
FMAudit.Installer_4291_1788568944.exe

Status: finished
Submission Time: 2019-10-10 20:58:22 +02:00
Suspicious
Evader

Details

  • Analysis ID:
    182069
  • API (Web) ID:
    262837
  • Analysis Started:
    2019-10-10 20:59:22 +02:00
  • Analysis Finished:
    2019-10-10 21:30:14 +02:00
  • MD5:
    990623492a70d78ab6b8ccb860bd5353
  • SHA1:
    1d7bb30ff83e73e323ac9e07d4b3c815bc1a8546
  • SHA256:
    68569bf421ef91067ba9643d58e10eb17f0311253d3ee2790b51841786deed42
  • Technologies:
    Joe Sandbox

Engine detection
  • malicious

Run 1
  • Detection: suspicious
  • Score: 36
  • System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01

Run 2
  • Detection: suspicious
  • Score: 32
  • System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
  • Run Condition: Cmdline fuzzy

Third Party Analysis Engines

malicious

URLs


Dropped files

  • C:\Users\user\AppData\Local\Temp\9dxpj7op.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
    PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
  • C:\Users\user\AppData\Local\Temp\b_n2zuds.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\hlo9ibzm.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Program Files (x86)\FMAuditOnsite\fmaonsite.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Program Files (x86)\FMAuditOnsite\fmaonsite.exe.config
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\gwhv8oyf.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\RESE1B9.tmp
    data
  • C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\RESB4FC.tmp
    data
  • C:\Users\user\AppData\Local\Temp\RES8CE2.tmp
    data
  • C:\Users\user\AppData\Local\Temp\RES6AA5.tmp
    data
  • C:\Users\user\AppData\Local\Temp\RES304B.tmp
    data
  • C:\Users\user\AppData\Local\Temp\FMAudit.Installer_1788568944\vhzuwvy3.s1w
    XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, LF line terminators
  • C:\Users\user\AppData\Local\Temp\FMAudit.Installer_1788568944\net2euto.0nx
    PE32 executable (GUI) Intel 80386, for MS Windows
  • C:\Users\user\AppData\Local\Temp\FMAudit.Installer_1788568944\mwqt5vey.los
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\CSCE1B8.tmp
    MSVC .res
  • C:\Users\user\AppData\Local\Temp\CSCB4FB.tmp
    MSVC .res
  • C:\Users\user\AppData\Local\Temp\CSC8CE1.tmp
    MSVC .res
  • C:\Users\user\AppData\Local\Temp\CSC6AA4.tmp
    MSVC .res
  • C:\Users\user\AppData\Local\Temp\CSC304A.tmp
    MSVC .res
  • C:\Users\user\AppData\Local\Temp\9dxpj7op.out
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\hlo9ibzm.0.cs
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • \Device\ConDrv
    ASCII text, with CRLF line terminators
  • C:\Windows\assembly\Desktop.ini
    Windows desktop.ini, ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\ruo0dn4-.out
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\ruo0dn4-.dll
    PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Local\Temp\ruo0dn4-.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Temp\ruo0dn4-.0.cs
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\hlo9ibzm.out
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\hlo9ibzm.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Temp\_ir_sf_temp_0\irsetup.dat
    data
  • C:\Users\user\AppData\Local\Temp\gwhv8oyf.out
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\gwhv8oyf.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Temp\gwhv8oyf.0.cs
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\b_n2zuds.out
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\b_n2zuds.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
  • C:\Users\user\AppData\Local\Temp\b_n2zuds.0.cs
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\9dxpj7op.0.cs
    UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
  • C:\Program Files (x86)\FMAuditOnsite\Uninstall\fma.ico
    MS Windows icon resource - 6 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 8 bits/pixel, 48x48, 8 bits/pixel
  • C:\Program Files (x86)\FMAuditOnsite\Update.exe
    PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
  • C:\Program Files (x86)\FMAuditOnsite\Update.dat
    Zip archive data, at least v2.0 to extract
  • C:\Program Files (x86)\FMAuditOnsite\Uninstall\uninstall.xml
    XML 1.0 document, ISO-8859 text, with CRLF line terminators
  • C:\Program Files (x86)\FMAuditOnsite\Uninstall\uninstall.ico
    MS Windows icon resource - 1 icon, 16x16, 8 bits/pixel
  • C:\Program Files (x86)\FMAuditOnsite\Uninstall\uninstall.exe
    PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
  • C:\Program Files (x86)\FMAuditOnsite\Uninstall\uninstall.dat
    data
  • C:\Program Files (x86)\FMAuditOnsite\Uninstall\uniACD2.tmp
    data
  • C:\Program Files (x86)\FMAuditOnsite\Uninstall\lua5.1.dll
    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
  • C:\Program Files (x86)\FMAuditOnsite\Web\App_Data\Data.ldb
    data
  • C:\Program Files (x86)\FMAuditOnsite\Uninstall\JAMC_GetGUIDandUninstall.vbs
    ASCII text, with CRLF line terminators
  • C:\Program Files (x86)\FMAuditOnsite\Uninstall\IRIMG2.JPG
    [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS2 Windows, datetime=2008:07:08 14:20:15], baseline, precision 8, 166x312, frames 3
  • C:\Program Files (x86)\FMAuditOnsite\Uninstall\IRIMG1.JPG
    JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 497x63, frames 3
  • C:\Program Files (x86)\FMAuditOnsite\Uninstall\IRIMG1.BMP
    PC bitmap, Windows 3.x format, 164 x 314 x 24
  • C:\Program Files (x86)\FMAuditOnsite\Setup Log.txt
    ASCII text, with CRLF line terminators
  • C:\Program Files (x86)\FMAuditOnsite\Log.txt
    ASCII text, with CRLF line terminators
  • C:\Program Files (x86)\FMAuditOnsite\License.lic
    XML 1.0 document, ASCII text, with very long lines
  • C:\Program Files (x86)\FMAuditOnsite\InstallUtil.InstallLog
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FMAudit Onsite\FMAudit Onsite.lnk
    MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Thu Nov 29 12:28:01 2018, mtime=Thu Nov 29 12:28:01 2018, atime=Thu Nov 29 12:28:10 2018, length=45776, w (…)
  • C:\Program Files (x86)\FMAuditOnsite\Config\Task_AutoUpdate.xml
    XML 1.0 document, ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\LaunchUI.exe.log
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\InstallUtil.exe.log
    ASCII text, with CRLF line terminators
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FMAudit Onsite\watchdogSchTask.lnk
    MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Thu Nov 29 12:27:11 2018, mtime=Thu Nov 29 12:27:11 2018, atime=Thu Nov 29 12:27:11 2018, length=4448, wi (…)
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FMAudit Onsite\watchdog.lnk
    MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Thu Nov 29 12:27:11 2018, mtime=Thu Nov 29 12:27:11 2018, atime=Thu Nov 29 12:27:11 2018, length=115, win (…)
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FMAudit Onsite\fmaov2help.lnk
    MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Thu Nov 29 12:28:04 2018, mtime=Thu Nov 29 12:28:04 2018, atime=Thu Nov 29 12:28:04 2018, length=685067, (…)
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FMAudit Onsite\Update Client V2.lnk
    MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Thu Nov 29 12:28:09 2018, mtime=Thu Nov 29 12:28:09 2018, atime=Thu Nov 29 12:28:10 2018, length=484560, (…)
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FMAudit Onsite\Uninstall FMAudit Onsite.lnk
    MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Fri Oct 11 03:01:24 2019, mtime=Fri Oct 11 03:01:24 2019, atime=Fri Oct 11 0 (…)
  • C:\Users\user\AppData\Local\Temp\9dxpj7op.cmdline
    UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
  • C:\Program Files (x86)\FMAuditOnsite\watchdog.bat
    data
  • C:\Program Files (x86)\FMAuditOnsite\fmaonsite.InstallState
    ASCII text, with very long lines, with CRLF line terminators
  • C:\Program Files (x86)\FMAuditOnsite\fmaonsite.InstallLog
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Program Files (x86)\FMAuditOnsite\Web\Web.config
    XML 1.0 document, UTF-8 Unicode text, with CRLF line terminators
  • C:\Program Files (x86)\FMAuditOnsite\Web\PrecompiledApp.config
    UTF-8 Unicode (with BOM) text, with no line terminators
  • C:\Program Files (x86)\FMAuditOnsite\Web\Images\fmaologo.png
    [TIFF image data, little-endian, direntries=0], baseline, precision 8, 640x62, frames 3
  • C:\Program Files (x86)\FMAuditOnsite\Web\Default.aspx
    data
  • C:\Program Files (x86)\FMAuditOnsite\Web\App_Data\Data.mdb
    data