OntrackEasyRecoveryTechnicianforWindows.exe
This report was generated from a file or URL submitted to this webservice on February 4th 2019 17:07:50 (UTC), using the action script "Heavy Anti-Evasion".
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
  - Reads terminal service related keys (often RDP related)
- Persistence
  - Writes data to a remote process
- Fingerprint
  - Queries kernel debugger information
  - Queries sensitive IE security settings
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Evasive
  - Marks file for deletion
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.

Malicious Indicators 2

General

The analysis extracted a file that was identified as malicious
- details: 1/91 Antivirus vendors marked dropped file "is-A2BMC.tmp" as malicious (classified as "W32.eHeur" with 1% detection rate)
- source: Binary File
- relevance: 10/10

Installation/Persistence

Writes data to a remote process
- details:
"OntrackEasyRecoveryTechnicianforWindows.exe" wrote 1500 bytes to a remote process "%TEMP%\is-3J3AH.tmp\OntrackEasyRecoveryTechnicianforWindows.tmp" (Handle: 200)
"OntrackEasyRecoveryTechnicianforWindows.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-3J3AH.tmp\OntrackEasyRecoveryTechnicianforWindows.tmp" (Handle: 200)
"OntrackEasyRecoveryTechnicianforWindows.exe" wrote 8 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-3J3AH.tmp\OntrackEasyRecoveryTechnicianforWindows.tmp" (Handle: 200)
"OntrackEasyRecoveryTechnicianforWindows.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-3J3AH.tmp\OntrackEasyRecoveryTechnicianforWindows.tmp" (Handle: 200)
"OntrackEasyRecoveryTechnicianforWindows.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-3J3AH.tmp\OntrackEasyRecoveryTechnicianforWindows.tmp" (Handle: 200)
"OntrackEasyRecoveryTechnicianforWindows.tmp" wrote 1500 bytes to a remote process "C:\Program Files (x86)\Ontrack\EasyRecovery\OERLauncher.exe" (Handle: 800)
"OntrackEasyRecoveryTechnicianforWindows.tmp" wrote 4 bytes to a remote process "C:\Program Files (x86)\Ontrack\EasyRecovery\OERLauncher.exe" (Handle: 800)
"OntrackEasyRecoveryTechnicianforWindows.tmp" wrote 8 bytes to a remote process "C:\Program Files (x86)\Ontrack\EasyRecovery\OERLauncher.exe" (Handle: 800)
"OntrackEasyRecoveryTechnicianforWindows.tmp" wrote 32 bytes to a remote process "C:\Program Files (x86)\Ontrack\EasyRecovery\OERLauncher.exe" (Handle: 800)
"OntrackEasyRecoveryTechnicianforWindows.tmp" wrote 52 bytes to a remote process "C:\Program Files (x86)\Ontrack\EasyRecovery\OERLauncher.exe" (Handle: 800)
"OERLauncher.exe" wrote 1500 bytes to a remote process "C:\Program Files (x86)\Ontrack\EasyRecovery\Ekag20nt.exe" (Handle: 360)
"OERLauncher.exe" wrote 4 bytes to a remote process "C:\Program Files (x86)\Ontrack\EasyRecovery\Ekag20nt.exe" (Handle: 360)
"OERLauncher.exe" wrote 8 bytes to a remote process "C:\Program Files (x86)\Ontrack\EasyRecovery\Ekag20nt.exe" (Handle: 360)
"OERLauncher.exe" wrote 32 bytes to a remote process "C:\Program Files (x86)\Ontrack\EasyRecovery\Ekag20nt.exe" (Handle: 360)
"OERLauncher.exe" wrote 52 bytes to a remote process "C:\Program Files (x86)\Ontrack\EasyRecovery\Ekag20nt.exe" (Handle: 360)
- source: API Call
- relevance: 6/10
- ATT&CK ID: T1055

Suspicious Indicators 17

Anti-Detection/Stealthiness

Queries kernel debugger information
- details: "Ekag20nt.exe" at 00046932-00001484-00000033-288413509187
- source: API Call
- relevance: 6/10

Environment Awareness

Reads the active computer name
- details:
"OntrackEasyRecoveryTechnicianforWindows.tmp" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"Ekag20nt.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1012

Reads the cryptographic machine GUID
- details: "Ekag20nt.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012

General

Reads configuration files
- details:
"OntrackEasyRecoveryTechnicianforWindows.tmp" read file "%APPDATA%\Microsoft\Windows\Start Menu\desktop.ini"
"OntrackEasyRecoveryTechnicianforWindows.tmp" read file "%APPDATA%\Microsoft\Windows\Start Menu\Programs\desktop.ini"
"OntrackEasyRecoveryTechnicianforWindows.tmp" read file "%USERPROFILE%\Desktop\desktop.ini"
"OntrackEasyRecoveryTechnicianforWindows.tmp" read file "C:\Users\%USERNAME%\Searches\desktop.ini"
"OntrackEasyRecoveryTechnicianforWindows.tmp" read file "C:\Users\%USERNAME%\Videos\desktop.ini"
"OntrackEasyRecoveryTechnicianforWindows.tmp" read file "C:\Users\%USERNAME%\Pictures\desktop.ini"
"OntrackEasyRecoveryTechnicianforWindows.tmp" read file "C:\Users\%USERNAME%\Contacts\desktop.ini"
- source: API Call
- relevance: 4/10

Installation/Persistence

Drops executable files
- details: "is-A2BMC.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source: Binary File
- relevance: 10/10

Remote Access Related

Reads terminal service related keys (often RDP related)
- details: "Ekag20nt.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1076

