Malware analysis multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled.exe Malicious activity

Add for printing

File name:	multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled.exe
Full analysis:	https://app.any.run/tasks/19f2ba43-65ad-4f93-b933-0caddf066f89
Verdict:	Malicious activity
Analysis date:	April 18, 2018, 07:31:41
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	87482220000A2DEAA0FE79A573534DEC
SHA1:	7536168B5E95781FC693B8729865C5E7DF931278
SHA256:	A7496DF0C5D13DB9B2AAC7EA48749DE0E24734F49F7291A9D59CFD3E652B8848
SSDEEP:	393216:nwMYHKe7CkP4KcLelvEWARoAezyYTWARZx:eW+4KcLelvEWtXHTW+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:

Software preset

Internet Explorer 8.0.7601.17514 undefined
7-Zip 16.04 (16.04)
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 26 ActiveX (26.0.0.137)
CCleaner (5.35)
FileZilla Client 3.31.0 (3.31.0)
Google Chrome (61.0.3163.100)
Google Update Helper (1.3.33.5)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Home and Business 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2005 Redistributable (8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.12.25810 (14.12.25810.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.12.25810 (14.12.25810)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.12.25810 (14.12.25810)
Mozilla Firefox 55.0.3 (x86 en-US) (55.0.3)
Mozilla Maintenance Service (55.0.3)
Notepad++ (32-bit x86) (7.5.4)
Opera 12.15 (12.15.1748)
Skype™ 7.39 (7.39.102)
VLC media player (2.2.6)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition
WinMan WinIP Package TopLevel

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - dcmdev32.exe (PID: 696)
  - dcmdev32.exe (PID: 2996)
  - hapint.exe (PID: 1404)
  - cctk.exe (PID: 2852)
  - dcmdev32.exe (PID: 4048)
  - hapint.exe (PID: 3196)
  - dchcfg32.exe (PID: 1828)
- Application loaded dropped or rewritten executable
  - dchcfg32.exe (PID: 1828)
  - cctk.exe (PID: 2852)
SUSPICIOUS
- Starts CMD.EXE for commands execution
  - multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled.exe (PID: 2796)
- Creates files in the Windows directory
  - dcmdev32.exe (PID: 2996)
  - DrvInst.exe (PID: 2944)
  - DrvInst.exe (PID: 2752)
  - hapint.exe (PID: 1404)
- Creates files in the program directory
  - multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled.exe (PID: 2796)
  - cctk.exe (PID: 2852)
- Creates files in the driver directory
  - DrvInst.exe (PID: 2944)
  - DrvInst.exe (PID: 2752)
- Removes files from Windows directory
  - DrvInst.exe (PID: 2944)
  - DrvInst.exe (PID: 2752)
  - hapint.exe (PID: 3196)
- Application launched itself
  - taskmgr.exe (PID: 3288)
INFO
- Dropped object may contain URL's
  - dcmdev32.exe (PID: 2996)
  - DrvInst.exe (PID: 2944)
  - DrvInst.exe (PID: 2752)
  - hapint.exe (PID: 1404)
  - multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled.exe (PID: 2796)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2013:06:11 09:11:18+02:00
PEType:	PE32
LinkerVersion:	10
CodeSize:	4475904
InitializedDataSize:	1582080
UninitializedDataSize:	-
EntryPoint:	0x307062
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	3.0.0.0
ProductVersionNumber:	3.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	Dell Inc.
FileDescription:	SCE
FileVersion:	003.000.000.000
InternalName:	DUPFramework.exe
LegalCopyright:	(c) Dell Inc. All rights reserved.
OriginalFileName:	DUPFramework.exe
ProductName:	SCE
ProductVersion:	003.000.000.000

Summary

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	11-Jun-2013 07:11:18
Detected languages:	English - United States
Debug artifacts:	C:\svn\trunk\dtk1_tksrc\DupFramework\DupFramework\bin\Release\DupFramework.pdb
CompanyName:	Dell Inc.
FileDescription:	SCE
FileVersion:	003.000.000.000
InternalName:	DUPFramework.exe
LegalCopyright:	(c) Dell Inc. All rights reserved.
OriginalFilename:	DUPFramework.exe
ProductName:	SCE
ProductVersion:	003.000.000.000

DOS Header

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x00000110

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	7
Time date stamp:	11-Jun-2013 07:11:18
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x00444B0C	0x00444C00	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	5.92515
.rdata	0x00446000	0x000E0918	0x000E0A00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.59414
.data	0x00527000	0x00017CB8	0x0000DE00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	4.48273
.idata	0x0053F000	0x00006614	0x00006800	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	5.00514
.didat	0x00546000	0x000002B8	0x00000400	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0.344416
.rsrc	0x00547000	0x0004C14C	0x0004C200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	7.26087
.reloc	0x00594000	0x00040CF5	0x00040E00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	6.24155

