General Info

File name

sasi.exe

Full analysis
https://app.any.run/tasks/9f6ba740-8c9e-460c-ba45-677a203a6096
Verdict
Malicious activity
Analysis date
10/9/2019, 15:34:30
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

9feb8d7a93cca3c5bc37deacb4124459

SHA1

48093127b3addc1d8824a6c03fdd805189d1923e

SHA256

bb271d5da1700dd7c8a4a0148b5a8e6bb2e46fbd2dab9d7b0986fac1c56aa584

SSDEEP

196608:ZP0LbeDjvS93PtL0XTFrZVD570fS/CZ/CqS53JOIf:ZPUiXZZT7vCZ/CqS55Om

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Malicious, suspicious and info indicators
Application was dropped or rewritten from another process
  • st6unst.exe (PID: 3692)
  • Setup1.exe (PID: 3432)
  • setup.exe (PID: 2544)
  • setup.exe (PID: 3292)
Loads dropped or rewritten executable
  • setup.exe (PID: 2544)
  • Setup1.exe (PID: 3432)
Writes to a start menu file
  • setup.exe (PID: 2544)
Executable content was dropped or overwritten
  • setup.exe (PID: 2544)
  • sasi.exe (PID: 3204)
Creates files in the user directory
  • setup.exe (PID: 2544)
Creates files in the Windows directory
  • setup.exe (PID: 2544)

No info indicators.

Static information

TRiD
.exe  Win64 Executable (generic) (64.6%)
.dll  Win32 Dynamic Link Library (generic) (15.4%)
.exe  Win32 Executable (generic) (10.5%)
.exe  Generic Win/DOS Executable (4.6%)
.exe  DOS Executable Generic (4.6%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2019:02:21 17:21:56+01:00
PEType:
PE32
LinkerVersion:
14
CodeSize:
190976
InitializedDataSize:
242176
UninitializedDataSize:
null
EntryPoint:
0x1d779
OSVersion:
5.1
ImageVersion:
null
SubsystemVersion:
5.1
Subsystem:
Windows GUI
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
21-Feb-2019 16:21:56
Detected languages
English - United States
Debug artifacts
D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000110
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
6
Time date stamp:
21-Feb-2019 16:21:56
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x0002E864 0x0002EA00 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.69348
.rdata 0x00030000 0x00009AAC 0x00009C00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.13363
.data 0x0003A000 0x000213D0 0x00000C00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 3.24289
.gfids 0x0005C000 0x000000E8 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 2.09592
.rsrc 0x0005D000 0x0000DFD0 0x0000E000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 6.63679
.reloc 0x0006B000 0x00001FD0 0x00002000 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ 6.68736
Resources
1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 100, 101, 102, ASKNEXTVOL, GETPASSWORD1, LICENSEDLG, RENAMEDLG, REPLACEFILEDLG, STARTDLG

Imports
    KERNEL32.dll

    gdiplus.dll

    USER32.dll (delay-loaded)

Exports

    No exports.

Processes

Total processes
40
Monitored processes
5
Malicious processes
2
Suspicious processes
1

Behavior graph

Process tree shown by the interactive graph (edges labelled "drop and start" or "start"): sasi.exe → setup.exe (no specs); sasi.exe → setup.exe; setup.exe → Setup1.exe (no specs); Setup1.exe → st6unst.exe (no specs)

Process information

PID
3204
CMD
"C:\Users\admin\AppData\Local\Temp\sasi.exe"
Path
C:\Users\admin\AppData\Local\Temp\sasi.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\sasi.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\riched20.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\users\admin\appdata\local\temp\rarsfx0\setup.exe
c:\windows\system32\mpr.dll
c:\windows\system32\sfc.dll
c:\windows\system32\devrtl.dll

PID
3292
CMD
"C:\Users\admin\AppData\Local\Temp\RarSFX0\setup.exe"
Path
C:\Users\admin\AppData\Local\Temp\RarSFX0\setup.exe
Indicators
No indicators
Parent process
sasi.exe
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
Microsoft Corporation
Description
Instalación de Bootstrap para Visual Basic Setup Toolkit
Version
6.00.8169
Modules
Image
c:\users\admin\appdata\local\temp\rarsfx0\setup.exe
c:\systemroot\system32\ntdll.dll

