exe" (Handle: 488)
"AmScopeSetup_v3.7.10246.zip.exe" wrote 8 bytes to a remote process "C:\Program Files\AmScope\AmScope\hcam\dpinst.exe" (Handle: 488)
"AmScopeSetup_v3.7.10246.zip.exe" wrote 32 bytes to a remote process "C:\Program Files\AmScope\AmScope\hcam\dpinst.exe" (Handle: 488)
"AmScopeSetup_v3.7.10246.zip.exe" wrote 52 bytes to a remote process "C:\Program Files\AmScope\AmScope\hcam\dpinst.exe" (Handle: 488)
"dpinst.exe" wrote 32 bytes to a remote process "C:\Windows\System32\wermgr.exe" (Handle: 908)
"dpinst.exe" wrote 52 bytes to a remote process "C:\Windows\System32\wermgr.exe" (Handle: 908)
"dpinst.exe" wrote 8 bytes to a remote process "C:\Windows\System32\wermgr.exe" (Handle: 908)
- source: API Call
- relevance: 6/10
- ATT&CK ID: T1055

Unusual Characteristics

Contains ability to reboot/shutdown the operating system
- details:
ExitWindowsEx@USER32.DLL from AmScopeSetup_v3.7.10246.zip.exe (PID: 4076) (3 occurrences)
- source: Hybrid Analysis Technology
- relevance: 5/10

Contains native function calls
- details:
NtdllDefWindowProc_A@NTDLL.DLL from AmScopeSetup_v3.7.10246.zip.exe (PID: 4076)
NtOpenProcessToken@NTDLL.DLL at 00049616-00003364-63085-211--00E618E4
NtOpenProcessToken@NTDLL.DLL at 00050014-00002720-11665-211--00A818E4
NtOpenProcessToken@ntdll.dll
- source: Hybrid Analysis Technology
- relevance: 5/10

References suspicious system modules
- details:
"ntoskrnl.exe"
- source: File/Memory
- relevance: 5/10
- ATT&CK ID: T1215

Hiding 2 Malicious Indicators (available only in the private webservice or standalone version)

Suspicious Indicators (31)

Anti-Detection/Stealthiness

Contains ability to open/control a service
- details:
OpenServiceW@ADVAPI32.dll (6 occurrences)
- source: Hybrid Analysis Technology
- relevance: 8/10
- ATT&CK ID: T1035

Queries kernel debugger information
- details:
"dpinst.exe" at 00049616-00003364-00000033-76425065420
"wermgr.exe" at 00049879-00003636-00000033-85172632480
"dpinst.exe" at 00050014-00002720-00000033-90046988366
- source: API Call
- relevance: 6/10

Anti-Reverse Engineering

Checks a device property (often used to detect VM artifacts)
- details:
SetupDiGetDeviceRegistryPropertyW@SETUPAPI.dll (9 occurrences)
- source: Hybrid Analysis Technology
- relevance: 7/10
- ATT&CK ID: T1120

Environment Awareness

Reads the active computer name
- details:
"AmScopeSetup_v3.7.10246.zip.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"dpinst.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"wermgr.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1012

Reads the cryptographic machine GUID
- details:
"dpinst.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"wermgr.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012

External Systems

Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details:
1/71 reputation engines marked "http://nsis.sf.net" as malicious (1% detection rate)
- source: External System
- relevance: 10/10

General

Contains ability to find and load resources of a specific module
- details:
LoadResource@KERNEL32.DLL at 00049616-00003364-63085-121--00E715AC
LoadResource@KERNEL32.DLL at 00049616-00003364-63085-123--00E71464
FindResourceExW@KERNEL32.DLL at 00049616-00003364-63085-182--00E6102C
LoadResource@KERNEL32.DLL at 00049616-00003364-63085-185--00E616F0
LoadResource@KERNEL32.DLL at 00049616-00003364-63085-2734--00E61990
LoadResource@KERNEL32.DLL at 00050014-00002720-11665-121--00A915AC
LoadResource@KERNEL32.DLL at 00050014-00002720-11665-123--00A91464
FindResourceExW@KERNEL32.DLL at 00050014-00002720-11665-182--00A8102C
LoadResource@KERNEL32.DLL at 00050014-00002720-11665-185--00A816F0
LoadResource@KERNEL32.DLL at 00050014-00002720-11665-2735--00A81990
FindResourceExW@KERNEL32.dll
LoadResource@KERNEL32.dll (4 occurrences)
- source: Hybrid Analysis Technology
- relevance: 1/10

Reads configuration files
- details:
"AmScopeSetup_v3.7.10246.zip.exe" read file "%USERPROFILE%\Desktop\desktop.ini"
- source: API Call
- relevance: 4/10

Installation/Persistence

Drops executable files
- details:
"System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"dpinst.exe" has type "PE32+ executable (GUI) x86-64 for MS Windows"
"nsDialogs.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"amcam.sys" has type "PE32 executable (native) Intel 80386 for MS Windows"
"amcam.sys" has type "PE32+ executable (native) x86-64 for MS Windows"
- source: Binary File
- relevance: 10/10

