Incident Response

Risk Assessment

Fingerprint
Reads the active computer name

Additional Context

Related Sandbox Artifacts

Associated URLs
hxxp://connectivity.chloridepower.com/files/mopups-274-7537-1-intel-windows.exe

Indicators

  • Anti-Detection/Stealthyness
  • Anti-Reverse Engineering
  • Environment Awareness
    • Reads the active computer name
      details
      "Setup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
      "_INS5576._MP" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
      "_ISDel.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
      source
      Registry Access
      relevance
      5/10
  • General
  • Installation/Persistance
    • Drops executable files
      details
      "Ctl3d32.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "_Setup.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "IsUninst.728" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
      "_ISKPMG.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "chlorideups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "cenerups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "cusppups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "sinergyups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "oneacups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "_isuser.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "ondynups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "mopnetups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "edpups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "ZDataI51.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "silectronups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "_WUTL951.DLL" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      source
      Extracted File
      relevance
      10/10
  • Network Related
  • System Destruction
    • Marks file for deletion
      details
      "C:\mopups-274-7537-1-intel-windows.exe" marked "%TEMP%\pft5EA5.tmp" for deletion
      "%TEMP%\pft5EA5~tmp\Setup.exe" marked "%TEMP%\_INS5566._MP" for deletion
      "%TEMP%\_ISTMP1.DIR\_INS5576._MP" marked "%TEMP%\_ISTMP1.DIR\_INS0432.INI" for deletion
      "%TEMP%\_ISTMP1.DIR\_INS5576._MP" marked "%WINDIR%\_iserr31.ini" for deletion
      "%TEMP%\_ISTMP1.DIR\_INS5576._MP" marked "%WINDIR%\_isenv31.ini" for deletion
      "%TEMP%\pft5EA5~tmp\_ISDel.exe" marked "%WINDIR%\_INS33IS._MP" for deletion
      source
      API Call
      relevance
      10/10
    • Opens file with deletion access rights
      details
      "<Input Sample>" opened "%TEMP%\pft5EA5.tmp" with delete access
      "Setup.exe" opened "%TEMP%\_INS5566._MP" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_INS0432.INI" with delete access
      "_INS5576._MP" opened "%WINDIR%\_iserr31.ini" with delete access
      "_INS5576._MP" opened "%WINDIR%\_isenv31.ini" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\Corecomp.ini" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\Ctl3d32.dll" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\IsUninst.728" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\IsUninst.Exe" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\_isres.dll" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\basicups.dll" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\cenerups.dll" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\chlorideups.dll" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\cusppups.dll" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\demoups.dll" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\demoups.ini" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\edpups.dll" with delete access
      "_ISDel.exe" opened "%WINDIR%\_INS33IS._MP" with delete access
      source
      API Call
      relevance
      7/10
  • System Security
  • Unusual Characteristics
    • CRC value set in PE header does not match actual value
      details
      "_Setup.dll" claimed CRC 51039 while the actual is CRC 31494
      "_Setup.dll" claimed CRC 65581 while the actual is CRC 51039
      "IsUninst.728" claimed CRC 347409 while the actual is CRC 64594
      "_Setup.dll" claimed CRC 89282 while the actual is CRC 67814
      "_Setup.dll" claimed CRC 80470 while the actual is CRC 113816
      "_Setup.dll" claimed CRC 72541 while the actual is CRC 97507
      "_Setup.dll" claimed CRC 60083 while the actual is CRC 72541
      "_Setup.dll" claimed CRC 95602 while the actual is CRC 60083
      source
      Static Parser
      relevance
      10/10
    • Imports suspicious APIs
      details
      GetModuleFileNameW
      GetProcAddress
      GetModuleHandleA
      FindResourceW
      SetWindowsHookExW
      GetModuleFileNameA
      LoadLibraryA
      GetCommandLineA
      WriteFile
      GetStartupInfoA
      TerminateProcess
      VirtualAlloc
      RegDeleteKeyA
      RegCloseKey
      RegDeleteValueA
      RegCreateKeyExA
      RegOpenKeyA
      OpenProcessToken
      RegEnumKeyA
      GetFileAttributesA
      GetDriveTypeA
      UnhandledExceptionFilter
      GetTickCount
      GetFileSize
      CreateDirectoryA
      DeleteFileA
      FindFirstFileA
      FindNextFileA
      CreateFileA
      WinExec
      LockResource
      Sleep
      FindResourceA
      FindWindowA
      RegOpenKeyExA
      DeviceIoControl
      CreateThread
      ExitThread
      GetVersionExA
      OutputDebugStringA
      SetSecurityDescriptorDacl
      StartServiceA
      GetComputerNameA
      CreateProcessA
      ShellExecuteA
      sendto (Ordinal #20)
      accept (Ordinal #1)
      WSAStartup (Ordinal #115)
      bind (Ordinal #2)
      recv (Ordinal #16)
      socket (Ordinal #23)
      connect (Ordinal #4)
      recvfrom (Ordinal #17)
      send (Ordinal #19)
      closesocket (Ordinal #3)
      listen (Ordinal #13)
      CreateServiceA
      OpenFileMappingA
      LoadLibraryExA
      source
      Static Parser
      relevance
      1/10
    • Installs hooks/patches the running process
      details
      "Setup.exe" wrote bytes "40532a7758582b77186a2b77653c2c770000000000bffb750000000056ccfb75000000007ccafb7500000000376867756a2c2c77d62d2c7700000000206967750000000029a6fb7500000000a48d677500000000f70efb7500000000" to virtual address "0x773E1000" (part of module "NSI.DLL")
      "_INS5576._MP" wrote bytes "40532a7758582b77186a2b77653c2c770000000000bffb750000000056ccfb75000000007ccafb7500000000376867756a2c2c77d62d2c7700000000206967750000000029a6fb7500000000a48d677500000000f70efb7500000000" to virtual address "0x773E1000" (part of module "NSI.DLL")
      "_ISDel.exe" wrote bytes "40532a7758582b77186a2b77653c2c770000000000bffb750000000056ccfb75000000007ccafb7500000000376867756a2c2c77d62d2c7700000000206967750000000029a6fb7500000000a48d677500000000f70efb7500000000" to virtual address "0x773E1000" (part of module "NSI.DLL")
      source
      Hook Detection
      relevance
      10/10
    • Reads information about supported languages
      details
      "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
      "Setup.exe" (Path: "HKU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALE")
      "Setup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
      "_INS5576._MP" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
      source
      Registry Access
      relevance
      3/10
    • Timestamp in PE header is very old or in the future
      details
      "Ctl3d32.dll" claims program is from Fri Jul 14 01:46:26 1995
      "_Setup.dll" claims program is from Tue Sep 29 22:34:54 1998
      "IsUninst.728" claims program is from Sat Oct 3 00:00:47 1998
      "ZDataI51.dll" claims program is from Wed Sep 23 00:06:56 1998
      "_WUTL951.DLL" claims program is from Wed Sep 23 18:20:52 1998
      "_ISDel.exe" claims program is from Tue Oct 27 19:06:49 1998
      "_isres.dll" claims program is from Thu Oct 22 18:47:00 1998
      "Setup.exe" claims program is from Tue Jan 12 18:42:19 1999
      source
      Static Parser
      relevance
      10/10
  • Hiding 4 Suspicious Indicators
  • Environment Awareness
    • Contains ability to query machine time
      details
      [email protected] from _INS5576._MP(PID: 2892) (Show Stream)
      [email protected] from _INS5576._MP(PID: 2892) (Show Stream)
      [email protected] from _INS5576._MP(PID: 2892) (Show Stream)
      [email protected] at 32481-901-1003ACD0
      [email protected] at 40277-1191-10033D9F
      [email protected] at 44234-1183-1003452F
      [email protected] at 48050-1175-100357EF
      [email protected] at 60605-1183-10035CCF
      source
      Hybrid Analysis Technology
      relevance
      1/10
    • Contains ability to query the machine timezone
      details
      [email protected] from _INS5576._MP(PID: 2892) (Show Stream)
      [email protected] from _INS5576._MP(PID: 2892) (Show Stream)
      [email protected] at 40277-1062-1001CB70
      [email protected] at 40277-1191-10033D9F
      [email protected] at 44234-1057-1001D30C
      [email protected] at 44234-1183-1003452F
      [email protected] at 48050-1175-100357EF
      [email protected] at 48050-1052-1001E9D2
      [email protected] at 60605-1183-10035CCF
      [email protected] at 60605-1060-1001EEB2
      source
      Hybrid Analysis Technology
      relevance
      1/10
    • Contains ability to query the machine version
    • Contains ability to query the system locale
      details
      [email protected] from Setup.exe(PID: 2664) (Show Stream)
      [email protected] from _INS5576._MP(PID: 2892) (Show Stream)
      [email protected] from _INS5576._MP(PID: 2892) (Show Stream)
      [email protected] at 32481-1152-1001DE03
      [email protected] at 32481-1148-1001E1A1
      [email protected] at 32481-1147-1001E25E
      [email protected] at 32481-1149-1001E08E
      [email protected] at 40277-1041-1001A1CE
      [email protected] at 40277-1045-10019F43
      [email protected] at 40277-1040-1001A2E1
      [email protected] at 40277-1039-1001A39E
      [email protected] at 44234-1036-1001B0AE
      [email protected] at 44234-1040-1001AE23
      [email protected] at 44234-1035-1001B1C1
      [email protected] at 44234-1034-1001B27E
      [email protected] at 48050-1030-1001BE41
      [email protected] at 48050-1035-1001BAA3
      [email protected] at 48050-1031-1001BD2E
      [email protected] at 48050-1029-1001BEFE
      [email protected] at 60605-1038-1001C321
      source
      Hybrid Analysis Technology
      relevance
      1/10
    • Contains ability to query volume size
    • Makes a code branch decision directly after an API that is environment aware
      details
      Found API call [email protected] (Target: "_INS5576._MP"; Stream UID: "00025300-00002892-47749-38-00476C86")
      which is directly followed by "cmp ax, word ptr [004870F2h]" and "jne 00476CEBh". See related instructions: "...
      +23 call dword ptr [0047E2CCh] ;GetSystemTime
      +29 mov ax, word ptr [ebp-16h]
      +33 cmp ax, word ptr [004870F2h]
      +40 jne 00476CEBh" ... from _INS5576._MP(PID: 2892) (Show Stream)
      Found API call [email protected] (Target: "_INS5576._MP"; Stream UID: "00025300-00002892-47749-308-0046CB55")
      which is directly followed by "cmp dword ptr [ebp-00000224h], 00000000h" and "jne 0046CC5Dh". See related instructions: "...
      +196 lea eax, dword ptr [ebp-00000108h]
      +202 mov dword ptr [ebp-00000330h], eax
      +208 push dword ptr [ebp+14h]
      +211 push dword ptr [ebp+10h]
      +214 push dword ptr [ebp+0Ch]
      +217 push dword ptr [ebp-00000330h]
      +223 call dword ptr [0048469Ch] ;GetDiskFreeSpaceExA
      +229 mov dword ptr [ebp-00000224h], eax
      +235 cmp dword ptr [ebp-00000224h], 00000000h
      +242 jne 0046CC5Dh" ... from _INS5576._MP(PID: 2892) (Show Stream)
      Found API call [email protected] (Target: "_INS5576._MP"; Stream UID: "00025300-00002892-47749-641-00413F10")
      which is directly followed by "cmp dword ptr [ebp-04h], 80000000h" and "jnc 00413F57h". See related instructions: "...