PID
2544
CMD
"C:\Users\admin\AppData\Local\Temp\RarSFX0\setup.exe"
Path
C:\Users\admin\AppData\Local\Temp\RarSFX0\setup.exe
Indicators
Parent process
sasi.exe
User
admin
Integrity Level
HIGH
Version:
Company
Microsoft Corporation
Description
Instalación de Bootstrap para Visual Basic Setup Toolkit
Version
6.00.8169
Modules
Image
c:\users\admin\appdata\local\temp\rarsfx0\setup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\comcat.dll
c:\windows\system32\msvcrt40.dll
c:\windows\system32\stdole2.tlb
c:\windows\system32\asycfilt.dll
c:\windows\system32\olepro32.dll
c:\windows\system32\msvbvm60.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\st6unst.exe
c:\windows\system32\vb6stkit.dll
c:\windows\system32\msvbvm50.dll
c:\windows\system32\devrtl.dll
c:\windows\setup1.exe

PID
3432
CMD
Setup1.exe "C:\Users\admin\AppData\Local\Temp\RarSFX0\" "C:\WINDOWS\ST6UNST.000" "C:\WINDOWS\st6unst.exe"
Path
C:\Windows\Setup1.exe
Indicators
No indicators
Parent process
setup.exe
User
admin
Integrity Level
HIGH
Version:
Company
Microsoft Corporation
Description
Utilidad de instalación de Visual Basic 6.0
Version
6.00.8171
Modules
Image
c:\windows\setup1.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\vb6es.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\vb6stkit.dll
c:\windows\st6unst.exe

PID
3692
CMD
C:\WINDOWS\st6unst.exe -n "C:\WINDOWS\ST6UNST.000" -e 2 -f -w 3432
Path
C:\WINDOWS\st6unst.exe
Indicators
No indicators
Parent process
Setup1.exe
User
admin
Integrity Level
HIGH
Version:
Company
Microsoft Corporation
Description
Visual Basic Setup Toolkit Uninstaller
Version
6.00.8169
Modules
Image
c:\windows\st6unst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll

Registry activity

Total events
616
Read events
562
Write events
54
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
3204
sasi.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3204
sasi.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
C:\Windows\System32\MSVBVM50.DLL
1
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
C:\Windows\System32\VB6STKIT.DLL
1
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
C:\Windows\System32\COMCAT.DLL
2
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
C:\Windows\System32\MSVCRT40.DLL
2
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
C:\Windows\System32\VB6ES.DLL
1
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
C:\Windows\System32\STDOLE2.TLB
2
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
C:\Windows\System32\ASYCFILT.DLL
2
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
C:\Windows\System32\OLEPRO32.DLL
2
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
C:\Windows\System32\OLEAUT32.DLL
2
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
C:\Windows\System32\MSVBVM60.DLL
2
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{000204EF-0000-0000-C000-000000000046}\5.0
Visual Basic For Applications
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{000204EF-0000-0000-C000-000000000046}\5.0\FLAGS
0
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{000204EF-0000-0000-C000-000000000046}\5.0\9\win32
C:\WINDOWS\SYSTEM32\MSVBVM50.DLL
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{000204EF-0000-0000-C000-000000000046}\5.0\HELPDIR
C:\WINDOWS\SYSTEM32
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A4C466B8-499F-101B-BB78-00AA00383CBB}\TypeLib
Version
5.0
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A4C46780-499F-101B-BB78-00AA00383CBB}\TypeLib
Version
5.0
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{97177EBC-0C54-11D0-B407-00AA00C14969}\5.0
Visual Basic runtime objects and procedures
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{97177EBC-0C54-11D0-B407-00AA00C14969}\5.0\FLAGS
4
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{97177EBC-0C54-11D0-B407-00AA00C14969}\5.0\9\win32
C:\WINDOWS\SYSTEM32\MSVBVM50.DLL\2
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{97177EBC-0C54-11D0-B407-00AA00C14969}\5.0\HELPDIR
C:\WINDOWS\SYSTEM32
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{45046D60-08CA-11CF-A90F-00AA0062BB4C}
PropertyBag
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{45046D60-08CA-11CF-A90F-00AA0062BB4C}\TypeLib
{97177EBC-0C54-11D0-B407-00AA00C14969}
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{45046D60-08CA-11CF-A90F-00AA0062BB4C}\TypeLib
Version
5.0
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{41A7D761-6018-11CF-9016-00AA0068841E}\TypeLib
{97177EBC-0C54-11D0-B407-00AA00C14969}
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{41A7D761-6018-11CF-9016-00AA0068841E}\TypeLib
Version
5.0
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{41A7D760-6018-11CF-9016-00AA0068841E}\TypeLib
{97177EBC-0C54-11D0-B407-00AA00C14969}
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{41A7D760-6018-11CF-9016-00AA0068841E}\TypeLib
Version
5.0
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B28FA150-0FF0-11CF-A911-00AA0062BB4C}\TypeLib
{97177EBC-0C54-11D0-B407-00AA00C14969}
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B28FA150-0FF0-11CF-A911-00AA0062BB4C}\TypeLib
Version
5.0
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2CE46480-1A08-11CF-AD63-00AA00614F3E}\TypeLib
{97177EBC-0C54-11D0-B407-00AA00C14969}
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2CE46480-1A08-11CF-AD63-00AA00614F3E}\TypeLib
Version
5.0
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BE8F9800-2AAA-11CF-AD67-00AA00614F3E}\TypeLib
{97177EBC-0C54-11D0-B407-00AA00C14969}
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BE8F9800-2AAA-11CF-AD67-00AA00614F3E}\TypeLib
Version
5.0
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C0324960-2AAA-11CF-AD67-00AA00614F3E}\TypeLib
{97177EBC-0C54-11D0-B407-00AA00C14969}
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C0324960-2AAA-11CF-AD67-00AA00614F3E}\TypeLib
Version
5.0
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4E0F020-720A-11CF-8136-00AA00C14959}\TypeLib
{97177EBC-0C54-11D0-B407-00AA00C14969}
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4E0F020-720A-11CF-8136-00AA00C14959}\TypeLib
Version
5.0
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D624E3E0-720A-11CF-8136-00AA00C14959}
DataBinding
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D624E3E0-720A-11CF-8136-00AA00C14959}\ProxyStubClsid
{00020424-0000-0000-C000-000000000046}
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D624E3E0-720A-11CF-8136-00AA00C14959}\ProxyStubClsid32
{00020424-0000-0000-C000-000000000046}
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D624E3E0-720A-11CF-8136-00AA00C14959}\TypeLib
{97177EBC-0C54-11D0-B407-00AA00C14969}
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D624E3E0-720A-11CF-8136-00AA00C14959}\TypeLib
Version
5.0
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{888A5A60-B283-11CF-8AD5-00A0C90AEA82}\TypeLib
{97177EBC-0C54-11D0-B407-00AA00C14969}
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{888A5A60-B283-11CF-8AD5-00A0C90AEA82}\TypeLib
Version
5.0
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{14E469E0-BF61-11CF-8385-8F69D8F1350B}
AsyncProperty
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{14E469E0-BF61-11CF-8385-8F69D8F1350B}\TypeLib
{97177EBC-0C54-11D0-B407-00AA00C14969}
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{14E469E0-BF61-11CF-8385-8F69D8F1350B}\TypeLib
Version
5.0
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application\VBRuntime
EventMessageFile
C:\WINDOWS\SYSTEM32\MSVBVM50.DLL
2544
setup.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Application\VBRuntime
TypesSupported
4
3432
Setup1.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\DAO350
Path
C:\Program Files\Common Files\Microsoft Shared\DAO\DAO350.DLL

