download: | click_install.exe |
Full analysis: | https://app.any.run/tasks/59299947-52f9-4b51-9b39-fd855beabc85 |
Verdict: | Malicious activity |
Analysis date: | August 13, 2019, 16:18:32 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 1DDE7914C7E30DB8E6F63A50D43204C4 |
SHA1: | AF6249C78ECE8E4549830262C2B71EB83305472E |
SHA256: | AF691967F586DFDB1B906E4822423540F0244A3B581D99BABED0A7A25B41138F |
SSDEEP: | 393216:N2s8qD9nenkXjaEdns7JUo9vAb2w/7n4taDcqnfOIsZKNdpMM3kB:ks8+6kXGHtUohAb2wDCqcq98IpMBB |
.exe | | | Win64 Executable (generic) (64.6) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (15.4) |
.exe | | | Win32 Executable (generic) (10.5) |
.exe | | | Generic Win/DOS Executable (4.6) |
.exe | | | DOS Executable Generic (4.6) |
ProductVersion: | 1.22 |
---|---|
ProductName: | Click |
OriginalFileName: | click_install.exe |
LegalCopyright: | Copyright (C) C3 SoftWorks |
InternalName: | click_install |
FileVersion: | 1.22 |
FileDescription: | This installer database contains the logic and data required to install Click. |
CompanyName: | C3 SoftWorks |
CharacterSet: | Unicode |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Dynamic link library |
FileOS: | Win32 |
FileFlags: | Debug |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 1.22.0.0 |
FileVersionNumber: | 1.22.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x20b90 |
UninitializedDataSize: | - |
InitializedDataSize: | 40448 |
CodeSize: | 135680 |
LinkerVersion: | 7.1 |
PEType: | PE32 |
TimeStamp: | 2009:05:27 11:57:29+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 27-May-2009 09:57:29 |
Detected languages: |
|
CompanyName: | C3 SoftWorks |
FileDescription: | This installer database contains the logic and data required to install Click. |
FileVersion: | 1.22 |
InternalName: | click_install |
LegalCopyright: | Copyright (C) C3 SoftWorks |
OriginalFileName: | click_install.exe |
ProductName: | Click |
ProductVersion: | 1.22 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000108 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 4 |
Time date stamp: | 27-May-2009 09:57:29 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x000210A1 | 0x00021200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.47012 |
.rdata | 0x00023000 | 0x00003BA6 | 0x00003C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.60439 |
.data | 0x00027000 | 0x00000700 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.86115 |
.rsrc | 0x00028000 | 0x00005A2C | 0x00005C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.29574 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.85667 | 975 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 3.44886 | 1384 | Latin 1 / Western European | English - United States | RT_ICON |
3 | 3.91708 | 744 | Latin 1 / Western European | English - United States | RT_ICON |
4 | 3.78674 | 2216 | Latin 1 / Western European | English - United States | RT_ICON |
9 | 3.37783 | 1116 | Latin 1 / Western European | English - United States | RT_STRING |
10 | 3.35468 | 1136 | Latin 1 / Western European | English - United States | RT_STRING |
11 | 3.31743 | 760 | Latin 1 / Western European | English - United States | RT_STRING |
12 | 3.23118 | 1432 | Latin 1 / Western European | English - United States | RT_STRING |
13 | 3.32779 | 978 | Latin 1 / Western European | English - United States | RT_STRING |
14 | 3.19507 | 1974 | Latin 1 / Western European | English - United States | RT_STRING |
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
OLEAUT32.dll |
SHELL32.dll |
USER32.dll |
VERSION.dll |
WININET.dll (delay-loaded) |
ole32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2144 | "C:\Users\admin\AppData\Local\Temp\click_install.exe" | C:\Users\admin\AppData\Local\Temp\click_install.exe | explorer.exe | |
User: admin Company: C3 SoftWorks Integrity Level: MEDIUM Description: This installer database contains the logic and data required to install Click. Exit code: 0 Version: 1.22 | ||||