      +0 push ebp
      +1 mov ebp, esp
      +3 push ecx
      +4 push ecx
      +5 and dword ptr [0048889Ch], 00000000h
      +12 and dword ptr [00488874h], 00000000h
      +19 and dword ptr [0048888Ch], 00000000h
      +26 and dword ptr [00488884h], 00000000h
      +33 call dword ptr [0047E270h] ;GetVersion
      +39 mov dword ptr [ebp-04h], eax
      +42 mov ax, word ptr [ebp-04h]
      +46 mov word ptr [ebp-08h], ax
      +50 cmp dword ptr [ebp-04h], 80000000h
      +57 jnc 00413F57h" ... from _INS5576._MP(PID: 2892) (Show Stream)
      Found API call [email protected] (Target: "_INS5576._MP"; Stream UID: "00025300-00002892-42839-1200-0043EB35")
      which is directly followed by "cmp dword ptr [ebp+08h], 06h" and "je 0043EBF7h". See related instructions: "...
      +90 mov eax, dword ptr [00485FF8h]
      +95 mov ecx, dword ptr [ebp+08h]
      +98 mov dword ptr [eax+08h], ecx
      +101 mov eax, dword ptr [00485FF8h]
      +106 mov ecx, dword ptr [ebp-0Ch]
      +109 mov dword ptr [eax+0Ch], ecx
      +112 mov eax, dword ptr [00485FF8h]
      +117 and byte ptr [eax+00000226h], 00h
      +124 mov eax, dword ptr [00485FF8h]
      +129 mov ecx, dword ptr [ebp+0Ch]
      +132 mov dword ptr [eax], ecx
      +134 mov eax, dword ptr [00485FF8h]
      +139 and dword ptr [eax+04h], 00000000h
      +143 mov eax, dword ptr [00485FF8h]
      +148 and dword ptr [eax+18h], 00000000h
      +152 mov eax, dword ptr [00485FF8h]
      +157 and dword ptr [eax+14h], 00000000h
      +161 mov eax, dword ptr [00485FF8h]
      +166 mov dword ptr [eax+10h], 00000001h
      +173 call dword ptr [0047E270h] ;GetVersion
      +179 mov dword ptr [ebp-04h], eax
      +182 cmp dword ptr [ebp+08h], 06h
      +186 je 0043EBF7h" ... from _INS5576._MP(PID: 2892) (Show Stream)
      Found API call [email protected] (Target: "_INS5576._MP"; Stream UID: "00025300-00002892-38233-308-0046CB55")
      which is directly followed by "cmp dword ptr [ebp-00000224h], 00000000h" and "jne 0046CC5Dh". See related instructions: "...
      +196 lea eax, dword ptr [ebp-00000108h]
      +202 mov dword ptr [ebp-00000330h], eax
      +208 push dword ptr [ebp+14h]
      +211 push dword ptr [ebp+10h]
      +214 push dword ptr [ebp+0Ch]
      +217 push dword ptr [ebp-00000330h]
      +223 call dword ptr [0048469Ch] ;GetDiskFreeSpaceExA
      +229 mov dword ptr [ebp-00000224h], eax
      +235 cmp dword ptr [ebp-00000224h], 00000000h
      +242 jne 0046CC5Dh" ... from _INS5576._MP(PID: 2892) (Show Stream)
      Found API call [email protected] (Target: "_INS5576._MP"; Stream UID: "00025300-00002892-38233-1203-0043EB35")
      which is directly followed by "cmp dword ptr [ebp+08h], 06h" and "je 0043EBF7h". See related instructions: "...
      +90 mov eax, dword ptr [00485FF8h]
      +95 mov ecx, dword ptr [ebp+08h]
      +98 mov dword ptr [eax+08h], ecx
      +101 mov eax, dword ptr [00485FF8h]
      +106 mov ecx, dword ptr [ebp-0Ch]
      +109 mov dword ptr [eax+0Ch], ecx
      +112 mov eax, dword ptr [00485FF8h]
      +117 and byte ptr [eax+00000226h], 00h
      +124 mov eax, dword ptr [00485FF8h]
      +129 mov ecx, dword ptr [ebp+0Ch]
      +132 mov dword ptr [eax], ecx
      +134 mov eax, dword ptr [00485FF8h]
      +139 and dword ptr [eax+04h], 00000000h
      +143 mov eax, dword ptr [00485FF8h]
      +148 and dword ptr [eax+18h], 00000000h
      +152 mov eax, dword ptr [00485FF8h]
      +157 and dword ptr [eax+14h], 00000000h
      +161 mov eax, dword ptr [00485FF8h]
      +166 mov dword ptr [eax+10h], 00000001h
      +173 call dword ptr [0047E270h] ;GetVersion
      +179 mov dword ptr [ebp-04h], eax
      +182 cmp dword ptr [ebp+08h], 06h
      +186 je 0043EBF7h" ... from _INS5576._MP(PID: 2892) (Show Stream)
      Found API call [email protected] (Target: "oneacups.dll.989022799"; Stream UID: "40277-1191-10033D9F")
      which is directly followed by "cmp ax, word ptr [1004560Ah]" and "jne 10033E04h". See related instructions: "...
      +23 call dword ptr [10039168h] ;GetSystemTime
      +29 mov ax, word ptr [ebp-16h]
      +33 cmp ax, word ptr [1004560Ah]
      +40 jne 10033E04h" ... at 40277-1191-10033D9F
      Found API call [email protected] (Target: "sinergyups.dll.819830290"; Stream UID: "44234-1183-1003452F")
      which is directly followed by "cmp ax, word ptr [1004696Ah]" and "jne 10034594h". See related instructions: "...
      +23 call dword ptr [10039168h] ;GetSystemTime
      +29 mov ax, word ptr [ebp-16h]
      +33 cmp ax, word ptr [1004696Ah]
      +40 jne 10034594h" ... at 44234-1183-1003452F
      Found API call [email protected] (Target: "cenerups.dll.738709359"; Stream UID: "48050-1175-100357EF")
      which is directly followed by "cmp ax, word ptr [10048A0Ah]" and "jne 10035854h". See related instructions: "...
      +23 call dword ptr [1003B168h] ;GetSystemTime
      +29 mov ax, word ptr [ebp-16h]
      +33 cmp ax, word ptr [10048A0Ah]
      +40 jne 10035854h" ... at 48050-1175-100357EF
      Found API call [email protected] (Target: "chlorideups.dll.660316738"; Stream UID: "60605-1183-10035CCF")
      which is directly followed by "cmp ax, word ptr [10048A7Ah]" and "jne 10035D34h". See related instructions: "...
      +23 call dword ptr [1003B168h] ;GetSystemTime
      +29 mov ax, word ptr [ebp-16h]
      +33 cmp ax, word ptr [10048A7Ah]
      +40 jne 10035D34h" ... at 60605-1183-10035CCF
      source
      Hybrid Analysis Technology
      relevance
      10/10
  • General
    • Creates a writable file in a temporary directory
      details
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\pftw1.pkg"
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\AUTORUN.INF"
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\DATA.TAG"
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\data1.cab"
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\data1.hdr"
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\lang.dat"
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\layout.bin"
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\os.dat"
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\Setup.exe"
      source
      API Call
      relevance
      1/10
    • Drops files marked as clean
      details
      Antivirus vendors marked dropped file "Ctl3d32.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "_Setup.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "IsUninst.728" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "chlorideups.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "cusppups.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "ondynups.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "mopnetups.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "ZDataI51.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "_WUTL951.DLL" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "_ISDel.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "demoups.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "basicups.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "_isres.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "mopinstl.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "Setup.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
      source
      Extracted File
      relevance
      10/10
    • Loads rich edit control libraries
      details
      "<Input Sample>" loaded module "%WINDIR%\System32\riched32.dll" at 6AFB0000
      "<Input Sample>" loaded module "%WINDIR%\System32\riched20.dll" at 6AF30000
      source
      Loaded Module
    • Spawns new processes
      details
      Spawned process "Setup.exe" with commandline "/SMS" (Show Process)
      Spawned process "_INS5576._MP" (Show Process)
      Spawned process "_ISDel.exe" with commandline "%TEMP%\pft5EA5~tmp\_ISDEL.EXE" (Show Process)
      source
      Monitored Target
      relevance
      3/10
  • Installation/Persistance
    • Connects to LPC ports
      details
      "<Input Sample>" connecting to "\ThemeApiPort"
      "Setup.exe" connecting to "\ThemeApiPort"
      "_ISDel.exe" connecting to "\ThemeApiPort"
      source
      API Call
      relevance
      1/10
    • Dropped files
      details
      "Ctl3d32.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "_Setup.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "value.shl" has type "ISO-8859 text with CRLF line terminators"
      "IsUninst.728" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
      "_isenv31.ini" has type "data"
      "setup.lid" has type "ASCII text with CRLF line terminators"
      "_ISKPMG.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "chlorideups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "setup.lid" has type "ASCII text"
      "cenerups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "cusppups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "sinergyups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "setup.ins" has type "data"
      "oneacups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "_isuser.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "lang.dat" has type "Non-ISO extended-ASCII text with CRLF line terminators"
      "ondynups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "_inst32i.ex_" has type "data"
      source
      Extracted File
      relevance
      3/10
    • Touches files in the Windows directory
      details
      "<Input Sample>" touched file "%WINDIR%\AppPatch\AcGenral.DLL"
      "<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
      "<Input Sample>" touched file "%WINDIR%\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_en-us_020378a8991bbcc2\COMCTL32.dll.mui"
      "<Input Sample>" touched file "%WINDIR%\system32\en-US\MSCTF.dll.mui"
      "<Input Sample>" touched file "%WINDIR%\Fonts\staticcache.dat"
      "Setup.exe" touched file "%WINDIR%\AppPatch\AcSpecfc.DLL"
      "Setup.exe" touched file "%WINDIR%\AppPatch\AcLayers.DLL"
      "Setup.exe" touched file "%WINDIR%\AppPatch\AcGenral.DLL"
      "Setup.exe" touched file "%WINDIR%\_delis32.ini"
      source
      API Call
      relevance
      7/10
  • Network Related
    • Found potential URL in binary/memory
      details
      Heuristic match: "i[GZB>R.Bw"
      Pattern match: "http://www.installshield.com/pftw/"
      Pattern match: "http://connectivity.chloridepower.com"
      Heuristic match: "MSG_SETUPCOMPLETEOPT1= READ.ME"
      Heuristic match: "UID.NAME"
      Heuristic match: "PDU.%d.NAME"
      source
      String
      relevance
      10/10
  • System Security
  • Unusual Characteristics
    • Matched Compiler/Packer signature
      details
      "_Setup.dll" was detected as "fasm -> Tomasz Grysztar,Microsoft Visual C++ DLL"
      "IsUninst.728" was detected as "Microsoft Visual C++ .0"
      "_ISKPMG.dll" was detected as "Microsoft Visual C++ 6.0"
      "chlorideups.dll" was detected as "Microsoft Visual C++ 6.0"
      "cenerups.dll" was detected as "Microsoft Visual C++ 6.0"
      "cusppups.dll" was detected as "Microsoft Visual C++ 6.0"
      "sinergyups.dll" was detected as "Microsoft Visual C++ 6.0"
      "oneacups.dll" was detected as "Microsoft Visual C++ 6.0"
      "_isuser.dll" was detected as "Microsoft Visual C++ 6.0"
      "ondynups.dll" was detected as "Microsoft Visual C++ 6.0"
      "mopnetups.dll" was detected as "Microsoft Visual C++ 6.0"
      "edpups.dll" was detected as "Microsoft Visual C++ 6.0"
      "ZDataI51.dll" was detected as "fasm -> Tomasz Grysztar,Microsoft Visual C++ DLL"
      "silectronups.dll" was detected as "Microsoft Visual C++ 6.0"
      "_ISDel.exe" was detected as "Microsoft Visual C++ .0"
      "demoups.dll" was detected as "Microsoft Visual C++ 6.0"
      source
      Static Parser
      relevance
      10/10

File Details

All Details:

mopups-274-7537-1-intel-windows.exe

Hybrid Analysis

Analysed 4 processes in total (System Resource Monitor).

Network Analysis

DNS Requests

No relevant DNS requests were made.

HTTP Traffic

No relevant HTTP requests were made.

      "Setup.exe" wrote bytes "40532a7758582b77186a2b77653c2c770000000000bffb750000000056ccfb75000000007ccafb7500000000376867756a2c2c77d62d2c7700000000206967750000000029a6fb7500000000a48d677500000000f70efb7500000000" to virtual address "0x773E1000" (part of module "NSI.DLL")
      "_INS5576._MP" wrote bytes "40532a7758582b77186a2b77653c2c770000000000bffb750000000056ccfb75000000007ccafb7500000000376867756a2c2c77d62d2c7700000000206967750000000029a6fb7500000000a48d677500000000f70efb7500000000" to virtual address "0x773E1000" (part of module "NSI.DLL")
      "_ISDel.exe" wrote bytes "40532a7758582b77186a2b77653c2c770000000000bffb750000000056ccfb75000000007ccafb7500000000376867756a2c2c77d62d2c7700000000206967750000000029a6fb7500000000a48d677500000000f70efb7500000000" to virtual address "0x773E1000" (part of module "NSI.DLL")
      source
      Hook Detection
      relevance
      10/10
    • Reads information about supported languages
      details
      "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
      "Setup.exe" (Path: "HKU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALE")
      "Setup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
      "_INS5576._MP" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
      source
      Registry Access
      relevance
      3/10
    • Timestamp in PE header is very old or in the future
      details
      "Ctl3d32.dll" claims program is from Fri Jul 14 01:46:26 1995
      "_Setup.dll" claims program is from Tue Sep 29 22:34:54 1998
      "IsUninst.728" claims program is from Sat Oct 3 00:00:47 1998
      "ZDataI51.dll" claims program is from Wed Sep 23 00:06:56 1998
      "_WUTL951.DLL" claims program is from Wed Sep 23 18:20:52 1998
      "_ISDel.exe" claims program is from Tue Oct 27 19:06:49 1998
      "_isres.dll" claims program is from Thu Oct 22 18:47:00 1998
      "Setup.exe" claims program is from Tue Jan 12 18:42:19 1999
      source
      Static Parser
      relevance
      10/10
  • Hiding 4 Suspicious Indicators
    • All indicators are available only in the private webservice or standalone version
  • Environment Awareness
    • Contains ability to query machine time
      details
      [email protected] from _INS5576._MP(PID: 2892)
      [email protected] from _INS5576._MP(PID: 2892)
      [email protected] from _INS5576._MP(PID: 2892)
      [email protected] at 32481-901-1003ACD0
      [email protected] at 40277-1191-10033D9F
      [email protected] at 44234-1183-1003452F
      [email protected] at 48050-1175-100357EF
      [email protected] at 60605-1183-10035CCF
      source
      Hybrid Analysis Technology
      relevance
      1/10
    • Contains ability to query the machine timezone
      details
      [email protected] from _INS5576._MP(PID: 2892)
      [email protected] from _INS5576._MP(PID: 2892)
      [email protected] at 40277-1062-1001CB70
      [email protected] at 40277-1191-10033D9F
      [email protected] at 44234-1057-1001D30C
      [email protected] at 44234-1183-1003452F
      [email protected] at 48050-1175-100357EF
      [email protected] at 48050-1052-1001E9D2
      [email protected] at 60605-1183-10035CCF
      [email protected] at 60605-1060-1001EEB2
      source
      Hybrid Analysis Technology
      relevance
      1/10
    • Contains ability to query the machine version
    • Contains ability to query the system locale
      details
      [email protected] from Setup.exe(PID: 2664)
      [email protected] from _INS5576._MP(PID: 2892)
      [email protected] from _INS5576._MP(PID: 2892)
      [email protected] at 32481-1152-1001DE03
      [email protected] at 32481-1148-1001E1A1
      [email protected] at 32481-1147-1001E25E
      [email protected] at 32481-1149-1001E08E
      [email protected] at 40277-1041-1001A1CE
      [email protected] at 40277-1045-10019F43
      [email protected] at 40277-1040-1001A2E1
      [email protected] at 40277-1039-1001A39E
      [email protected] at 44234-1036-1001B0AE
      [email protected] at 44234-1040-1001AE23
      [email protected] at 44234-1035-1001B1C1
      [email protected] at 44234-1034-1001B27E
      [email protected] at 48050-1030-1001BE41
      [email protected] at 48050-1035-1001BAA3
      [email protected] at 48050-1031-1001BD2E
      [email protected] at 48050-1029-1001BEFE
      [email protected] at 60605-1038-1001C321
      source
      Hybrid Analysis Technology
      relevance
      1/10
    • Contains ability to query volume size
    • Makes a code branch decision directly after an API that is environment aware
      details
      Found API call [email protected] (Target: "_INS5576._MP"; Stream UID: "00025300-00002892-47749-38-00476C86")
      which is directly followed by "cmp ax, word ptr [004870F2h]" and "jne 00476CEBh". See related instructions: "...
      +23 call dword ptr [0047E2CCh] ;GetSystemTime
      +29 mov ax, word ptr [ebp-16h]
      +33 cmp ax, word ptr [004870F2h]
      +40 jne 00476CEBh" ... from _INS5576._MP(PID: 2892)
      Found API call [email protected] (Target: "_INS5576._MP"; Stream UID: "00025300-00002892-47749-308-0046CB55")
      which is directly followed by "cmp dword ptr [ebp-00000224h], 00000000h" and "jne 0046CC5Dh". See related instructions: "...
      +196 lea eax, dword ptr [ebp-00000108h]
      +202 mov dword ptr [ebp-00000330h], eax
      +208 push dword ptr [ebp+14h]
      +211 push dword ptr [ebp+10h]
      +214 push dword ptr [ebp+0Ch]
      +217 push dword ptr [ebp-00000330h]
      +223 call dword ptr [0048469Ch] ;GetDiskFreeSpaceExA
      +229 mov dword ptr [ebp-00000224h], eax
      +235 cmp dword ptr [ebp-00000224h], 00000000h
      +242 jne 0046CC5Dh" ... from _INS5576._MP(PID: 2892)
      Found API call [email protected] (Target: "_INS5576._MP"; Stream UID: "00025300-00002892-47749-641-00413F10")
      which is directly followed by "cmp dword ptr [ebp-04h], 80000000h" and "jnc 00413F57h". See related instructions: "...
      +0 push ebp
      +1 mov ebp, esp
      +3 push ecx
      +4 push ecx
      +5 and dword ptr [0048889Ch], 00000000h
      +12 and dword ptr [00488874h], 00000000h
      +19 and dword ptr [0048888Ch], 00000000h
      +26 and dword ptr [00488884h], 00000000h
      +33 call dword ptr [0047E270h] ;GetVersion
      +39 mov dword ptr [ebp-04h], eax
      +42 mov ax, word ptr [ebp-04h]
      +46 mov word ptr [ebp-08h], ax
      +50 cmp dword ptr [ebp-04h], 80000000h
      +57 jnc 00413F57h" ... from _INS5576._MP(PID: 2892)
      Found API call [email protected] (Target: "_INS5576._MP"; Stream UID: "00025300-00002892-42839-1200-0043EB35")
      which is directly followed by "cmp dword ptr [ebp+08h], 06h" and "je 0043EBF7h". See related instructions: "...
      +90 mov eax, dword ptr [00485FF8h]
      +95 mov ecx, dword ptr [ebp+08h]
      +98 mov dword ptr [eax+08h], ecx
      +101 mov eax, dword ptr [00485FF8h]
      +106 mov ecx, dword ptr [ebp-0Ch]
      +109 mov dword ptr [eax+0Ch], ecx
      +112 mov eax, dword ptr [00485FF8h]
      +117 and byte ptr [eax+00000226h], 00h
      +124 mov eax, dword ptr [00485FF8h]
      +129 mov ecx, dword ptr [ebp+0Ch]
      +132 mov dword ptr [eax], ecx
      +134 mov eax, dword ptr [00485FF8h]
      +139 and dword ptr [eax+04h], 00000000h
      +143 mov eax, dword ptr [00485FF8h]
      +148 and dword ptr [eax+18h], 00000000h
      +152 mov eax, dword ptr [00485FF8h]
      +157 and dword ptr [eax+14h], 00000000h
      +161 mov eax, dword ptr [00485FF8h]
      +166 mov dword ptr [eax+10h], 00000001h
      +173 call dword ptr [0047E270h] ;GetVersion
      +179 mov dword ptr [ebp-04h], eax
      +182 cmp dword ptr [ebp+08h], 06h
      +186 je 0043EBF7h" ... from _INS5576._MP(PID: 2892)
      Found API call [email protected] (Target: "_INS5576._MP"; Stream UID: "00025300-00002892-38233-308-0046CB55")
      which is directly followed by "cmp dword ptr [ebp-00000224h], 00000000h" and "jne 0046CC5Dh". See related instructions: "...
      +196 lea eax, dword ptr [ebp-00000108h]
      +202 mov dword ptr [ebp-00000330h], eax
      +208 push dword ptr [ebp+14h]
      +211 push dword ptr [ebp+10h]
      +214 push dword ptr [ebp+0Ch]
      +217 push dword ptr [ebp-00000330h]
      +223 call dword ptr [0048469Ch] ;GetDiskFreeSpaceExA
      +229 mov dword ptr [ebp-00000224h], eax
      +235 cmp dword ptr [ebp-00000224h], 00000000h
      +242 jne 0046CC5Dh" ... from _INS5576._MP(PID: 2892)
      Found API call [email protected] (Target: "_INS5576._MP"; Stream UID: "00025300-00002892-38233-1203-0043EB35")
      which is directly followed by "cmp dword ptr [ebp+08h], 06h" and "je 0043EBF7h". See related instructions: "...
      +90 mov eax, dword ptr [00485FF8h]
      +95 mov ecx, dword ptr [ebp+08h]
      +98 mov dword ptr [eax+08h], ecx