Files activity

Executable files
17
Suspicious files
10
Text files
42
Unknown types
1

Dropped files

PID
Process
Filename
Type
2544
setup.exe
C:\Users\admin\AppData\Local\Temp\msftqws.pdw\OLEAUT32.DLL
executable
MD5: 4ca53c2809b7b22fdec20c993440d68f
SHA256: 9ad6d2dd546c8537dfac9261376c51b164c61f7ffb53b7c5e55b5565a7e963c7
2544
setup.exe
C:\Users\admin\AppData\Local\Temp\msftqws.pdw\STDOLE2.TLB
executable
MD5: 1b02577f0addea32eb02a50d4a4cdd1e
SHA256: 6ea525bface5467c1045c3708f339a4b92a3a273f70656e061c7f7322c56d667
2544
setup.exe
C:\Users\admin\AppData\Local\Temp\msftqws.pdw\VB6ES.DLL
executable
MD5: 5920f5a17a7bb807ef3f1f7cb5558728
SHA256: b9c2fa6decf3c7027c6ac7d363a1714b732e0b75ad17327f3e31c6b88fa9e92a
2544
setup.exe
C:\Users\admin\AppData\Local\Temp\msftqws.pdw\MSVCRT40.DLL
executable
MD5: 146263312871d16ba8e06b3cf68b88df
SHA256: 1ded954d583f8bc620073f750a14987d370581763f742e564c8371c59651fabd
2544
setup.exe
C:\Users\admin\AppData\Local\Temp\msftqws.pdw\ASYCFILT.DLL
executable
MD5: 47f9c0dd76c967ad76643c49b5d6830d
SHA256: 4069fbd97bb17d4aa51142984239784fbaac2f728c5719a01e51e0b6312fc6a4
2544
setup.exe
C:\Windows\System32\VB6STKIT.DLL
executable
MD5: 87aa9155acc202711f5720718e1dffcb
SHA256: 564747cff8abb9367f4d435bfaddb578aab7e4cb4bf174f361d33846207540fe
2544
setup.exe
C:\Users\admin\AppData\Local\Temp\msftqws.pdw\VB6STKIT.DLL
executable
MD5: 87aa9155acc202711f5720718e1dffcb
SHA256: 564747cff8abb9367f4d435bfaddb578aab7e4cb4bf174f361d33846207540fe
2544
setup.exe
C:\Windows\System32\VB6ES.DLL
executable
MD5: 5920f5a17a7bb807ef3f1f7cb5558728
SHA256: b9c2fa6decf3c7027c6ac7d363a1714b732e0b75ad17327f3e31c6b88fa9e92a
2544
setup.exe
C:\Users\admin\AppData\Local\Temp\msftqws.pdw\MSVBVM50.DLL
executable
MD5: 1e2d2568eee99e3114de560f2aa8c5c4
SHA256: 616df490b59bface214de7c19c81a6b24a504090d77f9b9d4150eff6abab2934
2544
setup.exe
C:\WINDOWS\Setup1.exe
executable
MD5: 8aa40fd187a56c90d157f6917e093817
SHA256: 86fb9d030e11b2997cba0c321a4b649f06293a7971398d016bfa67ad5800277d
2544
setup.exe
C:\Windows\System32\MSVBVM50.DLL
executable
MD5: 1e2d2568eee99e3114de560f2aa8c5c4
SHA256: 616df490b59bface214de7c19c81a6b24a504090d77f9b9d4150eff6abab2934
3204
sasi.exe
C:\Users\admin\AppData\Local\Temp\RarSFX0\setup.exe
executable
MD5: d06cee4016aac5e427390655a870b0f4
SHA256: d00e85a7d6d8bfbffbade69cf92380b08dbd1ef374f6d7260f256a0bebd68e0d
2544
setup.exe
C:\Users\admin\AppData\Local\Temp\msftqws.pdw\MSVBVM60.DLL
executable
MD5: f28eb5cbc3ca6d8c787f09f047d1f9c8
SHA256: 3ef32e0152cc3fa07c417e6aadf9ead83a17b5fdee73799044e1bd7564725d6e
2544
setup.exe
C:\Users\admin\AppData\Local\Temp\msftqws.pdw\OLEPRO32.DLL
executable
MD5: f745044771adc3e08e908263d0049249
SHA256: b0bc9477d1628c082de5726f48bbe751a6a0ef486eb8d79041789e45dea5108c
2544
setup.exe
C:\Users\admin\AppData\Local\Temp\msftqws.pdw\st6unst.exe
executable
MD5: 7f787d537ae26932e9eaf2442abd6b98
SHA256: 69c66a8e0085e4ebff940b426c84feddf6aab0f97e43658b872f63dd6c6c9761
2544
setup.exe
C:\WINDOWS\ST6UNST.EXE
executable
MD5: 7f787d537ae26932e9eaf2442abd6b98
SHA256: 69c66a8e0085e4ebff940b426c84feddf6aab0f97e43658b872f63dd6c6c9761
2544
setup.exe
C:\Users\admin\AppData\Local\Temp\msftqws.pdw\COMCAT.DLL
executable
MD5: 3b180da2b50b954a55fe37afba58d428
SHA256: 96d04cdfaf4f4d7b8722b139a15074975d4c244302f78034b7be65df1a92fd03
3432
Setup1.exe
C:\WINDOWS\ST6UNST.000
text
MD5: 6b486af82680869f1d70c37c416855aa
SHA256: cfb95ddbae06fca7e5da7c44f6c5fc849eca16bb029e00e8c3288fb88bb6e0f6
2544
setup.exe
C:\WINDOWS\ST6UNST.000
text
MD5: 404390e144b6ff8b0dd732b2221891ff
SHA256: e5d4f0068cac76fd0b27013e31562ec0659ea9e4507ccc6de3128df179be223f
2544
setup.exe
C:\WINDOWS\temp.000
––
MD5:  ––
SHA256:  ––
3432
Setup1.exe
C:\WINDOWS\ST6UNST.000
text
MD5: 2719509073e6ebd34de89a986e947135
SHA256: eacb06bfb86cfa73c179deff71787526af8ee38b788be5a1ede6d7b6e77cc203
3432
Setup1.exe
C:\WINDOWS\ST6UNST.000
text
MD5: 7be073a5761245d70b8ed2a033869567
SHA256: 96b4097130a54617ff1e07ef3abe90c42a6d85ba56dafd05d6998d363ff6a3e1
3204
sasi.exe
C:\Users\admin\AppData\Local\Temp\RarSFX0\Setup.Lst
text
MD5: a7942a278617a07475aba83f2d5e8651
SHA256: 911e176a2a3b9f9c6bb3b1fdd00e23bf06f8c41d2882f67f2a189cabc64b33de
3432
Setup1.exe
C:\WINDOWS\ST6UNST.000
text
MD5: 318278219a1f5755e28bd1f038f5747f
SHA256: c9a9db8525faeb5e9120308a37e7b94441986d8838f1bfba7cd9762263caa90c
2544
setup.exe
C:\WINDOWS\ST6UNST.000
text
MD5: 85a1b16649985e3201ce0da43f2eac83
SHA256: 7ee411a3f36ca5258b7f20c07e22bf23c39b88ac9cca5946b20aa91fc1054fe7
2544
setup.exe
C:\WINDOWS\ST6UNST.000
––
MD5:  ––
SHA256:  ––
3432
Setup1.exe
C:\WINDOWS\ST6UNST.000
text
MD5: 4fb658943451010a6137a14d0403c151
SHA256: 05bf909e12dae811f75e9609be4359c61ccebac99c0f9b9b518d9922c9705074
2544
setup.exe
C:\Windows\System32\temp.000
––
MD5:  ––
SHA256:  ––
3432
Setup1.exe
C:\WINDOWS\ST6UNST.000
text
MD5: 4dbb0d4a6046ec29a488046abe3f50ba
SHA256: 8670863df6d0034680f390d2eba25dee1f2c89a5b8f162c906c633bb88f55037
2544
setup.exe
C:\WINDOWS\ST6UNST.000
text
MD5: da39d82d0f99db34c8fa56f51806d824
SHA256: 78830780cae990822143d8ae2d692a3ebe01409b7cb114ea205c9ab63cbe8dd4
3432
Setup1.exe
C:\WINDOWS\ST6UNST.000
text
MD5: ad8d61cfe9366875b209b4a7f0d7a82e
SHA256: b775b695957efb312d372c126bbccebbb2ea880fbba7bf7849eb5b36386c7f08
2544
setup.exe
C:\WINDOWS\SAS5.cab
compressed
MD5: e95f93abd37e6d4c4f74c57540cdf628
SHA256: c7ff2955e260015db07c38b3ae6fe2063bb00f8020ff359d41dbec47bb413835
2544
setup.exe
C:\WINDOWS\SAS4.cab
compressed
MD5: 17940765cef516f3381692985473adaa
SHA256: bc1fca036e3319672e7110d0f633d3fd3ddd4cb45989bece99307b12cb6071d1
2544
setup.exe
C:\WINDOWS\SAS2.cab
compressed
