Analysis
| Category | Package | Started | Completed | Duration | Options | Log(s) |
|---|---|---|---|---|---|---|
| FILE | exe | 2025-06-11 05:51:24 | 2025-06-11 06:08:47 | 1043 seconds | Show Options | Show Analysis Log |
procmemdump=1
import_reconstruction=1
unpacker=2
no-iat=1
2024-11-25 13:37:15,084 [root] INFO: Date set to: 20250611T05:35:40, timeout set to: 1000 2025-06-11 06:35:40,142 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8 2025-06-11 06:35:40,142 [root] DEBUG: Storing results at: C:\iHGxVoR 2025-06-11 06:35:40,142 [root] DEBUG: Pipe server name: \\.\PIPE\tineYgyrZZ 2025-06-11 06:35:40,142 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32 2025-06-11 06:35:40,142 [root] INFO: analysis running as an admin 2025-06-11 06:35:40,142 [root] INFO: analysis package specified: "exe" 2025-06-11 06:35:40,142 [root] DEBUG: importing analysis package module: "modules.packages.exe"... 2025-06-11 06:35:41,080 [root] DEBUG: imported analysis package "exe" 2025-06-11 06:35:41,080 [root] DEBUG: initializing analysis package "exe"... 2025-06-11 06:35:41,095 [lib.common.common] INFO: wrapping 2025-06-11 06:35:41,111 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation 2025-06-11 06:35:41,127 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\ieinstal.exe 2025-06-11 06:35:41,127 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option 2025-06-11 06:35:41,127 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option 2025-06-11 06:35:41,127 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option 2025-06-11 06:35:41,127 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option 2025-06-11 06:35:41,330 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser" 2025-06-11 06:35:41,345 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig" 2025-06-11 06:35:41,376 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise" 2025-06-11 06:35:41,392 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human" 2025-06-11 06:35:41,408 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops' 2025-06-11 06:35:41,408 [lib.api.screenshot] ERROR: No module named 'PIL' 2025-06-11 06:35:41,408 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots" 2025-06-11 06:35:41,423 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump" 2025-06-11 06:35:41,423 [root] DEBUG: Initialized auxiliary module "Browser" 2025-06-11 06:35:41,423 [root] DEBUG: attempting to configure 'Browser' from data 2025-06-11 06:35:41,423 [root] DEBUG: module Browser does not support data configuration, ignoring 2025-06-11 06:35:41,423 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"... 2025-06-11 06:35:41,423 [root] DEBUG: Started auxiliary module modules.auxiliary.browser 2025-06-11 06:35:41,423 [root] DEBUG: Initialized auxiliary module "DigiSig" 2025-06-11 06:35:41,423 [root] DEBUG: attempting to configure 'DigiSig' from data 2025-06-11 06:35:41,423 [root] DEBUG: module DigiSig does not support data configuration, ignoring 2025-06-11 06:35:41,439 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"... 2025-06-11 06:35:41,439 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature 2025-06-11 06:35:41,658 [modules.auxiliary.digisig] DEBUG: File is not signed 2025-06-11 06:35:41,658 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json 2025-06-11 06:35:41,658 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig 2025-06-11 06:35:41,658 [root] DEBUG: Initialized auxiliary module "Disguise" 2025-06-11 06:35:41,658 [root] DEBUG: attempting to configure 'Disguise' from data 2025-06-11 06:35:41,658 [root] DEBUG: module Disguise does not support data configuration, ignoring 2025-06-11 06:35:41,658 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"... 