The input sample dropped/contains a certificate file
- details:
File "amcam.cat" is a certificate (Owner: CN=GlobalSign Timestamping CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE; Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3; SerialNumber: 400000000013189c65004; Valid From: 08/02/2011 10:00:00; Until: 03/29/2029 10:00:00; Fingerprints: MD5=F3:F4:A7:13:A0:48:DD:20:00:39:40:22:76:4D:F8:5B; SHA1=91:84:3B:BD:93:6D:86:EA:FA:42:A3:AF:BF:33:E9:28:31:06:8F:99)
File "amcam.cat" is a certificate (Owner: CN=GlobalSign CodeSigning CA - G3, O=GlobalSign nv-sa, C=BE; Issuer: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE; SerialNumber: 47c30ffefc22bb280f96fea75251; Valid From: 03/16/2016 00:00:00; Until: 03/16/2024 00:00:00; Fingerprints: MD5=BB:13:BF:79:9E:56:1C:0C:F3:BC:2E:BC:89:90:23:88; SHA1=F1:E7:B6:C0:C1:0D:A9:43:6E:CC:04:FF:5F:C3:B6:91:6B:46:CF:4C)
File "amcam.cat" is a certificate (Owner: CN=GlobalSign TSA for MS Authenticode advanced - G2, O=GMO GlobalSign Pte Ltd, C=SG; Issuer: CN=GlobalSign Timestamping CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE; SerialNumber: 1121ed9018caa927b7626c526b906d93f567; Valid From: 05/24/2016 00:00:00; Until: 06/24/2027 00:00:00; Fingerprints: MD5=E6:A1:D7:63:21:B0:BD:1E:AD:85:8C:7D:CE:0F:A4:6B; SHA1=37:C0:41:8C:A8:48:0B:BA:CE:02:E0:00:EC:88:46:AD:3D:B6:91:EC)
File "amcam.cat" is a certificate (Owner: EMAILADDRESS=info@amscope.com, CN=AmScope, OU=United Scope, O=AmScope, L=Irvine, ST=CA, C=US; Issuer: CN=GlobalSign CodeSigning CA - G3, O=GlobalSign nv-sa, C=BE; SerialNumber: 79a980ddc25c4a9102e66214; Valid From: 08/24/2016 15:26:13; Until: 08/25/2019 15:26:13; Fingerprints: MD5=4D:DF:82:B4:CC:E4:CC:9F:51:D6:22:5A:34:F6:0B:9B; SHA1=4E:2A:7F:CE:D6:D8:4C:71:F1:C4:C8:B4:4E:F0:A1:03:60:1B:A4:AD)
File "amcam.cat" is a certificate (Owner: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE; Issuer: CN=Microsoft Code Verification Root, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; SerialNumber: 610b7f6b000000000019; Valid From: 05/23/2006 17:00:51; Until: 05/23/2016 17:10:51; Fingerprints: MD5=88:2E:CF:2B:03:10:AF:61:15:C6:B2:E9:2C:E5:0B:44; SHA1=3E:EB:27:50:A1:99:F5:E7:B6:A8:95:24:30:BE:50:62:FE:04:E9:E5)
- source: Binary File
- relevance: 10/10

Network Related

Found potential IP address in binary/memory
- details:
Heuristic match: "INFO: Product Version 2.1.0.0."
Heuristic match: "glavcam.DisplayVersion="13.12.18.0""
- source: File/Memory
- relevance: 3/10

Sends traffic on typical HTTP outbound port, but without HTTP header
- details:
TCP traffic to 51.143.111.81 on port 443 is sent without HTTP header
- source: Network Traffic
- relevance: 5/10

Spyware/Information Retrieval

Contains ability to open the clipboard
- details:
OpenClipboard@USER32.DLL from AmScopeSetup_v3.7.10246.zip.exe (PID: 4076)
- source: Hybrid Analysis Technology
- relevance: 10/10
- ATT&CK ID: T1115

System Destruction

Marks file for deletion
- details:
"C:\AmScopeSetup_v3.7.10246.zip.exe" marked "%TEMP%\nsc60B8.tmp" for deletion
"C:\AmScopeSetup_v3.7.10246.zip.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\nsx626F.tmp" for deletion
"%PROGRAMFILES%\AmScope\AmScope\drivers\x64\dpinst.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{3e310e95-daa9-33c7-3663-be6c3400bc5f}\SETDB37.tmp" for deletion
"%PROGRAMFILES%\AmScope\AmScope\drivers\x64\dpinst.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{3e310e95-daa9-33c7-3663-be6c3400bc5f}\SETDB48.tmp" for deletion
"%PROGRAMFILES%\AmScope\AmScope\drivers\x64\dpinst.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{3e310e95-daa9-33c7-3663-be6c3400bc5f}\SETDB68.tmp" for deletion
"%PROGRAMFILES%\AmScope\AmScope\drivers\x64\dpinst.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{3e310e95-daa9-33c7-3663-be6c3400bc5f}\amcam.cat" for deletion
"%PROGRAMFILES%\AmScope\AmScope\drivers\x64\dpinst.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{3e310e95-daa9-33c7-3663-be6c3400bc5f}\amcam.inf" for deletion
"%PROGRAMFILES%\AmScope\AmScope\drivers\x64\dpinst.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{3e310e95-daa9-33c7-3663-be6c3400bc5f}\amcam.sys" for deletion
"%PROGRAMFILES%\AmScope\AmScope\drivers\x64\dpinst.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{3e310e95-daa9-33c7-3663-be6c3400bc5f}" for deletion
"%PROGRAMFILES%\AmScope\AmScope\drivers\x64\dpinst.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\DMIE365.tmp.log.xml" for deletion
"%WINDIR%\System32\wermgr.exe" marked "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_873679e53ee0a337d4e8471afed967de4439b414_cab_0d2fe411\amcam.inf" for deletion
"%WINDIR%\System32\wermgr.exe" marked "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_873679e53ee0a337d4e8471afed967de4439b414_cab_0d2fe411\DMIE365.tmp.log.xml" for deletion
"%WINDIR%\System32\wermgr.exe" marked "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_873679e53ee0a337d4e8471afed967de4439b414_cab_0d2fe411\Report.wer" for deletion
"%WINDIR%\System32\wermgr.exe" marked "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_873679e53ee0a337d4e8471afed967de4439b414_cab_0d2fe411" for deletion
"%PROGRAMFILES%\AmScope\AmScope\hcam\dpinst.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{646bedfe-cb46-332f-d998-3371d0b4a366}\SETF324.tmp" for deletion
"%PROGRAMFILES%\AmScope\AmScope\hcam\dpinst.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{646bedfe-cb46-332f-d998-3371d0b4a366}\SETF344.tmp" for deletion
"%PROGRAMFILES%\AmScope\AmScope\hcam\dpinst.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\{646bedfe-cb46-332f-d998-3371d0b4a366}\x64\SETF384.tmp" for deletion
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1107

