| File name: | InstalliCUE.exe |
| Full analysis: | https://app.any.run/tasks/f293e8ab-7b78-4ed9-af78-49363f4e2251 |
| Verdict: | Malicious activity |
| Analysis date: | September 07, 2024, 12:19:01 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows |
| MD5: | 1731FE31DFEFBC818BAC666FDBB3FFF0 |
| SHA1: | F134334277615A0F501D99FEE9D531F3CC36D070 |
| SHA256: | C9C0591382B3B85238F5FB0638EA3FF45734E48C9C0AC316DA8954B6CD0C6ACE |
| SSDEEP: | 49152:znLogGWAjgQSCbnUuQ2BP4lB0r307yuCsEUdvIhO3lUpjAg4RiDK/XjYYkSgGs+S:znLogGWAjgQSCbnUuQoPeB0rNbK/sas |
| .exe | Win64 Executable (generic) (87.3) |
|---|---|
| .exe | Generic Win/DOS Executable (6.3) |
| .exe | DOS Executable Generic (6.3) |
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2024:07:04 07:43:04+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.29 |
| CodeSize: | 1329152 |
| InitializedDataSize: | 2012160 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1048fc |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.13.10.0 |
| ProductVersionNumber: | 1.13.10.0 |
| FileFlagsMask: | 0x0017 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | 1 |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| CompanyName: | Corsair |
| FileDescription: | Corsair iCUE Installer |
| FileVersion: | 1.13.10 |
| InternalName: | Corsair iCUE Primary Installer |
| LegalCopyright: | Corsair Memory, Inc. © 2023, All rights reserved |
| ProductName: | Corsair iCUE |
| ProductVersion: | 1.13.10 |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 1616 | "C:\ProgramData\Corsair\iCUE5 Initial Installer\manager\cuepkg.exe" --installdir="C:\ProgramData\Corsair\iCUE5 Initial Installer\packages" update | C:\ProgramData\Corsair\iCUE5 Initial Installer\manager\cuepkg.exe | | InstalliCUE.exe | admin | Corsair Memory, Inc. | HIGH | iCUE Package Manager | 0 | 1.18.21 |
| 1920 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cuepkg.exe | admin | Microsoft Corporation | HIGH | Console Window Host | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 1932 | "C:\ProgramData\Corsair\iCUE5 Initial Installer\manager\cuepkg.exe" --version | C:\ProgramData\Corsair\iCUE5 Initial Installer\manager\cuepkg.exe | — | InstalliCUE.exe | admin | Corsair Memory, Inc. | HIGH | iCUE Package Manager | 0 | 1.18.21 |
| 2056 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | taskkill.exe | admin | Microsoft Corporation | HIGH | Console Window Host | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 2232 | "C:\ProgramData\Corsair\iCUE5 Initial Installer\manager\cuepkg.exe" --installdir="C:\ProgramData\Corsair\iCUE5 Initial Installer\packages" init | C:\ProgramData\Corsair\iCUE5 Initial Installer\manager\cuepkg.exe | — | InstalliCUE.exe | admin | Corsair Memory, Inc. | HIGH | iCUE Package Manager | 0 | 1.18.21 |
| 2572 | taskkill /F /IM cuepkg.exe /T | C:\Windows\System32\taskkill.exe | — | InstalliCUE.exe | admin | Microsoft Corporation | HIGH | Terminates Processes | 128 | 10.0.19041.1 (WinBuild.160101.0800) |
| 3140 | taskkill /F /IM cuepkg.exe /T | C:\Windows\System32\taskkill.exe | — | InstalliCUE.exe | admin | Microsoft Corporation | HIGH | Terminates Processes | 128 | 10.0.19041.1 (WinBuild.160101.0800) |
| 3244 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | taskkill.exe | admin | Microsoft Corporation | HIGH | Console Window Host | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 3292 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cuepkg.exe | admin | Microsoft Corporation | HIGH | Console Window Host | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 3384 | taskkill /F /IM cuepkg.exe /T | C:\Windows\System32\taskkill.exe | — | InstalliCUE.exe | admin | Microsoft Corporation | HIGH | Terminates Processes | 128 | 10.0.19041.1 (WinBuild.160101.0800) |
| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 6988 | InstalliCUE.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix | |
| 6988 | InstalliCUE.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie: |
| 6988 | InstalliCUE.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited: |
| 6988 | InstalliCUE.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Corsair\iCUE5\Privacy | write | DataCollectionConsent | 1 |
| 6988 | InstalliCUE.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Corsair\iCUE5\Privacy | write | DataCollectionConsentTimestamp | Sat, 07 Sep 2024 12:19:20 +0000 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 6988 | InstalliCUE.exe | C:\ProgramData\Corsair\iCUE5 Initial Installer\manager\cuepkg.zip | compressed | 1D52D8BB0D0BD60B0E64EFFAB205526C | E933BAC8D23E6743C52846F5334BEB6FFFBD788341BF16DE7BFA569E5E61AA7F |