2025-06-11 06:35:41,673 [modules.auxiliary.disguise] INFO: Disguising GUID to 4e0ace9a-f7be-432b-8f53-02acbe52f1bb 2025-06-11 06:35:41,673 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise 2025-06-11 06:35:41,673 [root] DEBUG: Initialized auxiliary module "Human" 2025-06-11 06:35:41,673 [root] DEBUG: attempting to configure 'Human' from data 2025-06-11 06:35:41,673 [root] DEBUG: module Human does not support data configuration, ignoring 2025-06-11 06:35:41,673 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"... 2025-06-11 06:35:41,673 [root] DEBUG: Started auxiliary module modules.auxiliary.human 2025-06-11 06:35:41,673 [root] DEBUG: Initialized auxiliary module "Screenshots" 2025-06-11 06:35:41,673 [root] DEBUG: attempting to configure 'Screenshots' from data 2025-06-11 06:35:41,673 [root] DEBUG: module Screenshots does not support data configuration, ignoring 2025-06-11 06:35:41,673 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"... 2025-06-11 06:35:41,673 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled 2025-06-11 06:35:41,673 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots 2025-06-11 06:35:41,673 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets" 2025-06-11 06:35:41,673 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data 2025-06-11 06:35:41,673 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring 2025-06-11 06:35:41,673 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"... 2025-06-11 06:35:41,673 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696 2025-06-11 06:35:41,705 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini 2025-06-11 06:35:41,705 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor 2025-06-11 06:35:41,705 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor 2025-06-11 06:35:41,705 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor 2025-06-11 06:35:41,705 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor 2025-06-11 06:35:41,705 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor 2025-06-11 06:35:41,705 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\jjqMgZX.dll, loader C:\tmp_gell1p8\bin\rDdUwvQt.exe 2025-06-11 06:35:41,767 [root] DEBUG: Loader: IAT patching disabled. 2025-06-11 06:35:41,767 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\jjqMgZX.dll. 2025-06-11 06:35:41,783 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'. 2025-06-11 06:35:41,783 [root] INFO: Disabling sleep skipping. 2025-06-11 06:35:41,783 [root] DEBUG: 696: Full process memory dumps enabled. 2025-06-11 06:35:41,783 [root] DEBUG: 696: Import reconstruction of process dumps enabled. 2025-06-11 06:35:41,783 [root] DEBUG: 696: Active unpacking of payloads enabled 2025-06-11 06:35:41,783 [root] DEBUG: 696: TLS secret dump mode enabled. 2025-06-11 06:35:41,798 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542 2025-06-11 06:35:41,814 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable 2025-06-11 06:35:41,814 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0 2025-06-11 06:35:41,814 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 2516, image base 0x00007FF60D500000, stack from 0x0000008EFAA74000-0x0000008EFAA80000 2025-06-11 06:35:41,814 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe 2025-06-11 06:35:41,830 [root] DEBUG: 696: Hooked 5 out of 5 functions 2025-06-11 06:35:41,830 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread. 2025-06-11 06:35:41,830 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\jjqMgZX.dll. 2025-06-11 06:35:41,830 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe> 2025-06-11 06:35:41,830 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump 2025-06-11 06:35:47,236 [root] INFO: Restarting WMI Service 2025-06-11 06:35:49,314 [root] DEBUG: package modules.pack <truncated>
Machine
| Name | Label | Manager | Started On | Shutdown On | Route |
|---|---|---|---|---|---|
| win10-2 | win10-2 | KVM | 2025-06-11 05:51:24 | 2025-06-11 06:08:28 | none |
File Details
| File Name |
ieinstal.exe
|
|---|---|
| File Type | PE32+ executable (GUI) x86-64, for MS Windows |
| File Size | 500736 bytes |
| MD5 | 58646b0c0417c0e01becb6c922c0c10a |
| SHA1 | 1b258676756a6594722c0c4f476a59f2e1b86646 |
| SHA256 | a57b027f6619281b920503c26a30fa3daefc874be3fc31257f63106f7a434643 [VT] [MWDB] [Bazaar] |
| SHA3-384 | 8509e23d65c6f609a65a9852695fe8d59527d258df830d64400b0bf1beb571d4e5a331aa2a28849f88c277a3d1d594c2 |
| CRC32 | FF5CBE33 |
| TLSH | T12AB47CD7B14C90F4E8664934483A4C259A76BD8D03442BDF3687BB4E1FB71C2AD36A83 |
| Ssdeep | 6144:ecaYwZJs+DsBwfw1rOt9pdYamXnrdbMKw7w1rOt9pdYamXnrdbMKw:ecaN6EFI5OLpdNIrd4Ds5OLpdNIrd4D |
| PE | File Strings BinGraph Vba2Graph VirusTotal |
D$@H!t$0H
PA_A^A]A\_^]
\j.~C
SetSecurityDescriptorDacl
l$ VWAVH
@.data
Software\Policies\Microsoft\Internet Explorer\Main\AllowAxisCharacter
LocalAlloc
@U@E@
.idata$6
(=Xen
{00000000-0000-0000-0000-000000000000}
L$89t$@u$H;
N_7>:62|
iscntrl
<assemblyIdentity
.idata$4
version="6.0.0.0"
g"lxO/
/imG
D$`E3
</trustInfo>
fE9,pu
A_A^A]A\^[]
GetStartupInfoW
ReleaseMutex
u@H!\$(H
GetTokenInformation
L$ SUVWH
o7!o2
__dllonexit
ec#KW-
9dtrRuLL
7zc9HZ
D$HE3
\$09)
D'g7<p
CreateSemaphoreExW
L!|$0E3
9\uRf
lstrcmpA
u*9Q<|%
Contains
InitializeSecurityDescriptor
r4A\p
CheckTokenMembership
IconReference
qnh,"
wcsrchr
sME0O@
t$ UWAVH
A_A^A\_^][
L$HA;
Files
FileVersion
:||l;
LcT$(H
InstalledVersion
HcD$ H
`Rj,F
Ef];kXSv
D$PE3
nnqqqqqzqqqojiUR:
(6"r~
@USVATAUAVAWH
p&7a`
RegSetValueExW
__C_specific_handler
AA\3U
x|m_(
f9<Au
p AWH
CoImpersonateClient
.4199
cUvPD9S
Software\Policies\Microsoft\Internet Explorer\Main
t"H9>t
0A_A^A]A\_^]
rand_s
(caller: %p)
i;'+Q
PCt%X
+F7oY
CLSIDFromString
<application>
RPCRT4.dll
OpenProcess
?b[sWH3_Js\i
%s\%s
SetEntriesInAclW
StringFromGUID2
yCVds3
CreateEventW
__set_app_type
"6{(;:l
)EFGs
DownloadInformation
memcpy_s
~iSRR
ph\/O
.text$mn$00
GetVersionExA
t$ WH
}G/-4X
VWAVH
7+A,jB
;!nB~
LocalizedString
SetLastError
]8ocHU
.rsrc$01
IDATx
w\H9GPuV
IDATx8b
CallContext:[%hs]
DebugBreak
D$@H!|$0
CoInitializeSecurity
GetAce
040904B0
/j@-
Microsoft Corporation
LoadLibraryExW
F>}xv~60
LocalServer32
RegDeleteValueW
D$pE3
D!t$$H
)'hNV`
H-gZeT
ICDRegOCX%u
_XcptFilter
4CEHH90
L$ UWAVH
Ym9L.q
MO=xpF
0A_A^A]A\]
_lock
!yP]!E
taH!\$XH
lstrcmpiW
>HcQ<
V=X|S
HcA<H
CoTaskMemAlloc
lRwSjH4_?
A_A^A]A\_^]
GetThreadContext
v5"V%`
L9sHs@
CreateActCtxW
CoInitialize
CreateMutexExW
t"D8=G
VirtualAlloc
L$XL+
GetTempPathA
\F= &
A_A^]
language="*"
AppID
?Wz;'
_initterm
fE94Gu
DeleteFileW
CoInitializeEx
H!\$@3
RpcStringFreeW
t^@8=$
.idata$5
'5`T$
^%#!$c
name="Microsoft.Windows.Common-Controls"
fF{LD
LeaveCriticalSection
fD94yu
Distribution Units
Ytl=P
HeapAlloc
cF_l:
g?{.<:M?
ieinstal.exe
GetFinalPathNameByHandleW
Uoh_z
|Vb'_$
*P-@,
WideCharToMultiByte
L$ SVWH
.pdata
RegQueryValueExW
wcschr
iswcntrl
/ *hF
E'pNV`
VarFileInfo
VWAUAVAWH
FindFirstFileA
y)5gk
Microsoft Corporation. All rights reserved.
_fmode
.data$brc
L$PH3
Expire
H3E H3E
InternalName
B7H5N
&7l\;
</requestedPrivileges>
2i\H*Ut
CryptCATAdminAddCatalog
f9<pu
.text$yd
-PID:
sV.]h
fD9&u
-UNREGSERVER
\8CiB
fAoaO.
"Fd03
\?PQd
_vsnwprintf
ResumeThread
C8<'u
comctl32.dll
.rsrc$02
PA_A^_^]
LcA<E3
j!W\!
CreateFileW
_unlock
-REGSERVER
"\3%O
SetEvent
B843u
M7?83?
AllocateAndInitializeSid
L$XE3
_exit
%u.Hcs
RegQueryValueExA
(D$`f
CopyFileW
\nrh{yo
processorArchitecture="*"
Local\SM0:%d:%d:%hs
ReleaseActCtx
en-US
tT9t$@u)H9t$8r"A
Extract
@.rsrc
RegGetValueW
<dependency>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
VB$h&
0A^_^
FindNextFileA
OLEAUT32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage
u$HHt}
fA98t
Oc|l?
fA,.v'
.text$di
FindClose
FormatMessageW
n ,m@
</application>
XqS0wP)
fE;>u
z1|T-
REG_EXPAND_SZ
8#8v"
$,&<?w
l$ E3
m[$DUo
%hs!%p:
GetFileAttributesA
VWATAVAWH
LegalCopyright
CoUninitialize
<!-- Copyright (c) Microsoft Corporation -->
0A_A^A\_^
A_A^A]A\_
fD9lu
GetCurrentProcessId
Enabled
p WAVAWH
RegCreateKeyExW
f98ucH
ConvertStringSidToSidW
k"/W#
DeleteCriticalSection
VirtualQuery
RaiseException
;BDDNRRGE;
|iqfni
.5|M@
x)?;W
K32GetModuleBaseNameW
RtlCaptureContext
'1j'CP
;|$Pr
f9{bu
/REGSERVER
CoCreateInstance
D9F0t
D$`L9o
type="win32"
9}M|I6"Q
pkH*I%!
