| File name: | systeminformer-3.0.7660-release-setup.exe |
| Full analysis: | https://app.any.run/tasks/31256b14-d444-4a00-b57f-ea95de642e84 |
| Verdict: | Malicious activity |
| Analysis date: | September 01, 2024, 18:27:59 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 0D909A4A638465A17BC9F37C5024E574 |
| SHA1: | EAB2BC1CA6EBFA17B95B8CACEBCB04043238164E |
| SHA256: | A82821A4C18EF940354B84CD625CE0FD8ED5CFBA5418014063F054071BD5FCCD |
| SSDEEP: | 98304:BfuShiqGEHMUGmL1Yt0zJWL9omlWA9ag2liM1UIWMK1CIV3YCQmJhax83+m13oLm:IlKBUMjqQBJa0Kq5JTtIYHTJ5LSGIuy |
MALICIOUS
No malicious indicators.SUSPICIOUS
Reads security settings of Internet Explorer
- systeminformer-3.0.7660-release-setup.exe (PID: 5708)
- systeminformer-3.0.7660-release-setup.exe (PID: 188)
- SystemInformer.exe (PID: 236)
Application launched itself
- systeminformer-3.0.7660-release-setup.exe (PID: 5708)
The process creates files with name similar to system file names
- systeminformer-3.0.7660-release-setup.exe (PID: 188)
Drops a system driver (possible attempt to evade defenses)
- systeminformer-3.0.7660-release-setup.exe (PID: 188)
Creates a software uninstall entry
- systeminformer-3.0.7660-release-setup.exe (PID: 188)
Reads the date of Windows installation
- systeminformer-3.0.7660-release-setup.exe (PID: 5708)
- systeminformer-3.0.7660-release-setup.exe (PID: 188)
Executable content was dropped or overwritten
- systeminformer-3.0.7660-release-setup.exe (PID: 188)
Drops the executable file immediately after the start
- systeminformer-3.0.7660-release-setup.exe (PID: 188)
Checks Windows Trust Settings
- SystemInformer.exe (PID: 236)
INFO
Reads the computer name
- systeminformer-3.0.7660-release-setup.exe (PID: 188)
- systeminformer-3.0.7660-release-setup.exe (PID: 5708)
- SystemInformer.exe (PID: 236)
Checks supported languages
- systeminformer-3.0.7660-release-setup.exe (PID: 188)
- systeminformer-3.0.7660-release-setup.exe (PID: 5708)
- SystemInformer.exe (PID: 236)
- SystemInformer.exe (PID: 4576)
Creates files in the program directory
- systeminformer-3.0.7660-release-setup.exe (PID: 188)
Process checks computer location settings
- systeminformer-3.0.7660-release-setup.exe (PID: 5708)
- systeminformer-3.0.7660-release-setup.exe (PID: 188)
Reads the time zone
- SystemInformer.exe (PID: 236)
Reads CPU info
- SystemInformer.exe (PID: 236)
Manual execution by a user
- SystemInformer.exe (PID: 4576)
Reads the machine GUID from the registry
- SystemInformer.exe (PID: 236)
Reads the software policy settings
- SystemInformer.exe (PID: 236)
Checks proxy server information
- SystemInformer.exe (PID: 236)
Creates files or folders in the user directory
- SystemInformer.exe (PID: 236)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (64.6) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (15.4) |
| .exe | | | Win32 Executable (generic) (10.5) |
| .exe | | | Generic Win/DOS Executable (4.6) |
| .exe | | | DOS Executable Generic (4.6) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2054:10:22 23:54:18+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.39 |
| CodeSize: | 253952 |
| InitializedDataSize: | 15585280 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x20300 |
| OSVersion: | 6.1 |
| ImageVersion: | - |
| SubsystemVersion: | 6.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 3.0.12187.7660 |
| ProductVersionNumber: | 3.0.12187.7660 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| CompanyName: | System Informer |
| FileDescription: | System Informer - Setup |
| FileVersion: | 3.0.12187.7660 |
| InternalName: | systeminformer-setup.exe |
| LegalCopyright: | Copyright (c) Winsider Seminars & Solutions, Inc. All rights reserved. |
| OriginalFileName: | systeminformer-setup.exe |
| ProductName: | System Informer |
