installer.exe
This report is generated from a file or URL submitted to this webservice on November 22nd 2019 20:55:16 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Spyware
  - Contains ability to open the clipboard
  - Found a string that may be used as part of an injection method
- Persistence
  - Modifies System Certificates Settings
  - Modifies auto-execute functionality by setting/creating a value in the registry
  - Spawns a lot of processes
  - Writes data to a remote process
- Fingerprint
  - Queries firmware table information (may be used to fingerprint/evade)
  - Queries kernel debugger information
  - Queries process information
  - Queries sensitive IE security settings
  - Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Evasive
  - Found a Wine emulator related string
  - Marks file for deletion
  - References security related windows services
  - The input sample contains a known anti-VM trick
- Spreading
  - Opens the MountPointManager (often used to detect additional infection locations)
- Network Behavior
  - Contacts 1 domain and 6 hosts.
Additional Context
Related Sandbox Artifacts
- Associated URLs
  - hxxps://nzxt-app.nzxt.com/installer.exe
Indicators
Not all malicious and suspicious indicators are displayed in the public report.
Malicious Indicators (20)
Anti-Detection/Stealthiness

Queries firmware table information (may be used to fingerprint/evade)
- details:
  "cam_helper.exe" at 00043470-00001300-00000033-192023106930
  "cam_helper.exe" at 00043470-00001300-00000033-192023495448
  "cam_helper.exe" at 00043470-00001300-00000033-199325146540
  "cam_helper.exe" at 00043470-00001300-00000033-199325586618
  "cam_helper.exe" at 00043470-00001300-00000033-207054561815
  "cam_helper.exe" at 00043470-00001300-00000033-207055045528
  "cam_helper.exe" at 00043470-00001300-00000033-207055856428
  "cam_helper.exe" at 00043470-00001300-00000033-207056408691
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1120
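The firmware-table indicator above refers to kernel32!GetSystemFirmwareTable, which returns the raw SMBIOS table for the 'RSMB' provider. The BIOS vendor, system manufacturer and product strings inside it are what hypervisor checks look for, and also what a hardware-monitoring tool legitimately reads to identify the board, so the call by itself is not a verdict; what matters is which strings are compared and what happens on a match. The Python below is an added example written for this page, not code from the report or from NZXT: it parses a RawSMBIOSData blob, collects the strings of the hardware-identity structures (types 0 to 3) and matches them against a marker list, so an analyst can see exactly what such a check would find on the analysis VM. The two tables it runs on are constructed inline (not captured from any machine), the marker list is illustrative, and read_rsmb() only does anything on Windows.

```python
import struct
import sys

# Illustrative hypervisor markers; real checks use longer lists and also read UUID/serial fields.
HYPERVISOR_MARKERS = (
    "vmware", "virtualbox", "innotek", "qemu", "bochs", "xen",
    "parallels", "kvm", "virtual machine",
)

def build_structure(stype, handle, formatted, strings):
    """Encode one SMBIOS structure: 4-byte header, formatted area, NUL-terminated string set."""
    header = struct.pack("<BBH", stype, 4 + len(formatted), handle)
    if strings:
        string_set = b"".join(s.encode() + b"\0" for s in strings) + b"\0"
    else:
        string_set = b"\0\0"  # spec: a structure without strings ends in two NULs
    return header + formatted + string_set

def build_rsmb(structures, major=2, minor=7):
    """Wrap structures in the RawSMBIOSData header that GetSystemFirmwareTable('RSMB') returns."""
    table = b"".join(structures)
    return struct.pack("<BBBBI", 0, major, minor, 0, len(table)) + table

def parse_smbios(raw):
    """Yield (type, handle, formatted, strings) for each structure in a RawSMBIOSData blob."""
    _, _, _, _, length = struct.unpack_from("<BBBBI", raw, 0)
    table = raw[8:8 + length]
    off = 0
    while off + 4 <= len(table):
        stype, slen, handle = struct.unpack_from("<BBH", table, off)
        if slen < 4:
            raise ValueError(f"bad structure length {slen} at offset {off}")
        formatted = table[off:off + slen]
        pos, strings = off + slen, []
        while True:
            end = table.index(b"\0", pos)      # ValueError if the string set is truncated
            if end == pos:                     # empty string == end of the string set
                pos += 1
                break
            strings.append(table[pos:end].decode("ascii", "replace"))
            pos = end + 1
        if not strings:
            pos += 1                           # skip the second NUL of an empty set
        yield stype, handle, formatted, strings
        if stype == 127:                       # End-of-Table
            break
        off = pos

def firmware_vm_indicators(raw):
    """Return (type, string, marker) for every hypervisor marker in the BIOS/System/Baseboard/Chassis strings."""
    hits = []
    for stype, _, _, strings in parse_smbios(raw):
        if stype not in (0, 1, 2, 3):
            continue
        for s in strings:
            low = s.lower()
            marker = next((m for m in HYPERVISOR_MARKERS if m in low), None)
            if marker:
                hits.append((stype, s, marker))
    return hits

def read_rsmb():
    """Live table on Windows via kernel32!GetSystemFirmwareTable('RSMB'); None on other platforms."""
    if sys.platform != "win32":
        return None
    import ctypes
    k32 = ctypes.windll.kernel32
    RSMB = 0x52534D42                          # 'RSMB' provider signature
    size = k32.GetSystemFirmwareTable(RSMB, 0, None, 0)
    buf = ctypes.create_string_buffer(size)
    k32.GetSystemFirmwareTable(RSMB, 0, buf, size)
    return buf.raw

# Constructed sample tables (not captured from any real machine).
# Type 0 formatted area: vendor(str 1), version(str 2), start segment, release date(str 3), ROM size, characteristics.
_BIOS = bytes([1, 2, 0x00, 0xE0, 3, 0x00]) + b"\0" * 8
# Type 1 formatted area: manufacturer(1), product(2), version(3), serial(4), UUID[16], wake-up type, SKU, family.
_SYSTEM = bytes([1, 2, 3, 4]) + b"\x11" * 16 + bytes([6, 0, 0])

SAMPLE_VM = build_rsmb([
    build_structure(0, 0x0000, _BIOS, ["Phoenix Technologies LTD", "6.00", "07/22/2020"]),
    build_structure(1, 0x0001, _SYSTEM, ["VMware, Inc.", "VMware Virtual Platform", "None", "VMware-56 4d 11 22"]),
    build_structure(127, 0x0002, b"", []),
])
SAMPLE_BARE_METAL = build_rsmb([
    build_structure(0, 0x0000, _BIOS, ["Dell Inc.", "1.14.0", "01/15/2021"]),
    build_structure(1, 0x0001, _SYSTEM, ["Dell Inc.", "OptiPlex 7070", "Not Specified", "ABC1234"]),
    build_structure(127, 0x0002, b"", []),
])

if __name__ == "__main__":
    raw = read_rsmb() or SAMPLE_VM
    for stype, s, marker in firmware_vm_indicators(raw):
        print(f"type {stype}: {s!r} matches {marker!r}")
```

Run on the analysis VM itself, the same function tells you which strings the guest exposes; a sandbox that wants to survive this check has to rewrite those SMBIOS fields, not just hide the API.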
Environment Awareness

Found a Wine emulator related string
- details: "wine_get_version" (Indicator: "wine_get_version"; File: "fb0e642ccbe2073270a13c6a522490f7ba6a15774626277d42476be1ebf69d3d.bin")
- source: File/Memory
- relevance: 2/10

The input sample contains a known anti-VM trick
- details: Found VM detection artifact "CPUID trick" in "fb0e642ccbe2073270a13c6a522490f7ba6a15774626277d42476be1ebf69d3d.bin" (Offset: 644264)
- source: Binary File
- relevance: 5/10
External Systems

Sample was identified as malicious by at least one Antivirus engine
- details: 1/20 Antivirus vendors marked sample as malicious (5% detection rate)
- source: External System
- relevance: 8/10
General

The analysis extracted a file that was identified as malicious
- details: 1/65 Antivirus vendors marked dropped file "Hook Helper.exe" as malicious (classified as "Gen:NN.ZexaE.31176" with 1% detection rate)
- source: Binary File
- relevance: 10/10

The analysis spawned a process that was identified as malicious
- details: 1/65 Antivirus vendors marked spawned process "Hook Helper.exe" (PID: 2924) as malicious (classified as "Gen:NN.ZexaE.31176" with 1% detection rate)
- source: Monitored Target
- relevance: 10/10
Installation/Persistence

Allocates virtual memory in a remote process
- details:
  "installer.exe" allocated memory in "\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
  "installer.exe" allocated memory in "\REGISTRY\USER\S-1-5-21-686412048-2446563785-1323799475-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e47f4f47-d863-11e7-9d8f-806e6f6e6963}"
  "cam_helper.exe" allocated memory in "%WINDIR%\System32\en-US\KernelBase.dll.mui"
- source: API Call
- relevance: 7/10
- ATT&CK ID: T1055

Writes data to a remote process
- details:
  "installer.exe" wrote 32 bytes to a remote process "%TEMP%\651b-c0cf-32b2-2d68.exe" (Handle: 624)
  "installer.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\651b-c0cf-32b2-2d68.exe" (Handle: 624)
  "installer.exe" wrote 8 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\651b-c0cf-32b2-2d68.exe" (Handle: 624)
  "installer.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\651b-c0cf-32b2-2d68.exe" (Handle: 624)
  "installer.exe" wrote 52 bytes to a remote process "C:\Program Files\NZXT CAM\NZXT CAM.exe" (Handle: 808)
  "installer.exe" wrote 8 bytes to a remote process "C:\Program Files\NZXT CAM\NZXT CAM.exe" (Handle: 808)
  "installer.exe" wrote 32 bytes to a remote process "C:\Program Files\NZXT CAM\NZXT CAM.exe" (Handle: 808)
  "NZXT CAM.exe" wrote 32 bytes to a remote process "C:\Program Files\NZXT CAM\NZXT CAM.exe" (Handle: 752)
  "NZXT CAM.exe" wrote 52 bytes to a remote process "C:\Program Files\NZXT CAM\NZXT CAM.exe" (Handle: 752)
  "NZXT CAM.exe" wrote 8 bytes to a remote process "C:\Program Files\NZXT CAM\NZXT CAM.exe" (Handle: 752)
  "NZXT CAM.exe" wrote 32 bytes to a remote process "C:\Program Files\NZXT CAM\NZXT CAM.exe" (Handle: 1928)
  "NZXT CAM.exe" wrote 52 bytes to a remote process "C:\Program Files\NZXT CAM\NZXT CAM.exe" (Handle: 1928)
  "NZXT CAM.exe" wrote 8 bytes to a remote process "C:\Program Files\NZXT CAM\NZXT CAM.exe" (Handle: 1928)
  "NZXT CAM.exe" wrote 188 bytes to a remote process "C:\Program Files\NZXT CAM\NZXT CAM.exe" (Handle: 1928)
  "NZXT CAM.exe" wrote 16 bytes to a remote process "C:\Program Files\NZXT CAM\NZXT CAM.exe" (Handle: 1928)
  "NZXT CAM.exe" wrote 328 bytes to a remote process "C:\Program Files\NZXT CAM\NZXT CAM.exe" (Handle: 1928)
  "NZXT CAM.exe" wrote 176 bytes to a remote process "C:\Program Files\NZXT CAM\NZXT CAM.exe" (Handle: 1928)
  "NZXT CAM.exe" wrote 4 bytes to a remote process "C:\Program Files\NZXT CAM\NZXT CAM.exe" (Handle: 1928)
- source: API Call
- relevance: 6/10
- ATT&CK ID: T1055
Network Related

Malicious artifacts seen in the context of a contacted host
- details: Found malicious artifacts related to "13.249.87.73": ...
  URL: http://goldqaess.v3locitydev.com/ (AV positives: 1/71 scanned on 11/22/2019 19:43:07)
  URL: http://jsgnr.bestpriceninja.com/ (AV positives: 3/71 scanned on 11/21/2019 15:26:09)
  URL: https://www.aaeglass.com/shop/fusing-supplies.html?color=298 (AV positives: 1/71 scanned on 11/19/2019 02:29:33)
  URL: http://ymcss.b8cdn.com/ (AV positives: 1/71 scanned on 11/18/2019 12:24:02)
  URL: https://cran.rstudio.com/web/packages/openxlsx/index.html (AV positives: 1/71 scanned on 11/14/2019 09:00:55)
  File SHA256: 0445db7b806bc6fbc29fe7b2a146eee8493e5f8560827986b8f5a4f4b40887c1 (AV positives: 15/69 scanned on 10/08/2019 11:39:02)
  File SHA256: 576ea63ac4f16348a80f68c45de58939d60df727f693be352a1e72d58ba970b4 (AV positives: 1/72 scanned on 09/15/2019 12:47:50)
  File SHA256: 7921a6035cc8a0981a5dee737dd3d29b150ddd48407717d3fca4b6376f2b0e70 (AV positives: 1/73 scanned on 05/28/2019 00:01:21)
  File SHA256: 03099d2be0e0abe0ae6ce7a7683a2541acd4a0f3d543b9814ce671846e687707 (AV positives: 1/68 scanned on 04/20/2019 00:52:45)
  File SHA256: 422524a676ea5dbf08e2c1941b5d2eb84d720c7d9f822e4bdf08bcb979592746 (AV positives: 1/71 scanned on 03/17/2019 00:33:19)
- source: Network Traffic
- relevance: 10/10

Uses network protocols on unusual ports
- details:
  TCP traffic to 52.218.221.64 on port 49311
  TCP traffic to 35.167.7.225 on port 49316
  TCP traffic to 99.84.174.17 on port 49317
  TCP traffic to 35.188.42.15 on port 49318
  TCP traffic to 18.214.22.168 on port 49319
- source: Network Traffic
- relevance: 7/10
- ATT&CK ID: T1065
System Security

Modifies System Certificates Settings
- details:
  "NZXT CAM.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "1FB86B1168EC743154062E8C9CC5B171A4B7CCB4")
  "NZXT CAM.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\1FB86B1168EC743154062E8C9CC5B171A4B7CCB4"; Key: "BLOB")
- source: Registry Access
- relevance: 8/10
- ATT&CK ID: T1112

References security related windows services
- details: "wuauserv" (Indicator: "wuauserv")
- source: File/Memory
- relevance: 7/10
- ATT&CK ID: T1044
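The certificate-store entry above is a write to the "Blob" value under HKCU\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\<thumbprint>, which is the current user's Intermediate Certification Authorities store; a certificate placed there is not a new trust anchor (that would be the ROOT store under the same parent key), but it is still worth identifying. The subkey name is the SHA-1 thumbprint of the certificate, and the Blob is a sequence of property records, each <property id u32><reserved u32, always 1><length u32><data>, with the DER-encoded certificate under property 32 (CERT_CERT_PROP_ID) and the SHA-1 hash under property 3. The Python below is an added example, not code from the report or from NZXT: it parses such a Blob, checks that the subkey name and the stored hash property both match the certificate bytes (a mismatch means the entry was written by something other than CryptoAPI, or tampered with), and on Windows can read the live value with winreg so the thumbprint in the report can be checked on a real host. The certificate bytes in the constructed sample are a placeholder, not a parseable X.509 object. The later "Modifies Software Policy Settings" entries for service.exe show only key creation under SOFTWARE\Policies\Microsoft\SystemCertificates with no values set, which is consistent with CryptoAPI opening the group-policy stores rather than populating them; read them as context for this entry rather than as a separate finding.

```python
import hashlib
import struct
import sys

# Property IDs found in the serialized store element that CryptoAPI writes to the "Blob" value.
CERT_KEY_PROV_INFO_PROP_ID = 2
CERT_SHA1_HASH_PROP_ID = 3
CERT_MD5_HASH_PROP_ID = 4
CERT_CERT_PROP_ID = 32

CA_STORE_KEY = r"SOFTWARE\Microsoft\SystemCertificates\CA\Certificates"   # current user's Intermediate CAs

def parse_cert_blob(blob):
    """Split a Blob value into {prop_id: data}; each record is <propid u32><reserved u32 == 1><len u32><data>."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed record (id {prop_id}) at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    return props

def verify_store_entry(key_name, blob):
    """Check that the subkey name and the stored SHA-1 property both match the certificate inside the Blob."""
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        return False, "no CERT_CERT_PROP_ID record: properties without a certificate"
    thumb = hashlib.sha1(der).hexdigest().upper()
    if thumb != key_name.upper():
        return False, f"subkey {key_name} != SHA-1 of certificate bytes {thumb}"
    stored = props.get(CERT_SHA1_HASH_PROP_ID)
    if stored is not None and stored.hex().upper() != thumb:
        return False, "CERT_SHA1_HASH_PROP_ID disagrees with the certificate bytes"
    return True, thumb

def encode_cert_blob(der):
    """Build a Blob in the layout commonly seen in the registry: hash property first, certificate last."""
    def rec(pid, data):
        return struct.pack("<III", pid, 1, len(data)) + data
    return rec(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(der).digest()) + rec(CERT_CERT_PROP_ID, der)

def read_store_entry(thumbprint, store_key=CA_STORE_KEY):
    """Read HKCU\\<store>\\<thumbprint>\\Blob on Windows; None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, store_key + "\\" + thumbprint) as key:
        blob, _ = winreg.QueryValueEx(key, "Blob")
    return blob

# Constructed placeholder standing in for DER certificate bytes (not a real or parseable certificate).
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
FAKE_THUMB = hashlib.sha1(FAKE_DER).hexdigest().upper()
SAMPLE_BLOB = encode_cert_blob(FAKE_DER)

if __name__ == "__main__":
    thumb = sys.argv[1] if len(sys.argv) > 1 else FAKE_THUMB
    blob = read_store_entry(thumb) or SAMPLE_BLOB
    print(verify_store_entry(thumb, blob))
```

On a host, `python check_blob.py 1FB86B1168EC743154062E8C9CC5B171A4B7CCB4` reads the entry the report names and returns the verified thumbprint; the DER bytes from property 32 can then be handed to any X.509 parser to read the issuer and subject, which the report does not record.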
Unusual Characteristics

Contains native function calls
- details: NtdllDefWindowProc_W@NTDLL.DLL from 651b-c0cf-32b2-2d68.exe (PID: 2072)
- source: Hybrid Analysis Technology
- relevance: 5/10

Spawns a lot of processes
- details:
  Spawned process "installer.exe"
  Spawned process "651b-c0cf-32b2-2d68.exe" with commandline "/S"
  Spawned process "service.exe" with commandline "install"
  Spawned process "service.exe"
  Spawned process "NZXT CAM.exe"
  Spawned process "NZXT CAM.exe" with commandline "--reporter-url=https://sentry.io/api/1309282/minidump?sentry_key=4693ff360b9a4e72970c258176aabf3b "--application-name=NZXT CAM" "--crashes-directory=%TEMP%\NZXT CAM Crashes" --v=1"
  Spawned process "NZXT CAM.exe" with commandline "--type=gpu-process --disable-features=SpareRendererForSitePerProcess --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=11412982229828634726 --mojo-platform-channel-handle=1176 --ignored=" --type=renderer " /prefetch:2"
  Spawned process "cmd.exe" with commandline "/d /s /c "tasklist""
  Spawned process "tasklist.exe"
  Spawned process "NZXT CAM.exe" with commandline "--type=renderer --disable-features=SpareRendererForSitePerProcess --service-pipe-token=4843025526870636708 --lang=en-US --app-user-model-id=NZXT.CAM --app-path="%PROGRAMFILES%\NZXT CAM\resources\app.asar" --node-integration --no-sandbox --no-zygote --background-color=#00000 --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=4843025526870636708 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2080 /prefetch:1"
  Spawned process "NZXT CAM.exe" with commandline "--type=gpu-process --disable-features=SpareRendererForSitePerProcess --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --service-request-channel-token=8168898515963140389 --mojo-platform-channel-handle=1176 --ignored=" --type=renderer " /prefetch:2"
  Spawned process "NZXT CAM.exe" with commandline "--type=gpu-process --disable-features=SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --service-request-channel-token=2711389636016992580 --mojo-platform-channel-handle=2264 /prefetch:2"
  Spawned process "cam_helper.exe" with commandline ""--elevation=e508985b-12fc-4f28-b9c4-ddcdedbf53fb" "--run-id=e24b03369963491ab0082491691c78a1" "--app-version=NZXT CAM@4.1.0" "--env=production" "--log-dir=%APPDATA%\NZXT CAM""
  Spawned process "cam_helper.exe" with commandline "--transfer=a318f3e4-7ad1-466a-88f6-d5f902e5c966 --refresh=745b1709-0a59-4559-aa82-c00f2debf553 --run-id=e24b03369963491ab0082491691c78a1 "--app-version=NZXT CAM@4.1.0" --env=production "--log-dir=%APPDATA%\NZXT CAM""
  Spawned process "Hook Helper.exe" with commandline "offsets 274877910024"
  Spawned process "NZXT CAM.exe" with commandline "--reporter-url= "--application-name=NZXT CAM" "--crashes-directory=%TEMP%\NZXT CAM Crashes" --v=1"
- source: Monitored Target
- relevance: 8/10
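Most of the spawns listed above are Chromium child processes of an Electron application (the app.asar path, the --type=gpu-process / --type=renderer roles, the Mojo channel handles and the crashpad-style --reporter-url= runs are all Chromium conventions), which is why a desktop utility trips the "spawns a lot of processes" rule. Two things in the list deserve attention rather than the count: the spawns that are not Electron machinery (cmd.exe /c tasklist, the cam_helper.exe --elevation run, Hook Helper.exe), and the isolation flags on the renderer. A renderer started with --no-sandbox together with --node-integration gives any script injected into the UI full Node.js privileges, and --disable-gpu-sandbox and --no-v8-untrusted-code-mitigations remove further protections. The Python below is an added example, not code from the report or from NZXT: it parses the "Spawned process" lines, tokenises the Windows command lines (nested quoting such as --ignored=" --type=renderer " is handled, so that token is not mistaken for the process role), classifies each spawn and collects the weakening flags. The input list is copied from the entry above with the long --gpu-preferences value shortened to "..."; the LOLBin list is an assumption.

```python
import re

SPAWN_RE = re.compile(r'^Spawned process "(?P<image>[^"]+)"(?: with commandline "(?P<cmd>.*)")?$')

# Chromium child-process roles carried in --type=...; Electron reuses them unchanged.
ELECTRON_CHILD_TYPES = {"gpu-process", "renderer", "utility", "crashpad-handler", "zygote"}

# Command-line flags that remove an isolation layer from an Electron/Chromium process.
WEAK_FLAGS = {
    "--no-sandbox": "process runs without the OS sandbox",
    "--node-integration": "web content may require() Node modules: script injection becomes code execution",
    "--disable-gpu-sandbox": "GPU process runs without the OS sandbox",
    "--no-v8-untrusted-code-mitigations": "V8 untrusted-code (Spectre) mitigations disabled",
}

# Assumption: images a desktop application rarely needs to spawn in the user's session.
LOLBINS = {"cmd.exe", "tasklist.exe", "powershell.exe", "wscript.exe", "cscript.exe", "reg.exe", "schtasks.exe"}

def split_cmdline(cmd):
    """Split a Windows command line on unquoted whitespace; strips the double quotes, keeps backslashes."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmd:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens

def classify_spawn(line):
    """Turn one 'Spawned process' line into {image, kind, child_type, weak_flags, reporter_url, argv}."""
    m = SPAWN_RE.match(re.sub(r"\s*\(Show Process\)\s*$", "", line.strip()))
    if not m:
        return None
    image, argv = m.group("image"), split_cmdline(m.group("cmd") or "")
    child_type = next((t.split("=", 1)[1] for t in argv if t.startswith("--type=")), None)
    reporter = next((t.split("=", 1)[1] for t in argv if t.startswith("--reporter-url=")), None)
    if child_type in ELECTRON_CHILD_TYPES:
        kind = "electron-child"
    elif reporter is not None:
        kind = "electron-crash-reporter"
    elif image.lower() in LOLBINS:
        kind = "lolbin"
    else:
        kind = "other"
    return {
        "image": image, "kind": kind, "child_type": child_type,
        "weak_flags": [t for t in argv if t in WEAK_FLAGS],
        "reporter_url": reporter, "argv": argv,
    }

def summarize(lines):
    """Count spawns per kind and collect every weakening flag seen."""
    rows = [r for r in map(classify_spawn, lines) if r]
    counts = {}
    for r in rows:
        counts[r["kind"]] = counts.get(r["kind"], 0) + 1
    weak = sorted({f for r in rows for f in r["weak_flags"]})
    return counts, weak

# Copied from the report's "Spawns a lot of processes" entry; --gpu-preferences values shortened to "...".
SPAWNED = [
    r'Spawned process "installer.exe"',
    r'Spawned process "651b-c0cf-32b2-2d68.exe" with commandline "/S"',
    r'Spawned process "service.exe" with commandline "install"',
    r'Spawned process "service.exe"',
    r'Spawned process "NZXT CAM.exe"',
    r'Spawned process "NZXT CAM.exe" with commandline "--reporter-url=https://sentry.io/api/1309282/minidump?sentry_key=4693ff360b9a4e72970c258176aabf3b "--application-name=NZXT CAM" "--crashes-directory=%TEMP%\NZXT CAM Crashes" --v=1"',
    r'Spawned process "NZXT CAM.exe" with commandline "--type=gpu-process --disable-features=SpareRendererForSitePerProcess --gpu-preferences=... --service-request-channel-token=11412982229828634726 --mojo-platform-channel-handle=1176 --ignored=" --type=renderer " /prefetch:2"',
    r'Spawned process "cmd.exe" with commandline "/d /s /c "tasklist""',
    r'Spawned process "tasklist.exe"',
    r'Spawned process "NZXT CAM.exe" with commandline "--type=renderer --disable-features=SpareRendererForSitePerProcess --service-pipe-token=4843025526870636708 --lang=en-US --app-user-model-id=NZXT.CAM --app-path="%PROGRAMFILES%\NZXT CAM\resources\app.asar" --node-integration --no-sandbox --no-zygote --background-color=#00000 --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=4843025526870636708 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2080 /prefetch:1"',
    r'Spawned process "NZXT CAM.exe" with commandline "--type=gpu-process --disable-features=SpareRendererForSitePerProcess --gpu-preferences=... --use-gl=swiftshader-webgl --service-request-channel-token=8168898515963140389 --mojo-platform-channel-handle=1176 --ignored=" --type=renderer " /prefetch:2"',
    r'Spawned process "NZXT CAM.exe" with commandline "--type=gpu-process --disable-features=SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-preferences=... --use-gl=swiftshader-webgl --service-request-channel-token=2711389636016992580 --mojo-platform-channel-handle=2264 /prefetch:2"',
    r'Spawned process "cam_helper.exe" with commandline ""--elevation=e508985b-12fc-4f28-b9c4-ddcdedbf53fb" "--run-id=e24b03369963491ab0082491691c78a1" "--app-version=NZXT CAM@4.1.0" "--env=production" "--log-dir=%APPDATA%\NZXT CAM""',
    r'Spawned process "cam_helper.exe" with commandline "--transfer=a318f3e4-7ad1-466a-88f6-d5f902e5c966 --refresh=745b1709-0a59-4559-aa82-c00f2debf553 --run-id=e24b03369963491ab0082491691c78a1 "--app-version=NZXT CAM@4.1.0" --env=production "--log-dir=%APPDATA%\NZXT CAM""',
    r'Spawned process "Hook Helper.exe" with commandline "offsets 274877910024"',
    r'Spawned process "NZXT CAM.exe" with commandline "--reporter-url= "--application-name=NZXT CAM" "--crashes-directory=%TEMP%\NZXT CAM Crashes" --v=1"',
]

if __name__ == "__main__":
    counts, weak = summarize(SPAWNED)
    print(counts)
    for flag in weak:
        print(f"{flag}: {WEAK_FLAGS[flag]}")
```

The same classifier applied to a live process list (image plus command line from a process-creation log) separates an Electron app's routine fan-out from the handful of children that actually need a look.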

6 further malicious indicators are not shown in the public report.

Suspicious Indicators (44)
Anti-Reverse Engineering

Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
- details:
  "service.exe" is allocating memory with PAGE_GUARD access rights
  "NZXT CAM.exe" is allocating memory with PAGE_GUARD access rights
  "cam_helper.exe" is allocating memory with PAGE_GUARD access rights
- source: API Call
- relevance: 10/10

Looks up many procedures within the same disassembly stream (often used to hide usage)
- details:
  Found 33 calls to GetProcAddress@KERNEL32.dll
  Found 17 calls to GetProcAddress@KERNEL32.dll
  Found 19 calls to GetProcAddress@KERNEL32.dll at 14033-5571-000000018004AF8B
  Found 15 calls to GetProcAddress@KERNEL32.dll at 14033-6004-0000000180068D40
  Found 12 calls to GetProcAddress@KERNEL32.dll at 14033-6632-000000018008E404
- source: Hybrid Analysis Technology
- relevance: 10/10
Cryptographic Related

Found a cryptographic related string
- details: "DES" (Indicator: "des"; File: "fb0e642ccbe2073270a13c6a522490f7ba6a15774626277d42476be1ebf69d3d.bin")
- source: File/Memory
- relevance: 10/10
Environment Awareness

Contains ability to measure performance
- details: rdtsc at 64615-2461-00433125
- source: Hybrid Analysis Technology
- relevance: 10/10

Contains ability to query CPU information
- details:
  cpuid from installer.exe (PID: 2120)
  cpuid from service.exe (PID: 3424)
  cpuid from service.exe (PID: 2116)
  cpuid
  cpuid at 64615-1144-0042EC07
  cpuid at 14033-33-0000000180197614
  cpuid at 14033-257-000000018016AC54
  cpuid at 14033-88-000000018018EA04
  cpuid at 14033-202-0000000180175CAC
- source: Hybrid Analysis Technology
- relevance: 10/10
- ATT&CK ID: T1082

Contains ability to read monitor info
- details: GetMonitorInfoW@USER32.dll at 64615-1576-0041E2AF
- source: Hybrid Analysis Technology
- relevance: 5/10
- ATT&CK ID: T1082

Reads the active computer name
- details:
  "installer.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  "651b-c0cf-32b2-2d68.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  "service.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  "NZXT CAM.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  "tasklist.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  "cam_helper.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  "Hook Helper.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1012

Reads the cryptographic machine GUID
- details:
  "installer.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  "service.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  "NZXT CAM.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  "tasklist.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012
General

Contains ability to find and load resources of a specific module
- details:
  LoadResource@KERNEL32.dll
  LoadResource@KERNEL32.DLL from installer.exe (PID: 2120)
  LoadResource@KERNEL32.dll at 14033-4083-00000001800D5718
  LoadResource@KERNEL32.dll at 14033-4091-00000001800D59DC
- source: Hybrid Analysis Technology
- relevance: 1/10

Reads configuration files
- details:
  "installer.exe" read file "%USERPROFILE%\Desktop\desktop.ini"
  "651b-c0cf-32b2-2d68.exe" read file "%USERPROFILE%\Users\%OSUSER%\Desktop\desktop.ini"
  "cam_helper.exe" read file "%WINDIR%\win.ini"
- source: API Call
- relevance: 4/10
Installation/Persistence

Drops executable files
- details:
  "cpuidsdk64.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
  "651b-c0cf-32b2-2d68.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows Nullsoft Installer self-extracting archive"
  "Graphics Hook.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "firmware-update.exe" has type "PE32+ executable (console) x86-64 for MS Windows"
  "StdUtils.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
  "SiUSBXp86.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "MCP2200DriverInstallationTool.exe" has type "PE32+ executable (GUI) x86-64 for MS Windows"
  "libGLESv2.dll" has type "PE32+ executable (DLL) (console) x86-64 for MS Windows"
  "ffmpeg.dll" has type "PE32+ executable (DLL) (console) x86-64 for MS Windows"
  "NZXT_NahimicAPIInstaller.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  "NZXT CAM.exe" has type "PE32+ executable (GUI) x86-64 for MS Windows"
  "SeaSonicsESeries64.dll" has type "PE32+ executable (DLL) (console) x86-64 for MS Windows"
  "nsProcess.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "Uninstall NZXT CAM.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows Nullsoft Installer self-extracting archive"
  "libEGL.dll" has type "PE32+ executable (DLL) (console) x86-64 for MS Windows"
  "Hook Helper.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  "nsis7z.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
  "KrakenDriver.exe" has type "PE32 executable (console) Intel 80386 Mono/.Net assembly for MS Windows"
  "service.exe" has type "PE32+ executable (console) x86-64 for MS Windows"
  "SeaSonicsESeries86.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
- source: Binary File
- relevance: 10/10

Modifies auto-execute functionality by setting/creating a value in the registry
- details: "NZXT CAM.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN")
- source: Registry Access
- relevance: 8/10
- ATT&CK ID: T1060

The input sample dropped/contains a certificate file
- details:
  File "aseusb.cat" is a certificate (Owner: CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US; Issuer: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA; SerialNumber: 7e93ebfb7cc64e59ea4b9a77d406fc3b; Valid From: 12/21/2012 00:00:00; Until: 12/30/2020 23:59:59; Fingerprints: MD5=7B:A3:69:EE:9A:BD:81:E0:FC:76:74:E9:70:9E:15:1D; SHA1=6C:07:45:3F:FD:DA:08:B8:37:07:C0:9B:82:FB:3D:15:F3:53:36:B1)
  File "aseusb.cat" is a certificate (Owner: CN=Symantec Time Stamping Services Signer - G4, O=Symantec Corporation, C=US; Issuer: CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US; SerialNumber: ecff438c8febf356e04d86a981b1a50; Valid From: 10/18/2012 00:00:00; Until: 12/29/2020 23:59:59; Fingerprints: MD5=08:32:B6:5C:C3:E3:A4:9B:C3:81:BA:95:E1:B5:87:37; SHA1=65:43:99:29:B6:79:73:EB:19:2D:6F:F2:43:E6:76:7A:DF:08:34:E4)
  File "aseusb.cat" is a certificate (Owner: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="c 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US; Issuer: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US; SerialNumber: 250ce8e030612e9f2b89f7054d7cf8fd; Valid From: 11/08/2006 00:00:00; Until: 11/07/2021 23:59:59; Fingerprints: MD5=F9:1F:FE:E6:A3:6B:99:88:41:D4:67:DD:E5:F8:97:7A; SHA1=32:F3:08:82:62:2B:87:CF:88:56:C6:3D:B8:73:DF:08:53:B4:DD:27)
  File "aseusb.cat" is a certificate (Owner: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US; Issuer: CN=Microsoft Code Verification Root, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; SerialNumber: 610c120600000000001b; Valid From: 05/23/2006 17:01:29; Until: 05/23/2016 17:11:29; Fingerprints: MD5=4B:3E:F6:6A:94:BE:95:32:30:09:75:70:14:C6:66:03; SHA1=58:45:53:89:CF:1D:0C:D6:A0:8E:3C:E2:16:F6:5A:DF:F7:A8:64:08)
  File "aseusb.cat" is a certificate (Owner: CN=Asetek A/S, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Asetek A/S, L=Broenderslev, ST=North Jutland, C=DK; Issuer: CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa c10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US; SerialNumber: 7c3d21815eac15ffda12f1bb068cbe83; Valid From: 01/17/2013 00:00:00; Until: 01/17/2014 23:59:59; Fingerprints: MD5=88:F1:4A:A4:3E:74:B4:7F:60:26:D6:95:3D:24:6D:A1; SHA1=79:33:46:91:02:EB:F4:E8:D6:CC:02:29:3C:4A:20:35:85:D9:89:D2)
  File "aseusb.cat" is a certificate (Owner: CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa c10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US; Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="c 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US; SerialNumber: 5200e5aa2556fc1a86ed96c9d44b33c7; Valid From: 02/08/2010 00:00:00; Until: 02/07/2020 23:59:59; Fingerprints: MD5=4D:F6:E0:FC:40:0C:AE:9C:05:2F:AE:98:C6:6D:37:9F; SHA1=49:58:47:A9:31:87:CF:B8:C7:1F:84:0C:B7:B4:14:97:AD:95:C6:4F)
  File "mchpcdc.cat" is a certificate (Owner: CN=Microsoft Time-Stamp Service, OU=nCipher DSE ESN:BBEC-30CA-2DBE, OU=MOPR, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; Issuer: CN=Microsoft Timestamping PCA, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; SerialNumber: 61077f3400000000000f; Valid From: 01/09/2012 21:53:57; Until: 04/09/2013 21:53:57; Fingerprints: MD5=33:78:A4:06:CC:7E:35:A3:A3:CB:C8:56:73:F8:3F:97; SHA1=F8:ED:FD:8E:91:AB:10:DF:64:8C:67:84:7D:56:76:F2:8A:92:2A:5A)
  File "mchpcdc.cat" is a certificate (Owner: CN=Microsoft Timestamping PCA, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; Issuer: CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright c 1997 Microsoft Corp.; SerialNumber: 6a0b994fc00025ab11db451f587a67a2; Valid From: 09/16/2006 01:04:47; Until: 09/15/2019 07:00:00; Fingerprints: MD5=B9:56:D5:DA:60:80:B3:42:72:D1:9D:08:03:A4:E7:AA; SHA1=3E:A9:9A:60:05:82:75:E0:ED:83:B8:92:A9:09:44:9F:8C:33:B2:45)
  File "mchpcdc.cat" is a certificate (Owner: CN=Microsoft Windows Hardware Compatibility Publisher, OU=MOPR, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; Issuer: CN=Microsoft Windows Hardware Compatibility PCA, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; SerialNumber: 3300000009b3a6bb556666748b000100000009; Valid From: 09/12/2012 17:36:57; Until: 06/12/2013 17:36:57; Fingerprints: MD5=8D:AA:63:A9:4B:66:C9:12:67:A4:A4:F2:23:3F:AB:69; SHA1=09:F1:A9:11:FB:32:1A:28:8A:20:77:FB:0A:9E:05:32:6C:75:66:24)
  File "mchpcdc.cat" is a certificate (Owner: CN=Microsoft Windows Hardware Compatibility PCA, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US; Issuer: CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com; SerialNumber: 33000000382e50e86a989d957f000000000038; Valid From: 06/04/2012 21:05:46; Until: 06/04/2020 21:15:46; Fingerprints: MD5=5F:38:BD:38:CC:79:E9:75:2A:38:AC:15:6B:85:2D:2D; SHA1=8D:42:41:9D:8B:21:E5:CF:9C:32:04:D0:06:0B:19:31:2B:96:EB:78)
- source: Binary File
- relevance: 10/10
Network Related

Found potential IP address in binary/memory
- details:
  "2.5.29.17"
  Heuristic match: "1.3.14.3.2.26"
  "2.5.29.18"
  "2.5.29.19"
  Heuristic match: "2.16.840.1.101.3.4.2.4"
  Heuristic match: "2.16.840.1.101.3.4.2.1"
  Heuristic match: "2.16.840.1.101.3.4.2.2"
  Heuristic match: "2.16.840.1.101.3.4.2.3"
  Heuristic match: "c:\nzxt\one-click-install\packages\boost.1.68.0.0\lib\native\include\boost\smart_ptr\shared_ptr.hpp"
  Heuristic match: "c:\nzxt\one-click-install\packages\boost.1.68.0.0\lib\native\include\boost\optional\optional.hpp"
  Heuristic match: "nc:\nzxt\one-click-install\packages\boost.1.68.0.0\lib\native\include\boost\format\alt_sstream_impl.hpp"
  Heuristic match: "c:\nzxt\one-click-install\packages\boost.1.68.0.0\lib\native\include\boost\format\parsing.hpp"
  Heuristic match: "c:\nzxt\one-click-install\packages\boost.1.68.0.0\lib\native\include\boost\format\format_implementation.hpp"
  Heuristic match: "c:\nzxt\one-click-install\packages\boost.1.68.0.0\lib\native\include\boost\regex\v4\basic_regex.hpp"
  Heuristic match: "c:\nzxt\one-click-install\packages\boost.1.68.0.0\lib\native\include\boost\format\internals.hpp"
  Heuristic match: "c:\nzxt\one-click-install\packages\boost.1.68.0.0\lib\native\include\boost\format\feed_args.hpp"
  "1.2.0.4"
  "2.5.4.3"
  "2.5.4.4"
  "2.5.4.5"
  "2.5.4.6"
  "2.5.4.7"
  "2.5.4.8"
  "2.5.4.9"
  "2.5.4.10"
  "2.5.4.11"
  "2.5.4.12"
  "2.5.4.13"
  "2.5.4.17"
  "2.5.4.41"
  "2.5.4.42"
  "2.5.4.43"
  "2.5.4.44"
  "2.5.4.45"
  "2.5.4.46"
  "2.5.4.65"
  "2.5.4.72"
  Heuristic match: "one-click-install\packages\boost.1.68.0.0\lib\native\include\boost\smart_ptr\shared_ptr.hpp"
  Heuristic match: "c:\nzxt\one-click-install\packages\boost.1.68.0.0\lib\native\include\boost\format\alt_sstream_impl.hpp"
  Heuristic match: "oost.1.68.0.0\lib\native\include\boost\format\format_implementation.hpp"
  Heuristic match: "install\packages\boost.1.68.0.0\lib\native\include\boost\regex\v4\basic_regex.hpp"
  "1.1.1.0"
- source: File/Memory
- relevance: 3/10

Sends traffic on typical HTTP outbound port, but without HTTP header
- details: TCP traffic to 13.249.87.73 on port 80 is sent without HTTP header
- source: Network Traffic
- relevance: 5/10
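The Network Related indicators in this report need a sanity check before anyone pivots on them. The dotted strings in "Found potential IP address" are ASN.1 object identifiers from the certificate-handling code the sample links (2.5.4.x are X.500 attribute types such as commonName and organizationName, 2.5.29.x are X.509 extensions, 2.16.840.1.101.3.4.2.1 through .4 are the SHA-2 hash OIDs and 1.3.14.3.2.26 is SHA-1), Boost header paths, or version-number-like strings (1.1.1.0, 1.2.0.4); none of them is evidence of a contacted host. The "unusual ports" 49311 to 49319 listed under the malicious indicators lie in the dynamic range 49152-65535, which is the default ephemeral range on Windows since Vista, so they are far more likely the client side of ordinary connections than services on the remote hosts; the pcap settles that. The "malicious artifacts" attached to 13.249.87.73 are unrelated web content (an R package page, a glass-supply shop) that happens to resolve to the same address, which is what a shared hosting or CDN address looks like, not sample-specific infrastructure. The Python below is an added example, not the report's own logic: it classifies the strings and flows copied from the entries above and returns only the addresses and flows worth a pivot. The OID arc table is a short list chosen for these strings and is not exhaustive.

```python
import ipaddress
import re

# OID arcs behind the dotted strings in this report (short table chosen for these strings, not exhaustive).
OID_ARCS = {
    "2.5.4.": "X.500 attribute type (2.5.4.3 = commonName, 2.5.4.10 = organizationName, ...)",
    "2.5.29.": "X.509 v3 extension (2.5.29.17 = subjectAltName, 2.5.29.19 = basicConstraints, ...)",
    "2.16.840.1.101.3.4.2.": "NIST hash algorithm (...2.1 = sha256, ...2.2 = sha384, ...2.3 = sha512, ...2.4 = sha224)",
    "1.3.14.3.2.": "OIW algorithm (1.3.14.3.2.26 = sha1)",
}
DYNAMIC_PORT_START = 49152   # IANA dynamic range; Windows' default ephemeral range since Vista
DOTTED = re.compile(r"^\d+(?:\.\d+){3,}$")
FLOW = re.compile(r"TCP traffic to (\S+) on port (\d+)")

def _unwrap(line):
    s = line.strip()
    if s.startswith("Heuristic match:"):
        s = s[len("Heuristic match:"):].strip()
    return s.strip('"')

def classify_string(line):
    """Classify one line of 'Found potential IP address in binary/memory'."""
    s = _unwrap(line)
    for arc, meaning in OID_ARCS.items():
        if s.startswith(arc):
            return {"value": s, "kind": "oid", "pivot": False, "note": meaning}
    if not DOTTED.match(s):
        return {"value": s, "kind": "not-an-address", "pivot": False, "note": "file path or other text"}
    try:
        ip = ipaddress.IPv4Address(s)
    except ValueError:
        return {"value": s, "kind": "not-an-address", "pivot": False, "note": "dotted but not a valid IPv4 literal"}
    if max(int(o) for o in s.split(".")) < 10:
        return {"value": s, "kind": "ipv4", "pivot": False, "note": "all octets single-digit: reads as a version number"}
    if not ip.is_global:
        return {"value": s, "kind": "ipv4", "pivot": False, "note": "private, loopback or reserved"}
    return {"value": s, "kind": "ipv4", "pivot": True, "note": "global address"}

def classify_flow(line):
    """Classify one 'TCP traffic to <ip> on port <n>' line."""
    m = FLOW.search(line)
    if not m:
        return None
    host, port = m.group(1), int(m.group(2))
    ephemeral = port >= DYNAMIC_PORT_START
    if ephemeral:
        note = "dynamic-range port: probably the client's ephemeral port recorded as the destination; confirm in the pcap"
    elif port in (80, 443):
        note = "standard web port: check the payload for an actual HTTP request or TLS ClientHello"
    else:
        note = "non-standard service port"
    return {"host": host, "port": port, "global": ipaddress.ip_address(host).is_global,
            "ephemeral_range": ephemeral, "note": note}

def triage(string_lines, flow_lines):
    """Return (kind counts, addresses worth a pivot, flows to ports outside the dynamic range)."""
    strings = [classify_string(l) for l in string_lines]
    counts = {}
    for r in strings:
        counts[r["kind"]] = counts.get(r["kind"], 0) + 1
    pivots = sorted({r["value"] for r in strings if r["pivot"]})
    flows = [f for f in map(classify_flow, flow_lines) if f]
    return counts, pivots, [f for f in flows if not f["ephemeral_range"]]

# Copied from the report's "Found potential IP address" and port entries (a representative subset).
STRING_LINES = [
    '"2.5.29.17"',
    'Heuristic match: "1.3.14.3.2.26"',
    'Heuristic match: "2.16.840.1.101.3.4.2.1"',
    r'Heuristic match: "c:\nzxt\one-click-install\packages\boost.1.68.0.0\lib\native\include\boost\smart_ptr\shared_ptr.hpp"',
    r'Heuristic match: "c:\nzxt\one-click-install\packages\boost.1.68.0.0\lib\native\include\boost\format\parsing.hpp"',
    '"1.2.0.4"',
    '"2.5.4.3"',
    '"2.5.4.10"',
    '"1.1.1.0"',
]
FLOW_LINES = [
    "TCP traffic to 52.218.221.64 on port 49311",
    "TCP traffic to 35.167.7.225 on port 49316",
    "TCP traffic to 99.84.174.17 on port 49317",
    "TCP traffic to 35.188.42.15 on port 49318",
    "TCP traffic to 18.214.22.168 on port 49319",
    "TCP traffic to 13.249.87.73 on port 80 is sent without HTTP header",
]

if __name__ == "__main__":
    counts, pivots, service_flows = triage(STRING_LINES, FLOW_LINES)
    print(counts, pivots)
    for f in service_flows:
        print(f"{f['host']}:{f['port']} {f['note']}")
```

For this report the string list yields no pivot at all and the only flow on a service port is the port-80 connection to 13.249.87.73, which is the one place the packet payload is worth reading.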
Spyware/Information Retrieval

Contains ability to enumerate processes/modules/threads
- details:
  CreateToolhelp32Snapshot@KERNEL32.DLL from service.exe (PID: 3424)
  CreateToolhelp32Snapshot@KERNEL32.DLL from service.exe (PID: 2116)
- source: Hybrid Analysis Technology
- relevance: 5/10
- ATT&CK ID: T1215

Contains ability to open the clipboard
- details: OpenClipboard@USER32.DLL from 651b-c0cf-32b2-2d68.exe (PID: 2072)
- source: Hybrid Analysis Technology
- relevance: 10/10
- ATT&CK ID: T1115
System Destruction

Marks file for deletion
- details:
  "C:\installer.exe" marked "%APPDATA%\NZXT CAM\CURRENT~RF9f2d0.TMP" for deletion
  "%PROGRAMFILES%\NZXT CAM\NZXT CAM.exe" marked "%APPDATA%\NZXT CAM\MANIFEST-000001" for deletion
  "%PROGRAMFILES%\NZXT CAM\NZXT CAM.exe" marked "%APPDATA%\NZXT CAM\Network Persistent State~RFb9a75.TMP" for deletion
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1107

Opens file with deletion access rights
- details:
  "installer.exe" opened "%TEMP%\651b-c0cf-32b2-2d68.exe" with delete access
  "651b-c0cf-32b2-2d68.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsr49BF.tmp" with delete access
  "651b-c0cf-32b2-2d68.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\nsc4CBD.tmp" with delete access
  "NZXT CAM.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\1a6c667a-4fcc-4f46-9716-1420a7cad4d8.tmp" with delete access
  "NZXT CAM.exe" opened "C:\Users\%USERNAME%\AppData\Roaming\NZXT CAM\migration.json.4193267585" with delete access
  "NZXT CAM.exe" opened "C:\Users\%USERNAME%\AppData\Roaming\NZXT CAM\settings.json.488878097" with delete access
  "NZXT CAM.exe" opened "C:\Users\%USERNAME%\AppData\Roaming\NZXT CAM\Code Cache\js\index-dir\the-real-index" with delete access
  "NZXT CAM.exe" opened "C:\Users\%USERNAME%\AppData\Roaming\NZXT CAM\Code Cache\js\index-dir\temp-index" with delete access
  "NZXT CAM.exe" opened "C:\Users\%USERNAME%\AppData\Roaming\NZXT CAM\migration.json.3214869592" with delete access
  "NZXT CAM.exe" opened "C:\Users\%USERNAME%\AppData\Roaming\NZXT CAM\migration.json.209136609" with delete access
  "NZXT CAM.exe" opened "C:\Users\%USERNAME%\AppData\Roaming\NZXT CAM\migration.json.4190596097" with delete access
  "NZXT CAM.exe" opened "C:\Users\%USERNAME%\AppData\Roaming\NZXT CAM\migration.json.1389539251" with delete access
  "NZXT CAM.exe" opened "C:\Users\%USERNAME%\AppData\Roaming\NZXT CAM\000001.dbtmp" with delete access
  "NZXT CAM.exe" opened "C:\Users\%USERNAME%\AppData\Roaming\NZXT CAM\000002.dbtmp" with delete access
  "NZXT CAM.exe" opened "C:\Users\%USERNAME%\AppData\Roaming\NZXT CAM\CURRENT" with delete access
  "NZXT CAM.exe" opened "C:\Users\%USERNAME%\AppData\Roaming\NZXT CAM\CURRENT~RF9f2d0.TMP" with delete access
  "NZXT CAM.exe" opened "C:\Users\%USERNAME%\AppData\Roaming\NZXT CAM\MANIFEST-000001" with delete access
- source: API Call
- relevance: 7/10
-
System Security
-
Contains ability to elevate privileges
- details
- SetSecurityDescriptorDacl@ADVAPI32.dll at 14033-4134-00000001800D9604
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Modifies Software Policy Settings
- details
-
"service.exe" (Access type: "CREATE"; Path: "HKU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"service.exe" (Access type: "CREATE"; Path: "HKU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"service.exe" (Access type: "CREATE"; Path: "HKU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"service.exe" (Access type: "CREATE"; Path: "HKU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"service.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"service.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"service.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"service.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"service.exe" (Access type: "CREATE"; Path: "HKU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"service.exe" (Access type: "CREATE"; Path: "HKU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"service.exe" (Access type: "CREATE"; Path: "HKU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"service.exe" (Access type: "CREATE"; Path: "HKU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"service.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"service.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"service.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"service.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"service.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
"service.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
"service.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
"service.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Modifies proxy settings
- details
-
"installer.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"installer.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"installer.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
"installer.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
"installer.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
"NZXT CAM.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"NZXT CAM.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Queries sensitive IE security settings
- details
-
"installer.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
"NZXT CAM.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK") - source
- Registry Access
- relevance
- 8/10
- ATT&CK ID
- T1012
-
Unusual Characteristics
-
CRC value set in PE header does not match actual value
- details
-
"cpuidsdk64.dll" claimed CRC 1733067 while the actual is CRC 1671260
"651b-c0cf-32b2-2d68.exe" claimed CRC 81106825 while the actual is CRC 1733067
"Graphics Hook.dll" claimed CRC 1050518 while the actual is CRC 5276870
"firmware-update.exe" claimed CRC 1535485 while the actual is CRC 1050518
"SiUSBXp86.dll" claimed CRC 104946 while the actual is CRC 125559
"MCP2200DriverInstallationTool.exe" claimed CRC 1071427 while the actual is CRC 104946
"NZXT_NahimicAPIInstaller.exe" claimed CRC 8520814 while the actual is CRC 2133441
"NZXT CAM.exe" claimed CRC 97710150 while the actual is CRC 5011385
"nsProcess.dll" claimed CRC 55001 while the actual is CRC 162310
"Uninstall NZXT CAM.exe" claimed CRC 217215 while the actual is CRC 55001
"Hook Helper.exe" claimed CRC 358590 while the actual is CRC 212230
"service.exe" claimed CRC 561898 while the actual is CRC 15534
"Graphics Hook64.dll" claimed CRC 1220072 while the actual is CRC 123474
"cpuidsdk.dll" claimed CRC 1479106 while the actual is CRC 1220072
"NZXTNahimicAPI64.dll" claimed CRC 303516 while the actual is CRC 1479106
"d3dcompiler_47.dll" claimed CRC 4387215 while the actual is CRC 2727988
"MCP2200DriverInstallationTool.exe" claimed CRC 947622 while the actual is CRC 29572
"SiUSBXp64.dll" claimed CRC 101981 while the actual is CRC 947622 - source
- Static Parser
- relevance
- 10/10
-
Imports suspicious APIs
- details
-
CryptEncrypt
GetDriveTypeW
GetFileAttributesW
UnhandledExceptionFilter
WriteFile
OutputDebugStringA
DeviceIoControl
OutputDebugStringW
GetModuleFileNameW
IsDebuggerPresent
LoadLibraryA
LoadLibraryExW
CreateThread
ExitThread
TerminateProcess
GetModuleHandleExW
SleepEx
LoadLibraryW
GetVersionExW
GetTickCount
VirtualProtect
GetStartupInfoW
DeleteFileW
FindNextFileW
FindFirstFileExW
GetProcAddress
CreateFileW
LockResource
GetCommandLineW
GetCommandLineA
GetTickCount64
GetModuleHandleA
GetModuleHandleW
FindResourceW
CreateProcessW
Sleep
VirtualAlloc
ShellExecuteW
InternetGetConnectedState
accept
WSAStartup
connect
recv
send
listen
closesocket
socket
bind
recvfrom
sendto
RegCloseKey
SetSecurityDescriptorDacl
OpenProcessToken
RegOpenKeyExA
CreateServiceW
StartServiceA
GetFileAttributesA
GetTempPathA
GetModuleFileNameA
GetVersionExA
GetStartupInfoA
CreateDirectoryA
DeleteFileA
GetComputerNameA
CreateFileA
FindResourceA
RegCreateKeyExW
RegDeleteValueW
RegEnumKeyW
RegOpenKeyExW
RegDeleteKeyW
CopyFileW
GetFileSize
CreateDirectoryW
GetTempFileNameW
GetTempPathW
FindFirstFileW
ShellExecuteExW
FindWindowExW
OpenFileMappingW
GetThreadContext
ConnectNamedPipe
CreateToolhelp32Snapshot
OpenProcess
CreateFileMappingW
MapViewOfFile
GetFileSizeEx
GetWindowThreadProcessId
StartServiceW
FindResourceExW
NtQueryInformationToken
SleepConditionVariableSRW
GetUserNameW
RegEnumKeyExW
LoadLibraryExA
GetComputerNameW
CopyFileExW
- source
- Static Parser
- relevance
- 1/10
-
Installs hooks/patches the running process
- details
-
"651b-c0cf-32b2-2d68.exe" wrote bytes "7111fa017a3bf901ab8b02007f950200fc8c0200729602006cc805001ecdf6017d26f601" to virtual address "0x75E107E4" (part of module "USER32.DLL")
"651b-c0cf-32b2-2d68.exe" wrote bytes "d0558c76647395760000000051c1747694987476ee9c747675dc7676273e76760fb37a760000000085485577698755770f775777d9175577ead75677a9345577f8115577201455770c115577f516557754145577ff1055773214557700000000" to virtual address "0x74181000" (part of module "SHFOLDER.DLL")
"NZXT CAM.exe" wrote bytes "e01044fefe0700000000000000000000c0f4b9770000000080c2b977000000000000000000000000001a957700000000e01995770000000060dcb977000000000000000000000000" to virtual address "0x74222000" (part of module "KSUSER.DLL")
"NZXT CAM.exe" wrote bytes "2c001200" to virtual address "0x779D02A8" (part of module "KERNEL32.DLL")
"NZXT CAM.exe" wrote bytes "300f384201000000" to virtual address "0xF5201630" (part of module "DWRITE.DLL")
"NZXT CAM.exe" wrote bytes "100f384201000000" to virtual address "0xF5201638" (part of module "DWRITE.DLL")
"NZXT CAM.exe" wrote bytes "700f384201000000" to virtual address "0xF5201628" (part of module "DWRITE.DLL")
"NZXT CAM.exe" wrote bytes "900f384201000000" to virtual address "0xF5201658" (part of module "DWRITE.DLL")
"NZXT CAM.exe" wrote bytes "c00f384201000000" to virtual address "0xF5201B88" (part of module "DWRITE.DLL")
"NZXT CAM.exe" wrote bytes "e01044fefe0700000000000000000000c0f4b9770000000080c2b977000000000000000000000000001a957700000000e01995770000000060dcb977000000000000000000000000" to virtual address "0x73EA2000" (part of module "KSUSER.DLL")
"Hook Helper.exe" wrote bytes "7111fa017a3bf901ab8b02007f950200fc8c0200729602006cc805001ecdf6017d26f601" to virtual address "0x75E107E4" (part of module "USER32.DLL") - source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
-
Reads information about supported languages
- details
-
"NZXT CAM.exe" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL\GEO"; Key: "NATION")
"NZXT CAM.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"NZXT CAM.exe" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALENAME") - source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012
-
Hiding 17 Suspicious Indicators
-
Informative 42
-
Anti-Reverse Engineering
-
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
-
SetUnhandledExceptionFilter@KERNEL32.dll
SetUnhandledExceptionFilter@KERNEL32.dll
SetUnhandledExceptionFilter@KERNEL32.dll
SetUnhandledExceptionFilter@KERNEL32.dll
SetUnhandledExceptionFilter@KERNEL32.DLL from installer.exe (PID: 2120)
SetUnhandledExceptionFilter@KERNEL32.DLL from installer.exe (PID: 2120)
SetUnhandledExceptionFilter@KERNEL32.DLL from installer.exe (PID: 2120)
SetUnhandledExceptionFilter@KERNEL32.DLL from service.exe (PID: 3424)
SetUnhandledExceptionFilter@KERNEL32.DLL from service.exe (PID: 3424)
SetUnhandledExceptionFilter@KERNEL32.DLL from service.exe (PID: 3424)
SetUnhandledExceptionFilter@KERNEL32.DLL from service.exe (PID: 2116)
SetUnhandledExceptionFilter@KERNEL32.DLL from service.exe (PID: 2116)
SetUnhandledExceptionFilter@KERNEL32.DLL from service.exe (PID: 2116)
SetUnhandledExceptionFilter@KERNEL32.dll
SetUnhandledExceptionFilter@KERNEL32.dll
SetUnhandledExceptionFilter@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
PE file contains zero-size sections
- details
-
Raw size of ".ndata" is zero
Raw size of ".data" is zero
- source
- Static Parser
- relevance
- 10/10
-
Environment Awareness
-
Contains ability to query machine time
- details
-
GetSystemTimeAsFileTime@KERNEL32.dll
GetSystemTimeAsFileTime@KERNEL32.dll
GetSystemTimeAsFileTime@KERNEL32.DLL from installer.exe (PID: 2120)
GetSystemTimeAsFileTime@KERNEL32.DLL from service.exe (PID: 3424)
GetSystemTimeAsFileTime@KERNEL32.DLL from service.exe (PID: 2116)
GetSystemTime@KERNEL32.dll at 64615-1477-00406037
GetSystemTime@KERNEL32.dll at 11937-123-100117A0
GetSystemTime@KERNEL32.dll at 11937-125-10011710
GetSystemTime@KERNEL32.dll at 11937-126-10011680
- source
- Hybrid Analysis Technology
- relevance
- 1/10
- ATT&CK ID
- T1124
-
Contains ability to query the machine timezone
- details
-
GetTimeZoneInformation@KERNEL32.dll
GetTimeZoneInformation@KERNEL32.DLL from installer.exe (PID: 2120)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
- ATT&CK ID
- T1124
-
Contains ability to query the machine version
- details
-
GetVersionExW@KERNEL32.dll
GetVersion@KERNEL32.DLL from 651b-c0cf-32b2-2d68.exe (PID: 2072)
GetVersion@KERNEL32.DLL from 651b-c0cf-32b2-2d68.exe (PID: 2072)
GetVersionExW@KERNEL32.dll at 64615-1482-004062AA
GetVersionExA@KERNEL32.dll at 14033-3685-0000000180002670
GetVersionExA@KERNEL32.dll at 14033-4140-00000001800D8F58
GetVersionExA@KERNEL32.dll at 14033-4151-00000001800D3118
GetVersionExA@KERNEL32.dll at 14033-4153-00000001800D28BC
GetVersionExA@KERNEL32.dll at 14033-5561-0000000180003D7C
GetVersionExA@KERNEL32.dll at 14033-5628-000000018004F264
GetVersionExA@KERNEL32.dll at 14033-6977-00000001800A0D00
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the system locale
- details
-
GetUserDefaultLCID@KERNEL32.dll
EnumSystemLocalesW@KERNEL32.dll
EnumSystemLocalesW@KERNEL32.dll
GetUserDefaultLCID@KERNEL32.dll
EnumSystemLocalesW@KERNEL32.dll
EnumSystemLocalesW@KERNEL32.DLL from installer.exe (PID: 2120)
EnumSystemLocalesW@KERNEL32.DLL from installer.exe (PID: 2120)
EnumSystemLocalesW@KERNEL32.DLL from installer.exe (PID: 2120)
GetUserDefaultLCID@KERNEL32.DLL from installer.exe (PID: 2120)
EnumSystemLocalesW@KERNEL32.DLL from installer.exe (PID: 2120)
GetUserDefaultLCID@KERNEL32.DLL from installer.exe (PID: 2120)
GetUserDefaultUILanguage@KERNEL32.dll at 64615-1471-00405E62
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query volume size
- details
-
GetDiskFreeSpaceW@KERNEL32.DLL from 651b-c0cf-32b2-2d68.exe (PID: 2072)
GetDiskFreeSpaceW@KERNEL32.DLL from 651b-c0cf-32b2-2d68.exe (PID: 2072)
GetDiskFreeSpaceA@KERNEL32.dll at 14033-6984-00000001800A044C
- source
- Hybrid Analysis Technology
- relevance
- 3/10
- ATT&CK ID
- T1083
-
Executes WMI queries
- details
-
"cam_helper.exe" issued a query "SELECT * FROM Win32_PhysicalMemory"
"cam_helper.exe" issued a query "SELECT * FROM WmiMonitorID" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1047
-
Makes a code branch decision directly after an API that is environment aware
- details
-
Found API call GetTimeZoneInformation@KERNEL32.dll directly followed by "cmp eax, FFFFFFFFh" and "je 0000000140103A56h"
Found API call GetTimeZoneInformation@KERNEL32.DLL directly followed by "cmp eax, FFFFFFFFh" and "je 3F3B3A56h" from installer.exe (PID: 2120)
Found API call GetVersion@KERNEL32.DLL directly followed by "cmp ax, 00000006h" and "je 004033DFh" from 651b-c0cf-32b2-2d68.exe (PID: 2072)
Found API call GetVersion@KERNEL32.DLL directly followed by "cmp ax, 00000006h" and "je 004033DFh" from 651b-c0cf-32b2-2d68.exe (PID: 2072)
Found API call GetVersionExA@KERNEL32.dll directly followed by "cmp eax, ebx" and "jne 00000001800026EBh" at 14033-3685-0000000180002670
Found API call GetVersionExA@KERNEL32.dll directly followed by "cmp eax, ebx" and "jne 00000001800D3197h" at 14033-4151-00000001800D3118
Found API call GetVersionExA@KERNEL32.dll directly followed by "cmp dword ptr [rsp+00000414h], 06h" and "jc 000000018004F2F4h" at 14033-5628-000000018004F264
Found API call GetVersionExA@KERNEL32.dll directly followed by "cmp eax, ebx" and "jne 00000001800A0D57h" at 14033-6977-00000001800A0D00
Found API call GetDiskFreeSpaceA@KERNEL32.dll directly followed by "cmp eax, esp" and "je 00000001800A0826h" at 14033-6984-00000001800A044C
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Possibly tries to detect the presence of a debugger
- details
-
GetProcessHeap@KERNEL32.dll
GetProcessHeap@KERNEL32.DLL from installer.exe (PID: 2120)
GetProcessHeap@KERNEL32.DLL from service.exe (PID: 3424)
GetProcessHeap@KERNEL32.DLL from service.exe (PID: 3424)
GetProcessHeap@KERNEL32.DLL from service.exe (PID: 3424)
GetProcessHeap@KERNEL32.DLL from service.exe (PID: 3424)
GetProcessHeap@KERNEL32.DLL from service.exe (PID: 2116)
GetProcessHeap@KERNEL32.DLL from service.exe (PID: 2116)
GetProcessHeap@KERNEL32.DLL from service.exe (PID: 2116)
GetProcessHeap@KERNEL32.DLL from service.exe (PID: 2116)
GetProcessHeap@KERNEL32.dll
GetProcessHeap@KERNEL32.dll
GetProcessHeap@KERNEL32.dll
GetProcessHeap@KERNEL32.dll
GetProcessHeap@KERNEL32.dll
GetProcessHeap@KERNEL32.dll
GetProcessHeap@KERNEL32.dll at 64615-2455-00439771
GetProcessHeap@KERNEL32.dll at 14033-8285-00000001800FA4F8
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Queries volume information
- details
-
"NZXT CAM.exe" queries volume information of "C:\" at 00040414-00003028-00000046-91595493839
"NZXT CAM.exe" queries volume information of "%PROGRAMFILES%\NZXT CAM\resources\app.asar" at 00040414-00003028-00000046-91597505108
"NZXT CAM.exe" queries volume information of "C:\Program Files\NZXT CAM\resources\app.asar.unpacked\node_modules\@nzxt\rust-cam\package.json" at 00040414-00003028-00000046-91756746778
"NZXT CAM.exe" queries volume information of "C:\Program Files\NZXT CAM\resources\app.asar.unpacked\node_modules\@nzxt\rust-cam\dist\index.js" at 00040414-00003028-00000046-91762169527
"NZXT CAM.exe" queries volume information of "C:\Program Files\NZXT CAM\resources\app.asar.unpacked\node_modules\@nzxt\rust-cam\dist\proxy\client\BaseClient.js" at 00040414-00003028-00000046-91767483235
"NZXT CAM.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Roaming\NZXT CAM" at 00040414-00003028-00000046-93441787447
"NZXT CAM.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Roaming\NZXT CAM" at 00040414-00003028-00000046-93447181815
"NZXT CAM.exe" queries volume information of "C:\" at 00040414-00003028-00000046-93449222129
"NZXT CAM.exe" queries volume information of "C:\Users" at 00040414-00003028-00000046-93451166798
"NZXT CAM.exe" queries volume information of "C:\Users\8gyZ9U5" at 00040414-00003028-00000046-93453088903
"NZXT CAM.exe" queries volume information of "C:\Users\%OSUSER%" at 00040414-00003028-00000046-93455660003
"NZXT CAM.exe" queries volume information of "C:\Users\%OSUSER%" at 00040414-00003028-00000046-93458916066
"NZXT CAM.exe" queries volume information of "C:\Users\%USERNAME%\AppData" at 00040414-00003028-00000046-93460851658
"NZXT CAM.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Roaming" at 00040414-00003028-00000046-93462837823
"NZXT CAM.exe" queries volume information of "C:\Users\%USERNAME%\AppData\Roaming\NZXT CAM" at 00040414-00003028-00000046-93464870885
"NZXT CAM.exe" queries volume information of "C:\" at 00040414-00003028-00000046-98463040284
"NZXT CAM.exe" queries volume information of "C:\Program Files" at 00040414-00003028-00000046-98464821719
"NZXT CAM.exe" queries volume information of "C:\Program Files\NZXT CAM" at 00040414-00003028-00000046-98466592753
"NZXT CAM.exe" queries volume information of "C:\Program Files\NZXT CAM\resources" at 00040414-00003028-00000046-98468311191
"NZXT CAM.exe" queries volume information of "C:\Program Files\NZXT CAM\resources\electron.asar" at 00040414-00003028-00000046-98470017813 - source
- API Call
- relevance
- 2/10
- ATT&CK ID
- T1120
-
Queries volume information of an entire harddrive
- details
-
"NZXT CAM.exe" queries volume information of "C:\" at 00040414-00003028-00000046-91595493839
"NZXT CAM.exe" queries volume information of "C:\" at 00040414-00003028-00000046-93449222129
"NZXT CAM.exe" queries volume information of "C:\" at 00040414-00003028-00000046-98463040284
"NZXT CAM.exe" queries volume information of "C:\" at 00040414-00003028-00000046-100515228640
"NZXT CAM.exe" queries volume information of "C:\" at 00040414-00003028-00000046-109252678984
"NZXT CAM.exe" queries volume information of "C:\" at 00040414-00003028-00000046-127540966825
"NZXT CAM.exe" queries volume information of "C:\" at 00040414-00003028-00000046-127587943306
"NZXT CAM.exe" queries volume information of "C:\" at 00040414-00003028-00000046-127632590341
"NZXT CAM.exe" queries volume information of "C:\" at 00040414-00003028-00000046-129046119625
"NZXT CAM.exe" queries volume information of "C:\" at 00041850-00003080-00000046-147125072572
"NZXT CAM.exe" queries volume information of "C:\" at 00041850-00003080-00000046-147836571918
"NZXT CAM.exe" queries volume information of "C:\" at 00041850-00003080-00000046-180154883061
"NZXT CAM.exe" queries volume information of "C:\" at 00041850-00003080-00000046-180319007095
"NZXT CAM.exe" queries volume information of "C:\" at 00041850-00003080-00000046-180571971530
"NZXT CAM.exe" queries volume information of "C:\" at 00041850-00003080-00000046-180977556572
"NZXT CAM.exe" queries volume information of "C:\" at 00041850-00003080-00000046-186551739648 - source
- API Call
- relevance
- 8/10
- ATT&CK ID
- T1120
-
Reads the registry for installed applications
- details
-
"installer.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\NZXT CAM.EXE")
"installer.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\NZXT CAM.EXE")
"651b-c0cf-32b2-2d68.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CB701B7F-13CC-5FE6-944F-FC26616AF169")
"651b-c0cf-32b2-2d68.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\AC0666AE-EE66-5310-AC01-9D6348133B2D")
"651b-c0cf-32b2-2d68.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\AC0666AE-EE66-5310-AC01-9D6348133B2D")
"NZXT CAM.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\CAM_HELPER.EXE")
"NZXT CAM.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\CAM_HELPER.EXE") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
- 0/68 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
General
-
Accesses Software Policy Settings
- details
-
"service.exe" (Path: "HKU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"service.exe" (Path: "HKU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"service.exe" (Path: "HKU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"service.exe" (Path: "HKU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"service.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"service.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"service.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"service.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"service.exe" (Path: "HKU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"service.exe" (Path: "HKU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"service.exe" (Path: "HKU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"service.exe" (Path: "HKU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"service.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"service.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"service.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"service.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"service.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
"service.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
"service.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
"service.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012
-
Accesses System Certificates Settings
- details
-
"service.exe" (Path: "HKU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
"service.exe" (Path: "HKU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"service.exe" (Path: "HKU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"service.exe" (Path: "HKU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"service.exe" (Path: "HKU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"service.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"service.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"service.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\109F1CAED645BB78B3EA2B94C0697C740733031C"; Key: "BLOB")
"service.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\D559A586669B08F46A30A133F8A9ED3D038E2EA8"; Key: "BLOB")
"service.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FEE449EE0E3965A5246F000E87FDE2A065FD89D4"; Key: "BLOB")
"service.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"service.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS\A377D1B1C0538833035211F4083D00FECC414DAB"; Key: "BLOB")
"service.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"service.exe" (Path: "HKU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"service.exe" (Path: "HKU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"service.exe" (Path: "HKU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"service.exe" (Path: "HKU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Contacts domains
- details
- "nzxt-app.nzxt.com"
- source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
-
"13.249.87.73:80"
"52.218.221.64:49311"
"35.167.7.225:49316"
"99.84.174.17:49317"
"35.188.42.15:49318"
"18.214.22.168:49319" - source
- Network Traffic
- relevance
- 1/10
-
Contains PDB pathways
- details
-
"C:\NZXT\one-click-install\x64\Release\one-click-install.pdb"
"%USERPROFILE%\code\rust-cam\native\target\release\deps\service-4f21c58b9045f0a3.pdb"
"%USERPROFILE%\code\rust-cam\native\target\release\deps\firmware_update-1b36b199829c2dc5.pdb"
"C:\agent\_work\8\s\build\ship\x86\burn.pdb" - source
- File/Memory
- relevance
- 1/10
-
Contains ability to create named pipes for inter-process communication (IPC)
- details
-
CreateNamedPipeA@KERNEL32.DLL from service.exe (PID: 3424)
CreateNamedPipeA@KERNEL32.DLL from service.exe (PID: 2116)
CreateNamedPipeA@KERNEL32.dll
CreateNamedPipeA@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Creates a writable file in a temporary directory
- details
-
"installer.exe" created file "%TEMP%\651b-c0cf-32b2-2d68.exe"
"651b-c0cf-32b2-2d68.exe" created file "%TEMP%\nsc4CBD.tmp\System.dll"
"651b-c0cf-32b2-2d68.exe" created file "%TEMP%\nsc4CBD.tmp\nsProcess.dll"
"651b-c0cf-32b2-2d68.exe" created file "%TEMP%\nsc4CBD.tmp\app-64.7z"
"651b-c0cf-32b2-2d68.exe" created file "%TEMP%\nsc4CBD.tmp\System.dll" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"DBWinMutex"
"Local\ZonesLockedCacheCounterMutex"
"Local\ZonesCacheCounterMutex"
"CAMOneTouch"
"\Sessions\1\BaseNamedObjects\CAMOneTouch"
"\Sessions\1\BaseNamedObjects\DBWinMutex"
"\Sessions\1\BaseNamedObjects\ac0666ae-ee66-5310-ac01-9d6348133b2d"
"ac0666ae-ee66-5310-ac01-9d6348133b2d" - source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
-
Antivirus vendors marked dropped file "cpuidsdk64.dll" as clean (type is "PE32+ executable (DLL) (GUI) x86-64 for MS Windows")
Antivirus vendors marked dropped file "Graphics Hook.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "StdUtils.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "SiUSBXp86.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "MCP2200DriverInstallationTool.exe" as clean (type is "PE32+ executable (GUI) x86-64 for MS Windows")
Antivirus vendors marked dropped file "v8_context_snapshot.bin" as clean (type is "data")
Antivirus vendors marked dropped file "aseusb.cat" as clean (type is "data")
Antivirus vendors marked dropped file "ffmpeg.dll" as clean (type is "PE32+ executable (DLL) (console) x86-64 for MS Windows")
Antivirus vendors marked dropped file "natives_blob.bin" as clean (type is "data")
Antivirus vendors marked dropped file "nsProcess.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "Uninstall NZXT CAM.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows Nullsoft Installer self-extracting archive")
Antivirus vendors marked dropped file "libEGL.dll" as clean (type is "PE32+ executable (DLL) (console) x86-64 for MS Windows")
Antivirus vendors marked dropped file "mchpcdc.cat" as clean (type is "data")
Antivirus vendors marked dropped file "nsis7z.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "KrakenDriver.exe" as clean (type is "PE32 executable (console) Intel 80386 Mono/.Net assembly for MS Windows")
Antivirus vendors marked dropped file "service.exe" as clean (type is "PE32+ executable (console) x86-64 for MS Windows")
Antivirus vendors marked dropped file "Graphics Hook64.dll" as clean (type is "PE32+ executable (DLL) (GUI) x86-64 for MS Windows")
Antivirus vendors marked dropped file "cpuidsdk.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "snapshot_blob.bin" as clean (type is "data")
Antivirus vendors marked dropped file "libGLESv2.dll" as clean (type is "PE32+ executable (DLL) (console) x86-64 for MS Windows")
- source
- Binary File
- relevance
- 10/10
-
GETs files from a webserver
- details
-
"GET /latest.yml HTTP/1.1
Host: nzxt-app.nzxt.com
User-Agent: Forge Installer 1.0
Accept: */*"
"GET /NZXT%20CAM%20Setup%204.1.0.exe HTTP/1.1
Host: nzxt-app.nzxt.com
User-Agent: Forge Installer 1.0
Accept: */*" - source
- Network Traffic
- relevance
- 5/10
-
Overview of unique CLSIDs touched in registry
- details
-
"installer.exe" touched "Computer" (Path: "HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
"installer.exe" touched "Memory Mapped Cache Mgr" (Path: "HKCU\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}")
"installer.exe" touched "Security Manager" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}")
"NZXT CAM.exe" touched "MMDeviceEnumerator class" (Path: "HKCU\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}")
"NZXT CAM.exe" touched "SpVoice Class" (Path: "HKCU\CLSID\{96749377-3391-11D2-9EE3-00C04F797396}\TREATAS")
"NZXT CAM.exe" touched "SpObjectTokenCategory Class" (Path: "HKCU\CLSID\{A910187F-0C7A-45AC-92CC-59EDAFB77B53}\TREATAS")
"NZXT CAM.exe" touched "SpDataKey Class" (Path: "HKCU\CLSID\{D9F6EE60-58C9-458B-88E1-2F908FD7F87C}\TREATAS")
"NZXT CAM.exe" touched "SpResourceManager Class" (Path: "HKCU\CLSID\{96749373-3391-11D2-9EE3-00C04F797396}\TREATAS")
"NZXT CAM.exe" touched "SpTaskManager Class" (Path: "HKCU\CLSID\{4C6F940C-3CFE-11D2-9EE7-00C04F797396}\TREATAS")
"NZXT CAM.exe" touched "SpNotifyTranslator Class" (Path: "HKCU\CLSID\{E2AE5372-5D40-11D2-960E-00C04F8EE628}\TREATAS")
"NZXT CAM.exe" touched "SpObjectTokenEnum Class" (Path: "HKCU\CLSID\{3918D75F-0ACB-41F2-B733-92AA15BCECF6}\TREATAS")
"NZXT CAM.exe" touched "SpObjectToken Class" (Path: "HKCU\CLSID\{EF411752-3736-4CB4-9C8C-8EF4CCB58EFE}\TREATAS")
"tasklist.exe" touched "WBEM Locator" (Path: "HKCU\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}")
"tasklist.exe" touched "Windows Management and Instrumentation" (Path: "HKCU\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}")
"tasklist.exe" touched "PSFactoryBuffer" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}")
"tasklist.exe" touched "Microsoft WBEM (non)Standard Marshaling for IWbemServices" (Path: "HKCU\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TREATAS")
"tasklist.exe" touched "Microsoft WBEM (non)Standard Marshaling for IEnumWbemClassObject" (Path: "HKCU\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TREATAS")
"tasklist.exe" touched "WbemStatusCode" (Path: "HKCU\CLSID\{EB87E1BD-3233-11D2-AEC9-00C04FB68820}\TREATAS")
"NZXT CAM.exe" touched "Portable Devices" (Path: "HKCU\CLSID\{35786D3C-B075-49B9-88DD-029876E11C01}")
"NZXT CAM.exe" touched "Enhanced Storage Data Source" (Path: "HKCU\CLSID\{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}\SHELLFOLDER") - source
- Registry Access
- relevance
- 3/10
-
Process launched with changed environment
- details
-
Process "651b-c0cf-32b2-2d68.exe" was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles"
Process "651b-c0cf-32b2-2d68.exe" was launched with missing environment variables: "PROCESSOR_ARCHITEW6432"
Process "service.exe" was launched with new environment variables: "PROCESSOR_ARCHITEW6432="AMD64""
Process "service.exe" was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles"
Process "service.exe" was launched with modified environment variables: "CommonProgramFiles, Path, LOCALAPPDATA, USERDOMAIN, PROCESSOR_ARCHITECTURE, TEMP, APPDATA, USERPROFILE, TMP, ProgramFiles"
Process "service.exe" was launched with missing environment variables: "PROCESSOR_ARCHITEW6432, LOGONSERVER, PROMPT, VXDIR, HOMEPATH, HOMEDRIVE"
Process "NZXT CAM.exe" was launched with new environment variables: "LOGONSERVER="\\HAPUBWS-PC", PROMPT="$P$G", VXDIR="C:\VxStream", HOMEPATH="\Users\8gyZ9U5", HOMEDRIVE="C:""
Process "NZXT CAM.exe" was launched with modified environment variables: "Path, LOCALAPPDATA, USERDOMAIN, TEMP, APPDATA, USERPROFILE, TMP"
Process "NZXT CAM.exe" was launched with new environment variables: "SYSTEMDRIVE="C:", MEOW="%ALLUSERSPROFILE%\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\", WINDIR="C:\Windows", ELECTRON_INTERNAL_CRASH_SERVICE="1", SYSTEMROOT="C:\Windows""
Process "NZXT CAM.exe" was launched with missing environment variables: "LOCALAPPDATA, PROCESSOR_LEVEL, FP_NO_HOST_CHECK, PROMPT, SESSIONNAME, ALLUSERSPROFILE, PROCESSOR_ARCHITECTURE, PSModulePath, VXDIR, SystemDrive, APPDATA, windows_tracing_logfile, ProgramFiles(x86), CommonProgramFiles, Path, PATHEXT, OS, windows_tracing_flags, COMPUTERNAME, PROCESSOR_REVISION, CommonProgramW6432, ComSpec, ProgramData, ProgramW6432, SystemRoot, PROCESSOR_IDENTIFIER, TMP, CommonProgramFiles(x86), PUBLIC, ProgramFiles, NUMBER_OF_PROCESSORS, windir"
Process "cmd.exe" was launched with new environment variables: "LOCALAPPDATA="C:\Users\%USERNAME%\AppData\Local", PROCESSOR_LEVEL="6", FP_NO_HOST_CHECK="NO", PROMPT="$P$G", SESSIONNAME="Console", ALLUSERSPROFILE="C:\ProgramData", PROCESSOR_ARCHITECTURE="AMD64", PSModulePath="C:\Windows\system32\WindowsPowerShell\v1.0\Modules\;C:\Program Files (x86)\AutoIt3\AutoItX", VXDIR="C:\VxStream", SystemDrive="C:", APPDATA="C:\Users\%USERNAME%\AppData\Roaming", windows_tracing_logfile="C:\BVTBin\Tests\installpackage\csilogfile.log", ProgramFiles(x86)="C:\Program Files (x86)", CommonProgramFiles="C:\Program Files\Common Files", Path="C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\", PATHEXT=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC", OS="Windows_NT", windows_tracing_flags="3", COMPUTERNAME="wv5cOTVxUD", PROCESSOR_REVISION="4f01", CommonProgramW6432="C:\Program Files\Common Files", ComSpec="C:\Windows\system32\cmd.exe", ProgramData="C:\ProgramData", ProgramW6432="C:\Program Files", SystemRoot="C:\Windows", PROCESSOR_IDENTIFIER="Intel64 Family 6 Model 79 Stepping 1, GenuineIntel", TMP="C:\Users\%USERNAME%\AppData\Local\Temp", CommonProgramFiles(x86)="C:\Program Files (x86)\Common Files", PUBLIC="C:\Users\%USERNAME%\Program Files", NODE_ENV="production", NUMBER_OF_PROCESSORS="2", windir="C:\Windows""
Process "cmd.exe" was launched with missing environment variables: "SYSTEMDRIVE, MEOW, WINDIR, ELECTRON_INTERNAL_CRASH_SERVICE, SYSTEMROOT"
Process "NZXT CAM.exe" was launched with new environment variables: "SYSTEMDRIVE="C:", MEOW="C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\", WINDIR="C:\Windows", ELECTRON_INTERNAL_CRASH_SERVICE="1", SYSTEMROOT="C:\Windows""
Process "NZXT CAM.exe" was launched with missing environment variables: "LOCALAPPDATA, PROCESSOR_LEVEL, FP_NO_HOST_CHECK, PROMPT, SESSIONNAME, ALLUSERSPROFILE, PROCESSOR_ARCHITECTURE, PSModulePath, VXDIR, SystemDrive, APPDATA, windows_tracing_logfile, ProgramFiles(x86), CommonProgramFiles, Path, PATHEXT, OS, windows_tracing_flags, COMPUTERNAME, PROCESSOR_REVISION, CommonProgramW6432, ComSpec, ProgramData, ProgramW6432, SystemRoot, PROCESSOR_IDENTIFIER, TMP, CommonProgramFiles(x86), PUBLIC, ProgramFiles, NODE_ENV, NUMBER_OF_PROCESSORS, windir" - source
- Monitored Target
- relevance
- 10/10
-
Reads Windows Trust Settings
- details
- "service.exe" (Path: "HKU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source
- Registry Access
- relevance
- 5/10
- ATT&CK ID
- T1012
-
Runs shell commands
- details
- "/d /s /c "tasklist"" on 2019-11-22.21:58:54.953
- source
- Monitored Target
- relevance
- 5/10
-
Scanning for window names
- details
-
"651b-c0cf-32b2-2d68.exe" searching for class "#32770"
"NZXT CAM.exe" searching for class "Shell_TrayWnd"
"NZXT CAM.exe" searching for class "Chrome_MessageWindow"
"cam_helper.exe" searching for class "MPWClass" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1010
-
Spawns new processes
- details
-
Spawned process "651b-c0cf-32b2-2d68.exe" with commandline "/S"
Spawned process "service.exe" with commandline "install"
Spawned process "service.exe"
Spawned process "NZXT CAM.exe"
Spawned process "NZXT CAM.exe" with commandline "--reporter-url=https://sentry.io/api/1309282/minidump?sentry_key ..."
Spawned process "NZXT CAM.exe" with commandline "--type=gpu-process --disable-features=SpareRendererForSitePerPro ..."
Spawned process "cmd.exe" with commandline "/d /s /c "tasklist""
Spawned process "tasklist.exe"
Spawned process "NZXT CAM.exe" with commandline "--type=renderer --disable-features=SpareRendererForSitePerProces ..."
Spawned process "NZXT CAM.exe" with commandline "--type=gpu-process --disable-features=SpareRendererForSitePerPro ..."
Spawned process "NZXT CAM.exe" with commandline "--type=gpu-process --disable-features=SpareRendererForSitePerPro ..."
Spawned process "cam_helper.exe" with commandline ""--elevation=e508985b-12fc-4f28-b9c4-ddcdedbf53fb" "--run-id=e24 ..."
Spawned process "cam_helper.exe" with commandline "--transfer=a318f3e4-7ad1-466a-88f6-d5f902e5c966 --refresh=745b17 ..."
Spawned process "Hook Helper.exe" with commandline "offsets 274877910024"
Spawned process "NZXT CAM.exe" with commandline "--reporter-url= "--application-name=NZXT CAM" "--crashes-directo ..." - source
- Monitored Target
- relevance
- 3/10
-
Spawns new processes that are not known child processes
- details
-
Spawned process "651b-c0cf-32b2-2d68.exe" with commandline "/S"
Spawned process "service.exe" with commandline "install"
Spawned process "service.exe"
Spawned process "NZXT CAM.exe"
Spawned process "NZXT CAM.exe" with commandline "--reporter-url=https://sentry.io/api/1309282/minidump?sentry_key ..."
Spawned process "NZXT CAM.exe" with commandline "--type=gpu-process --disable-features=SpareRendererForSitePerPro ..."
Spawned process "cmd.exe" with commandline "/d /s /c "tasklist""
Spawned process "tasklist.exe"
Spawned process "NZXT CAM.exe" with commandline "--type=renderer --disable-features=SpareRendererForSitePerProces ..."
Spawned process "NZXT CAM.exe" with commandline "--type=gpu-process --disable-features=SpareRendererForSitePerPro ..."
Spawned process "NZXT CAM.exe" with commandline "--type=gpu-process --disable-features=SpareRendererForSitePerPro ..."
Spawned process "cam_helper.exe" with commandline ""--elevation=e508985b-12fc-4f28-b9c4-ddcdedbf53fb" "--run-id=e24 ..."
Spawned process "cam_helper.exe" with commandline "--transfer=a318f3e4-7ad1-466a-88f6-d5f902e5c966 --refresh=745b17 ..."
Spawned process "Hook Helper.exe" with commandline "offsets 274877910024"
Spawned process "NZXT CAM.exe" with commandline "--reporter-url= "--application-name=NZXT CAM" "--crashes-directo ..." - source
- Monitored Target
- relevance
- 3/10
-
The input sample is signed with a certificate
- details
-
The input sample is signed with a certificate issued by "CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="c 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US" (SHA1: 5B:8F:88:C8:0A:73:D3:5F:76:CD:41:2A:9E:74:E9:16:59:4D:FA:67; see report for more information)
The input sample is signed with a certificate issued by "CN=Symantec Class 3 Extended Validation Code Signing CA - G2, OU=Symantec Trust Network, O=Symantec Corporation, C=US" (SHA1: 03:E9:D8:2B:B1:5A:CC:44:54:20:C0:A5:A9:03:08:D7:C8:6B:4D:BA; see report for more information) - source
- Certificate Data
- relevance
- 10/10
- ATT&CK ID
- T1116
-
The input sample is signed with a valid certificate
- details
- The entire certificate chain of the input sample was validated successfully.
- source
- Certificate Data
- relevance
- 10/10
-
Installation/Persistence
-
Connects to LPC ports
- details
-
"installer.exe" connecting to "\ThemeApiPort"
"651b-c0cf-32b2-2d68.exe" connecting to "\ThemeApiPort"
"NZXT CAM.exe" connecting to "\ThemeApiPort"
"cam_helper.exe" connecting to "\ThemeApiPort"
"Hook Helper.exe" connecting to "\ThemeApiPort" - source
- API Call
- relevance
- 1/10
-
Contains ability to lookup the windows account name
- details
- GetUserNameW@ADVAPI32.dll at 64615-1480-004061DF
- source
- Hybrid Analysis Technology
- relevance
- 5/10
-
Dropped files
- details
-
"AseUSB.inf" has type "Windows setup INFormation ASCII text"
"cpuidsdk64.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"651b-c0cf-32b2-2d68.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows Nullsoft Installer self-extracting archive"
"Graphics Hook.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"firmware-update.exe" has type "PE32+ executable (console) x86-64 for MS Windows"
"StdUtils.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"mchpcdc.inf" has type "Windows setup INFormation ASCII text"
"SiUSBXp86.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"MCP2200DriverInstallationTool.exe" has type "PE32+ executable (GUI) x86-64 for MS Windows"
"libGLESv2.dll" has type "PE32+ executable (DLL) (console) x86-64 for MS Windows"
"v8_context_snapshot.bin" has type "data"
"aseusb.cat" has type "data"
"ffmpeg.dll" has type "PE32+ executable (DLL) (console) x86-64 for MS Windows"
"NZXT_NahimicAPIInstaller.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"natives_blob.bin" has type "data"
"NZXT CAM.exe" has type "PE32+ executable (GUI) x86-64 for MS Windows"
"SeaSonicsESeries64.dll" has type "PE32+ executable (DLL) (console) x86-64 for MS Windows"
"nsProcess.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows" - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"installer.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\counters.dat"
"installer.exe" touched file "%WINDIR%\System32\en-US\msctf.dll.mui"
"installer.exe" touched file "%WINDIR%\System32\rsaenh.dll"
"installer.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
"installer.exe" touched file "%WINDIR%\Fonts\segoeui.ttf"
"installer.exe" touched file "%WINDIR%\Fonts\segoeuib.ttf"
"installer.exe" touched file "%WINDIR%\Fonts\segoeuii.ttf"
"installer.exe" touched file "%WINDIR%\Fonts\segoeuiz.ttf"
"installer.exe" touched file "%WINDIR%\AppPatch\sysmain.sdb"
"installer.exe" touched file "%WINDIR%\System32\en-US\setupapi.dll.mui"
"installer.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "https://curl.haxx.se/docs/http-cookies.html"
Heuristic match: "ftp@example.com"
Heuristic match: "nzxt-app-staging.nzxt.com"
Heuristic match: "nzxt-app.nzxt.com"
Pattern match: "http://s.symcb.com/pca3-g5.crl0"
Pattern match: "http://s.symcd.com0_"
Pattern match: "https://d.symcb.com/cps0%"
Pattern match: "https://d.symcb.com/rpa0"
Pattern match: "http://sw.symcb.com/sw.crl0"
Pattern match: "http://sw.symcd.com0"
Pattern match: "http://sw1.symcb.com/sw.crt0"
Pattern match: "www.digicert.com110/"
Pattern match: "https://www.digicert.com/CPS0"
Pattern match: "http://crl3.digicert.com/sha2-assured-ts.crl02"
Pattern match: "http://crl4.digicert.com/sha2-assured-ts.crl0"
Pattern match: "http://ocsp.digicert.com0O"
Pattern match: "cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0"
Pattern match: "www.digicert.com1$0"
Pattern match: "http://ocsp.digicert.com0C"
Pattern match: "cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0"
Pattern match: "crl4.digicert.com/DigiCertAssuredIDRootCA.crl0"
Pattern match: "crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P"
Pattern match: "www.digicert.com1!0"
Pattern match: "crl3.digicert.com/DigiCertAssuredIDCA-1.crl08"
Pattern match: "crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w"
Pattern match: "http://ocsp.digicert.com0A"
Pattern match: "cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0"
Pattern match: "http://www.digicert.com/ssl-cps-repository.htm0"
Pattern match: "crl3.digicert.com/DigiCertAssuredIDRootCA.crl0"
Pattern match: "https://www.nzxt.com/customer-support"
Heuristic match: "-staging.nzxt.com"
Heuristic match: "aseusb.cat"
Heuristic match: "mchpcdc.cat"
Heuristic match: "api.md"
Heuristic match: "device.md"
Heuristic match: "overlay.md"
Pattern match: "http://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEBkaMst1nJe4z6wRjdU"
Pattern match: "http://sw.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSbgiNwvmjR4M%2B9oE39sZR%2FxyzMPwQUFmbeSjTjUKcRhgOxbKnGrM1ZbpsCEFhZZKCmR48QAF%2Bv"
Pattern match: "https://heapanalytics.com:{supports_spdy:true}}],version:5},network_qualities:{CAESABiAgICA+P////8B:4G"
Pattern match: "https://sentry.io/api/1309282/minidump?sentry_key=4693ff360b9a4e72970c258176aabf3b"
Pattern match: "http://nsis.sf.net/NSIS_Error"
Heuristic match: "Tried to shrink to a larger capacitysrc\liballoc\raw_vec.rs"
Heuristic match: "a Display implementation returned an error unexpectedlycalled `Option::unwrap()` on a `None` valuesrc\libcore\option.rs"
Heuristic match: "serviceservice\src\main.rs"
Heuristic match: "%USERPROFILE%\.cargo\registry\src\github.com-1ecc6299db9ec823\crossbeam-channel-0.3.8\src\flavors\array.rs"
Heuristic match: "C:\Users\%USERNAME%\.cargo\registry\src\github.com-1ecc6299db9ec823\crossbeam-channel-0.3.8\src\flavors\list.rs"
Heuristic match: "internal error: entered unreachable codeC:\Users\%USERNAME%\.cargo\registry\src\github.com-1ecc6299db9ec823\crossbeam-channel-0.3.8\src\flavors\zero.rs"
Heuristic match: "cannot access a TLS value during or after it is destroyedalready borrowedcalled `Option::unwrap()` on a `None` valuesrc\libcore\option.rs"
Heuristic match: "C:\Users\%USERNAME%\.cargo\registry\src\github.com-1ecc6299db9ec823\crossbeam-channel-0.3.8\src\channel.rs"
Heuristic match: "internal error: entered unreachable codesrc\liballoc\raw_vec.rs"
Heuristic match: "a Display implementation returned an error unexpectedlyalready borrowedalready mutably borrowedcalled `Option::unwrap()` on a `None` valuesrc\libcore\option.rs"
Heuristic match: "deps\ipc-channel\src\platform\windows\mod.rs"
Heuristic match: "deps\ipc-channel\src\platform\windows\aliased_cell.rs"
Heuristic match: "failed to fill whole bufferTried to shrink to a larger capacitysrc\liballoc\raw_vec.rs"
Heuristic match: "C:\Users\%USERNAME%\.cargo\registry\src\github.com-1ecc6299db9ec823\rand-0.4.6\src\os.rs"
Heuristic match: "C:\Users\%USERNAME%\.cargo\registry\src\github.com-1ecc6299db9ec823\rand-0.4.6\src\lib.rs"
Heuristic match: "common_winapi_handlecommon\winapi-handle\src\lib.rs"
Heuristic match: "/rustc/625451e376bb2e5283fc4741caa0a3e8a2ca4d54\src\libcore\mem\mod.rs"
Heuristic match: "/rustc/625451e376bb2e5283fc4741caa0a3e8a2ca4d54\src\libcore\str\pattern.rs"
Heuristic match: "assertion failed: self.is_char_boundary(new_len)src\liballoc\string.rs"
Heuristic match: "C:\Users\%USERNAME%\.cargo\registry\src\github.com-1ecc6299db9ec823\backtrace-0.3.34\src\backtrace\dbghelp.rs"
Heuristic match: "AccessErrorcannot access a TLS value during or after it is destroyeduse of std::thread::current() is not possible after the thread's local data has been destroyedsrc\libstd\thread\mod.rs"
Heuristic match: "src\libstd\env.rs"
Heuristic match: "src\libstd\io\stdio.rs"
Heuristic match: ".:..src\libstd\path.rs"
Heuristic match: "src\libstd\sync\condvar.rs"
Heuristic match: "src\libstd\sync\once.rs"
Heuristic match: "supplied instant is later than selfoverflow when adding duration to instantsrc\libstd\sys_common\at_exit_imp.rs"
Heuristic match: "PoisonError { inner: .. }RUST_MIN_STACKsrc\libstd\sys_common\thread_info.rs"
Heuristic match: "src\libstd\sys_common\mod.rs"
Heuristic match: "src\libstd\sys\windows\args.rs"
Heuristic match: "src\libstd\sys\windows\mutex.rs"
Heuristic match: "src\libstd\sys\windows\path.rs"
Heuristic match: "src\libstd\sys\windows\thread_local.rs"
Heuristic match: "src\libstd\sys\windows\time.rs"
Heuristic match: "strings passed to WinAPI cannot contain NULsSetThreadStackGuaranteeSetThreadDescriptionSleepConditionVariableSRWsrc\libstd\sys\windows\c.rs"
Heuristic match: "src\libstd\sys\windows\stdio.rs"
Heuristic match: "src\libcore\char\methods.rs"
Heuristic match: "C:\Users\%USERNAME%\.cargo\registry\src\github.com-1ecc6299db9ec823\rustc-demangle-0.1.15\src\v0.rs"
Heuristic match: "/rustc/625451e376bb2e5283fc4741caa0a3e8a2ca4d54\src\libcore\fmt\mod.rs"
Heuristic match: "src\libcore\num\flt2dec\strategy\dragon.rs"
Heuristic match: "src\libcore\num\flt2dec\strategy\grisu.rs"
Heuristic match: "src\libcore\num\flt2dec\mod.rs"
Heuristic match: "src\libcore\result.rs"
Heuristic match: "src\libcore\str\pattern.rs"
Heuristic match: "src\libcore\fmt\mod.rs"
Heuristic match: "kindEmptysrc\libcore\num\bignum.rs"
Heuristic match: "src\libcore\num\bignum.rs"
Heuristic match: "service::winhelper::signatureservice\src\winhelper\signature.rs"
Heuristic match: "service::serviceservice\src\main.rs"
Heuristic match: "C:\Users\%USERNAME%\.cargo\registry\src\github.com-1ecc6299db9ec823\crossbeam-channel-0.3.8\src\flavors\zero.rs"
Heuristic match: "internal error: entered unreachable codeC:\Users\%USERNAME%\.cargo\registry\src\github.com-1ecc6299db9ec823\crossbeam-channel-0.3.8\src\flavors\after.rs"
Pattern match: "http://schemas.microsoft.com/SMI/2005/WindowsSettings"
Pattern match: "https://www.nzxt.com/camapp"
Pattern match: "https://github.com/NZXTCorp/electron-builder/releases/download/electron-updater-v4.0.14-elevation-helper/electron-updater-4.0.14.tgz"
Pattern match: "https://developer.mozilla.org/en-US/docs/Web/API/IDBFactory/databases"
Pattern match: "http://www.w3.org/2000/svg"
Pattern match: "http://www.bohemiancoding.com/sketch"
Pattern match: "https://sketchapp.com"
Pattern match: "https://sketch.com"
Pattern match: "http://www.w3.org/1999/xlink"
Pattern match: "http://www.apache.org/licenses/LICENSE-2.0"
Pattern match: "https://github.com/jprichardson/node-fs-extra/pull/141,o="
Pattern match: "http://goo.gl/MqrFmX\n"
Heuristic match: "/rustc/625451e376bb2e5283fc4741caa0a3e8a2ca4d54\src\liballoc\vec.rs"
Heuristic match: "C:\Users\%USERNAME%\.cargo\registry\src\github.com-1ecc6299db9ec823\smallvec-0.6.9\lib.rs"
Heuristic match: "nzxt-device\src\bin\firmware-update\usb\mod.rs"
Heuristic match: "unexpected invalid UTF-8 code pointcalled `Option::unwrap()` on a `None` valuesrc\libcore\option.rs"
Heuristic match: "nzxt-device\src\bin\firmware-update\usb\device.rs"
Heuristic match: "pBcalled `Option::unwrap()` on a `None` valuesrc\libcore\option.rs"
Heuristic match: "C:\Users\%USERNAME%\.cargo\registry\src\github.com-1ecc6299db9ec823\crossbeam-channel-0.3.8\src\select.rs"
Heuristic match: "nzxt-device\src\device\firmware_info.rs"
Heuristic match: "nzxt_device::device::usb::win32nzxt-device\src\device\usb\win32.rs"
Heuristic match: "receiving on an empty and disconnected channelRecvErrorcalled `Option::unwrap()` on a `None` valuesrc\libcore\option.rs"
Heuristic match: "a Display implementation returned an error unexpectedlyalready borrowedcalled `Option::unwrap()` on a `None` valuesrc\libcore\option.rs"
Pattern match: "https://github.com/clap-rs/clap/issues"
Heuristic match: "next_float: argument is NaNsrc\libcore\num\dec2flt\rawfp.rs"
Heuristic match: "C:\Users\%USERNAME%\.cargo\registry\src\github.com-1ecc6299db9ec823\clap-2.33.0\src\app\mod.rs"
Heuristic match: "C:\Users\%USERNAME%\.cargo\registry\src\github.com-1ecc6299db9ec823\clap-2.33.0\src\args\group.rs"
Heuristic match: "C:\Users\%USERNAME%\.cargo\registry\src\github.com-1ecc6299db9ec823\clap-2.33.0\src\args\arg_matcher.rs"
Pattern match: "https://github.com/clap-rs/clap/issuesstream"
Heuristic match: "C:\Users\%USERNAME%\.cargo\registry\src\github.com-1ecc6299db9ec823\clap-2.33.0\src\app\validator.rs"
Heuristic match: "src\libstd\sys\windows\rand.rs"
Heuristic match: "Windows stdin in console mode does not support non-UTF-16 input; encountered unpaired surrogatesrc\libstd\sys\windows\stack_overflow.rs"
Heuristic match: "src\libcore\num\dec2flt\algorithm.rs"
Heuristic match: "assertion failed: x.bit_length() < 64src\libcore\num\dec2flt\num.rs"
Heuristic match: "src\libcore\num\dec2flt\num.rs"
Heuristic match: "src\libcore\num\dec2flt\rawfp.rs"
Heuristic match: "src\libcore\num\dec2flt\mod.rs"
Heuristic match: "src\libcore\num\mod.rs"
Heuristic match: "src\libcore\ascii.rs"
Pattern match: "http://appsyndication.org/2006/appsyn"
Pattern match: "appsyndication.org/2006/appsyn"
Heuristic match: "CatalogFile=%MFGFILENAME%.cat"
Heuristic match: "CatalogFile=AseUSB.cat" - source
- File/Memory
- relevance
- 10/10
-
Remote Access Related
-
Contains references to WMI/WMIC
- details
-
"WmiPrvSE.exe" (Indicator: "wmiprvse.exe")
"%WINDIR%\system32\wbem\wmiprvse.exe" (Indicator: "wmiprvse.exe") - source
- File/Memory
- relevance
- 10/10
- ATT&CK ID
- T1047
-
System Security
-
Creates or modifies windows services
- details
-
"installer.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
"service.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\CAM SERVICE")
"service.exe" (Access type: "SETVAL"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES\EVENTLOG\APPLICATION\CAM SERVICE"; Key: "EVENTMESSAGEFILE"; Value: "%PROGRAMFILES%\NZXT CAM\resources\app.asar.unpacked\node_modules\@nzxt\rust-cam\dist\native\target\release\service.exe")
"service.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
"NZXT CAM.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
"cam_helper.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
"cam_helper.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CONTROLSET001\SERVICES") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"installer.exe" opened "\Device\KsecDD"
"651b-c0cf-32b2-2d68.exe" opened "\Device\KsecDD"
"service.exe" opened "\Device\KsecDD"
"NZXT CAM.exe" opened "\Device\KsecDD"
"tasklist.exe" opened "\Device\KsecDD"
"cam_helper.exe" opened "\Device\KsecDD" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
-
"Graphics Hook.dll" was detected as "Borland Delphi 3.0 (???)"
"NZXT_NahimicAPIInstaller.exe" was detected as "VC8 -> Microsoft Corporation"
"Hook Helper.exe" was detected as "VC8 -> Microsoft Corporation"
"nsis7z.dll" was detected as "Borland Delphi 3.0 (???)"
"KrakenDriver.exe" was detected as "Microsoft visual C# v7.0 / Basic .NET"
"cpuidsdk.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
"ChipsetDriver.exe" was detected as "Microsoft visual C# v7.0 / Basic .NET"
"MCP2200DriverInstallationTool.exe" was detected as "VC8 -> Microsoft Corporation" - source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1045
File Details
installer.exe
- Filename
- installer.exe
- Size
- 1.6MiB (1633864 bytes)
- Type
- peexe 64bits executable
- Description
- PE32+ executable (GUI) x86-64, for MS Windows
- Architecture
- WINDOWS
- SHA256
- fb0e642ccbe2073270a13c6a522490f7ba6a15774626277d42476be1ebf69d3d
- MD5
- 6f7ffeadb86267d5980c760febe232c3
- SHA1
- a3424b99c09700177d05c0cff9bcab11ff89be7a
- ssdeep
- 49152:KtpmhbJ2sG4T0WDBV7apzUSK0FNTw+psUMhTA+CCvP:+O53aoisNP
- imphash
- 94f799f185bae696de7f6a1e7f529bdc
- authentihash
- f035bdd7b24684b0e147c062542a5c40a49d1bc12cbdbff2db1447c4a05ae88b
- PDB Timestamp
- 09/12/2019 02:44:50 (UTC)
- PDB Pathway
- C:\NZXT\one-click-install\x64\Release\one-click-install.pdb
- PDB GUID
- 8234008BF6E34166BF73DDE9BB64A457
Classification (TrID)
- 33.6% (.EXE) OS/2 Executable (generic)
- 33.1% (.EXE) Generic Win/DOS Executable
- 33.1% (.EXE) DOS Executable Generic
File Metadata
- 1 .BAS Files compiled with C2.EXE 5.00 (Visual Studio 5) (build: 25711)
- 100 .OBJ Files (COFF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 24215)
- 18 .OBJ Files (OMF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 26730)
- 1 .RES Files linked with CVTRES.EXE 5.00 (Visual Studio 5) (build: 25711)
- 37 .OBJ Files (COFF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 26706)
- 125 .OBJ Files (OMF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 26706)
- 9 .OBJ Files (OMF) linked with LINK.EXE 5.10 (Visual Studio 5) (build: 26706)
- 7 .OBJ Files linked with ALIASOBJ.EXE 11.00 (Internal OLDNAMES.LIB Tool) (build: 41118)
- 13 .OBJ Files (OMF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 26431)
- 195 .OBJ Files (OMF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 25711)
- 20 .OBJ Files (COFF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 25711)
- 12 .OBJ Files (OMF) linked with LINK.EXE 5.10 (Visual Studio 5) (build: 25711)
File Sections
File Resources
File Imports
File Certificates
Certificate chain was successfully validated.
Owner | Issuer | Validity | Hashes (MD5, SHA1) |
---|---|---|---|
CN=Symantec Class 3 Extended Validation Code Signing CA - G2, OU=Symantec Trust Network, O=Symantec Corporation, C=US | CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="c 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US; Serial: 191a32cb759c97b8cfac118dd5127f49 | 03/04/2014 00:00:00 to 03/03/2024 23:59:59 | 5C:FF:C3:DE:D2:AD:28:15:22:93:34:96:39:C5:49:64, 5B:8F:88:C8:0A:73:D3:5F:76:CD:41:2A:9E:74:E9:16:59:4D:FA:67 |
CN="NZXT, Inc.", O="NZXT, Inc.", L=City of Industry, ST=California, C=US, SERIALNUMBER=5707170, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.1=City of Industry, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US | CN=Symantec Class 3 Extended Validation Code Signing CA - G2, OU=Symantec Trust Network, O=Symantec Corporation, C=US; Serial: 4b289c0d4e39cf49d9f5b560a98817c2 | 10/23/2018 00:00:00 to 10/16/2019 23:59:59 | 0F:BB:AE:15:A5:A6:20:6F:2A:39:42:E8:01:AA:24:18, 03:E9:D8:2B:B1:5A:CC:44:54:20:C0:A5:A9:03:08:D7:C8:6B:4D:BA |
Screenshots
Hybrid Analysis
Analysed 16 processes in total.
- installer.exe (PID: 2120) (AV detections: 1/81)
- 651b-c0cf-32b2-2d68.exe /S (PID: 2072)
  - service.exe install (PID: 3424)
- NZXT CAM.exe (PID: 3028)
  - NZXT CAM.exe --reporter-url=https://sentry.io/api/1309282/minidump?sentry_key=4693ff360b9a4e72970c258176aabf3b "--application-name=NZXT CAM" "--crashes-directory=%TEMP%\NZXT CAM Crashes" --v=1 (PID: 4084)
  - NZXT CAM.exe --type=gpu-process --disable-features=SpareRendererForSitePerProcess --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=11412982229828634726 --mojo-platform-channel-handle=1176 --ignored=" --type=renderer " /prefetch:2 (PID: 3260)
- cmd.exe /d /s /c "tasklist" (PID: 2228)
  - tasklist.exe (PID: 3988)
- NZXT CAM.exe --type=renderer --disable-features=SpareRendererForSitePerProcess --service-pipe-token=4843025526870636708 --lang=en-US --app-user-model-id=NZXT.CAM --app-path="%PROGRAMFILES%\NZXT CAM\resources\app.asar" --node-integration --no-sandbox --no-zygote --background-color=#00000 --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=4843025526870636708 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2080 /prefetch:1 (PID: 3080)
- cam_helper.exe "--elevation=e508985b-12fc-4f28-b9c4-ddcdedbf53fb" "--run-id=e24b03369963491ab0082491691c78a1" "--app-version=NZXT CAM@4.1.0" "--env=production" "--log-dir=%APPDATA%\NZXT CAM" (PID: 3824)
  - cam_helper.exe --transfer=a318f3e4-7ad1-466a-88f6-d5f902e5c966 --refresh=745b1709-0a59-4559-aa82-c00f2debf553 --run-id=e24b03369963491ab0082491691c78a1 "--app-version=NZXT CAM@4.1.0" --env=production "--log-dir=%APPDATA%\NZXT CAM" (PID: 1300)
  - Hook Helper.exe offsets 274877910024 (PID: 2924) (AV detections: 1/65)
- cam_helper.exe "--elevation=e508985b-12fc-4f28-b9c4-ddcdedbf53fb" "--run-id=e24b03369963491ab0082491691c78a1" "--app-version=NZXT CAM@4.1.0" "--env=production" "--log-dir=%APPDATA%\NZXT CAM" (PID: 3824)
  - NZXT CAM.exe --type=gpu-process --disable-features=SpareRendererForSitePerProcess --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --service-request-channel-token=8168898515963140389 --mojo-platform-channel-handle=1176 --ignored=" --type=renderer " /prefetch:2 (PID: 3292)
  - NZXT CAM.exe --type=gpu-process --disable-features=SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --use-gl=swiftshader-webgl --service-request-channel-token=2711389636016992580 --mojo-platform-channel-handle=2264 /prefetch:2 (PID: 1280)
  - NZXT CAM.exe --reporter-url= "--application-name=NZXT CAM" "--crashes-directory=%TEMP%\NZXT CAM Crashes" --v=1 (PID: 3652)
- 651b-c0cf-32b2-2d68.exe /S (PID: 2072)
  - service.exe (PID: 2116)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
nzxt-app.nzxt.com | 13.249.87.73 | TUCOWS, INC. | United States |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
13.249.87.73 | 80 TCP | installer.exe PID: 2120 | United States |
52.218.221.64 | 49311 TCP | nzxt cam.exe PID: 3028 | United States |
35.167.7.225 | 49316 TCP | nzxt cam.exe PID: 3028 | United States |
99.84.174.17 | 49317 TCP | nzxt cam.exe PID: 3028 | United States |
35.188.42.15 | 49318 TCP | nzxt cam.exe PID: 3080, cam_helper.exe PID: 1300 | United States |
18.214.22.168 | 49319 TCP | nzxt cam.exe PID: 3028 | United States |
HTTP Traffic
Endpoint | Request | URL | Raw Request |
---|---|---|---|
13.249.87.73:80 (nzxt-app.nzxt.com) | GET | nzxt-app.nzxt.com/latest.yml | GET /latest.yml HTTP/1.1<br>Host: nzxt-app.nzxt.com<br>User-Agent: Forge Installer 1.0<br>Accept: */* |
13.249.87.73:80 (nzxt-app.nzxt.com) | GET | nzxt-app.nzxt.com/NZXT%20CAM%20Setup%204.1.0.exe | GET /NZXT%20CAM%20Setup%204.1.0.exe HTTP/1.1<br>Host: nzxt-app.nzxt.com<br>User-Agent: Forge Installer 1.0<br>Accept: */* |
Memory Forensics
String | Context | Stream UID |
---|---|---|
http://nsis.sf.net/nsis_error | Domain/IP reference | 00038808-00002072-17935-72-00402EDD |
Extracted Strings
Extracted Files
Displaying 64 extracted file(s). The remaining 287 file(s) are available in the full version and XML/JSON reports.
Malicious (1)

Hook Helper.exe
- Size: 314KiB (321664 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result: Labeled as "Gen:NN.ZexaE.31176" (1/65)
- Runtime Process: Hook Helper.exe (PID: 2924)
- MD5: edbca066a44c26ce4d9d1b52f26bb068
- SHA1: b392aa664bcaf45ae2a4ddf17b8e46f560110bec
- SHA256: 734b7719b824b3bb0f1eaa484fc74db7009bfe247a2c8a587c7c0cb1708efaea

Clean (21)

d3dcompiler_47.dll
- Size: 4.1MiB (4346120 bytes)
- Type: pedll 64bits executable
- Description: PE32+ executable (DLL) (console) x86-64, for MS Windows
- AV Scan Result: 0/67
- Runtime Process: 651b-c0cf-32b2-2d68.exe (PID: 2072)
- MD5: 222d020bd33c90170a8296adc1b7036a
- SHA1: 612e6f443d927330b9b8ac13cc4a2a6b959cee48
- SHA256: 4432bbd1a390874f3f0a503d45cc48d346abc3a8c0213c289f4b615bf0ee84f3

ffmpeg.dll
- Size: 2MiB (2131456 bytes)
- Type: pedll 64bits executable
- Description: PE32+ executable (DLL) (console) x86-64, for MS Windows
- AV Scan Result: 0/82
- Runtime Process: NZXT CAM.exe (PID: 3260)
- MD5: c23301f1e6c1f8116edfb55408cd7c2a
- SHA1: b0f0a8af7576eba7fdd2509a4b138eac775df4bd
- SHA256: a70c01724f320e014939735d11241a7e321b0838b2137899885000e425edfc09

natives_blob.bin
- Size: 81KiB (83328 bytes)
- Type: data
- AV Scan Result: 0/69
- Runtime Process: 651b-c0cf-32b2-2d68.exe (PID: 2072)
- MD5: e350965916554e65a47305a6ab27c2ba
- SHA1: 9d60e499a907811a3155e9a07f8645d6c83cb909
- SHA256: 1cae202ada016cf455abf69d583524a1d37a1371ad4efdfac4baed07c6402bdd

service.exe
- Size: 544KiB (557184 bytes)
- Type: peexe 64bits executable
- Description: PE32+ executable (console) x86-64, for MS Windows
- AV Scan Result: 0/68
- Runtime Process: service.exe (PID: 2116)
- MD5: bd00c102e7a1064038555704e15ea2b1
- SHA1: d151e2cd3430f00af542c0c42360da303b309af2
- SHA256: f22635fa680cf0f16418f8856a5a4f1682d868b701f349e1dc402c1430361192

SiUSBXp64.dll
- Size: 82KiB (83456 bytes)
- Type: pedll 64bits executable
- Description: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result: 0/57
- Runtime Process: NZXT CAM.exe (PID: 3080)
- MD5: 136170b033767c7b4070a6d92c50f85a
- SHA1: e83dea492fc005de3c12f789ddbfc0916ea999c5
- SHA256: 72b2ebc4399a642b34bb2244b1aac6c0873748d6ddc9bd24c9f61462d0c073cc

cpuidsdk64.dll
- Size: 1.6MiB (1702400 bytes)
- Type: pedll 64bits executable
- Description: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result: 0/69
- Runtime Process: cam_helper.exe (PID: 1300)
- MD5: ddcf50afe97da3c5d9c8a16e5bdfa6fb
- SHA1: 93b90e74d103988490a7c283b513ab4498746ed0
- SHA256: a553626ee5bc1ff7444246b15908a9c21344e9fbd6d4fa11f6f8805c57b71f93

aseusb.cat
- Size: 11KiB (11289 bytes)
- Type: data
- AV Scan Result: 0/67
- Runtime Process: 651b-c0cf-32b2-2d68.exe (PID: 2072)
- MD5: 6ded424fe8ffacf1a1821d8630c455ee
- SHA1: a9a3807c4cda750d2720ee9322dd3d134d486b48
- SHA256: 19228e0b79b02110182391401571d2cae966d91536f4b085f24178b700bad9d2

snapshot_blob.bin
- Size: 281KiB (287384 bytes)
- Type: data
- AV Scan Result: 0/57
- Runtime Process: 651b-c0cf-32b2-2d68.exe (PID: 2072)
- MD5: e12844b5baa65936fa96fcd333ffbee7
- SHA1: 57d0a5568755e98d6419c6846a175dc846275ed8
- SHA256: af9578992a02006fb85925ae2fef4e880a54f716495338cdf87ee3372a5aeb6e

v8_context_snapshot.bin
- Size: 673KiB (688952 bytes)
- Type: data
- AV Scan Result: 0/68
- Runtime Process: 651b-c0cf-32b2-2d68.exe (PID: 2072)
- MD5: 672ea3db0155a4fafdf701d92349a3ce
- SHA1: a819f43c28779e5560268880d001732f3fc9da27
- SHA256: 48b67d949d11961434bc2e738e7afee9d8bed80380f8a32ae6c281ca32cbd76a

StdUtils.dll
- Size: 101KiB (103424 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result: 0/82
- Runtime Process: 651b-c0cf-32b2-2d68.exe (PID: 2072)
- MD5: 33b4e69e7835e18b9437623367dd1787
- SHA1: 53afa03edaf931abdc2d828e5a2c89ad573d926c
- SHA256: 72d38ef115e71fc73dc5978987c583fc8c6b50ff12e4a5d30649a4d164a8b6ae

nsProcess.dll
- Size: 4.5KiB (4608 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/76
- Runtime Process: 651b-c0cf-32b2-2d68.exe (PID: 2072)
- MD5: f0438a894f3a7e01a4aae8d1b5dd0289
- SHA1: b058e3fcfb7b550041da16bf10d8837024c38bf6
- SHA256: 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

nsis7z.dll
- Size: 391KiB (400384 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/70
- Runtime Process: 651b-c0cf-32b2-2d68.exe (PID: 2072)
- MD5: c6a070b3e68b292bb0efc9b26e85e9cc
- SHA1: 5a922b96eda6595a68fd0a9051236162ff2e2ada
- SHA256: 66ac8bd1f273a73e17a3f31d6add739d3cb0330a6417faeda11a9cae00b62d8b

Graphics Hook.dll
- Size: 1005KiB (1029248 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/69
- MD5: 3a01ef34c92c3b0d10642902508eec70
- SHA1: cd0eeb2195b5726dd0518473242daf00f1e03a85
- SHA256: b15e2b355d82fe9368e3404cf0e849a63d9cc8673edf45d62e92a9c39956a904

SiUSBXp86.dll
- Size: 88KiB (90112 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/80
- MD5: 8d32be58b5f5bd7317628bf6be577db7
- SHA1: c43bce281cdb08c4b36d7c15b2817c901b75a9ee
- SHA256: 4cb634e37c2622afbcddf706868f4e992db59b7bbb6f99820ec636307f833c32

MCP2200DriverInstallationTool.exe
- Size: 899KiB (920928 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/70
- MD5: 302435e5b928494cc1f87142b1914cc9
- SHA1: 0694e2beab8e84aead9e5cb9c09643a348ec6ea5
- SHA256: 3094ada786b735aaa774b86c29e53a3cf43d9abf446bb6a63effaafc25428bfa

Uninstall NZXT CAM.exe
- Size: 164KiB (167736 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- AV Scan Result: 0/66
- MD5: 5e675e8b4d8a6f7bcd038e97989d0eca
- SHA1: 648805359110a313df5cc990078da797a9c9da14
- SHA256: 255887cae277f1dde9a4e3f197de568a921a018799def06499823543f7d038be

KrakenDriver.exe
- Size: 8.5KiB (8704 bytes)
- Type: peexe assembly executable
- Description: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result: 0/61
- MD5: 19f3ddcc8c2bd22b6dd1e7a3856706a4
- SHA1: a70278df249758fc6c84bb4558bed0f8a6240c4f
- SHA256: b08a333f11155e6f8e33e6fb0abbe6bf1a7df20024566c664c0a752261c47c60

Graphics Hook64.dll
- Size: 1.1MiB (1178752 bytes)
- Type: pedll 64bits executable
- Description: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result: 0/69
- MD5: ae42bf3c4516969094d81015426ade0e
- SHA1: c00f8b3affb5bf2f531e43de7a11e7641aa71636
- SHA256: f72611a69a7fb95b54cb5cc9668c84fdfc3328568b58142692725c36af4fe5a4

cpuidsdk.dll
- Size: 1.4MiB (1431552 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result: 0/68
- MD5: dd0c0bd018af04272b0b66c63bb5069d
- SHA1: 359cd5998657db499f80922894758e124047fc4e
- SHA256: 40d73b7278aea28aca97a675c6f0bbd7680c290e974ff96e68a8bbd144bfa061

libGLESv2.dll
- Size: 2.6MiB (2680320 bytes)
- Type: pedll 64bits executable
- Description: PE32+ executable (DLL) (console) x86-64, for MS Windows
- AV Scan Result: 0/69
- MD5: b999bf6fc8dd9962437a9a60e88e0cf2
- SHA1: 056f1a05ce95abc7826d94af6a08c73197b342c0
- SHA256: b351ad7d6503b390e71e8f1ea3ca50cb599bc107fe24434f79f96fd7efc0e12b

ChipsetDriver.exe
- Size: 8.5KiB (8704 bytes)
- Type: peexe assembly executable
- Description: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result: 0/57
- MD5: 9f237625c35200703e888c6f286fd90f
- SHA1: 7db8c1a230c1d852115d531582183dbfd6474cf8
- SHA256: 63bebc89b8856b0a5711e53f395994e690411697f4a7eac296d9e5f92013a801

Informative Selection (2)

LOG
- Size: 45B (45 bytes)
- Type: text
- Description: ASCII text
- Runtime Process: NZXT CAM.exe (PID: 3028)
- MD5: 0de554540b2a5d8864bfe522ead118d5
- SHA1: 04a7e50254c15cd0ef4e218d27a4758c444a2da7
- SHA256: fc975e92395f396cd334a3e7a7902cd64813f4a88d4410c705e32fef9cfec366

mchpcdc.inf
- Size: 3.9KiB (3985 bytes)
- Type: text
- Description: Windows setup INFormation, ASCII text
- Runtime Process: 651b-c0cf-32b2-2d68.exe (PID: 2072)
- MD5: 0c327447b134e61b2e3a4cd55f8f8404
- SHA1: 3799310cf1575f3d7e1df7cac425bc61df36e009
- SHA256: 9f089bc68790f6d67f4db9244810778266a84f58bc7bd89e92e5caa2524a4dd6

Informative (40)

.updaterId
- Size: 36B (36 bytes)
- Runtime Process: NZXT CAM.exe (PID: 3028)
- MD5: bf53ef5494e8437952a49de1d621606a
- SHA1: e79ac7acf72506738eadb19bd8bbebece8e46f80
- SHA256: 3662944eccc0f547014e5210495fb29f638cdde84d8851a63be1b16c858a8e58

000002.dbtmp
- Size: 16B (16 bytes)
- Runtime Process: NZXT CAM.exe (PID: 3028)
- MD5: 206702161f94c5cd39fadd03f4014d98
- SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
- SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

data_0
- Size: 8.1KiB (8300 bytes)
- Runtime Process: NZXT CAM.exe (PID: 3028)
- MD5: fcb27e0536d3f0414d198c60595700ad
- SHA1: 1ee27da4331e09061ae9cdb03bef1e64917be06f
- SHA256: 5dbeec8e5e3268f0b5449b5a0d69687125432c54de303f9216ae1d4916a22dc4

data_1
- Size: 8.3KiB (8488 bytes)
- Runtime Process: NZXT CAM.exe (PID: 3028)
- MD5: 16c8e059885deb6902766cb6cd8edaae
- SHA1: eec7ca81a9b975bd6a396a75a8363437c55be779
- SHA256: ac13860c69f1ac63feab5e926599a8e99d5552300ec097eb755d11768f427a03

data_2
- Size: 8KiB (8192 bytes)
- Runtime Process: NZXT CAM.exe (PID: 3028)
- MD5: 0962291d6d367570bee5454721c17e11
- SHA1: 59d10a893ef321a706a9255176761366115bedcb
- SHA256: ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

data_3
- Size: 22KiB (22612 bytes)
- Runtime Process: NZXT CAM.exe (PID: 3028)
- MD5: a32fcf194663c66f6cef5743e9fdac97
- SHA1: af48b762cd4b6df38b9b2de9d970dd5200fe7744
- SHA256: 82887f40508ea679d93706d33b491a55403fae52a25d04b0e457b8f1a089e7f3

f_000001
- Size: 29KiB (29805 bytes)
- Runtime Process: NZXT CAM.exe (PID: 3028)
- MD5: df74fa9937f7e9ea7592acd43a5252ba
- SHA1: bf14dec0840f7896e7c204ba05d3fb43bcbb906b
- SHA256: ce2b063ed0ecfc62b208b8978fa6dd820dca030be75b5bd1953e31cd3269ed9d

index
- Size: 368B (368 bytes)
- Runtime Process: NZXT CAM.exe (PID: 3028)
- MD5: eb8a90dc1d1f55dfa33e024c6b4d9567
- SHA1: 71753f7b45c95f45bb6d8686a0e62f15b6488eb4
- SHA256: 00c20c91ff51cb86aec6a8fb8219e237546f273dca834a86b0356f6ca36877d4

temp-index
- Size: 48B (48 bytes)
- Runtime Process: NZXT CAM.exe (PID: 3028)
- MD5: 43f1bf95ec32a77873757a0f7d225047
- SHA1: f0124ce39e608a5db111d695e96294c416bc3cf3
- SHA256: af96ef82bd133af2c2cf47d86e08de452e2a12269fcea702aee6063f5ad2b07c

Cookies
- Size: 20KiB (20480 bytes)
- Runtime Process: NZXT CAM.exe (PID: 3028)
- MD5: 20dca36fe9ef3579a4bd794d6badd02d
- SHA1: cdc96e8d585b14842ea5d7b673fc62407c50a9be
- SHA256: 62ca19008990866d73b6292d891278ba926331b3caa1cac01a1a25b81f8d534a

Cookies-journal
- Size: 4.5KiB (4616 bytes)
- Runtime Process: NZXT CAM.exe (PID: 3028)
- MD5: 4c8bc8c6f7946022587a5a6f5ddc3707
- SHA1: 92e40608769fbbb0949cc81da5f4ae82abc303be
- SHA256: 65dd41239417b9f87e82768865bb21d3be30eb83bb8372258a7e58f880719403

000001.dbtmp
- Size: 16B (16 bytes)
- Runtime Process: NZXT CAM.exe (PID: 3028)
- MD5: 46295cac801e5d4857d09837238a6394
- SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
- SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

000003.log
- Size: 993B (993 bytes)
- Runtime Process: NZXT CAM.exe (PID: 3028)
- MD5: 7e4c2b6607bd9da7c5d577ba296cb855
- SHA1: 9da59f945448e0ac108b7d50401edda92e090b2d
- SHA256: 8a7e61594aa739fdc6c08ca19aa58b50a94a9bb76c41a4fa93e4b8ca791d9bf1

MANIFEST-000001
- Size: 41B (41 bytes)
- Runtime Process: NZXT CAM.exe (PID: 3028)
- MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
- SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
- SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

MANIFEST-000002
- Size: 50B (50 bytes)
- Runtime Process: NZXT CAM.exe (PID: 3028)
- MD5: 22bf0e81636b1b45051b138f48b3d148
- SHA1: 56755d203579ab356e5620ce7e85519ad69d614a
- SHA256: e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97

QuotaManager
- Size: 52KiB (53248 bytes)
- Runtime Process: NZXT CAM.exe (PID: 3028)
- MD5: 7c47be1bc7737f3e9aaad689ee4526bf
- SHA1: 9e5216c94d1403514fc292ef14addbc73f1055b7
- SHA256: 4e85e65fc22320c9aea24c873e9430a0d31efa9c2571d077579dda553e42c396

QuotaManager-journal
- Size: 25KiB (25136 bytes)
- Runtime Process: NZXT CAM.exe (PID: 3028)
- MD5: ec58a53c2fc3ddb2414267f61e5d413d
- SHA1: f886480f1b2878a4f31e4066fd0d438fdf27f7af
- SHA256: 1ebe08995f31328eda32dabb3791965b59d4cbbcf158462eeb82cb54589e039b

af3c18d0-b10f-40a5-b190-bc3e6b7724b6.tmp
- Size: 163B (163 bytes)
- Runtime Process: NZXT CAM.exe (PID: 3028)
- MD5: e0b403164bdad9522cfc4487283193b5
- SHA1: dabb9ea9b236db3101acc9e2a7d2c1d05e93c24b
- SHA256: ff15d2fb996250c879b3da796a44512cde8dec5efb39e5b27e091523cc513310

cam.log
- Size: 5.5KiB (5644 bytes)
- Runtime Process: NZXT CAM.exe (PID: 3080)
- MD5: 81513ef1fe3b99b253fd535a99b0aedf
- SHA1: ed691c7e9f483697a34618d3a924c22306e06efb
- SHA256: 5048dd36920d69d5d89635b9858a38c7ddacc48a2e23be74371700a94026966f

NZXT CAM.exe
- Size: 4.8MiB (4980736 bytes)
- Type: peexe 64bits executable
- Description: PE32+ executable (GUI) x86-64, for MS Windows
- Runtime Process: installer.exe (PID: 2120)
- MD5: 0d364dfd8631660867e3447601ccd99e
- SHA1: 9bc5b9199f1f1fea2c0cf958aa69a94a043b42e4
- SHA256: 4edb80d300a4a5134a280ac69ba95d638d929cac77db429434dcafad5ada68d7

libEGL.dll
- Size: 137KiB (140288 bytes)
- Runtime Process: 651b-c0cf-32b2-2d68.exe (PID: 2072)
- MD5: 994d3437dfa4dd98604df908ef263aa6
- SHA1: 6fe95ee2fffb34dbfcd463f0ac4593e0642bfa5a
- SHA256: 84f01fa08f0017f9eb3cfcc5e9f90a2eaadbc7ea74d3be9d671ea6ae74c40b8a

cam_helper.exe
- Size: 4.8MiB (4980736 bytes)
- Runtime Process: service.exe (PID: 2116)
- MD5: 7954f0da7be76d8c3329d43997bde483
- SHA1: 79c659a76773681a7a76572369fec17c663200e5
- SHA256: e885982aab56be238b44b354fa6fc4d8bf9c7a5734d665510bf8e0cb3a95071f

AseUSB.inf
- Size: 1.6KiB (1658 bytes)
- Type: text
- Description: Windows setup INFormation, ASCII text
- Runtime Process: 651b-c0cf-32b2-2d68.exe (PID: 2072)
- MD5: 2ba4e3efccf362ca785f4d3ce6a587f0
- SHA1: 1d06dd73d7d1a980814a19b70b1914a3b3b95fbb
- SHA256: 23f8fe895690d3c171ea57cac6b12d9795ebe7d55e7e4eab9040eb5dc9ff114a

mchpcdc.cat
- Size: 7.7KiB (7866 bytes)
- Runtime Process: 651b-c0cf-32b2-2d68.exe (PID: 2072)
- MD5: 119e2e37a8341e8be6bf9bcc343d957f
- SHA1: dcd07bc393030f105b52a2b3ea2e90a4d1637b3d
- SHA256: 2567f9315352bc65417c9b26b4a27420f5aa18d7cbeb5d276eb29eac85d11dbe

651b-c0cf-32b2-2d68.exe
- Size: 5MiB (5238784 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- Runtime Process: installer.exe (PID: 2120)
- MD5: 9133b714231cb3d3d74d0ea87ec16525
- SHA1: 083da9954ac3610f8e0e764d0959e0bef0aff773
- SHA256: d5447908102d9b3b60c1f51da7c2569633968c7baef2d1e1b03e2069805f3786

System.dll
- Size: 12KiB (11776 bytes)
- Runtime Process: 651b-c0cf-32b2-2d68.exe (PID: 2072)
- MD5: 75ed96254fbf894e42058062b4b4f0d1
- SHA1: 996503f1383b49021eb3427bc28d13b5bbd11977
- SHA256: a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

firmware-update.exe
- Size: 1.4MiB (1479296 bytes)
- Type: peexe 64bits executable
- Description: PE32+ executable (console) x86-64, for MS Windows
- MD5: 72137fc8beae7781161a138e24ebdb63
- SHA1: 273ae48d58dc9dda4a6c7c5fb890417210496aa8
- SHA256: 1ad4f8a21c3905d410176cfe4e569bdf64f072be2b92b376a6bc073071e077ff

libGLESv2.dll
- Size: 4.8MiB (4980736 bytes)
- Type: pedll 64bits executable
- Description: PE32+ executable (DLL) (console) x86-64, for MS Windows
- MD5: ea10690efab80443256408d88b8b9211
- SHA1: 81ff3ccfd3b86eb3ba053e91fae22481dbb35d8e
- SHA256: 17724469a892c529f2d022dacde9d70b133684d89b82af5b0fd1ac81b642d1e2

NZXT_NahimicAPIInstaller.exe
- Size: 4.8MiB (4980736 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- MD5: 62fc5ce6337edb603cc20eff5dfa836a
- SHA1: ec35045959ad044472d29ba7da865bda93644f69
- SHA256: ea8a578634933e9155f10b33156a93ab60120707bbc2a771bb5ffba5f85f10ac

SeaSonicsESeries64.dll
- Size: 104KiB (106264 bytes)
- Type: pedll 64bits executable
- Description: PE32+ executable (DLL) (console) x86-64, for MS Windows
- MD5: 3db004d5fb2708c35f06d124af82f9b5
- SHA1: 6ea6e2953bd8494a8246b685a024e16689a0a1a8
- SHA256: 8abf5f7f0e27decc3be3f52b1333b8752f60ae86a22cc7ebab40627a12d35c7f

SeaSonicsESeries86.dll
- Size: 72KiB (73728 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (console) Intel 80386, for MS Windows
- MD5: 3e5f992cced645d95cc1ccfdc996df19
- SHA1: 7fc73496187ff783199d2d8be2f6064ac1073ddb
- SHA256: 1c5ce5a45eba8a2d03303d5ec74022c58113e492056f7aca13eb927c20f9318e

NZXTNahimicAPI64.dll
- Size: 238KiB (243688 bytes)
- Type: pedll 64bits executable
- Description: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- MD5: 73137d81318a7697bf1b37cb06b2feb7
- SHA1: e1458bec7d67a4890b3d2309b04a0a91d825fd91
- SHA256: 64c1b3f5aa6f1ded505da7c860dd54f4f46a4eb1f7cfbefa1eb58176ca972c2a

NZXT CAM.lnk
- Size: 1.7KiB (1727 bytes)
- MD5: d18b4531ceff802a243b52569e142178
- SHA1: ccd987ccb6da062cd1020f45bd1977d7a7542a5a
- SHA256: 7b78b992a7023d120028dcfc6f13e7d141a5e5bbd4c0dd2b65a10216a1ed02bd

elevate.exe
- Size: 121KiB (123536 bytes)
- MD5: f8a43b3d4c2903e5915658d4eb9cc52b
- SHA1: b2300cb91e0af4143bf4b66717c3c34de1dcbfac
- SHA256: 84e735e2229b945e0724c1f51811d7825f4a67c1081379b9e58ea38425ac79b3

MCP2200_v1.0_SEE_README_.inf
- Size: 3.3KiB (3368 bytes)
- MD5: 8c62c8d8a77594056737794759a49c45
- SHA1: 56cc75958a584d90bfc49ab8b46af3a69a5f4171
- SHA256: 0ca9efb69f9a356d6556db5df8fb6320f874004832a9be7c3e2b5f1d4f8bc135

WinShell.dll
- Size: 3KiB (3072 bytes)
- MD5: 1cc7c37b7e0c8cd8bf04b6cc283e1e56
- SHA1: 0b9519763be6625bd5abce175dcc59c96d100d4c
- SHA256: 9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

KrakenDriver.vshost.exe
- Size: 23KiB (23168 bytes)
- MD5: 00c54466cfc232e2ba1dfc4f3a679f05
- SHA1: 59bedfb34a5e6dc19724bab57aa72a2ddd9f76b0
- SHA256: 099923b629ff4309a579a66eaa857de4e5d5caa093b6226ee7c491742d9168e9

nsExec.dll
- Size: 6.5KiB (6656 bytes)
- MD5: 3d366250fcf8b755fce575c75f8c79e4
- SHA1: 2ebac7df78154738d41aac8e27d7a0e482845c57
- SHA256: 8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

NZXTNahimicAPI86.dll
- Size: 196KiB (200680 bytes)
- MD5: 58528fd012cb769b3091ea0d3c6a8e90
- SHA1: 90e8e6c7def66e478a525873a031119d750c0918
- SHA256: e250f1f8ccaa6d1c0755c5f35d45ed4e2553ed6aa2b437396dd84b27717d04f3

Hook Helper64.exe
- Size: 376KiB (384640 bytes)
- MD5: ef905f0f695ca5bfbfc87c71eaf9c4f4
- SHA1: 7dbe8ce84e0f3bc73ca6aba810b7b9362c4f9de7
- SHA256: b29a639339d1664addc0ee2bacf22cc9cb4f507d77d1e4f67c7a6b4e612eae72

Notifications
Runtime
- Although all strings were processed, some are hidden from the report in order to reduce the overall size
- Extracted file "651b-c0cf-32b2-2d68.exe" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/d5447908102d9b3b60c1f51da7c2569633968c7baef2d1e1b03e2069805f3786/analysis/1574456662/")
- Extracted file "mchpcdc.inf" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/9f089bc68790f6d67f4db9244810778266a84f58bc7bd89e92e5caa2524a4dd6/analysis/1574456663/")
- Main report size exceeded maximum capacity and may have missing behavior or stream data
- Not all Falcon MalQuery lookups completed in time
- Not all IP/URL string resources were checked online
- Not all file accesses are visible for cmd.exe (PID: 2228)
- Not all file accesses are visible for tasklist.exe (PID: 3988)
- Not all sources for indicator ID "api-0" are available in the report
- Not all sources for indicator ID "api-1" are available in the report
- Not all sources for indicator ID "api-11" are available in the report
- Not all sources for indicator ID "api-12" are available in the report
- Not all sources for indicator ID "api-21" are available in the report
- Not all sources for indicator ID "api-25" are available in the report
- Not all sources for indicator ID "api-37" are available in the report
- Not all sources for indicator ID "api-4" are available in the report
- Not all sources for indicator ID "api-51" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-56" are available in the report
- Not all sources for indicator ID "api-6" are available in the report
- Not all sources for indicator ID "api-9" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "binary-1" are available in the report
- Not all sources for indicator ID "binary-16" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "registry-1" are available in the report
- Not all sources for indicator ID "registry-17" are available in the report
- Not all sources for indicator ID "registry-18" are available in the report
- Not all sources for indicator ID "registry-19" are available in the report
- Not all sources for indicator ID "registry-72" are available in the report
- Not all sources for indicator ID "static-1" are available in the report
- Not all sources for indicator ID "static-60" are available in the report
- Not all sources for indicator ID "stream-21" are available in the report
- Not all sources for indicator ID "stream-4" are available in the report
- Not all sources for indicator ID "string-24" are available in the report
- Not all sources for indicator ID "string-43" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Some low-level data is hidden, as this is only a slim report
- Static report size exceeded maximum capacity and may have missing stream data