DuplicateHandle
InitOnceExecuteOnce
x ATAVAWH
SetFileAttributesA
WaitForSingleObjectEx
@A_A^A]A\_^]
GLV^k
GetFileAttributesW
FlushInstructionCache
N,S-$
IK|qrf
Xkq;!
CoInternetSetFeatureEnabled
%.08X
xJOo9
EqualSid
Xc$3F
RegOverridePredefKey
KS.\h
.rdata$zzzdbg
RemoveDirectoryA
RegCreateKeyA
)L$0A
Security_HKLM_Only
</compatibility>
W"cC"
RegCreateKeyW
LoadStringW
TMk:i
tyD95F
WAVAWH
LIDATHD
AdvInstallFileW
.CRT$XIA
.rdata
GetLengthSid
DllRegisterServer
fA;>t
CoTaskMemFree
Precache
RegDeleteKeyW
wtP<W
@j[U0
1|ne$
AuthzInitializeResourceManager
{g9?
RegOpenKeyExA
kb8@/<
Unknown Owner
A_A^_
.CRT$XIZ
Software\Microsoft\Internet Explorer\Main\AllowAxisCharacter
D$$I;
9ksF.$B
fB9<;
^gH6+D
`<t0k
x UAVAWH
+!=r<
fD9,Au
IEAdvpack.Dll
I;IHM
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
H!|$PH
CoRevertToSelf
FileDescription
VirtualFree
!This program cannot be run in DOS mode.
Msg:[%ws]
urlmon.dll
A_A^A\
\$ UVWH
WaitForSingleObject
u@H!\$0H
Lct$$H
Software\Microsoft\Windows\CurrentVersion\RunOnce
ThreadingModel
11.00.17763.1
ServerExecutable
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
UWATAVAWH
FilesFlags
D$HH!|$HH
GetModuleFileNameA
L9K@t
ntdll.dll
y;I1V2
w>Lds
WinVerifyTrust
USER32.dll
GetCurrentThread
t$8E3
AUTHZ.dll
SetProcessShutdownParameters
+?~fQd
&I`&p
InitializeCriticalSection
A_A^A\_^
UVAVH
6wi g"
memcpy
.idata$3
z2@X}|2
H;B`u
D$ fD
-CLSID:
L9{@u
OpenSemaphoreW
AuthzInitializeContextFromSid
__wgetmainargs
l$0E3
d6y=%aj
mP{4f
IDI_APPICON
9.t$f
=0@+Z
HeapSetInformation
u$L97t
RtlLookupFunctionEntry
SetThreadContext
f9H\u
EnterCriticalSection
H!|$8H
.CRT$XCU
$DkynC&
#f{fp
internal\sdk\inc\wil\resource.h
S D9s
RtlDllShutdownInProgress
\$ E3
D$(E3
<description>IE Admin Broker</description>
W6\2)Q
0-ZZW$
]jR@CG
CLSID
[%hs(%hs)]
<44GZ
QueryPerformanceCounter
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
TIQk?
<security>
4GaPl
:s]W:
t$0E3
=DNbfjnnjojutrR;
rundll32.exe IEAdvpack.dll,RegisterOCX %s
RunAs
CryptCATAdminReleaseCatalogContext
/UNREGSERVER
msvcrt.dll
lstrcmpiA
CoGetCallContext
StringFileInfo
L$(E3
%hs(%d) tid(%x) %08X %ws
D$(H!t$ 3
x4fD9&u
0A_A^A]A\_
D95=n
ole32.dll
f9,Fu
GetCurrentProcess
SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls
ieinstal.pdb
AuthzFreeResourceManager
UVWAVAWH
(_^][
L$0E3
D9=W-
H;BXu&I
__setusermatherr
H!t$8H
UATAUAVAWH
HeapFree
M0fD;!I
Nvgf_
oc)/!
GetTickCount
PA^^]
iswascii
iertutil.dll
!9q(1
D$(H!|$ L
A_A^A\_]
OSzR*/
SetProcessDPIAware
.text$mn
,-1002
LocalFree
user32.dll
CoInternetCreateSecurityManager
fD9<xu
.CRT$XIY
H\}^C|
D$8E3
CODEBASE
TerminateProcess
</assembly>
wcstok_s
D95jn
publicKeyToken="6595b64144ccf1df"
fLfgqC
Translation
/>
s;fD9
%ProgramFiles%\Internet Explorer\
h VWATAVAWH
WinTrust.Dll
Ay$?5
SuspendThread
Elevation
Dk/"d
$.Mwe~
6UK89'
u'r>V`
Uoynx
~/kH"
UWAVH
6hynd
MultiByteToWideChar
WilError_02
%rHT Gn
=tlHA
znRD1
T$8H!t$8H
FTPO
^b{"-.
:96.G
GetSecurityDescriptorSacl
!KCQ&
vMO!d@c
),G2Xj
wcsncmp
11.00.17763.1 (WinBuild.160101.0800)
@,$b'
g(xuR9
T$@E3
<dependentAssembly>
ProductVersion
WV9..u;3
Z0SUc"
D$@E3
.text$x
Juj%
OutputDebugStringW
_wtoi
cv`eh
DF443333130
7#Q~</
w`'z?
<requestedPrivileges>
ReturnHr
DE4/4////////---
MSICD
IsValidSid
_onexit
L$HH3
LastCheckedHi
A^_^
.CRT$XIAA
CryptCATAdminAcquireContext
jf0$3
GetModuleHandleW
fD9<Au
WINTRUST.dll
type="win32"/>
<assemblyIdentity version="5.1.0.0"
/Pgqv
RedirectToHKCU
actxprxy.dll
AuthzAccessCheck
5]1LrT
S"-t;y
L$ E3
(z!H "
>[A_-
UuidCreate
@A^_]
IsDebuggerPresent
Qtk@<
.giats
kernelbase.dll
AvailableVersion
DeleteFileA
D$0E3
`+"K6
qf9;u
~VL!E
zCS8$
RtlVirtualUnwind
Installer
99tyH
.idata$2
RegSetValueExA
_wcmdln
o7!kP6
\UNC\
x AVH
CreateProcessW
GetModuleFileNameW
i@<0z
'C&#PU
@SUVWATAVAWH
ActivateActCtx
OriginalFilename
WATAUAVAWH
RaiseFailFastException
<requestedExecutionLevel level="asInvoker" />
/RegServer
IDAT(
</dependentAssembly>
*UU_/
A_A^A]_^
UuidToStringW
H!|$XA
.ENNNG.
D$hD90t
K UWATAVAWH
%s%s%d.tmp
@M5@]
-Embedding
@7VST
GetExitCodeThread
A_A^A]A\_
|$ E3
.CRT$XCA
.CRT$XCAA
.xdata
s2_Mb
{x5s!
</dependency>
.gfids
CompanyName
yebbe
,-1001
+?@(IJ
8"v9`
KERNEL32.dll
\$ UH
@Y2|Y1
fD94Au
DU`@]
s/;{2
hpzzzz
ADVAPI32.dll
processorArchitecture="amd64"
CompatFlagsFromClsid
fD9,Wu
AuthzFreeContext
%hs(%d)\%hs!%p:
GetFullPathNameW
CreateThread
fE94Du
L9{0t#H
.00cfg
CoRevokeClassObject
name="ieinstal"
k/<kt
T$8H!\$8
UnhandledExceptionFilter
yiO<W
FreeLibrary
GetModuleHandleExW
@SUVWH
REG_SZ
f9,Cu
FailFast
UVWATAUAVAWH
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
%s\[%d]%s
D$8fD9
_cexit
CloseHandle
L$8E3
k}j=G
I?(((()(((
@.reloc
_vsnprintf
fE9tE
OpenThreadToken
M{Kbs
%s\%s.dat
dtrRH
FreeSid
sSPNE
|$0E3
UVWAUAVH
D$0L;
9;tVH
f9,Yu
VirtualProtect
RegOpenCurrentUser
uB!t$PH
D$@L+
RSDS8
t$ WATAUAVAWH
CreateWellKnownSid
VS_VERSION_INFO
GetLastError
GetCurrentThreadId
_commode
9>&4r
D9K(t
GetSystemTimeAsFileTime
x UATAUAVAWH
=xlrrfF
A_A^_^]
LogHr
wsL>W
_amsg_exit
*Bf+1=
ARREc
RegEnumValueW
.CRT$XCZ
H!] 9
?terminate@@YAXXZ
*kf["
u HcA<H
zzzqqiiPE
PostQuitMessage
OP=*+\
RunSetupCommandW
GetKernelObjectSecurity
V9fB0,
Internet Explorer
CoRegisterClassObject
CryptCATAdminReleaseContext
0Z ET:?