2072 | /i "C:\Users\admin\AppData\Roaming\C3 SoftWorksinstall\Click\install\click_install_final.msi" AI_SETUPEXEPATH="C:\Users\admin\AppData\Local\Temp\click_install.exe" SETUPEXEDIR="C:\Users\admin\AppData\Local\Temp\" | C:\Windows\system32\msiexec.exe | click_install.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
4080 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | services.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
1444 | C:\Windows\system32\MsiExec.exe -Embedding A049248CF3A5741B9FCEAAAD54462B85 C | C:\Windows\system32\MsiExec.exe | — | msiexec.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
1748 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3968 | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot22" "" "" "695c3f483" "00000000" "00000540" "000005DC" | C:\Windows\system32\DrvInst.exe | — | svchost.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2900 | "C:\Windows\system32\MsiExec.exe" /Y "C:\Program Files\C3 SoftWorks\Click\Reply2005.ocx" | C:\Windows\system32\MsiExec.exe | — | msiexec.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
360 | "C:\Program Files\Internet Explorer\iexplore.exe" C:\Program Files\C3 SoftWorks\Click\help\index.html | C:\Program Files\Internet Explorer\iexplore.exe | MsiExec.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3084 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:360 CREDAT:79873 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
1716 | "C:\Program Files\C3 SoftWorks\Click\Click.exe" | C:\Program Files\C3 SoftWorks\Click\Click.exe | MsiExec.exe | |
User: admin Company: C3 SoftWorks Integrity Level: MEDIUM Description: BRAVO! Click Exit code: 0 Version: 3.0.0.0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2144 | click_install.exe | C:\Users\admin\AppData\Roaming\C3 SoftWorksinstall\Click\install\disk1.cab | — | |
MD5:— | SHA256:— | |||
2072 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSIFA76.tmp | — | |
MD5:— | SHA256:— | |||
4080 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
2144 | click_install.exe | C:\Users\admin\AppData\Roaming\C3 SoftWorksinstall\Click\install\click_install_final.msi | executable | |
MD5:B16201DA0C46CBB528BC84796E49DBC9 | SHA256:CC8B906E9BEDDF8997C2983F30380EB233B68398C5B2FC92CC07D80EFD13503E | |||
3968 | DrvInst.exe | C:\Windows\INF\setupapi.ev1 | binary | |
MD5:1DA8E9C1DA42257542108A357FA63908 | SHA256:4385E2847E1B7D34C156CA985EF12B6089AB283B8FA5EA1143FDF8831DD3DC36 | |||
4080 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{1b6ed263-d176-4ecc-bac9-0780c193e324}_OnDiskSnapshotProp | binary | |
MD5:2A88E0E18C8429C676D2D7B080ABA722 | SHA256:C4733AD762F04262081C5BA09AF86CF4D9F0E64CA4878273E9135C01B0ABF800 | |||
3968 | DrvInst.exe | C:\Windows\INF\setupapi.dev.log | ini | |
MD5:D3EEC9E5D954D0939FEE7E27851ABB6D | SHA256:0FB711EE824B95F8C503F15A48B35702F8D4B1012EFCE66DB1FEF4A64605D046 | |||
4080 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | |
MD5:2A88E0E18C8429C676D2D7B080ABA722 | SHA256:C4733AD762F04262081C5BA09AF86CF4D9F0E64CA4878273E9135C01B0ABF800 | |||
4080 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF8C10FC92FA0F3EE8.TMP | — | |
MD5:— | SHA256:— | |||
1748 | vssvc.exe | C: | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
360 | iexplore.exe | GET | 200 | 13.107.21.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
360 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
1716 | Click.exe | 162.242.144.107:80 | virtual.c3softworks.com | Rackspace Ltd. | US | suspicious |
1716 | Click.exe | 162.242.144.107:443 | virtual.c3softworks.com | Rackspace Ltd. | US | suspicious |
Domain | IP | Reputation |
---|---|---|
www.bing.com |
| whitelisted |
virtual.c3softworks.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
1716 | Click.exe | Potential Corporate Privacy Violation | ET POLICY Outdated Flash Version M1 |
Process | Message |
---|---|
Click.exe | setfocus main form 0
|
Click.exe | killfocus main form 0
|
Click.exe | setfocus main form 0
|
Click.exe | killfocus main form 0
|
Click.exe | setfocus main form 0
|
Click.exe | killfocus main form 0
|
Click.exe | WM_PAINT |
Click.exe | mdm.hasEI |
Click.exe | - |
Click.exe | |