Opens file with deletion access rights
- details:
"AmScopeSetup_v3.7.10246.zip.exe" opened "%TEMP%\nsc60B8.tmp" with delete access
"AmScopeSetup_v3.7.10246.zip.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsx626F.tmp" with delete access
"dpinst.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{3e310e95-daa9-33c7-3663-be6c3400bc5f}\SETDB37.tmp" with delete access
"dpinst.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{3e310e95-daa9-33c7-3663-be6c3400bc5f}\SETDB48.tmp" with delete access
"dpinst.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{3e310e95-daa9-33c7-3663-be6c3400bc5f}\SETDB68.tmp" with delete access
"dpinst.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{3e310e95-daa9-33c7-3663-be6c3400bc5f}\amcam.cat" with delete access
"dpinst.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{3e310e95-daa9-33c7-3663-be6c3400bc5f}\amcam.inf" with delete access
"dpinst.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{3e310e95-daa9-33c7-3663-be6c3400bc5f}\amcam.sys" with delete access
"dpinst.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{3e310e95-daa9-33c7-3663-be6c3400bc5f}" with delete access
"dpinst.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\DMIE365.tmp.log.xml" with delete access
"dpinst.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{646bedfe-cb46-332f-d998-3371d0b4a366}\SETF324.tmp" with delete access
"dpinst.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{646bedfe-cb46-332f-d998-3371d0b4a366}\SETF344.tmp" with delete access
"dpinst.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\{646bedfe-cb46-332f-d998-3371d0b4a366}\x64\SETF384.tmp" with delete access
- source: API Call
- relevance: 7/10

System Security

Contains ability to elevate privileges
- details:
SetSecurityDescriptorDacl@ADVAPI32.dll
SetEntriesInAclW@ADVAPI32.dll
- source: Hybrid Analysis Technology
- relevance: 10/10

Modifies Software Policy Settings
- details:
"dpinst.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"dpinst.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"dpinst.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"dpinst.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"dpinst.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"dpinst.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"dpinst.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"dpinst.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"dpinst.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"dpinst.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"dpinst.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"dpinst.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"dpinst.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"dpinst.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"dpinst.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"dpinst.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"dpinst.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
"dpinst.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
"dpinst.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
"dpinst.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1112

Unusual Characteristics

CRC value set in PE header does not match actual value
- details:
"dpinst.exe" claimed CRC 1081282 while the actual is CRC 39362
"amcam.sys" claimed CRC 40935 while the actual is CRC 21321
"amcam.sys" claimed CRC 69325 while the actual is CRC 40935
- source: Static Parser
- relevance: 10/10

Imports suspicious APIs
- details:
GetModuleHandleA
VirtualProtect
GetProcAddress
VirtualAlloc
LoadLibraryA
RegCreateKeyExW
RegCloseKey
RegDeleteKeyW
SetSecurityDescriptorDacl
OpenProcessToken
RegOpenKeyExW
RegDeleteValueW
StartServiceW
GetFileAttributesW
FindResourceExW
OutputDebugStringA
DeviceIoControl
CopyFileW
GetModuleFileNameW
UnhandledExceptionFilter
LoadLibraryExW
CreateThread
TerminateProcess
LoadLibraryW
GetVersionExW
GetTickCount
GetVersionExA
GetFileSize
GetStartupInfoW
CreateDirectoryW
DeleteFileW
GetTempFileNameW
CreateFileMappingW
WriteFile
FindNextFileW
FindFirstFileW
CreateFileW
LockResource
GetCommandLineW
MapViewOfFile
GetModuleHandleW
FindResourceW
Sleep
ShellExecuteExW
NtQueryInformationToken
GetFileAttributesA
- source: Static Parser
- relevance: 1/10

Installs hooks/patches the running process
- details:
"AmScopeSetup_v3.7.10246.zip.exe" wrote bytes "fe189675f854967557d19775f2189775852a9875221296753e18967568349675eb59967577499675451296752e589675dd16967526189675ff429675c011967500000000d894d9760000000008227475d1e4717500000000" to virtual address "0x10003000" (part of module "SYSTEM.DLL")
"AmScopeSetup_v3.7.10246.zip.exe" wrote bytes "d055b6756473bf750000000051c1a5769498a576ee9ca57675dca776273ea7760fb3ab760000000085489675698796750f779875d9179675ead79775a9349675f8119675201496750c119675f516967554149675ff1096753214967500000000" to virtual address "0x74121000" (part of module "SHFOLDER.DLL")
"AmScopeSetup_v3.7.10246.zip.exe" wrote bytes "711171007a3b7000ab8b02007f950200fc8c0200729602006cc805001ecd6d007d266d00" to virtual address "0x76D807E4" (part of module "USER32.DLL")
"AmScopeSetup_v3.7.10246.zip.exe" wrote bytes "c2000000" to virtual address "0x1000404C" (part of module "SYSTEM.DLL")
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1179

Reads information about supported languages
- details:
"AmScopeSetup_v3.7.10246.zip.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012

Hiding 10 Suspicious Indicators (available only in the private webservice or standalone version)

Informative (32)

Anti-Reverse Engineering

Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details:
SetUnhandledExceptionFilter@KERNEL32.DLL at 00049616-00003364-63085-69--00E3342A
SetUnhandledExceptionFilter@KERNEL32.DLL at 00050014-00002720-11665-69--00A5342A
SetUnhandledExceptionFilter@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10

Environment Awareness

Contains ability to query machine time
- details:
GetLocalTime@KERNEL32.DLL at 00049616-00003364-63085-200--00E72628
GetLocalTime@KERNEL32.DLL at 00050014-00002720-11665-200--00A92628
GetLocalTime@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10
- ATT&CK ID: T1124