SFA]$
Exception
GetProcessHeap
j`;OmO
Sleep
fD94Gu
|$HE3
x\3.N,:
LanguageCheckPeriod
Software\Microsoft\Code Store Database\Distribution Units
L$(f9
CharNextW
<!--The ID below indicates application support for Windows 8 -->
.Xz5}
SetUnhandledExceptionFilter
_ji6W
D$`D9'
.data
PA^A]_^]
t$ UWATAVAWH
Internet Explorer Add-on Installer
T$$D!t$ H
D$ E3
A_A^A]A\]
.text
'fhimmmhf+%
t=nB1
DeactivateActCtx
~UqO--
CopySid
</security>
[au{K
XHkyH
SystemComponent
memset
[%hs]
`.rdata
Software\Classes
tVc\X
EiCDhp
wEhXt
l$PD9)
\\?\Volume
CreateFileA
.rdata$brc
.Owner
H!\$`H
RegCloseKey
RegOpenKeyExW
ReleaseSemaphore
iswalpha
^8>Oa
LastModified
0A_A^A\_]
CreateDirectoryExA
\$ UVWAVAWH
GetProcAddress
-Iu.)
mO4x2o
ProductName
_wcsnicmp
4\Tu&
PE Information
| Image Base | Entry Point | Reported Checksum | Actual Checksum | Minimum OS Version | PDB Path | Compile Time | Import Hash | Icon | Icon Exact Hash | Icon Similarity Hash | Icon DHash |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 0x140000000 | 0x0000e2a0 | 0x0008a1f2 | 0x0008a1f2 | 10.0 | ieinstal.pdb | 1977-02-28 18:19:02 | c5ac1a1fe6c548914c7dbcc2bc5db3a9 |  |
eb5bdba0f37ca7b9760ed1f2fd6c654f | ce0306991cc42cb5bc77277d6708f0ca | c2e1cc9cecd9e366 |
Version Infos
| CompanyName | Microsoft Corporation |
|---|---|
| FileDescription | Internet Explorer Add-on Installer |
| FileVersion | 11.00.17763.1 (WinBuild.160101.0800) |
| InternalName | ieinstal.exe |
| LegalCopyright | รยฉ Microsoft Corporation. All rights reserved. |
| OriginalFilename | ieinstal.exe |
| ProductName | Internet Explorer |
| ProductVersion | 11.00.17763.1 |
| Translation | 0x0409 0x04b0 |
Sections
| Name | RAW Address | Virtual Address | Virtual Size | Size of Raw Data | Characteristics | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x00000400 | 0x00001000 | 0x0000db1e | 0x0000dc00 | IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ | 6.20 |
| .rdata | 0x0000e000 | 0x0000f000 | 0x00005dd8 | 0x00005e00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.34 |
| .data | 0x00013e00 | 0x00015000 | 0x0000095c | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE | 0.58 |
| .pdata | 0x00014000 | 0x00016000 | 0x00000a38 | 0x00000c00 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 4.32 |
| .rsrc | 0x00014c00 | 0x00017000 | 0x000650b8 | 0x00065200 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ | 5.67 |
| .reloc | 0x00079e00 | 0x0007d000 | 0x000004a0 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ | 4.64 |
| Name | Offset | Size | Language | Sub-language | Entropy | File type |
|---|---|---|---|---|---|---|
| MUI | 0x0007bfe8 | 0x000000d0 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.64 | None |
| RT_ICON | 0x00018048 | 0x00000668 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.95 | None |
| RT_ICON | 0x000186b0 | 0x000002e8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.39 | None |
| RT_ICON | 0x00018998 | 0x000001e8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.43 | None |
| RT_ICON | 0x00018b80 | 0x00000128 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.38 | None |
| RT_ICON | 0x00018ca8 | 0x00000ea8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.21 | None |
| RT_ICON | 0x00019b50 | 0x000008a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.88 | None |
| RT_ICON | 0x0001a3f8 | 0x000006c8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.93 | None |
| RT_ICON | 0x0001aac0 | 0x00000568 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.43 | None |
| RT_ICON | 0x0001b028 | 0x0000cbcd | LANG_ENGLISH | SUBLANG_ENGLISH_US | 7.98 | None |
| RT_ICON | 0x00027bf8 | 0x00010828 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.16 | None |
| RT_ICON | 0x00038420 | 0x000094a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.32 | None |
| RT_ICON | 0x000418c8 | 0x00004228 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.56 | None |
| RT_ICON | 0x00045af0 | 0x000025a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.96 | None |
| RT_ICON | 0x00048098 | 0x000010a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.45 | None |
| RT_ICON | 0x00049140 | 0x00000988 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.62 | None |
| RT_ICON | 0x00049ac8 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 6.36 | None |
| RT_ICON | 0x0004a018 | 0x00000668 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 2.95 | None |
| RT_ICON | 0x0004a680 | 0x000002e8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.39 | None |
| RT_ICON | 0x0004a968 | 0x000001e8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.43 | None |
| RT_ICON | 0x0004ab50 | 0x00000128 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.38 | None |
| RT_ICON | 0x0004ac78 | 0x00000ea8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.21 | None |
| RT_ICON | 0x0004bb20 | 0x000008a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.88 | None |
| RT_ICON | 0x0004c3c8 | 0x000006c8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.93 | None |
| RT_ICON | 0x0004ca90 | 0x00000568 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.43 | None |
| RT_ICON | 0x0004cff8 | 0x0000cbcd | LANG_ENGLISH | SUBLANG_ENGLISH_US | 7.98 | None |
| RT_ICON | 0x00059bc8 | 0x00010828 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.16 | None |
| RT_ICON | 0x0006a3f0 | 0x000094a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.32 | None |
| RT_ICON | 0x00073898 | 0x00004228 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.56 | None |
| RT_ICON | 0x00077ac0 | 0x000025a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.96 | None |
| RT_ICON | 0x0007a068 | 0x000010a8 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.45 | None |
| RT_ICON | 0x0007b110 | 0x00000988 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 5.62 | None |
| RT_ICON | 0x0007ba98 | 0x00000468 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 6.36 | None |
| RT_GROUP_ICON | 0x00049f30 | 0x000000e6 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.18 | None |
| RT_GROUP_ICON | 0x0007bf00 | 0x000000e6 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.27 | None |
| RT_VERSION | 0x00017cc0 | 0x00000388 | LANG_ENGLISH | SUBLANG_ENGLISH_US | 3.44 | None |
| RT_MANIFEST | 0x000177a0 | 0x0000051b | LANG_ENGLISH | SUBLANG_ENGLISH_US | 4.76 | None |
Imports
| Name | Address |
|---|---|
| RegDeleteValueW | 0x140011288 |
| CheckTokenMembership | 0x140011290 |
| FreeSid | 0x140011298 |
| RegSetValueExW | 0x1400112a0 |
| RegCreateKeyExW | 0x1400112a8 |
| AllocateAndInitializeSid | 0x1400112b0 |
| RegCloseKey | 0x1400112b8 |
| RegQueryValueExW | 0x1400112c0 |
| RegEnumValueW | 0x1400112c8 |
| RegCreateKeyW | 0x1400112d0 |
| RegOpenKeyExW | 0x1400112d8 |
| RegOpenKeyExA | 0x1400112e0 |
| RegSetValueExA | 0x1400112e8 |
| RegDeleteKeyW | 0x1400112f0 |
| RegQueryValueExA | 0x1400112f8 |
| RegCreateKeyA | 0x140011300 |
| GetTokenInformation | 0x140011308 |
| OpenThreadToken | 0x140011310 |
| GetLengthSid | 0x140011318 |
| GetKernelObjectSecurity | 0x140011320 |
| InitializeSecurityDescriptor | 0x140011328 |
| IsValidSid | 0x140011330 |
| ConvertStringSidToSidW | 0x140011338 |
| CopySid | 0x140011340 |
| CreateWellKnownSid | 0x140011348 |
| SetEntriesInAclW | 0x140011350 |
| EqualSid | 0x140011358 |
| GetAce | 0x140011360 |
| SetSecurityDescriptorDacl | 0x140011368 |
| GetSecurityDescriptorSacl | 0x140011370 |
| RegOverridePredefKey | 0x140011378 |
| RegGetValueW | 0x140011380 |
| RegOpenCurrentUser | 0x140011388 |
| Name | Address |
|---|---|
| PostQuitMessage | 0x140011700 |
| CharNextW | 0x140011708 |
| LoadStringW | 0x140011710 |
| Name | Address |
|---|---|
| iscntrl | 0x1400117a0 |
| iswascii | 0x1400117a8 |
| _wtoi | 0x1400117b0 |
| wcstok_s | 0x1400117b8 |
| _wcsnicmp | 0x1400117c0 |
| _XcptFilter | 0x1400117c8 |
| _amsg_exit | 0x1400117d0 |
| __wgetmainargs | 0x1400117d8 |
| __set_app_type | 0x1400117e0 |
| exit | 0x1400117e8 |
| _exit | 0x1400117f0 |
| rand_s | 0x1400117f8 |
| memcpy_s | 0x140011800 |
| iswalpha | 0x140011808 |
| wcsncmp | 0x140011810 |
| _cexit | 0x140011818 |