      +101 mov eax, dword ptr [00485FF8h]
      +106 mov ecx, dword ptr [ebp-0Ch]
      +109 mov dword ptr [eax+0Ch], ecx
      +112 mov eax, dword ptr [00485FF8h]
      +117 and byte ptr [eax+00000226h], 00h
      +124 mov eax, dword ptr [00485FF8h]
      +129 mov ecx, dword ptr [ebp+0Ch]
      +132 mov dword ptr [eax], ecx
      +134 mov eax, dword ptr [00485FF8h]
      +139 and dword ptr [eax+04h], 00000000h
      +143 mov eax, dword ptr [00485FF8h]
      +148 and dword ptr [eax+18h], 00000000h
      +152 mov eax, dword ptr [00485FF8h]
      +157 and dword ptr [eax+14h], 00000000h
      +161 mov eax, dword ptr [00485FF8h]
      +166 mov dword ptr [eax+10h], 00000001h
      +173 call dword ptr [0047E270h] ;GetVersion
      +179 mov dword ptr [ebp-04h], eax
      +182 cmp dword ptr [ebp+08h], 06h
      +186 je 0043EBF7h" ... from _INS5576._MP(PID: 2892)
      Found API call [email protected] (Target: "oneacups.dll.989022799"; Stream UID: "40277-1191-10033D9F")
      which is directly followed by "cmp ax, word ptr [1004560Ah]" and "jne 10033E04h". See related instructions: "...
      +23 call dword ptr [10039168h] ;GetSystemTime
      +29 mov ax, word ptr [ebp-16h]
      +33 cmp ax, word ptr [1004560Ah]
      +40 jne 10033E04h" ... at 40277-1191-10033D9F
      Found API call [email protected] (Target: "sinergyups.dll.819830290"; Stream UID: "44234-1183-1003452F")
      which is directly followed by "cmp ax, word ptr [1004696Ah]" and "jne 10034594h". See related instructions: "...
      +23 call dword ptr [10039168h] ;GetSystemTime
      +29 mov ax, word ptr [ebp-16h]
      +33 cmp ax, word ptr [1004696Ah]
      +40 jne 10034594h" ... at 44234-1183-1003452F
      Found API call [email protected] (Target: "cenerups.dll.738709359"; Stream UID: "48050-1175-100357EF")
      which is directly followed by "cmp ax, word ptr [10048A0Ah]" and "jne 10035854h". See related instructions: "...
      +23 call dword ptr [1003B168h] ;GetSystemTime
      +29 mov ax, word ptr [ebp-16h]
      +33 cmp ax, word ptr [10048A0Ah]
      +40 jne 10035854h" ... at 48050-1175-100357EF
      Found API call [email protected] (Target: "chlorideups.dll.660316738"; Stream UID: "60605-1183-10035CCF")
      which is directly followed by "cmp ax, word ptr [10048A7Ah]" and "jne 10035D34h". See related instructions: "...
      +23 call dword ptr [1003B168h] ;GetSystemTime
      +29 mov ax, word ptr [ebp-16h]
      +33 cmp ax, word ptr [10048A7Ah]
      +40 jne 10035D34h" ... at 60605-1183-10035CCF
      source
      Hybrid Analysis Technology
      relevance
      10/10
  • General
    • Creates a writable file in a temporary directory
      details
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\pftw1.pkg"
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\AUTORUN.INF"
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\DATA.TAG"
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\data1.cab"
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\data1.hdr"
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\lang.dat"
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\layout.bin"
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\os.dat"
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\Setup.exe"
      source
      API Call
      relevance
      1/10
    • Drops files marked as clean
      details
      Antivirus vendors marked dropped file "Ctl3d32.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "_Setup.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "IsUninst.728" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "chlorideups.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "cusppups.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "ondynups.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "mopnetups.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "ZDataI51.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "_WUTL951.DLL" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "_ISDel.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "demoups.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "basicups.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "_isres.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "mopinstl.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"), Antivirus vendors marked dropped file "Setup.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
      source
      Extracted File
      relevance
      10/10
    • Loads rich edit control libraries
      details
      "<Input Sample>" loaded module "%WINDIR%\System32\riched32.dll" at 6AFB0000
      "<Input Sample>" loaded module "%WINDIR%\System32\riched20.dll" at 6AF30000
      source
      Loaded Module
    • Spawns new processes
      details
      Spawned process "Setup.exe" with commandline "/SMS"
      Spawned process "_INS5576._MP"
      Spawned process "_ISDel.exe" with commandline "%TEMP%\pft5EA5~tmp\_ISDEL.EXE"
      source
      Monitored Target
      relevance
      3/10
  • Installation/Persistance
    • Connects to LPC ports
      details
      "<Input Sample>" connecting to "\ThemeApiPort"
      "Setup.exe" connecting to "\ThemeApiPort"
      "_ISDel.exe" connecting to "\ThemeApiPort"
      source
      API Call
      relevance
      1/10
    • Dropped files
      details
      "Ctl3d32.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "_Setup.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "value.shl" has type "ISO-8859 text with CRLF line terminators"
      "IsUninst.728" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
      "_isenv31.ini" has type "data"
      "setup.lid" has type "ASCII text with CRLF line terminators"
      "_ISKPMG.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "chlorideups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "setup.lid" has type "ASCII text"
      "cenerups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "cusppups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "sinergyups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "setup.ins" has type "data"
      "oneacups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "_isuser.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "lang.dat" has type "Non-ISO extended-ASCII text with CRLF line terminators"
      "ondynups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "_inst32i.ex_" has type "data"
      source
      Extracted File
      relevance
      3/10
    • Touches files in the Windows directory
      details
      "<Input Sample>" touched file "%WINDIR%\AppPatch\AcGenral.DLL"
      "<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
      "<Input Sample>" touched file "%WINDIR%\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_en-us_020378a8991bbcc2\COMCTL32.dll.mui"
      "<Input Sample>" touched file "%WINDIR%\system32\en-US\MSCTF.dll.mui"
      "<Input Sample>" touched file "%WINDIR%\Fonts\staticcache.dat"
      "Setup.exe" touched file "%WINDIR%\AppPatch\AcSpecfc.DLL"
      "Setup.exe" touched file "%WINDIR%\AppPatch\AcLayers.DLL"
      "Setup.exe" touched file "%WINDIR%\AppPatch\AcGenral.DLL"
      "Setup.exe" touched file "%WINDIR%\_delis32.ini"
      source
      API Call
      relevance
      7/10
  • Network Related
    • Found potential URL in binary/memory
      details
      Heuristic match: "i[GZB>R.Bw"
      Pattern match: "http://www.installshield.com/pftw/"
      Pattern match: "http://connectivity.chloridepower.com"
      Heuristic match: "MSG_SETUPCOMPLETEOPT1= READ.ME"
      Heuristic match: "UID.NAME"
      Heuristic match: "PDU.%d.NAME"
      source
      String
      relevance
      10/10
  • System Security
  • Unusual Characteristics
    • Matched Compiler/Packer signature
      details
      "_Setup.dll" was detected as "fasm -> Tomasz Grysztar,Microsoft Visual C++ DLL"
      "IsUninst.728" was detected as "Microsoft Visual C++ .0"
      "_ISKPMG.dll" was detected as "Microsoft Visual C++ 6.0"
      "chlorideups.dll" was detected as "Microsoft Visual C++ 6.0"
      "cenerups.dll" was detected as "Microsoft Visual C++ 6.0"
      "cusppups.dll" was detected as "Microsoft Visual C++ 6.0"
      "sinergyups.dll" was detected as "Microsoft Visual C++ 6.0"
      "oneacups.dll" was detected as "Microsoft Visual C++ 6.0"
      "_isuser.dll" was detected as "Microsoft Visual C++ 6.0"
      "ondynups.dll" was detected as "Microsoft Visual C++ 6.0"
      "mopnetups.dll" was detected as "Microsoft Visual C++ 6.0"
      "edpups.dll" was detected as "Microsoft Visual C++ 6.0"
      "ZDataI51.dll" was detected as "fasm -> Tomasz Grysztar,Microsoft Visual C++ DLL"
      "silectronups.dll" was detected as "Microsoft Visual C++ 6.0"
      "_ISDel.exe" was detected as "Microsoft Visual C++ .0"
      "demoups.dll" was detected as "Microsoft Visual C++ 6.0"
      source
      Static Parser
      relevance
      10/10

File Details

All Details:

mopups-274-7537-1-intel-windows.exe


Hybrid Analysis


Analysed 4 processes in total (System Resource Monitor).


Network Analysis

DNS Requests

No relevant DNS requests were made.

HTTP Traffic

No relevant HTTP requests were made.

dwntoday crc error

Dwntoday crc error - congratulate

Incident Response

Risk Assessment

Fingerprint
Reads the active computer name

Additional Context

Related Sandbox Artifacts

Associated URLs
hxxp://connectivity.chloridepower.com/files/mopups-274-7537-1-intel-windows.exe

Indicators

Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.

  • Anti-Detection/Stealthyness
  • Anti-Reverse Engineering
  • Environment Awareness
    • Reads the active computer name
      details
      "Setup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
      "_INS5576._MP" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
      "_ISDel.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
      source
      Registry Access
      relevance
      5/10
  • General
  • Installation/Persistance
    • Drops executable files
      details
      "Ctl3d32.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "_Setup.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "IsUninst.728" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
      "_ISKPMG.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "chlorideups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "cenerups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "cusppups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "sinergyups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "oneacups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "_isuser.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "ondynups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "mopnetups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "edpups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "ZDataI51.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "silectronups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "_WUTL951.DLL" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      source
      Extracted File
      relevance
      10/10
  • Network Related
  • System Destruction
    • Marks file for deletion
      details
      "C:\mopups-274-7537-1-intel-windows.exe" marked "%TEMP%\pft5EA5.tmp" for deletion
      "%TEMP%\pft5EA5~tmp\Setup.exe" marked "%TEMP%\_INS5566._MP" for deletion
      "%TEMP%\_ISTMP1.DIR\_INS5576._MP" marked "%TEMP%\_ISTMP1.DIR\_INS0432.INI" for deletion
      "%TEMP%\_ISTMP1.DIR\_INS5576._MP" marked "%WINDIR%\_iserr31.ini" for deletion
      "%TEMP%\_ISTMP1.DIR\_INS5576._MP" marked "%WINDIR%\_isenv31.ini" for deletion
      "%TEMP%\pft5EA5~tmp\_ISDel.exe" marked "%WINDIR%\_INS33IS._MP" for deletion
      source
      API Call
      relevance
      10/10
    • Opens file with deletion access rights
      details
      "<Input Sample>" opened "%TEMP%\pft5EA5.tmp" with delete access
      "Setup.exe" opened "%TEMP%\_INS5566._MP" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_INS0432.INI" with delete access
      "_INS5576._MP" opened "%WINDIR%\_iserr31.ini" with delete access
      "_INS5576._MP" opened "%WINDIR%\_isenv31.ini" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\Corecomp.ini" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\Ctl3d32.dll" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\IsUninst.728" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\IsUninst.Exe" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\_isres.dll" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\basicups.dll" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\cenerups.dll" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\chlorideups.dll" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\cusppups.dll" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\demoups.dll" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\demoups.ini" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\edpups.dll" with delete access
      "_ISDel.exe" opened "%WINDIR%\_INS33IS._MP" with delete access
      source
      API Call
      relevance
      7/10
  • System Security
  • Unusual Characteristics
    • CRC value set in PE header does not match actual value
      details
      "_Setup.dll" claimed CRC 51039 while the actual is CRC 31494
      "_Setup.dll" claimed CRC 65581 while the actual is CRC 51039
      "IsUninst.728" claimed CRC 347409 while the actual is CRC 64594
      "_Setup.dll" claimed CRC 89282 while the actual is CRC 67814
      "_Setup.dll" claimed CRC 80470 while the actual is CRC 113816
      "_Setup.dll" claimed CRC 72541 while the actual is CRC 97507
      "_Setup.dll" claimed CRC 60083 while the actual is CRC 72541
      "_Setup.dll" claimed CRC 95602 while the actual is CRC 60083
      source
      Static Parser
      relevance
      10/10
    • Imports suspicious APIs
      details
      GetModuleFileNameW
      GetProcAddress
      GetModuleHandleA
      FindResourceW
      SetWindowsHookExW
      GetModuleFileNameA
      LoadLibraryA
      GetCommandLineA
      WriteFile
      GetStartupInfoA
      TerminateProcess
      VirtualAlloc
      RegDeleteKeyA
      RegCloseKey
      RegDeleteValueA
      RegCreateKeyExA
      RegOpenKeyA
      OpenProcessToken
      RegEnumKeyA
      GetFileAttributesA
      GetDriveTypeA
      UnhandledExceptionFilter
      GetTickCount
      GetFileSize
      CreateDirectoryA
      DeleteFileA
      FindFirstFileA
      FindNextFileA
      CreateFileA
      WinExec
      LockResource
      Sleep
      FindResourceA
      FindWindowA
      RegOpenKeyExA
      DeviceIoControl
      CreateThread
      ExitThread
      GetVersionExA
      OutputDebugStringA
      SetSecurityDescriptorDacl
      StartServiceA
      GetComputerNameA
      CreateProcessA
      ShellExecuteA
      sendto (Ordinal #20)
      accept (Ordinal #1)
      WSAStartup (Ordinal #115)
      bind (Ordinal #2)
      recv (Ordinal #16)
      socket (Ordinal #23)
      connect (Ordinal #4)
      recvfrom (Ordinal #17)
      send (Ordinal #19)
      closesocket (Ordinal #3)
      listen (Ordinal #13)
      CreateServiceA
      OpenFileMappingA
      LoadLibraryExA
      source
      Static Parser
      relevance
      1/10
    • Installs hooks/patches the running process
      details
      "Setup.exe" wrote bytes "40532a7758582b77186a2b77653c2c770000000000bffb750000000056ccfb75000000007ccafb7500000000376867756a2c2c77d62d2c7700000000206967750000000029a6fb7500000000a48d677500000000f70efb7500000000" to virtual address "0x773E1000" (part of module "NSI.DLL")
      "_INS5576._MP" wrote bytes "40532a7758582b77186a2b77653c2c770000000000bffb750000000056ccfb75000000007ccafb7500000000376867756a2c2c77d62d2c7700000000206967750000000029a6fb7500000000a48d677500000000f70efb7500000000" to virtual address "0x773E1000" (part of module "NSI.DLL")
      "_ISDel.exe" wrote bytes "40532a7758582b77186a2b77653c2c770000000000bffb750000000056ccfb75000000007ccafb7500000000376867756a2c2c77d62d2c7700000000206967750000000029a6fb7500000000a48d677500000000f70efb7500000000" to virtual address "0x773E1000" (part of module "NSI.DLL")
      source
      Hook Detection
      relevance
      10/10
    • Reads information about supported languages
      details
      "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
      "Setup.exe" (Path: "HKU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALE")
      "Setup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
      "_INS5576._MP" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
      source
      Registry Access
      relevance
      3/10
    • Timestamp in PE header is very old or in the future
      details
      "Ctl3d32.dll" claims program is from Fri Jul 14 01:46:26 1995
      "_Setup.dll" claims program is from Tue Sep 29 22:34:54 1998
      "IsUninst.728" claims program is from Sat Oct 3 00:00:47 1998
      "ZDataI51.dll" claims program is from Wed Sep 23 00:06:56 1998
      "_WUTL951.DLL" claims program is from Wed Sep 23 18:20:52 1998
      "_ISDel.exe" claims program is from Tue Oct 27 19:06:49 1998
      "_isres.dll" claims program is from Thu Oct 22 18:47:00 1998
      "Setup.exe" claims program is from Tue Jan 12 18:42:19 1999
      source
      Static Parser
      relevance
      10/10
  • Hiding 4 Suspicious Indicators
    • All indicators are available only in the private webservice or standalone version
  • Environment Awareness
    • Contains ability to query machine time
      details
      [email protected] from _INS5576._MP(PID: 2892) (Show Stream)
      [email protected] from _INS5576._MP(PID: 2892) (Show Stream)
      [email protected] from _INS5576._MP(PID: 2892) (Show Stream)
      [email protected] at 32481-901-1003ACD0
      [email protected] at 40277-1191-10033D9F
      [email protected] at 44234-1183-1003452F
      [email protected] at 48050-1175-100357EF
      [email protected] at 60605-1183-10035CCF
      source
      Hybrid Analysis Technology
      relevance
      1/10
    • Contains ability to query the machine timezone
      details
      [email protected] from _INS5576._MP(PID: 2892) (Show Stream)
      [email protected] from _INS5576._MP(PID: 2892) (Show Stream)
      [email protected] at 40277-1062-1001CB70
      [email protected] at 40277-1191-10033D9F
      [email protected] at 44234-1057-1001D30C
      [email protected] at 44234-1183-1003452F
      [email protected] at 48050-1175-100357EF
      [email protected] at 48050-1052-1001E9D2
      [email protected] at 60605-1183-10035CCF
      [email protected] at 60605-1060-1001EEB2
      source
      Hybrid Analysis Technology
      relevance
      1/10
    • Contains ability to query the machine version
    • Contains ability to query the system locale
      details
      [email protected] from Setup.exe(PID: 2664)
      [email protected] from _INS5576._MP(PID: 2892)
      [email protected] from _INS5576._MP(PID: 2892)
      [email protected] at 32481-1152-1001DE03
      [email protected] at 32481-1148-1001E1A1
      [email protected] at 32481-1147-1001E25E
      [email protected] at 32481-1149-1001E08E
      [email protected] at 40277-1041-1001A1CE
      [email protected] at 40277-1045-10019F43
      [email protected] at 40277-1040-1001A2E1
      [email protected] at 40277-1039-1001A39E
      [email protected] at 44234-1036-1001B0AE
      [email protected] at 44234-1040-1001AE23
      [email protected] at 44234-1035-1001B1C1
      [email protected] at 44234-1034-1001B27E
      [email protected] at 48050-1030-1001BE41
      [email protected] at 48050-1035-1001BAA3
      [email protected] at 48050-1031-1001BD2E
      [email protected] at 48050-1029-1001BEFE
      [email protected] at 60605-1038-1001C321
      source
      Hybrid Analysis Technology
      relevance
      1/10
    • Contains ability to query volume size
    • Makes a code branch decision directly after an API that is environment aware
      details
      Found API call [email protected] (Target: "_INS5576._MP"; Stream UID: "00025300-00002892-47749-38-00476C86")
      which is directly followed by "cmp ax, word ptr [004870F2h]" and "jne 00476CEBh". See related instructions: "...
      +23 call dword ptr [0047E2CCh] ;GetSystemTime
      +29 mov ax, word ptr [ebp-16h]
      +33 cmp ax, word ptr [004870F2h]
      +40 jne 00476CEBh" ... from _INS5576._MP(PID: 2892)
      Found API call [email protected] (Target: "_INS5576._MP"; Stream UID: "00025300-00002892-47749-308-0046CB55")
      which is directly followed by "cmp dword ptr [ebp-00000224h], 00000000h" and "jne 0046CC5Dh". See related instructions: "...
      +196 lea eax, dword ptr [ebp-00000108h]
      +202 mov dword ptr [ebp-00000330h], eax
      +208 push dword ptr [ebp+14h]
      +211 push dword ptr [ebp+10h]
      +214 push dword ptr [ebp+0Ch]
      +217 push dword ptr [ebp-00000330h]
      +223 call dword ptr [0048469Ch] ;GetDiskFreeSpaceExA
      +229 mov dword ptr [ebp-00000224h], eax
      +235 cmp dword ptr [ebp-00000224h], 00000000h
      +242 jne 0046CC5Dh" ... from _INS5576._MP(PID: 2892)
      Found API call [email protected] (Target: "_INS5576._MP"; Stream UID: "00025300-00002892-47749-641-00413F10")
      which is directly followed by "cmp dword ptr [ebp-04h], 80000000h" and "jnc 00413F57h". See related instructions: "...
      +0 push ebp
      +1 mov ebp, esp
      +3 push ecx
      +4 push ecx
      +5 and dword ptr [0048889Ch], 00000000h
      +12 and dword ptr [00488874h], 00000000h
      +19 and dword ptr [0048888Ch], 00000000h
      +26 and dword ptr [00488884h], 00000000h
      +33 call dword ptr [0047E270h] ;GetVersion
      +39 mov dword ptr [ebp-04h], eax
      +42 mov ax, word ptr [ebp-04h]
      +46 mov word ptr [ebp-08h], ax
      +50 cmp dword ptr [ebp-04h], 80000000h
      +57 jnc 00413F57h" ... from _INS5576._MP(PID: 2892)
      Found API call [email protected] (Target: "_INS5576._MP"; Stream UID: "00025300-00002892-42839-1200-0043EB35")
      which is directly followed by "cmp dword ptr [ebp+08h], 06h" and "je 0043EBF7h". See related instructions: "...
      +90 mov eax, dword ptr [00485FF8h]
      +95 mov ecx, dword ptr [ebp+08h]
      +98 mov dword ptr [eax+08h], ecx
      +101 mov eax, dword ptr [00485FF8h]
      +106 mov ecx, dword ptr [ebp-0Ch]
      +109 mov dword ptr [eax+0Ch], ecx
      +112 mov eax, dword ptr [00485FF8h]
      +117 and byte ptr [eax+00000226h], 00h
      +124 mov eax, dword ptr [00485FF8h]
      +129 mov ecx, dword ptr [ebp+0Ch]
      +132 mov dword ptr [eax], ecx
      +134 mov eax, dword ptr [00485FF8h]
      +139 and dword ptr [eax+04h], 00000000h
      +143 mov eax, dword ptr [00485FF8h]
      +148 and dword ptr [eax+18h], 00000000h
      +152 mov eax, dword ptr [00485FF8h]
      +157 and dword ptr [eax+14h], 00000000h
      +161 mov eax, dword ptr [00485FF8h]
      +166 mov dword ptr [eax+10h], 00000001h
      +173 call dword ptr [0047E270h] ;GetVersion
      +179 mov dword ptr [ebp-04h], eax
      +182 cmp dword ptr [ebp+08h], 06h
      +186 je 0043EBF7h" ... from _INS5576._MP(PID: 2892)
      Found API call [email protected] (Target: "_INS5576._MP"; Stream UID: "00025300-00002892-38233-308-0046CB55")
      which is directly followed by "cmp dword ptr [ebp-00000224h], 00000000h" and "jne 0046CC5Dh". See related instructions: "...
      +196 lea eax, dword ptr [ebp-00000108h]
      +202 mov dword ptr [ebp-00000330h], eax
      +208 push dword ptr [ebp+14h]
      +211 push dword ptr [ebp+10h]
      +214 push dword ptr [ebp+0Ch]
      +217 push dword ptr [ebp-00000330h]
      +223 call dword ptr [0048469Ch] ;GetDiskFreeSpaceExA
      +229 mov dword ptr [ebp-00000224h], eax
      +235 cmp dword ptr [ebp-00000224h], 00000000h
      +242 jne 0046CC5Dh" ... from _INS5576._MP(PID: 2892)
      Found API call [email protected] (Target: "_INS5576._MP"; Stream UID: "00025300-00002892-38233-1203-0043EB35")
      which is directly followed by "cmp dword ptr [ebp+08h], 06h" and "je 0043EBF7h". See related instructions: "...
      +90 mov eax, dword ptr [00485FF8h]
      +95 mov ecx, dword ptr [ebp+08h]
      +98 mov dword ptr [eax+08h], ecx
      +101 mov eax, dword ptr [00485FF8h]
      +106 mov ecx, dword ptr [ebp-0Ch]
      +109 mov dword ptr [eax+0Ch], ecx
      +112 mov eax, dword ptr [00485FF8h]
      +117 and byte ptr [eax+00000226h], 00h
      +124 mov eax, dword ptr [00485FF8h]
      +129 mov ecx, dword ptr [ebp+0Ch]
      +132 mov dword ptr [eax], ecx
      +134 mov eax, dword ptr [00485FF8h]
      +139 and dword ptr [eax+04h], 00000000h
      +143 mov eax, dword ptr [00485FF8h]
      +148 and dword ptr [eax+18h], 00000000h
      +152 mov eax, dword ptr [00485FF8h]
      +157 and dword ptr [eax+14h], 00000000h
      +161 mov eax, dword ptr [00485FF8h]
      +166 mov dword ptr [eax+10h], 00000001h
      +173 call dword ptr [0047E270h] ;GetVersion
      +179 mov dword ptr [ebp-04h], eax
      +182 cmp dword ptr [ebp+08h], 06h
      +186 je 0043EBF7h" ... from _INS5576._MP(PID: 2892)
      Found API call [email protected] (Target: "oneacups.dll.989022799"; Stream UID: "40277-1191-10033D9F")
      which is directly followed by "cmp ax, word ptr [1004560Ah]" and "jne 10033E04h". See related instructions: "...
      +23 call dword ptr [10039168h] ;GetSystemTime
      +29 mov ax, word ptr [ebp-16h]
      +33 cmp ax, word ptr [1004560Ah]
      +40 jne 10033E04h" ... at 40277-1191-10033D9F
      Found API call [email protected] (Target: "sinergyups.dll.819830290"; Stream UID: "44234-1183-1003452F")
      which is directly followed by "cmp ax, word ptr [1004696Ah]" and "jne 10034594h". See related instructions: "...
      +23 call dword ptr [10039168h] ;GetSystemTime
      +29 mov ax, word ptr [ebp-16h]
      +33 cmp ax, word ptr [1004696Ah]
      +40 jne 10034594h" ... at 44234-1183-1003452F
      Found API call [email protected] (Target: "cenerups.dll.738709359"; Stream UID: "48050-1175-100357EF")
      which is directly followed by "cmp ax, word ptr [10048A0Ah]" and "jne 10035854h". See related instructions: "...
      +23 call dword ptr [1003B168h] ;GetSystemTime
      +29 mov ax, word ptr [ebp-16h]
      +33 cmp ax, word ptr [10048A0Ah]
      +40 jne 10035854h" ... at 48050-1175-100357EF
      Found API call [email protected] (Target: "chlorideups.dll.660316738"; Stream UID: "60605-1183-10035CCF")
      which is directly followed by "cmp ax, word ptr [10048A7Ah]" and "jne 10035D34h". See related instructions: "...
      +23 call dword ptr [1003B168h] ;GetSystemTime
      +29 mov ax, word ptr [ebp-16h]
      +33 cmp ax, word ptr [10048A7Ah]
      +40 jne 10035D34h" ... at 60605-1183-10035CCF
      source
      Hybrid Analysis Technology
      relevance
      10/10
  • General
    • Creates a writable file in a temporary directory
      details
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\pftw1.pkg"
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\AUTORUN.INF"
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\DATA.TAG"
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\data1.cab"
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\data1.hdr"
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\lang.dat"
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\layout.bin"
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\os.dat"
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\Setup.exe"
      source
      API Call
      relevance
      1/10
    • Drops files marked as clean
      details
      Antivirus vendors marked dropped file "Ctl3d32.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "_Setup.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "IsUninst.728" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "chlorideups.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "cusppups.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "ondynups.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "mopnetups.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "ZDataI51.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "_WUTL951.DLL" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "_ISDel.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "demoups.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "basicups.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "_isres.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "mopinstl.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "Setup.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
      source
      Extracted File
      relevance
      10/10
    • Loads rich edit control libraries
      details
      "<Input Sample>" loaded module "%WINDIR%\System32\riched32.dll" at 6AFB0000
      "<Input Sample>" loaded module "%WINDIR%\System32\riched20.dll" at 6AF30000
      source
      Loaded Module
    • Spawns new processes
      details
      Spawned process "Setup.exe" with commandline "/SMS"
      Spawned process "_INS5576._MP"
      Spawned process "_ISDel.exe" with commandline "%TEMP%\pft5EA5~tmp\_ISDEL.EXE"
      source
      Monitored Target
      relevance
      3/10
  • Installation/Persistance
    • Connects to LPC ports
      details
      "<Input Sample>" connecting to "\ThemeApiPort"
      "Setup.exe" connecting to "\ThemeApiPort"
      "_ISDel.exe" connecting to "\ThemeApiPort"
      source
      API Call
      relevance
      1/10
    • Dropped files
      details
      "Ctl3d32.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "_Setup.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "value.shl" has type "ISO-8859 text with CRLF line terminators"
      "IsUninst.728" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
      "_isenv31.ini" has type "data"
      "setup.lid" has type "ASCII text with CRLF line terminators"
      "_ISKPMG.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "chlorideups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "setup.lid" has type "ASCII text"
      "cenerups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "cusppups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "sinergyups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "setup.ins" has type "data"
      "oneacups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "_isuser.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "lang.dat" has type "Non-ISO extended-ASCII text with CRLF line terminators"
      "ondynups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "_inst32i.ex_" has type "data"
      source
      Extracted File
      relevance
      3/10
    • Touches files in the Windows directory
      details
      "<Input Sample>" touched file "%WINDIR%\AppPatch\AcGenral.DLL"
      "<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
      "<Input Sample>" touched file "%WINDIR%\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_en-us_020378a8991bbcc2\COMCTL32.dll.mui"
      "<Input Sample>" touched file "%WINDIR%\system32\en-US\MSCTF.dll.mui"
      "<Input Sample>" touched file "%WINDIR%\Fonts\staticcache.dat"
      "Setup.exe" touched file "%WINDIR%\AppPatch\AcSpecfc.DLL"
      "Setup.exe" touched file "%WINDIR%\AppPatch\AcLayers.DLL"
      "Setup.exe" touched file "%WINDIR%\AppPatch\AcGenral.DLL"
      "Setup.exe" touched file "%WINDIR%\_delis32.ini"
      source
      API Call
      relevance
      7/10
  • Network Related
    • Found potential URL in binary/memory
      details
      Heuristic match: "i[GZB>R.Bw"
      Pattern match: "http://www.installshield.com/pftw/"
      Pattern match: "http://connectivity.chloridepower.com"
      Heuristic match: "MSG_SETUPCOMPLETEOPT1= READ.ME"
      Heuristic match: "UID.NAME"
      Heuristic match: "PDU.%d.NAME"
      source
      String
      relevance
      10/10
  • System Security
  • Unusual Characteristics
    • Matched Compiler/Packer signature
      details
      "_Setup.dll" was detected as "fasm -> Tomasz Grysztar,Microsoft Visual C++ DLL"
      "IsUninst.728" was detected as "Microsoft Visual C++ .0"
      "_ISKPMG.dll" was detected as "Microsoft Visual C++ 6.0"
      "chlorideups.dll" was detected as "Microsoft Visual C++ 6.0"
      "cenerups.dll" was detected as "Microsoft Visual C++ 6.0"
      "cusppups.dll" was detected as "Microsoft Visual C++ 6.0"
      "sinergyups.dll" was detected as "Microsoft Visual C++ 6.0"
      "oneacups.dll" was detected as "Microsoft Visual C++ 6.0"
      "_isuser.dll" was detected as "Microsoft Visual C++ 6.0"
      "ondynups.dll" was detected as "Microsoft Visual C++ 6.0"
      "mopnetups.dll" was detected as "Microsoft Visual C++ 6.0"
      "edpups.dll" was detected as "Microsoft Visual C++ 6.0"
      "ZDataI51.dll" was detected as "fasm -> Tomasz Grysztar,Microsoft Visual C++ DLL"
      "silectronups.dll" was detected as "Microsoft Visual C++ 6.0"
      "_ISDel.exe" was detected as "Microsoft Visual C++ .0"
      "demoups.dll" was detected as "Microsoft Visual C++ 6.0"
      source
      Static Parser
      relevance
      10/10

File Details

All Details:

mopups-274-7537-1-intel-windows.exe

Hybrid Analysis

Analysed 4 processes in total (System Resource Monitor).

Network Analysis

DNS Requests

No relevant DNS requests were made.

HTTP Traffic

No relevant HTTP requests were made.

Incident Response

Risk Assessment

Fingerprint
Reads the active computer name

Additional Context

Related Sandbox Artifacts

Associated URLs
hxxp://connectivity.chloridepower.com/files/mopups-274-7537-1-intel-windows.exe

Indicators

Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.

  • Anti-Detection/Stealthyness
  • Anti-Reverse Engineering
  • Environment Awareness
    • Reads the active computer name
      details
      "Setup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
      "_INS5576._MP" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
      "_ISDel.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
      source
      Registry Access
      relevance
      5/10
  • General
  • Installation/Persistance
    • Drops executable files
      details
      "Ctl3d32.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "_Setup.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "IsUninst.728" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
      "_ISKPMG.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "chlorideups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "cenerups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "cusppups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "sinergyups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "oneacups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "_isuser.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "ondynups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "mopnetups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "edpups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "ZDataI51.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "silectronups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "_WUTL951.DLL" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      source
      Extracted File
      relevance
      10/10
  • Network Related
  • System Destruction
    • Marks file for deletion
      details
      "C:\mopups-274-7537-1-intel-windows.exe" marked "%TEMP%\pft5EA5.tmp" for deletion
      "%TEMP%\pft5EA5~tmp\Setup.exe" marked "%TEMP%\_INS5566._MP" for deletion
      "%TEMP%\_ISTMP1.DIR\_INS5576._MP" marked "%TEMP%\_ISTMP1.DIR\_INS0432.INI" for deletion
      "%TEMP%\_ISTMP1.DIR\_INS5576._MP" marked "%WINDIR%\_iserr31.ini" for deletion
      "%TEMP%\_ISTMP1.DIR\_INS5576._MP" marked "%WINDIR%\_isenv31.ini" for deletion
      "%TEMP%\pft5EA5~tmp\_ISDel.exe" marked "%WINDIR%\_INS33IS._MP" for deletion
      source
      API Call
      relevance
      10/10
    • Opens file with deletion access rights
      details
      "<Input Sample>" opened "%TEMP%\pft5EA5.tmp" with delete access
      "Setup.exe" opened "%TEMP%\_INS5566._MP" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_INS0432.INI" with delete access
      "_INS5576._MP" opened "%WINDIR%\_iserr31.ini" with delete access
      "_INS5576._MP" opened "%WINDIR%\_isenv31.ini" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\Corecomp.ini" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\Ctl3d32.dll" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\IsUninst.728" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\IsUninst.Exe" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\_isres.dll" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\basicups.dll" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\cenerups.dll" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\chlorideups.dll" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\cusppups.dll" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\demoups.dll" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\demoups.ini" with delete access
      "_INS5576._MP" opened "%TEMP%\_ISTMP1.DIR\_ISTMP0.DIR\edpups.dll" with delete access
      "_ISDel.exe" opened "%WINDIR%\_INS33IS._MP" with delete access
      source
      API Call
      relevance
      7/10
  • System Security
  • Unusual Characteristics
    • CRC value set in PE header does not match actual value
      details
      "_Setup.dll" claimed CRC 51039 while the actual is CRC 31494
      "_Setup.dll" claimed CRC 65581 while the actual is CRC 51039
      "IsUninst.728" claimed CRC 347409 while the actual is CRC 64594
      "_Setup.dll" claimed CRC 89282 while the actual is CRC 67814
      "_Setup.dll" claimed CRC 80470 while the actual is CRC 113816
      "_Setup.dll" claimed CRC 72541 while the actual is CRC 97507
      "_Setup.dll" claimed CRC 60083 while the actual is CRC 72541
      "_Setup.dll" claimed CRC 95602 while the actual is CRC 60083
      source
      Static Parser
      relevance
      10/10
    • Imports suspicious APIs
      details
      GetModuleFileNameW
      GetProcAddress
      GetModuleHandleA
      FindResourceW
      SetWindowsHookExW
      GetModuleFileNameA
      LoadLibraryA
      GetCommandLineA
      WriteFile
      GetStartupInfoA
      TerminateProcess
      VirtualAlloc
      RegDeleteKeyA
      RegCloseKey
      RegDeleteValueA
      RegCreateKeyExA
      RegOpenKeyA
      OpenProcessToken
      RegEnumKeyA
      GetFileAttributesA
      GetDriveTypeA
      UnhandledExceptionFilter
      GetTickCount
      GetFileSize
      CreateDirectoryA
      DeleteFileA
      FindFirstFileA
      FindNextFileA
      CreateFileA
      WinExec
      LockResource
      Sleep
      FindResourceA
      FindWindowA
      RegOpenKeyExA
      DeviceIoControl
      CreateThread
      ExitThread
      GetVersionExA
      OutputDebugStringA
      SetSecurityDescriptorDacl
      StartServiceA
      GetComputerNameA
      CreateProcessA
      ShellExecuteA
      sendto (Ordinal #20)
      accept (Ordinal #1)
      WSAStartup (Ordinal #115)
      bind (Ordinal #2)
      recv (Ordinal #16)
      socket (Ordinal #23)
      connect (Ordinal #4)
      recvfrom (Ordinal #17)
      send (Ordinal #19)
      closesocket (Ordinal #3)
      listen (Ordinal #13)
      CreateServiceA
      OpenFileMappingA
      LoadLibraryExA
      source
      Static Parser
      relevance
      1/10
    • Installs hooks/patches the running process
      details
      "Setup.exe" wrote bytes "40532a7758582b77186a2b77653c2c770000000000bffb750000000056ccfb75000000007ccafb7500000000376867756a2c2c77d62d2c7700000000206967750000000029a6fb7500000000a48d677500000000f70efb7500000000" to virtual address "0x773E1000" (part of module "NSI.DLL")
      "_INS5576._MP" wrote bytes "40532a7758582b77186a2b77653c2c770000000000bffb750000000056ccfb75000000007ccafb7500000000376867756a2c2c77d62d2c7700000000206967750000000029a6fb7500000000a48d677500000000f70efb7500000000" to virtual address "0x773E1000" (part of module "NSI.DLL")
      "_ISDel.exe" wrote bytes "40532a7758582b77186a2b77653c2c770000000000bffb750000000056ccfb75000000007ccafb7500000000376867756a2c2c77d62d2c7700000000206967750000000029a6fb7500000000a48d677500000000f70efb7500000000" to virtual address "0x773E1000" (part of module "NSI.DLL")
      source
      Hook Detection
      relevance
      10/10
    • Reads information about supported languages
      details
      "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
      "Setup.exe" (Path: "HKU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALE")
      "Setup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
      "_INS5576._MP" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
      source
      Registry Access
      relevance
      3/10
    • Timestamp in PE header is very old or in the future
      details
      "Ctl3d32.dll" claims program is from Fri Jul 14 01:46:26 1995
      "_Setup.dll" claims program is from Tue Sep 29 22:34:54 1998
      "IsUninst.728" claims program is from Sat Oct 3 00:00:47 1998
      "ZDataI51.dll" claims program is from Wed Sep 23 00:06:56 1998
      "_WUTL951.DLL" claims program is from Wed Sep 23 18:20:52 1998
      "_ISDel.exe" claims program is from Tue Oct 27 19:06:49 1998
      "_isres.dll" claims program is from Thu Oct 22 18:47:00 1998
      "Setup.exe" claims program is from Tue Jan 12 18:42:19 1999
      source
      Static Parser
      relevance
      10/10
  • Hiding 4 Suspicious Indicators
    • All indicators are available only in the private webservice or standalone version
  • Environment Awareness
    • Contains ability to query machine time
      details
      [email protected] from _INS5576._MP(PID: 2892) (Show Stream)
      [email protected] from _INS5576._MP(PID: 2892) (Show Stream)
      [email protected] from _INS5576._MP(PID: 2892) (Show Stream)
      [email protected] at 32481-901-1003ACD0
      [email protected] at 40277-1191-10033D9F
      [email protected] at 44234-1183-1003452F
      [email protected] at 48050-1175-100357EF
      [email protected] at 60605-1183-10035CCF
      source
      Hybrid Analysis Technology
      relevance
      1/10
    • Contains ability to query the machine timezone
      details
      [email protected] from _INS5576._MP(PID: 2892) (Show Stream)
      [email protected] from _INS5576._MP(PID: 2892) (Show Stream)
      [email protected] at 40277-1062-1001CB70
      [email protected] at 40277-1191-10033D9F
      [email protected] at 44234-1057-1001D30C
      [email protected] at 44234-1183-1003452F
      [email protected] at 48050-1175-100357EF
      [email protected] at 48050-1052-1001E9D2
      [email protected] at 60605-1183-10035CCF
      [email protected] at 60605-1060-1001EEB2
      source
      Hybrid Analysis Technology
      relevance
      1/10
    • Contains ability to query the machine version
    • Contains ability to query the system locale
      details
      [email protected] from Setup.exe(PID: 2664) (Show Stream)
      [email protected] from _INS5576._MP(PID: 2892) (Show Stream)
      [email protected] from _INS5576._MP(PID: 2892) (Show Stream)
      [email protected] at 32481-1152-1001DE03
      [email protected] at 32481-1148-1001E1A1
      [email protected] at 32481-1147-1001E25E
      [email protected] at 32481-1149-1001E08E
      [email protected] at 40277-1041-1001A1CE
      [email protected] at 40277-1045-10019F43
      [email protected] at 40277-1040-1001A2E1
      [email protected] at 40277-1039-1001A39E
      [email protected] at 44234-1036-1001B0AE
      [email protected] at 44234-1040-1001AE23
      [email protected] at 44234-1035-1001B1C1
      [email protected] at 44234-1034-1001B27E
      [email protected] at 48050-1030-1001BE41
      [email protected]dll at 48050-1035-1001BAA3
      [email protected] at 48050-1031-1001BD2E
      [email protected] at 48050-1029-1001BEFE
      [email protected] at 60605-1038-1001C321
      source
      Hybrid Analysis Technology
      relevance
      1/10
    • Contains ability to query volume size
    • Makes a code branch decision directly after an API that is environment aware
      details
      Found API call [email protected] (Target: "_INS5576._MP"; Stream UID: "00025300-00002892-47749-38-00476C86")
      which is directly followed by "cmp ax, word ptr [004870F2h]" and "jne 00476CEBh". See related instructions: "...
      +23 call dword ptr [0047E2CCh] ;GetSystemTime
      +29 mov ax, word ptr [ebp-16h]
      +33 cmp ax, word ptr [004870F2h]
      +40 jne 00476CEBh" ... from _INS5576._MP(PID: 2892) (Show Stream)
      Found API call [email protected] (Target: "_INS5576._MP"; Stream UID: "00025300-00002892-47749-308-0046CB55")
      which is directly followed by "cmp dword ptr [ebp-00000224h], 00000000h" and "jne 0046CC5Dh". See related instructions: "...
      +196 lea eax, dword ptr [ebp-00000108h]
      +202 mov dword ptr [ebp-00000330h], eax
      +208 push dword ptr [ebp+14h]
      +211 push dword ptr [ebp+10h]
      +214 push dword ptr [ebp+0Ch]
      +217 push dword ptr [ebp-00000330h]
      +223 call dword ptr [0048469Ch] ;GetDiskFreeSpaceExA
      +229 mov dword ptr [ebp-00000224h], eax
      +235 cmp dword ptr [ebp-00000224h], 00000000h
      +242 jne 0046CC5Dh" ... from _INS5576._MP(PID: 2892) (Show Stream)
      Found API call [email protected] (Target: "_INS5576._MP"; Stream UID: "00025300-00002892-47749-641-00413F10")
      which is directly followed by "cmp dword ptr [ebp-04h], 80000000h" and "jnc 00413F57h". See related instructions: "...
      +0 push ebp
      +1 mov ebp, esp
      +3 push ecx
      +4 push ecx
      +5 and dword ptr [0048889Ch], 00000000h
      +12 and dword ptr [00488874h], 00000000h
      +19 and dword ptr [0048888Ch], 00000000h
      +26 and dword ptr [00488884h], 00000000h
      +33 call dword ptr [0047E270h] ;GetVersion
      +39 mov dword ptr [ebp-04h], eax
      +42 mov ax, word ptr [ebp-04h]
      +46 mov word ptr [ebp-08h], ax
      +50 cmp dword ptr [ebp-04h], 80000000h
      +57 jnc 00413F57h" ... from _INS5576._MP(PID: 2892) (Show Stream)
      Found API call [email protected] (Target: "_INS5576._MP"; Stream UID: "00025300-00002892-42839-1200-0043EB35")
      which is directly followed by "cmp dword ptr [ebp+08h], 06h" and "je 0043EBF7h". See related instructions: "...
      +90 mov eax, dword ptr [00485FF8h]
      +95 mov ecx, dword ptr [ebp+08h]
      +98 mov dword ptr [eax+08h], ecx
      +101 mov eax, dword ptr [00485FF8h]
      +106 mov ecx, dword ptr [ebp-0Ch]
      +109 mov dword ptr [eax+0Ch], ecx
      +112 mov eax, dword ptr [00485FF8h]
      +117 and byte ptr [eax+00000226h], 00h
      +124 mov eax, dword ptr [00485FF8h]
      +129 mov ecx, dword ptr [ebp+0Ch]
      +132 mov dword ptr [eax], ecx
      +134 mov eax, dword ptr [00485FF8h]
      +139 and dword ptr [eax+04h], 00000000h
      +143 mov eax, dword ptr [00485FF8h]
      +148 and dword ptr [eax+18h], 00000000h
      +152 mov eax, dword ptr [00485FF8h]
      +157 and dword ptr [eax+14h], 00000000h
      +161 mov eax, dword ptr [00485FF8h]
      +166 mov dword ptr [eax+10h], 00000001h
      +173 call dword ptr [0047E270h] ;GetVersion
      +179 mov dword ptr [ebp-04h], eax
      +182 cmp dword ptr [ebp+08h], 06h
      +186 je 0043EBF7h" ... from _INS5576._MP(PID: 2892) (Show Stream)
      Found API call [email protected]LBASE.DLL (Target: "_INS5576._MP"; Stream UID: "00025300-00002892-38233-308-0046CB55")
      which is directly followed by "cmp dword ptr [ebp-00000224h], 00000000h" and "jne 0046CC5Dh". See related instructions: "...
      +196 lea eax, dword ptr [ebp-00000108h]
      +202 mov dword ptr [ebp-00000330h], eax
      +208 push dword ptr [ebp+14h]
      +211 push dword ptr [ebp+10h]
      +214 push dword ptr [ebp+0Ch]
      +217 push dword ptr [ebp-00000330h]
      +223 call dword ptr [0048469Ch] ;GetDiskFreeSpaceExA
      +229 mov dword ptr [ebp-00000224h], eax
      +235 cmp dword ptr [ebp-00000224h], 00000000h
      +242 jne 0046CC5Dh" ... from _INS5576._MP(PID: 2892) (Show Stream)
      Found API call [email protected] (Target: "_INS5576._MP"; Stream UID: "00025300-00002892-38233-1203-0043EB35")
      which is directly followed by "cmp dword ptr [ebp+08h], 06h" and "je 0043EBF7h". See related instructions: "...
      +90 mov eax, dword ptr [00485FF8h]
      +95 mov ecx, dword ptr [ebp+08h]
      +98 mov dword ptr [eax+08h], ecx
      +101 mov eax, dword ptr [00485FF8h]
      +106 mov ecx, dword ptr [ebp-0Ch]
      +109 mov dword ptr [eax+0Ch], ecx
      +112 mov eax, dword ptr [00485FF8h]
      +117 and byte ptr [eax+00000226h], 00h
      +124 mov eax, dword ptr [00485FF8h]
      +129 mov ecx, dword ptr [ebp+0Ch]
      +132 mov dword ptr [eax], ecx
      +134 mov eax, dword ptr [00485FF8h]
      +139 and dword ptr [eax+04h], 00000000h
      +143 mov eax, dword ptr [00485FF8h]
      +148 and dword ptr [eax+18h], 00000000h
      +152 mov eax, dword ptr [00485FF8h]
      +157 and dword ptr [eax+14h], 00000000h
      +161 mov eax, dword ptr [00485FF8h]
      +166 mov dword ptr [eax+10h], 00000001h
      +173 call dword ptr [0047E270h] ;GetVersion
      +179 mov dword ptr [ebp-04h], eax
      +182 cmp dword ptr [ebp+08h], 06h
      +186 je 0043EBF7h" ... from _INS5576._MP(PID: 2892)
      Found API call [email protected] (Target: "oneacups.dll.989022799"; Stream UID: "40277-1191-10033D9F")
      which is directly followed by "cmp ax, word ptr [1004560Ah]" and "jne 10033E04h". See related instructions: "...
      +23 call dword ptr [10039168h] ;GetSystemTime
      +29 mov ax, word ptr [ebp-16h]
      +33 cmp ax, word ptr [1004560Ah]
      +40 jne 10033E04h" ... at 40277-1191-10033D9F
      Found API call [email protected] (Target: "sinergyups.dll.819830290"; Stream UID: "44234-1183-1003452F")
      which is directly followed by "cmp ax, word ptr [1004696Ah]" and "jne 10034594h". See related instructions: "...
      +23 call dword ptr [10039168h] ;GetSystemTime
      +29 mov ax, word ptr [ebp-16h]
      +33 cmp ax, word ptr [1004696Ah]
      +40 jne 10034594h" ... at 44234-1183-1003452F
      Found API call [email protected] (Target: "cenerups.dll.738709359"; Stream UID: "48050-1175-100357EF")
      which is directly followed by "cmp ax, word ptr [10048A0Ah]" and "jne 10035854h". See related instructions: "...
      +23 call dword ptr [1003B168h] ;GetSystemTime
      +29 mov ax, word ptr [ebp-16h]
      +33 cmp ax, word ptr [10048A0Ah]
      +40 jne 10035854h" ... at 48050-1175-100357EF
      Found API call [email protected] (Target: "chlorideups.dll.660316738"; Stream UID: "60605-1183-10035CCF")
      which is directly followed by "cmp ax, word ptr [10048A7Ah]" and "jne 10035D34h". See related instructions: "...
      +23 call dword ptr [1003B168h] ;GetSystemTime
      +29 mov ax, word ptr [ebp-16h]
      +33 cmp ax, word ptr [10048A7Ah]
      +40 jne 10035D34h" ... at 60605-1183-10035CCF
      source
      Hybrid Analysis Technology
      relevance
      10/10
  • General
    • Creates a writable file in a temporary directory
      details
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\pftw1.pkg"
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\AUTORUN.INF"
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\DATA.TAG"
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\data1.cab"
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\data1.hdr"
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\lang.dat"
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\layout.bin"
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\os.dat"
      "<Input Sample>" created file "%TEMP%\pft5EA5~tmp\Setup.exe"
      source
      API Call
      relevance
      1/10
    • Drops files marked as clean
      details
      Antivirus vendors marked dropped file "Ctl3d32.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "_Setup.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "IsUninst.728" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "chlorideups.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "cusppups.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "ondynups.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "mopnetups.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "ZDataI51.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "_WUTL951.DLL" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "_ISDel.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "demoups.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "basicups.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "_isres.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "mopinstl.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
      Antivirus vendors marked dropped file "Setup.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
      source
      Extracted File
      relevance
      10/10
    • Loads rich edit control libraries
      details
      "<Input Sample>" loaded module "%WINDIR%\System32\riched32.dll" at 6AFB0000
      "<Input Sample>" loaded module "%WINDIR%\System32\riched20.dll" at 6AF30000
      source
      Loaded Module
    • Spawns new processes
      details
      Spawned process "Setup.exe" with commandline "/SMS"
      Spawned process "_INS5576._MP"
      Spawned process "_ISDel.exe" with commandline "%TEMP%\pft5EA5~tmp\_ISDEL.EXE"
      source
      Monitored Target
      relevance
      3/10
  • Installation/Persistence
    • Connects to LPC ports
      details
      "<Input Sample>" connecting to "\ThemeApiPort"
      "Setup.exe" connecting to "\ThemeApiPort"
      "_ISDel.exe" connecting to "\ThemeApiPort"
      source
      API Call
      relevance
      1/10
    • Dropped files
      details
      "Ctl3d32.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "_Setup.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "value.shl" has type "ISO-8859 text with CRLF line terminators"
      "IsUninst.728" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
      "_isenv31.ini" has type "data"
      "setup.lid" has type "ASCII text with CRLF line terminators"
      "_ISKPMG.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "chlorideups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "setup.lid" has type "ASCII text"
      "cenerups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "cusppups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "sinergyups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "setup.ins" has type "data"
      "oneacups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "_isuser.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "lang.dat" has type "Non-ISO extended-ASCII text with CRLF line terminators"
      "ondynups.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
      "_inst32i.ex_" has type "data"
      source
      Extracted File
      relevance
      3/10
    • Touches files in the Windows directory
      details
      "<Input Sample>" touched file "%WINDIR%\AppPatch\AcGenral.DLL"
      "<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
      "<Input Sample>" touched file "%WINDIR%\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_en-us_020378a8991bbcc2\COMCTL32.dll.mui"
      "<Input Sample>" touched file "%WINDIR%\system32\en-US\MSCTF.dll.mui"
      "<Input Sample>" touched file "%WINDIR%\Fonts\staticcache.dat"
      "Setup.exe" touched file "%WINDIR%\AppPatch\AcSpecfc.DLL"
      "Setup.exe" touched file "%WINDIR%\AppPatch\AcLayers.DLL"
      "Setup.exe" touched file "%WINDIR%\AppPatch\AcGenral.DLL"
      "Setup.exe" touched file "%WINDIR%\_delis32.ini"
      source
      API Call
      relevance
      7/10
  • Network Related
    • Found potential URL in binary/memory
      details
      Heuristic match: "i[GZB>R.Bw"
      Pattern match: "http://www.installshield.com/pftw/"
      Pattern match: "http://connectivity.chloridepower.com"
      Heuristic match: "MSG_SETUPCOMPLETEOPT1= READ.ME"
      Heuristic match: "UID.NAME"
      Heuristic match: "PDU.%d.NAME"
      source
      String
      relevance
      10/10
  • System Security
  • Unusual Characteristics
    • Matched Compiler/Packer signature
      details
      "_Setup.dll" was detected as "fasm -> Tomasz Grysztar,Microsoft Visual C++ DLL"
      "IsUninst.728" was detected as "Microsoft Visual C++ .0"
      "_ISKPMG.dll" was detected as "Microsoft Visual C++ 6.0"
      "chlorideups.dll" was detected as "Microsoft Visual C++ 6.0"
      "cenerups.dll" was detected as "Microsoft Visual C++ 6.0"
      "cusppups.dll" was detected as "Microsoft Visual C++ 6.0"
      "sinergyups.dll" was detected as "Microsoft Visual C++ 6.0"
      "oneacups.dll" was detected as "Microsoft Visual C++ 6.0"
      "_isuser.dll" was detected as "Microsoft Visual C++ 6.0"
      "ondynups.dll" was detected as "Microsoft Visual C++ 6.0"
      "mopnetups.dll" was detected as "Microsoft Visual C++ 6.0"
      "edpups.dll" was detected as "Microsoft Visual C++ 6.0"
      "ZDataI51.dll" was detected as "fasm -> Tomasz Grysztar,Microsoft Visual C++ DLL"
      "silectronups.dll" was detected as "Microsoft Visual C++ 6.0"
      "_ISDel.exe" was detected as "Microsoft Visual C++ .0"
      "demoups.dll" was detected as "Microsoft Visual C++ 6.0"
      source
      Static Parser
      relevance
      10/10

File Details

All Details:

mopups-274-7537-1-intel-windows.exe


Hybrid Analysis


Analysed 4 processes in total (System Resource Monitor).


Network Analysis

DNS Requests

No relevant DNS requests were made.

HTTP Traffic

No relevant HTTP requests were made.