Contains ability to query the machine version
- details:
GetVersion@KERNEL32.DLL from AmScopeSetup_v3.7.10246.zip.exe (PID: 4076) (5 occurrences)
GetVersionExW@KERNEL32.dll (4 occurrences)
GetVersionExA@KERNEL32.dll
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query the system locale
- details:
GetUserDefaultUILanguage@KERNEL32.DLL at 00049616-00003364-63085-182--00E6102C
GetUserDefaultUILanguage@KERNEL32.DLL at 00049616-00003364-63085-2616--00E747E0
GetUserDefaultUILanguage@KERNEL32.DLL at 00049616-00003364-63085-2617--00E6BFEC
GetUserDefaultUILanguage@KERNEL32.DLL at 00050014-00002720-11665-182--00A8102C
GetUserDefaultUILanguage@KERNEL32.DLL at 00050014-00002720-11665-2617--00A947E0
GetUserDefaultUILanguage@KERNEL32.DLL at 00050014-00002720-11665-2618--00A8BFEC
GetUserDefaultUILanguage@KERNEL32.dll (3 occurrences)
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query volume size
- details:
GetDiskFreeSpaceA@KERNEL32.DLL from AmScopeSetup_v3.7.10246.zip.exe (PID: 4076) (2 occurrences)
- source: Hybrid Analysis Technology
- relevance: 3/10
- ATT&CK ID: T1083

Makes a code branch decision directly after an API that is environment aware
- details:
Found API call GetVersion@KERNEL32.DLL directly followed by "cmp ax, 00000006h" and "je 00403273h" from AmScopeSetup_v3.7.10246.zip.exe (PID: 4076) (3 occurrences)
Found API call GetVersionExW@KERNEL32.dll directly followed by "cmp eax, ebp" and "jne 000000010001DD5Dh"
Found API call GetVersionExW@KERNEL32.dll directly followed by "cmp eax, esp" and "je 0000000100045218h"
Found API call GetVersionExA@KERNEL32.dll directly followed by "cmp dword ptr [rsp+30h], 02h" and "jne 000000010005C7C7h"
- source: Hybrid Analysis Technology
- relevance: 10/10

Possibly tries to detect the presence of a debugger
- details:
GetProcessHeap@KERNEL32.DLL at 00049616-00003364-63085-2682--00E38D24
GetProcessHeap@KERNEL32.DLL at 00049616-00003364-63085-2683--00E38ED0
GetProcessHeap@KERNEL32.DLL at 00049616-00003364-63085-3961--00E38730
GetProcessHeap@KERNEL32.DLL at 00050014-00002720-11665-2683--00A58D24
GetProcessHeap@KERNEL32.DLL at 00050014-00002720-11665-2684--00A58ED0
GetProcessHeap@KERNEL32.DLL at 00050014-00002720-11665-3962--00A58730
GetProcessHeap@KERNEL32.dll (3 occurrences)
- source: Hybrid Analysis Technology
- relevance: 1/10

Queries volume information
- details:
"dpinst.exe" queries volume information of "%PROGRAMFILES%\AmScope\AmScope\drivers\x64\amcam.cat" at 00049616-00003364-00000046-78938106068
"dpinst.exe" queries volume information of "%PROGRAMFILES%\AmScope\AmScope\drivers\x64\amcam.cat" at 00049616-00003364-00000046-80794470513
- source: API Call
- relevance: 2/10
- ATT&CK ID: T1120

External Systems

Sample was identified as clean by Antivirus engines
- details:
0/66 Antivirus vendors marked sample as malicious (0% detection rate)
- source: External System
- relevance: 10/10

General

Accesses Software Policy Settings
- details:
"dpinst.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"dpinst.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"dpinst.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"dpinst.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"dpinst.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"dpinst.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"dpinst.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"dpinst.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"dpinst.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"dpinst.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"dpinst.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"dpinst.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"dpinst.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"dpinst.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"dpinst.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"dpinst.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"dpinst.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
"dpinst.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
"dpinst.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
"dpinst.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012