| __setusermatherr | 0x140011820 |
| _initterm | 0x140011828 |
| _wcmdln | 0x140011830 |
| _fmode | 0x140011838 |
| _commode | 0x140011840 |
| _lock | 0x140011848 |
| _unlock | 0x140011850 |
| __dllonexit | 0x140011858 |
| _onexit | 0x140011860 |
| ?terminate@@YAXXZ | 0x140011868 |
| memcpy | 0x140011870 |
| wcschr | 0x140011878 |
| __C_specific_handler | 0x140011880 |
| memset | 0x140011888 |
| _vsnwprintf | 0x140011890 |
| wcsrchr | 0x140011898 |
| iswcntrl | 0x1400118a0 |
| _vsnprintf | 0x1400118a8 |
| Name | Address |
|---|---|
| RtlCaptureContext | 0x1400118b8 |
| RtlLookupFunctionEntry | 0x1400118c0 |
| RtlVirtualUnwind | 0x1400118c8 |
| Name | Address |
|---|---|
| CoRevertToSelf | 0x1400118d8 |
| CoGetCallContext | 0x1400118e0 |
| StringFromGUID2 | 0x1400118e8 |
| CoInitializeSecurity | 0x1400118f0 |
| CoImpersonateClient | 0x1400118f8 |
| CoInitializeEx | 0x140011900 |
| CoTaskMemFree | 0x140011908 |
| CoCreateInstance | 0x140011910 |
| CoTaskMemAlloc | 0x140011918 |
| CoUninitialize | 0x140011920 |
| CoInitialize | 0x140011928 |
| CoRevokeClassObject | 0x140011930 |
| CoRegisterClassObject | 0x140011938 |
| CLSIDFromString | 0x140011940 |
| Name | Address |
|---|---|
| UnRegisterTypeLib | 0x1400116a0 |
| UnRegisterTypeLibForUser | 0x1400116a8 |
| RegisterTypeLibForUser | 0x1400116b0 |
| SysStringLen | 0x1400116b8 |
| SysAllocString | 0x1400116c0 |
| SysFreeString | 0x1400116c8 |
| RegisterTypeLib | 0x1400116d0 |
| Name | Address |
|---|---|
| UuidToStringW | 0x1400116e0 |
| RpcStringFreeW | 0x1400116e8 |
| UuidCreate | 0x1400116f0 |
| Name | Address |
|---|---|
| CompatFlagsFromClsid | 0x140011950 |
| CoInternetSetFeatureEnabled | 0x140011968 |
| CoInternetCreateSecurityManager | 0x140011970 |
| Extract | 0x140011978 |
| Name | Address |
|---|---|
| CryptCATAdminReleaseContext | 0x140011720 |
| CryptCATAdminReleaseCatalogContext | 0x140011728 |
| CryptCATAdminAddCatalog | 0x140011730 |
| CryptCATAdminAcquireContext | 0x140011738 |
| Name | Address |
|---|---|
| AuthzInitializeResourceManager | 0x140011398 |
| AuthzInitializeContextFromSid | 0x1400113a0 |
| AuthzFreeContext | 0x1400113a8 |
| AuthzFreeResourceManager | 0x1400113b0 |
| AuthzAccessCheck | 0x1400113b8 |
Usage
Processing ( 10.68 seconds )
- 10.124 ProcessMemory
- 0.541 CAPE
- 0.006 AnalysisInfo
- 0.006 BehaviorAnalysis
- 0.001 Debug
Signatures ( 0.05 seconds )
- 0.008 ransomware_files
- 0.005 antianalysis_detectfile
- 0.005 antiav_detectreg
- 0.005 ransomware_extensions
- 0.003 ursnif_behavior
- 0.002 antiav_detectfile
- 0.002 infostealer_ftp
- 0.002 infostealer_im
- 0.002 poullight_files
- 0.002 territorial_disputes_sigs
- 0.001 antianalysis_detectreg
- 0.001 antivm_vbox_files
- 0.001 antivm_vbox_keys
- 0.001 geodo_banking_trojan
- 0.001 browser_security
- 0.001 disables_backups
- 0.001 disables_browser_warn
- 0.001 disables_power_options
- 0.001 azorult_mutexes
- 0.001 infostealer_bitcoin
- 0.001 cryptbot_files
- 0.001 echelon_files
- 0.001 infostealer_mail
- 0.001 masquerade_process_name
- 0.001 revil_mutexes
- 0.001 modirat_behavior
Reporting ( 0.01 seconds )
- 0.005 CAPASummary
- 0.001 JsonDump
Signatures
The PE file contains a PDB path
pdbpath: ieinstal.pdb
SetUnhandledExceptionFilter detected (possible anti-debug)
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 188 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 59 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections
Screenshots
No screenshots available.Hosts
No hosts contacted.
DNS
No domains contacted.
Summary
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.
No hosts contacted.
No TCP connections recorded.
No UDP connections recorded.
No domains contacted.
HTTP Requests
No HTTP(s) requests performed.
SMTP traffic
No SMTP traffic performed.
IRC traffic
No IRC requests performed.
No ICMP traffic performed.
CIF Results
No CIF Results
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Suricata HTTP
No Suricata HTTP
Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No process dumps.
Sorry! No process dumps.