| ProductVersion: | 3.0.12187.7660 |
Total processes
135
Monitored processes
6
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 188 | "C:\Users\admin\AppData\Local\Temp\systeminformer-3.0.7660-release-setup.exe" "C:\Users\admin\AppData\Local\Temp\systeminformer-3.0.7660-release-setup.exe" | C:\Users\admin\AppData\Local\Temp\systeminformer-3.0.7660-release-setup.exe | systeminformer-3.0.7660-release-setup.exe | ||||||||||||
User: admin Company: System Informer Integrity Level: HIGH Description: System Informer - Setup Exit code: 0 Version: 3.0.12187.7660 Modules
| |||||||||||||||
| 236 | "C:\Program Files\SystemInformer\SystemInformer.exe" -channel release | C:\Program Files\SystemInformer\SystemInformer.exe | systeminformer-3.0.7660-release-setup.exe | ||||||||||||
User: admin Company: System Informer Integrity Level: HIGH Description: System Informer Version: 3.0.12187.7660 Modules
| |||||||||||||||
| 1116 | "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | C:\Windows\System32\slui.exe | — | SppExtComObj.Exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Activation Client Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3332 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\Windows\System32\SppExtComObj.Exe | — | svchost.exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: KMS Connection Broker Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4576 | "C:\Program Files\SystemInformer\SystemInformer.exe" | C:\Program Files\SystemInformer\SystemInformer.exe | — | explorer.exe | |||||||||||
User: admin Company: System Informer Integrity Level: MEDIUM Description: System Informer Exit code: 0 Version: 3.0.12187.7660 Modules
| |||||||||||||||
| 5708 | "C:\Users\admin\AppData\Local\Temp\systeminformer-3.0.7660-release-setup.exe" | C:\Users\admin\AppData\Local\Temp\systeminformer-3.0.7660-release-setup.exe | — | explorer.exe | |||||||||||
User: admin Company: System Informer Integrity Level: MEDIUM Description: System Informer - Setup Exit code: 0 Version: 3.0.12187.7660 Modules
| |||||||||||||||
Total events
12 741
Read events
12 674
Write events
47
Delete events
20
Modification events
| (PID) Process: | (188) systeminformer-3.0.7660-release-setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemInformer |
| Operation: | write | Name: | DisplayIcon |
Value: C:\Program Files\SystemInformer\systeminformer.exe,0 | |||
| (PID) Process: | (188) systeminformer-3.0.7660-release-setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemInformer |
| Operation: | write | Name: | DisplayName |
Value: System Informer | |||
| (PID) Process: | (188) systeminformer-3.0.7660-release-setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemInformer |
| Operation: | write | Name: | DisplayVersion |
Value: 3.0 | |||
| (PID) Process: | (188) systeminformer-3.0.7660-release-setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemInformer |
| Operation: | write | Name: | HelpLink |
Value: https://systeminformer.sourceforge.io/ | |||
| (PID) Process: | (188) systeminformer-3.0.7660-release-setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemInformer |
| Operation: | write | Name: | InstallLocation |
Value: C:\Program Files\SystemInformer\ | |||
| (PID) Process: | (188) systeminformer-3.0.7660-release-setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemInformer |
| Operation: | write | Name: | Publisher |
Value: System Informer | |||
| (PID) Process: | (188) systeminformer-3.0.7660-release-setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemInformer |
| Operation: | write | Name: | UninstallString |
Value: "C:\Program Files\SystemInformer\systeminformer-setup.exe" -uninstall | |||
| (PID) Process: | (188) systeminformer-3.0.7660-release-setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemInformer |
| Operation: | write | Name: | NoModify |
Value: 1 | |||
| (PID) Process: | (188) systeminformer-3.0.7660-release-setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemInformer |
| Operation: | write | Name: | NoRepair |
Value: 1 | |||
| (PID) Process: | (236) SystemInformer.exe | Key: | HKEY_LOCAL_MACHINE\BCD00000000\Objects\{9dea862c-5cdd-4e70-acc1-f32b344d4795}\Elements\11000001 |
| Operation: | delete key | Name: | (default) |
Value: | |||
Executable files
19
Suspicious files
23
Text files
8
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 188 | systeminformer-3.0.7660-release-setup.exe | C:\Program Files\SystemInformer\systeminformer-setup.exe | executable | |
MD5:0D909A4A638465A17BC9F37C5024E574 | SHA256:A82821A4C18EF940354B84CD625CE0FD8ED5CFBA5418014063F054071BD5FCCD | |||
| 188 | systeminformer-3.0.7660-release-setup.exe | C:\Users\Public\Desktop\System Informer.lnk | binary | |
MD5:33ACAF16A48F662D62ACB2E0406DE152 | SHA256:623E792ACD760E0B5E88BCA0A83EAFA9E88387BEC920F427D0B7E3F246FE34B1 | |||
| 188 | systeminformer-3.0.7660-release-setup.exe | C:\Program Files\SystemInformer\README.txt | text | |
MD5:0CCC7E76DA4E38CD2F73BD197DEA80C3 | SHA256:29C068275F2B99405DFED86B2C6C6E0722944B743565796B76FBF74F42DA8039 | |||
| 188 | systeminformer-3.0.7660-release-setup.exe | C:\Program Files\SystemInformer\COPYRIGHT.txt | text | |
MD5:D97229C38736F130D83B1C9BA9F68703 | SHA256:6DEB8978832A3B5CB8B4AD79F33EFAAC9857AC539D771EEBB3C5680A12436D2C | |||
| 188 | systeminformer-3.0.7660-release-setup.exe | C:\Program Files\SystemInformer\ksidyn.sig | binary | |
MD5:6569FE0F0ADC6F9530673A2C9C049599 | SHA256:6E6EFBE6DF1F3A94DB4018B0220069E95AF60251892FC8D674045F71BA5F2C61 | |||
| 188 | systeminformer-3.0.7660-release-setup.exe | C:\Program Files\SystemInformer\EtwGuids.txt | ini | |
MD5:E5350380E5A9E4DC1A9432A299B6D4DE | SHA256:43426A3FB94A44B5F4092547A1DE5D9A676064BBCC485BD9B6A79EA1CB1598C8 | |||
| 188 | systeminformer-3.0.7660-release-setup.exe | C:\Program Files\SystemInformer\LICENSE.txt | text | |
MD5:00B5F3DE97978ECBFCAA88C3D9D87CE5 | SHA256:E0CD000380F49907CB856B00AC44C436DF10E2B0AD24EA77576F8EF77F508BDD | |||
| 188 | systeminformer-3.0.7660-release-setup.exe | C:\Program Files\SystemInformer\CapsList.txt | text | |
MD5:397F7C66959A56EF89133733B56A9616 | SHA256:D74FA0FF77E0FB81EE2A5B7211CBE7CC33F03EE1EB1AA488CDAFC45540A8FE5A | |||
| 188 | systeminformer-3.0.7660-release-setup.exe | C:\Program Files\SystemInformer\icon.png | image | |
MD5:5352EBD888E7E6C1DABD20C4D6B921C5 | SHA256:46E1C3D45F5085FA4F97F6BCB2AD0197DABB0E1C7EFD2A6CBA1A0BD3461E2387 | |||
| 188 | systeminformer-3.0.7660-release-setup.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Informer.lnk | binary | |
MD5:2E2893D76C1802E3838C343D0ACC0044 | SHA256:13562C787CEA59D09EBDE8FFC94A1A6D83AE01EA05465DEBFD1E717B27114633 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
24
DNS requests
15
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3652 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
5148 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
5148 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
6516 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6164 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2120 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3260 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3652 | svchost.exe | 40.126.32.76:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3652 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
5148 | SIHClient.exe | 20.114.59.183:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
5148 | SIHClient.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
systeminformer.sourceforge.io |
| whitelisted |