Accesses System Certificates Settings
- details:
"dpinst.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
"dpinst.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"dpinst.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"dpinst.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\104C63D2546B8021DD105E9FBA5A8D78169F6B32"; Key: "BLOB")
"dpinst.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\1FB86B1168EC743154062E8C9CC5B171A4B7CCB4"; Key: "BLOB")
"dpinst.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\247106A405B288A46E70A0262717162D0903E734"; Key: "BLOB")
"dpinst.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "BLOB")
"dpinst.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\339CDD57CFD5B141169B615FF31428782D1DA639"; Key: "BLOB")
"dpinst.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\5AEAEE3F7F2A9449CEBAFEEC68FDD184F20124A7"; Key: "BLOB")
"dpinst.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\902EF2DEEB3C5B13EA4C3D5193629309E231AE55"; Key: "BLOB")
"dpinst.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\C86EDBC71AB05078F61ACDF3D8DC5DB61EB75FB6"; Key: "BLOB")
"dpinst.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\E3FC0AD84F2F5A83ED6F86F567F8B14B40DCBF12"; Key: "BLOB")
"dpinst.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\EAB040689A0D805B5D6FD654FC168CFF00B78BE3"; Key: "BLOB")
"dpinst.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0"; Key: "BLOB")
"dpinst.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
"dpinst.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"dpinst.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"dpinst.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1112
Contacts server
- details
- "51.143.111.81:443"
- source
- Network Traffic
- relevance
- 1/10
-
Contains PDB pathways
- details
-
"DpInst.pdb"
"c:\dev\image\sys\amscope\amd64\amcam.pdb"
"c:\dev\image\sys\amscope\i386\amcam.pdb" - source
- File/Memory
- relevance
- 1/10
-
Creates a writable file in a temporary directory
- details
-
"AmScopeSetup_v3.7.10246.zip.exe" created file "%TEMP%\nss624F.tmp"
"AmScopeSetup_v3.7.10246.zip.exe" created file "%TEMP%\nsx626F.tmp\System.dll"
"AmScopeSetup_v3.7.10246.zip.exe" created file "%TEMP%\nsx626F.tmp\modern-wizard.bmp"
"AmScopeSetup_v3.7.10246.zip.exe" created file "%TEMP%\nsx626F.tmp\nsDialogs.dll" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Global\DPINST_LOG_SCROLLER_MUTEX"
"\Sessions\1\BaseNamedObjects\Global\"
"Global\"
"Global\DPINST_LOG_SCROLLER_MUTEX"
"\Sessions\1\BaseNamedObjects\Global\"
"Global\" - source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
-
Antivirus vendors marked dropped file "glavcam.inf" as clean (type is "Windows setup INFormation ASCII text with CRLF line terminators")
Antivirus vendors marked dropped file "amcam.sys" as clean (type is "PE32 executable (native) Intel 80386 for MS Windows") - source
- Binary File
- relevance
- 10/10
-
Loads rich edit control libraries
- details
- "AmScopeSetup_v3.7.10246.zip.exe" loaded module "%WINDIR%\SysWOW64\riched20.dll" at 74050000
- source
- Loaded Module
- ATT&CK ID
- T1179 (Show technique in the MITRE ATT&CK™ matrix)
-
Overview of unique CLSIDs touched in registry
- details
-
"AmScopeSetup_v3.7.10246.zip.exe" touched "Computer" (Path: "HKCU\WOW6432NODE\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
"AmScopeSetup_v3.7.10246.zip.exe" touched "Memory Mapped Cache Mgr" (Path: "HKCU\WOW6432NODE\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}")
"AmScopeSetup_v3.7.10246.zip.exe" touched "Microsoft Multiple AutoComplete List Container" (Path: "HKCU\WOW6432NODE\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\TREATAS")
"AmScopeSetup_v3.7.10246.zip.exe" touched "Microsoft Shell Folder AutoComplete List" (Path: "HKCU\WOW6432NODE\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\TREATAS")
"AmScopeSetup_v3.7.10246.zip.exe" touched "Microsoft AutoComplete" (Path: "HKCU\WOW6432NODE\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\TREATAS")
"AmScopeSetup_v3.7.10246.zip.exe" touched "Microsoft TipAutoCompleteClient Control" (Path: "HKCU\WOW6432NODE\CLSID\{807C1E6C-1D00-453F-B920-B61BB7CDD997}\TREATAS")
"dpinst.exe" touched "XML DOM Document" (Path: "HKCU\CLSID\{2933BF90-7B36-11D2-B20E-00C04F983E60}")
"dpinst.exe" touched "XML DOM Document 3.0" (Path: "HKCU\CLSID\{F5078F32-C551-11D3-89B9-0000F81FE221}") - source
- Registry Access
- relevance
- 3/10
-
Process launched with changed environment
- details
-
Process "wermgr.exe" (Show Process) was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles"
Process "wermgr.exe" (Show Process) was launched with missing environment variables: "PROCESSOR_ARCHITEW6432"
Process "dpinst.exe" (Show Process) was launched with new environment variables: "PROCESSOR_ARCHITEW6432="AMD64""
Process "dpinst.exe" (Show Process) was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles" - source
- Monitored Target
- relevance
- 10/10
-
Reads Windows Trust Settings
- details
- "dpinst.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source
- Registry Access
- relevance
- 5/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
Scanning for window names
- details
- "AmScopeSetup_v3.7.10246.zip.exe" searching for class "#32770"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1010 (Show technique in the MITRE ATT&CK™ matrix)
-
Spawns new processes
- details
-
Spawned process "dpinst.exe" with commandline "/SA /SW /PATH "%PROGRAMFILES%\AmScope\AmScope\drivers\x64"" (Show Process)
Spawned process "wermgr.exe" with commandline ""-queuereporting_s_user" "%LOCALAPPDATA%\Microsoft\Windows\WER\R ..." (Show Process)
Spawned process "dpinst.exe" with commandline "/SA /SW /PATH "%PROGRAMFILES%\AmScope\AmScope\hcam"" (Show Process) - source
- Monitored Target
- relevance
- 3/10
-
Spawns new processes that are not known child processes
- details
-
Spawned process "dpinst.exe" with commandline "/SA /SW /PATH "%PROGRAMFILES%\AmScope\AmScope\drivers\x64"" (Show Process)
Spawned process "wermgr.exe" with commandline ""-queuereporting_s_user" "%LOCALAPPDATA%\Microsoft\Windows\WER\R ..." (Show Process)
Spawned process "dpinst.exe" with commandline "/SA /SW /PATH "%PROGRAMFILES%\AmScope\AmScope\hcam"" (Show Process) - source
- Monitored Target
- relevance
- 3/10
-
The input sample is signed with a certificate
- details
-
The input sample is signed with a certificate issued by "C=US, S=CA, L=Irvine, O=AmScope, OU=United Scope, CN=AmScope, E=info@amscope.com" (SHA1: 4E:2A:7F:CE:D6:D8:4C:71:F1:C4:C8:B4:4E:F0:A1:03:60:1B:A4:AD: (sha1RSA(RSA)); see report for more information)
The input sample is signed with a certificate issued by "C=BE, O=GlobalSign nv-sa, CN=GlobalSign CodeSigning CA - G3" (SHA1: F1:E7:B6:C0:C1:0D:A9:43:6E:CC:04:FF:5F:C3:B6:91:6B:46:CF:4C: (sha1RSA(RSA)); see report for more information)
The input sample is signed with a certificate issued by "C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA" (SHA1: B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C: (sha1RSA(RSA)); see report for more information) - source
- Certificate Data
- relevance
- 10/10
- ATT&CK ID
- T1116 (Show technique in the MITRE ATT&CK™ matrix)
-
The input sample is signed with a valid certificate
- details
- The entire certificate chain of the input sample was validated successfully.
- source
- Certificate Data
- relevance
- 10/10
-
Installation/Persistence
-
Connects to LPC ports
- details
-
"AmScopeSetup_v3.7.10246.zip.exe" connecting to "\ThemeApiPort"
"dpinst.exe" connecting to "\ThemeApiPort" - source
- API Call
- relevance
- 1/10
-
Dropped files
- details
-
"glavcam.inf" has type "Windows setup INFormation ASCII text with CRLF line terminators"
"amcam.inf" has type "Windows setup INFormation ASCII text with CRLF line terminators"
"System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"amcam.cat" has type "data"
"dpinst.exe" has type "PE32+ executable (GUI) x86-64 for MS Windows"
"glavcam.cat" has type "data"
"nsDialogs.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"amcam.sys" has type "PE32 executable (native) Intel 80386 for MS Windows"
"amcam.sys" has type "PE32+ executable (native) x86-64 for MS Windows"
"DPINST.LOG" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"nss624F.tmp" has type "data"
"SETDB48.tmp" has type "Windows setup INFormation ASCII text with CRLF line terminators"
"SETF344.tmp" has type "Windows setup INFormation ASCII text with CRLF line terminators"
"modern-wizard.bmp" has type "PC bitmap Windows 3.x format 164 x 314 x 4"
"DMIE365.tmp.log.xml" has type "XML 1.0 document Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"Report.wer" has type "data" - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"AmScopeSetup_v3.7.10246.zip.exe" touched file "C:\Windows\SysWOW64\oleaccrc.dll"
"AmScopeSetup_v3.7.10246.zip.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"AmScopeSetup_v3.7.10246.zip.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"AmScopeSetup_v3.7.10246.zip.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"AmScopeSetup_v3.7.10246.zip.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000019.db"
"AmScopeSetup_v3.7.10246.zip.exe" touched file "C:\Windows\SysWOW64\en-US\user32.dll.mui"
"AmScopeSetup_v3.7.10246.zip.exe" touched file "C:\Windows\SysWOW64\en-US\msctf.dll.mui"
"AmScopeSetup_v3.7.10246.zip.exe" touched file "C:\Windows\Fonts\StaticCache.dat"
"AmScopeSetup_v3.7.10246.zip.exe" touched file "C:\Windows\AppPatch\AppPatch64\sysmain.sdb"
"AmScopeSetup_v3.7.10246.zip.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"AmScopeSetup_v3.7.10246.zip.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
"AmScopeSetup_v3.7.10246.zip.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000019.db"
"AmScopeSetup_v3.7.10246.zip.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_873679e53ee0a337d4e8471afed967de4439b414_cab_0d2fe411\amcam.inf"
"dpinst.exe" touched file "C:\Windows\AppPatch\AppPatch64\sysmain.sdb"
"dpinst.exe" touched file "C:\Windows\AppPatch\AppPatch64\AcLayers.dll" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://nsis.sf.net/NSIS_Error"
Heuristic match: "ub]P9S.nL"
Heuristic match: "mkuGXl.cl"
Heuristic match: "F fxj4.iM"
Pattern match: "xO.QZ/Fg"
Heuristic match: "xi
SB.SR"
Heuristic match: "0;Lbfq).Be"
Heuristic match: "b{C _{.CG"
Heuristic match: "amcam.cat"
Heuristic match: "Sig[0].Name"
Heuristic match: "Sig[1].Name"
Heuristic match: "Sig[2].Name"
Heuristic match: "Sig[3].Name"
Heuristic match: "DynamicSig[1].Name"
Heuristic match: "DynamicSig[2].Name"
Heuristic match: "glavcam.cat"
Pattern match: "http://www.amscope.com"
Heuristic match: "CatalogFile=amcam.cat"
Heuristic match: "Catalogfile=glavcam.cat"
Pattern match: "www.amscope.comPublisherNoModifyNoRepairInstallLocationError"
Pattern match: "https://www.globalsign.com/repository/06U/0-0+"
Pattern match: "https://www.globalsign.com/repository/0U00U%0"
Pattern match: "crl.globalsign.com/gs/gstimestampingsha2g2.crl0X+L0J0H+0" - source
- File/Memory
- relevance
- 10/10
-
System Security
-
Creates or modifies windows services
- details
- "wermgr.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112 (Show technique in the MITRE ATT&CK™ matrix)
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"AmScopeSetup_v3.7.10246.zip.exe" opened "\Device\KsecDD"
"dpinst.exe" opened "\Device\KsecDD"
"wermgr.exe" opened "\Device\KsecDD" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215 (Show technique in the MITRE ATT&CK™ matrix)
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
- "amcam.sys" was detected as "Visual C++ 2003 DLL -> Microsoft"
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1002 (Show technique in the MITRE ATT&CK™ matrix)
-
File Details
AmScopeSetup.exe
- Filename
- AmScopeSetup.exe
- Size
- 43MiB (44667808 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- Architecture
- WINDOWS
- SHA256
- e98c031f8fbb24a31aacdb6f823d5cc53ce696771eedb9a89754e7d27acc8586
- MD5
- e6d7d725b3cd368d51923079387e2783
- SHA1
- 2c95fc79985ee519654626c02329c8c4e0628ed0
Classification (TrID)
- 42.7% (.EXE) Win32 Executable (generic)
- 19.2% (.EXE) OS/2 Executable (generic)
- 18.9% (.EXE) Generic Win/DOS Executable
- 18.9% (.EXE) DOS Executable Generic
File Certificates
Certificate chain was successfully validated.
Owner | Issuer | Validity | Hashes (MD5, SHA1) |
---|---|---|---|
C=US, S=CA, L=Irvine, O=AmScope, OU=United Scope, CN=AmScope, E=info@amscope.com | C=US, S=CA, L=Irvine, O=AmScope, OU=United Scope, CN=AmScope, E=info@amscope.com (Serial: 79a980ddc25c4a9102e66214) | 08/24/2016 17:26:13 to 08/25/2019 17:26:13 | 4E:2A:7F:CE:D6:D8:4C:71:F1:C4:C8:B4:4E:F0:A1:03:60:1B:A4:AD: (sha1RSA(RSA)) |
C=BE, O=GlobalSign nv-sa, CN=GlobalSign CodeSigning CA - G3 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign CodeSigning CA - G3 (Serial: 47c30ffefc22bb280f96fea75251) | 03/16/2016 02:00:00 to 03/16/2024 02:00:00 | F1:E7:B6:C0:C1:0D:A9:43:6E:CC:04:FF:5F:C3:B6:91:6B:46:CF:4C: (sha1RSA(RSA)) |
C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA | C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA (Serial: 040000000001154b5ac394) | 09/01/1998 14:00:00 to 01/28/2028 14:00:00 | B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C: (sha1RSA(RSA)) |
Hybrid Analysis
Analysed 4 processes in total (System Resource Monitor).
- AmScopeSetup_v3.7.10246.zip.exe (PID: 4076)
- dpinst.exe /SA /SW /PATH "%PROGRAMFILES%\AmScope\AmScope\drivers\x64" (PID: 3364) 2/73
- wermgr.exe "-queuereporting_s_user" "%LOCALAPPDATA%\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_873679e53ee0a337d4e8471afed967de4439b414_cab_0d2fe411" (PID: 3636)
- dpinst.exe /SA /SW /PATH "%PROGRAMFILES%\AmScope\AmScope\hcam" (PID: 2720) 2/73
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
51.143.111.81 | 443 TCP | wermgr.exe PID: 3636 | United Kingdom |
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
http://nsis.sf.net/nsis_error | Domain/IP reference | 00047584-00004076-49044-63-00402CB6 |
Extracted Strings
Extracted Files
Displaying 20 extracted file(s). The remaining 8 file(s) are available in the full version and XML/JSON reports.
-
Malicious 4
-
-
dpinst.exe
- Size
- 1MiB (1050104 bytes)
- Type
- peexe 64bits executable
- Description
- PE32+ executable (GUI) x86-64, for MS Windows
- AV Scan Result
- Labeled as "Unavailable" (2/73)
- Runtime Process
- dpinst.exe (PID: 3364)
- MD5
- be3c79033fa8302002d9d3a6752f2263
- SHA1
- a01147731f2e500282eca5ece149bcc5423b59d6
- SHA256
- 181bf85d3b5900ff8abed34bc415afc37fc322d9d7702e14d144f96a908f5cab
-
System.dll
- Size
- 11KiB (11264 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "W32.Ramnit.CF" (2/77)
- Runtime Process
- AmScopeSetup_v3.7.10246.zip.exe (PID: 4076)
- MD5
- 2ae993a2ffec0c137eb51c8832691bcb
- SHA1
- 98e0b37b7c14890f8a599f35678af5e9435906e1
- SHA256
- 681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
-
nsDialogs.dll
- Size
- 9.5KiB (9728 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "Unavailable" (1/79)
- Runtime Process
- AmScopeSetup_v3.7.10246.zip.exe (PID: 4076)
- MD5
- 13b6a88cf284d0f45619e76191e2b995
- SHA1
- 09ebb0eb4b1dca73d354368414906fc5ad667e06
- SHA256
- cb958e21c3935ef7697a2f14d64cae0f9264c91a92d2deeb821ba58852dac911
-
amcam.sys
- Size
- 21KiB (21024 bytes)
- Type
- peexe 64bits executable
- Description
- PE32+ executable (native) x86-64, for MS Windows
- AV Scan Result
- Labeled as "Adware.LightSee" (1/75)
- Runtime Process
- dpinst.exe (PID: 3364)
- MD5
- 391ce20910391e2beec24039a9c03649
- SHA1
- 4d308e5bb731efbdb7316bda62d3a9839cbdb2c3
- SHA256
- e795765949d85b5643d065fc3c0b1cee61d6b2df711ad0592ff27b93edd5f5c7
-
-
Clean 1
-
-
glavcam.inf
- Size
- 5.5KiB (5604 bytes)
- Type
- text
- Description
- Windows setup INFormation, ASCII text, with CRLF line terminators
- AV Scan Result
- 0/70
- Runtime Process