System Destruction

Marks file for deletion
- details:
"C:\OntrackEasyRecoveryTechnicianforWindows.exe" marked "%TEMP%\is-3J3AH.tmp\OntrackEasyRecoveryTechnicianforWindows.tmp" for deletion
"C:\OntrackEasyRecoveryTechnicianforWindows.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\is-3J3AH.tmp" for deletion
"%PROGRAMFILES%\(x86)\Ontrack\EasyRecovery\Ekag20nt.exe" marked "%ALLUSERSPROFILE%\Key-Base\27b48b2c.051" for deletion
"%PROGRAMFILES%\(x86)\Ontrack\EasyRecovery\Ekag20nt.exe" marked "%ALLUSERSPROFILE%\Key-Base" for deletion
"%PROGRAMFILES%\(x86)\Ontrack\EasyRecovery\Ekag20nt.exe" marked "%ALLUSERSPROFILE%\Key-Base\27b48b2c.051\CODE.PKD" for deletion
"%PROGRAMFILES%\(x86)\Ontrack\EasyRecovery\Ekag20nt.exe" marked "%ALLUSERSPROFILE%\Key-Base\27b48b2c.051\CODE.PK_" for deletion
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1107

Opens file with deletion access rights
- details:
"OntrackEasyRecoveryTechnicianforWindows.exe" opened "%TEMP%\is-3J3AH.tmp\OntrackEasyRecoveryTechnicianforWindows.tmp" with delete access
"OntrackEasyRecoveryTechnicianforWindows.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\is-3J3AH.tmp" with delete access
"OntrackEasyRecoveryTechnicianforWindows.tmp" opened "C:\Program Files (x86)\Ontrack\EasyRecovery\is-HPT32.tmp" with delete access
"OntrackEasyRecoveryTechnicianforWindows.tmp" opened "C:\Program Files (x86)\Ontrack\EasyRecovery\is-TSFS8.tmp" with delete access
"OntrackEasyRecoveryTechnicianforWindows.tmp" opened "C:\Program Files (x86)\Ontrack\EasyRecovery\is-A2BMC.tmp" with delete access
"OntrackEasyRecoveryTechnicianforWindows.tmp" opened "C:\Program Files (x86)\Ontrack\EasyRecovery\is-K0K69.tmp" with delete access
"OntrackEasyRecoveryTechnicianforWindows.tmp" opened "C:\Program Files (x86)\Ontrack\EasyRecovery\is-5HPO1.tmp" with delete access
"OntrackEasyRecoveryTechnicianforWindows.tmp" opened "C:\Program Files (x86)\Ontrack\EasyRecovery\is-TJ4S1.tmp" with delete access
"OntrackEasyRecoveryTechnicianforWindows.tmp" opened "C:\Program Files (x86)\Ontrack\EasyRecovery\is-66H8C.tmp" with delete access
"OntrackEasyRecoveryTechnicianforWindows.tmp" opened "C:\Program Files (x86)\Ontrack\EasyRecovery\is-K6UV8.tmp" with delete access
"OntrackEasyRecoveryTechnicianforWindows.tmp" opened "C:\Program Files (x86)\Ontrack\EasyRecovery\is-67QG0.tmp" with delete access
"OntrackEasyRecoveryTechnicianforWindows.tmp" opened "C:\Program Files (x86)\Ontrack\EasyRecovery\is-LBUQT.tmp" with delete access
"OntrackEasyRecoveryTechnicianforWindows.tmp" opened "C:\Program Files (x86)\Ontrack\EasyRecovery\is-FV25O.tmp" with delete access
"OntrackEasyRecoveryTechnicianforWindows.tmp" opened "C:\Program Files (x86)\Ontrack\EasyRecovery\is-5IV17.tmp" with delete access
"OntrackEasyRecoveryTechnicianforWindows.tmp" opened "C:\Program Files (x86)\Ontrack\EasyRecovery\is-A9K4O.tmp" with delete access
"OntrackEasyRecoveryTechnicianforWindows.tmp" opened "C:\Program Files (x86)\Ontrack\EasyRecovery\is-VSTPK.tmp" with delete access
"OntrackEasyRecoveryTechnicianforWindows.tmp" opened "C:\Program Files (x86)\Ontrack\EasyRecovery\is-PIMI9.tmp" with delete access
"OntrackEasyRecoveryTechnicianforWindows.tmp" opened "C:\Program Files (x86)\Ontrack\EasyRecovery\is-R24US.tmp" with delete access
"OntrackEasyRecoveryTechnicianforWindows.tmp" opened "C:\Program Files (x86)\Ontrack\EasyRecovery\is-VLHK0.tmp" with delete access
"OntrackEasyRecoveryTechnicianforWindows.tmp" opened "C:\Program Files (x86)\Ontrack\EasyRecovery\is-7JGCT.tmp" with delete access
- source: API Call
- relevance: 7/10

System Security

Modifies proxy settings
- details:
"OntrackEasyRecoveryTechnicianforWindows.tmp" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"OntrackEasyRecoveryTechnicianforWindows.tmp" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1112

Queries sensitive IE security settings
- details: "OntrackEasyRecoveryTechnicianforWindows.tmp" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source: Registry Access
- relevance: 8/10
- ATT&CK ID: T1012

Unusual Characteristics

Imports suspicious APIs
- details:
GetVersionExA
GetModuleFileNameA
LoadLibraryA
GetCommandLineA
GetProcAddress
GetModuleHandleA
WriteFile
GetStartupInfoA
TerminateProcess
CreateFileA
VirtualAlloc
GetWindowThreadProcessId
- source: Static Parser
- relevance: 1/10

