How to Add Key File to Vstavi So It Can Read My Neo

Incident Response

Risk Assessment

Persistence
Writes data to a remote process
Fingerprint
Queries firmware table information (may be used to fingerprint/evade)
Reads the active computer name
Reads the cryptographic machine GUID
Reads the windows installation language
Network Behavior
Contacts 1 host.

Indicators


  • Anti-Detection/Stealthyness
    • Queries firmware table information (may be used to fingerprint/evade)
      details
      "SetupHost.exe" at 00012463-00003148-00000033-743607
      "SetupHost.exe" at 00012463-00003148-00000033-743608
      "SetupHost.exe" at 00012463-00003148-00000033-1127425
      "SetupHost.exe" at 00012463-00003148-00000033-1127426
      "SetupHost.exe" at 00012463-00003148-00000033-1137739
      "SetupHost.exe" at 00012463-00003148-00000033-1137740
      "SetupHost.exe" at 00012463-00003148-00000033-1137746
      "SetupHost.exe" at 00012463-00003148-00000033-1137747
      "SetupHost.exe" at 00012463-00003148-00000033-1137867
      "SetupHost.exe" at 00012463-00003148-00000033-1137868
      source
      API Call
      relevance
      10/10
  • General
    • Contains ability to start/interact with device drivers
      details
      DeviceIoControl@KERNEL32.DLL from SetupHost.exe (PID: 3148) (Show Stream)
      DeviceIoControl@KERNEL32.DLL from SetupHost.exe (PID: 3148) (Show Stream)
      DeviceIoControl@KERNEL32.DLL from SetupHost.exe (PID: 3148) (Show Stream)
      DeviceIoControl@KERNEL32.DLL from SetupHost.exe (PID: 3148) (Show Stream)
      DeviceIoControl@KERNEL32.DLL from SetupHost.exe (PID: 3148) (Show Stream)
      DeviceIoControl@KERNEL32.DLL from SetupHost.exe (PID: 3148) (Show Stream)
      DeviceIoControl@KERNEL32.dll at 41249-858-1014CC8D
      DeviceIoControl@KERNEL32.dll at 41249-862-10156F21
      DeviceIoControl@KERNEL32.dll at 41249-1337-10115E92
      NtDeviceIoControlFile@ntdll.dll at 41249-2118-1011F72E
      NtDeviceIoControlFile@ntdll.dll at 41249-2156-1011FF6C
      NtDeviceIoControlFile@ntdll.dll at 41249-2261-10123F73
      NtDeviceIoControlFile@ntdll.dll at 41249-2245-101240E4
      NtDeviceIoControlFile@ntdll.dll at 41249-2121-101200FE
      NtDeviceIoControlFile@ntdll.dll at 41249-2153-1011FC00
      NtDeviceIoControlFile@ntdll.dll at 41249-2264-10124047
      NtDeviceIoControlFile@ntdll.dll at 41249-2113-1011E342
      NtDeviceIoControlFile@ntdll.dll at 41249-2249-101243A2
      DeviceIoControl@KERNEL32.dll at 41249-2561-1016C980
      DeviceIoControl@KERNEL32.dll at 41249-2624-1015C22B
      DeviceIoControl@KERNEL32.dll at 41249-2617-10150C22
      DeviceIoControl@KERNEL32.dll at 41249-2303-10119939
      DeviceIoControl@KERNEL32.dll at 41249-2511-1016C705
      DeviceIoControl@KERNEL32.dll at 41249-2588-1015BB15
      DeviceIoControl@KERNEL32.dll at 41249-2316-1011961D
      DeviceIoControl@KERNEL32.dll at 41249-2590-1015C55E
      DeviceIoControl@KERNEL32.dll at 41249-2744-101787D6
      DeviceIoControl@KERNEL32.dll at 41249-2742-10178CD4
      DeviceIoControl@KERNEL32.dll at 41249-2308-101193EA
      DeviceIoControl@KERNEL32.dll at 41249-2620-1015C925
      DeviceIoControl@KERNEL32.dll at 41249-2594-1016C551
      DeviceIoControl@KERNEL32.dll at 41249-2301-1011971C
      DeviceIoControl@KERNEL32.dll at 41249-2332-10115C59
      source
      Hybrid Analysis Technology
      relevance
      8/10
  • Installation/Persistance
    • Allocates virtual memory in a remote process
      details
      "<Input Sample>" allocated memory in "C:\ESD\Download"
      source
      API Call
      relevance
      7/10
    • Writes data to a remote process
      details
      "<Input Sample>" wrote 1500 bytes to a remote process "C:\$Windows.~WS\Sources\SetupHost.exe" (Handle: 412)
      "<Input Sample>" wrote 4 bytes to a remote process "C:\$Windows.~WS\Sources\SetupHost.exe" (Handle: 412)
      "<Input Sample>" wrote 8 bytes to a remote process "C:\$Windows.~WS\Sources\SetupHost.exe" (Handle: 412)
      "<Input Sample>" wrote 32 bytes to a remote process "C:\$Windows.~WS\Sources\SetupHost.exe" (Handle: 412)
      "<Input Sample>" wrote 52 bytes to a remote process "C:\$Windows.~WS\Sources\SetupHost.exe" (Handle: 412)
      source
      API Call
      relevance
      6/10
  • Network Related
    • Malicious artifacts seen in the context of a contacted host
      details
      Found malicious artifacts related to "184.28.113.13": ...
      source
      Network Traffic
      relevance
      10/10
  • Pattern Matching
    • YARA signature match
      details
      Internal YARA signature matched on process "SetupHost.exe"
      Internal YARA signature matched on file "all.bstring"
      source
      YARA Signature
      relevance
      10/10
  • Unusual Characteristics
    • Contains native function calls
      details
      NtYieldExecution@NTDLL.DLL from SetupHost.exe (PID: 3148) (Show Stream)
      NtSetInformationFile@NTDLL.DLL from SetupHost.exe (PID: 3148) (Show Stream)
      NtYieldExecution@NTDLL.DLL from SetupHost.exe (PID: 3148) (Show Stream)
      NtSetInformationFile@NTDLL.DLL from SetupHost.exe (PID: 3148) (Show Stream)
      NtQueryInformationProcess@NTDLL.DLL from SetupHost.exe (PID: 3148) (Show Stream)
      NtYieldExecution@NTDLL.DLL from SetupHost.exe (PID: 3148) (Show Stream)
      NtYieldExecution@NTDLL.DLL from SetupHost.exe (PID: 3148) (Show Stream)
      NtSetInformationFile@ntdll.dll at 41249-859-10157116
      NtSetInformationFile@ntdll.dll at 41249-1332-10116551
      NtDeviceIoControlFile@ntdll.dll at 41249-2118-1011F72E
      NtQueryKey@ntdll.dll at 41249-2133-1011D12B
      NtEnumerateKey@ntdll.dll at 41249-2169-1011CEA5
      NtOpenFile@ntdll.dll at 41249-2111-1011F221
      NtYieldExecution@ntdll.dll at 41249-1992-101331B1
      NtQuerySystemInformation@ntdll.dll at 41249-2136-1011A34F
      NtSetInformationThread@ntdll.dll at 41249-2182-101208FF
      NtOpenFile@ntdll.dll at 41249-2117-1011F6AB
      NtOpenFile@ntdll.dll at 41249-2156-1011FF6C
      NtOpenSymbolicLinkObject@ntdll.dll at 41249-2247-101250C0
      NtTranslateFilePath@ntdll.dll at 41249-2258-10124434
      NtReleaseMutant@ntdll.dll at 41249-2130-1011C075
      NtAllocateUuids@ntdll.dll at 41249-2187-1011DA65
      NtSetSecurityObject@ntdll.dll at 41249-2159-1011CA7C
      NtOpenDirectoryObject@ntdll.dll at 41249-2255-10124A0B
      NtClose@ntdll.dll at 41249-2126-1011D337
      NtOpenFile@ntdll.dll at 41249-2261-10123F73
      NtWaitForSingleObject@ntdll.dll at 41249-2134-1011C02A
      NtSetInformationThread@ntdll.dll at 41249-2179-10120A84
      NtOpenFile@ntdll.dll at 41249-2152-1011DFA8
      NtQuerySystemInformation@ntdll.dll at 41249-2266-10120852
      NtOpenFile@ntdll.dll at 41249-2245-101240E4
      NtDeviceIoControlFile@ntdll.dll at 41249-2121-101200FE
      NtOpenMutant@ntdll.dll at 41249-2135-1011BFA1
      NtClose@ntdll.dll at 41249-2268-1011C089
      NtOpenSymbolicLinkObject@ntdll.dll at 41249-2115-1011F98E
      NtUnloadKey@ntdll.dll at 41249-2238-1011C60D
      NtDeviceIoControlFile@ntdll.dll at 41249-2153-1011FC00
      NtQueryBootEntryOrder@ntdll.dll at 41249-2256-1012454B
      NtDeleteValueKey@ntdll.dll at 41249-2162-1011D254
      NtSetSecurityObject@ntdll.dll at 41249-2131-1011CA40
      NtUnloadKey@ntdll.dll at 41249-2218-1011C94D
      NtQueryKey@ntdll.dll at 41249-2163-1011BC71
      NtDeleteKey@ntdll.dll at 41249-2168-1011CC0B
      NtOpenFile@ntdll.dll at 41249-2264-10124047
      NtOpenProcess@ntdll.dll at 41249-2234-101202F0
      NtClose@ntdll.dll at 41249-2144-1011C39E
      NtOpenKey@ntdll.dll at 41249-2253-10123B71
      NtOpenFile@ntdll.dll at 41249-2119-1011FCFB
      NtSetValueKey@ntdll.dll at 41249-2149-1011D4C2
      NtClose@ntdll.dll at 41249-2246-10124D7B
      source
      Hybrid Analysis Technology
      relevance
      5/10
    • References suspicious system modules
      details
      "System32\hal.dll"
      source
      String
      relevance
      5/10
  • Anti-Detection/Stealthyness
    • Queries kernel debugger information
      details
      "SetupHost.exe" at 00012463-00003148-00000033-737232
      "DiagTrackRunner.exe" at 00020815-00004304-00000033-1179568
      "DiagTrackRunner.exe" at 00020815-00004304-00000033-1190167
      source
      API Call
      relevance
      6/10
  • Anti-Reverse Engineering
    • Checks a device property (often used to detect VM artifacts)
      details
      SetupDiGetDeviceRegistryPropertyW@SETUPAPI.dll at 41249-2743-101788F0
      SetupDiGetDeviceRegistryPropertyW@SETUPAPI.dll at 24305-540-1000F5E3
      source
      Hybrid Analysis Technology
      relevance
      7/10
    • Looks up many procedures within the same disassembly stream (often used to hide usage)
      details
      Found 13 calls to GetProcAddress@KERNEL32.dll at 41249-2318-10118E50
      source
      Hybrid Analysis Technology
      relevance
      10/10
  • Environment Awareness
    • Possibly tries to implement anti-virtualization techniques
      details
      "vboxvideo.inf" (Indicator: "vbox")
      "VBoxVideo.cat" (Indicator: "vbox")
      source
      String
      relevance
      4/10
    • Reads the cryptographic machine GUID
      details
      "SetupHost.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
      "DiagTrackRunner.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
      source
      Registry Access
      relevance
      10/10
  • General
    • Contains ability to find and load resources of a specific module
      details
      LockResource@KERNEL32.dll at 41249-2393-1017955F
      FindResourceExW@KERNEL32.dll at 41249-2425-1017F46C
      FindResourceExW@KERNEL32.dll at 41249-2421-1017F9B9
      FindResourceW@api-ms-win-downlevel-kernel32-l2-1-0.dll at 38499-1042-100403D5
      source
      Hybrid Analysis Technology
      relevance
      1/10
    • Reads configuration files
      details
      "SetupHost.exe" read file "%WINDIR%\win.ini"
      source
      API Call
      relevance
      4/10
  • Installation/Persistance
    • Drops executable files
      details
      "api-ms-win-downlevel-advapi32-l2-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "api-ms-win-core-apiquery-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "api-ms-win-downlevel-ole32-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "pidgenx.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "wdsutil.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "api-ms-win-downlevel-advapi32-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "api-ms-win-downlevel-ole32-l1-1-1.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "api-ms-win-downlevel-kernel32-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "unbcl.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "wdscsl.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "SetupCore.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "api-ms-win-downlevel-user32-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "wpx.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "Diager.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "api-ms-win-downlevel-user32-l1-1-1.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "api-ms-win-downlevel-advapi32-l2-1-1.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "SetupHost.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
      "DU.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "api-ms-win-downlevel-version-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "api-ms-win-downlevel-kernel32-l2-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      source
      Extracted File
      relevance
      10/10
  • Network Related
    • Found potential IP address in binary/memory
      details
      Heuristic match: "MM-SEARCH * HTTP/1.1Host:239.255.255.250:1900ST:urn:schemas-upnp-org:device:InternetGatewayDevice:1Man:"ssdp:discover"MX:3"
      Heuristic match: "App.Support.ContactSupport~~~~0.0.1.0"
      Heuristic match: "App.Support.QuickAssist~~~~0.0.1.0"
      source
      String
      relevance
      3/10
  • System Destruction
    • Marks file for deletion
      details
      "C:\MediaCreationTool1803.exe" marked "C:\$Windows.~WS\Sources" for deletion
      "C:\MediaCreationTool1803.exe" marked "C:\$Windows.~WS" for deletion
      "C:\MediaCreationTool1803.exe" marked "C:\ESD\Download" for deletion
      "C:\MediaCreationTool1803.exe" marked "C:\$Windows.~WS\Sources\api-ms-win-core-apiquery-l1-1-0.dll" for deletion
      "C:\MediaCreationTool1803.exe" marked "C:\$Windows.~WS\Sources\api-ms-win-downlevel-advapi32-l1-1-0.dll" for deletion
      "C:\MediaCreationTool1803.exe" marked "C:\$Windows.~WS\Sources\api-ms-win-downlevel-advapi32-l1-1-1.dll" for deletion
      "C:\MediaCreationTool1803.exe" marked "C:\$Windows.~WS\Sources\api-ms-win-downlevel-advapi32-l2-1-0.dll" for deletion
      "C:\MediaCreationTool1803.exe" marked "C:\$Windows.~WS\Sources\api-ms-win-downlevel-advapi32-l2-1-1.dll" for deletion
      "C:\MediaCreationTool1803.exe" marked "C:\$Windows.~WS\Sources\api-ms-win-downlevel-advapi32-l3-1-0.dll" for deletion
      "C:\MediaCreationTool1803.exe" marked "C:\$Windows.~WS\Sources\api-ms-win-downlevel-advapi32-l4-1-0.dll" for deletion
      "C:\MediaCreationTool1803.exe" marked "C:\$Windows.~WS\Sources\api-ms-win-downlevel-kernel32-l1-1-0.dll" for deletion
      "C:\MediaCreationTool1803.exe" marked "C:\$Windows.~WS\Sources\api-ms-win-downlevel-kernel32-l2-1-0.dll" for deletion
      "C:\MediaCreationTool1803.exe" marked "C:\$Windows.~WS\Sources\api-ms-win-downlevel-ole32-l1-1-0.dll" for deletion
      "C:\MediaCreationTool1803.exe" marked "C:\$Windows.~WS\Sources\api-ms-win-downlevel-ole32-l1-1-1.dll" for deletion
      "C:\MediaCreationTool1803.exe" marked "C:\$Windows.~WS\Sources\api-ms-win-downlevel-shlwapi-l1-1-0.dll" for deletion
      "C:\MediaCreationTool1803.exe" marked "C:\$Windows.~WS\Sources\api-ms-win-downlevel-shlwapi-l1-1-1.dll" for deletion
      "C:\MediaCreationTool1803.exe" marked "C:\$Windows.~WS\Sources\api-ms-win-downlevel-user32-l1-1-0.dll" for deletion
      "C:\MediaCreationTool1803.exe" marked "C:\$Windows.~WS\Sources\api-ms-win-downlevel-user32-l1-1-1.dll" for deletion
      "C:\MediaCreationTool1803.exe" marked "C:\$Windows.~WS\Sources\api-ms-win-downlevel-version-l1-1-0.dll" for deletion
      "C:\MediaCreationTool1803.exe" marked "C:\$Windows.~WS\Sources\Diager.dll" for deletion
      source
      API Call
      relevance
      10/10
    • Opens file with deletion access rights
      details
      "DiagTrackRunner.exe" opened "%ALLUSERSPROFILE%\Microsoft\Diagnosis\events00.rbs" with delete access
      "DiagTrackRunner.exe" opened "C:\ProgramData\Microsoft\Diagnosis\events01.rbs" with delete access
      "DiagTrackRunner.exe" opened "C:\ProgramData\Microsoft\Diagnosis\events10.rbs" with delete access
      "DiagTrackRunner.exe" opened "C:\ProgramData\Microsoft\Diagnosis\events11.rbs" with delete access
      "DiagTrackRunner.exe" opened "C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json" with delete access
      "DiagTrackRunner.exe" opened "C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.new" with delete access
      "DiagTrackRunner.exe" opened "C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json" with delete access
      "DiagTrackRunner.exe" opened "C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json.new" with delete access
      "DiagTrackRunner.exe" opened "C:\ProgramData\Microsoft\Diagnosis\ETLLogs\DlTel-Merge.etl" with delete access
      source
      API Call
      relevance
      7/10
  • System Security
    • Contains ability to elevate privileges
      details
      SetSecurityDescriptorDacl@ADVAPI32.dll at 41249-6136-10144679
      source
      Hybrid Analysis Technology
      relevance
      10/10
    • Contains ability to lookup privileges
      details
      GetSecurityDescriptorDacl@ADVAPI32.dll at 41249-2586-1015134B
      source
      Hybrid Analysis Technology
      relevance
      3/10
    • Modifies Software Policy Settings
      details
      "SetupHost.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
      "SetupHost.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
      "SetupHost.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
      "SetupHost.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
      "SetupHost.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
      "SetupHost.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
      "SetupHost.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
      "SetupHost.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
      "SetupHost.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
      "SetupHost.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
      "SetupHost.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
      "SetupHost.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
      "SetupHost.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
      "SetupHost.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
      "SetupHost.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
      "SetupHost.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
      "SetupHost.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
      "SetupHost.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE")
      "SetupHost.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CERTIFICATES")
      "SetupHost.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLS")
      source
      Registry Access
      relevance
      10/10
  • Unusual Characteristics
    • CRC value set in PE header does not match actual value
      details
      "api-ms-win-core-apiquery-l1-1-0.dll" claimed CRC 19818 while the actual is CRC 69913
      "api-ms-win-downlevel-ole32-l1-1-0.dll" claimed CRC 43127 while the actual is CRC 19818
      "pidgenx.dll" claimed CRC 958750 while the actual is CRC 43127
      "wdsutil.dll" claimed CRC 276874 while the actual is CRC 958750
      "api-ms-win-downlevel-advapi32-l1-1-0.dll" claimed CRC 66029 while the actual is CRC 276874
      "api-ms-win-downlevel-ole32-l1-1-1.dll" claimed CRC 58652 while the actual is CRC 66029
      "api-ms-win-downlevel-kernel32-l1-1-0.dll" claimed CRC 89027 while the actual is CRC 58652
      "unbcl.dll" claimed CRC 896713 while the actual is CRC 89027
      "wdscsl.dll" claimed CRC 113042 while the actual is CRC 896713
      "api-ms-win-downlevel-user32-l1-1-0.dll" claimed CRC 62349 while the actual is CRC 113042
      "wpx.dll" claimed CRC 1139771 while the actual is CRC 62349
      "Diager.dll" claimed CRC 47814 while the actual is CRC 1139771
      "api-ms-win-downlevel-user32-l1-1-1.dll" claimed CRC 67761 while the actual is CRC 47814
      "api-ms-win-downlevel-advapi32-l2-1-1.dll" claimed CRC 78492 while the actual is CRC 67761
      "SetupHost.exe" claimed CRC 707336 while the actual is CRC 78492
      "DU.dll" claimed CRC 159922 while the actual is CRC 707336
      "api-ms-win-downlevel-version-l1-1-0.dll" claimed CRC 13608 while the actual is CRC 159922
      "api-ms-win-downlevel-kernel32-l2-1-0.dll" claimed CRC 63600 while the actual is CRC 13608
      "DiagTrack.dll" claimed CRC 966468 while the actual is CRC 63600
      "wdsimage.dll" claimed CRC 840319 while the actual is CRC 966468
      source
      Static Parser
      relevance
      10/10
    • Imports suspicious APIs
      details
      LdrLoadDll
      CryptEncrypt
      GetModuleFileNameW
      GetVersionExW
      GetTickCount
      VirtualProtect
      GetVersionExA
      GetFileSize
      UnhandledExceptionFilter
      LoadLibraryExW
      GetModuleHandleExW
      GetProcAddress
      CreateFileMappingW
      CreateThread
      MapViewOfFile
      GetModuleHandleW
      TerminateProcess
      CreateFileW
      Sleep
      SleepConditionVariableSRW
      VirtualAlloc
      RegCloseKey
      RegEnumKeyExW
      RegOpenKeyExW
      GetFileAttributesW
      MapViewOfFileEx
      FindResourceExW
      OutputDebugStringW
      OutputDebugStringA
      DeviceIoControl
      CopyFileW
      IsDebuggerPresent
      GetModuleFileNameA
      LoadLibraryExA
      LoadLibraryW
      CreateDirectoryW
      DeleteFileW
      GetTempFileNameW
      WriteFile
      FindNextFileW
      FindFirstFileW
      FindResourceW
      LockResource
      GetTempPathW
      CreateProcessW
      RegCreateKeyExW
      RegDeleteValueW
      CopyFileExW
      GetFileAttributesExW
      GetComputerNameW
      WSAStartup
      bind
      WSASendTo
      WSASocketW
      closesocket
      GetFileSizeEx
      RegDeleteKeyExW
      GetDriveTypeW
      OpenProcess
      GetComputerNameExW
      GetCommandLineW
      CreateProcessA
      ShellExecuteExW
      SetSecurityDescriptorDacl
      OpenProcessToken
      DeleteFileA
      GetStartupInfoW
      CreateFileMappingA
      CreateFileA
      NtQueryInformationFile
      NtQueryInformationProcess
      RegDeleteKeyW
      CreateProcessAsUserW
      CreateThreadpoolWork
      CreateToolhelp32Snapshot
      FindFirstFileExW
      Process32NextW
      CreateThreadpool
      Process32FirstW
      GetTickCount64
      CreateThreadpoolTimer
      NtQueryInformationThread
      RegEnumKeyW
      source
      Static Parser
      relevance
      1/10
    • Installs hooks/patches the running process
      details
      source
      Hook Detection
      relevance
      10/10
    • Reads information about supported languages
      details
      "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
      "SetupHost.exe" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL\GEO"; Key: "NATION")
      "SetupHost.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\Control\NLS\LOCALE"; Key: "00000409")
      source
      Registry Access
      relevance
      3/10
    • Timestamp in PE header is very old or in the future
      details
      "api-ms-win-downlevel-advapi32-l2-1-0.dll" claims program is from Sat Aug 27 14:58:18 2061
      "api-ms-win-downlevel-ole32-l1-1-0.dll" claims program is from Sun Mar 20 22:22:09 2072
      "pidgenx.dll" claims program is from Mon Jan 14 10:36:36 2030
      "wdsutil.dll" claims program is from Tue Aug 21 07:15:15 1979
      "api-ms-win-downlevel-advapi32-l1-1-0.dll" claims program is from Mon Feb 24 00:43:11 2048
      "api-ms-win-downlevel-ole32-l1-1-1.dll" claims program is from Mon Oct 23 13:06:19 1972
      "api-ms-win-downlevel-kernel32-l1-1-0.dll" claims program is from Thu Apr 11 19:46:20 2086
      "unbcl.dll" claims program is from Mon Oct 1 17:21:36 2057
      "wdscsl.dll" claims program is from Sun Jun 30 16:01:41 1991
      "api-ms-win-downlevel-user32-l1-1-0.dll" claims program is from Sat Sep 3 14:23:43 2101
      "api-ms-win-downlevel-user32-l1-1-1.dll" claims program is from Sat Jul 23 00:21:31 2078
      "api-ms-win-downlevel-advapi32-l2-1-1.dll" claims program is from Mon Jun 10 16:38:09 1991
      "SetupHost.exe" claims program is from Sat Oct 23 18:43:45 2066
      "api-ms-win-downlevel-version-l1-1-0.dll" claims program is from Wed Aug 17 15:41:03 1988
      "api-ms-win-downlevel-kernel32-l2-1-0.dll" claims program is from Thu Feb 26 17:41:01 1981
      "wdsimage.dll" claims program is from Mon Oct 22 14:56:06 1973
      "wdscore.dll" claims program is from Sat May 23 07:50:34 2076
      "wdsclientapi.dll" claims program is from Sat Aug 3 16:06:37 2058
      "api-ms-win-downlevel-advapi32-l1-1-1.dll" claims program is from Thu Oct 6 15:17:55 2089
      "api-ms-win-downlevel-advapi32-l3-1-0.dll" claims program is from Thu Aug 5 22:42:29 1976
      source
      Static Parser
      relevance
      10/10
  • Anti-Reverse Engineering
    • Contains ability to register a top-level exception handler (often used as anti-debugging trick)
      details
      SetUnhandledExceptionFilter@KERNEL32.DLL from SetupHost.exe (PID: 3148) (Show Stream)
      SetUnhandledExceptionFilter@KERNEL32.dll at 41249-696-10175926
      source
      Hybrid Analysis Technology
      relevance
      1/10
    • Found strings in conjunction with a procedure lookup that resolve to a known API export symbol
      details
      Found reference to API FindFirstFileNameW@KERNEL32.DLL from SetupHost.exe (PID: 3148) (Show Stream)
      source
      Hybrid Analysis Technology
      relevance
      10/10
  • Environment Awareness
    • Contains ability to query machine time
      details
      GetSystemTimeAsFileTime@KERNEL32.DLL from SetupHost.exe (PID: 3148) (Show Stream)
      GetSystemTimeAsFileTime@KERNEL32.DLL from SetupHost.exe (PID: 3148) (Show Stream)
      GetSystemTimeAsFileTime@KERNEL32.DLL from SetupHost.exe (PID: 3148) (Show Stream)
      GetSystemTimeAsFileTime@KERNEL32.dll at 41249-851-10145F5B
      GetLocalTime@KERNEL32.dll at 41249-722-10175BC7
      GetSystemTime@KERNEL32.dll at 41249-1406-10113A56
      GetSystemTimeAsFileTime@KERNEL32.dll at 41249-2548-10147930
      GetSystemTimeAsFileTime@KERNEL32.dll at 41249-2553-10147DBA
      source
      Hybrid Analysis Technology
      relevance
      1/10
    • Contains ability to query the machine timezone
      details
      GetTimeZoneInformation@KERNEL32.dll at 41249-1406-10113A56
      source
      Hybrid Analysis Technology
      relevance
      1/10
    • Contains ability to query the machine version
      details
      GetVersionExW@KERNEL32.dll at 41249-564-101800B0
      RtlGetVersion@ntdll.dll at 41249-1757-1017383E
      RtlGetVersion@ntdll.dll at 41249-1765-101704EC
      RtlGetVersion@ntdll.dll at 41249-1756-1017399D
      RtlGetVersion@ntdll.dll at 41249-1762-101703BE
      RtlGetVersion@ntdll.dll at 41249-1766-1016FBB8
      RtlGetVersion@ntdll.dll at 41249-2070-101738A7
      RtlGetVersion@ntdll.dll at 41249-2156-1011FF6C
      RtlGetVersion@ntdll.dll at 41249-1769-1016FF0F
      RtlGetVersion@ntdll.dll at 41249-1774-1017376A
      RtlGetVersion@ntdll.dll at 41249-1770-1016FCF3
      RtlGetVersion@ntdll.dll at 41249-1776-10173F9A
      RtlGetVersion@ntdll.dll at 41249-2760-10173919
      GetVersionExW@KERNEL32.dll at 41249-2427-1017F56B
      RtlGetVersion@ntdll.dll at 41249-2749-1010ABCC
      RtlGetVersion@ntdll.dll at 41249-2276-100E4F1D
      RtlGetVersion@ntdll.dll at 41249-2742-10178CD4
      GetVersionExW@KERNEL32.dll at 41249-2830-10180314
      RtlGetVersion@ntdll.dll at 41249-2736-101737CB
      GetVersionExA@KERNEL32.dll at 41249-6591-101718FC
      source
      Hybrid Analysis Technology
      relevance
      1/10
    • Contains ability to query the system locale
      details
      GetUserDefaultUILanguage@KERNEL32.dll at 41249-1762-101703BE
      GetUserDefaultUILanguage@KERNEL32.dll at 41249-1809-100CFEA4
      GetUserDefaultUILanguage@KERNEL32.dll at 41249-2421-1017F9B9
      source
      Hybrid Analysis Technology
      relevance
      1/10
    • Contains ability to query volume size
      details
      GetDiskFreeSpaceExW@KERNEL32.dll at 41249-1805-101069F3
      source
      Hybrid Analysis Technology
      relevance
      3/10
    • Makes a code branch decision directly after an API that is environment aware
      details
      Found API call GetSystemTimeAsFileTime@KERNEL32.DLL (Target: "SetupHost.exe"; Stream UID: "00012463-00003148-54674-382-00C8B41B")
      which is directly followed by "cmp dword ptr [esi+34h], 00000000h" and "je 00C8B58Eh". See related instructions: "...+349 lea eax, dword ptr [esp+14h]+353 push eax+354 call dword ptr [00CC52ECh] ;GetSystemTimeAsFileTime+360 cmp dword ptr [esi+34h], 00000000h+364 mov edx, esi+366 je 00C8B58Eh" ... from SetupHost.exe (PID: 3148) (Show Stream)
      Found API call GetSystemTimeAsFileTime@KERNEL32.dll (Target: "SetupCore.dll.1504949792"; Stream UID: "41249-851-10145F5B")
      which is directly followed by "cmp dword ptr [esi+34h], 00000000h" and "je 101460CEh". See related instructions: "...+349 lea eax, dword ptr [esp+14h]+353 push eax+354 call dword ptr [10191170h] ;GetSystemTimeAsFileTime+360 cmp dword ptr [esi+34h], 00000000h+364 mov edx, esi+366 je 101460CEh" ... at 41249-851-10145F5B
      source
      Hybrid Analysis Technology
      relevance
      10/10
    • Possibly tries to detect the presence of a debugger
    • Queries volume information
      details
      "<Input Sample>" queries volume information of "C:\$Windows.~WS\Sources" at 00011774-00003088-00000046-674451
      "<Input Sample>" queries volume information of "C:\$Windows.~WS" at 00011774-00003088-00000046-674468
      "<Input Sample>" queries volume information of "C:\ESD\Download" at 00011774-00003088-00000046-1291609
      "<Input Sample>" queries volume information of "C:\$Windows.~WS\Sources\api-ms-win-core-apiquery-l1-1-0.dll" at 00011774-00003088-00000046-1291809
      "<Input Sample>" queries volume information of "C:\$Windows.~WS\Sources\api-ms-win-downlevel-advapi32-l1-1-0.dll" at 00011774-00003088-00000046-1291829
      "<Input Sample>" queries volume information of "C:\$Windows.~WS\Sources\api-ms-win-downlevel-advapi32-l1-1-1.dll" at 00011774-00003088-00000046-1291848
      "<Input Sample>" queries volume information of "C:\$Windows.~WS\Sources\api-ms-win-downlevel-advapi32-l2-1-0.dll" at 00011774-00003088-00000046-1291868
      "<Input Sample>" queries volume information of "C:\$Windows.~WS\Sources\api-ms-win-downlevel-advapi32-l2-1-1.dll" at 00011774-00003088-00000046-1291888
      "<Input Sample>" queries volume information of "C:\$Windows.~WS\Sources\api-ms-win-downlevel-advapi32-l3-1-0.dll" at 00011774-00003088-00000046-1291907
      "<Input Sample>" queries volume information of "C:\$Windows.~WS\Sources\api-ms-win-downlevel-advapi32-l4-1-0.dll" at 00011774-00003088-00000046-1291926
      "<Input Sample>" queries volume information of "C:\$Windows.~WS\Sources\api-ms-win-downlevel-kernel32-l1-1-0.dll" at 00011774-00003088-00000046-1291946
      "<Input Sample>" queries volume information of "C:\$Windows.~WS\Sources\api-ms-win-downlevel-kernel32-l2-1-0.dll" at 00011774-00003088-00000046-1291965
      "<Input Sample>" queries volume information of "C:\$Windows.~WS\Sources\api-ms-win-downlevel-ole32-l1-1-0.dll" at 00011774-00003088-00000046-1291985
      "<Input Sample>" queries volume information of "C:\$Windows.~WS\Sources\api-ms-win-downlevel-ole32-l1-1-1.dll" at 00011774-00003088-00000046-1292004
      "<Input Sample>" queries volume information of "C:\$Windows.~WS\Sources\api-ms-win-downlevel-shlwapi-l1-1-0.dll" at 00011774-00003088-00000046-1292023
      "<Input Sample>" queries volume information of "C:\$Windows.~WS\Sources\api-ms-win-downlevel-shlwapi-l1-1-1.dll" at 00011774-00003088-00000046-1292042
      "<Input Sample>" queries volume information of "C:\$Windows.~WS\Sources\api-ms-win-downlevel-user32-l1-1-0.dll" at 00011774-00003088-00000046-1292061
      "<Input Sample>" queries volume information of "C:\$Windows.~WS\Sources\api-ms-win-downlevel-user32-l1-1-1.dll" at 00011774-00003088-00000046-1292082
      "<Input Sample>" queries volume information of "C:\$Windows.~WS\Sources\api-ms-win-downlevel-version-l1-1-0.dll" at 00011774-00003088-00000046-1292101
      "<Input Sample>" queries volume information of "C:\$Windows.~WS\Sources\Diager.dll" at 00011774-00003088-00000046-1292119
      source
      API Call
      relevance
      2/10
  • External Systems
    • Sample was identified as clean by Antivirus engines
      details
      0/65 Antivirus vendors marked sample as malicious (0% detection rate)
      source
      External System
      relevance
      10/10
  • General
    • Accesses Software Policy Settings
      details
      "SetupHost.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
      "SetupHost.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
      "SetupHost.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
      "SetupHost.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
      "SetupHost.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
      "SetupHost.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
      "SetupHost.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
      "SetupHost.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
      "SetupHost.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
      "SetupHost.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
      "SetupHost.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
      "SetupHost.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
      "SetupHost.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
      "SetupHost.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
      "SetupHost.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
      "SetupHost.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
      "SetupHost.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "")
      "SetupHost.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE"; Key: "")
      "SetupHost.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CERTIFICATES"; Key: "")
      "SetupHost.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPEOPLE\CRLS"; Key: "")
      source
      Registry Access
      relevance
      10/10
    • Accesses System Certificates Settings
      details
      "SetupHost.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
      "SetupHost.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
      "SetupHost.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
      "SetupHost.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\104C63D2546B8021DD105E9FBA5A8D78169F6B32"; Key: "BLOB")
      "SetupHost.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\1FB86B1168EC743154062E8C9CC5B171A4B7CCB4"; Key: "Blob")
      "SetupHost.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\247106A405B288A46E70A0262717162D0903E734"; Key: "Blob")
      "SetupHost.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "Blob")
      "SetupHost.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\339CDD57CFD5B141169B615FF31428782D1DA639"; Key: "Blob")
      "SetupHost.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\5AEAEE3F7F2A9449CEBAFEEC68FDD184F20124A7"; Key: "Blob")
      "SetupHost.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\902EF2DEEB3C5B13EA4C3D5193629309E231AE55"; Key: "Blob")
      "SetupHost.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\C86EDBC71AB05078F61ACDF3D8DC5DB61EB75FB6"; Key: "BLOB")
      "SetupHost.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\E3FC0AD84F2F5A83ED6F86F567F8B14B40DCBF12"; Key: "BLOB")
      "SetupHost.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\EAB040689A0D805B5D6FD654FC168CFF00B78BE3"; Key: "BLOB")
      "SetupHost.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\F5AD0BCC1AD56CD150725B1C866C30AD92EF21B0"; Key: "BLOB")
      "SetupHost.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
      "SetupHost.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
      "SetupHost.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
      "SetupHost.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
      "SetupHost.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
      source
      Registry Access
      relevance
      10/10
    • Contacts server
      details
      "184.28.113.13:443"
      source
      Network Traffic
      relevance
      1/10
    • Contains PDB pathways
      details
      "SetupPrep.pdb"
      "SetupCore.pdb"
      "api-ms-win-downlevel-kernel32-l2-1-0.pdb"
      "du.pdb"
      "api-ms-win-downlevel-advapi32-l2-1-1.pdb"
      "api-ms-win-downlevel-ole32-l1-1-0.pdb"
      "api-ms-win-downlevel-kernel32-l1-1-0.pdb"
      source
      String
      relevance
      1/10
    • Creates mutants
      details
      "\Sessions\1\BaseNamedObjects\Global\Microsoft.Windows.Websetup"
      "Global\Microsoft.Windows.Websetup"
      "\Sessions\1\BaseNamedObjects\Global\WdsSetupLogInit"
      "\Sessions\1\BaseNamedObjects\Global\SetupLog"
      "\Sessions\1\BaseNamedObjects\Local\SM0:3148:64:WilError_01"
      "\Sessions\1\BaseNamedObjects\Local\__DDrawExclMode__"
      "\Sessions\1\BaseNamedObjects\Local\__DDrawCheckExclMode__"
      "Local\__DDrawExclMode__"
      "Global\WdsSetupLogInit"
      "Global\SetupLog"
      "Local\__DDrawCheckExclMode__"
      "Local\SM0:3148:64:WilError_01"
      "\Sessions\1\BaseNamedObjects\DBWinMutex"
      source
      Created Mutant
      relevance
      3/10
    • Drops files marked as clean
      details
      Antivirus vendors marked dropped file "api-ms-win-downlevel-advapi32-l2-1-0.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "api-ms-win-core-apiquery-l1-1-0.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "api-ms-win-downlevel-ole32-l1-1-0.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "pidgenx.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "wdsutil.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "api-ms-win-downlevel-advapi32-l1-1-0.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "api-ms-win-downlevel-ole32-l1-1-1.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "api-ms-win-downlevel-kernel32-l1-1-0.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "unbcl.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "wdscsl.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "SetupCore.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "api-ms-win-downlevel-user32-l1-1-0.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "wpx.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "Diager.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "api-ms-win-downlevel-user32-l1-1-1.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "api-ms-win-downlevel-advapi32-l2-1-1.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "SetupHost.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "DU.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "api-ms-win-downlevel-version-l1-1-0.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "api-ms-win-downlevel-kernel32-l2-1-0.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
      source
      Extracted File
      relevance
      10/10
    • Loads rich edit control libraries
      details
      "<Input Sample>" loaded module "%WINDIR%\SysWOW64\riched32.dll" at 74400000
      "<Input Sample>" loaded module "%WINDIR%\SysWOW64\riched20.dll" at 74380000
      "SetupHost.exe" loaded module "%WINDIR%\SysWOW64\riched32.dll" at 74400000
      "SetupHost.exe" loaded module "%WINDIR%\SysWOW64\riched20.dll" at 74380000
      source
      Loaded Module
    • Process launched with changed environment
      details
      Process "DiagTrackRunner.exe" (Show Process) was launched with new environment variables: "SP_UPLOAD_ASIMOV="1""
      source
      Monitored Target
      relevance
      10/10
    • Reads Windows Trust Settings
      details
      "SetupHost.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "Country")
      source
      Registry Access
      relevance
      5/10
    • Spawns new processes
      details
      Spawned process "SetupHost.exe" with commandline "/Download /Spider web" (Show Process)
      Spawned process "DiagTrackRunner.exe" with commandline "/UploadEtlFilesOnly" (Show Process)
      source
      Monitored Target
      relevance
      3/10
  • Installation/Persistance
    • Connects to LPC ports
      details
      "<Input Sample>" connecting to "\ThemeApiPort"
      "SetupHost.exe" connecting to "\ThemeApiPort"
      source
      API Call
      relevance
      1/10
    • Dropped files
      details
      "api-ms-win-downlevel-advapi32-l2-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "api-ms-win-core-apiquery-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "api-ms-win-downlevel-ole32-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "pidgenx.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "wdsutil.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "api-ms-win-downlevel-advapi32-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "api-ms-win-downlevel-ole32-l1-1-1.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "api-ms-win-downlevel-kernel32-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "unbcl.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "wdscsl.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "SetupCore.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "api-ms-win-downlevel-user32-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "wpx.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "Diager.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "api-ms-win-downlevel-user32-l1-1-1.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "api-ms-win-downlevel-advapi32-l2-1-1.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "SetupHost.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
      "DU.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "api-ms-win-downlevel-version-l1-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      "api-ms-win-downlevel-kernel32-l2-1-0.dll" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
      source
      Extracted File
      relevance
      3/10
    • Touches files in the Windows directory
      details
      "<Input Sample>" touched file "%WINDIR%\SysWOW64\en-US\odbcint.dll.mui"
      "<Input Sample>" touched file "%WINDIR%\SysWOW64\en-US\MFC42u.dll.mui"
      "<Input Sample>" touched file "%WINDIR%\Logs\MoSetup"
      "<Input Sample>" touched file "%WINDIR%\Logs\MoSetup\BlueBox.log"
      "<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
      "<Input Sample>" touched file "%WINDIR%\SysWOW64\tzres.dll"
      "<Input Sample>" touched file "%WINDIR%\Fonts\StaticCache.dat"
      "<Input Sample>" touched file "%WINDIR%\SysWOW64\en-US\msctf.dll.mui"
      "<Input Sample>" touched file "%WINDIR%\AppPatch\sysmain.sdb"
      "SetupHost.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
      "SetupHost.exe" touched file "%WINDIR%\Branding\Basebrd\basebrd.dll"
      "SetupHost.exe" touched file "%WINDIR%\SysWOW64\en-US\odbcint.dll.mui"
      "SetupHost.exe" touched file "%WINDIR%\SysWOW64\en-US\MFC42u.dll.mui"
      "SetupHost.exe" touched file "%WINDIR%\setuplog.cfg"
      source
      API Call
      relevance
      7/10
  • Network Related
    • Found potential URL in binary/memory
      details
      Pattern match: "http://www.w3.org/XML/1998/namespace"
      Pattern match: "http://www.w3.org/2000/xmlns/"
      Pattern match: "http://www.w3.org/2000/09/xmldsig#"
      Heuristic match: "X1_?S~.Mt"
      Heuristic match: "hdyK46g4.Co"
      Pattern match: "crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X"
      Pattern match: "http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0"
      Pattern match: "crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl0Z"
      Pattern match: "http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0"
      Pattern match: "http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T"
      Pattern match: "www.microsoft.com/pki/certs/MicrosoftRootCert.crt0"
      Pattern match: "http://www.microsoft.com/windows0"
      Pattern match: "crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl0Z"
      Pattern match: "http://www.microsoft.com/pki/certs/MicCodSigPCA_2010-07-06.crt0"
      Pattern match: "crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z"
      Pattern match: "http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0"
      Pattern match: "www.microsoft.com/PKI/docs/CPS/default.htm0@"
      Pattern match: "crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl0Z"
      Pattern match: "http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0"
      Pattern match: "Install.wim/swm/esd"
      Heuristic match: "n vaaditaan Windows XP Service Pack 3.u.k."
      Pattern match: "www.aka.ms"
      Pattern match: "mscrl.microsoft.com/pki/mscorp/crl/Microsoft%20IT%20TLS%20CA%205.crl"
      Pattern match: "crl.microsoft.com/pki/mscorp/crl/Microsoft%20IT%20TLS%20CA%205.crl0"
      Pattern match: "www.microsoft.com/pki/mscorp/Microsoft%20IT%20TLS%20CA%205.crt0"
      Pattern match: "http://ocsp.msocsp.com0"
      Pattern match: "http://www.microsoft.com/pki/mscorp/cps0"
      Pattern match: "http://ocsp.digicert.com0"
      Pattern match: "http://crl3.digicert.com/Omniroot2025.crl0="
      Pattern match: "https://www.digicert.com/CPS0"
      Pattern match: "mscrl.microsoft.com/pki/mscorp/crl/Microsoft%20IT%20TLS%20CA%201.crl"
      Pattern match: "crl.microsoft.com/pki/mscorp/crl/Microsoft%20IT%20TLS%20CA%201.crl0"
      Pattern match: "www.microsoft.com/pki/mscorp/Microsoft%20IT%20TLS%20CA%201.crt0"
      Heuristic match: "GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e7cb2148e6a514ca HTTP/1.1Connection: Keep-AliveAccept: */*If-Modified-Since: Thu, 20 Apr 2017 16:02:20 GMTIf-None-Match: 04e707defb9d21:0User-Agent: Microsoft-CryptoAPI/6.1Hos"
      Pattern match: "www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl0"
      Pattern match: "www.microsoft.com/pkiops/certs/MicSecSerCA2011_2011-10-18.crt0"
      Pattern match: "crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl0^"
      Pattern match: "www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0"
      Pattern match: "www.microsoft.com"
      Pattern match: "https://go.microsoft.com/fwlink/?LinkId=841361"
      Pattern match: "https://download.microsoft.com/download/C/0/3/C036B882-9F99-4BC9-A4B5-69370C4E17E9/EULA_MCTool_EN-US_6.27.16.rtf"
      Pattern match: "http://fg.ds.b1.download.windowsupdate.com/d/Upgr/2018/04/17134.1.180410-1804.rs4_release_clientconsumer_ret_x64fre_en-us_e698e1f0c2e6022982a48e299e06936f84d83"
      Pattern match: "http://fg.ds.b1.download.windowsupdate.com/d/Upgr/2018/04/17134.1.180410-1804.rs4_release_clientconsumer_ret_x64fre_en-us_e698e1f0c2e6022982a48e299e06936f84d83a74.esd"
      Heuristic match: "VBoxVideo.cat"
      Pattern match: "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"
      Pattern match: "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl"
      Pattern match: "https://settings-win.data.microsoft.com/reg"
      Pattern match: "http://schemas.microsoft.com/WMIConfig/2002/State"
      source
      String
      relevance
      10/10
  • System Security
    • Creates or modifies windows services
      details
      "SetupHost.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
      "DiagTrackRunner.exe" (Access type: "CREATE"; Path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
      source
      Registry Access
      relevance
      10/10
    • Opens the Kernel Security Device Driver (KsecDD) of Windows
      details
      "<Input Sample>" opened "\Device\KsecDD"
      "SetupHost.exe" opened "\Device\KsecDD"
      "DiagTrackRunner.exe" opened "\Device\KsecDD"
      source
      API Call
      relevance
      10/10
  • Unusual Characteristics
    • Matched Compiler/Packer signature
      details
      "api-ms-win-downlevel-advapi32-l2-1-0.dll" was detected as "Microsoft visual C++ vx.x DLL"
      "api-ms-win-core-apiquery-l1-1-0.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
      "api-ms-win-downlevel-ole32-l1-1-0.dll" was detected as "Microsoft visual C++ vx.x DLL"
      "pidgenx.dll" was detected as "Visual C++ 2003 DLL -> Microsoft"
      "wdsutil.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
      "api-ms-win-downlevel-advapi32-l1-1-0.dll" was detected as "Microsoft visual C++ vx.x DLL"
      "api-ms-win-downlevel-ole32-l1-1-1.dll" was detected as "Microsoft visual C++ vx.x DLL"
      "api-ms-win-downlevel-kernel32-l1-1-0.dll" was detected as "Microsoft visual C++ vx.x DLL"
      "unbcl.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
      "wdscsl.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
      "api-ms-win-downlevel-user32-l1-1-0.dll" was detected as "Microsoft visual C++ vx.x DLL"
      "wpx.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
      "Diager.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
      "api-ms-win-downlevel-user32-l1-1-1.dll" was detected as "Microsoft visual C++ vx.x DLL"
      "api-ms-win-downlevel-advapi32-l2-1-1.dll" was detected as "Microsoft visual C++ vx.x DLL"
      "SetupHost.exe" was detected as "Visual C++ 2005 Release -> Microsoft"
      "DU.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
      "api-ms-win-downlevel-version-l1-1-0.dll" was detected as "Microsoft visual C++ vx.x DLL"
      "api-ms-win-downlevel-kernel32-l2-1-0.dll" was detected as "Microsoft visual C++ vx.x DLL"
      "DiagTrack.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
      source
      Static Parser
      relevance
      10/10

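The indicator "Makes a code branch decision directly after an API that is environment aware" is a disassembly heuristic rather than an observed behaviour: it fires when a call to an API whose result describes the execution environment (time, OS version, locale, debugger state) is followed within a few instructions by a conditional jump, which is the shape of sandbox-evasion and time-bomb checks. The Python below is an added example written for this page, not Hybrid Analysis code. It parses the flattened "+offset instruction" stream exactly as the report prints it and applies that rule. The API list, the four-instruction window and the three constructed comparison streams are assumptions of the example; the first stream is the one quoted in the indicator above. The same shape is also produced by ordinary code that timestamps an operation and then tests a status field, so a hit is a lead to read in the disassembler, not a verdict.

```python
"""Heuristic behind "Makes a code branch decision directly after an API that is
environment aware", re-implemented for illustration (not the sandbox's code).

Input is the flattened instruction stream the report prints, e.g.
  "...+354 call dword ptr [10191170h] ;GetSystemTimeAsFileTime+360 cmp ...+366 je 101460CEh"
"""
import re
from dataclasses import dataclass

# Assumed list for this example; the engine's real list is not published on the page.
ENV_AWARE_APIS = {
    "GetSystemTimeAsFileTime", "GetSystemTime", "GetLocalTime", "GetTickCount",
    "GetTimeZoneInformation", "GetVersionExA", "GetVersionExW", "RtlGetVersion",
    "GetUserDefaultUILanguage", "GetDiskFreeSpaceExW", "GetSystemFirmwareTable",
    "IsDebuggerPresent", "CheckRemoteDebuggerPresent",
}

# "+<offset> <mnemonic>" starts an instruction. "+14h]" inside an operand does
# not, because its digits are followed by 'h' rather than a space.
INSN_SPLIT = re.compile(r"\+(\d+) (?=[a-z])")
CALL = re.compile(r"^call\b")
# Any j<cc> is conditional; jmp is unconditional and deliberately excluded.
COND_JUMP = re.compile(r"^j(?!mp\b)[a-z]{1,4}\b")
SYMBOL = re.compile(r"[A-Za-z_]\w*")


@dataclass(frozen=True)
class Insn:
    offset: int  # the number printed after '+'
    text: str


@dataclass(frozen=True)
class Finding:
    api: str
    call_offset: int
    branch: str
    branch_offset: int
    gap: int  # instructions between the call and the branch


def parse_stream(stream):
    parts = INSN_SPLIT.split(stream)
    # parts[0] is whatever precedes the first instruction ("..." in the report).
    return [Insn(int(parts[i]), parts[i + 1].strip())
            for i in range(1, len(parts) - 1, 2)]


def called_api(text):
    """API name of a call, from the ';Name' comment or a direct symbol operand."""
    if not CALL.match(text):
        return None
    operand, _, comment = text[4:].partition(";")
    name = comment.strip() or operand.strip()
    return name if SYMBOL.fullmatch(name) else None


def find_env_aware_branches(insns, window=4):
    """One Finding per environment-aware call consumed by a j<cc> within `window` instructions."""
    findings = []
    for i, insn in enumerate(insns):
        api = called_api(insn.text)
        if api not in ENV_AWARE_APIS:
            continue
        for j in range(i + 1, min(i + 1 + window, len(insns))):
            text = insns[j].text
            if COND_JUMP.match(text):
                findings.append(Finding(api, insn.offset, text, insns[j].offset, j - i - 1))
                break
            if CALL.match(text):  # another call intervenes; stop attributing the branch
                break
    return findings


# The stream quoted in the indicator (Stream UID 41249-851-10145F5B).
REPORT_STREAM = (
    "...+349 lea eax, dword ptr [esp+14h]+353 push eax"
    "+354 call dword ptr [10191170h] ;GetSystemTimeAsFileTime"
    "+360 cmp dword ptr [esi+34h], 00000000h+364 mov edx, esi+366 je 101460CEh"
)
# Constructed negative: same API, but the timestamp is only stored and the function returns.
BENIGN_STREAM = (
    "+100 lea eax, dword ptr [esp+8h]+104 push eax"
    "+105 call dword ptr [10191170h] ;GetSystemTimeAsFileTime"
    "+111 mov ecx, dword ptr [esp+8h]+115 mov dword ptr [esi+10h], ecx+118 ret"
)
# Constructed positive: the classic debugger check, call with a direct symbol operand.
DEBUG_STREAM = "+200 call IsDebuggerPresent+205 test eax, eax+207 jnz 00401234h+209 jmp 00401300h"
# Constructed negative: the jump after the call is unconditional.
UNCOND_STREAM = "+300 call dword ptr [00401000h] ;GetTickCount+306 mov ebx, eax+308 jmp 00401400h"

if __name__ == "__main__":
    for name, stream in [("report", REPORT_STREAM), ("benign", BENIGN_STREAM),
                         ("debug", DEBUG_STREAM), ("uncond", UNCOND_STREAM)]:
        for f in find_env_aware_branches(parse_stream(stream)):
            print(f"{name}: {f.api} at +{f.call_offset} -> {f.branch} at +{f.branch_offset} (gap {f.gap})")
```

Run against the report's stream it reports GetSystemTimeAsFileTime at +354 consumed by "je 101460CEh" at +366 with two instructions in between; the benign and unconditional streams produce nothing, which is the distinction the relevance score does not make for you.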
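Most entries under "Found potential URL in binary/memory" are not contact points at all. The crl.microsoft.com, ocsp and digicert.com strings are the CRL, AIA, OCSP and CPS URLs carried inside the Authenticode certificate chain, and the odd trailing "0Z", "0X", "0@" and "0=" are DER bytes that the string scanner picked up along with the IA5String: 0x30 is ASCII "0" and the SEQUENCE tag of the next element, and the character after it is that element's length byte. The Python below is an added triage script for this page, not part of the report. It strips that residue conservatively (only after a known PKI suffix or a bare host), gives scheme-less hosts a scheme so they parse, and buckets each string so that the ESD download and the Microsoft service endpoints stand out from PKI noise. The category names and the small TLD allow-list are assumptions of the example; the input list is a subset of the strings shown above, with the GET entry cut at the request line.

```python
"""Triage for "Found potential URL in binary/memory" strings (added example,
not Hybrid Analysis code). Separates PKI URLs from the certificate chain,
XML namespace identifiers and scanner noise from the few real endpoints.
"""
import re
from urllib.parse import urlsplit

# Residue rule 1: a PKI file/path suffix, then '0' (0x30, DER SEQUENCE tag) and an
# optional length byte. Every lookbehind branch is four characters wide.
PKI_RESIDUE = re.compile(r"(?<=\.crl|\.crt|\.cer|\.htm|/cps)0.?$", re.I)
# Residue rule 2: a bare host such as "ocsp.digicert.com0".
HOST_RESIDUE = re.compile(r"(?<=\.com|\.net|\.org)0.?$", re.I)
# Scheme-less matches count as hosts only for a few TLDs (assumption of this example).
BARE_HOST = re.compile(r"^[\w.-]+\.(com|net|org|ms)(/|$)", re.I)
PKI_HOST = re.compile(r"^(crl\d*|mscrl|ocsp)\.")


def normalize(raw):
    """Strip ASN.1 residue and give scheme-less hosts a scheme so urlsplit works."""
    s = HOST_RESIDUE.sub("", PKI_RESIDUE.sub("", raw.strip()))
    if "://" not in s and BARE_HOST.match(s):
        s = "http://" + s  # scheme is assumed only for parsing, not observed
    return s


def classify(url):
    if url.startswith(("GET ", "POST ")):
        return "embedded_http_request"  # a captured request, not a URL string
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path.lower()
    if not host:
        return "not_a_url"
    if host.endswith("w3.org") or host == "schemas.microsoft.com":
        return "xml_namespace"
    if (PKI_HOST.match(host) or re.search(r"\.(crl|crt|cer)$", path)
            or "/pki" in path or path.endswith("/cps")):
        return "pki"
    if host.endswith("windowsupdate.com") or re.search(r"\.(esd|wim|swm|cab|msu)$", path):
        return "payload_download"
    if host.endswith(("microsoft.com", "aka.ms")):
        return "microsoft_service"
    return "other"


def triage(matches):
    """Group raw report strings by category; values are the normalized forms."""
    buckets = {}
    for raw in matches:
        url = normalize(raw)
        buckets.setdefault(classify(url), []).append(url)
    return buckets


SAMPLE = [  # subset of the indicator's strings; the GET entry is cut at the request line
    "http://www.w3.org/2000/09/xmldsig#",
    "crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X",
    "http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0",
    "www.microsoft.com/PKI/docs/CPS/default.htm0@",
    "http://ocsp.msocsp.com0",
    "http://crl3.digicert.com/Omniroot2025.crl0=",
    "https://www.digicert.com/CPS0",
    "http://www.microsoft.com/windows0",
    "Install.wim/swm/esd",
    "VBoxVideo.cat",
    "www.aka.ms",
    "https://go.microsoft.com/fwlink/?LinkId=841361",
    "https://settings-win.data.microsoft.com/reg",
    "http://fg.ds.b1.download.windowsupdate.com/d/Upgr/2018/04/17134.1.180410-1804."
    "rs4_release_clientconsumer_ret_x64fre_en-us_e698e1f0c2e6022982a48e299e06936f84d83a74.esd",
    "GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e7cb2148e6a514ca HTTP/1.1",
]

if __name__ == "__main__":
    for category, urls in sorted(triage(SAMPLE).items()):
        print(category)
        for u in urls:
            print("   ", u)
```

The residue rule is deliberately narrow: "http://www.microsoft.com/windows0" is left untouched because nothing on the page proves the final "0" is a DER tag rather than part of the path, and a triage script that truncates real URLs is worse than one that leaves a stray character. What remains after the PKI bucket is removed is short: one ESD image on windowsupdate.com, a settings endpoint, a fwlink and aka.ms, and the CryptoAPI disallowed-CTL fetch captured as a raw request line.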
File Details

All Details:

MediaCreationTool1803.exe

Filename
MediaCreationTool1803.exe
Size
18MiB (19119064 bytes)
Type
peexe executable
Description
PE32 executable (GUI) Intel 80386, for MS Windows
Architecture
WINDOWS
SHA256
aa8b68133931e76ca58944641084943c60e0954bd6c829bd9c670284da071ca4 Copy SHA256 to clipboard

Classification (TrID)

  • 83.4% (.EXE) InstallShield setup
  • 8.7% (.EXE) Win32 Executable (generic)
  • 3.8% (.EXE) Generic Win/DOS Executable
  • 3.8% (.EXE) DOS Executable Generic

Hybrid Analysis

Analysed 3 processes in total (System Resource Monitor).

  • MediaCreationTool1803.exe (PID: 3088)

Network Analysis

DNS Requests

No relevant DNS requests were made.

HTTP Traffic

No relevant HTTP requests were made.

Extracted Files

Displaying 46 extracted file(s). The remaining 9 file(s) are available in the full version and XML/JSON reports.

    • DU.dll
    • DiagTrack.dll
    • DiagTrackRunner.exe
    • Diager.dll
    • SetupCore.dll
    • SetupHost.exe
    • SetupMgr.dll
    • WinDlp.dll
    • api-ms-win-core-apiquery-l1-1-0.dll
    • api-ms-win-downlevel-advapi32-l1-1-0.dll
    • api-ms-win-downlevel-advapi32-l1-1-1.dll
    • api-ms-win-downlevel-advapi32-l2-1-0.dll
    • api-ms-win-downlevel-advapi32-l2-1-1.dll
    • api-ms-win-downlevel-advapi32-l3-1-0.dll
    • api-ms-win-downlevel-advapi32-l4-1-0.dll
    • api-ms-win-downlevel-kernel32-l1-1-0.dll
    • api-ms-win-downlevel-kernel32-l2-1-0.dll
    • api-ms-win-downlevel-ole32-l1-1-0.dll
    • api-ms-win-downlevel-ole32-l1-1-1.dll
    • api-ms-win-downlevel-shlwapi-l1-1-0.dll
    • api-ms-win-downlevel-shlwapi-l1-1-1.dll
    • api-ms-win-downlevel-user32-l1-1-0.dll
    • api-ms-win-downlevel-user32-l1-1-1.dll
    • api-ms-win-downlevel-version-l1-1-0.dll
    • ext-ms-win-advapi32-encryptedfile-l1-1-0.dll
    • pidgenx.dll
    • unbcl.dll
    • wdsclientapi.dll
    • wdscore.dll
    • wdscsl.dll
    • wdsimage.dll
    • wdstptc.dll
    • wdsutil.dll
    • wpx.dll

Notifications

  • A process crash was detected during the runtime analysis
  • Network whitenoise filtering was applied
  • No static analysis parsing on sample was performed
  • Not all IP/URL string resources were checked online
  • Not all sources for indicator ID "api-11" are available in the report
  • Not all sources for indicator ID "api-12" are available in the report
  • Not all sources for indicator ID "api-26" are available in the report
  • Not all sources for indicator ID "api-55" are available in the report
  • Not all sources for indicator ID "binary-0" are available in the report
  • Not all sources for indicator ID "binary-1" are available in the report
  • Not all sources for indicator ID "binary-16" are available in the report
  • Not all sources for indicator ID "mutant-0" are available in the report
  • Not all sources for indicator ID "registry-17" are available in the report
  • Not all sources for indicator ID "registry-18" are available in the report
  • Not all sources for indicator ID "registry-19" are available in the report
  • Not all sources for indicator ID "static-0" are available in the report
  • Not all sources for indicator ID "static-1" are available in the report
  • Not all sources for indicator ID "static-18" are available in the report
  • Not all sources for indicator ID "static-3" are available in the report
  • Not all sources for indicator ID "stream-22" are available in the report
  • Not all sources for indicator ID "stream-3" are available in the report
  • Not all sources for indicator ID "stream-31" are available in the report
  • Not all sources for indicator ID "string-24" are available in the report
  • Not all sources for indicator ID "string-64" are available in the report
  • Not all strings are visible in the report, because the maximum number of strings was reached (5000)
  • Some low-level information is hidden, as this is only a slim report
  • Static report size exceeded maximum capacity and may have missing stream data

Source: https://www.hybrid-analysis.com/sample/aa8b68133931e76ca58944641084943c60e0954bd6c829bd9c670284da071ca4?environmentId=120