Resources

Title	Entropy	Size	Codepage	Language	Type
1	5.12493	1342	Latin 1 / Western European	English - United States	RT_MANIFEST
2	3.02695	308	Latin 1 / Western European	English - United States	RT_CURSOR
3	2.74274	180	Latin 1 / Western European	English - United States	RT_CURSOR
4	2.34038	308	Latin 1 / Western European	English - United States	RT_CURSOR
5	2.34004	308	Latin 1 / Western European	English - United States	RT_CURSOR
6	2.51649	308	Latin 1 / Western European	English - United States	RT_CURSOR
7	2.45401	308	Latin 1 / Western European	English - United States	RT_CURSOR
8	2.34864	308	Latin 1 / Western European	English - United States	RT_CURSOR
9	3.24207	572	Latin 1 / Western European	English - United States	RT_STRING
10	3.25884	686	Latin 1 / Western European	English - United States	RT_STRING

Imports


ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
IMM32.dll
KERNEL32.dll
MSIMG32.dll
OLEACC.dll
OLEAUT32.dll
SHELL32.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

58

Monitored processes

15

Malicious processes

5

Suspicious processes

4

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

696

dcmdev32.exe remove root\dcdbas

C:\ProgramData\dell\drivers\multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled\x86\HAPI\dcmdev32.exe

—

hapint.exe

User:

admin

Company:

Dell Inc.

Integrity Level:

HIGH

Description:

WDM Driver Manager

Exit code:

0

Version:

7.4.0 (BLD_3999)

Modules

Images
c:\programdata\dell\drivers\multiplatform_201603101209_wol_enabled_deepsleep_disabled\x86\hapi\dcmdev32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

1284

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding

C:\Windows\System32\rundll32.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

0

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll

1352

"C:\Windows\system32\taskmgr.exe" /1

C:\Windows\system32\taskmgr.exe

taskmgr.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Task Manager

Exit code:

0

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\taskmgr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

1404

x86\HAPI\hapint.exe -i -q -k CCTK-SCE -p "hapint.exe"

C:\ProgramData\dell\drivers\multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled\x86\HAPI\hapint.exe

cmd.exe

User:

admin

Company:

Dell Inc.

Integrity Level:

HIGH

Description:

Hapi Installer

Exit code:

0

Version:

7.4.0 (BLD_3999)

Modules

Images
c:\programdata\dell\drivers\multiplatform_201603101209_wol_enabled_deepsleep_disabled\x86\hapi\hapint.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll

1828

dchcfg32.exe command=getsupportedsystypes

C:\ProgramData\dell\drivers\multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled\x86\HAPI\dchcfg32.exe

—

hapint.exe

User:

admin

Company:

Dell Inc.

Integrity Level:

HIGH

Description:

HAPI Config Utility

Exit code:

0

Version:

7.4.0 (BLD_3999)

Modules

Images
c:\programdata\dell\drivers\multiplatform_201603101209_wol_enabled_deepsleep_disabled\x86\hapi\dchcfg32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2480

"C:\Users\admin\AppData\Local\Temp\multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled.exe"

C:\Users\admin\AppData\Local\Temp\multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled.exe

—

explorer.exe

User:

admin

Company:

Dell Inc.

Integrity Level:

MEDIUM

Description:

SCE

Exit code:

3221226540

Version:

003.000.000.000

Modules

Images
c:\users\admin\appdata\local\temp\multiplatform_201603101209_wol_enabled_deepsleep_disabled.exe
c:\systemroot\system32\ntdll.dll

2536

cmd /c ""C:\ProgramData\dell\drivers\multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled\applyconfig.bat" -l="C:\ProgramData\dell\drivers\multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled\SCE756.tmp""

C:\Windows\system32\cmd.exe

—

multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

0

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

2752

DrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem4.inf" "dcdbas32.inf:Standard:dcdbas:7.4.0.453:root\dcdbas" "6dfcb1ac3" "000004E4" "000005CC" "000005DC"

C:\Windows\system32\DrvInst.exe

svchost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Driver Installation Module

Exit code:

0

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

2796

"C:\Users\admin\AppData\Local\Temp\multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled.exe"

C:\Users\admin\AppData\Local\Temp\multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled.exe

explorer.exe

User:

admin

Company:

Dell Inc.

