SetupGasTurb13Trial.exe
This report is generated from a file or URL submitted to this webservice on December 31st 2019 06:54:09 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
- Reads terminal service related keys (often RDP related)
- Ransomware
- The analysis extracted a known ransomware file
- Spyware
- Found a string that may be used as part of an injection method
- Persistence
- Spawns a lot of processes
- Writes data to a remote process
- Fingerprint
- Queries kernel debugger information
- Queries process information
- Reads the active computer name
- Reads the cryptographic machine GUID
- Evasive
- Marks file for deletion
- Possibly tries to implement anti-virtualization techniques
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed.
-
Malicious Indicators 5
-
External Systems
-
Sample was identified as malicious by at least one Antivirus engine
- details
- 2/69 Antivirus vendors marked sample as malicious (2% detection rate)
- source
- External System
- relevance
- 8/10
-
Installation/Persistence
-
Allocates virtual memory in a remote process
- details
-
"SetupGasTurb13Trial.tmp" allocated memory in "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\GasTurb\GasTurb 13\Uninstall GasTurb 13.lnk"
"SetupGasTurb13Trial.tmp" allocated memory in "\Device\NamedPipe\srvsvc" - source
- API Call
- relevance
- 7/10
- ATT&CK ID
- T1055 (Show technique in the MITRE ATT&CK™ matrix)
-
Writes data to a remote process
- details
-
"SetupGasTurb13Trial.exe" wrote 4 bytes to a remote process "%TEMP%\is-D4N4E.tmp\SetupGasTurb13Trial.tmp" (Handle: 200)
"SetupGasTurb13Trial.exe" wrote 8 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-D4N4E.tmp\SetupGasTurb13Trial.tmp" (Handle: 200)
"SetupGasTurb13Trial.exe" wrote 1500 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-D4N4E.tmp\SetupGasTurb13Trial.tmp" (Handle: 200)
"SetupGasTurb13Trial.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-D4N4E.tmp\SetupGasTurb13Trial.tmp" (Handle: 200)
"SetupGasTurb13Trial.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\is-D4N4E.tmp\SetupGasTurb13Trial.tmp" (Handle: 200)
"SetupGasTurb13Trial.tmp" wrote 1500 bytes to a remote process "C:\Program Files (x86)\GasTurb\GasTurb13\License\CodeMeterRuntime.exe" (Handle: 656)
"SetupGasTurb13Trial.tmp" wrote 4 bytes to a remote process "C:\Program Files (x86)\GasTurb\GasTurb13\License\CodeMeterRuntime.exe" (Handle: 656)
"SetupGasTurb13Trial.tmp" wrote 8 bytes to a remote process "C:\Program Files (x86)\GasTurb\GasTurb13\License\CodeMeterRuntime.exe" (Handle: 656)
"SetupGasTurb13Trial.tmp" wrote 32 bytes to a remote process "C:\Program Files (x86)\GasTurb\GasTurb13\License\CodeMeterRuntime.exe" (Handle: 656)
"SetupGasTurb13Trial.tmp" wrote 52 bytes to a remote process "C:\Program Files (x86)\GasTurb\GasTurb13\License\CodeMeterRuntime.exe" (Handle: 656)
"SetupGasTurb13Trial.tmp" wrote 32 bytes to a remote process "C:\Program Files (x86)\GasTurb\GasTurb13\GasTurb13.exe" (Handle: 620)
"SetupGasTurb13Trial.tmp" wrote 52 bytes to a remote process "C:\Program Files (x86)\GasTurb\GasTurb13\GasTurb13.exe" (Handle: 620)
"SetupGasTurb13Trial.tmp" wrote 4 bytes to a remote process "C:\Program Files (x86)\GasTurb\GasTurb13\GasTurb13.exe" (Handle: 620)
"SetupGasTurb13Trial.tmp" wrote 8 bytes to a remote process "C:\Program Files (x86)\GasTurb\GasTurb13\GasTurb13.exe" (Handle: 620)
"CodeMeterRuntime.exe" wrote 1500 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 284)
"CodeMeterRuntime.exe" wrote 4 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 284)
"CodeMeterRuntime.exe" wrote 8 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 284)
"CodeMeterRuntime.exe" wrote 32 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 284)
"CodeMeterRuntime.exe" wrote 52 bytes to a remote process "C:\Windows\SysWOW64\msiexec.exe" (Handle: 284)
"net.exe" wrote 32 bytes to a remote process "C:\Windows\SysWOW64\net1.exe" (Handle: 144)
"net.exe" wrote 52 bytes to a remote process "C:\Windows\SysWOW64\net1.exe" (Handle: 144)
"net.exe" wrote 4 bytes to a remote process "C:\Windows\SysWOW64\net1.exe" (Handle: 144)
"net.exe" wrote 8 bytes to a remote process "C:\Windows\SysWOW64\net1.exe" (Handle: 144) - source
- API Call
- relevance
- 6/10
- ATT&CK ID
- T1055 (Show technique in the MITRE ATT&CK™ matrix)
-
Ransomware/Banking
-
The analysis extracted a known ransomware file
- details
-
Found dropped filename "safety_instructions_axprotector.htm" which has been seen in the context of ransomware (Indicator: INSTRUCTIONS_)
Found dropped filename "safety_instructions_userhelp.htm" which has been seen in the context of ransomware (Indicator: INSTRUCTIONS_) - source
- Binary File
- relevance
- 5/10
-
Unusual Characteristics
-
Spawns a lot of processes
- details
-
Spawned process "SetupGasTurb13Trial.exe" (Show Process)
Spawned process "SetupGasTurb13Trial.tmp" with commandline "/SL5="$602B4,98966985,120832,C:\SetupGasTurb13Trial.exe"" (Show Process)
Spawned process "CodeMeterRuntime.exe" with commandline "/ComponentArgs "*":"/qn"" (Show Process)
Spawned process "msiexec.exe" with commandline "msiexec /i "%TEMP%\CodeMeter_v6.40.2402.501\CodeMeterRuntime64.msi" /l*v "%TEMP%\CodeMeter_v6.40.2402.501_{891CC458-B814-401C-97D8-411B36618C52}_CodeMeterRuntime64.msi.log" ProductLanguage=1033 /qn" (Show Process)
Spawned process "MSIB77A.tmp" with commandline "/t" (Show Process)
Spawned process "MSICC5B.tmp" with commandline "/t" (Show Process)
Spawned process "net.exe" with commandline "stop CodeMeter.exe /Y" (Show Process)
Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop CodeMeter.exe /Y" (Show Process)
Spawned process "GasTurb13.exe" (Show Process) - source
- Monitored Target
- relevance
- 8/10
-
Suspicious Indicators 31
-
Anti-Detection/Stealthiness
-
Queries kernel debugger information
- details
- "msiexec.exe" at 00069927-00002676-00000033-320362085752
- source
- API Call
- relevance
- 6/10
-
Queries process information
- details
-
"SetupGasTurb13Trial.tmp" queried SystemProcessInformation at 00060473-00002832-00000033-262189593971
"SetupGasTurb13Trial.tmp" queried SystemProcessInformation at 00060473-00002832-00000033-262190846519
"MSIB77A.tmp" queried SystemProcessInformation at 00070131-00003864-00000033-313253412356
"MSIB77A.tmp" queried SystemProcessInformation at 00070131-00003864-00000033-313282377757
"MSICC5B.tmp" queried SystemProcessInformation at 00070458-00003564-00000033-323868714722
"MSICC5B.tmp" queried SystemProcessInformation at 00070458-00003564-00000033-323896501264
"GasTurb13.exe" queried SystemProcessInformation at 00072165-00003748-00000033-376726814186 - source
- API Call
- relevance
- 4/10
- ATT&CK ID
- T1057 (Show technique in the MITRE ATT&CK™ matrix)
-
Anti-Reverse Engineering
-
Looks up many procedures within the same disassembly stream (often used to hide usage)
- details
- Found 33 calls to GetProcAddress@KERNEL32.dll (Show Stream)
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
PE file has unusual entropy sections
- details
- .rsrc with unusual entropies 7.1450379086
- source
- Static Parser
- relevance
- 10/10
-
Cryptographic Related
-
Found a cryptographic related string
- details
- "DES" (Indicator: "des"; File: "MSICC5B.TMP.5E0AF1F8.bin")
- source
- File/Memory
- relevance
- 10/10
-
Environment Awareness
-
Possibly tries to implement anti-virtualization techniques
- details
-
"CmActVirtualMachineNotAllowed" (Indicator: "virtualmachine")
[opaque binary string removed] (Indicator: "vmnet")
[opaque binary string removed] (Indicator: "qemu")
"Web Admin Version:Version Web AdminVersione Web Admin:Web Admin:Web ?o?[W:<td>File is in use
could not be openedNot running inside Virtual Environment.Running inside Virtual Environment.Hyper-V Guest.Hyper-V Root.SESSIONNAMESESSIONNAME=%sConsoleconsolerdp-tcp#rdp-tcp#%iUSERNAMEUSERNAME=%sUSERDOMAINUSERDOMAIN=%sLOGONSERVERLOGONSERVER=%sSID = %uMachine:" (Indicator: "hyper-v") - source
- File/Memory
- relevance
- 4/10
-
Reads the cryptographic machine GUID
- details
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
External Systems
-
Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details
-
2/72 reputation engines marked "http://www.jrsoftware.org/ishelp/index.php" as malicious (2% detection rate)
1/72 reputation engines marked "http://www.jrsoftware.org" as malicious (1% detection rate) - source
- External System
- relevance
- 10/10
-
General
-
Contains ability to find and load resources of a specific module
- details
- LoadResource@KERNEL32.dll (Show Stream)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Reads configuration files
- details
-
"SetupGasTurb13Trial.tmp" read file "%WINDIR%\win.ini"
"GasTurb13.exe" read file "%PROGRAMFILES%\(x86)\GasTurb\GasTurb13\UserMsg.ini" - source
- API Call
- relevance
- 4/10
-
Installation/Persistence
-
Drops executable files
- details
-
"MSIB77A.TMP.5E0AF1F3.bin" has type "PE32+ executable (GUI) x86-64 for MS Windows"
"MSICC5B.TMP.5E0AF1F8.bin" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"policy.3.20.WibuCmNET.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"policy.4.0.WibuCmNET.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"policy.4.30.WibuCmNET.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"WibuCmNET.resources.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"WibuCmTrigger64.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"WibuCmNET.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"policy.2.10.WibuCmNET.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"policy.3.0.WibuCmNET.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"policy.2.1.WibuCmNET.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"policy.4.40.WibuCmNET.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"policy.5.20.WibuCmNET.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"WibuCm32.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"policy.2.20.WibuCmNET.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"policy.4.1.WibuCmNET.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows" - source
- Binary File
- relevance
- 10/10
-
Network Related
-
Found potential IP address in binary/memory
- details
-
Heuristic match: "2019-12-31 06:59:12dotNetInstaller (DNI), version 2.3.16.0"
"192.0.2.42" - source
- File/Memory
- relevance
- 3/10
-
Ransomware/Banking
-
The input sample dropped very many files
- details
- The input sample dropped 1316 files (often an indicator for ransomware)
- source
- Binary File
- relevance
- 5/10
-
Remote Access Related
-
Reads terminal service related keys (often RDP related)
- details
-
"CodeMeterRuntime.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
"GasTurb13.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1076 (Show technique in the MITRE ATT&CK™ matrix)
-
System Destruction
-
Marks file for deletion
- details
-
"C:\SetupGasTurb13Trial.exe" marked "%TEMP%\is-D4N4E.tmp\SetupGasTurb13Trial.tmp" for deletion
"C:\SetupGasTurb13Trial.exe" marked "%TEMP%\is-D4N4E.tmp" for deletion
"%PROGRAMFILES%\(x86)\GasTurb\GasTurb13\License\CodeMeterRuntime.exe" marked "%TEMP%\DV8EE4.tmp" for deletion - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1107 (Show technique in the MITRE ATT&CK™ matrix)
-
Opens file with deletion access rights
- details
-
"SetupGasTurb13Trial.exe" opened "%TEMP%\is-D4N4E.tmp\SetupGasTurb13Trial.tmp" with delete access
"SetupGasTurb13Trial.exe" opened "C:\Users\%USERNAME%\AppData\Local\Temp\is-D4N4E.tmp" with delete access
"SetupGasTurb13Trial.tmp" opened "C:\Program Files (x86)\GasTurb\GasTurb13\is-QFH22.tmp" with delete access
"SetupGasTurb13Trial.tmp" opened "C:\Program Files (x86)\GasTurb\GasTurb13\is-VO9I4.tmp" with delete access
"SetupGasTurb13Trial.tmp" opened "C:\Program Files (x86)\GasTurb\GasTurb13\is-IVD2J.tmp" with delete access
"SetupGasTurb13Trial.tmp" opened "C:\Program Files (x86)\GasTurb\GasTurb13\is-SC39A.tmp" with delete access
"SetupGasTurb13Trial.tmp" opened "C:\Program Files (x86)\GasTurb\GasTurb13\is-T4T9V.tmp" with delete access
"SetupGasTurb13Trial.tmp" opened "C:\Program Files (x86)\GasTurb\GasTurb13\is-0LMVG.tmp" with delete access
"SetupGasTurb13Trial.tmp" opened "C:\Program Files (x86)\GasTurb\GasTurb13\is-FODLP.tmp" with delete access
"SetupGasTurb13Trial.tmp" opened "C:\Program Files (x86)\GasTurb\GasTurb13\is-OHNFB.tmp" with delete access
"SetupGasTurb13Trial.tmp" opened "C:\Program Files (x86)\GasTurb\GasTurb13\is-IPLHO.tmp" with delete access
"SetupGasTurb13Trial.tmp" opened "C:\Program Files (x86)\GasTurb\GasTurb13\is-07T1E.tmp" with delete access
"SetupGasTurb13Trial.tmp" opened "C:\Program Files (x86)\GasTurb\GasTurb13\is-S4ES7.tmp" with delete access
"SetupGasTurb13Trial.tmp" opened "C:\Program Files (x86)\GasTurb\GasTurb13\is-EJER1.tmp" with delete access
"SetupGasTurb13Trial.tmp" opened "C:\Program Files (x86)\GasTurb\GasTurb13\is-HGSJB.tmp" with delete access
"SetupGasTurb13Trial.tmp" opened "C:\Program Files (x86)\GasTurb\GasTurb13\is-5RFQT.tmp" with delete access
"SetupGasTurb13Trial.tmp" opened "C:\Program Files (x86)\GasTurb\GasTurb13\is-8HDS5.tmp" with delete access
"SetupGasTurb13Trial.tmp" opened "C:\Program Files (x86)\GasTurb\GasTurb13\is-SSB66.tmp" with delete access
"SetupGasTurb13Trial.tmp" opened "C:\Program Files (x86)\GasTurb\GasTurb13\is-780G2.tmp" with delete access
"SetupGasTurb13Trial.tmp" opened "C:\Program Files (x86)\GasTurb\GasTurb13\is-6FJ8V.tmp" with delete access - source
- API Call
- relevance
- 7/10
-
Unusual Characteristics
-
CRC value set in PE header does not match actual value
- details
-
"MSICC5B.TMP.5E0AF1F8.bin" claimed CRC 323131 while the actual is CRC 353891
"policy.3.20.WibuCmNET.dll" claimed CRC 80759 while the actual is CRC 323131
"policy.4.0.WibuCmNET.dll" claimed CRC 74188 while the actual is CRC 80759
"policy.4.30.WibuCmNET.dll" claimed CRC 64211 while the actual is CRC 74188
"WibuCmNET.resources.dll" claimed CRC 58877 while the actual is CRC 64211
"WibuCmTrigger64.dll" claimed CRC 370449 while the actual is CRC 58877
"WibuCmNET.dll" claimed CRC 375679 while the actual is CRC 370449
"WibuCmNET.resources.dll" claimed CRC 93132 while the actual is CRC 375679
"policy.2.10.WibuCmNET.dll" claimed CRC 23612 while the actual is CRC 93132
"policy.3.0.WibuCmNET.dll" claimed CRC 82368 while the actual is CRC 23612
"policy.2.1.WibuCmNET.dll" claimed CRC 26211 while the actual is CRC 82368
"WibuCmNET.dll" claimed CRC 742330 while the actual is CRC 26211
"policy.4.40.WibuCmNET.dll" claimed CRC 47065 while the actual is CRC 742330
"WibuCmNET.resources.dll" claimed CRC 59033 while the actual is CRC 47065
"policy.5.20.WibuCmNET.dll" claimed CRC 75548 while the actual is CRC 59033
"WibuCm32.dll" claimed CRC 803711 while the actual is CRC 75548
"WibuCmNET.resources.dll" claimed CRC 76986 while the actual is CRC 803711
"policy.2.20.WibuCmNET.dll" claimed CRC 43341 while the actual is CRC 76986
"policy.4.1.WibuCmNET.dll" claimed CRC 76743 while the actual is CRC 43341
"policy.5.22.WibuCmNET.dll" claimed CRC 64677 while the actual is CRC 76743 - source
- Static Parser
- relevance
- 10/10
-
Imports suspicious APIs
- details
-
RegOpenKeyExA
RegCloseKey
GetFileAttributesA
UnhandledExceptionFilter
WriteFile
OutputDebugStringW
GetModuleFileNameW
GetModuleFileNameA
LoadLibraryExW
GetModuleHandleA
TerminateProcess
GetModuleHandleExW
LoadLibraryA
OpenProcess
DeleteFileA
GetStartupInfoW
GetFileSizeEx
GetProcAddress
CreateFileW
IsDebuggerPresent
CreateFileA
GetCommandLineA
GetModuleHandleW
Sleep
GetWindowThreadProcessId
RegDeleteKeyA
RegDeleteValueA
RegCreateKeyExA
RegEnumKeyExA
LoadLibraryExA
VirtualProtect
FindResourceA
VirtualAlloc
RegCreateKeyExW
RegDeleteKeyW
SetSecurityDescriptorDacl
RegOpenKeyExW
GetUserNameW
RegEnumKeyExW
RegDeleteValueW
GetFileAttributesW
OpenFileMappingW
LoadLibraryW
GetTickCount
CreateDirectoryW
DeleteFileW
CreateFileMappingW
MapViewOfFile
ShellExecuteExW
recv
send
accept
WSAStartup
connect
closesocket
socket
RegEnumKeyW
FindResourceExW
OutputDebugStringA
CopyFileW
CreateThread
ExitThread
GetVersionExW
GetFileSize
GetTempFileNameW
FindFirstFileW
FindResourceW
LockResource
GetFileAttributesExW
GetTempPathW
ShellExecuteW
GetCursorPos
SetWindowsHookExW
GetUpdateRect
GetLastActivePopup
GetTempPathA
CopyFileA
GetVersionExA
CreateDirectoryA
FindFirstFileA
GetTempFileNameA
CreateProcessA
GetFileAttributesExA
ShellExecuteA
SetWindowsHookExA
LookupAccountNameA
OpenProcessToken
GetUserNameA
GetDriveTypeW
GetDriveTypeA
OpenFileMappingA
DeviceIoControl
FindNextFileW
CreateFileMappingA
FindNextFileA
FindFirstFileExW
GetCommandLineW
CreateProcessW
WriteProcessMemory
RegOpenKeyA
CreateServiceA
StartServiceCtrlDispatcherA
StartServiceA - source
- Static Parser
- relevance
- 1/10
-
Installs hooks/patches the running process
- details
-
"SetupGasTurb13Trial.exe" wrote bytes "7111c7007a3bc600ab8b02007f950200fc8c0200729602006cc805001ecdc3007d26c300" to virtual address "0x771307E4" (part of module "USER32.DLL")
"SetupGasTurb13Trial.tmp" wrote bytes "75dcd076273ed07651c1ce76ee9cce769498ce760fb3d4761099ce769097ce7600000000f5167b76ead77c76d9177b7669877b760f777d764cbc7d76a9347b7620147b76f8117b76ff107b7600000000" to virtual address "0x7480E000" (part of module "MSLS31.DLL")
"SetupGasTurb13Trial.tmp" wrote bytes "7111c7007a3bc600ab8b02007f950200fc8c0200729602006cc805001ecdc3007d26c300" to virtual address "0x771307E4" (part of module "USER32.DLL")
"CodeMeterRuntime.exe" wrote bytes "b4365e75" to virtual address "0x755F025C" (part of module "SSPICLI.DLL")
"CodeMeterRuntime.exe" wrote bytes "d83a5e75" to virtual address "0x755F01FC" (part of module "SSPICLI.DLL")
"CodeMeterRuntime.exe" wrote bytes "b840136774ffe0" to virtual address "0x755E3AD8" (part of module "SSPICLI.DLL")
"CodeMeterRuntime.exe" wrote bytes "d83a0200" to virtual address "0x755E4E38" (part of module "SSPICLI.DLL")
"CodeMeterRuntime.exe" wrote bytes "d83a0200" to virtual address "0x755E4D78" (part of module "SSPICLI.DLL")
"CodeMeterRuntime.exe" wrote bytes "d83a5e75" to virtual address "0x755F0258" (part of module "SSPICLI.DLL")
"CodeMeterRuntime.exe" wrote bytes "b4365e75" to virtual address "0x755F0278" (part of module "SSPICLI.DLL")
"CodeMeterRuntime.exe" wrote bytes "b8c0156774ffe0" to virtual address "0x755E36B4" (part of module "SSPICLI.DLL")
"CodeMeterRuntime.exe" wrote bytes "d83a5e75" to virtual address "0x755F0274" (part of module "SSPICLI.DLL")
"CodeMeterRuntime.exe" wrote bytes "c0dfd4771cf9d377ccf8d3770d64d57700000000c0117b7600000000fc3e7b7600000000e0137b76000000009457867725e0d477c6e0d47700000000bc6a857700000000cf317b760000000093198677000000002c327b7600000000" to virtual address "0x766F1000" (part of module "NSI.DLL")
"CodeMeterRuntime.exe" wrote bytes "b830126774ffe0" to virtual address "0x76D91368" (part of module "WS2_32.DLL")
"CodeMeterRuntime.exe" wrote bytes "b4360200" to virtual address "0x755E4D68" (part of module "SSPICLI.DLL")
"CodeMeterRuntime.exe" wrote bytes "7111c7007a3bc600ab8b02007f950200fc8c0200729602006cc805001ecdc3007d26c300" to virtual address "0x771307E4" (part of module "USER32.DLL")
"CodeMeterRuntime.exe" wrote bytes "68130000" to virtual address "0x76D91680" (part of module "WS2_32.DLL")
"CodeMeterRuntime.exe" wrote bytes "b4360200" to virtual address "0x755E4EA4" (part of module "SSPICLI.DLL")
"CodeMeterRuntime.exe" wrote bytes "b4365e75" to virtual address "0x755F01E4" (part of module "SSPICLI.DLL")
"CodeMeterRuntime.exe" wrote bytes "60126774" to virtual address "0x76B8E324" (part of module "WININET.DLL") - source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179 (Show technique in the MITRE ATT&CK™ matrix)
-
Reads information about supported languages
- details
-
"SetupGasTurb13Trial.tmp" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"CodeMeterRuntime.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"net.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"net1.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"GasTurb13.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409") - source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
Hiding 11 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version
-
Informative 28
-
Anti-Reverse Engineering
-
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
-
SetUnhandledExceptionFilter@KERNEL32.dll (Show Stream)
SetUnhandledExceptionFilter@KERNEL32.dll (Show Stream)
SetUnhandledExceptionFilter@KERNEL32.dll (Show Stream) - source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Environment Awareness
-
Contains ability to query machine time
- details
-
GetSystemTime@KERNEL32.dll (Show Stream)
GetSystemTime@KERNEL32.dll (Show Stream)
GetSystemTime@KERNEL32.dll (Show Stream)
GetSystemTimeAsFileTime@KERNEL32.dll (Show Stream) - source
- Hybrid Analysis Technology
- relevance
- 1/10
- ATT&CK ID
- T1124 (Show technique in the MITRE ATT&CK™ matrix)
-
Contains ability to query the machine timezone
- details
-
GetTimeZoneInformation@KERNEL32.dll (Show Stream)
GetTimeZoneInformation@KERNEL32.dll (Show Stream)
GetTimeZoneInformation@KERNEL32.dll (Show Stream)
GetTimeZoneInformation@KERNEL32.dll (Show Stream)
GetTimeZoneInformation@KERNEL32.dll (Show Stream)
GetTimeZoneInformation@KERNEL32.dll (Show Stream) - source
- Hybrid Analysis Technology
- relevance
- 1/10
- ATT&CK ID
- T1124 (Show technique in the MITRE ATT&CK™ matrix)
-
Contains ability to query the machine version
- details
-
GetVersion@KERNEL32.dll (Show Stream)
GetVersion@KERNEL32.dll (Show Stream) - source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the system locale
- details
-
GetUserDefaultUILanguage@KERNEL32.dll (Show Stream)
GetUserDefaultLCID@KERNEL32.dll (Show Stream)
EnumSystemLocalesW@KERNEL32.dll (Show Stream)
GetUserDefaultLCID@KERNEL32.dll (Show Stream)
EnumSystemLocalesW@KERNEL32.dll (Show Stream)
EnumSystemLocalesW@KERNEL32.dll (Show Stream)
EnumSystemLocalesW@KERNEL32.dll (Show Stream)
GetUserDefaultUILanguage@KERNEL32.dll (Show Stream)
EnumSystemLocalesW@KERNEL32.dll (Show Stream)
EnumSystemLocalesW@KERNEL32.dll (Show Stream)
EnumSystemLocalesW@KERNEL32.dll (Show Stream)
GetUserDefaultLCID@KERNEL32.dll (Show Stream)
EnumSystemLocalesW@KERNEL32.dll (Show Stream)
GetUserDefaultUILanguage@KERNEL32.dll (Show Stream)
GetUserDefaultLCID@KERNEL32.dll (Show Stream)
EnumSystemLocalesW@KERNEL32.dll (Show Stream)
EnumSystemLocalesW@KERNEL32.dll (Show Stream)
EnumSystemLocalesW@KERNEL32.dll (Show Stream)
EnumSystemLocalesW@KERNEL32.dll (Show Stream) - source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Makes a code branch decision directly after an API that is environment aware
- details
-
Found API call GetTimeZoneInformation@KERNEL32.dll directly followed by "cmp eax, 02h" and "jnbe 0040FECAh" (Show Stream)
Found API call GetTimeZoneInformation@KERNEL32.dll directly followed by "cmp eax, FFFFFFFFh" and "je 00423538h" (Show Stream)
Found API call GetVersion@KERNEL32.dll directly followed by "cmp eax, 80000000h" and "jnc 004020DBh" (Show Stream)
Found API call GetVersion@KERNEL32.dll directly followed by "cmp eax, 80000000h" and "jnc 0000000140002096h" (Show Stream)
Found API call GetTimeZoneInformation@KERNEL32.dll directly followed by "cmp eax, 02h" and "jnbe 0000000140010A05h" (Show Stream)
Found API call GetTimeZoneInformation@KERNEL32.dll directly followed by "cmp eax, FFFFFFFFh" and "je 0000000140024726h" (Show Stream)
Found API call GetTimeZoneInformation@KERNEL32.dll directly followed by "cmp eax, 02h" and "jnbe 20017CD5h" (Show Stream)
Found API call GetTimeZoneInformation@KERNEL32.dll directly followed by "cmp eax, FFFFFFFFh" and "je 20029422h" (Show Stream) - source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Possibly tries to detect the presence of a debugger
- details
- GetProcessHeap@KERNEL32.dll (Show Stream)
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Queries volume information
- details
-
"SetupGasTurb13Trial.tmp" queries volume information of "C:\" at 00060473-00002832-00000046-295554612265
"SetupGasTurb13Trial.tmp" queries volume information of "%PROGRAMFILES%\(x86)\GasTurb\GasTurb13\GasTurb13.exe" at 00060473-00002832-00000046-295597278411
"SetupGasTurb13Trial.tmp" queries volume information of "C:\" at 00060473-00002832-00000046-296266242710
"SetupGasTurb13Trial.tmp" queries volume information of "C:\Program Files (x86)\GasTurb\GasTurb13\GasTurb13.exe" at 00060473-00002832-00000046-296267703050
"SetupGasTurb13Trial.tmp" queries volume information of "C:\" at 00060473-00002832-00000046-296342906219
"SetupGasTurb13Trial.tmp" queries volume information of "C:\Program Files (x86)\GasTurb\GasTurb13\GasTurb13.chm" at 00060473-00002832-00000046-296344370002
"SetupGasTurb13Trial.tmp" queries volume information of "C:\" at 00060473-00002832-00000046-296437265769
"SetupGasTurb13Trial.tmp" queries volume information of "C:\Program Files (x86)\GasTurb\GasTurb13\manual\GasTurb13.pdf" at 00060473-00002832-00000046-296438865099
"SetupGasTurb13Trial.tmp" queries volume information of "C:\" at 00060473-00002832-00000046-296913053163
"SetupGasTurb13Trial.tmp" queries volume information of "C:\Program Files (x86)\GasTurb\GasTurb13\unins000.exe" at 00060473-00002832-00000046-296914600851 - source
- API Call
- relevance
- 2/10
- ATT&CK ID
- T1120 (Show technique in the MITRE ATT&CK™ matrix)
-
Queries volume information of an entire harddrive
- details
-
"SetupGasTurb13Trial.tmp" queries volume information of "C:\" at 00060473-00002832-00000046-295554612265
"SetupGasTurb13Trial.tmp" queries volume information of "C:\" at 00060473-00002832-00000046-296266242710
"SetupGasTurb13Trial.tmp" queries volume information of "C:\" at 00060473-00002832-00000046-296342906219
"SetupGasTurb13Trial.tmp" queries volume information of "C:\" at 00060473-00002832-00000046-296437265769
"SetupGasTurb13Trial.tmp" queries volume information of "C:\" at 00060473-00002832-00000046-296913053163 - source
- API Call
- relevance
- 8/10
- ATT&CK ID
- T1120 (Show technique in the MITRE ATT&CK™ matrix)
-
Reads the registry for installed applications
- details
-
"SetupGasTurb13Trial.tmp" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\SETUPGASTURB13TRIAL.TMP")
"SetupGasTurb13Trial.tmp" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\SETUPGASTURB13TRIAL.TMP")
"SetupGasTurb13Trial.tmp" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\GASTURB_IS1")
"SetupGasTurb13Trial.tmp" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\GASTURB_IS1") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
General
-
Contains PDB pathways
- details
-
"E:\BUILD\CM_XPM_WK\CM_RELEASE_6_40\wibu\cm\dev\Retail\CleanUp\obj\Release\winX86V12W\CmCleanUp32.pdb"
"E:\BUILD\CM_XPM_WK\CM_RELEASE_6_40\wibu\cm\dev\Retail\CleanUp\obj\Release\winX64V12W\CmCleanUp64.pdb"
"E:\BUILD\CM_XPM_WK\CM_RELEASE_6_40\wibu\cm\dev\talk\WibuCmTrigger\obj\Release\winX64V12W\WibuCmTrigger64.pdb"
[two garbled binary strings removed; they contain the paths "C:\build\work\eca3d12b\wix3\build\ship\x86\wixca.pdb" and "C:\build\work\eca3d12b\wix3\build\ship\x86\uica.pdb"] - source
- File/Memory
- relevance
- 1/10
-
Creates a writable file in a temporary directory
- details
-
"SetupGasTurb13Trial.exe" created file "%TEMP%\is-D4N4E.tmp\SetupGasTurb13Trial.tmp"
"SetupGasTurb13Trial.tmp" created file "C:\Users\%USERNAME%\AppData\Local\Temp\is-9HMBS.tmp\_isetup\_setup64.tmp"
"SetupGasTurb13Trial.tmp" created file "C:\Users\%USERNAME%\AppData\Local\Temp\is-9HMBS.tmp\_isetup\_shfoldr.dll"
"SetupGasTurb13Trial.tmp" created file "C:\Users\%USERNAME%\AppData\Local\Temp\is-9HMBS.tmp\_isetup\_isdecmp.dll"
"CodeMeterRuntime.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\CodeMeter_v6.40.2402.501\CodeMeterRuntime32.msi"
"CodeMeterRuntime.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\CodeMeter_v6.40.2402.501\Global Assembly Cache Folder\WibuCmNET.resources\6.40.228.501_zh-CHS_01D86E1EB0C69C23\WibuCmNET.resources.dll"
"CodeMeterRuntime.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\CodeMeter_v6.40.2402.501\Global Assembly Cache Folder\WibuCmNET.resources\6.40.228.501_ru_01D86E1EB0C69C23\WibuCmNET.resources.dll"
"CodeMeterRuntime.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\CodeMeter_v6.40.2402.501\Global Assembly Cache Folder\WibuCmNET.resources\6.40.228.501_nl_01D86E1EB0C69C23\WibuCmNET.resources.dll"
"CodeMeterRuntime.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\CodeMeter_v6.40.2402.501\Global Assembly Cache Folder\WibuCmNET.resources\6.40.228.501_ja_01D86E1EB0C69C23\WibuCmNET.resources.dll"
"CodeMeterRuntime.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\CodeMeter_v6.40.2402.501\Global Assembly Cache Folder\WibuCmNET.resources\6.40.228.501_it_01D86E1EB0C69C23\WibuCmNET.resources.dll"
"CodeMeterRuntime.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\CodeMeter_v6.40.2402.501\Global Assembly Cache Folder\WibuCmNET.resources\6.40.228.501_fr_01D86E1EB0C69C23\WibuCmNET.resources.dll"
"CodeMeterRuntime.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\CodeMeter_v6.40.2402.501\Global Assembly Cache Folder\WibuCmNET.resources\6.40.228.501_es_01D86E1EB0C69C23\WibuCmNET.resources.dll"
"CodeMeterRuntime.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\CodeMeter_v6.40.2402.501\Global Assembly Cache Folder\WibuCmNET.resources\6.40.228.501_de_01D86E1EB0C69C23\WibuCmNET.resources.dll" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511"
"\Sessions\1\BaseNamedObjects\Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000"
"Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511"
"Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000"
"\Sessions\1\BaseNamedObjects\Global\MSILOG_71a18efa1d5bf9fgol.ism.46emitnuRreteMedoC_}25C81663B114-8D79-C104-418B-854CC198{_105.2042.04.6v_reteMedoC_pmeT_lacoL_ataDppA_SWBUPAH_sresU_:C"
"Global\_MSIExecute"
"Global\MSILOG_71a18efa1d5bf9fgol.ism.46emitnuRreteMedoC_}25C81663B114-8D79-C104-418B-854CC198{_105.2042.04.6v_reteMedoC_pmeT_lacoL_ataDppA_SWBUPAH_sresU_:C"
"\Sessions\1\BaseNamedObjects\Global\_MSIExecute" - source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
-
Antivirus vendors marked dropped file "MSIB77A.TMP.5E0AF1F3.bin" as clean (type is "PE32+ executable (GUI) x86-64 for MS Windows")
Antivirus vendors marked dropped file "MSICC5B.TMP.5E0AF1F8.bin" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "policy.3.20.WibuCmNET.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows")
Antivirus vendors marked dropped file "policy.4.0.WibuCmNET.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows")
Antivirus vendors marked dropped file "policy.4.30.WibuCmNET.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows")
Antivirus vendors marked dropped file "WibuCmNET.resources.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows")
Antivirus vendors marked dropped file "WibuCmTrigger64.dll" as clean (type is "PE32+ executable (DLL) (GUI) x86-64 for MS Windows")
Antivirus vendors marked dropped file "WibuCmNET.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows")
Antivirus vendors marked dropped file "policy.2.10.WibuCmNET.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows")
Antivirus vendors marked dropped file "policy.3.0.WibuCmNET.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows")
Antivirus vendors marked dropped file "taboff_gradient.svg" as clean (type is "SVG Scalable Vector Graphics image")
Antivirus vendors marked dropped file "policy.2.1.WibuCmNET.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows")
Antivirus vendors marked dropped file "policy.4.40.WibuCmNET.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows")
Antivirus vendors marked dropped file "policy.5.20.WibuCmNET.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows")
Antivirus vendors marked dropped file "WibuCm32.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "policy.2.20.WibuCmNET.dll" as clean (type is "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows")
- source
- Binary File
- relevance
- 10/10
-
Loads rich edit control libraries
- details
- "SetupGasTurb13Trial.tmp" loaded module "%WINDIR%\SysWOW64\riched20.dll" at 74820000
- source
- Loaded Module
- ATT&CK ID
- T1179
-
Overview of unique CLSIDs touched in registry
- details
-
"SetupGasTurb13Trial.tmp" touched "Computer" (Path: "HKCU\WOW6432NODE\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
"SetupGasTurb13Trial.tmp" touched "Microsoft Multiple AutoComplete List Container" (Path: "HKCU\WOW6432NODE\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}")
"SetupGasTurb13Trial.tmp" touched "Microsoft Shell Folder AutoComplete List" (Path: "HKCU\WOW6432NODE\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\TREATAS")
"SetupGasTurb13Trial.tmp" touched "Microsoft AutoComplete" (Path: "HKCU\WOW6432NODE\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\TREATAS")
"SetupGasTurb13Trial.tmp" touched "Microsoft TipAutoCompleteClient Control" (Path: "HKCU\WOW6432NODE\CLSID\{807C1E6C-1D00-453F-B920-B61BB7CDD997}\TREATAS")
"SetupGasTurb13Trial.tmp" touched "Task Bar Communication" (Path: "HKCU\WOW6432NODE\CLSID\{56FDF344-FD6D-11D0-958A-006097C9A090}\TREATAS")
"SetupGasTurb13Trial.tmp" touched "Shortcut" (Path: "HKCU\WOW6432NODE\CLSID\{00021401-0000-0000-C000-000000000046}\TREATAS")
"SetupGasTurb13Trial.tmp" touched "Memory Mapped Cache Mgr" (Path: "HKCU\WOW6432NODE\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\TREATAS")
"msiexec.exe" touched "Msi install server" (Path: "HKCU\WOW6432NODE\CLSID\{000C101C-0000-0000-C000-000000000046}")
"msiexec.exe" touched "PSFactoryBuffer" (Path: "HKCU\WOW6432NODE\CLSID\{000C103E-0000-0000-C000-000000000046}")
"msiexec.exe" touched "Microsoft Windows Installer Message RPC" (Path: "HKCU\CLSID\{000C101D-0000-0000-C000-000000000046}\DLLVERSION") - source
- Registry Access
- relevance
- 3/10
-
Process launched with changed environment
- details
-
Process "MSIB77A.tmp" was launched with modified environment variables: "CommonProgramFiles, Path, PROCESSOR_ARCHITECTURE, ProgramFiles"
Process "MSIB77A.tmp" was launched with missing environment variables: "PROCESSOR_ARCHITEW6432, PROMPT, VXDIR"
Process "net.exe" was launched with new environment variables: "PROCESSOR_ARCHITEW6432="AMD64""
Process "net.exe" was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles"
Process "GasTurb13.exe" was launched with new environment variables: "PROMPT="$P$G", VXDIR="C:\VxStream""
Process "GasTurb13.exe" was launched with modified environment variables: "Path" - source
- Monitored Target
- relevance
- 10/10
-
Scanning for window names
- details
- "SetupGasTurb13Trial.tmp" searching for class "Shell_TrayWnd"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1010
-
Spawns new processes
- details
-
Spawned process "SetupGasTurb13Trial.tmp" with commandline "/SL5="$602B4,98966985,120832,C:\SetupGasTurb13Trial.exe""
Spawned process "CodeMeterRuntime.exe" with commandline "/ComponentArgs "*":"/qn""
Spawned process "msiexec.exe" with commandline "msiexec /i "%TEMP%\CodeMeter_v6.40.2402.501\CodeMeterRuntime64.m ..."
Spawned process "MSIB77A.tmp" with commandline "/t"
Spawned process "MSICC5B.tmp" with commandline "/t"
Spawned process "net.exe" with commandline "stop CodeMeter.exe /Y"
Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop CodeMeter.exe /Y"
Spawned process "GasTurb13.exe" - source
- Monitored Target
- relevance
- 3/10
-
Spawns new processes that are not known child processes
- details
-
Spawned process "SetupGasTurb13Trial.tmp" with commandline "/SL5="$602B4,98966985,120832,C:\SetupGasTurb13Trial.exe""
Spawned process "CodeMeterRuntime.exe" with commandline "/ComponentArgs "*":"/qn""
Spawned process "msiexec.exe" with commandline "msiexec /i "%TEMP%\CodeMeter_v6.40.2402.501\CodeMeterRuntime64.m ..."
Spawned process "MSIB77A.tmp" with commandline "/t"
Spawned process "MSICC5B.tmp" with commandline "/t"
Spawned process "net.exe" with commandline "stop CodeMeter.exe /Y"
Spawned process "net1.exe" with commandline "%WINDIR%\system32\net1 stop CodeMeter.exe /Y"
Spawned process "GasTurb13.exe" - source
- Monitored Target
- relevance
- 3/10
-
The input sample is signed with a certificate
- details
-
The input sample is signed with a certificate issued by "C=DE, PostalCode=52074, S=Nordrhein-Westfalen, L=Aachen, STREET=Melatener Str. 70, O=GasTurb GmbH, CN=GasTurb GmbH" (SHA1: 07:10:5D:BE:C1:37:CB:4B:B4:21:66:06:F9:DC:8C:F4:45:39:CB:68: (1.2.840.113549.1.1.11); see report for more information)
The input sample is signed with a certificate issued by "C=GB, S=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Code Signing CA" (SHA1: B6:9E:75:2B:BE:88:B4:45:82:00:A7:C0:F4:F5:B3:CC:E6:F3:5B:47: (1.2.840.113549.1.1.12); see report for more information)
The input sample is signed with a certificate issued by "C=GB, S=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority" (SHA1: AF:E5:D2:44:A8:D1:19:42:30:FF:47:9F:E2:F8:97:BB:CD:7A:8C:B4: (1.2.840.113549.1.1.12); see report for more information) - source
- Certificate Data
- relevance
- 10/10
- ATT&CK ID
- T1116
-
The input sample is signed with a valid certificate
- details
- The entire certificate chain of the input sample was validated successfully.
- source
- Certificate Data
- relevance
- 10/10
-
Installation/Persistance
-
Connects to LPC ports
- details
-
"SetupGasTurb13Trial.exe" connecting to "\ThemeApiPort"
"SetupGasTurb13Trial.tmp" connecting to "\ThemeApiPort"
"CodeMeterRuntime.exe" connecting to "\ThemeApiPort"
"msiexec.exe" connecting to "\ThemeApiPort"
"GasTurb13.exe" connecting to "\ThemeApiPort" - source
- API Call
- relevance
- 1/10
-
Dropped files
- details
-
"MSIB77A.TMP.5E0AF1F3.bin" has type "PE32+ executable (GUI) x86-64 for MS Windows"
"MSICC5B.TMP.5E0AF1F8.bin" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"policy.3.20.WibuCmNET.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"policy.4.0.WibuCmNET.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"policy.4.30.WibuCmNET.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"WibuCmNET.resources.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"WibuCmTrigger64.dll" has type "PE32+ executable (DLL) (GUI) x86-64 for MS Windows"
"WibuCmNET.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"GasTurb 13 Help.lnk" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Has Working directory Archive ctime=Tue Dec 31 05:58:53 2019 mtime=Tue Dec 31 05:58:53 2019 atime=Tue Nov 19 09:42:46 2019 length=18598553 window=hide"
"ZeroClipboard.swf" has type "Macromedia Flash data (compressed) version 14"
"policy.2.10.WibuCmNET.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"policy.3.0.WibuCmNET.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"taboff_gradient.svg" has type "SVG Scalable Vector Graphics image"
"policy.2.1.WibuCmNET.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"policy.4.40.WibuCmNET.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"policy.5.20.WibuCmNET.dll" has type "PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly for MS Windows"
"WibuCm32.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows" - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"SetupGasTurb13Trial.exe" touched file "%WINDIR%\SysWOW64\en-US\KernelBase.dll.mui"
"SetupGasTurb13Trial.exe" touched file "C:\Windows\syswow64\en\KERNELBASE.dll.mui"
"SetupGasTurb13Trial.exe" touched file "C:\Windows\SysWOW64\netmsg.dll"
"SetupGasTurb13Trial.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
"SetupGasTurb13Trial.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"SetupGasTurb13Trial.tmp" touched file "C:\Windows\SysWOW64\shfolder.dll"
"SetupGasTurb13Trial.tmp" touched file "C:\Windows\SysWOW64\imageres.dll"
"SetupGasTurb13Trial.tmp" touched file "C:\Windows\SysWOW64\shell32.dll"
"SetupGasTurb13Trial.tmp" touched file "C:\Windows\SysWOW64\en-US\shell32.dll.mui"
"SetupGasTurb13Trial.tmp" touched file "C:\Windows\syswow64\en\shell32.dll.mui"
"SetupGasTurb13Trial.tmp" touched file "C:\Windows\Fonts\StaticCache.dat"
"SetupGasTurb13Trial.tmp" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"SetupGasTurb13Trial.tmp" touched file "C:\Windows\SysWOW64\en-US\msctf.dll.mui"
"SetupGasTurb13Trial.tmp" touched file "C:\Windows\SysWOW64\en-US\user32.dll.mui"
"SetupGasTurb13Trial.tmp" touched file "C:\Windows\SysWOW64\en-US\KernelBase.dll.mui"
"SetupGasTurb13Trial.tmp" touched file "C:\Windows\syswow64\en\KERNELBASE.dll.mui"
"SetupGasTurb13Trial.tmp" touched file "C:\Windows\SysWOW64\netmsg.dll" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline"
Pattern match: "http://schemas.microsoft.com/SMI/2"
Heuristic match: ".S_a]u.lT"
Heuristic match: "wMAK[`.ws"
Heuristic match: "S&e4!pO.It"
Heuristic match: "\b)(!.Fj"
Heuristic match: "-P,a&lU.mK"
Heuristic match: "Font.Name"
Pattern match: "http://www.gasturb.de"
Pattern match: "www.wibu.com"
Pattern match: "WC.Ul/sp,|KHM4NqT"
Heuristic match: "6p8.iY.uA"
Heuristic match: "-@-@.A.A-@.A.A.A.A.A-@-@.A.A.A.A.A-@.A.A.A.A-@.A.A.A.AL"
Pattern match: "g7.dYn/Lcc"
Pattern match: "h.Mh.Mj/h.Mh/Mh/MhH/Mh/Mj/h/Mh/Mh/Mh00Mhx0Mh0Mh0M@h0Mvh"
Heuristic match: "?4 eZ 9.cX"
Pattern match: "http://support.codemeter.de"
Pattern match: "http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2otech.mspx#EDAA"
Pattern match: "http://support.microsoft.com/default.aspx?scid=kb;en-us;823732#3"
Heuristic match: "server.example.com"
Pattern match: "https://user:secretpassword@server.example.com/cmwan"
Pattern match: "www.wibu.com:;http="
Pattern match: "www.wibu.com/CodeMeter/FieldUpdate/2005/GetFirmwareUpdatehttp://www.wibu.com/CodeMeter/FieldUpdate/2005/CheckForFirmwareUpdateCmFieldUpdate.wbbhttp://www.wibu.com/CodeMeter/FieldUpdate/2005/LogFirmwareUpdateResultCM-Box"
Pattern match: "schemas.xmlsoap.org/soap/actor/nexthttp://www.w3.org/2003/05/soap-envelope/role/nextxsi:null &<>"lt;gt;amp;quot;apos;:int:short:byte:positiveInteger:nonNegativeInteger:unsignedLong:unsignedInt:unsignedShort:unsignedByte%lu%I64u"
Pattern match: "schemas.xmlsoap.org/soap/envelope/http://www.w3.org/*/soap-envelopeSOAP-ENChttp://schemas.xmlsoap.org/soap/encoding/http://www.w3.org/*/soap-encodingxsihttp://www.w3.org/2001/XMLSchema-instancehttp://www.w3.org/*/XMLSchema-instancexsdhttp://www.w3.org/2001" - source
- File/Memory
- relevance
- 10/10
-
System Security
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"SetupGasTurb13Trial.tmp" opened "\Device\KsecDD"
"CodeMeterRuntime.exe" opened "\Device\KsecDD"
"msiexec.exe" opened "\Device\KsecDD"
"GasTurb13.exe" opened "\Device\KsecDD" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
-
"MSICC5B.TMP.5E0AF1F8.bin" was detected as "Microsoft visual C++ 8"
"policy.3.20.WibuCmNET.dll" was detected as "Microsoft visual C# v7.0 / Basic .NET"
"policy.4.0.WibuCmNET.dll" was detected as "Microsoft visual C# v7.0 / Basic .NET"
"policy.4.30.WibuCmNET.dll" was detected as "Microsoft visual C# v7.0 / Basic .NET"
"WibuCmNET.resources.dll" was detected as "Microsoft visual C# v7.0 / Basic .NET"
"WibuCmNET.dll" was detected as "Microsoft visual C# v7.0 / Basic .NET"
"policy.2.10.WibuCmNET.dll" was detected as "Microsoft visual C# v7.0 / Basic .NET"
"policy.3.0.WibuCmNET.dll" was detected as "Microsoft visual C# v7.0 / Basic .NET"
"policy.2.1.WibuCmNET.dll" was detected as "Microsoft visual C# v7.0 / Basic .NET"
"policy.4.40.WibuCmNET.dll" was detected as "Microsoft visual C# v7.0 / Basic .NET"
"policy.5.20.WibuCmNET.dll" was detected as "Microsoft visual C# v7.0 / Basic .NET"
"WibuCm32.dll" was detected as "Borland Delphi 3.0 (???)"
"policy.2.20.WibuCmNET.dll" was detected as "Microsoft visual C# v7.0 / Basic .NET"
"policy.4.1.WibuCmNET.dll" was detected as "Microsoft visual C# v7.0 / Basic .NET"
"policy.5.22.WibuCmNET.dll" was detected as "Microsoft visual C# v7.0 / Basic .NET"
"CmRmtAct32.dll" was detected as "Borland Delphi 3.0 (???)" - source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1045
-
File Details
SetupGasTurb13Trial.exe
- Filename
- SetupGasTurb13Trial.exe
- Size
- 95MiB (99330704 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- ebc1c5ed5df3c8fa450cc04513639a1664e3490d60bf0408656847c6fc83a5d4
- MD5
- 16e6eef31e23bae14eea15f12bd53b94
- SHA1
- 15ff9e64337408c7b6b0e71a74fb567756c98257
Classification (TrID)
- 89.6% (.EXE) Inno Setup installer
- 3.6% (.EXE) Win32 Executable (generic)
- 1.6% (.EXE) Win16/32 Executable Delphi generic
- 1.6% (.EXE) OS/2 Executable (generic)
- 1.6% (.EXE) Generic Win/DOS Executable
File Certificates
Certificate chain was successfully validated.
Owner | Issuer | Validity | Hashes (MD5, SHA1) |
---|---|---|---|
C=DE, PostalCode=52074, S=Nordrhein-Westfalen, L=Aachen, STREET=Melatener Str. 70, O=GasTurb GmbH, CN=GasTurb GmbH | C=DE, PostalCode=52074, S=Nordrhein-Westfalen, L=Aachen, STREET=Melatener Str. 70, O=GasTurb GmbH, CN=GasTurb GmbH Serial: 79b030e9627c9cd8cb62920ac6e83f67 | 02/06/2018 01:00:00 to 02/07/2020 00:59:59 | 07:10:5D:BE:C1:37:CB:4B:B4:21:66:06:F9:DC:8C:F4:45:39:CB:68: (1.2.840.113549.1.1.11) |
C=GB, S=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Code Signing CA | C=GB, S=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Code Signing CA Serial: 2e7c87cc0e934a52fe94fd1cb7cd34af | 05/09/2013 01:00:00 to 05/09/2028 00:59:59 | B6:9E:75:2B:BE:88:B4:45:82:00:A7:C0:F4:F5:B3:CC:E6:F3:5B:47: (1.2.840.113549.1.1.12) |
C=GB, S=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority | C=GB, S=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority Serial: 4caaf9cadb636fe01ff74ed85b03869d | 01/19/2010 01:00:00 to 01/19/2038 00:59:59 | AF:E5:D2:44:A8:D1:19:42:30:FF:47:9F:E2:F8:97:BB:CD:7A:8C:B4: (1.2.840.113549.1.1.12) |
Screenshots
Hybrid Analysis
Analysed 9 processes in total.
- SetupGasTurb13Trial.exe (PID: 2104) 2/69
- SetupGasTurb13Trial.tmp /SL5="$602B4,98966985,120832,C:\SetupGasTurb13Trial.exe" (PID: 2832)
- CodeMeterRuntime.exe /ComponentArgs "*":"/qn" (PID: 3264)
- msiexec.exe msiexec /i "%TEMP%\CodeMeter_v6.40.2402.501\CodeMeterRuntime64.msi" /l*v "%TEMP%\CodeMeter_v6.40.2402.501_{891CC458-B814-401C-97D8-411B36618C52}_CodeMeterRuntime64.msi.log" ProductLanguage=1033 /qn (PID: 2676)
- GasTurb13.exe (PID: 3748)
- MSIB77A.tmp /t (PID: 3864)
- MSICC5B.tmp /t (PID: 3564)
- net.exe stop CodeMeter.exe /Y (PID: 632)
- net1.exe %WINDIR%\system32\net1 stop CodeMeter.exe /Y (PID: 2632)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Displaying 71 extracted file(s). The remaining 1245 file(s) are available in the full version and XML/JSON reports.
-
Clean 30
-
-
WibuCmNET.dll
- Size
- 717KiB (734160 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/70
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- fea29eb48d56ddf95f838f2393a68ef8
- SHA1
- f0449acc880f4269d3ed1f98c57bee5be8d1c9a7
- SHA256
- e4ce16a5cbce1db019053177c802a2a2c8f4b0bd25e94056bdd4d22f47754918
-
policy.2.1.WibuCmNET.dll
- Size
- 17KiB (17872 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/67
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- c1b702f00a938a30cbf37ca00f98ebca
- SHA1
- bbcb69948cae3b21afc467d4297e5dcedcb87059
- SHA256
- 7db61b619329a7c7356328f4f48cc5565f5aa94c3b804dae93ca6886f69ab49f
-
policy.2.10.WibuCmNET.dll
- Size
- 17KiB (17872 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/66
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- 554aca03cd233ab8292837c1e0d7d949
- SHA1
- 4a98bf55311f76be0c936d63f3ca132a845c2d36
- SHA256
- ea31cc996a55d196162964269462bdacc01877116077ff2e77e4f81f30c710cb
-
policy.2.20.WibuCmNET.dll
- Size
- 17KiB (17872 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/68
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- 86c314bb082c1a940d62bd6879862e52
- SHA1
- 3752cfb02c3b51353b3178a7b25e605f28ce75a2
- SHA256
- 945d19f7fb0b50a715fc03bbe09c2dce2cba55d3ac632ef3621b9d76841854dd
-
policy.3.0.WibuCmNET.dll
- Size
- 17KiB (17872 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/68
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- 4a1f1e8b820fd0ec2bcddea416b0e9e1
- SHA1
- 54c91e22feba1b9221dc1c5a5bce789cd89db3bb
- SHA256
- c6e1bbec850ad415cf7175d429984c17fa12b7d52adbcc407d33fefbf250caa4
-
policy.3.20.WibuCmNET.dll
- Size
- 17KiB (17872 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/67
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- bb723ea5a5c8dbc1045590de3a84ee2b
- SHA1
- 7b62c366cc1ef943936ac8fbd69c494a45b66a6d
- SHA256
- cdbfd79d16a406aa9ab792aedcacb11c8183ecdfe8ac551074ac0417b7b52497
-
policy.3.33.WibuCmNET.dll
- Size
- 17KiB (17872 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/68
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- 37cac51a8644753de82ac68085d48643
- SHA1
- 704faa4608ede0da0a6014a38b4402d41e0061f9
- SHA256
- 2c30afd0939a3c11c53b201a6c1db2def4977bc06855207309243dcf6605225a
-
policy.4.0.WibuCmNET.dll
- Size
- 17KiB (17872 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/66
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- ab5a5529f4a5aaf40c73055b5041d412
- SHA1
- cd974d6cf57cce6356501b4c3824f7d6d3b97fc4
- SHA256
- f77e2452f704a439ff71cb980047e646243e1515031a761158e3ff483796c858
-
policy.4.1.WibuCmNET.dll
- Size
- 17KiB (17872 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/65
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- 52a688077e3912f09e12dbf4bd901ee3
- SHA1
- 09cd76a7d5a2d9f2d942f2063476e7800dd902c3
- SHA256
- b52fd4bf55b5830d3effbef7969f80ac8e977f9bbd04889226035c2bf046ab9a
-
policy.4.30.WibuCmNET.dll
- Size
- 17KiB (17872 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/66
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- bf955db9ecf35b2a6bfe1f696a5fdc93
- SHA1
- 5a5b4c43b82620ecec77a6e5fc894cc258646da7
- SHA256
- bdf3c350a262082e9b8b98748f6342d1459faf3ab2c5d5705ce8698bc523dc16
-
policy.4.40.WibuCmNET.dll
- Size
- 17KiB (17872 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/67
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- afa0d300f8ce6f0b3ba95fac26f38ca3
- SHA1
- 5b6b8f5e451ae40332d30ab9ff4d1cdd650a4409
- SHA256
- 07118e18bbe2518c279826e25ce8b6a09ad830b23fd9f6a63520cc8170af8c5d
-
policy.4.50.WibuCmNET.dll
- Size
- 17KiB (17872 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/66
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- b5d3dcdfbc9b0aa220616a138270d192
- SHA1
- cbc9664ff4b1d4035223c0b92694ea7950c8bf17
- SHA256
- f065da1b4fb1f1b25ad704c34a7bf9b54ae32ce66c602a2b6032e023c76f70fe
-
policy.5.20.WibuCmNET.dll
- Size
- 17KiB (17872 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/67
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- faa82abdcedafe695dabafd3ede51968
- SHA1
- 2292a68e910c91e94e9c290ba58dd299f8a70d3d
- SHA256
- 4aef5ea011bb82690f35af953d690dd80d2e602b7a561a295e535025ac910126
-
policy.5.21.WibuCmNET.dll
- Size
- 17KiB (17872 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/67
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- c22e53bdb0b378c5e6766c68ac830a48
- SHA1
- dc31cdff289f35977a12e4ae7730f13dea8f297c
- SHA256
- 9c3097168fd4ae52a12d66ce3687eca7325b7b25d04c21f32857ecac8f60385c
-
policy.5.22.WibuCmNET.dll
- Size
- 17KiB (17872 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/68
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- 6f8d9f1c28f94b9810a6fc9fb3528a8d
- SHA1
- 5e5360bdce5b7aafd9a5bfcb65f61bb66a194a80
- SHA256
- 0858dfe16d2c64ea911b5734abd4fad83bde8c86842b19cd9e5bdbe22afd462b
-
policy.6.30.WibuCmNET.dll
- Size
- 17KiB (17872 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/68
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- 5a9e4618c8e1c54383f02045b22c8ea0
- SHA1
- 955c82a3012eb4af9a65798c4ee2f8f6517dd1b8
- SHA256
- bdec96585c73a3797811478759d65eeafecfebe160c05ab3ee93efb0541d36cb
-
policy.6.40.WibuCmNET.dll
- Size
- 17KiB (17872 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
- AV Scan Result
- 0/66
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- a27a67e36d5c8a70c2dcdba7d6ce7e20
- SHA1
- e5a966f894bb75c6bc54cc9b7ad365ed5c9d6bd8
- SHA256
- 65aea1c864d479207bdc961b83d5ccb9c9440647ad9f8dc79e0f5ca434015306
-
CmRmtAct64.dll
- Size
- 3.6MiB (3728384 bytes)
- Type
- pedll 64bits executable
- Description
- PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/57
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- 9a36f355837816380bb4dd81894c3513
- SHA1
- a8e798f8d44c63461b346a5cdfb5cb22092607a4
- SHA256
- 5bbe1e25dc822510c7ae7f2120d4e62f5454d0ac753081b7b9a0d695ddda4667
-
WibuCmTrigger64.dll
- Size
- 351KiB (359384 bytes)
- Type
- pedll 64bits executable
- Description
- PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/60
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- cfff69e05022f71e2bcc0c9464b16d75
- SHA1
- b9bbb3eb9a014269e15f1d29c59829d8c5b60ac1
- SHA256
- a3837ef7f2b67fb61540b485c49e3bb647d3d4c4f77210643a8e523bca42e3ee
-
CmRmtAct32.dll
- Size
- 2.8MiB (2959872 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/60
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- fc430ff6c1726dcc8b03c844c9b69098
- SHA1
- d9839923a0ffdd21c37290174cd030fd1491ccd3
- SHA256
- 8eedbc1b408ed56c6219031694e13720fc1edf83994ff9f6f8675088d01dd0e4
-
CodeMeter.exe
- Size
- 4.6MiB (4817384 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/81
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- 25aaec4aa9cf6b016b3d6d3b16d37db5
- SHA1
- 43b5caa686359fa45404d42a495cd4942fd2b20c
- SHA256
- 5bd05541d4f02a451fda32aedc0a39d4615767905c1d811b04d93f8d5f587663
-
WibuCmTrigger32.dll
- Size
- 296KiB (303064 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/62
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- b74233c934d2560e6f3143e11481477f
- SHA1
- 44ed06bd1c032d19bbb0dd71c210bae2775e2c97
- SHA256
- b7000dfe80d2e7d6413cfd91d4bce8e1c9f0f5e3430aa61ea91a807f7cf5603a
-
cmu32.exe
- Size
- 1MiB (1072624 bytes)
- Type
- peexe executable
- Description
- PE32 executable (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/69
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- 690bfa10a25b36bfa9fd9c410bde1608
- SHA1
- 3fb69fd59e9321ae0d4b5183185376492b501085
- SHA256
- 4b1dc642b6681ae0478e7eb9d08c839211cb92fcc656af68934f10f35a236e4f
-
WibuShellExt.dll
- Size
- 2MiB (2138136 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/61
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- 35840f6f1a95de923006732de5f52be9
- SHA1
- 838f89fcee1910ce91898aa8e08b31a4aa463bff
- SHA256
- 8adcac7212a0a229a2d2e0408163b5bf842131883b2f87cefa4f69247e3a5af9
-
WibuShellExt64.dll
- Size
- 2.8MiB (2938392 bytes)
- Type
- pedll 64bits executable
- Description
- PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/68
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- 80c7477968a97af307e4cd07fdaf9fa6
- SHA1
- ed93de205edee90c973fdb950cf4375c6ee8f18d
- SHA256
- b11203305d65d3defb53160ac4323b4c4166364b1bebadd5ee6fb96e7e14a859
-
WibuXpm4J64.dll
- Size
- 1.3MiB (1348568 bytes)
- Type
- pedll 64bits executable
- Description
- PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/60
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- f1907c81ae8b5ddfb9a03d7e385f51a7
- SHA1
- 417b52e551ba9cd0c705d97497bdbbf90e5a300f
- SHA256
- 1ef8adda924e2b735fa13c401de845fb3eda55b71174d2f7c66c56c20664b991
-
wibucmJNI64.dll
- Size
- 220KiB (225288 bytes)
- Type
- pedll 64bits executable
- Description
- PE32+ executable (DLL) (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/61
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- 3f797b15e86901e618d40329ff3b90d7
- SHA1
- e57b00b968804c859f032a9dd0e65b7af692540b
- SHA256
- e06217717595a3646fed9c13930bca98a360d4a9b5ef50d54d6d96dc96dd8ba3
-
WibuCm32.dll
- Size
- 770KiB (788936 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/69
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- 3d8bcd384035ed2ee758c3dd3c06372e
- SHA1
- 4c44ccd6f3a5d09e46fb32ad5dd8b6844f9760ce
- SHA256
- 210190ccd735f5ebf13fbdcdfb21c228a82e84bd7fefc44f57efe448d3100ba6
-
MSIB77A.TMP.5E0AF1F3.bin
- Size
- 309KiB (316912 bytes)
- Type
- peexe 64bits executable
- Description
- PE32+ executable (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/67
- MD5
- fcee237a290c8fef3ced3f6b89f172b2
- SHA1
- aa65004cf17951ad73e83d5b77d4ea8f9e53b350
- SHA256
- df9851925c52aaeac0d08f5979223055e3acdb3912e1bc68ea14fd9991e652c8
-
MSICC5B.TMP.5E0AF1F8.bin
- Size
- 266KiB (272368 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/71
- MD5
- b8b3a012ebaf79c45311d43c0db93cfd
- SHA1
- 6e6afd862d4650b031154a932293b03701d2a46e
- SHA256
- 4b803d7f9921fb7e942728c282d68f63a6d714d05929a152f8ef115650b9be95
-
-
Informative Selection 2
-
-
CodeMeterRuntime64.msi
- Size
- 5MiB (5236548 bytes)
- Type
- rtf (file-type heuristic misfire: an .msi is an OLE2 compound document holding a Windows Installer database, not RTF; the description below shows the CFB container)
- Description
- Composite Document File V2 Document, Can't read SAT
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- 336fda9b7c2040bf13826c56b6d8e9fb
- SHA1
- ce6926a54ec9f29edd8e595cbd0e5a88b4712368
- SHA256
- 990dc978725d657870cbb1eef7f59add49adcb3294632f129f6c4ac14f864c37
-
ZeroClipboard.swf
- Size
- 3.9KiB (4038 bytes)
- Type
- flash
- Description
- Macromedia Flash data (compressed), version 14
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- c864c077a088528730fd7daaf3ba3ba1
- SHA1
- d4491448663af54501ed771f85b14314ec1928f5
- SHA256
- 2892cda40e728f1cd0543e8c42e159da5d59b85a2d25c542aca175f0f7621c18
-
-
Informative 39
-
-
GasTurb 13 Help.lnk
- Size
- 1.1KiB (1165 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Dec 31 05:58:53 2019, mtime=Tue Dec 31 05:58:53 2019, atime=Tue Nov 19 09:42:46 2019, length=18598553, window=hide
- Runtime Process
- SetupGasTurb13Trial.tmp (PID: 2832)
- MD5
- aecd08e170eecf4d3cce3f82a9a50a7b
- SHA1
- fbec63431c64ab72d4b251b85668b5d330439852
- SHA256
- 18899547692a3b822942de3585347f565bc84e48e6ba4c5e8f675ecd662da43c
-
GasTurb 13 Manual.lnk
- Size
- 1.3KiB (1280 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Dec 31 05:58:55 2019, mtime=Tue Dec 31 05:58:55 2019, atime=Tue Nov 19 09:32:00 2019, length=21548334, window=hide
- Runtime Process
- SetupGasTurb13Trial.tmp (PID: 2832)
- MD5
- 8974e939b845f992699a6e257df91f04
- SHA1
- fea2b34f7f1afcbad5ae4b0f99ec7ca79f79520e
- SHA256
- 268b3a52cf5e91dc5e89d48af6641cf3b141c0a69ebdf8143f8d02f310f2e25e
-
GasTurb 13.lnk
- Size
- 1.1KiB (1141 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Dec 31 05:58:51 2019, mtime=Tue Dec 31 05:58:51 2019, atime=Mon Dec 9 10:32:06 2019, length=21283840, window=hide
- Runtime Process
- SetupGasTurb13Trial.tmp (PID: 2832)
- MD5
- 4a40d5a9820145f2c017914e2678205d
- SHA1
- afd95af354b8bc285d20908f13b7c7b2a8436def
- SHA256
- 1283a27d718509ec8fae7913827a92534aff1e2ac286f5c9a03ef155fc885462
-
Uninstall GasTurb 13.lnk
- Size
- 1.1KiB (1160 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Dec 31 05:58:51 2019, mtime=Tue Dec 31 05:58:51 2019, atime=Tue Dec 31 05:55:32 2019, length=784176, window=hide
- Runtime Process
- SetupGasTurb13Trial.tmp (PID: 2832)
- MD5
- ad1b5f9851867c37ca2dba1dc11ee297
- SHA1
- 0ce4073a9ff2bc41e4e944b540a2442195232dbc
- SHA256
- eee744a8af58b589385007ae35e983fcc5049912acf9a18280a819d0e33ba3ca
-
is-0BJQI.tmp
- Size
- 68KiB (69429 bytes)
- Runtime Process
- SetupGasTurb13Trial.tmp (PID: 2832)
- MD5
- 362bf726ae93594aa1165b1cf8176ea3
- SHA1
- 4ca738901511d5396d73bc14098ad47f5225d4d0
- SHA256
- 21461a437100f917b373cdefc293cd05d22373edccda73e0505409f83eebbe85
-
is-0G78Q.tmp
- Size
- 58KiB (59505 bytes)
- Runtime Process
- SetupGasTurb13Trial.tmp (PID: 2832)
- MD5
- a3864b054c0d22fb567bc68ef1fe60a5
- SHA1
- d0e7e227e2ed9f0a5b4993f09a3346e737aa079f
- SHA256
- 518ea8bd4c04c6881ab06a5de7ac1170205b53c749425de4feca6a2165d9a641
-
is-18M0I.tmp
- Size
- 69KiB (70548 bytes)
- Runtime Process
- SetupGasTurb13Trial.tmp (PID: 2832)
- MD5
- 766c01036547e27c59573af061b2876c
- SHA1
- cc44bac8da7ce06340753d916172771e76485382
- SHA256
- 3189069e758fd018709f103b1ce58d9b4818221903c793a2bb0ee9affe50694b
-
is-19TSO.tmp
- Size
- 55KiB (56743 bytes)
- Runtime Process
- SetupGasTurb13Trial.tmp (PID: 2832)
- MD5
- 8f76540801c48547b5944879d91c0755
- SHA1
- 6385ca05a141488653b52a43e5b8a9ce89f67a01
- SHA256
- 6230ccde81b5ba17e615a94dbb4a0e7a2207d234be5637cab8ff0b72627da1ff
-
is-22G9Q.tmp
- Size
- 1.8KiB (1820 bytes)
- Runtime Process
- SetupGasTurb13Trial.tmp (PID: 2832)
- MD5
- ae33b81341c2acd35b0c6829e575cfd0
- SHA1
- eb3942d9a327d036c0adb2bdf96e13e2086851fa
- SHA256
- cc58c17a1263e2427ec8636d0ec3822719fc3e436cd353de7976bf7e9034417d
-
is-2HTE9.tmp
- Size
- 68KiB (69261 bytes)
- Runtime Process
- SetupGasTurb13Trial.tmp (PID: 2832)
- MD5
- da2bd7486f5c8b7d154d1a71d4e58d91
- SHA1
- 699e1df00d38f25f6d47b3b5327969c26b81ef06
- SHA256
- faa67d474a0501f28aa2dd7397e5dba75a9382ef92b7974f1d14b31e3b7e9f78
-
is-3JFU4.tmp
- Size
- 68KiB (69325 bytes)
- Runtime Process
- SetupGasTurb13Trial.tmp (PID: 2832)
- MD5
- 8f2050d2e847a7220a7526b5aeb9f711
- SHA1
- 0d94539ea01ec0f17507f9ceac912212c354efb6
- SHA256
- ef92d9f0a63d04e2c450817512ba5ed3ebefef1f77401518fe6164c0dee3c4da
-
is-4ME1J.tmp
- Size
- 410KiB (420285 bytes)
- Runtime Process
- SetupGasTurb13Trial.tmp (PID: 2832)
- MD5
- 684ff7056e291339596dcbc43c2d09c9
- SHA1
- f0e9ae0432b3cce5b058b7d9561d033ea51ff691
- SHA256
- b4ccc51157df4f9e7af7692cf9999a93ed75a04b85eb43660f0c41c584f96e1a
-
is-534T9.tmp
- Size
- 76KiB (77997 bytes)
- Runtime Process
- SetupGasTurb13Trial.tmp (PID: 2832)
- MD5
- ea7f6f7db2930bc9ddd2e05031615ee6
- SHA1
- 4d26cb851021f1ea2ef02be911c0b482e480a93a
- SHA256
- 57757c18457ec6eed19cca44fab0291c0fee5eef0cb35fabb3d657fbc0e0b8dc
-
is-55BDO.tmp
- Size
- 74KiB (75793 bytes)
- Runtime Process
- SetupGasTurb13Trial.tmp (PID: 2832)
- MD5
- 48f1b33f5fc648958a35118a3cdc5265
- SHA1
- 10e442c665ca635536031063dc0623db28a19261
- SHA256
- 965e0a5912a8cb5c8b48e2e52c4a68b4a5f23969431d1cbf71dda67ec6fa8725
-
is-5N406.tmp
- Size
- 18KiB (18026 bytes)
- Runtime Process
- SetupGasTurb13Trial.tmp (PID: 2832)
- MD5
- eb2656eb66da7f7fa658bd7b5e593024
- SHA1
- 8956858df877edfccef1334902b9f8ac30bb700b
- SHA256
- d041cdb2c2de49b7f3fc907a1744149046addfa214db215eb808f1140dc1f208
-
is-5PJ0U.tmp
- Size
- 59KiB (59930 bytes)
- Runtime Process
- SetupGasTurb13Trial.tmp (PID: 2832)
- MD5
- b9c0adb165f4d7776e3b917e476b0e54
- SHA1
- 23e19b1e68fb8d844ea3a5b88d95877befa1ecb8
- SHA256
- 2867085ff4455bfcab8a5e81a4a9bdf12396822045cae6960c58aa9530427c7b
-
is-65V4G.tmp
- Size
- 66KiB (68052 bytes)
- Runtime Process
- SetupGasTurb13Trial.tmp (PID: 2832)
- MD5
- 033801fd5be2470e92a7889b9df94938
- SHA1
- f6a385c6252026a19d1fb0d8694e59c90a5ca423
- SHA256
- 56971f1b7c02bc1303c012c9f29c6431ebc1f5f6ae4b196822f0a94ffe8db7d9
-
is-6BLKO.tmp
- Size
- 59KiB (60274 bytes)
- Runtime Process
- SetupGasTurb13Trial.tmp (PID: 2832)
- MD5
- eda5e6c2452dfd1629b7ca930c17c76c
- SHA1
- 1f6790ee234d9717321d49dabda1d2f591722942
- SHA256
- fd9dbb19c0c66c78772d5a2e3f702d864ae019731a72b38ff3e9a7dc4963cfa3
-
is-7RB2V.tmp
- Size
- 73KiB (74940 bytes)
- Runtime Process
- SetupGasTurb13Trial.tmp (PID: 2832)
- MD5
- 0adbde8e4bee16ed20110e1d86e678d8
- SHA1
- cecdfa1d047fc3a031972538fc9ea36c1966ff93
- SHA256
- e4901c521316bd03a451288cadc5e1fdd0d217c2b385f36ab5502a8d83e09299
-
is-BRAQP.tmp
- Size
- 799B (799 bytes)
- Runtime Process
- SetupGasTurb13Trial.tmp (PID: 2832)
- MD5
- e9a1cb41dcf3fc774752b9c4575cbfa5
- SHA1
- 1f0211a66ce526e4ee6937b8691fc22f781f664b
- SHA256
- 2115bcafa396c410e4a250742359aacf26cba9701db600e1a508ad33856cd32c
-
CodeMeterRuntime32.msi
- Size
- 5MiB (5210112 bytes)
- Type
- rtf (file-type heuristic misfire: an .msi is an OLE2 compound document holding a Windows Installer database, not RTF; the description below shows the CFB container)
- Description
- Composite Document File V2 Document, Can't read SAT
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- 4985c03b7417f4b8766180451952ec82
- SHA1
- ff5f4e98bc285dd690d49785b5fd28ad3ddab8b4
- SHA256
- 4b587a457da36e629899a0232ae4529f7bcfd9e8c18ab4b20b052c5d5d44ce58
-
WibuCmNET.resources.dll
- Size
- 57KiB (58320 bytes)
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- ab372b6c0d6853af7d5d37d444a425ff
- SHA1
- 45a5cc283b8448af862e1be30063ff7d914bac94
- SHA256
- 87ce585ceb49184edba449ab7e6a1bed4ef96f9d3a65e470598f0efef818af74
-
policy.2.0.WibuCmNET.dll
- Size
- 17KiB (17872 bytes)
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- 49a0fe914deb5ef90f885b671062e522
- SHA1
- 620ff90cfc89a26a1eecc19652f0d53075e94d65
- SHA256
- d8c1b62a2790b1d1fdee823e029f0bf6300602f850d81f7577a72fac6d56b17e
-
policy.3.30.WibuCmNET.dll
- Size
- 17KiB (17872 bytes)
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- 2da854be56014b9a11d3bb1f30671716
- SHA1
- 5f5653d9083e8e62459875ec8d5c0cd605558b07
- SHA256
- 7d67f1c8f7064737a4f40ad78dd918bed177e17b2e1501892a3842e62613e01a
-
policy.3.31.WibuCmNET.dll
- Size
- 17KiB (17872 bytes)
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- 19fa56bc09c71ca97ffde64814cdb883
- SHA1
- 806ecb8b1eac46fdd10db5d32ce2bb47bd115323
- SHA256
- bdde4f2920bfd5a32c27549e6545f9abd5aa35a3c6dac75097ed4405b2a4c9fa
-
policy.3.32.WibuCmNET.dll
- Size
- 17KiB (17872 bytes)
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- 790f8e4bf98b54a854ed13e059b5932f
- SHA1
- ec52900b8d83b8fa1f6177e0eb4a83405bd71b51
- SHA256
- 3c572220f52a5943c308ef63782bc7110a3dc0b7d54f7ceef744c943badb7546
-
policy.4.10.WibuCmNET.dll
- Size
- 17KiB (17872 bytes)
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- be05b25f8287582919c507d871fb4126
- SHA1
- 08d1aa877c643383d91f306dde18e081f371d12e
- SHA256
- 15f4632195860917dedaa828f48e5504031be0975b913135612756f1d426524a
-
policy.4.20.WibuCmNET.dll
- Size
- 17KiB (17872 bytes)
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- d003096183a841dbb3517e3603284029
- SHA1
- 1acca55d73d4a83789a61179b10e35d7401434fd
- SHA256
- 2005eaa644e6e2f781d5c1ab2064a0c37ea1fb0932baf8e99517e28cc7562020
-
policy.5.0.WibuCmNET.dll
- Size
- 17KiB (17872 bytes)
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- 4e548adb687a6e0e9bb6af4c6deb471e
- SHA1
- 22433ece6282d2508491308822c1266386d4989a
- SHA256
- c549af4a2d08d30fe47a2d00acfdd15a73c557fdb0574a34a53c2603ec17d2ad
-
policy.5.10.WibuCmNET.dll
- Size
- 17KiB (17872 bytes)
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- 8e472fea764d1df90600871e0b96a66b
- SHA1
- 7d10f317129db51ee2d3d69cd5458614ef3947ed
- SHA256
- b9c2ab8e26117d5796b9292b425cb865a38d123fa539fcac98d74c62322513b1
-
policy.6.0.WibuCmNET.dll
- Size
- 17KiB (17872 bytes)
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- eba997a5ca56e95c3866727d49229c7f
- SHA1
- 544f6dd046f50149d875a9a62be4d682a609dfe0
- SHA256
- 8732205a4c320bab5ebbf5247e4a5ab4e62b6b8e63ca36964287298f6d205fe0
-
policy.6.10.WibuCmNET.dll
- Size
- 17KiB (17872 bytes)
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- d1065f8275bd4b067ec1d68ec43dc23e
- SHA1
- 540d996296ebf5e1b63f7dee53d4cefa22ff9028
- SHA256
- 82cd41655a7f14c325da82f189983f8000b97547112ab949bd2bd60268a27361
-
policy.6.20.WibuCmNET.dll
- Size
- 17KiB (17872 bytes)
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- ff7bdb900a9beefe60b6d142dd48aa45
- SHA1
- 900ae9acb92884aea229038037034764ee2f1069
- SHA256
- c3b0bd1c56f1febcc94764699fe603a3b97a90534dba426b075728c676847e28
-
CodeMeterCC.exe
- Size
- 5MiB (5228303 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- 057ac999e0f4a8a0c61f1fa3ebd946f8
- SHA1
- d671ad0d58279e87bba7e6b3d1b4d021ff9a195d
- SHA256
- e63068203ae77754e8702670c8500c4a7fa29957df676318a6eb1a9343f32f7c
-
WibuShellExtRepair.cmd
- Size
- 4.2KiB (4313 bytes)
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- afb4de9ddc592df67b40f6b1721fdc19
- SHA1
- 90540d3bf7274b65b9944f79b136cc1281d00426
- SHA256
- 70f792bee36e245caefb45b8b6b321459a470abe4bbe080112a76bc58b444421
-
WibuCm64.dll
- Size
- 930KiB (952776 bytes)
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- 2683d87ea5af51a8ce9911932811f083
- SHA1
- 15651bb41bc1352d5131b9900d1f515beef476b3
- SHA256
- 106ee893160530f66365145e0b1d94cc795dc39868277ae9517a1b2ad0d4ecf6
-
WibuXpm4J32.dll
- Size
- 1MiB (1078232 bytes)
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- 0db8a4f3570ca39c9ee3a7120f21cf02
- SHA1
- 8c43c0ca786441ed87c2246519793387a6c03c0f
- SHA256
- e08f6a884857574234e45429939e14f4a188e4f7e9ee1219082a6eb76bf47ac2
-
wibucmJNI.dll
- Size
- 184KiB (188424 bytes)
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- a1d0f8e759492905c7edce88ab91cbdf
- SHA1
- 08a415f7153a377698ec4fc3ff0be3b1e82b5b11
- SHA256
- 563acea48f5aab31fb9132907b8fe5dfc29f6fa26af04c962cfe1f569b47c038
-
_isdecmp.dll
- Size
- 19KiB (19456 bytes)
- Runtime Process
- SetupGasTurb13Trial.tmp (PID: 2832)
- MD5
- 3adaa386b671c2df3bae5b39dc093008
- SHA1
- 067cf95fbdb922d81db58432c46930f86d23dded
- SHA256
- 71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38
-
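The dropped-file listing above is what an analyst normally turns into a hash set for retro-hunting, but it should be checked before use: digests must be well-formed, entries with AV hits deserve a second look, and the sandbox's file-type heuristic can misfire (the two .msi packages are labelled rtf although they are OLE2 compound documents). The Python below is an added example, not Hybrid Analysis tooling: it parses entries in the layout shown on this page, validates the digests, flags AV hits and extension/type mismatches, and builds a hunt set. The two-entry excerpt is copied from the list above; the extension-to-type table is my assumption for the check.

```python
"""Hybrid Analysis 'dropped files' listing -> IOC records with sanity checks. Added example,
not Hybrid Analysis tooling; assumes the layout above (name, then "- Key"/"- Value" pairs)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt: two entries copied from the listing above.
SAMPLE_REPORT = """\
CodeMeter.exe
- Size
- 4.6MiB (4817384 bytes)
- Type
- peexe executable
- AV Scan Result
- 0/81
- Runtime Process
- CodeMeterRuntime.exe (PID: 3264)
- MD5
- 25aaec4aa9cf6b016b3d6d3b16d37db5
- SHA1
- 43b5caa686359fa45404d42a495cd4942fd2b20c
- SHA256
- 5bd05541d4f02a451fda32aedc0a39d4615767905c1d811b04d93f8d5f587663
-
CodeMeterRuntime64.msi
- Size
- 5MiB (5236548 bytes)
- Type
- rtf
- MD5
- 336fda9b7c2040bf13826c56b6d8e9fb
- SHA1
- ce6926a54ec9f29edd8e595cbd0e5a88b4712368
- SHA256
- 990dc978725d657870cbb1eef7f59add49adcb3294632f129f6c4ac14f864c37
-
"""

HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
# First token of the report's "Type" field expected per extension (my assumption for the
# check); an .msi is an OLE2 compound document, so a "rtf" label on one is a misfire.
EXPECTED_TYPE = {".exe": {"peexe"}, ".dll": {"pedll"}, ".lnk": {"lnk"},
                 ".swf": {"flash"}, ".msi": {"msi", "ole2", "cdf"}}
FIELD = {"Type": "type_", "Runtime Process": "process",
         "MD5": "md5", "SHA1": "sha1", "SHA256": "sha256"}

@dataclass
class DroppedFile:
    name: str
    size_bytes: Optional[int] = None
    type_: Optional[str] = None
    process: Optional[str] = None
    av_hits: Optional[int] = None      # None when the report shows no AV result
    av_engines: Optional[int] = None
    md5: Optional[str] = None
    sha1: Optional[str] = None
    sha256: Optional[str] = None

def parse_dropped_files(text: str) -> list:
    entries = []
    for block in re.split(r"(?m)^-[ \t]*$", text):          # entries end with a bare "-"
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        entry = DroppedFile(name=lines[0])
        cells = [ln[2:] if ln.startswith("- ") else ln for ln in lines[1:]]
        for key, value in zip(cells[0::2], cells[1::2]):   # "- Key" followed by "- Value"
            if key == "Size":
                m = re.search(r"\((\d+) bytes\)", value)
                entry.size_bytes = int(m.group(1)) if m else None
            elif key == "AV Scan Result":                  # e.g. "0/81"
                entry.av_hits, entry.av_engines = (int(x) for x in value.split("/"))
            elif key in FIELD:
                setattr(entry, FIELD[key], value)
        entries.append(entry)
    return entries

def validate(entry: DroppedFile) -> list:
    """Findings to resolve before the record goes into a hunt list."""
    findings = []
    for algo, n in HEX_LEN.items():
        digest = getattr(entry, algo)
        if digest is None or not re.fullmatch(rf"[0-9a-f]{{{n}}}", digest):
            findings.append(f"{algo}: missing or malformed")
    if entry.av_hits:
        findings.append(f"av: {entry.av_hits}/{entry.av_engines} engines flagged it")
    ext = ("." + entry.name.rsplit(".", 1)[-1].lower()) if "." in entry.name else ""
    if entry.type_ and ext in EXPECTED_TYPE and entry.type_.split()[0] not in EXPECTED_TYPE[ext]:
        findings.append(f"type: '{entry.type_}' does not match extension {ext}")
    return findings

def hash_set(entries, algo: str = "sha256") -> set:
    """Digests fit for retro-hunting (EDR, proxy logs); records with a bad digest are skipped."""
    return {getattr(e, algo) for e in entries
            if not any(f.startswith(algo) for f in validate(e))}

if __name__ == "__main__":
    print(*(f"{e.name}: {validate(e) or 'ok'}" for e in parse_dropped_files(SAMPLE_REPORT)), sep="\n")
```

Feed the whole dropped-files section of a report to parse_dropped_files and review validate output before exporting hash_set; a type mismatch is not a sign of malice by itself, but it tells you the sandbox's classification for that file cannot be relied on and the file should be identified by hand.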
Notifications
-
Runtime
- Although all strings were processed, some are hidden from the report in order to reduce the overall size
- Network whitenoise filtering was applied
- No static analysis parsing on sample was performed
- Not all IP/URL string resources were checked online
- Not all created files are visible for CodeMeterRuntime.exe (PID: 3264)
- Not all file accesses are visible for CodeMeterRuntime.exe (PID: 3264)
- Not all file accesses are visible for GasTurb13.exe (PID: 3748)
- Not all file accesses are visible for MSIB77A.tmp (PID: 3864)
- Not all file accesses are visible for MSICC5B.tmp (PID: 3564)
- Not all file accesses are visible for SetupGasTurb13Trial.exe (PID: 2104)
- Not all file accesses are visible for SetupGasTurb13Trial.tmp (PID: 2832)
- Not all file accesses are visible for msiexec.exe (PID: 2676)
- Not all file accesses are visible for net.exe (PID: 632)
- Not all file accesses are visible for net1.exe (PID: 2632)
- Not all sources for indicator ID "api-25" are available in the report
- Not all sources for indicator ID "api-4" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "api-6" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "binary-1" are available in the report
- Not all sources for indicator ID "binary-10" are available in the report
- Not all sources for indicator ID "binary-16" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "static-0" are available in the report
- Not all sources for indicator ID "static-1" are available in the report
- Not all sources for indicator ID "static-18" are available in the report
- Not all sources for indicator ID "static-6" are available in the report
- Not all sources for indicator ID "string-64" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report