| 6988 | InstalliCUE.exe | C:\ProgramData\Corsair\iCUE5 Initial Installer\manager\api-ms-win-core-console-l1-2-0.dll | executable | 57193BFBCCEFE3D5DF8C1A0D27C4E8D4 | F5025E74DE2C1C6EA74E475B57771AC32205E6F1FA6A0390298BBE1F4049AC5D |
| 6988 | InstalliCUE.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\terms-of-use[2].htm | html | 78019EE9CCD1CF08CCB425C6E41F6170 | 9696506D1282BDA0139BAF1320DA8527E4B8FCC34FCB3763716AF90ADE73A3DC |
| 6988 | InstalliCUE.exe | C:\ProgramData\Corsair\iCUE5 Initial Installer\manager\cuepkg.zip.sha2 | text | 0500BF932B104CC6190C887A344E68A9 | 851EEDD77D14D9658D1274F714B1D83E803A3EBB47B9C1B6D22BADDA8B681BC9 |
| 6988 | InstalliCUE.exe | C:\ProgramData\Corsair\iCUE5 Initial Installer\manager\api-ms-win-core-handle-l1-1-0.dll | executable | D1DF480505F2D23C0B5C53DF2E0E2A1A | 0B3DFB8554EAD94D5DA7859A12DB353942406F9D1DFE3FAC3D48663C233EA99D |
| 6988 | InstalliCUE.exe | C:\ProgramData\Corsair\iCUE5 Initial Installer\manager\api-ms-win-core-datetime-l1-1-0.dll | executable | 557405C47613DE66B111D0E2B01F2FDB | 913EAAA7997A6AEE53574CFFB83F9C9C1700B1D8B46744A5E12D76A1E53376FD |
| 6988 | InstalliCUE.exe | C:\ProgramData\Corsair\iCUE5 Initial Installer\manager\api-ms-win-core-console-l1-1-0.dll | executable | 07EBE4D5CEF3301CCF07430F4C3E32D8 | 8F8B79150E850ACC92FD6AAB614F6E3759BEA875134A62087D5DD65581E3001F |
| 6988 | InstalliCUE.exe | C:\ProgramData\Corsair\iCUE5 Initial Installer\manager\api-ms-win-core-errorhandling-l1-1-0.dll | executable | 2DB5666D3600A4ABCE86BE0099C6B881 | 46079C0A1B660FC187AAFD760707F369D0B60D424D878C57685545A3FCE95819 |
| 6988 | InstalliCUE.exe | C:\ProgramData\Corsair\iCUE5 Initial Installer\manager\api-ms-win-core-file-l1-1-0.dll | executable | 0F7D418C05128246AFA335A1FB400CB9 | 5C9BC70586AD538B0DF1FCF5D6F1F3527450AE16935AA34BD7EB494B4F1B2DB9 |
| 6988 | InstalliCUE.exe | C:\ProgramData\Corsair\iCUE5 Initial Installer\manager\api-ms-win-core-file-l1-2-0.dll | executable | 5A72A803DF2B425D5AAFF21F0F064011 | 629E52BA4E2DCA91B10EF7729A1722888E01284EED7DDA6030D0A1EC46C94086 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5796 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 301 | 107.154.248.100:443 | https://www.corsair.com/ww/en/terms-of-use | unknown | — | — | — |
6012 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 301 | 107.154.248.100:443 | https://www.corsair.com/ww/en/terms-of-use | unknown | — | — | — |
2120 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 301 | 107.154.248.100:443 | https://www.corsair.com/ww/en/terms-of-use | unknown | — | — | — |
— | — | GET | 302 | 107.154.248.100:443 | https://www.corsair.com/s/terms-of-use | unknown | — | — | — |
— | — | GET | 302 | 107.154.248.100:443 | https://www.corsair.com/s/terms-of-use | unknown | — | — | — |
— | — | GET | 302 | 107.154.248.100:443 | https://www.corsair.com/s/terms-of-use | unknown | — | — | — |
— | — | GET | 200 | 95.100.135.89:443 | https://www3.corsair.com/software/CUE_V5/public/modules/icue_initial_installer.json | unknown | binary | 303 b | — |
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
5796 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
6012 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2120 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5796 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
6012 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
2120 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
6988 | InstalliCUE.exe | 107.154.248.100:443 | www.corsair.com | INCAPSULA | US | whitelisted |
6988 | InstalliCUE.exe | 95.100.135.51:443 | www3.corsair.com | Akamai International B.V. | NL | whitelisted |
6988 | InstalliCUE.exe | 184.25.158.35:443 | cwsmgmt.corsair.com | AKAMAI-AS | DE | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| settings-win.data.microsoft.com | | whitelisted |
| google.com | | whitelisted |
| www.microsoft.com | | whitelisted |
| www3.corsair.com | | whitelisted |
| cwsmgmt.corsair.com | | whitelisted |
| www.corsair.com | | whitelisted |
| api.ipregistry.co | | unknown |
PID | Process | Class | Message |
|---|---|---|---|
2256 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] IP Geolocation and Threat Intelligence (api .ipregistr y.co) |