MD5: 12d8bd4f02bff041080880ab7313d6e6
SHA256: 6a7f036139654817ba4c5526c7fadbc20a3a131fd86bef70c2eb04bdb861940e
2544
setup.exe
C:\WINDOWS\SAS3.cab
compressed
MD5: 91e646da65c6d283bca4c9566cadd8c1
SHA256: fe36911d62d27b80e30bcdaac05e4891df03aa6f1c901f710f7007cd9e449c89
2544
setup.exe
C:\WINDOWS\SAS1.CAB
compressed
MD5: 02cffccc4acb24d4b1ad8d35564fe24c
SHA256: de70354149163c0b4d164d540db846db34f693fca36d0fec521f9488eb74a5a9
2544
setup.exe
C:\WINDOWS\SETUP.LST
text
MD5: a7942a278617a07475aba83f2d5e8651
SHA256: 911e176a2a3b9f9c6bb3b1fdd00e23bf06f8c41d2882f67f2a189cabc64b33de
2544
setup.exe
C:\WINDOWS\ST6UNST.000
text
MD5: 36756bd4e2c2910566236050c1867b05
SHA256: f2d6d70e31ff83e084d8be509d525f2af9828bcd7f759b42d3b952bbab8edde8
2544
setup.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ST6UNST Uninstaller.LNK
lnk
MD5: 1fbd3f2783516c2e504539e1b216bb9a
SHA256: 05cfa248f44fc96595aa30311274f37c37bf81b1981568266958ba36345be776
3204
sasi.exe
C:\Users\admin\AppData\Local\Temp\RarSFX0\SAS5.CAB
compressed
MD5: e95f93abd37e6d4c4f74c57540cdf628
SHA256: c7ff2955e260015db07c38b3ae6fe2063bb00f8020ff359d41dbec47bb413835
3204
sasi.exe
C:\Users\admin\AppData\Local\Temp\RarSFX0\SAS4.CAB
compressed
MD5: 17940765cef516f3381692985473adaa
SHA256: bc1fca036e3319672e7110d0f633d3fd3ddd4cb45989bece99307b12cb6071d1
3204
sasi.exe
C:\Users\admin\AppData\Local\Temp\RarSFX0\SAS3.CAB
compressed
MD5: 91e646da65c6d283bca4c9566cadd8c1
SHA256: fe36911d62d27b80e30bcdaac05e4891df03aa6f1c901f710f7007cd9e449c89
3204
sasi.exe
C:\Users\admin\AppData\Local\Temp\RarSFX0\SAS2.CAB
compressed
MD5: 12d8bd4f02bff041080880ab7313d6e6
SHA256: 6a7f036139654817ba4c5526c7fadbc20a3a131fd86bef70c2eb04bdb861940e
3204
sasi.exe
C:\Users\admin\AppData\Local\Temp\RarSFX0\SAS1.CAB
compressed
MD5: 02cffccc4acb24d4b1ad8d35564fe24c
SHA256: de70354149163c0b4d164d540db846db34f693fca36d0fec521f9488eb74a5a9
3432
Setup1.exe
C:\WINDOWS\ST6UNST.000
text
MD5: c81dd074c079017629a4cdf052b40139
SHA256: 80680d0e488faa04b24394edbf81d3f3e6ca20c77f5f6de3891e602cacc20cb6

Network activity

HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

No network activity.

Debug output strings

Process Message
setup.exe Ending BRC
setup.exe Ending BRC
setup.exe Ending BRC
setup.exe Ending BRC
setup.exe Ending BRC
setup.exe Ending BRC
setup.exe Ending BRC
setup.exe Ending BRC
setup.exe Ending BRC
setup.exe Ending BRC
setup.exe Ending BRC
setup.exe Ending BRC
setup.exe Ending BRC
setup.exe Ending BRC
setup.exe Ending BRC
setup.exe Ending BRC
setup.exe Ending BRC
setup.exe Ending BRC
setup.exe Ending BRC
setup.exe Ending BRC
setup.exe Ending BRC
setup.exe Ending BRC
setup.exe Ending BRC
setup.exe Ending BRC
setup.exe Ending BRC
setup.exe Ending BRC
setup.exe Ending BRC
setup.exe Ending BRC
setup.exe Ending BRC
setup.exe Ending BRC