General Info

File name

HALION.EXE

Full analysis
https://app.any.run/tasks/fdbe8de4-742a-4a0f-a314-fe5b856f497f
Verdict
Malicious activity
Analysis date
7/17/2019, 23:12:47
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

installer

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

13231dac6ef500bbb8fcba48c5dfd94a

SHA1

33648e19739d732706df26bebb4096e521a5f570

SHA256

5f1584932dc410cd94daefd6de5001ae3b942dcbdae869b1eb38d6ef061bd666

SSDEEP

98304:tyqUHTUy3Z3B1hxPq39AenaZUKlvcEox1:t1KUyZhxPWAeaO9r

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Malicious

No malicious indicators.

Suspicious

Removes files from Windows directory
  • HALION.EXE (PID: 3960)
Creates files in the program directory
  • HALION.EXE (PID: 3960)
Creates files in the Windows directory
  • HALION.EXE (PID: 3960)
Executable content was dropped or overwritten
  • HALION.EXE (PID: 3960)
Creates a software uninstall entry
  • HALION.EXE (PID: 3960)

Info

No info indicators.

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

Static information

TRiD
.exe
|   Wise Installer executable (96.9%)
.dll
|   Win32 Dynamic Link Library (generic) (1.3%)
.exe
|   Win32 Executable (generic) (0.9%)
.exe
|   Generic Win/DOS Executable (0.4%)
.exe
|   DOS Executable Generic (0.4%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2000:04:25 16:37:12+02:00
PEType:
PE32
LinkerVersion:
6
CodeSize:
8704
InitializedDataSize:
5632
UninitializedDataSize:
null
EntryPoint:
0x21af
OSVersion:
4
ImageVersion:
4.1423
SubsystemVersion:
4
Subsystem:
Windows GUI
FileVersionNumber:
1.0.0.0
ProductVersionNumber:
1.0.0.0
FileFlagsMask:
0x003f
FileFlags:
(none)
FileOS:
Windows 16-bit
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
English (U.S.)
CharacterSet:
Windows, Latin1
CompanyName:
Team
FileDescription:
HALion Installation
FileVersion:
null
LegalCopyright:
Team

Screenshots

Processes

Total processes
36
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

start → halion.exe (PID 3688, no specs) → halion.exe (PID 3960)

Process information


PID
3688
CMD
"C:\Users\admin\AppData\Local\Temp\HALION.EXE"
Path
C:\Users\admin\AppData\Local\Temp\HALION.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this medium-integrity instance requested elevation and exited; with autoconfirmation of UAC on, the installer was relaunched as PID 3960 at HIGH integrity)
Version
Company: ––
Description: ––
Version: ––
Modules
Image
c:\users\admin\appdata\local\temp\halion.exe
c:\systemroot\system32\ntdll.dll

PID
3960
CMD
"C:\Users\admin\AppData\Local\Temp\HALION.EXE"
Path
C:\Users\admin\AppData\Local\Temp\HALION.EXE
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Version
Company: ––
Description: ––
Version: ––
Modules
Image
c:\users\admin\appdata\local\temp\halion.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\users\admin\appdata\local\temp\glcf07c.tmp
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\users\admin\appdata\local\temp\glkf08d.tmp
c:\windows\system32\riched32.dll
c:\windows\system32\riched20.dll
c:\progra~1\steinb~1\vstplu~1\halion\unwise.exe

Registry activity

Total events
2
Read events
0
Write events
2
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
3960
HALION.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HALion v1.0 VSTi
DisplayName
HALion v1.0 VSTi
3960
HALION.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HALion v1.0 VSTi
UninstallString
C:\PROGRA~1\STEINB~1\VSTPLU~1\Halion\UNWISE.EXE C:\PROGRA~1\STEINB~1\VSTPLU~1\Halion\HALion.log

Files activity

Executable files
4
Suspicious files
5
Text files
0
Unknown types
5

Dropped files

PID
Process
Filename
Type
3960
HALION.EXE
C:\Users\admin\AppData\Local\Temp\GLCF07C.tmp
executable
MD5: 625214a1c57538359244dab9fac4636f
SHA256: 810bba54c92479bb47574bc214911bf310f0e98800bc33cdeff35a5e13c82ac9
3960
HALION.EXE
C:\Users\admin\AppData\Local\Temp\GLFFC48.tmp
executable
MD5: b9b41e50d612e00bf3a49a6405b89d74
SHA256: 50e7a30e1825fab93b94b698c2c6d2cc1787b094c6cee53eeed5c497f77443c9
3960
HALION.EXE
C:\Users\admin\AppData\Local\Temp\GLKF08D.tmp
executable
MD5: 7d179e580725090268424a536d021e9c
SHA256: 9a06ea098987dad25f1a255d8881a20ade5177c037b656a5c4aa8b51424d283b
3960
HALION.EXE
C:\Program Files\Steinberg\VstPlugins\Halion\UNWISE.EXE
executable
MD5: 1899dc30c0ce297c4e85dc5455510d8b
SHA256: 683f5c71e2a3dab5e3c492398f59dff697493fe438bd2a4a23d8cf72ea333f20
3960
HALION.EXE
C:\Program Files\Steinberg\VstPlugins\Halion\Demo Material\Ueberschall\Drumskills Samples\Images\jane98,3.wav.peak
binary
MD5: 46c307dfc8c8048e60513b60eb3e5b47
SHA256: dbb416aa164c07b6fb3ab5377bac98671bc0d51646e64bf391e56fe136fde72a
3960
HALION.EXE
C:\Program Files\Steinberg\VstPlugins\Halion\Demo Material\Ueberschall\Drumskills Samples\Images\slyness59,9.wav.peak
binary
MD5: e4bb6c3720ae4942353db8f3595be0d1
SHA256: 2cd6019b9d8856205b345c4f0e9bb3fb64e03d39d0f9b71147e8e0f285f656cc
3960
HALION.EXE
C:\Program Files\Steinberg\VstPlugins\Halion\Demo Material\Ueberschall\Drumskills Samples\Images\~GLH0009.TMP
––
MD5:  ––
SHA256:  ––
3960
HALION.EXE
C:\Program Files\Steinberg\VstPlugins\Halion\Demo Material\Ueberschall\Drumskills Samples\Images\~GLH0008.TMP
––
MD5:  ––
SHA256:  ––
3960
HALION.EXE
C:\Program Files\Steinberg\VstPlugins\Halion\Demo Material\Ueberschall\Drumskills Samples\Images\break_it.wav.peak
binary
MD5: f1f02b634ce4f7c80ebe0395dda48ef3
SHA256: 2b162f3181bea619cdf890ca1b8b8522a37b2b0da946256561e1a40092b30371
3960
HALION.EXE
C:\Program Files\Steinberg\VstPlugins\Halion\Demo Material\Ueberschall\Drumskills Samples\Images\~GLH0007.TMP
––
MD5:  ––
SHA256:  ––
3960
HALION.EXE
C:\Program Files\Steinberg\VstPlugins\Halion\Demo Material\Ueberschall\Drumskills Samples\jane98,3.wav
wav
MD5: 6035c9f1f50ed3bda82f3cedd4a73fb1
SHA256: e68b0e9a19deedb7d9d4b150b25873db9e207be54805ac602f6ac1f8e246e90f
3960
HALION.EXE
C:\Program Files\Steinberg\VstPlugins\Halion\Demo Material\Ueberschall\Drumskills Samples\~GLH0006.TMP
––
MD5:  ––
SHA256:  ––
3960
HALION.EXE
C:\Program Files\Steinberg\VstPlugins\Halion\Demo Material\Ueberschall\Drumskills Samples\slyness59,9.wav
wav
MD5: 6a48306a34a3b17a6b34d232f66391b4
SHA256: dd1fa9dfc0bc83fd593e5ffd6eac6b6e886c80964b4f75abda3b84e4e79565e8
3960
HALION.EXE
C:\Program Files\Steinberg\VstPlugins\Halion\Demo Material\Ueberschall\Drumskills Samples\~GLH0005.TMP
––
MD5:  ––
SHA256:  ––
3960
HALION.EXE
C:\Program Files\Steinberg\VstPlugins\Halion\Demo Material\Ueberschall\Drumskills Samples\stop_it129,8.wav
wav
MD5: 4ca8b48517a2d2554012ca720ec416e5
SHA256: a9b3d03a7c0d5856097a5b9aef1c38a2c48d4cb01af1208776b1bab1183cf9e6
3960
HALION.EXE
C:\Program Files\Steinberg\VstPlugins\Halion\Demo Material\Ueberschall\Drumskills Samples\~GLH0004.TMP
––
MD5:  ––
SHA256:  ––
3960
HALION.EXE
C:\Program Files\Steinberg\VstPlugins\Halion\Demo Material\Ueberschall\Drumskills Samples\smooth_op54,5.wav
wav
MD5: 5fe31055899a4c583e8c0f9f1f6e9c5a
SHA256: c0b97548f5fc554f1553f4f98832e8763ae2c1b65314ffa0bb3e84cf78c24258
3960
HALION.EXE
C:\Program Files\Steinberg\VstPlugins\Halion\Demo Material\Ueberschall\Drumskills Samples\~GLH0003.TMP
––
MD5:  ––
SHA256:  ––
3960
HALION.EXE
C:\Program Files\Steinberg\VstPlugins\Halion\Demo Material\Ueberschall\Drumskills Demo.fxp
fxb
MD5: 2aa37acc095646e2efd0af23a931b984
SHA256: 8452b83ed4b3ceacb16a9522a8e0913106bc3d8e790c1cfa5b72bfd2169e3c46
3960
HALION.EXE
C:\Program Files\Steinberg\VstPlugins\Halion\Demo Material\Ueberschall\~GLH0002.TMP
––
MD5:  ––
SHA256:  ––
3960
HALION.EXE
C:\Program Files\Steinberg\VstPlugins\Halion\Demo Material\Ueberschall\Drumskills Samples\Images\stop_it129,8.wav.peak
binary
MD5: 1e575a5a0174a17589ea00ae4fbcf672
SHA256: 35363430c1411477dfe415984773dc9074e7d7df0f0f64efabee4e4fec8845ce
3960
HALION.EXE
C:\Program Files\Steinberg\VstPlugins\Halion\~GLH0001.TMP
––
MD5:  ––
SHA256:  ––
3960
HALION.EXE
C:\Program Files\Steinberg\VstPlugins\Halion\Demo Material\Ueberschall\Drumskills Samples\Images\~GLH000b.TMP
––
MD5:  ––
SHA256:  ––
3960
HALION.EXE
C:\Users\admin\AppData\Local\Temp\~GLH0000.TMP
––
MD5:  ––
SHA256:  ––
3960
HALION.EXE
C:\Program Files\Steinberg\VstPlugins\Halion\Demo Material\Ueberschall\Drumskills Samples\Images\~GLH000a.TMP
––
MD5:  ––
SHA256:  ––
3960
HALION.EXE
C:\Program Files\Steinberg\VstPlugins\Halion\Demo Material\Ueberschall\Drumskills Samples\Images\smooth_op54,5.wav.peak
binary
MD5: c2ace43713ec05946b9a4cfd0976dfed
SHA256: 3099bdb84df123f9ee179a9bcf58ea611b5636c94644679235c826c4d901ec0b
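The process and dropped-file tables above can be triaged mechanically. The following script is an added example, not part of the ANY.RUN report: it decodes the decimal exit code of PID 3688 into its NTSTATUS fields, pairs it with the HIGH-integrity relaunch (PID 3960) to flag a UAC elevation, and buckets the dropped files into executables in %TEMP%, executables under Program Files, hash-less installer scratch files and plain data. The PROCESSES and DROPPED records are transcribed from this report (DROPPED is a subset of the table); the KNOWN_NTSTATUS table is a hand-picked subset of documented Windows status codes, and the bucket names are this example's own.

```python
"""Triage helpers for a flattened sandbox report (example code, not ANY.RUN's)."""

# Process records as shown under "Process information" (transcribed from the report).
PROCESSES = [
    {"pid": 3688, "cmd": r'"C:\Users\admin\AppData\Local\Temp\HALION.EXE"',
     "integrity": "MEDIUM", "exit_code": 3221226540},
    {"pid": 3960, "cmd": r'"C:\Users\admin\AppData\Local\Temp\HALION.EXE"',
     "integrity": "HIGH", "exit_code": None},   # no exit code reported: still running at task end
]

# Subset of the "Dropped files" table: (pid, path, type, md5); None where the report shows "––".
DROPPED = [
    (3960, r"C:\Users\admin\AppData\Local\Temp\GLCF07C.tmp", "executable", "625214a1c57538359244dab9fac4636f"),
    (3960, r"C:\Users\admin\AppData\Local\Temp\GLFFC48.tmp", "executable", "b9b41e50d612e00bf3a49a6405b89d74"),
    (3960, r"C:\Users\admin\AppData\Local\Temp\GLKF08D.tmp", "executable", "7d179e580725090268424a536d021e9c"),
    (3960, r"C:\Program Files\Steinberg\VstPlugins\Halion\UNWISE.EXE", "executable", "1899dc30c0ce297c4e85dc5455510d8b"),
    (3960, r"C:\Program Files\Steinberg\VstPlugins\Halion\~GLH0001.TMP", None, None),
    (3960, r"C:\Users\admin\AppData\Local\Temp\~GLH0000.TMP", None, None),
    (3960, r"C:\Program Files\Steinberg\VstPlugins\Halion\Demo Material\Ueberschall\~GLH0002.TMP", None, None),
    (3960, r"C:\Program Files\Steinberg\VstPlugins\Halion\Demo Material\Ueberschall\Drumskills Samples\jane98,3.wav", "wav", "6035c9f1f50ed3bda82f3cedd4a73fb1"),
    (3960, r"C:\Program Files\Steinberg\VstPlugins\Halion\Demo Material\Ueberschall\Drumskills Samples\Images\jane98,3.wav.peak", "binary", "46c307dfc8c8048e60513b60eb3e5b47"),
    (3960, r"C:\Program Files\Steinberg\VstPlugins\Halion\Demo Material\Ueberschall\Drumskills Demo.fxp", "fxb", "2aa37acc095646e2efd0af23a931b984"),
]

# Documented NTSTATUS values (hand-picked subset); 0xC000042C is the one this report shows.
KNOWN_NTSTATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000135: "STATUS_DLL_NOT_FOUND",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
}
SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}
INTEGRITY_RANK = {"UNTRUSTED": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "SYSTEM": 4}


def decode_ntstatus(code):
    """Split a decimal exit code into NTSTATUS fields: Sev(2) C(1) N(1) Facility(12) Code(16)."""
    code &= 0xFFFFFFFF
    return {
        "hex": f"0x{code:08X}",
        "severity": SEVERITY[code >> 30],
        "customer": bool((code >> 29) & 1),
        "facility": (code >> 16) & 0xFFF,
        "code": code & 0xFFFF,
        "name": KNOWN_NTSTATUS.get(code, "UNKNOWN"),
    }


def find_elevations(processes):
    """Pair a process that exited with STATUS_ELEVATION_REQUIRED with a relaunch of the
    same command line at a higher integrity level, i.e. a UAC elevation."""
    pairs = []
    for low in processes:
        if low["exit_code"] is None:
            continue
        if decode_ntstatus(low["exit_code"])["name"] != "STATUS_ELEVATION_REQUIRED":
            continue
        for high in processes:
            if high is low or high["cmd"] != low["cmd"]:
                continue
            if INTEGRITY_RANK[high["integrity"]] > INTEGRITY_RANK[low["integrity"]]:
                pairs.append((low["pid"], high["pid"]))
    return pairs


def classify_drop(path, ftype):
    """Bucket a dropped file by where it landed and what the sandbox typed it as."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    in_temp = "\\appdata\\local\\temp\\" in p
    in_program_files = p.startswith("c:\\program files\\")
    if ftype == "executable":
        if in_temp:
            return "exec_in_temp"
        return "exec_in_program_files" if in_program_files else "exec_other"
    if ftype is None and name.startswith("~") and name.endswith(".tmp"):
        return "tmp_scratch"          # installer scratch files with no hash recorded
    return "data"


def triage_drops(rows):
    """Return per-bucket counts and the (path, md5) list of executables worth a closer look."""
    summary, executables = {}, []
    for _pid, path, ftype, md5 in rows:
        kind = classify_drop(path, ftype)
        summary[kind] = summary.get(kind, 0) + 1
        if kind.startswith("exec"):
            executables.append((path, md5))
    return summary, executables


if __name__ == "__main__":
    for low, high in find_elevations(PROCESSES):
        print(f"PID {low} exited STATUS_ELEVATION_REQUIRED; PID {high} is the elevated relaunch")
    summary, executables = triage_drops(DROPPED)
    print(summary)
    for path, md5 in executables:
        print(f"executable dropped: {path} md5={md5}")
```

The elevation check is what turns two otherwise identical process rows into a finding: the same command line, one instance dying with 0xC000042C and another appearing at HIGH integrity, is the signature of a UAC prompt that the sandbox auto-confirmed. The three executables written to %TEMP% with .tmp extensions are the ones to hash and inspect first, since a legitimate installer unpacking helpers and a dropper staging payloads look identical at this level of the report.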

Find more information on the static content, and download it, in the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

No network activity.

Debug output strings

No debug info.