Accellion kitedrive Setup.exe
This report is generated from a file or URL submitted to this webservice on October 21st 2015 13:35:15 (UTC)
Report generated by Falcon Sandbox v2.52 © Hybrid Analysis
Attention: this analysis ran with the legacy Usermode Monitor. It is highly recommended to use the Kernelmode Monitor.
Incident Response

Risk Assessment
- Remote Access: Contains a remote desktop related string
- Persistence: Spawns a lot of processes
- Fingerprint: Contains ability to lookup the windows account name; Reads the cryptographic machine GUID
Indicators
Not all malicious and suspicious indicators are displayed.

Malicious Indicators (9)

Environment Awareness

The input sample contains a known anti-VM trick
- details: "Found VM detection artifact "CPUID trick" in "ee99b96e78179d7f76321d0f6aeeb61c5a200ef77161dbbacaee84438ca2d471.exe.bin" (Offset: 125668)"
- source: Dropped File
- relevance: 5/10

General

The input sample dropped a file that was identified as malicious
- details: 1/56 Antivirus vendors marked dropped file "StartX.exe" as malicious (classified as "W32.JiwutgtrgisC" with 1% detection rate)
- source: Dropped File
- relevance: 10/10

Installation/Persistence

Allocates virtual memory in foreign process
- details:
  "<Input Sample>" allocated 00000088 bytes of memory in "StartX.exe" (Protection: "read/write")
  "setup.exe" allocated 00001500 bytes of memory in "msiexec.exe" (Protection: "read/write")
  "setup.exe" allocated 00000088 bytes of memory in "msiexec.exe" (Protection: "read/write")
- source: API Call
- relevance: 7/10

Writes a PE file header to disk
- details:
  "<Input Sample>" wrote 131068 bytes starting with PE header signature to file "%TEMP%\7zS1860.tmp\32\setup.exe": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
  "<Input Sample>" wrote 90152 bytes starting with PE header signature to file "C:\Users\%USERNAME%\AppData\Local\Temp\7zS1860.tmp\64\setup.exe": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
  "<Input Sample>" wrote 49236 bytes starting with PE header signature to file "C:\Users\%USERNAME%\AppData\Local\Temp\7zS1860.tmp\StartX.exe": 4d5a90000300000004000000ffff0000b8000000000000004000000000000000000000000000000000000000000000000000 ...
- source: API Call
- relevance: 1/10

Writes data to a remote process
- details:
  "<Input Sample>" wrote 32 bytes to a foreign process "StartX.exe" (PID: 00003704)
  "<Input Sample>" wrote 52 bytes to a foreign process "StartX.exe" (PID: 00003704)
  "<Input Sample>" wrote 4 bytes to a foreign process "StartX.exe" (PID: 00003704)
  "setup.exe" wrote 1500 bytes to a foreign process "msiexec.exe" (PID: 00003884)
  "setup.exe" wrote 4 bytes to a foreign process "msiexec.exe" (PID: 00003884)
  "setup.exe" wrote 32 bytes to a foreign process "msiexec.exe" (PID: 00003884)
  "setup.exe" wrote 52 bytes to a foreign process "msiexec.exe" (PID: 00003884)
- source: API Call
- relevance: 6/10

System Security

Modifies System Certificates Settings
- details:
  "msiexec.exe" (Access type: "CREATE", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY")
  "msiexec.exe" (Access type: "CREATE", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA")
  "msiexec.exe" (Access type: "CREATE", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
  "msiexec.exe" (Access type: "CREATE", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
  "msiexec.exe" (Access type: "CREATE", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
  "msiexec.exe" (Access type: "CREATE", Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA")
  "msiexec.exe" (Access type: "CREATE", Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
  "msiexec.exe" (Access type: "CREATE", Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
- source: Registry Access
- relevance: 8/10

Queries/modifies the display settings of system associated file extensions
- details:
  "setup.exe" (Access type: "QUERYVAL", Path: "\REGISTRY\MACHINE\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\.EXE", Key: "ALWAYSSHOWEXT")
  "setup.exe" (Access type: "QUERYVAL", Path: "\REGISTRY\MACHINE\SOFTWARE\CLASSES\SYSTEMFILEASSOCIATIONS\.EXE", Key: "NEVERSHOWEXT")
- source: Registry Access
- relevance: 7/10

Unusual Characteristics

Contains ability to reboot/shutdown the operating system
- details:
  ExitWindowsEx@USER32.DLL from setup.exe (PID: 3824) (4 occurrences)
- source: StaticStream (Disassembly)
- relevance: 5/10

Spawns a lot of processes
- details:
  Spawned process "<Input Sample>"
  Spawned process "StartX.exe" with commandline ".\StartX.exe /min /wait Installkitedrive.bat"
  Spawned process "cmd.exe" with commandline "cmd /c Installkitedrive.bat"
  Spawned process "whoami.exe" with commandline "C:\Windows\system32\whoami /groups"
  Spawned process "find.exe" with commandline "C:\Windows\system32\find "S-1-5-32-544""
  Spawned process "setup.exe" with commandline ".\32\setup.exe"
  Spawned process "msiexec.exe" with commandline "-I "%TEMP%\7zS1860.tmp\32\kitedrive32.msi""
  Spawned process "kitedrive.exe"
- source: Monitored Target
- relevance: 8/10