- dpinst.exe (PID: 2720)
- MD5
- 1e618604b6f163d18bdfcb023a358344
- SHA1
- 58d5c0f7b97b9f88b02638bd6c8acfb0f304d92e
- SHA256
- 7329be904c492693f0978c9f4966f5dcc165f14f4a89a00c3daf90f6e34e1419
-
-
Informative Selection 1
-
-
SETDB48.tmp
- Size
- 7.6KiB (7798 bytes)
- Type
- text
- Description
- Windows setup INFormation, ASCII text, with CRLF line terminators
- Runtime Process
- dpinst.exe (PID: 3364)
- MD5
- 1a08a7425cb7cbfdf55971897e16e5bd
- SHA1
- 805a459bde554ddb7549cfbfaef7582140984ba4
- SHA256
- a247c057028602155c67299fa44205f299a5f0960c4f85ad7f63c0493f13fcf2
-
-
Informative 14
-
-
DMIE365.tmp.log.xml
- Size
- 820B (820 bytes)
- Runtime Process
- wermgr.exe (PID: 3636)
- MD5
- 58be3f148f45ed8da5742c8e02520233
- SHA1
- c81e8fede5728deb15f98e486a177ea9d1198837
- SHA256
- d510921da394c14636cdbfd8b6b175966dbe57e35b0cc09c7571a68aa2a4a2d2
-
Report.wer
- Size
- 2.3KiB (2316 bytes)
- Runtime Process
- wermgr.exe (PID: 3636)
- MD5
- b844d783dac4e0a615c62dbf0b51d40a
- SHA1
- 2ea6403fb86a816a329a9996909eb74d2164517b
- SHA256
- c40f016ea462325700311ceb6d41b555eeff72882e676e72e35984cf802a6550
-
amcam.inf
- Size
- 7.6KiB (7798 bytes)
- Type
- text
- Description
- Windows setup INFormation, ASCII text, with CRLF line terminators
- Runtime Process
- wermgr.exe (PID: 3636)
- MD5
- 1a08a7425cb7cbfdf55971897e16e5bd
- SHA1
- 805a459bde554ddb7549cfbfaef7582140984ba4
- SHA256
- a247c057028602155c67299fa44205f299a5f0960c4f85ad7f63c0493f13fcf2
-
nss624F.tmp
- Size
- 5MiB (5216368 bytes)
- Type
- rtf
- Description
- data
- Runtime Process
- AmScopeSetup_v3.7.10246.zip.exe (PID: 4076)
- MD5
- f5b9f3e3ed7cc66d5e6fe55535f3374d
- SHA1
- 1f8fa5133ac4010e1be4927bb28b3b4086907e81
- SHA256
- 445512eea90a7e19cc1db8de5acd57b93cdc28235c8f0ca1049edab87fbdc987
-
modern-wizard.bmp
- Size
- 26KiB (26494 bytes)
- Type
- unknown
- Description
- PC bitmap, Windows 3.x format, 164 x 314 x 4
- Runtime Process
- AmScopeSetup_v3.7.10246.zip.exe (PID: 4076)
- MD5
- cbe40fd2b1ec96daedc65da172d90022
- SHA1
- 366c216220aa4329dff6c485fd0e9b0f4f0a7944
- SHA256
- 3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2
-
SETDB37.tmp
- Size
- 20KiB (20166 bytes)
- Runtime Process
- dpinst.exe (PID: 3364)
- MD5
- 59ee0f11c003a91bf099500437ffb34c
- SHA1
- 327a346a12b5638e51786aca631cae44b51f46a2
- SHA256
- 199c31227f4f4e71c29ec66987298f4140e8c8313200860881474eff200c98ba
-
SETDB68.tmp
- Size
- 21KiB (21024 bytes)
- Runtime Process
- dpinst.exe (PID: 3364)
- MD5
- 391ce20910391e2beec24039a9c03649
- SHA1
- 4d308e5bb731efbdb7316bda62d3a9839cbdb2c3
- SHA256
- e795765949d85b5643d065fc3c0b1cee61d6b2df711ad0592ff27b93edd5f5c7
-
amcam.cat
- Size
- 20KiB (20166 bytes)
- Type
- data
- Runtime Process
- dpinst.exe (PID: 3364)
- MD5
- 1698bb08aad9b2b024a7b71bec0d755b
- SHA1
- 12331635af152a2a021ff12fcd347ce1087b4dca
- SHA256
- 3c6ba5992911ba0a4d08e0dba359274e3e2d2da9913ec43f0d75d71143836cc6
-
SETF324.tmp
- Size
- 3.2KiB (3263 bytes)
- Runtime Process
- dpinst.exe (PID: 2720)
- MD5
- 3fa058a2e99a089da3a3ef0e61e0936a
- SHA1
- 43e6db51458691e40cf8e81b8163129b9e0f5c8f
- SHA256
- d3217c4a047b6154f169c3449b0e8c4b64c4804447bf9e80ae0b09140d845ede
-
SETF344.tmp
- Size
- 5.5KiB (5604 bytes)
- Type
- text
- Description
- Windows setup INFormation, ASCII text, with CRLF line terminators
- Runtime Process
- dpinst.exe (PID: 2720)
- MD5
- 1e618604b6f163d18bdfcb023a358344
- SHA1
- 58d5c0f7b97b9f88b02638bd6c8acfb0f304d92e
- SHA256
- 7329be904c492693f0978c9f4966f5dcc165f14f4a89a00c3daf90f6e34e1419
-
glavcam.cat
- Size
- 3.2KiB (3263 bytes)
- Type
- data
- Runtime Process
- dpinst.exe (PID: 2720)
- MD5
- 3fa058a2e99a089da3a3ef0e61e0936a
- SHA1
- 43e6db51458691e40cf8e81b8163129b9e0f5c8f
- SHA256
- d3217c4a047b6154f169c3449b0e8c4b64c4804447bf9e80ae0b09140d845ede
-
SETF384.tmp
- Size
- 3.1MiB (3270432 bytes)
- Runtime Process
- dpinst.exe (PID: 2720)
- MD5
- 95c65234bc3809f593152b25f78f1475
- SHA1
- 9385f96e799ff868cd1115b0f896abaafb33cc07
- SHA256
- 561f34de839e38edbe26832209413065bc43e61dfb4c21213f8308913a9b5bd8
-
glavcam.sys
- Size
- 3.1MiB (3270432 bytes)
- Runtime Process
- dpinst.exe (PID: 2720)
- MD5
- 95c65234bc3809f593152b25f78f1475
- SHA1
- 9385f96e799ff868cd1115b0f896abaafb33cc07
- SHA256
- 561f34de839e38edbe26832209413065bc43e61dfb4c21213f8308913a9b5bd8
-
DPINST.LOG
- Size
- 4.4KiB (4528 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- dpinst.exe (PID: 3364)
- MD5
- dad7c33e09f68c991e7328cf5d140af4
- SHA1
- 2e4cdf6f1cf1dc1d8411a75e75ffcbe1dd067057
- SHA256
- e0efd2eae1a0f7dd1aefab2ce506a60a7619abf381a4f967ee166b7f14a9d3a0
-
Notifications
-
Runtime
- Extracted file "amcam.inf" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/a247c057028602155c67299fa44205f299a5f0960c4f85ad7f63c0493f13fcf2/analysis/1566927479/")
- No static analysis parsing on sample was performed
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-12" are available in the report
- Not all sources for indicator ID "api-4" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "registry-17" are available in the report
- Not all sources for indicator ID "registry-18" are available in the report
- Not all sources for indicator ID "registry-19" are available in the report
- Not all sources for indicator ID "string-24" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report