Installs hooks/patches the running process
- details:
"OntrackEasyRecoveryTechnicianforWindows.exe" wrote bytes "711177027a3b7602ab8b02007f950200fc8c0200729602006cc805001ecd73027d267302" to virtual address "0x753107E4" (part of module "USER32.DLL")
"OntrackEasyRecoveryTechnicianforWindows.tmp" wrote bytes "d055367664733f760000000051c1ff769498ff76ee9cff7675dc0177273e01770fb305770000000085485077698750770f775277d9175077ead75177a9345077f8115077201450770c115077f516507754145077ff1050773214507700000000" to virtual address "0x74231000" (part of module "SHFOLDER.DLL")
"OntrackEasyRecoveryTechnicianforWindows.tmp" wrote bytes "f8115077201450770c115077f5165077a911507785485077b9345077a93450776834507700000000a56b2676e4852676e04d26769cc02676a3bf267692ae26760c7d267600000000" to virtual address "0x74241000" (part of module "MSIMG32.DLL")
"OntrackEasyRecoveryTechnicianforWindows.tmp" wrote bytes "b4360200" to virtual address "0x752C4D68" (part of module "SSPICLI.DLL")
"OntrackEasyRecoveryTechnicianforWindows.tmp" wrote bytes "b4360200" to virtual address "0x752C4EA4" (part of module "SSPICLI.DLL")
"OntrackEasyRecoveryTechnicianforWindows.tmp" wrote bytes "b4362c75" to virtual address "0x752D01E4" (part of module "SSPICLI.DLL")
"OntrackEasyRecoveryTechnicianforWindows.tmp" wrote bytes "d83a2c75" to virtual address "0x752D01E0" (part of module "SSPICLI.DLL")
"OntrackEasyRecoveryTechnicianforWindows.tmp" wrote bytes "b4362c75" to virtual address "0x752D0200" (part of module "SSPICLI.DLL")
"OntrackEasyRecoveryTechnicianforWindows.tmp" wrote bytes "b4362c75" to virtual address "0x752D025C" (part of module "SSPICLI.DLL")
"OntrackEasyRecoveryTechnicianforWindows.tmp" wrote bytes "d83a2c75" to virtual address "0x752D01FC" (part of module "SSPICLI.DLL")
"OntrackEasyRecoveryTechnicianforWindows.tmp" wrote bytes "b84013bf73ffe0" to virtual address "0x752C3AD8" (part of module "SSPICLI.DLL")
"OntrackEasyRecoveryTechnicianforWindows.tmp" wrote bytes "d83a0200" to virtual address "0x752C4E38" (part of module "SSPICLI.DLL")
"OntrackEasyRecoveryTechnicianforWindows.tmp" wrote bytes "d83a0200" to virtual address "0x752C4D78" (part of module "SSPICLI.DLL")
"OntrackEasyRecoveryTechnicianforWindows.tmp" wrote bytes "711177027a3b7602ab8b02007f950200fc8c0200729602006cc805001ecd73027d267302" to virtual address "0x753107E4" (part of module "USER32.DLL")
"OntrackEasyRecoveryTechnicianforWindows.tmp" wrote bytes "75dc0177273e017751c1ff76ee9cff769498ff760fb305771099ff769097ff7600000000f5165077ead75177d9175077698750770f7752770c115077a934507720145077f8115077ff10507700000000" to virtual address "0x7415E000" (part of module "MSLS31.DLL")
"OntrackEasyRecoveryTechnicianforWindows.tmp" wrote bytes "d83a2c75" to virtual address "0x752D0258" (part of module "SSPICLI.DLL")
"OntrackEasyRecoveryTechnicianforWindows.tmp" wrote bytes "b4362c75" to virtual address "0x752D0278" (part of module "SSPICLI.DLL")
"OntrackEasyRecoveryTechnicianforWindows.tmp" wrote bytes "b83012bf73ffe0" to virtual address "0x761D1368" (part of module "WS2_32.DLL")
"OntrackEasyRecoveryTechnicianforWindows.tmp" wrote bytes "c0dfa2771cf9a177ccf8a1770d64a37700000000c011507700000000fc3e507700000000e0135077000000009457687525e0a277c6e0a27700000000bc6a677500000000cf3150770000000093196875000000002c32507700000000" to virtual address "0x75B71000" (part of module "NSI.DLL")
"OntrackEasyRecoveryTechnicianforWindows.tmp" wrote bytes "b8c015bf73ffe0" to virtual address "0x752C36B4" (part of module "SSPICLI.DLL")
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1179

Reads information about supported languages
- details:
"OntrackEasyRecoveryTechnicianforWindows.tmp" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"OERLauncher.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"Ekag20nt.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012

Hiding 4 Suspicious Indicators (all indicators are available only in the private webservice or standalone version)

Informative 21

Environment Awareness

Queries volume information
- details:
"OntrackEasyRecoveryTechnicianforWindows.tmp" queries volume information of "C:\" at 00038328-00003304-00000046-240146939168
"OntrackEasyRecoveryTechnicianforWindows.tmp" queries volume information of "%PROGRAMFILES%\(x86)\Ontrack\EasyRecovery\OERLauncher.exe" at 00038328-00003304-00000046-240187130582
"OntrackEasyRecoveryTechnicianforWindows.tmp" queries volume information of "C:\" at 00038328-00003304-00000046-241128405749
"OntrackEasyRecoveryTechnicianforWindows.tmp" queries volume information of "%PROGRAMFILES%\(x86)\Ontrack\EasyRecovery\unins000.exe" at 00038328-00003304-00000046-241129943734
"OntrackEasyRecoveryTechnicianforWindows.tmp" queries volume information of "C:\" at 00038328-00003304-00000046-242069248538
"OntrackEasyRecoveryTechnicianforWindows.tmp" queries volume information of "%PROGRAMFILES%\(x86)\Ontrack\EasyRecovery\OERLauncher.exe" at 00038328-00003304-00000046-242071353867
- source: API Call
- relevance: 2/10
- ATT&CK ID: T1120

Queries volume information of an entire hard drive
- details:
"OntrackEasyRecoveryTechnicianforWindows.tmp" queries volume information of "C:\" at 00038328-00003304-00000046-240146939168
"OntrackEasyRecoveryTechnicianforWindows.tmp" queries volume information of "C:\" at 00038328-00003304-00000046-241128405749
"OntrackEasyRecoveryTechnicianforWindows.tmp" queries volume information of "C:\" at 00038328-00003304-00000046-242069248538
- source: API Call
- relevance: 8/10
- ATT&CK ID: T1120