Suspicious Indicators (32)

Anti-Detection/Stealthiness

Sets the process error mode to suppress error box
- details:
  "<Input Sample>" set its error mode to SEM_NOOPENFILEERRORBOX
  "setup.exe" set its error mode to SEM_NOOPENFILEERRORBOX
  "kitedrive.exe" set its error mode to SEM_NOOPENFILEERRORBOX
  "kitedrive.exe" set its error mode to SEM_NOGPFAULTERRORBOX
- source: API Call
- relevance: 8/10

Anti-Reverse Engineering

Contains ability to register a top-level exception handler (often used as an anti-debugging trick)
- details:
  SetUnhandledExceptionFilter@KERNEL32.DLL from StartX.exe (PID: 3704) (6 occurrences)
  SetUnhandledExceptionFilter@KERNEL32.DLL from setup.exe (PID: 3824) (4 occurrences)
- source: StaticStream (Disassembly)
- relevance: 1/10

Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
- details: Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
- source: API Call
- relevance: 10/10

Environment Awareness

Contains ability to query the machine version
- details:
  GetVersionExA@KERNEL32.DLL from ee99b96e78179d7f76321d0f6aeeb61c5a200ef77161dbbacaee84438ca2d471.exe (PID: 3648) (4 occurrences)
  GetVersion@KERNEL32.DLL from ee99b96e78179d7f76321d0f6aeeb61c5a200ef77161dbbacaee84438ca2d471.exe (PID: 3648) (2 occurrences)
  GetVersionExA@KERNEL32.DLL from StartX.exe (PID: 3704) (3 occurrences)
  GetVersion@KERNEL32.DLL from StartX.exe (PID: 3704)
- source: StaticStream (Disassembly)
- relevance: 1/10

Makes a branch decision directly after calling an API that is environment aware
- details:
  Found API call GetVersionExA@KERNEL32.DLL (Target: "StartX.exe", Stream UID: "00140281-00003704-51823-438-00405BD6")
  which is directly followed by "cmp dword ptr [ebp-00000088h], 02h" and "xor ecx, ebp". See related instructions: "...
  +33 call 004122D0h
  +38 add esp, 0Ch
  +41 lea eax, dword ptr [ebp-00000098h]
  +47 push eax
  +48 mov dword ptr [ebp-00000098h], 00000094h
  +58 call dword ptr [004241C8h] ;GetVersionExA
  +64 mov ecx, dword ptr [ebp-04h]
  +67 xor eax, eax
  +69 cmp dword ptr [ebp-00000088h], 02h
  +76 sete al
  +79 xor ecx, ebp" ... from StartX.exe (PID: 3704)
  Found API call GetVersionExA@KERNEL32.DLL (Target: "StartX.exe", Stream UID: "00140281-00003704-51823-651-00422479")
  which is directly followed by "cmp dword ptr [ebp-00000088h], 02h" and "jne 004224BAh". See related instructions: "...
  +0 push ebp
  +1 mov ebp, esp
  +3 sub esp, 00000098h
  +9 mov eax, dword ptr [0042DB00h]
  +14 xor eax, ebp
  +16 mov dword ptr [ebp-04h], eax
  +19 lea eax, dword ptr [ebp-00000098h]
  +25 push eax
  +26 mov dword ptr [ebp-00000098h], 00000094h
  +36 call dword ptr [004241C8h] ;GetVersionExA
  +42 cmp dword ptr [ebp-00000088h], 02h
  +49 jne 004224BAh" ... from StartX.exe (PID: 3704)
  Found API call GetVersionExA@KERNEL32.DLL (Target: "StartX.exe", Stream UID: "00140281-00003704-51823-1032-00422673")
  which is directly followed by "cmp dword ptr [ebp-10h], 02h" and "jne 004226D7h". See related instructions: "...
  +61 call 004122D0h
  +66 add esp, 0Ch
  +69 lea eax, dword ptr [ebp-20h]
  +72 push eax
  +73 mov dword ptr [ebp-20h], 00000094h
  +80 call dword ptr [004241C8h] ;GetVersionExA
  +86 cmp dword ptr [ebp-10h], 02h
  +90 jne 004226D7h" ... from StartX.exe (PID: 3704)
  Found API call GetVersionExA@KERNEL32.DLL (Target: "StartX.exe", Stream UID: "00140281-00003704-59267-438-00405BD6")
  which is directly followed by "cmp dword ptr [ebp-00000088h], 02h" and "xor ecx, ebp". See related instructions: "...
  +33 call 004122D0h
  +38 add esp, 0Ch
  +41 lea eax, dword ptr [ebp-00000098h]
  +47 push eax
  +48 mov dword ptr [ebp-00000098h], 00000094h
  +58 call dword ptr [004241C8h] ;GetVersionExA
  +64 mov ecx, dword ptr [ebp-04h]
  +67 xor eax, eax
  +69 cmp dword ptr [ebp-00000088h], 02h
  +76 sete al
  +79 xor ecx, ebp" ... from StartX.exe (PID: 3704)
  Found API call GetVersionExA@KERNEL32.DLL (Target: "StartX.exe", Stream UID: "00140281-00003704-59267-651-00422479")
  which is directly followed by "cmp dword ptr [ebp-00000088h], 02h" and "jne 004224BAh". See related instructions: "...
  +0 push ebp
  +1 mov ebp, esp
  +3 sub esp, 00000098h
  +9 mov eax, dword ptr [0042DB00h]
  +14 xor eax, ebp
  +16 mov dword ptr [ebp-04h], eax
  +19 lea eax, dword ptr [ebp-00000098h]
  +25 push eax
  +26 mov dword ptr [ebp-00000098h], 00000094h
  +36 call dword ptr [004241C8h] ;GetVersionExA
  +42 cmp dword ptr [ebp-00000088h], 02h
  +49 jne 004224BAh" ... from StartX.exe (PID: 3704)
  Found API call GetVersionExA@KERNEL32.DLL (Target: "StartX.exe", Stream UID: "00140281-00003704-59267-1032-00422673")
  which is directly followed by "cmp dword ptr [ebp-10h], 02h" and "jne 004226D7h". See related instructions: "...
  +61 call 004122D0h
  +66 add esp, 0Ch
  +69 lea eax, dword ptr [ebp-20h]
  +72 push eax
  +73 mov dword ptr [ebp-20h], 00000094h
  +80 call dword ptr [004241C8h] ;GetVersionExA
  +86 cmp dword ptr [ebp-10h], 02h
  +90 jne 004226D7h" ... from StartX.exe (PID: 3704)
  Found API call GetVersion@KERNEL32.DLL (Target: "setup.exe", Stream UID: "00147125-00003824-6021-1375-008DE08E")
  which is directly followed by "cmp al, 06h" and "jnc 008DE0B7h". See related instructions: "...
  +0 call dword ptr [008B10D4h] ;GetVersion
  +6 cmp al, 06h
  +8 jnc 008DE0B7h" ... from setup.exe (PID: 3824)
  Found API call GetVersion@KERNEL32.DLL (Target: "setup.exe", Stream UID: "00147125-00003824-13674-1372-008DE08E")
  which is directly followed by "cmp al, 06h" and "jnc 008DE0B7h". See related instructions: "...
  +0 call dword ptr [008B10D4h] ;GetVersion
  +6 cmp al, 06h
  +8 jnc 008DE0B7h" ... from setup.exe (PID: 3824)
  Found API call GetVersionExA@KERNEL32.dll (Target: "StartX.exe.139468", Stream UID: "49158-1177-00405BD6")
  which is directly followed by "cmp dword ptr [ebp-00000088h], 02h" and "xor ecx, ebp". See related instructions: "...
  +33 call 004122D0h
  +38 add esp, 0Ch
  +41 lea eax, dword ptr [ebp-00000098h]
  +47 push eax
  +48 mov dword ptr [ebp-00000098h], 00000094h
  +58 call dword ptr [004241C8h] ;GetVersionExA
  +64 mov ecx, dword ptr [ebp-04h]
  +67 xor eax, eax
  +69 cmp dword ptr [ebp-00000088h], 02h
  +76 sete al
  +79 xor ecx, ebp" ... at 49158-1177-00405BD6
  Found API call GetVersionExA@KERNEL32.dll (Target: "StartX.exe.139468", Stream UID: "49158-1776-00422673")
  which is directly followed by "cmp dword ptr [ebp-10h], 02h" and "jne 004226D7h". See related instructions: "...
  +61 call 004122D0h
  +66 add esp, 0Ch
  +69 lea eax, dword ptr [ebp-20h]
  +72 push eax
  +73 mov dword ptr [ebp-20h], 00000094h
  +80 call dword ptr [004241C8h] ;GetVersionExA
  +86 cmp dword ptr [ebp-10h], 02h
  +90 jne 004226D7h" ... at 49158-1776-00422673
- source: StaticStream (Disassembly)
- relevance: 10/10

Possibly tries to detect the presence of a debugger
- details:
  GetProcessHeap@KERNEL32.DLL from setup.exe (PID: 3824) (2 occurrences)
- source: StaticStream (Disassembly)
- relevance: 1/10

Possibly tries to implement anti-virtualization techniques
- details: "h4%BHVBOX*g[+IIT>*ZfY%;syllV)-xLgM!<q%x/,[iP%btVG*o;AuXehFzps{L'!f+SE1FAogs6D~4mT" (Indicator: "vbox")
- source: String
- relevance: 4/10

Reads the cryptographic machine GUID
- details:
  "msiexec.exe" (Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY", Key: "MACHINEGUID")
  "kitedrive.exe" (Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\CRYPTOGRAPHY", Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10

General

Contains ability to find and load resources of a specific module
- details:
  FindResourceA@KERNEL32.DLL from StartX.exe (PID: 3704) (7 occurrences)
  LockResource@KERNEL32.DLL from StartX.exe (PID: 3704) (2 occurrences)
  FreeResource@KERNEL32.DLL from StartX.exe (PID: 3704)
- source: StaticStream (Disassembly)
- relevance: 1/10

Reads configuration files
- details:
  "setup.exe" read file "%USERPROFILE%\Desktop\desktop.ini"
  "kitedrive.exe" read file "C:\Users\desktop.ini"
  "kitedrive.exe" read file "C:\Users\%USERNAME%\Desktop\desktop.ini"
  "kitedrive.exe" read file "C:\Users\%USERNAME%\Searches\desktop.ini"
- source: API Call
- relevance: 4/10

Installation/Persistence

Creates/touches files in windows directory
- details:
  "setup.exe" created file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
  "setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
  "setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db"
  "setup.exe" created file "C:\Windows\system32\msiexec.exe"
  "kitedrive.exe" created file "C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\72269ea7cc6281139e4d155e7c57dc67\System.Drawing.ni.dll.aux"
  "kitedrive.exe" created file "C:\Windows\assembly\NativeImages_v4.0.30319_32\System\e40da7a49f8c3f0108e7c835b342f382\System.ni.dll.aux"
  "kitedrive.exe" created file "C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\28586400bcaf94c13a9fd0dff4a1e090\System.Configuration.ni.dll.aux"
  "kitedrive.exe" created file "C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\b52bc540630c3aa5de542c382af35c20\PresentationCore.ni.dll.aux"
  "kitedrive.exe" created file "C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\cd235caf797fb017f140016be88f33b7\WindowsBase.ni.dll.aux"
  "kitedrive.exe" created file "C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\9ba07396ae369d010c5c3927a82ef426\System.Xml.ni.dll.aux"
- source: API Call
- relevance: 7/10

Drops executable files
- details:
  "setup.exe" has type "PE32 executable (GUI) Intel 80386, for MS Windows"
  "StartX.exe" has type "PE32 executable (GUI) Intel 80386, for MS Windows"
  "MSI771A.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows"
  "MSI798C.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows"
  "atl100.dll" has type "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows"
- source: Dropped File
- relevance: 10/10

Network Related

Found potential IP address in binary/memory
- details: "1.5.9.5"
- source: String
- relevance: 3/10

Found potential URL in binary/memory
- details: "t.com"
- source: String
- relevance: 2/10

Remote Access Related

Contains a remote desktop related string
- details: "l;c]ss;";vncbn0[{=6z;A7w.*V'/mu~{]s0G3n&'^f;" (Indicator for product: Generic VNC), ">Y=y_w"\q'ch`I&3<xmb$wzO]OimvncPj K}*i1!WBJR:pWv#ozr{,%:J7 `!!5V3`" (Indicator for product: Generic VNC)
- source: String
- relevance: 10/10

Spyware/Information Retrieval

Contains ability to enumerate processes/modules/threads
- details:
  CreateToolhelp32Snapshot@KERNEL32.DLL from setup.exe (PID: 3824) (2 occurrences)
- source: StaticStream (Disassembly)
- relevance: 5/10

System Security

Modifies proxy settings
- details:
  "setup.exe" (Access type: "DELETEVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP", Key: "PROXYBYPASS")
  "setup.exe" (Access type: "DELETEVAL", Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP", Key: "PROXYBYPASS")
  "kitedrive.exe" (Access type: "DELETEVAL", Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP", Key: "PROXYBYPASS")
  "kitedrive.exe" (Access type: "DELETEVAL", Path: "\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP", Key: "PROXYBYPASS")
- source: Registry Access
- relevance: 10/10

Unusual Characteristics

Contains embedded string with suspicious keywords
- details:
  Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
  Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
  Found suspicious keyword "Open" which indicates: "May open a file"
  Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
- source: String
- relevance: 10/10

Imports suspicious APIs
- details:
  ShellExecuteExA
  GetProcAddress
  UnhandledExceptionFilter
  TerminateProcess
  GetCommandLineA
  GetStartupInfoA
  GetModuleHandleA
  CreateProcessA
  GetCommandLineW
  GetVersionExA
  LoadLibraryA
  GetModuleFileNameA
  GetModuleFileNameW
  CreateFileW
  CreateDirectoryA
  CreateDirectoryW
  DeleteFileA
  DeleteFileW
  GetTempPathA
  GetTempFileNameA
  FindFirstFileA
  FindFirstFileW
  FindNextFileA
  CreateFileA
  GetFileSize
  WriteFile
  Sleep
  VirtualAlloc
  CreateThread
  ExitThread
- source: Static Parser
- relevance: 1/10

Installs hooks/patches the running process
- details: "kitedrive.exe" wrote bytes "AF1D7A64" to virtual address "0x69B52AFC" (part of module "CLR.DLL")
- source: Hooks
- relevance: 10/10

Reads information about supported languages
- details:
  "<Input Sample>" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE", Key: "00000409")
  "cmd.exe" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE", Key: "00000409")
  "setup.exe" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE", Key: "00000409")
  "msiexec.exe" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE", Key: "00000409")
  "kitedrive.exe" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE", Key: "00000409")
  "kitedrive.exe" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE", Key: "EN")
  "kitedrive.exe" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE", Key: "EN")
  "kitedrive.exe" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE", Key: "AR")
  "kitedrive.exe" (Path: "\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE", Key: "AR")
- source: Registry Access
- relevance: 3/10

Hiding 11 Suspicious Indicators

Informative (17)

Anti-Reverse Engineering

Found strings in conjunction with a procedure lookup that resolve to a known API export symbol
- details:
  Found reference to API NotifyWinEvent@USER32.DLL from StartX.exe (PID: 3704) (2 occurrences)
  Found reference to API SHGetFolderPathA@SHELL32.DLL from StartX.exe (PID: 3704) (2 occurrences)
- source: StaticStream (Disassembly)
- relevance: 10/10

Environment Awareness

Contains ability to query machine time
- details:
  GetSystemTimeAsFileTime@KERNEL32.DLL from StartX.exe (PID: 3704) (2 occurrences)
  GetSystemTimeAsFileTime@KERNEL32.DLL from setup.exe (PID: 3824) (2 occurrences)
  GetSystemTimeAsFileTime@KERNEL32.dll at 49158-215-0041BDAD
- source: StaticStream (Disassembly)
- relevance: 1/10

Contains ability to query volume size
- details:
  GetDiskFreeSpaceExW@KERNEL32.DLL from setup.exe (PID: 3824) (2 occurrences)
- source: StaticStream (Disassembly)
- relevance: 3/10

External Systems

Sample was identified as clean by Antivirus engines
- details: 0/56 Antivirus vendors marked sample as malicious (0% detection rate)
- source: Anti-Virus Test Result
- relevance: 10/10

General

Contains PDB pathways
- details:
  "setup.pdb"
  "DPCA.pdb"
  "atl100.i386.pdb"
- source: String
- relevance: 1/10

Creates a writable file in a temporary directory
- details:
  "<Input Sample>" created file "%TEMP%\7zS1860.tmp\64\kitedrive64.msi"
  "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\7zS1860.tmp\kitedriveInstall.msi"
  "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\7zS1860.tmp\Installkitedrive.bat"
  "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\7zS1860.tmp\kitedrive.config"
  "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\7zS1860.tmp\32\setup.exe"
  "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\7zS1860.tmp\64\setup.exe"
  "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\7zS1860.tmp\StartX.exe"
  "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\7zS1860.tmp\64"
  "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\7zS1860.tmp\32"
- source: API Call
- relevance: 1/10

Creates mutants
- details:
  "Local\ZonesCounterMutex"
  "Local\ZoneAttributeCacheCounterMutex"
  "Local\ZonesCacheCounterMutex"
  "Local\ZonesLockedCacheCounterMutex"
  "Global\_MSIExecute"
  "Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511"
  "Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0001"
  "Local\__DDrawExclMode__"
  "Local\__DDrawCheckExclMode__"
  "DBWinMutex"
- source: Created Mutant
- relevance: 3/10

Loads modules at runtime
- details:
  "<Input Sample>" loaded module "OLEAUT32.DLL" at base 76F40000
  "<Input Sample>" loaded module "%WINDIR%\SYSTEM32\APPHELP.DLL" at base 75BC0000
  "setup.exe" loaded module "ADVAPI32.DLL" at base 77700000
  "setup.exe" loaded module "COMCTL32.DLL" at base 74B90000
  "setup.exe" loaded module "OLEAUT32.DLL" at base 76F40000
  "setup.exe" loaded module "CLBCATQ.DLL" at base 77D00000
  "setup.exe" loaded module "C:\WINDOWS\SYSTEM32\PROPSYS.DLL" at base 74A70000
  "setup.exe" loaded module "NTMARTA.DLL" at base 75250000
- source: API Call
- relevance: 1/10

Loads rich edit control libraries
- details:
  "setup.exe" loaded module "%WINDIR%\system32\riched20.dll" at 6B660000
  "msiexec.exe" loaded module "C:\Windows\system32\RICHED20.DLL" at 6B660000
- source: Loaded Module

Loads the .NET runtime environment
- details: "kitedrive.exe" loaded module "%WINDIR%\assembly\NativeImages_v4.0.30319_32\mscorlib\51e2934144ba15628ba5a31be2dae7dc\mscorlib.ni.dll" at 68B90000
- source: Loaded Module

Looks up procedures from modules (excluding apphelp.dll, kernel32.dll, user32.dll, gdi32.dll, ole32.dll, comctl32.dll, uxtheme.dll, oleaut32.dll, version.dll, msctfime.ime)
- details:
  "RegEnumKeyA@ADVAPI32.dll"
  "PSPropertyBag_ReadDWORD@PROPSYS.dll"
  "RegEnumKeyW@ADVAPI32.dll"
  "PSPropertyBag_ReadBSTR@PROPSYS.dll"
  "PSPropertyBag_ReadStrAlloc@PROPSYS.dll"
  "OpenThreadToken@ADVAPI32.dll"
  "GetCatalogObject@CLBCatQ.DLL"
  "GetCatalogObject2@CLBCatQ.DLL"
  "DllGetClassObject@PROPSYS.dll"
  "DllCanUnloadNow@PROPSYS.dll"
- source: API Call
- relevance: 1/10

Reads System Certificates Settings
- details: "msiexec.exe" (Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA", Key: "BLOB")
- source: Registry Access
- relevance: 10/10

Reads Windows Trust Settings
- details: "msiexec.exe" (Path: "\REGISTRY\USER\S-1-5-21-4162757579-3804539371-4239455898-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING", Key: "STATE")
- source: Registry Access
- relevance: 5/10

Runs shell commands
- details: "cmd /c Installkitedrive.bat" at 2015-10-21 11:37:00
- source: Monitored Target
- relevance: 5/10

Spawns new processes
- details:
  Spawned process "StartX.exe" with commandline ".\StartX.exe /min /wait Installkitedrive.bat"
  Spawned process "cmd.exe" with commandline "cmd /c Installkitedrive.bat"
  Spawned process "whoami.exe" with commandline "C:\Windows\system32\whoami /groups"
  Spawned process "find.exe" with commandline "C:\Windows\system32\find "S-1-5-32-544""
  Spawned process "setup.exe" with commandline ".\32\setup.exe"
  Spawned process "msiexec.exe" with commandline "-I "%TEMP%\7zS1860.tmp\32\kitedrive32.msi""
  Spawned process "kitedrive.exe"
- source: Monitored Target
- relevance: 3/10

Installation/Persistence

Contains ability to lookup the windows account name
- details:
  GetUserNameExW@SSPICLI.DLL at 00147125-00003824-77BD228D-156252
  GetUserNameExW@SSPICLI.DLL at 00353578-00000480-77BD228D-373846
- source: StaticStream (Disassembly)
- relevance: 5/10

Dropped files
- details:
  "cab1.cab" has type "Microsoft Cabinet archive data, 863130 bytes, 6 files"
  "kitedrive32.msi" has type "Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Create Time/Date: Mon Jun 21 08:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: Intel;1033, Number of Pages: 200, Revision Number: {39ABA2DA-8A80-4FAD-9D01-3E26D2A17DA7}, Title: kitedrive, Author: Accellion, Number of Words: 2, Last Saved Time/Date: Wed Jun 24 23:31:34 2015, Last Printed: Wed Jun 24 23:31:34 2015"
  "kitedrive64.msi" has type "Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Create Time/Date: Mon Jun 21 08:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: x64;1033, Number of Pages: 200, Revision Number: {F5C51BEB-F63B-4851-905F-95D3E0CCB31E}, Title: kitedrive, Author: Accellion, Number of Words: 2, Last Saved Time/Date: Wed Jun 24 23:32:08 2015, Last Printed: Wed Jun 24 23:32:08 2015"
  "kitedriveInstall.msi" has type "Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Installation Database, Subject: kitedrive, Author: Accellion, Keywords: Installer, Comments: This installer database contains the logic and data required to install kitedrive., Template: Intel;1033, Revision Number: {99A60858-FFF5-4160-AD00-BE5DA5180677}, Create Time/Date: Wed Jun 24 23:30:48 2015, Last Saved Time/Date: Wed Jun 24 23:30:48 2015, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.8.1128.0), Security: 2"
  "Installkitedrive.bat" has type "DOS batch file, ASCII text, with CRLF line terminators"
  "kitedrive.config" has type "XML 1.0 document, UTF-8 Unicode (with BOM) text, with no line terminators"
  "setup.exe" has type "PE32 executable (GUI) Intel 80386, for MS Windows"
  "StartX.exe" has type "PE32 executable (GUI) Intel 80386, for MS Windows"
  "install.log" has type "data"
  "MSI771A.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows"
- source: Dropped File
- relevance: 3/10

File Details
Accellion kitedrive Setup.exe
- Filename
- Accellion kitedrive Setup.exe
- Size
- 4.4MiB (4626592 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- ee99b96e78179d7f76321d0f6aeeb61c5a200ef77161dbbacaee84438ca2d471
- MD5
- 39e23ecc0aa880ca291a37ba9a90d21a
- SHA1
- ddac8168e491bd8093c62fe195f019bf586744cc
- ssdeep
- 98304:71ObKIy0Poivp7yE2M3cBuHM4mURfUHfnOXcDfi5A9X+Yt:71Om4Poi4S3NTmscHfnBDcRA
- imphash
- 59811ee8e32bc0723a5695330aeeadb0
Version Info
- LegalCopyright
- Copyright (c) 2012-2015 Accellion
- InternalName
- kitedrive
- FileVersion
- 1.5.9.5
- CompanyName
- Accellion Inc.
- ProductName
- kitedrive
- ProductVersion
- 1.5.9.5
- FileDescription
- Accellion kitedrive Setup
- OriginalFilename
- kitedrive
- Translation
- 0x0409 0x04b0
Classification (TrID)
- 67.3% (.EXE) Win32 Executable MS Visual C++ (generic)
- 14.2% (.DLL) Win32 Dynamic Link Library (generic)
- 9.7% (.EXE) Win32 Executable (generic)
- 4.3% (.EXE) Generic Win/DOS Executable
- 4.3% (.EXE) DOS Executable Generic
File Imports
File Certificates
Owner | Issuer | Validity | Hashes (MD5, SHA1) |
---|---|---|---|
CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US | CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA (Serial: 7e93ebfb7cc64e59ea4b9a77d406fc3b) | 12/20/2012 18:00:00 to 12/30/2020 17:59:59 | 7B:A3:69:EE:9A:BD:81:E0:FC:76:74:E9:70:9E:15:1D; 6C:07:45:3F:FD:DA:08:B8:37:07:C0:9B:82:FB:3D:15:F3:53:36:B1 |
CN=Symantec Time Stamping Services Signer - G4, O=Symantec Corporation, C=US | CN=Symantec Time Stamping Services CA - G2, O=Symantec Corporation, C=US (Serial: ecff438c8febf356e04d86a981b1a50) | 10/17/2012 19:00:00 to 12/29/2020 17:59:59 | 08:32:B6:5C:C3:E3:A4:9B:C3:81:BA:95:E1:B5:87:37; 65:43:99:29:B6:79:73:EB:19:2D:6F:F2:43:E6:76:7A:DF:08:34:E4 |
CN="Accellion, Inc.", O="Accellion, Inc.", ST=California, L=Palo Alto, C=US | CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US (Serial: a977ced4714b0c4afee5fbc4d9ddb22) | 02/10/2015 18:00:00 to 04/18/2018 07:00:00 | 5F:50:C0:33:09:95:9C:94:41:19:B8:9A:24:26:A2:1A; 73:5C:28:AE:94:A7:2A:D2:A8:BB:DA:EC:2A:A9:14:2C:16:23:CE:8C |
CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US (Serial: 409181b5fd5bb66755343b56f955008) | 10/22/2013 07:00:00 to 10/22/2028 07:00:00 | B6:56:37:6C:3D:2A:CE:BB:A1:88:49:D6:04:36:1B:D5; 92:C1:58:8E:85:AF:22:01:CE:79:15:E8:53:8B:49:2F:60:5B:80:C6 |
Hybrid Analysis
Analysed 8 processes in total (System Resource Monitor).
- Input Sample (PID: 3648)
- StartX.exe .\StartX.exe /min /wait Installkitedrive.bat (PID: 3704)
- cmd.exe cmd /c Installkitedrive.bat (PID: 3724)
- whoami.exe %WINDIR%\system32\whoami /groups (PID: 3764)
- find.exe %WINDIR%\system32\find "S-1-5-32-544" (PID: 3792)
- setup.exe .\32\setup.exe (PID: 3824)
- msiexec.exe -I "%TEMP%\7zS1860.tmp\32\kitedrive32.msi" (PID: 3884)
- kitedrive.exe (PID: 480)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Malicious 1
StartX.exe
- Size
- 224KiB (229376 bytes)
- Type
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "W32.JiwutgtrgisC" (1/56)
- MD5
- 39c8abf1652ae917edcee759339cf9b5
- SHA1
- f874e5ea75800f7783d43afa92ff25767beec0dd
- SHA256
- 07e6a55591466031b32fbd19a9a67fc89e8b5f6aed47234c6354331ae84dcdcf
Clean 3
MSI771A.tmp
- Size
- 231KiB (236872 bytes)
- Type
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/55
- MD5
- 5494165b1384faeefdd3d5133df92f5a
- SHA1
- b7b82805f1a726c4eee39152d1a6a59031d7798c
- SHA256
- ba0ad3a4d2112b269e379a2231128e7ebe23e95d5d04878d6ee8815e657bb055
MSI798C.tmp
- Size
- 231KiB (236872 bytes)
- Type
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/55
- MD5
- 5494165b1384faeefdd3d5133df92f5a
- SHA1
- b7b82805f1a726c4eee39152d1a6a59031d7798c
- SHA256
- ba0ad3a4d2112b269e379a2231128e7ebe23e95d5d04878d6ee8815e657bb055
atl100.dll
- Size
- 135KiB (138056 bytes)
- Type
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/55
- Context
- %WINDIR%\System32\atl100.dll
- Additional Context
- Existing file modified
- MD5
- c85670ab64068f8080998aeba6c5019c
- SHA1
- ef762c375486594f6604f39311d32442156ac8bb
- SHA256
- 87d88235f69c062e5b759f91253abaf7bd055937dd119bd26858237f812d3ded
Informative 11
kitedrive.config
- Size
- 2.7KiB (2815 bytes)
- Type
- XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
- MD5
- 7378c0d2246565c23d789a3c4c093590
- SHA1
- f21c95b9d396429778a7494e9ad96446c2292575
- SHA256
- 141a3ccbac0f588744b7ef3388cb87b649d403292a4ceaae4794aed2c1f82c35
kitedriveLog.log
- Size
- 1.3KiB (1314 bytes)
- Type
- ASCII text, with CRLF line terminators
- MD5
- 9e4f54ef980b2a867d142bbfde99b2a0
- SHA1
- f25eb3046659db0cdaccaecb3fed68aab5fa5b54
- SHA256
- 34163bb4121a7253bd70f983ce550cfcecb6fc027c8a8ef1d8026749efd5e46c
kitedrive32.msi
- Size
- 3.7MiB (3846656 bytes)
- Type
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Create Time/Date: Mon Jun 21 08:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: Intel;1033, Number of Pages: 200, Revision Number: {39ABA2DA-8A80-4FAD-9D01-3E26D2A17DA7}, Title: kitedrive, Author: Accellion, Number of Words: 2, Last Saved Time/Date: Wed Jun 24 23:31:34 2015, Last Printed: Wed Jun 24 23:31:34 2015
- MD5
- 573bf1720cc9e27f653c7b3c9bfb4458
- SHA1
- 01ef40938db3c770a8c060e78c8ad10e18c9bfa0
- SHA256
- 5c4754633a631b17fe2eabea8ddf5c40c930488528acd78f5a31ecc5004df259
setup.exe
- Size
- 848KiB (868240 bytes)
- Type
- PE32 executable (GUI) Intel 80386, for MS Windows
- MD5
- d605189504457941b16ebae4f669744c
- SHA1
- 7f4523e7c9e9dc8acf599adae048efad7ec20981
- SHA256
- 6823ed6d2dc1c364c31ebe42155cb5705c691b5e089c43d7237995fb3187d5b5
kitedrive64.msi
- Size
- 3.7MiB (3868160 bytes)
- Type
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Create Time/Date: Mon Jun 21 08:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: x64;1033, Number of Pages: 200, Revision Number: {F5C51BEB-F63B-4851-905F-95D3E0CCB31E}, Title: kitedrive, Author: Accellion, Number of Words: 2, Last Saved Time/Date: Wed Jun 24 23:32:08 2015, Last Printed: Wed Jun 24 23:32:08 2015
- MD5
- 27e3f796b2abe07f509cc45a0d759676
- SHA1
- 16623eb49f02be5ce16e474db529c820451fb07b
- SHA256
- 974b412c23994e6951fe8e6d311b6653a0008b3ecbf477d2eeb08d3824466656
Installkitedrive.bat
- Size
- 3.9KiB (3960 bytes)
- Type
- DOS batch file, ASCII text, with CRLF line terminators
- MD5
- 4cbbd23440a5599705781e9e08ec4e01
- SHA1
- 1bed60a0551cde44c1d19057cf55f09d282717cf
- SHA256
- 67c45277cb198b6ecb51f4afefafc744557c1767fee9930d454b3dcd8dffa747
cab1.cab
- Size
- 843KiB (863130 bytes)
- Type
- Microsoft Cabinet archive data, 863130 bytes, 6 files
- MD5
- 8ad47ba8eaae0289e5a00abb1ec9554e
- SHA1
- fe1e967325e4c5e338f64a43499d8cc10c36ebdd
- SHA256
- 24cd9a24e5e22f07403febecd396149522432ccc47661a49cbf9e8317b03ff1e
kitedrive.config
- Size
- 204B (204 bytes)
- Type
- XML 1.0 document, UTF-8 Unicode (with BOM) text, with no line terminators
- MD5
- fa78de411a47008f13b44bc447d3a814
- SHA1
- 2492546fed393dad438a40fb313dc7432c49aa27
- SHA256
- 9fa423016372d28dbd6e5f9f8d7c553b72b00258d85ba2528b0f301ca1e3e951
kitedriveInstall.msi
- Size
- 1.3MiB (1310720 bytes)
- Type
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Installation Database, Subject: kitedrive, Author: Accellion, Keywords: Installer, Comments: This installer database contains the logic and data required to install kitedrive., Template: Intel;1033, Revision Number: {99A60858-FFF5-4160-AD00-BE5DA5180677}, Create Time/Date: Wed Jun 24 23:30:48 2015, Last Saved Time/Date: Wed Jun 24 23:30:48 2015, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.8.1128.0), Security: 2
- MD5
- 331ffe600860d9ffff302c087f78df02
- SHA1
- df9b94da708cac2003f2b0323672ca5a52981b86
- SHA256
- 418a35a32c67cae7c285999a170b8276b68bb689d53c39eff1b9c9c15dcf91c9
install.log
- Size
- 4.1KiB (4248 bytes)
- Type
- data
- MD5
- 0d5a7210947df391a748ec87d15966bc
- SHA1
- fe3db8968dc3ca3b4ad800d92d5315721a3bcc63
- SHA256
- 38ee7e323bb5791a9596295258993f722d3fe9d15fc02ce3217c2d89712b0314
kitedrive.lnk
- Size
- 1.7KiB (1715 bytes)
- Type
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Icon number=0, Directory, ctime=Thu Oct 22 01:54:19 2015, mtime=Thu Oct 22 01:54:19 2015, atime=Thu Oct 22 01:54:19 2015, length=0, window=hide
Notifications
Runtime
- Added comment to VirusTotal report
- Dropped file "kitedrive32.msi" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/5c4754633a631b17fe2eabea8ddf5c40c930488528acd78f5a31ecc5004df259/analysis/1445453132/")
- Dropped file "kitedrive64.msi" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/974b412c23994e6951fe8e6d311b6653a0008b3ecbf477d2eeb08d3824466656/analysis/1445453134/")
- Dropped file "kitedriveInstall.msi" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/418a35a32c67cae7c285999a170b8276b68bb689d53c39eff1b9c9c15dcf91c9/analysis/1445453135/")
- Dropped file "setup.exe" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/6823ed6d2dc1c364c31ebe42155cb5705c691b5e089c43d7237995fb3187d5b5/analysis/1445453137/")
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)