WritersCafe-2.44-Setup.exe
This report is generated from a file or URL submitted to this webservice on August 29th 2020 15:44:11 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.31 © Hybrid Analysis
Incident Response

Risk Assessment
- Spyware
  - Found a string that may be used as part of an injection method
- Persistence
  - Writes data to a remote process
- Fingerprint
  - Queries kernel debugger information
  - Queries process information
  - Queries sensitive IE security settings
  - Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Evasive
  - Marks file for deletion
- Spreading
  - Opens the MountPointManager (often used to detect additional infection locations)
Indicators
Not all malicious and suspicious indicators are displayed.
Malicious Indicators (6)
External Systems

Sample was identified as malicious by at least one Antivirus engine
- details: 1/68 Antivirus vendors marked sample as malicious (1% detection rate)
- source: External System
- relevance: 8/10
General

The analysis spawned a process that was identified as malicious
- details: 1/70 Antivirus vendors marked spawned process "writerscafe.exe" (PID: 3864) as malicious (classified as "BScope.Trojan" with 1% detection rate)
- source: Monitored Target
- relevance: 10/10
Installation/Persistence

Allocates virtual memory in a remote process
- details: "WritersCafe-2.44-Setup.tmp" allocated memory in "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\zkuar7i0@0bzkua.com\Uninstall Writer's Caf 2.44.lnk"
- source: API Call
- relevance: 7/10
- ATT&CK ID: T1055

Writes data to a remote process
- details:
  - "WritersCafe-2.44-Setup.exe" wrote 1500 bytes to a remote process "%TEMP%\is-RRL3B.tmp\WritersCafe-2.44-Setup.tmp" (Handle: 168)
  - "WritersCafe-2.44-Setup.exe" wrote 4 bytes to a remote process "%TEMP%\is-RRL3B.tmp\WritersCafe-2.44-Setup.tmp" (Handle: 168)
  - "WritersCafe-2.44-Setup.exe" wrote 32 bytes to a remote process "%TEMP%\is-RRL3B.tmp\WritersCafe-2.44-Setup.tmp" (Handle: 168)
  - "WritersCafe-2.44-Setup.exe" wrote 52 bytes to a remote process "%TEMP%\is-RRL3B.tmp\WritersCafe-2.44-Setup.tmp" (Handle: 168)
  - "WritersCafe-2.44-Setup.tmp" wrote 32 bytes to a remote process "%PROGRAMFILES%\Writer's Cafe 2\writerscafe.exe" (Handle: 708)
  - "WritersCafe-2.44-Setup.tmp" wrote 52 bytes to a remote process "C:\Program Files\Writer's Cafe 2\writerscafe.exe" (Handle: 708)
  - "WritersCafe-2.44-Setup.tmp" wrote 4 bytes to a remote process "C:\Program Files\Writer's Cafe 2\writerscafe.exe" (Handle: 708)
- source: API Call
- relevance: 6/10
- ATT&CK ID: T1055
Unusual Characteristics

Checks for a resource fork (ADS) file
- details: "writerscafe.exe" checked file "C:"
- source: API Call
- relevance: 5/10

References suspicious system modules
- details: details too long to display
- source: File/Memory
- relevance: 5/10
- ATT&CK ID: T1215
Suspicious Indicators (24)
Anti-Reverse Engineering

Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
- details: "writerscafe.exe" is protecting 8192 bytes with PAGE_GUARD access rights
- source: API Call
- relevance: 10/10
Environment Awareness

Reads the active computer name
- details:
  - "WritersCafe-2.44-Setup.tmp" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  - "writerscafe.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10
- ATT&CK ID: T1012

Reads the cryptographic machine GUID
- details: "writerscafe.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012
External Systems

Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details: 1/78 reputation engines marked "http://www.jrsoftware.org/ishelp/index.php" as malicious (1% detection rate)
- source: External System
- relevance: 10/10
General

Reads configuration files
- details:
  - "WritersCafe-2.44-Setup.tmp" read file "%WINDIR%\win.ini"
  - "WritersCafe-2.44-Setup.tmp" read file "%PROGRAMFILES%\desktop.ini"
  - "WritersCafe-2.44-Setup.tmp" read file "%USERPROFILE%\Desktop\desktop.ini"
  - "writerscafe.exe" read file "%WINDIR%\win.ini"
- source: API Call
- relevance: 4/10
System Destruction

Marks file for deletion
- details:
  - "C:\WritersCafe-2.44-Setup.exe" marked "%TEMP%\is-RRL3B.tmp\WritersCafe-2.44-Setup.tmp" for deletion
  - "C:\WritersCafe-2.44-Setup.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\is-RRL3B.tmp" for deletion
  - "%PROGRAMFILES%\Writer's Cafe 2\writerscafe.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\imaB693.tmp" for deletion
  - "%PROGRAMFILES%\Writer's Cafe 2\writerscafe.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\imaB6A4.tmp" for deletion
  - "%PROGRAMFILES%\Writer's Cafe 2\writerscafe.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\imaB6B5.tmp" for deletion
  - "%PROGRAMFILES%\Writer's Cafe 2\writerscafe.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\imaB6C5.tmp" for deletion
  - "%PROGRAMFILES%\Writer's Cafe 2\writerscafe.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\imaB6D6.tmp" for deletion
  - "%PROGRAMFILES%\Writer's Cafe 2\writerscafe.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\imaB6F6.tmp" for deletion
  - "%PROGRAMFILES%\Writer's Cafe 2\writerscafe.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\imaB707.tmp" for deletion
  - "%PROGRAMFILES%\Writer's Cafe 2\writerscafe.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\imaB717.tmp" for deletion
  - "%PROGRAMFILES%\Writer's Cafe 2\writerscafe.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\imaB718.tmp" for deletion
  - "%PROGRAMFILES%\Writer's Cafe 2\writerscafe.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\imaB729.tmp" for deletion
  - "%PROGRAMFILES%\Writer's Cafe 2\writerscafe.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\imaB73A.tmp" for deletion
  - "%PROGRAMFILES%\Writer's Cafe 2\writerscafe.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\imaB74A.tmp" for deletion
  - "%PROGRAMFILES%\Writer's Cafe 2\writerscafe.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\imaB75B.tmp" for deletion
  - "%PROGRAMFILES%\Writer's Cafe 2\writerscafe.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\imaB76C.tmp" for deletion
  - "%PROGRAMFILES%\Writer's Cafe 2\writerscafe.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\imaB76D.tmp" for deletion
  - "%PROGRAMFILES%\Writer's Cafe 2\writerscafe.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\imaB77D.tmp" for deletion
  - "%PROGRAMFILES%\Writer's Cafe 2\writerscafe.exe" marked "C:\Users\%USERNAME%\AppData\Local\Temp\imaB78E.tmp" for deletion
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1107

Opens file with deletion access rights
- details:
  - "WritersCafe-2.44-Setup.exe" opened "%TEMP%\is-RRL3B.tmp\WritersCafe-2.44-Setup.tmp" with delete access
  - "WritersCafe-2.44-Setup.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\is-RRL3B.tmp" with delete access
  - "WritersCafe-2.44-Setup.tmp" opened "C:\Program Files\Writer's Cafe 2\is-PT7CI.tmp" with delete access
  - "WritersCafe-2.44-Setup.tmp" opened "C:\Program Files\Writer's Cafe 2\is-L4MEF.tmp" with delete access
  - "WritersCafe-2.44-Setup.tmp" opened "C:\Program Files\Writer's Cafe 2\is-PKF97.tmp" with delete access
  - "WritersCafe-2.44-Setup.tmp" opened "C:\Program Files\Writer's Cafe 2\is-0OBR7.tmp" with delete access
  - "WritersCafe-2.44-Setup.tmp" opened "C:\Program Files\Writer's Cafe 2\is-894IJ.tmp" with delete access
  - "WritersCafe-2.44-Setup.tmp" opened "C:\Program Files\Writer's Cafe 2\is-SKPPJ.tmp" with delete access
  - "WritersCafe-2.44-Setup.tmp" opened "C:\Program Files\Writer's Cafe 2\is-S0BNU.tmp" with delete access
  - "WritersCafe-2.44-Setup.tmp" opened "C:\Program Files\Writer's Cafe 2\is-FJKNT.tmp" with delete access
  - "WritersCafe-2.44-Setup.tmp" opened "C:\Program Files\Writer's Cafe 2\is-V3M10.tmp" with delete access
  - "WritersCafe-2.44-Setup.tmp" opened "C:\Program Files\Writer's Cafe 2\Backgrounds\is-1J9SO.tmp" with delete access
  - "WritersCafe-2.44-Setup.tmp" opened "C:\Program Files\Writer's Cafe 2\Backgrounds\is-MKOEO.tmp" with delete access
  - "WritersCafe-2.44-Setup.tmp" opened "C:\Program Files\Writer's Cafe 2\Backgrounds\is-HC1D0.tmp" with delete access
  - "WritersCafe-2.44-Setup.tmp" opened "C:\Program Files\Writer's Cafe 2\Backgrounds\is-MSMPD.tmp" with delete access
  - "WritersCafe-2.44-Setup.tmp" opened "C:\Program Files\Writer's Cafe 2\Backgrounds\is-3QL1M.tmp" with delete access
  - "WritersCafe-2.44-Setup.tmp" opened "C:\Program Files\Writer's Cafe 2\Backgrounds\is-SNKUD.tmp" with delete access
  - "WritersCafe-2.44-Setup.tmp" opened "C:\Program Files\Writer's Cafe 2\Backgrounds\is-287E7.tmp" with delete access
  - "WritersCafe-2.44-Setup.tmp" opened "C:\Program Files\Writer's Cafe 2\Backgrounds\is-21AUG.tmp" with delete access
  - "WritersCafe-2.44-Setup.tmp" opened "C:\Program Files\Writer's Cafe 2\Backgrounds\is-I77M4.tmp" with delete access
- source: API Call
- relevance: 7/10
System Security

Modifies proxy settings
- details:
  - "writerscafe.exe" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
  - "writerscafe.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
  - "writerscafe.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
  - "writerscafe.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
  - "writerscafe.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1112

Queries sensitive IE security settings
- details: "writerscafe.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source: Registry Access
- relevance: 8/10
- ATT&CK ID: T1012
Unusual Characteristics

Imports suspicious APIs
- details: RegCloseKey, OpenProcessToken, RegOpenKeyExW, GetModuleFileNameW, GetVersionExW, VirtualProtect, GetFileAttributesW, GetFileSize, LockResource, GetCommandLineW, UnhandledExceptionFilter, LoadLibraryExW, CreateDirectoryW, DeleteFileW, GetProcAddress, LoadLibraryW, WriteFile, GetStartupInfoA, FindFirstFileW, GetModuleHandleW, FindResourceW, CreateFileW, CreateProcessW, Sleep, GetTickCount, VirtualAlloc
- source: Static Parser
- relevance: 1/10

Installs hooks/patches the running process
- details:
  - "WritersCafe-2.44-Setup.tmp" wrote bytes "d5d94c7730c64c77a0c44c7742c64c7710c64c77acdc4c77a0df4c7736da4c7787f14c770000000091772876c09028767f6f28761ffa2876def42876f2822876857d287600000000" to virtual address "0x6C991000" (part of module "MSIMG32.DLL")
  - "writerscafe.exe" wrote bytes "f8118575" to virtual address "0x758683C4" (part of module "SSPICLI.DLL")
  - "writerscafe.exe" wrote bytes "48128575" to virtual address "0x75868364" (part of module "SSPICLI.DLL")
  - "writerscafe.exe" wrote bytes "b83012fb6fffe0" to virtual address "0x770C1368" (part of module "WS2_32.DLL")
  - "writerscafe.exe" wrote bytes "48128575" to virtual address "0x758683C0" (part of module "SSPICLI.DLL")
  - "writerscafe.exe" wrote bytes "f8118575" to virtual address "0x758683E0" (part of module "SSPICLI.DLL")
  - "writerscafe.exe" wrote bytes "f8110000" to virtual address "0x758512CC" (part of module "SSPICLI.DLL")
  - "writerscafe.exe" wrote bytes "f8118575" to virtual address "0x7586834C" (part of module "SSPICLI.DLL")
  - "writerscafe.exe" wrote bytes "68130000" to virtual address "0x770C1680" (part of module "WS2_32.DLL")
  - "writerscafe.exe" wrote bytes "f8110000" to virtual address "0x75851408" (part of module "SSPICLI.DLL")
  - "writerscafe.exe" wrote bytes "b84013fb6fffe0" to virtual address "0x75851248" (part of module "SSPICLI.DLL")
  - "writerscafe.exe" wrote bytes "48128575" to virtual address "0x75868348" (part of module "SSPICLI.DLL")
  - "writerscafe.exe" wrote bytes "f8118575" to virtual address "0x75868368" (part of module "SSPICLI.DLL")
  - "writerscafe.exe" wrote bytes "c04eaf772054b077e065b077b538b1770000000000d04c7700000000c5ea4c770000000088ea4c7700000000e968a2758228b177ee29b17700000000d269a275000000007dbb4c770000000009bea27500000000ba184c7700000000" to virtual address "0x77101000" (part of module "NSI.DLL")
  - "writerscafe.exe" wrote bytes "d5d94c7730c64c77a0c44c7742c64c7710c64c77acdc4c77a0df4c7736da4c7787f14c770000000091772876c09028767f6f28761ffa2876def42876f2822876857d287600000000" to virtual address "0x6F921000" (part of module "MSIMG32.DLL")
  - "writerscafe.exe" wrote bytes "75dc7277273e727751c17077ee9c7077949870770fb3767710997077909770770000000042c64c77152e4c77c0d94c771bf74c77c1084e77a0c44c7736da4c7730c64c77d5d94c7786c44c7700000000" to virtual address "0x6FF7E000" (part of module "MSLS31.DLL")
  - "writerscafe.exe" wrote bytes "e739ad77e1a6b1772e71b177ee29b17785e2ac776da0b1779064b0773ad5b77726e4ac77d16db177003daf77804baf7700000000ad370c778b2d0c77b6410c7700000000" to virtual address "0x75381000" (part of module "WSHIP6.DLL")
  - "writerscafe.exe" wrote bytes "48120000" to virtual address "0x7585139C" (part of module "SSPICLI.DLL")
  - "writerscafe.exe" wrote bytes "48120000" to virtual address "0x758512DC" (part of module "SSPICLI.DLL")
  - "writerscafe.exe" wrote bytes "48128575" to virtual address "0x758683DC" (part of module "SSPICLI.DLL")
- source: Hook Detection
- relevance: 10/10
- ATT&CK ID: T1179

Reads information about supported languages
- details:
  - "WritersCafe-2.44-Setup.tmp" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - "writerscafe.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000401")
  - "writerscafe.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000402")
  - "writerscafe.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000403")
  - "writerscafe.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000404")
  - "writerscafe.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000405")
  - "writerscafe.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000406")
  - "writerscafe.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000407")
  - "writerscafe.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000408")
  - "writerscafe.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  - "writerscafe.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040A")
  - "writerscafe.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040B")
  - "writerscafe.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040C")
  - "writerscafe.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040D")
  - "writerscafe.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040E")
  - "writerscafe.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "0000040F")
  - "writerscafe.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000410")
  - "writerscafe.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000411")
  - "writerscafe.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000412")
  - "writerscafe.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000413")
- source: Registry Access
- relevance: 3/10
- ATT&CK ID: T1012
Hiding 12 Suspicious Indicators (available only in the private webservice or standalone version)
Informative (16)
Anti-Reverse Engineering

PE file contains zero-size sections
- details:
  - Raw size of ".bss" is zero
  - Raw size of ".tls" is zero
- source: Static Parser
- relevance: 10/10
Environment Awareness

Queries volume information
- details:
  - "WritersCafe-2.44-Setup.tmp" queries volume information of "C:\" at 00071706-00002796-0000010C-451036075223
  - "WritersCafe-2.44-Setup.tmp" queries volume information of "%PROGRAMFILES%\Writer's Cafe 2\writerscafe.exe" at 00071706-00002796-0000010C-451060030546
  - "WritersCafe-2.44-Setup.tmp" queries volume information of "C:\" at 00071706-00002796-0000010C-451476961186
  - "WritersCafe-2.44-Setup.tmp" queries volume information of "C:\Program Files\Writer's Cafe 2\readme.txt" at 00071706-00002796-0000010C-451478482892
  - "WritersCafe-2.44-Setup.tmp" queries volume information of "C:\" at 00071706-00002796-0000010C-451536426667
  - "WritersCafe-2.44-Setup.tmp" queries volume information of "C:\Program Files\Writer's Cafe 2\writerscafe.exe" at 00071706-00002796-0000010C-451537466073
  - "WritersCafe-2.44-Setup.tmp" queries volume information of "C:\" at 00071706-00002796-0000010C-451633049677
  - "WritersCafe-2.44-Setup.tmp" queries volume information of "C:\Program Files\Writer's Cafe 2\unins000.exe" at 00071706-00002796-0000010C-451634972155
  - "writerscafe.exe" queries volume information of "C:\Windows\Fonts\times.ttf" at 00080061-00003864-0000010C-121255574141
  - "writerscafe.exe" queries volume information of "C:\Windows\Fonts\times.ttf" at 00080061-00003864-0000010C-121278251913
  - "writerscafe.exe" queries volume information of "C:\Windows\Fonts\verdana.ttf" at 00080061-00003864-0000010C-121822526484
  - "writerscafe.exe" queries volume information of "C:\Windows\Fonts\verdana.ttf" at 00080061-00003864-0000010C-121830988814
  - "writerscafe.exe" queries volume information of "C:\Windows\Fonts\verdanab.ttf" at 00080061-00003864-0000010C-121856744528
  - "writerscafe.exe" queries volume information of "C:\Windows\Fonts\verdanab.ttf" at 00080061-00003864-0000010C-121865328136
- source: API Call
- relevance: 2/10
- ATT&CK ID: T1120

Queries volume information of an entire harddrive
- details:
  - "WritersCafe-2.44-Setup.tmp" queries volume information of "C:\" at 00071706-00002796-0000010C-451036075223
  - "WritersCafe-2.44-Setup.tmp" queries volume information of "C:\" at 00071706-00002796-0000010C-451476961186
  - "WritersCafe-2.44-Setup.tmp" queries volume information of "C:\" at 00071706-00002796-0000010C-451536426667
  - "WritersCafe-2.44-Setup.tmp" queries volume information of "C:\" at 00071706-00002796-0000010C-451633049677
- source: API Call
- relevance: 8/10
- ATT&CK ID: T1120

Reads the registry for installed applications
- details:
  - "WritersCafe-2.44-Setup.tmp" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WRITERSCAFE-2.44-SETUP.TMP")
  - "WritersCafe-2.44-Setup.tmp" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WRITERSCAFE-2.44-SETUP.TMP")
  - "WritersCafe-2.44-Setup.tmp" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WRITER'S CAF_IS1")
  - "WritersCafe-2.44-Setup.tmp" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WRITER'S CAF_IS1")
  - "WritersCafe-2.44-Setup.tmp" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\%PROGRAMFILES%\WRITER'S CAFE 2\README.TXT")
  - "writerscafe.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\OUTLOOK.EXE")
  - "writerscafe.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\OUTLOOK.EXE"; Key: "PATH"; Value: "00000000010000005800000043003A005C00500072006F006700720061006D002000460069006C00650073005C004D006900630072006F0073006F006600740020004F00660066006900630065005C004F0066006600690063006500310034005C000000")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1012
General

Creates a writable file in a temporary directory
- details:
  - "WritersCafe-2.44-Setup.exe" created file "%TEMP%\is-RRL3B.tmp\WritersCafe-2.44-Setup.tmp"
  - "WritersCafe-2.44-Setup.tmp" created file "C:\Users\%USERNAME%\AppData\Local\Temp\is-DHVD7.tmp\_isetup\_shfoldr.dll"
  - "writerscafe.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\writerscafe.log"
  - "writerscafe.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\imaB693.tmp"
  - "writerscafe.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\imaB6A4.tmp"
  - "writerscafe.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\imaB6B5.tmp"
  - "writerscafe.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\imaB6C5.tmp"
  - "writerscafe.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\imaB6D6.tmp"
  - "writerscafe.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\imaB6F6.tmp"
  - "writerscafe.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\imaB707.tmp"
  - "writerscafe.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\imaB717.tmp"
  - "writerscafe.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\imaB718.tmp"
  - "writerscafe.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\imaB729.tmp"
  - "writerscafe.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\imaB73A.tmp"
  - "writerscafe.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\imaB74A.tmp"
  - "writerscafe.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\imaB75B.tmp"
  - "writerscafe.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\imaB76C.tmp"
  - "writerscafe.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\imaB76D.tmp"
  - "writerscafe.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\imaB77D.tmp"
  - "writerscafe.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\imaBFEB.tmp"
- source: API Call
- relevance: 1/10

Creates mutants
- details:
  - "\Sessions\1\BaseNamedObjects\Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511"
  - "\Sessions\1\BaseNamedObjects\Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000"
  - "Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511"
  - "Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000"
  - "\Sessions\1\BaseNamedObjects\Local\MSIMGSIZECacheMutex"
  - "Local\MSIMGSIZECacheMutex"
  - "Writer's Cafe 2"
  - "Local\ZonesCacheCounterMutex"
  - "!IECompat!Mutex"
  - "Local\ZonesLockedCacheCounterMutex"
  - "\Sessions\1\BaseNamedObjects\Writer's Cafe 2"
  - "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
  - "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
  - "\Sessions\1\BaseNamedObjects\!IECompat!Mutex"
- source: Created Mutant
- relevance: 3/10

Overview of unique CLSIDs touched in registry
- details:
  - "WritersCafe-2.44-Setup.tmp" touched "Computer" (Path: "HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
  - "WritersCafe-2.44-Setup.tmp" touched "Microsoft Multiple AutoComplete List Container" (Path: "HKCU\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\TREATAS")
  - "WritersCafe-2.44-Setup.tmp" touched "Microsoft Shell Folder AutoComplete List" (Path: "HKCU\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\TREATAS")
  - "WritersCafe-2.44-Setup.tmp" touched "Microsoft AutoComplete" (Path: "HKCU\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\TREATAS")
  - "WritersCafe-2.44-Setup.tmp" touched "Microsoft TipAutoCompleteClient Control" (Path: "HKCU\CLSID\{807C1E6C-1D00-453F-B920-B61BB7CDD997}\TREATAS")
  - "WritersCafe-2.44-Setup.tmp" touched "Task Bar Communication" (Path: "HKCU\CLSID\{56FDF344-FD6D-11D0-958A-006097C9A090}\TREATAS")
  - "WritersCafe-2.44-Setup.tmp" touched "Shortcut" (Path: "HKCU\CLSID\{00021401-0000-0000-C000-000000000046}\TREATAS")
  - "WritersCafe-2.44-Setup.tmp" touched "Memory Mapped Cache Mgr" (Path: "HKCU\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\TREATAS")
  - "writerscafe.exe" touched "Microsoft Web Browser" (Path: "HKCU\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\TREATAS")
  - "writerscafe.exe" touched "ShellWindows" (Path: "HKCU\CLSID\{9BA05972-F6A8-11CF-A442-00A0C90A8F39}\TREATAS")
  - "writerscafe.exe" touched "PSOAInterface" (Path: "HKCU\CLSID\{00020424-0000-0000-C000-000000000046}\TREATAS")
  - "writerscafe.exe" touched "PSDispatch" (Path: "HKCU\CLSID\{00020420-0000-0000-C000-000000000046}\TREATAS")
  - "writerscafe.exe" touched "Microsoft HTML About Pluggable Protocol" (Path: "HKCU\CLSID\{3050F406-98B5-11CF-BB82-00AA00BDCE0B}\TREATAS")
  - "writerscafe.exe" touched "HTML Document" (Path: "HKCU\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\TREATAS")
  - "writerscafe.exe" touched "Browser Application State" (Path: "HKCU\CLSID\{E569BDE7-A8DC-47F3-893F-FD2B31B3EEFD}\TREATAS")
  - "writerscafe.exe" touched "CActiveIMMAppEx_Trident" (Path: "HKCU\CLSID\{50D5107A-D278-4871-8989-F4CEAAF59CFC}\TREATAS")
  - "writerscafe.exe" touched "Shell DocObject Viewer" (Path: "HKCU\CLSID\{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}\INPROCSERVER32")
  - "writerscafe.exe" touched "UIAutomation Registrar Class" (Path: "HKCU\CLSID\{6E29FABF-9977-42D1-8D0E-CA7E61AD87E6}\TREATAS")
- source: Registry Access
- relevance: 3/10

Scanning for window names
- details:
  - "WritersCafe-2.44-Setup.tmp" searching for class "Shell_TrayWnd"
  - "writerscafe.exe" searching for class "Shell_TrayWnd"
  - "writerscafe.exe" searching for class "MS_AutodialMonitor"
  - "writerscafe.exe" searching for class "MS_WebCheckMonitor"
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1010

Spawns new processes
- details:
  - Spawned process "WritersCafe-2.44-Setup.tmp" with commandline "/SL5="$600AC,19516816,119296,C:\WritersCafe-2.44-Setup.exe""
  - Spawned process "writerscafe.exe"
- source: Monitored Target
- relevance: 3/10

Spawns new processes that are not known child processes
- details:
  - Spawned process "WritersCafe-2.44-Setup.tmp" with commandline "/SL5="$600AC,19516816,119296,C:\WritersCafe-2.44-Setup.exe""
  - Spawned process "writerscafe.exe"
- source: Monitored Target
- relevance: 3/10
Installation/Persistence

Connects to LPC ports
- details:
  - "WritersCafe-2.44-Setup.exe" connecting to "\ThemeApiPort"
  - "WritersCafe-2.44-Setup.tmp" connecting to "\ThemeApiPort"
  - "writerscafe.exe" connecting to "\ThemeApiPort"
- source: API Call
- relevance: 1/10

Dropped files
- details:
  - "Uninstall Writer_s Caf_ 2.44.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Archive ctime=Sat Aug 29 13:49:22 2020 mtime=Sat Aug 29 13:49:22 2020 atime=Sat Aug 29 13:44:49 2020 length=1196233 window=hide"
  - "Writer_s Caf_ 2.44.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Icon number=0 Archive ctime=Sat Aug 29 13:49:23 2020 mtime=Sat Aug 29 13:49:23 2020 atime=Sun Jul 21 13:36:30 2019 length=12748288 window=hide"
  - "Writer_s Caf_ ReadMe.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Archive ctime=Sat Aug 29 13:49:23 2020 mtime=Sat Aug 29 13:49:23 2020 atime=Sun Jul 21 13:36:20 2019 length=568 window=hide"
  - "Anthemion Writer_s Caf_ 2.44.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Icon number=0 Archive ctime=Sat Aug 29 13:49:23 2020 mtime=Sat Aug 29 13:49:23 2020 atime=Sun Jul 21 13:36:30 2019 length=12748288 window=hide"
  - "is-MMPQ3.tmp" has type "AmigaOS bitmap font"
  - "Pinboard.wcp" has type "data"
  - "is-GGVTP.tmp" has type "JPEG image data JFIF standard 1.01 resolution (DPI) density 72x72 segment length 16 baseline precision 8 132x116 frames 3"
  - "is-M34DM.tmp" has type "ASCII text with CRLF line terminators"
  - "is-A2VTH.tmp" has type "ASCII text with CRLF line terminators"
  - "Cork01.jpg" has type "JPEG image data JFIF standard 1.01 resolution (DPI) density 200x200 segment length 16 baseline precision 8 150x147 frames 3"
  - "is-43D1F.tmp" has type "data"
  - "Warning.png" has type "PNG image data 32 x 28 8-bit colormap non-interlaced"
  - "Novel.stt" has type "data"
  - "Novel.htm" has type "HTML document ASCII text with very long lines with CRLF line terminators"
  - "is-F0BPM.tmp" has type "Zip archive data at least v2.0 to extract"
  - "Novel Minimal.stt" has type "data"
  - "is-ESNBK.tmp" has type "PNG image data 250 x 240 8-bit/color RGB non-interlaced"
  - "is-C1S2U.tmp" has type "ASCII text with CRLF line terminators"
  - "is-4RLPB.tmp" has type "HTML document ASCII text with CRLF line terminators"
  - "is-4VREN.tmp" has type "ISO-8859 text with CRLF line terminators"
- source: Binary File
- relevance: 3/10

Touches files in the Windows directory
- details:
  - "WritersCafe-2.44-Setup.exe" touched file "%WINDIR%\System32\en-US\KernelBase.dll.mui"
  - "WritersCafe-2.44-Setup.exe" touched file "C:\Windows\system32\en\KERNELBASE.dll.mui"
  - "WritersCafe-2.44-Setup.exe" touched file "C:\Windows\System32\netmsg.dll"
  - "WritersCafe-2.44-Setup.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
  - "WritersCafe-2.44-Setup.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
  - "WritersCafe-2.44-Setup.tmp" touched file "C:\Windows\system32\en\KERNELBASE.dll.mui"
  - "WritersCafe-2.44-Setup.tmp" touched file "C:\Windows\System32\netmsg.dll"
  - "WritersCafe-2.44-Setup.tmp" touched file "C:\Windows\System32\imageres.dll"
  - "WritersCafe-2.44-Setup.tmp" touched file "C:\Windows\AppPatch\sysmain.sdb"
  - "WritersCafe-2.44-Setup.tmp" touched file "C:\Windows\Fonts\StaticCache.dat"
  - "WritersCafe-2.44-Setup.tmp" touched file "C:\Windows\System32\en-US\user32.dll.mui"
  - "WritersCafe-2.44-Setup.tmp" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
  - "WritersCafe-2.44-Setup.tmp" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
  - "WritersCafe-2.44-Setup.tmp" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
  - "WritersCafe-2.44-Setup.tmp" touched file "C:\Windows\System32\shfolder.dll"
  - "WritersCafe-2.44-Setup.tmp" touched file "C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_581cd2bf5825dde9\comctl32.dll.mui"
  - "WritersCafe-2.44-Setup.tmp" touched file "C:\Windows\System32\en-US\shell32.dll.mui"
- source: API Call
- relevance: 7/10
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://schemas.microsoft.com/SMI/2"
Heuristic match: "T,z]a,.GG"
Pattern match: "http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline"
Heuristic match: "%SystemDrive%\Program Files\Writer's Cafe 2\de_DE\wxstd.mo"
Heuristic match: "%SystemDrive%\Program Files\Writer's Cafe 2\nl_NL\wxstd.mo"
Heuristic match: "%SystemDrive%\Program Files\Writer's Cafe 2\zh_CN\wxstd.mo"
Pattern match: "http://www.writerscafe.co.uk"
Heuristic match: "%SystemDrive%\Program Files\Writer's Cafe 2\de_DE\writerscafe.mo"
Heuristic match: "%SystemDrive%\Program Files\Writer's Cafe 2\en_GB\writerscafe.mo"
Heuristic match: "%SystemDrive%\Program Files\Writer's Cafe 2\es_ES\writerscafe.mo"
Heuristic match: "%SystemDrive%\Program Files\Writer's Cafe 2\es_ES\wxstd.mo"
Heuristic match: "%SystemDrive%\Program Files\Writer's Cafe 2\lv_LV\writerscafe.mo"
Heuristic match: "%SystemDrive%\Program Files\Writer's Cafe 2\lv_LV\wxstd.mo"
Heuristic match: "%SystemDrive%\Program Files\Writer's Cafe 2\nl_NL\writerscafe.mo"
Heuristic match: "%SystemDrive%\Program Files\Writer's Cafe 2\pl_PL\writerscafe.mo"
Heuristic match: "%SystemDrive%\Program Files\Writer's Cafe 2\pl_PL\wxstd.mo"
Heuristic match: "%SystemDrive%\Program Files\Writer's Cafe 2\zh_CN\writerscafe.mo"
Heuristic match: "zkuar7i0@0bzkua.com"
Pattern match: "http://www.anthemion.co.uk"
Pattern match: "www.wxwidgets.org"
Pattern match: "http://www.wxwidgets.org"
Pattern match: "http://www.anthemion.co.uk/"
Heuristic match: "Ondersteuning: writerscafe@anthemion.co.uk"
Pattern match: "http://www.google.com" - source
- File/Memory
- relevance
- 10/10
-
Found potential URL in binary/memory
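The strings in this indicator are static matches from the binary and from process memory, not observed connections (the Network Analysis section further down records no DNS, host or HTTP activity). Most of them come from the build toolchain rather than from the program's own logic: the schemas.microsoft.com URI is an XML namespace from the PE application manifest, the jrsoftware.org URL is Inno Setup's command-line help page that every Inno installer carries, and wxwidgets.org belongs to the GUI toolkit whose wxstd.mo catalogs appear in the same list. The script below is an added example (not part of the report and not code from the publisher): it extracts URLs, hosts and e-mail addresses from a constructed sample of the strings above and sorts them into toolchain, publisher and review buckets. The two allowlists are the analyst's assumptions for this example; landing in the review bucket is not a verdict, it only means the string needs a human look.

```python
from __future__ import annotations

import re

# Strings copied from the report's "Found potential URL in binary/memory" indicator
# (a constructed sample; the report lists more of the same kinds).
SAMPLE_STRINGS = [
    "http://schemas.microsoft.com/SMI/2",
    "T,z]a,.GG",
    "http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline",
    r"%SystemDrive%\Program Files\Writer's Cafe 2\de_DE\wxstd.mo",
    "http://www.writerscafe.co.uk",
    "zkuar7i0@0bzkua.com",
    "http://www.anthemion.co.uk",
    "www.wxwidgets.org",
    "http://www.wxwidgets.org",
    "http://www.anthemion.co.uk/",
    "Ondersteuning: writerscafe@anthemion.co.uk",
    "http://www.google.com",
]

# Analyst allowlists. These are assumptions for this example, not part of the report:
# domains the build toolchain is expected to embed, and the publisher named in the
# version info. Anything else is left for manual review.
TOOLCHAIN_DOMAINS = {
    "schemas.microsoft.com",  # XML namespace URI from the PE application manifest
    "jrsoftware.org",         # Inno Setup's command-line help page, embedded by every Inno installer
    "wxwidgets.org",          # wxWidgets, the GUI toolkit whose wxstd.mo catalogs appear above
}
PUBLISHER_DOMAINS = {"anthemion.co.uk", "writerscafe.co.uk"}

URL_RE = re.compile(r"(?:https?://|www\.)[\w.-]+(?:/[^\s\"']*)?", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def domain_of(indicator: str) -> str:
    """Host part of a URL, www.-host or e-mail address, lower-cased."""
    if "@" in indicator:
        return indicator.rsplit("@", 1)[1].lower()
    host = re.sub(r"^https?://", "", indicator, flags=re.IGNORECASE)
    return host.split("/", 1)[0].lower()


def in_allowlist(host: str, domains: set[str]) -> bool:
    """True if host is one of the domains or a subdomain of one (suffix match on a label boundary,
    so 'jrsoftware.org.evil.test' does not pass)."""
    return any(host == d or host.endswith("." + d) for d in domains)


def extract_indicators(strings) -> list[tuple[str, str]]:
    """(kind, value) pairs for every URL/host and e-mail address found in the strings."""
    found = []
    for s in strings:
        found += [("email", m.group(0)) for m in EMAIL_RE.finditer(s)]
        found += [("url", m.group(0)) for m in URL_RE.finditer(s)]
    return found


def triage(strings) -> dict[str, list[str]]:
    """Sort the extracted indicators into toolchain / publisher / review buckets,
    dropping repeats that differ only in case or a trailing slash."""
    buckets: dict[str, list[str]] = {"toolchain": [], "publisher": [], "review": []}
    seen: set[tuple[str, str]] = set()
    for kind, value in extract_indicators(strings):
        key = (kind, value.rstrip("/").lower())
        if key in seen:
            continue
        seen.add(key)
        host = domain_of(value)
        if in_allowlist(host, TOOLCHAIN_DOMAINS):
            buckets["toolchain"].append(value)
        elif in_allowlist(host, PUBLISHER_DOMAINS):
            buckets["publisher"].append(value)
        else:
            buckets["review"].append(value)
    return buckets


if __name__ == "__main__":
    for bucket, values in triage(SAMPLE_STRINGS).items():
        print(f"{bucket}: {values}")
```

On the sample above the review bucket shrinks to the e-mail-like string and www.google.com; the paths, the "T,z]a,.GG" heuristic hit and the toolkit URLs never reach it. Extend the allowlists only with domains you can tie to the toolchain or to the publisher, and keep the suffix check on a label boundary rather than a plain substring test.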
-
System Security
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"WritersCafe-2.44-Setup.tmp" opened "\Device\KsecDD"
"writerscafe.exe" opened "\Device\KsecDD" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215 (Show technique in the MITRE ATT&CK™ matrix)
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
- "e568bc8d979f42203f5817df25f7f544a93cb6556348ff488b94b5a00b8c1c6d.bin" was detected as "Borland Delphi 4.0"
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1045 (Show technique in the MITRE ATT&CK™ matrix)
-
Matched Compiler/Packer signature
File Details
WritersCafe-2.44-Setup.exe
- Filename
- WritersCafe-2.44-Setup.exe
- Size
- 19MiB (19928521 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- e568bc8d979f42203f5817df25f7f544a93cb6556348ff488b94b5a00b8c1c6d
- MD5
- a5c93189d53726a4ff8e229a3e7a7d03
- SHA1
- c8d166b24b0be2934c562464dc84f88beff7bcbe
- ssdeep
- 393216:pZwu4gRX//b6yzzMpQRZ3LCh5X6Y95Ff8XFisqiRVvXtKJCycPy:Hwu4gR+qzMyRZ85/Ff8Ms1vKca
- imphash
- 48aa5c8931746a9655524f67b25a47ef
- authentihash
- b44783d8f5bdaaa39465302a9e3f3c24fb11dabd5f19b3c0ea4199fae55de21e
- Compiler/Packer
- Borland Delphi 4.0
Version Info
- LegalCopyright
- Copyright Anthemion Software Ltd.
- FileVersion
- -
- CompanyName
- Anthemion Software Ltd.
- Comments
- This installation was built with Inno Setup.
- ProductName
- Writer's Café 2.44
- ProductVersion
- 2.44
- FileDescription
- Writer's Café 2.44 Setup
- Translation
- 0x0000 0x04b0
Classification (TrID)
- 30.5% (.EXE) Win32 Executable Delphi generic
- 28.1% (.SCR) Windows screen saver
- 14.1% (.DLL) Win32 Dynamic Link Library (generic)
- 9.7% (.EXE) Win32 Executable (generic)
- 4.4% (.EXE) Win16/32 Executable Delphi generic
File Sections
File Resources
File Imports
Screenshots
Hybrid Analysis
Analysed 3 processes in total.
- WritersCafe-2.44-Setup.exe (PID: 3772), AV detections 1/68
  - WritersCafe-2.44-Setup.tmp /SL5="$600AC,19516816,119296,C:\WritersCafe-2.44-Setup.exe" (PID: 2796)
    - writerscafe.exe (PID: 3864), AV detections 1/70
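This three-process chain is the normal Inno Setup launch sequence: the setup.exe is only a loader stub, it unpacks the real setup program to a temporary .tmp and starts it with a /SL5 parameter, and the .tmp runs the installed application when installation completes. The /SL5 value tells the .tmp where to find its parent: a window handle in Delphi hex notation ($600AC), then two byte offsets into the original setup.exe, Offset0 for the embedded setup headers (setup-0.bin) and Offset1 for the embedded compressed file data (setup-1.bin, 0 when the data is shipped in external setup-*.bin slices), then the path of the original file. The .tmp's many "touched file" entries for system DLLs and .mui resources above are this program loading its own dependencies and localized resources. The script below is an added example, not part of the report and not Inno Setup's own code: it parses the observed command line and checks both offsets against the 19928521-byte size given under File Details, so that an analyst can confirm the .tmp was working from the same file the sandbox hashed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Command line copied from the report's process tree (the sample input for this example).
OBSERVED_CMDLINE = r'/SL5="$600AC,19516816,119296,C:\WritersCafe-2.44-Setup.exe"'
# Size of WritersCafe-2.44-Setup.exe as given under File Details.
REPORTED_SIZE = 19928521

# Inno Setup's loader stub starts the extracted setup-*.tmp with
#   /SL5="$<window handle, hex>,<Offset0>,<Offset1>,<path of the original setup.exe>"
# Offset0 is the byte offset of the embedded setup headers (setup-0.bin), Offset1 that
# of the embedded compressed file data (setup-1.bin), or 0 when the data lives in
# external setup-*.bin slices. The '$' is Delphi's hexadecimal prefix.
SL5_RE = re.compile(r'/SL5="\$([0-9A-Fa-f]+),(\d+),(\d+),([^"]*)"')


@dataclass(frozen=True)
class Sl5Params:
    loader_hwnd: int
    offset0: int
    offset1: int
    original_path: str


def parse_sl5(cmdline: str) -> Sl5Params:
    """Extract the /SL5 fields from a process command line; ValueError if absent."""
    m = SL5_RE.search(cmdline)
    if m is None:
        raise ValueError("no /SL5 parameter in command line")
    return Sl5Params(int(m.group(1), 16), int(m.group(2)), int(m.group(3)), m.group(4))


def check_sl5(p: Sl5Params, exe_size: int) -> list[str]:
    """Cross-check the offsets against the parent executable's size.

    An empty list means the parameters describe a self-contained installer whose
    embedded data lies inside the file the sandbox analysed.
    """
    findings: list[str] = []
    if not 0 < p.offset0 < exe_size:
        findings.append(f"Offset0 {p.offset0} is outside the {exe_size}-byte file")
    if p.offset1 == 0:
        findings.append("Offset1 is 0: file data is in external setup-*.bin slices, not in this file")
    elif p.offset1 >= exe_size:
        findings.append(f"Offset1 {p.offset1} is outside the {exe_size}-byte file")
    if not p.original_path.lower().endswith(".exe"):
        findings.append(f"original path does not point at an .exe: {p.original_path!r}")
    return findings


if __name__ == "__main__":
    params = parse_sl5(OBSERVED_CMDLINE)
    print(params)
    print(check_sl5(params, REPORTED_SIZE) or "offsets consistent with the reported file size")
```

For the observed command line both offsets fall inside the reported size, which is what a self-contained installer looks like; a zero Offset1 or an offset beyond the file size would mean the sandbox did not have the whole installer, and the extracted-file list below would then be incomplete.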
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Displaying 24 extracted file(s). The remaining 229 file(s) are available in the full version and XML/JSON reports.
-
Informative 24
-
-
170x104.jpg
- Size
- 2.2KiB (2290 bytes)
- Runtime Process
- writerscafe.exe (PID: 3864)
- MD5
- 9d1d72b65b23c940cf99a5d758fcb2c0
- SHA1
- 1515a779d9f2dd5557f7df903ee4694e516ff480
- SHA256
- a447cbe855eea1db3abc3b9d8c2192794775d65b69003b6c499b101c0149c335
-
225x140.jpg
- Size
- 3.2KiB (3298 bytes)
- Runtime Process
- writerscafe.exe (PID: 3864)
- MD5
- ed5b85524d23c0b641fc15a9ffe9ed69
- SHA1
- f51aeb6d5c71b291522da764067db2dd84a54ac1
- SHA256
- ded78e54f11944c18288edf4393081ea149d1ad759daef89d252e17d1f43f15b
-
260x160.jpg
- Size
- 3.5KiB (3627 bytes)
- Runtime Process
- writerscafe.exe (PID: 3864)
- MD5
- 505a8e7869440c309bd334290d99d00f
- SHA1
- 0ca3f9ae925dca5d4a97cc57410b789401580926
- SHA256
- 5492d08fdf1399811bf7a7e9b909f51dfe80767035dcebaa35b630f83a8e1e5d
-
BluePaint.jpg
- Size
- 1.9KiB (1965 bytes)
- Runtime Process
- writerscafe.exe (PID: 3864)
- MD5
- 840b6c4732d5ebd974454ff1c0dc4f2c
- SHA1
- 21463930fc1e8586ae4cfe195663bf571280bb79
- SHA256
- 637c2aa530f9a813146bb0374c9c694fd285c47351fa55156fb250762535e7e2
-
Cork01.jpg
- Size
- 8.3KiB (8536 bytes)
- Type
- img image
- Description
- JPEG image data, JFIF standard 1.01, resolution (DPI), density 200x200, segment length 16, baseline, precision 8, 150x147, frames 3
- Runtime Process
- writerscafe.exe (PID: 3864)
- MD5
- e472488b8604714664354d5fe55a2c18
- SHA1
- f37f5f7c998cf90097046b50f8bc9afad53b0333
- SHA256
- 5444a2da373d113e7686c251c4ccf85ab6cb0a21a5b128039bfc3a4c3255c82a
-
Cork02.jpg
- Size
- 34KiB (34910 bytes)
- Runtime Process
- writerscafe.exe (PID: 3864)
- MD5
- 6eab803a72852029ec203becd15f328a
- SHA1
- 9646bb7f81a49164c5a172605a0e5b91b49cfaf3
- SHA256
- 224f78936ae37b0edae9605d51f78a1ea39cd9bbfb440f4f1c5722e161262508
-
DefaultDesktop.jpg
- Size
- 1.5KiB (1575 bytes)
- Runtime Process
- writerscafe.exe (PID: 3864)
- MD5
- ddcde3cdaf4b94dcbd988350486bfcc2
- SHA1
- 785b467bcbcf1245d984718048a708048d433359
- SHA256
- b0197faca615804bf1361146b5102343d5c014943a4e6f47a4b890b0f969ef3b
-
DefaultPinboard.jpg
- Size
- 1.9KiB (1965 bytes)
- Runtime Process
- writerscafe.exe (PID: 3864)
- MD5
- 840b6c4732d5ebd974454ff1c0dc4f2c
- SHA1
- 21463930fc1e8586ae4cfe195663bf571280bb79
- SHA256
- 637c2aa530f9a813146bb0374c9c694fd285c47351fa55156fb250762535e7e2
-
DefaultStorylines.jpg
- Size
- 34KiB (34910 bytes)
- Runtime Process
- writerscafe.exe (PID: 3864)
- MD5
- 6eab803a72852029ec203becd15f328a
- SHA1
- 9646bb7f81a49164c5a172605a0e5b91b49cfaf3
- SHA256
- 224f78936ae37b0edae9605d51f78a1ea39cd9bbfb440f4f1c5722e161262508
-
DesktopLogo.png
- Size
- 31KiB (31518 bytes)
- Runtime Process
- writerscafe.exe (PID: 3864)
- MD5
- 5f52cae6c37b495064f44294231c2000
- SHA1
- 3e62d483a56c01620f4648611988fc3625f10844
- SHA256
- bafa60f746858dff122180acca4bea94848719edee37797c3681a6ffa0d61c75
-
Hillside.jpg
- Size
- 9.4KiB (9613 bytes)
- Runtime Process
- writerscafe.exe (PID: 3864)
- MD5
- 27ed4cea2cbf1ad8def8ac476862bccb
- SHA1
- f1a590b2f6433d539d51664d16dd925209d7237f
- SHA256
- e7971d9f2d0a7895ba2e65edc78451b32539ce4d446845d606ef23b18f40c889
-
LightGrey.jpg
- Size
- 1.5KiB (1575 bytes)
- Runtime Process
- writerscafe.exe (PID: 3864)
- MD5
- ddcde3cdaf4b94dcbd988350486bfcc2
- SHA1
- 785b467bcbcf1245d984718048a708048d433359
- SHA256
- b0197faca615804bf1361146b5102343d5c014943a4e6f47a4b890b0f969ef3b
-
LighterGrey.jpg
- Size
- 2KiB (2030 bytes)
- Runtime Process
- writerscafe.exe (PID: 3864)
- MD5
- aeaa4c58b834061257244532bf2a79e5
- SHA1
- 30bd380e1fe79df4732de80837d132c9b4479d39
- SHA256
- 19005ad1b5eed0bff098357706816c379e8eb890fa767c6197df7d6215ba2491
-
Marbling.jpg
- Size
- 5.2KiB (5326 bytes)
- Runtime Process
- writerscafe.exe (PID: 3864)
- MD5
- 15d9645fe80d89687450701442f7214f
- SHA1
- 9543b9b398eb31c1fde5bfb1ab0eac78284cd61f
- SHA256
- 23ce88a1455e7a3df232e3632d6c6c18748f91ba6f8384446cd2263a77f8bead
-
Meadow.jpg
- Size
- 10KiB (10298 bytes)
- Runtime Process
- writerscafe.exe (PID: 3864)
- MD5
- 80f4f9eb6920761362f1dc62ada71cb9
- SHA1
- 2ecc08e94ae2a99fa2219290f0a1bce1ea5093ad
- SHA256
- fbf0bf92a3d5e9bd3043c93e5fff80bca2e6784fae9cb5371708252e7b855c92
-
RedPaint.jpg
- Size
- 1.4KiB (1483 bytes)
- Runtime Process
- writerscafe.exe (PID: 3864)
- MD5
- 3b3fc093c36dbe300ea9bd16b7226288
- SHA1
- c24101e39ff32d97fde4e1155360468b37dc2af5
- SHA256
- 3ef899497ae81d03cb5c44dc8675f5469ad76462953906e9abb3267c32d6d14d
-
Turneresque.jpg
- Size
- 5.2KiB (5298 bytes)
- Runtime Process
- writerscafe.exe (PID: 3864)
- MD5
- f3bc02ca461b209b325cf8073c386c8b
- SHA1
- e0ca7226611cb88b120d9e6e9159f77ceb14d98b
- SHA256
- 014b284bfc3ba66f1b0df6b7ff9e5ee67f0b36614f0ca7bf1548603b72dd07ff
-
Desktop.db.tmp
- Size
- 95KiB (97151 bytes)
- Runtime Process
- writerscafe.exe (PID: 3864)
- MD5
- 792b34e2e1d86cb9456320c20ed67743
- SHA1
- 102931e81602e6404325e0b2fd989698ced925b3
- SHA256
- 8112e02cff73cb54bdfbbdd9c90857e9dc5c77f3163e6450ba2586a2709ee1b3
-
Clock.png
- Size
- 340B (340 bytes)
- Runtime Process
- writerscafe.exe (PID: 3864)
- MD5
- 109d776eb24877f3815e8ab3ba8b40b1
- SHA1
- 8a930313bf5ed5cc187c27af37ca0f6b9dde27e7
- SHA256
- 2fdb3626aa74a69b689cd7431fba230b8bdaf28760e4c5f580149d330b399f59
-
Cross.png
- Size
- 979B (979 bytes)
- Runtime Process
- writerscafe.exe (PID: 3864)
- MD5
- e2726a2f9400e8d431aca77adc4dcf39
- SHA1
- 4272c21162a6df76f58537c43c2814364a6a4208
- SHA256
- bfcbc09f8118474f341912676ff61fcc961e364a7b3c7f6cb6e92b4610aa4bbb
-
Uninstall Writer_s Caf_ 2.44.lnk
- Size
- 1KiB (1032 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sat Aug 29 13:49:22 2020, mtime=Sat Aug 29 13:49:22 2020, atime=Sat Aug 29 13:44:49 2020, length=1196233, window=hide
- MD5
- afaa4153bb205b05be68bf153f6a4f4e
- SHA1
- 1a313115b6e7fe4f26e07645ed0d7eff0fb08756
- SHA256
- 9de96f8ac53437ea1686fb416f793b1f8704f992979de968d22a9f58f144d07b
-
Writer_s Caf_ 2.44.lnk
- Size
- 1.9KiB (1933 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Sat Aug 29 13:49:23 2020, mtime=Sat Aug 29 13:49:23 2020, atime=Sun Jul 21 13:36:30 2019, length=12748288, window=hide
- MD5
- 7b9d865ad10b4eb7fa9c8171bdfa1b56
- SHA1
- ac152cdb8f5be5b60e78008b749364e005b0bb2e
- SHA256
- cde2d900648c41a50d632fab84f4f6622cf3ffdf8cd88d0107d9595af9bdf0da
-
Writer_s Caf_ ReadMe.lnk
- Size
- 1020B (1020 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Sat Aug 29 13:49:23 2020, mtime=Sat Aug 29 13:49:23 2020, atime=Sun Jul 21 13:36:20 2019, length=568, window=hide
- MD5
- c0ce91f542a8a6a581fa8b8fb004549d
- SHA1
- 0d682e0290edbd6fbab6adba00b4659f9cb45700
- SHA256
- 66650f5c141537f2014b4d5d7a03596778ff99b8a733de17b29bfff885f4eb8b
-
Anthemion Writer_s Caf_ 2.44.lnk
- Size
- 1.9KiB (1915 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Sat Aug 29 13:49:23 2020, mtime=Sat Aug 29 13:49:23 2020, atime=Sun Jul 21 13:36:30 2019, length=12748288, window=hide
- MD5
- e4b4d1c24c41fee90e7d9ea1bbf46ba9
- SHA1
- 3d82028ade9fba080cb8ef084888ac30550d455d
- SHA256
- 14d577f03fa25e6aaad1149ee6b3b91b8bccd6fa900009c810c9444b4d688477
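Reading the digests above side by side shows that the 24 listed artifacts are not 24 distinct files: BluePaint.jpg and DefaultPinboard.jpg share one SHA-256, as do Cork02.jpg and DefaultStorylines.jpg, and DefaultDesktop.jpg and LightGrey.jpg. Grouping by digest before looking at anything else cuts the review set down, and recomputing the digests of a local dump confirms that what you are looking at is what the sandbox reported. The script below is an added example, not part of the report: it works on a constructed subset of the entries above (values copied from the page) and takes a caller-supplied reader for the local copies so that it runs without the sandbox dump.

```python
from __future__ import annotations

import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class ExtractedFile:
    name: str
    size: int
    md5: str
    sha1: str
    sha256: str


# Subset of the report's "Extracted Files" entries, values copied from the page
# (constructed sample input; the report shows 24 entries and hides 229 more).
REPORTED = [
    ExtractedFile("BluePaint.jpg", 1965, "840b6c4732d5ebd974454ff1c0dc4f2c",
                  "21463930fc1e8586ae4cfe195663bf571280bb79",
                  "637c2aa530f9a813146bb0374c9c694fd285c47351fa55156fb250762535e7e2"),
    ExtractedFile("DefaultPinboard.jpg", 1965, "840b6c4732d5ebd974454ff1c0dc4f2c",
                  "21463930fc1e8586ae4cfe195663bf571280bb79",
                  "637c2aa530f9a813146bb0374c9c694fd285c47351fa55156fb250762535e7e2"),
    ExtractedFile("Cork02.jpg", 34910, "6eab803a72852029ec203becd15f328a",
                  "9646bb7f81a49164c5a172605a0e5b91b49cfaf3",
                  "224f78936ae37b0edae9605d51f78a1ea39cd9bbfb440f4f1c5722e161262508"),
    ExtractedFile("DefaultStorylines.jpg", 34910, "6eab803a72852029ec203becd15f328a",
                  "9646bb7f81a49164c5a172605a0e5b91b49cfaf3",
                  "224f78936ae37b0edae9605d51f78a1ea39cd9bbfb440f4f1c5722e161262508"),
    ExtractedFile("DefaultDesktop.jpg", 1575, "ddcde3cdaf4b94dcbd988350486bfcc2",
                  "785b467bcbcf1245d984718048a708048d433359",
                  "b0197faca615804bf1361146b5102343d5c014943a4e6f47a4b890b0f969ef3b"),
    ExtractedFile("LightGrey.jpg", 1575, "ddcde3cdaf4b94dcbd988350486bfcc2",
                  "785b467bcbcf1245d984718048a708048d433359",
                  "b0197faca615804bf1361146b5102343d5c014943a4e6f47a4b890b0f969ef3b"),
    ExtractedFile("Clock.png", 340, "109d776eb24877f3815e8ab3ba8b40b1",
                  "8a930313bf5ed5cc187c27af37ca0f6b9dde27e7",
                  "2fdb3626aa74a69b689cd7431fba230b8bdaf28760e4c5f580149d330b399f59"),
    ExtractedFile("Desktop.db.tmp", 97151, "792b34e2e1d86cb9456320c20ed67743",
                  "102931e81602e6404325e0b2fd989698ced925b3",
                  "8112e02cff73cb54bdfbbdd9c90857e9dc5c77f3163e6450ba2586a2709ee1b3"),
]


def duplicate_groups(files) -> dict[str, list[str]]:
    """SHA-256 -> sorted file names, for every digest shared by more than one entry."""
    by_hash: dict[str, list[str]] = defaultdict(list)
    for f in files:
        by_hash[f.sha256].append(f.name)
    return {h: sorted(names) for h, names in by_hash.items() if len(names) > 1}


def unique_artifacts(files) -> int:
    """Number of distinct byte sequences among the entries."""
    return len({f.sha256 for f in files})


def digests(data: bytes) -> dict[str, str]:
    """MD5, SHA-1 and SHA-256 of data, keyed by the names used in the report."""
    hashes = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for h in hashes.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashes.items()}


def verify_against_report(files, read_bytes: Callable[[str], Optional[bytes]]) -> list[tuple[str, str]]:
    """Compare locally dumped copies with the report's size and digests.

    read_bytes(name) returns the local content, or None when that file is not
    available. The result is a list of (name, problem) pairs, empty when all match.
    """
    problems = []
    for f in files:
        data = read_bytes(f.name)
        if data is None:
            problems.append((f.name, "missing locally"))
            continue
        if len(data) != f.size:
            problems.append((f.name, f"size {len(data)} != reported {f.size}"))
            continue
        actual = digests(data)
        for algo in ("md5", "sha1", "sha256"):
            if actual[algo] != getattr(f, algo).lower():
                problems.append((f.name, f"{algo} mismatch"))
    return problems


if __name__ == "__main__":
    import sys
    from pathlib import Path

    for h, names in duplicate_groups(REPORTED).items():
        print(f"{h[:16]}...: {', '.join(names)}")
    print(f"{unique_artifacts(REPORTED)} unique artifacts among {len(REPORTED)} entries")
    if len(sys.argv) > 1:  # optional: directory holding the dumped files, named as in the report
        dump_dir = Path(sys.argv[1])

        def read_local(name: str) -> Optional[bytes]:
            path = dump_dir / name
            return path.read_bytes() if path.is_file() else None

        print(verify_against_report(REPORTED, read_local) or "all local copies match the report")
```

On the sample the three duplicate pairs collapse the eight entries to five distinct artifacts. The size check runs before the digests so that a truncated dump is reported as a size problem rather than as three unexplained hash mismatches.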
-
Notifications
-
Runtime
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-25" are available in the report
- Not all sources for indicator ID "api-4" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "registry-25" are available in the report
- Not all sources for indicator ID "string-24" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report