Reads the registry for installed applications
- details:
"OntrackEasyRecoveryTechnicianforWindows.tmp" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ONTRACK EASYRECOVERY TECHNICIAN FOR WINDOWS_IS1")
"OntrackEasyRecoveryTechnicianforWindows.tmp" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\ONTRACK EASYRECOVERY TECHNICIAN FOR WINDOWS_IS1")
"OntrackEasyRecoveryTechnicianforWindows.tmp" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\ONTRACKEASYRECOVERYTECHNICIANFORWINDOWS.TMP")
"OntrackEasyRecoveryTechnicianforWindows.tmp" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\ONTRACKEASYRECOVERYTECHNICIANFORWINDOWS.TMP")
"OntrackEasyRecoveryTechnicianforWindows.tmp" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\OERLAUNCHER.EXE")
"OntrackEasyRecoveryTechnicianforWindows.tmp" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\OERLAUNCHER.EXE")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012

External Systems

Sample was identified as clean by Antivirus engines
- details: 0/66 Antivirus vendors marked sample as malicious (0% detection rate)
- source: External System
- relevance: 10/10

General

Creates a writable file in a temporary directory
- details:
"OntrackEasyRecoveryTechnicianforWindows.exe" created file "%TEMP%\is-3J3AH.tmp\OntrackEasyRecoveryTechnicianforWindows.tmp"
"OntrackEasyRecoveryTechnicianforWindows.tmp" created file "%TEMP%\is-185NF.tmp\_isetup\_setup64.tmp"
"OntrackEasyRecoveryTechnicianforWindows.tmp" created file "%TEMP%\is-185NF.tmp\_isetup\_shfoldr.dll"
- source: API Call
- relevance: 1/10

Creates mutants
- details:
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"Local\ZonesCacheCounterMutex"
"Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\DBWinMutex"
"DBWinMutex"
"\Sessions\1\BaseNamedObjects\EKAN0200906578FD5A69"
"EKAN0200906578FD5A69"
- source: Created Mutant
- relevance: 3/10

Drops files marked as clean
- details:
Antivirus vendors marked dropped file "is-BDNF5.tmp" as clean (type is "Qt Translation file")
Antivirus vendors marked dropped file "is-U0O7S.tmp" as clean (type is "Qt Translation file")
Antivirus vendors marked dropped file "is-GRDU7.tmp" as clean (type is "Qt Translation file")
Antivirus vendors marked dropped file "is-PI7A7.tmp" as clean (type is "Qt Translation file")
- source: Binary File
- relevance: 10/10

Loads rich edit control libraries
- details: "OntrackEasyRecoveryTechnicianforWindows.tmp" loaded module "%WINDIR%\SysWOW64\riched20.dll" at 74170000
- source: Loaded Module
- ATT&CK ID: T1179

Overview of unique CLSIDs touched in registry
- details:
"OntrackEasyRecoveryTechnicianforWindows.tmp" touched "Computer" (Path: "HKCU\WOW6432NODE\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
"OntrackEasyRecoveryTechnicianforWindows.tmp" touched "Memory Mapped Cache Mgr" (Path: "HKCU\WOW6432NODE\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}")
"OntrackEasyRecoveryTechnicianforWindows.tmp" touched "UsersFiles" (Path: "HKCU\WOW6432NODE\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\SHELLFOLDER")
"OntrackEasyRecoveryTechnicianforWindows.tmp" touched "delegate folder that appears in Users Files Folder" (Path: "HKCU\WOW6432NODE\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\SHELLFOLDER")
"OntrackEasyRecoveryTechnicianforWindows.tmp" touched "Shell File System Folder" (Path: "HKCU\WOW6432NODE\CLSID\{0E5AAE11-A475-4C5B-AB00-C66DE400274E}\INPROCSERVER32")
"OntrackEasyRecoveryTechnicianforWindows.tmp" touched "Shortcut" (Path: "HKCU\WOW6432NODE\CLSID\{00021401-0000-0000-C000-000000000046}\TREATAS")
"OntrackEasyRecoveryTechnicianforWindows.tmp" touched "Security Manager" (Path: "HKCU\WOW6432NODE\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\TREATAS")
"Ekag20nt.exe" touched "WBEM Locator" (Path: "HKCU\WOW6432NODE\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}")
"Ekag20nt.exe" touched "Windows Management and Instrumentation" (Path: "HKCU\WOW6432NODE\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}")
"Ekag20nt.exe" touched "PSFactoryBuffer" (Path: "HKCR\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}")
"Ekag20nt.exe" touched "Microsoft WBEM Call Context" (Path: "HKCU\WOW6432NODE\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\TREATAS")
"Ekag20nt.exe" touched "Microsoft WBEM (non)Standard Marshaling for IWbemServices" (Path: "HKCU\WOW6432NODE\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TREATAS")
"Ekag20nt.exe" touched "Microsoft WBEM (non)Standard Marshaling for IEnumWbemClassObject" (Path: "HKCU\WOW6432NODE\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TREATAS")
- source: Registry Access
- relevance: 3/10

Process launched with changed environment
- details:
Process "OERLauncher.exe" was launched with new environment variables: "PROCESSOR_ARCHITEW6432="AMD64", PROMPT="$P$G", VXDIR="C:\VxStream""
Process "OERLauncher.exe" was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles"
Process "Ekag20nt.exe" was launched with new environment variables: "__COMPAT_LAYER="RunAsAdmin ElevateCreateProcess""
- source: Monitored Target
- relevance: 10/10

Scanning for window names
- details: "OERLauncher.exe" searching for class "TFormMain"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1010

Spawns new processes
- details:
Spawned process "OntrackEasyRecoveryTechnicianforWindows.tmp" with commandline "/SL5="$6023C,62362865,170496,C:\OntrackEasyRecoveryTechnicianfor ..."
Spawned process "OERLauncher.exe"
Spawned process "Ekag20nt.exe" with commandline "0200906578FD5A69 0"
- source: Monitored Target
- relevance: 3/10

Spawns new processes that are not known child processes
- details:
Spawned process "OntrackEasyRecoveryTechnicianforWindows.tmp" with commandline "/SL5="$6023C,62362865,170496,C:\OntrackEasyRecoveryTechnicianfor ..."
Spawned process "OERLauncher.exe"
Spawned process "Ekag20nt.exe" with commandline "0200906578FD5A69 0"
- source: Monitored Target
- relevance: 3/10

The input sample is signed with a certificate
- details:
The input sample is signed with a certificate issued by "C=US, S=Minnesota, L=Eden Prairie, O="Kroll Ontrack, LLC", CN="Kroll Ontrack, LLC"" (SHA1: C0:0A:44:CE:DF:D0:57:E8:4D:FE:3C:F2:18:D5:15:84:45:AD:D9:AF (1.2.840.113549.1.1.11); see report for more information)
The input sample is signed with a certificate issued by "C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA" (SHA1: 00:77:90:F6:56:1D:AD:89:B0:BC:D8:55:85:76:24:95:E3:58:F8:A5 (1.2.840.113549.1.1.11); see report for more information)
The input sample is signed with a certificate issued by "C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="c 2006 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G5" (SHA1: 4E:B6:D5:78:49:9B:1C:CF:5F:58:1E:AD:56:BE:3D:9B:67:44:A5:E5 (sha1RSA(RSA)); see report for more information)
- source: Certificate Data
- relevance: 10/10
- ATT&CK ID: T1116

The input sample is signed with a valid certificate
- details: The entire certificate chain of the input sample was validated successfully.
- source: Certificate Data
- relevance: 10/10

Installation/Persistence

Connects to LPC ports
- details:
"OntrackEasyRecoveryTechnicianforWindows.exe" connecting to "\ThemeApiPort"
"OntrackEasyRecoveryTechnicianforWindows.tmp" connecting to "\ThemeApiPort"
"OERLauncher.exe" connecting to "\ThemeApiPort"
"Ekag20nt.exe" connecting to "\ThemeApiPort"
- source: API Call
- relevance: 1/10

Dropped files
- details:
"Ontrackr EasyRecoveryT Technician for Windows .lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Archive ctime=Mon Feb 4 16:59:00 2019 mtime=Mon Feb 4 16:59:00 2019 atime=Thu Jan 10 23:14:54 2019 length=8991128 window=hide"
"Ontrackr EasyRecoveryT Technician for Windows.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Archive ctime=Mon Feb 4 16:59:00 2019 mtime=Mon Feb 4 16:59:00 2019 atime=Thu Jan 10 23:14:54 2019 length=8991128 window=hide"
"Uninstall Ontrackr EasyRecoveryT Technician for Windows .lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Mon Feb 4 16:43:00 2019 mtime=Mon Feb 4 16:43:00 2019 atime=Mon Feb 4 15:18:00 2019 length=1211327 window=hide"
"is-BDNF5.tmp" has type "Qt Translation file"
"is-U0O7S.tmp" has type "Qt Translation file"
"is-3D56S.tmp" has type "Qt Translation file"
"is-JLUS9.tmp" has type "MS Windows HtmlHelp Data"
"is-Q75B7.tmp" has type "Qt Translation file"
"is-29LO0.tmp" has type "XML 1.0 document UTF-8 Unicode text with very long lines"
"is-PIMI9.tmp" has type "PDF document version 1.5"
"is-GRDU7.tmp" has type "Qt Translation file"
"is-PI7A7.tmp" has type "Qt Translation file"
"is-TSFS8.tmp" has type "ASCII text with CRLF line terminators"
"is-PVU8Q.tmp" has type "Qt Translation file"
"is-9PLOO.tmp" has type "Qt Translation file"
"is-R0JBI.tmp" has type "Qt Translation file"
"is-Q97NJ.tmp" has type "Qt Translation file"
"is-B23VB.tmp" has type "Qt Translation file"
"is-A2BMC.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"is-O6REQ.tmp" has type "XML 1.0 document UTF-8 Unicode text with very long lines"
- source: Binary File
- relevance: 3/10

Touches files in the Windows directory
- details:
"OntrackEasyRecoveryTechnicianforWindows.exe" touched file "C:\Windows\SysWOW64\en-US\KernelBase.dll.mui"
"OntrackEasyRecoveryTechnicianforWindows.exe" touched file "C:\Windows\syswow64\en\KERNELBASE.dll.mui"
"OntrackEasyRecoveryTechnicianforWindows.exe" touched file "C:\Windows\SysWOW64\netmsg.dll"
"OntrackEasyRecoveryTechnicianforWindows.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"OntrackEasyRecoveryTechnicianforWindows.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
"OntrackEasyRecoveryTechnicianforWindows.tmp" touched file "C:\Windows\Fonts\StaticCache.dat"
"OntrackEasyRecoveryTechnicianforWindows.tmp" touched file "C:\Windows\SysWOW64\en-US\user32.dll.mui"
"OntrackEasyRecoveryTechnicianforWindows.tmp" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"OntrackEasyRecoveryTechnicianforWindows.tmp" touched file "C:\Windows\SysWOW64\en-US\KernelBase.dll.mui"
"OntrackEasyRecoveryTechnicianforWindows.tmp" touched file "C:\Windows\syswow64\en\KERNELBASE.dll.mui"
"OntrackEasyRecoveryTechnicianforWindows.tmp" touched file "C:\Windows\SysWOW64\netmsg.dll"
"OntrackEasyRecoveryTechnicianforWindows.tmp" touched file "C:\Windows\SysWOW64\en-US\msctf.dll.mui"
"OntrackEasyRecoveryTechnicianforWindows.tmp" touched file "C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_581cd2bf5825dde9\comctl32.dll.mui"
"OntrackEasyRecoveryTechnicianforWindows.tmp" touched file "C:\Windows\SysWOW64\shfolder.dll"
"OntrackEasyRecoveryTechnicianforWindows.tmp" touched file "C:\Windows\SysWOW64\imageres.dll"
"OntrackEasyRecoveryTechnicianforWindows.tmp" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"OntrackEasyRecoveryTechnicianforWindows.tmp" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
- source: API Call
- relevance: 7/10

Network Related

Found potential URL in binary/memory
- details:
Pattern match: "http://schemas.microsoft.com/SMI/2"
Heuristic match: "Xa)0PP.gM"
Heuristic match: ";&;^`8E.mm"
Heuristic match: ",EJMi.rE"
Heuristic match: "+:Xg3<.AC"
Heuristic match: "96bkuW.pt"
Pattern match: "https://www.krollontrack.com/shop/"
Pattern match: "https://www.krollontrack.com/products/data-recovery-software/upgrade"
Pattern match: "https://www.krollontrack.com/products/data-recovery-software/upgrade/OntrackEasyRecoveryt/"
Heuristic match: "techsupport@krollontrack.com"
Pattern match: "https://www.ontrack.com/services/data-recovery/global-contact/"
Pattern match: "https://www.ontrack.com/services/data-recovery/data-recovery-quote/?utm_source=oer&utm_medium=offline&utm_campaign=in-product"
Pattern match: "https://www.ontrack.fr/shop/"
Pattern match: "https://www.ontrack.fr/recuperation-donnees/logiciel/upgrade"
Heuristic match: "logiciel@ontrack.fr"
Pattern match: "https://www.ontrack.com/fr/recuperation-donnees/devis/?utm_source=oer&utm_medium=offline&utm_campaign=in-product"
Pattern match: "https://www.krollontrack.de/shop/"
Pattern match: "https://www.krollontrack.de/produkte/datenrettung-software/upgrade"
Heuristic match: "support@krollontrack.de"
Pattern match: "https://www.ontrack.com/de/datenrettung/anfrage-datenrettung/?utm_source=oer&utm_medium=offline&utm_campaign=in-product"
Pattern match: "https://www.ontrackdatarecovery.it/shop/"
Pattern match: "https://www.ontrackdatarecovery.it/software-recupero-dati/software-per-recupero-dati/upgrade"
Pattern match: "https://www.ontrack.com/it/recupero-dati/richiesta-preventivo/?utm_source=oer&utm_medium=offline&utm_campaign=in-product"
Pattern match: "https://www.ontrackdatarecovery.es/shop"
Pattern match: "https://www.ontrackdatarecovery.es/productos/upgrade"
Heuristic match: "soporte@ontrack.es"
Pattern match: "https://www.ontrack.com/es/recuperacion-de-datos/presupuestos/?utm_source=oer&utm_medium=offline&utm_campaign=in-product"
Pattern match: "http://www.stellarinfo.com"
- source: File/Memory
- relevance: 10/10

System Security

Opens the Kernel Security Device Driver (KsecDD) of Windows
- details:
"OntrackEasyRecoveryTechnicianforWindows.tmp" opened "\Device\KsecDD"
"OERLauncher.exe" opened "\Device\KsecDD"
"Ekag20nt.exe" opened "\Device\KsecDD"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1215

Unusual Characteristics

Matched Compiler/Packer signature
- details: "is-A2BMC.tmp" was detected as "Armadillo v1.xx - v2.xx"
- source: Static Parser
- relevance: 10/10
- ATT&CK ID: T1002

File Details

OntrackEasyRecoveryTechnicianforWindows.exe
- Filename: OntrackEasyRecoveryTechnicianforWindows.exe
- Size: 60MiB (62884504 bytes)
- Type: peexe executable
- Description: PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture: WINDOWS
- SHA256: c9511f84fd204fb6ff9b79a523050fac4a96e74b50193ad0d7aee74057e90c15
- MD5: 986b51d43135c0511e48003a78b4bed9
- SHA1: c4cdf3faafbc2f0c8c5699a4f554731e6f736ba1

File Certificates
Certificate chain was successfully validated.
Owner | Issuer | Validity | Hashes (MD5, SHA1) |
---|---|---|---|
C=US, S=Minnesota, L=Eden Prairie, O="Kroll Ontrack, LLC", CN="Kroll Ontrack, LLC" | C=US, S=Minnesota, L=Eden Prairie, O="Kroll Ontrack, LLC", CN="Kroll Ontrack, LLC" Serial: 39434db7974181c41bc60b187d76faeb | 03/20/2018 01:00:00 to 03/20/2020 00:59:59 | C0:0A:44:CE:DF:D0:57:E8:4D:FE:3C:F2:18:D5:15:84:45:AD:D9:AF: (1.2.840.113549.1.1.11) |
C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA | C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 SHA256 Code Signing CA Serial: 3d78d7f9764960b2617df4f01eca862a | 12/10/2013 01:00:00 to 12/10/2023 00:59:59 | 00:77:90:F6:56:1D:AD:89:B0:BC:D8:55:85:76:24:95:E3:58:F8:A5: (1.2.840.113549.1.1.11) |
C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="c 2006 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G5 | C=US, O="VeriSign, Inc.", OU=VeriSign Trust Network, OU="c 2006 VeriSign, Inc. - For authorized use only", CN=VeriSign Class 3 Public Primary Certification Authority - G5 Serial: 18dad19e267de8bb4a2158cdcc6b3b4a | 11/08/2006 01:00:00 to 07/17/2036 00:59:59 | 4E:B6:D5:78:49:9B:1C:CF:5F:58:1E:AD:56:BE:3D:9B:67:44:A5:E5: (sha1RSA(RSA)) |
Screenshots
Hybrid Analysis
Analysed 4 processes in total (System Resource Monitor).
- OntrackEasyRecoveryTechnicianforWindows.exe (PID: 2652)
- OntrackEasyRecoveryTechnicianforWindows.tmp /SL5="$6023C,62362865,170496,C:\OntrackEasyRecoveryTechnicianforWindows.exe" (PID: 3304)
- OERLauncher.exe (PID: 2352)
- Ekag20nt.exe 0200906578FD5A69 0 (PID: 1484)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Displaying 23 extracted file(s). The remaining 136 file(s) are available in the full version and XML/JSON reports.
Informative Selection 1
is-8HVSI.tmp
- Size
- 115KiB (117335 bytes)
- Type
- unknown
- Description
- Qt Translation file
- Runtime Process
- OntrackEasyRecoveryTechnicianforWindows.tmp (PID: 3304)
- MD5
- 24f25891971cf25aa8230ba3f98c4c85
- SHA1
- 622f6c1e848781d86e13ffdc785b6eace8c4f2f6
- SHA256
- 1e524b7aba1cbcd4df6519347701bcf771cf0ca7cbb1e053f0b3d65384281872
Informative 22
CODE.PKD
- Size
- 512B (512 bytes)
- Runtime Process
- Ekag20nt.exe (PID: 1484)
- MD5
- de15af41d8d46f2e40b4b120a7f2cde8
- SHA1
- 6ca68e96fe0cf375bd3296190cde555e62b9140c
- SHA256
- cca726a2bd0253bec38fbe82f0157c850a9ca9473c857287f53e1ff5121f05c6
-
CODE.PK_
- Size
- 512B (512 bytes)
- Runtime Process
- Ekag20nt.exe (PID: 1484)
- MD5
- de15af41d8d46f2e40b4b120a7f2cde8
- SHA1
- 6ca68e96fe0cf375bd3296190cde555e62b9140c
- SHA256
- cca726a2bd0253bec38fbe82f0157c850a9ca9473c857287f53e1ff5121f05c6
-
is-3FOH7.tmp
- Size
- 284KiB (290733 bytes)
- Runtime Process
- OntrackEasyRecoveryTechnicianforWindows.tmp (PID: 3304)
- MD5
- 6c01ad89d3c1be2f4acb0e7d591fccdb
- SHA1
- b229fdffa459ed15def2eed94ba8f09e21417935
- SHA256
- 4d00a66d936a9b493709e4d8095f4710287f7ca74ae7c020302e5ff76528d40d
-
is-C389F.tmp
- Size
- 53KiB (54702 bytes)
- Runtime Process
- OntrackEasyRecoveryTechnicianforWindows.tmp (PID: 3304)
- MD5
- 9700864bf7ffe133b16178a85a47f9d1
- SHA1
- 29dd2c339c7d0fa1bb5a645645429cfd50573dad
- SHA256
- 1a04b42cdd9146883df151c73a09bdca666f41b07aaaadefd067a51a194a709a
-
is-J0DNG.tmp
- Size
- 35KiB (35476 bytes)
- Runtime Process
- OntrackEasyRecoveryTechnicianforWindows.tmp (PID: 3304)
- MD5
- 184a335cf771c3a6b8040f49641f695b
- SHA1
- dbe2081275ccd46f48dfd8eb3fdd07c69d95f3eb
- SHA256
- a2fb8bf229b4cf183fc9b7444fb0007381ad6c43c50dfd6ea1576d054afe96c4
-
is-VOQUD.tmp
- Size
- 35KiB (35454 bytes)
- Runtime Process
- OntrackEasyRecoveryTechnicianforWindows.tmp (PID: 3304)
- MD5
- e7a55ef5d96c9ec209dd6a144a4b49bc
- SHA1
- 3e84f1df49ed3c184daf14da03812e91bb7f690d
- SHA256
- 722da692bdd1f65d18eed31d4bf5d1c70ab39367c19beae2d29f855e58a009db
-
is-GNRD4.tmp
- Size
- 271KiB (277000 bytes)
- Runtime Process
- OntrackEasyRecoveryTechnicianforWindows.tmp (PID: 3304)
- MD5
- 6f2a07fcaab80aef39560a9b0a3713ed
- SHA1
- 48db095df1413adc253a2c7d78f1649d7603efeb
- SHA256
- 10f1e823dc1a76bf7a28a7cca5ba1f9b539f3efefdc9f21edf53148e29fcb156
-
is-M9VRF.tmp
- Size
- 36KiB (37234 bytes)
- Runtime Process
- OntrackEasyRecoveryTechnicianforWindows.tmp (PID: 3304)
- MD5
- a9807aeede2e8ec4f1ed790f23e9dfa9
- SHA1
- 868e6482a60501a3abb6a328dab3a8649726714b
- SHA256
- 787ec3522e24014d5d0690c55c41231af1dc077fbff950e41faa77c81c08a452
-
is-O6REQ.tmp
- Size
- 270KiB (276520 bytes)
- Type
- text
- Description
- XML 1.0 document, UTF-8 Unicode text, with very long lines
- Runtime Process
- OntrackEasyRecoveryTechnicianforWindows.tmp (PID: 3304)
- MD5
- 8179d3c021b56df4eca0e97d5cd67bb7
- SHA1
- 16bde9f73cec9a8f3baeaa7e9fa5d00011840f7d
- SHA256
- 348bcc71b9627dd87943c77f583d9eb556fef3e5faf8f5c9fb35386c7622feb5
-
is-QJLVJ.tmp
- Size
- 37KiB (38194 bytes)
- Runtime Process
- OntrackEasyRecoveryTechnicianforWindows.tmp (PID: 3304)
- MD5
- fc13624b1ae6eac9dd417475418923a9
- SHA1
- f813f04669d22dd26cdeaab3baf1af83a7f7e299
- SHA256
- 2a5f7a9898b4b7ad51a9079e0e64de2f23c3af56af1c69400e458304b6a8709b
-
is-V0ADN.tmp
- Size
- 86KiB (88118 bytes)
- Runtime Process
- OntrackEasyRecoveryTechnicianforWindows.tmp (PID: 3304)
- MD5
- faf368467184463e35ac2f0fb3ca178c
- SHA1
- 081a7d99a21a046e4d2fef587d784de83275aca4
- SHA256
- cb71ea71eda4d5c5439e1ca68de613359d49cd7a22d3fce7e4e734c7f54579cf
-
is-8HTSN.tmp
- Size
- 53KiB (54494 bytes)
- Runtime Process
- OntrackEasyRecoveryTechnicianforWindows.tmp (PID: 3304)
- MD5
- ab24b4b10f2fe4b320e96b91227e4b1d
- SHA1
- afb89e0011e261c162f3c89b732f346ad84a07f2
- SHA256
- 018cb6001e267de6ffa5e85675b091cfa6528a5cad8929f1cd1564cac32af108
-
is-OLU1H.tmp
- Size
- 7.3KiB (7433 bytes)
- Runtime Process
- OntrackEasyRecoveryTechnicianforWindows.tmp (PID: 3304)
- MD5
- f14abaa5068ee75120f4bc175c86d9f3
- SHA1
- a63439ea2d5ab11db0444d44c7049631ec7bdbc3
- SHA256
- 599a60177641478879fe1710288f90007b82c5868d08d09938ba4676435d2508
-
is-SD59T.tmp
- Size
- 54KiB (54974 bytes)
- Runtime Process
- OntrackEasyRecoveryTechnicianforWindows.tmp (PID: 3304)
- MD5
- 7783f52049f6f8b7c6f986f0d3ac392c
- SHA1
- fc8c2362f96ee1e24f20e890d85a31dec1bd580c
- SHA256
- e5172e75b6f23882e336c136be59fac245345b1833ad0e26e23d602a19256ecb
-
is-VPOM0.tmp
- Size
- 6.3KiB (6473 bytes)
- Runtime Process
- OntrackEasyRecoveryTechnicianforWindows.tmp (PID: 3304)
- MD5
- 6ae7d647ec9caa6628c9065934c63840
- SHA1
- 34e80dce7f6e3dcc8c1074f2ce1f5ff1e5406745
- SHA256
- 7dbbb557ee04d760e8c908e41d84c4c47643a4cecc22996633c7e594e734b725
-
is-99I4T.tmp
- Size
- 37KiB (38210 bytes)
- Runtime Process
- OntrackEasyRecoveryTechnicianforWindows.tmp (PID: 3304)
- MD5
- 82dae60d5fb8afc3b0b873063997ae87
- SHA1
- 747844bbe92d2a515f4f1b39641c6268eb037b0d
- SHA256
- cd969f2b41033c2e8eed7d510c0e9826d1933f0543fae887fe5803ebd5db1116
-
is-AU0PI.tmp
- Size
- 38KiB (39170 bytes)
- Runtime Process
- OntrackEasyRecoveryTechnicianforWindows.tmp (PID: 3304)
- MD5
- 80148d28855338ee05abb4fd6bcad523
- SHA1
- 71759e5c7a65e74a547c095b367783afc4d680c3
- SHA256
- 6085ddf13347a29850975e2c26af7914adb01e0bce8f7fb46fd9c9005d969cf2
-
is-JQG28.tmp
- Size
- 274KiB (280990 bytes)
- Runtime Process
- OntrackEasyRecoveryTechnicianforWindows.tmp (PID: 3304)
- MD5
- 8336e645d06abedbbc34baa29d0dadd0
- SHA1
- cda754bbd31634c44e7d68092ef081cabaa37d74
- SHA256
- a68a35dca19ec1fbba8aef44e39221ddbd15eaa1cf536a78e9fdff2f1305cbef
-
is-KO942.tmp
- Size
- 115KiB (117693 bytes)
- Runtime Process
- OntrackEasyRecoveryTechnicianforWindows.tmp (PID: 3304)
- MD5
- 3dcdef7515e8015e74fcd5bfa2f8f12d
- SHA1
- de4c74a660fd05f7aaae346f6f783d1385c4e71c
- SHA256
- 004c23b01b3848da1a5819336e99efb0341d4bd3316430ce26670a2429de63e4
-
Ontrackr EasyRecoveryT Technician for Windows .lnk
- Size
- 1.1KiB (1172 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Feb 4 16:59:00 2019, mtime=Mon Feb 4 16:59:00 2019, atime=Thu Jan 10 23:14:54 2019, length=8991128, window=hide
- MD5
- 565456f86518aee334813a4f8a09c957
- SHA1
- 1a9d2be52543d58266686059b5338813c43e29fb
- SHA256
- a738f70a75a6f951ba4c0d1bbabda5e187d0d265d59eb3d16ef90b8cc7136382
-
Ontrackr EasyRecoveryT Technician for Windows.lnk
- Size
- 1.2KiB (1190 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Feb 4 16:59:00 2019, mtime=Mon Feb 4 16:59:00 2019, atime=Thu Jan 10 23:14:54 2019, length=8991128, window=hide
- MD5
- 641678821386f75d63ed38e11aba3730
- SHA1
- 7f69dedea60fdf5ea2b6f0246f676f378b92dae1
- SHA256
- 0930b6c1aecf7a896c95599b835dd0fbe4c930b591d1bf99db32af3034fd5b3b
-
Uninstall Ontrackr EasyRecoveryT Technician for Windows .lnk
- Size
- 1.1KiB (1087 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Feb 4 16:43:00 2019, mtime=Mon Feb 4 16:43:00 2019, atime=Mon Feb 4 15:18:00 2019, length=1211327, window=hide
- MD5
- 59914d853c3f528fcc58a25cf317e769
- SHA1
- 8d845e576eeb21d0644e6aafc68414f2648770ae
- SHA256
- ccd2271a9f3946d5cde6b84752e9bb2673d6518791502143bd271bba9eea42fa
Notifications
Runtime
- Added comment to Virus Total report
- Network whitenoise filtering was applied
- No static analysis parsing on sample was performed
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-25" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-6" are available in the report
- Not all sources for indicator ID "api-70" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report