Integrity Level:

HIGH

Description:

SCE

Exit code:

0

Version:

003.000.000.000

Modules

Images
c:\users\admin\appdata\local\temp\multiplatform_201603101209_wol_enabled_deepsleep_disabled.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

2852

x86\cctk.exe -i config.ini -l "C:\ProgramData\dell\drivers\multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled\SCE756.tmp"

C:\ProgramData\dell\drivers\multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled\x86\cctk.exe

—

cmd.exe

User:

admin

Company:

Dell

Integrity Level:

HIGH

Description:

Client Configuration Toolkit

Exit code:

0

Version:

2.2.1.0

Modules

Images
c:\programdata\dell\drivers\multiplatform_201603101209_wol_enabled_deepsleep_disabled\x86\cctk.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll

Add for printing

Total events

237

Read events

170

Write events

60

Delete events

7

Modification events


(PID) Process:	(1404) hapint.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\hapiTemp
Operation:	delete key	Name:
Value:
(PID) Process:	(2796) multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0
(PID) Process:	(2796) multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 1
(PID) Process:	(2996) dcmdev32.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus
Operation:	write	Name:	setupapi.app.log
Value: 4096
(PID) Process:	(2996) dcmdev32.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus
Operation:	write	Name:	setupapi.dev.log
Value: 4096
(PID) Process:	(2996) dcmdev32.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\91\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2944) DrvInst.exe	Key:	HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\91\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2752) DrvInst.exe	Key:	HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\91\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(2752) DrvInst.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles
Operation:	write	Name:	%SystemPath%\system32\DRIVERS\dcdbas32.sys
Value: 5
(PID) Process:	(2752) DrvInst.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CriticalDeviceDatabase\root#dcdbas
Operation:	write	Name:	Service
Value: dcdbas

Add for printing

Executable files

52

Suspicious files

19

Text files

131

Unknown types

7

Dropped files

PID	Process	Filename		Type
2796	multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled.exe	C:\ProgramData\dell\drivers\multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled\config.ini		binary
		MD5:—	SHA256:—
2796	multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled.exe	C:\ProgramData\dell\drivers\multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled\package.xml		xml
		MD5:—	SHA256:—
2796	multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled.exe	C:\ProgramData\dell\drivers\multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled\mup.xml		xml
		MD5:51B31D6FC0D180E8AB1672BAAA20A0D9	SHA256:9C491BB41C54E432414C5E44808990C1468F7D8A59136F271F6C2265AE40E833
2796	multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled.exe	C:\ProgramData\dell\drivers\multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled\X86\cctk.exe		executable
		MD5:9E4C0DA7CB87508021B01069A423BD90	SHA256:E94B9C8E662A38A133C3B7AA495D6B1171AEADB7DA609B6317BEF5040CDEE946
2796	multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled.exe	C:\ProgramData\dell\drivers\multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled\X86\HAPI\dcdbas32.inf		binary
		MD5:92C249206F515DEE2D5C7E5117B6E6A0	SHA256:2213EEABF7F43824D51491424B579F6AE01C050663EA25360591A62768AAB58F
2796	multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled.exe	C:\ProgramData\dell\drivers\multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled\X86\HAPI\dcdipm32.sys		text
		MD5:9D4D9EC6CE9C703FCDE269B7F1665C67	SHA256:EE57916B76F7C9895A83933FE239ADDF1A7D76EBE597BF41B8133196A0779A68
2796	multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled.exe	C:\ProgramData\dell\drivers\multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled\applyconfig.bat		text
		MD5:0B97AF703C6687CE7DD301B730867AEB	SHA256:500461F07C86054911306C7A60C9925C31E841CC4AF46CA2663DAFC3D18AD91F
2796	multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled.exe	C:\ProgramData\dell\drivers\multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled\X86\HAPI\dcdbas32.cat		cat
		MD5:FA41524D28D7BA53D33DA20AD51DBEC8	SHA256:BD5D823B2F5A3A5E11F47960BCB413FC3212A99D32230C449984EEC1689FED40
2796	multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled.exe	C:\ProgramData\dell\drivers\multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled\X86\HAPI\dchtst32.exe		executable
		MD5:D8353157D44BEE02C1EC128B1FDFF3DB	SHA256:330595DF0E54636E4D1A5E4185BE1C84872CFBE8203FA2F1B590F7D71A18FA56
2796	multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled.exe	C:\ProgramData\dell\drivers\multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled\X86\HAPI\dchesm32.dll		executable
		MD5:9EBD8A1E2938C9FC237BC44C796B841B	SHA256:4D8B0422BA99CFE0DC6DE0933024A95D7D2B8B2A6CC94C6C48095A250D3A9212

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

0

TCP/UDP connections

0

DNS requests

0

Threats

0

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected

Add for printing

No debug info

General Info

multiplatform_201603101209_WOL_enabled_DEEPSLEEP_disabled.exe

87482220000A2DEAA0FE79A573534DEC

7536168B5E95781FC693B8729865C5E7DF931278

A7496DF0C5D13DB9B2AAC7EA48749DE0E24734F49F7291A9D59CFD3E652B8848

393216:nwMYHKe7CkP4KcLelvEWARoAezyYTWARZx:eW+4KcLelvEWtXHTW+

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Application loaded dropped or rewritten executable

SUSPICIOUS

Starts CMD.EXE for commands execution

Creates files in the Windows directory

Creates files in the program directory

Creates files in the driver directory

Removes files from Windows directory

Application launched itself

INFO

Dropped object may contain URL's

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings