Malware analysis FL2000-2.1.34054.0.exe Malicious activity

Add for printing

File name:	FL2000-2.1.34054.0.exe
Full analysis:	https://app.any.run/tasks/9cfd1a20-f2ea-43ce-a20d-a6e27ae003d1
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. Malware Trends Tracker >>>
Analysis date:	October 15, 2024, 02:12:38
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	adware advancedinstaller
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	18B0139CA76E7447BC64F9A812F4A9F2
SHA1:	4B1163AC860F88696FFB54759E8DE9A5A581F878
SHA256:	5E0590D6DCCC198B427C7C51CA5CC50448C2D4AAAE275322B1378D78058750E7
SSDEEP:	98304:iXpTTfu5m2GMGSY5A15AfzCweiY5AbGs8i9m6X85yjQO68WjShMfaWNppfIyi7aA:CXTveVHGuyM3+hMfaWXpG7aJiVVCM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 60 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- ADVANCEDINSTALLER has been detected (SURICATA)
  - FL2000-2.1.34054.0.exe (PID: 3276)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - FL2000-2.1.34054.0.exe (PID: 3276)
- Process drops legitimate windows executable
  - FL2000-2.1.34054.0.exe (PID: 3276)
  - msiexec.exe (PID: 6848)
  - drvinst.exe (PID: 7940)
- Executable content was dropped or overwritten
  - FL2000-2.1.34054.0.exe (PID: 3276)
  - drvinst.exe (PID: 7940)
- Access to an unwanted program domain was detected
  - FL2000-2.1.34054.0.exe (PID: 3276)
- Drops a system driver (possible attempt to evade defenses)
  - msiexec.exe (PID: 6848)
  - drvinst.exe (PID: 7940)
- Start notepad (likely ransomware note)
  - msiexec.exe (PID: 6860)
- Executes as Windows Service
  - VSSVC.exe (PID: 6996)
INFO
- Checks supported languages
  - FL2000-2.1.34054.0.exe (PID: 3276)
  - msiexec.exe (PID: 6848)
  - msiexec.exe (PID: 6860)
- Reads the computer name
  - FL2000-2.1.34054.0.exe (PID: 3276)
  - msiexec.exe (PID: 6860)
  - msiexec.exe (PID: 6848)
- Checks proxy server information
  - FL2000-2.1.34054.0.exe (PID: 3276)
  - msiexec.exe (PID: 3848)
- Create files in a temporary directory
  - FL2000-2.1.34054.0.exe (PID: 3276)
  - msiexec.exe (PID: 3848)
- Reads Environment values
  - FL2000-2.1.34054.0.exe (PID: 3276)
  - msiexec.exe (PID: 6860)
- Reads security settings of Internet Explorer
  - msiexec.exe (PID: 3848)
- Creates files or folders in the user directory
  - FL2000-2.1.34054.0.exe (PID: 3276)
  - msiexec.exe (PID: 3848)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 3848)
  - msiexec.exe (PID: 6848)
- Application launched itself
  - msiexec.exe (PID: 6848)
- Manages system restore points
  - SrTasks.exe (PID: 7612)
- Reads the software policy settings
  - msiexec.exe (PID: 3848)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2016:07:14 15:02:43+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14
CodeSize:	300544
InitializedDataSize:	144384
UninitializedDataSize:	-
EntryPoint:	0x3251d
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	2.1.34054.0
ProductVersionNumber:	2.1.34054.0
FileFlagsMask:	0x003f
FileFlags:	Debug
FileOS:	Win32
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Fresco Logic
FileDescription:	This installer database contains the logic and data required to install Fresco Logic USB Display Driver.
FileVersion:	2.1.34054.0
InternalName:	FL2000-2.1.34054.0
LegalCopyright:	Copyright (C) 2017 Fresco Logic
OriginalFileName:	FL2000-2.1.34054.0.exe
ProductName:	Fresco Logic USB Display Driver
ProductVersion:	2.1.34054.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

151

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1764

"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\MSI8ccce.LOG

C:\Windows\SysWOW64\notepad.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Notepad

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\win32u.dll

3004

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

3276

"C:\Users\admin\AppData\Local\Temp\FL2000-2.1.34054.0.exe"

C:\Users\admin\AppData\Local\Temp\FL2000-2.1.34054.0.exe

explorer.exe

User:

admin

Company:

Fresco Logic

Integrity Level:

HIGH

Description:

This installer database contains the logic and data required to install Fresco Logic USB Display Driver.

Exit code:

1603

Version:

2.1.34054.0

Modules

Images
c:\users\admin\appdata\local\temp\fl2000-2.1.34054.0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll

3848

/i "C:\Users\admin\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\FL2000.x64.msi" AI_SETUPEXEPATH="C:\Users\admin\AppData\Local\Temp\FL2000-2.1.34054.0.exe" SETUPEXEDIR="C:\Users\admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "

C:\Windows\System32\msiexec.exe

FL2000-2.1.34054.0.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows® installer

Exit code:

1603

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

5328

"C:\Users\admin\AppData\Local\Temp\FL2000-2.1.34054.0.exe"

C:\Users\admin\AppData\Local\Temp\FL2000-2.1.34054.0.exe

—

explorer.exe

User:

admin

Company:

Fresco Logic

Integrity Level:

MEDIUM

Description:

This installer database contains the logic and data required to install Fresco Logic USB Display Driver.

Exit code:

3221226540

Version:

2.1.34054.0

Modules

Images
c:\users\admin\appdata\local\temp\fl2000-2.1.34054.0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

6280

"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent

C:\Windows\System32\slui.exe

SppExtComObj.Exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

6848

C:\WINDOWS\system32\msiexec.exe /V

C:\Windows\System32\msiexec.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows® installer

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

6860

C:\Windows\syswow64\MsiExec.exe -Embedding E85AB14685657784C7B1B6EA4C6EAEBD C

C:\Windows\SysWOW64\msiexec.exe

—

msiexec.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows® installer

Exit code:

Version:

5.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

6996

C:\WINDOWS\system32\vssvc.exe

C:\Windows\System32\VSSVC.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Microsoft® Volume Shadow Copy Service

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

7240

C:\WINDOWS\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\SppExtComObj.Exe

—

svchost.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

KMS Connection Broker

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll

Add for printing

Total events

17 645

Read events

17 344

Write events

217

Delete events

Modification events


(PID) Process:	(3276) FL2000-2.1.34054.0.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Caphyon\Setups
Operation:	write	Name:	Advinst_33F2BA97D9B641EC8F11D6656BF35545
Value: C:\Users\admin\AppData\Local\Temp\FL2000-2.1.34054.0.exe
(PID) Process:	(6848) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 4800000000000000335EACBFA71EDB01C01A000054120000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6848) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Enter)
Value: 480000000000000073C1AEBFA71EDB01C01A000054120000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6848) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Leave)
Value: 4800000000000000BCDEF3BFA71EDB01C01A000054120000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6848) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Enter)
Value: 4800000000000000BCDEF3BFA71EDB01C01A000054120000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6848) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Leave)
Value: 48000000000000004CA8F8BFA71EDB01C01A000054120000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6848) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppCreate (Enter)
Value: 4800000000000000E5D7FFBFA71EDB01C01A000054120000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6848) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation:	write	Name:	LastIndex
Value: 11
(PID) Process:	(6848) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGatherWriterMetadata (Enter)
Value: 48000000000000007F7179C0A71EDB01C01A000054120000D30700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(6848) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Operation:	write	Name:	IDENTIFY (Enter)
Value: 4800000000000000BCD67BC0A71EDB01C01A0000B4030000E8030000010000000000000000000000CB933254923AF142881D8BF28DE998B100000000000000000000000000000000

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3276	FL2000-2.1.34054.0.exe	C:\Users\admin\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\holder0.aiph		—
		MD5:—	SHA256:—
3276	FL2000-2.1.34054.0.exe	C:\Users\admin\AppData\Roaming\Fresco Logic\Fresco Logic USB Display Driver 2.1.34054.0\install\FL2000.msi		executable
		MD5:5916F5514CC847ACB97D317027C31D87	SHA256:18001F8E8FF7428DFE7540FBADBDADC5D4DB4AAA0F0797B4BFA245148FE56253
3276	FL2000-2.1.34054.0.exe	C:\Users\admin\AppData\Local\Temp\updC54D.tmp		text
		MD5:54AB87D570346F70EAE42ABAC0CEE76B	SHA256:7FBD8678415BF9F7A462A290F74FA32B148FE05C54B73F9C6FB01B38D919C690
3276	FL2000-2.1.34054.0.exe	C:\Users\admin\AppData\Local\Temp\shiCADC.tmp		executable
		MD5:CE85F5D941EBCA72DA2A55835B303EB9	SHA256:6CF60B8101CBB475F3803E18617172CC180AFA4BC0CA8CA261C2AB6ED1C93EA1
3848	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F		binary
		MD5:FB38B82F2174FE47E28DEB2D19E374AF	SHA256:432837CED5C4CBF67A9688378E9249A67DC862CC9031810B458848FA163F95F4
6848	msiexec.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
3848	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D266D9E1E69FA1EEFB9699B009B34C8_0A9BFDD75B598C2110CBF610C078E6E6		binary
		MD5:B11FFF8EBE21A7A3E8E7C3B4FDF9B5A1	SHA256:8518DD3D48725B1ED31CCC89E3AB55105AEBCC8DF0292C3E9775B5EEEC2D1086
3848	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9A19ADAD9D098E039450ABBEDD5616EB_F6A0C6C61B9F933FB38C16FB572DDFC8		binary
		MD5:FA29A06FA9025FBC4C85148823053D11	SHA256:56A68CA53BA1F02ED45F1B7F98FA6E1816AF8CAAFEA08506C0475D8C12295945
3848	msiexec.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9A19ADAD9D098E039450ABBEDD5616EB_F6A0C6C61B9F933FB38C16FB572DDFC8		binary
		MD5:5BFA51F3A417B98E7443ECA90FC94703	SHA256:BEBE2853A3485D1C2E5C5BE4249183E0DDAFF9F87DE71652371700A89D937128
3848	msiexec.exe	C:\Users\admin\AppData\Local\Temp\MSID134.tmp		executable
		MD5:3056644ACE6294C801A8010E99888525	SHA256:77ABFF1B7322ECA3DD35CBADF268D06C9EF920CF923EE3A77E97EDD050C28A1B

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3848	msiexec.exe	GET	200	152.199.19.74:80	http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D	unknown	—	—	whitelisted
3848	msiexec.exe	GET	200	152.199.19.74:80	http://sf.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEAubDR3UJcBFCIVoVo4J2lY%3D	unknown	—	—	whitelisted
3848	msiexec.exe	GET	200	152.199.19.74:80	http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c%3D	unknown	—	—	whitelisted
3848	msiexec.exe	GET	200	152.199.19.74:80	http://sf.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo%2FX8AUm7%2BPSp50CEAubDR3UJcBFCIVoVo4J2lY%3D	unknown	—	—	whitelisted
3848	msiexec.exe	GET	200	192.229.221.95:80	http://crl.verisign.com/pca3-g5.crl	unknown	—	—	whitelisted
4700	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
4360	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
7304	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7304	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
3848	msiexec.exe	GET	200	192.229.221.95:80	http://sf.symcb.com/sf.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5640	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5488	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6944	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3276	FL2000-2.1.34054.0.exe	172.217.16.196:80	www.google.com	GOOGLE	US	whitelisted
3276	FL2000-2.1.34054.0.exe	52.218.205.43:80	updates.frescologic.com	AMAZON-02	US	shared
3848	msiexec.exe	152.199.19.74:80	ocsp.verisign.com	EDGECAST	US	whitelisted
3848	msiexec.exe	192.229.221.95:80	crl.verisign.com	EDGECAST	US	whitelisted
6944	svchost.exe	23.216.77.6:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.104.136.2 4.231.128.59	whitelisted
google.com	216.58.212.174	whitelisted
www.google.com	172.217.16.196	whitelisted
updates.frescologic.com	52.218.205.43 52.92.211.193 52.92.146.65 52.92.196.113 52.92.209.105 52.218.217.123 52.92.177.217 52.218.185.51	shared
ocsp.verisign.com	152.199.19.74	whitelisted
crl.verisign.com	192.229.221.95	whitelisted
sf.symcd.com	152.199.19.74	whitelisted
sf.symcb.com	192.229.221.95	whitelisted
crl.microsoft.com	23.216.77.6 23.216.77.28	whitelisted
www.microsoft.com	2.18.97.123 95.101.149.131	whitelisted

Threats

Found threats are available for the paid subscriptions

3 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

FL2000-2.1.34054.0.exe

18B0139CA76E7447BC64F9A812F4A9F2

4B1163AC860F88696FFB54759E8DE9A5A581F878

5E0590D6DCCC198B427C7C51CA5CC50448C2D4AAAE275322B1378D78058750E7

98304:iXpTTfu5m2GMGSY5A15AfzCweiY5AbGs8i9m6X85yjQO68WjShMfaWNppfIyi7aA:CXTveVHGuyM3+hMfaWXpG7aJiVVCM

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

ADVANCEDINSTALLER has been detected (SURICATA)

SUSPICIOUS

Reads security settings of Internet Explorer

Process drops legitimate windows executable

Executable content was dropped or overwritten

Access to an unwanted program domain was detected

Drops a system driver (possible attempt to evade defenses)

Start notepad (likely ransomware note)

Executes as Windows Service

INFO

Checks supported languages

Reads the computer name

Checks proxy server information

Create files in a temporary directory

Reads Environment values

Reads security settings of Internet Explorer

Creates files or folders in the user directory

Executable content was dropped or overwritten

Application launched itself

Manages system restore points

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings