setup.exe
This report is generated from a file or URL submitted to this webservice on October 10th 2017 11:39:38 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v7.00 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
- Reads terminal service related keys (often RDP related)
- Persistence
- Writes data to a remote process
- Fingerprint
- Reads the active computer name
- Reads the cryptographic machine GUID
Additional Context
Related Sandbox Artifacts
- Associated URLs
-
saturn.installshield.com/product/fnc/1101/agentupdate/60culveragentupdate/setup.exe
hxxp://saturn.installshield.com/product/fnc/1101/agentupdate/60culveragentupdate/setup.exe
Indicators
-
Malicious Indicators 1
-
Installation/Persistence
-
Writes data to a remote process
- details
-
"<Input Sample>" wrote 1500 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 364)
"<Input Sample>" wrote 4 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 364)
"<Input Sample>" wrote 32 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 364)
"<Input Sample>" wrote 52 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 364)
- source
- API Call
- relevance
- 6/10
-
Suspicious Indicators 12
-
Anti-Reverse Engineering
-
PE file has unusual entropy sections
- details
- .rsrc with unusual entropies 7.4438787242
- source
- Static Parser
- relevance
- 10/10
-
Cryptographic Related
-
Found a cryptographic related string
- details
- "DES" (Indicator: "des"; File: "060120e426a0c5f08c8509032f09e3b7502bdebd39321189fd56f913f22030ce.exe.bin")
- source
- File/Memory
- relevance
- 10/10
-
Environment Awareness
-
Reads the active computer name
- details
-
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source
- Registry Access
- relevance
- 5/10
-
Reads the cryptographic machine GUID
- details
-
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
-
General
-
Contains ability to find and load resources of a specific module
- details
-
FindResourceA@KERNEL32.dll
LoadResource@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Installation/Persistence
-
Contains ability to write to a remote process
- details
- WriteProcessMemory@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 8/10
-
Creates new processes
- details
- "<Input Sample>" is creating a new process (Name: "%WINDIR%\System32\msiexec.exe", Handle: 364)
- source
- API Call
- relevance
- 8/10
-
Found a string that may be used as part of an injection method
- details
- "Shell_TrayWnd" (Taskbar window class may be used to inject into explorer with the SetWindowLong method)
- source
- File/Memory
- relevance
- 4/10
-
Network Related
-
Found potential IP address in binary/memory
- details
-
"4.05.0.0"
"2.9.0.0"
"2.5.4.3"
"2.5.4.11"
"2.5.4.10"
Heuristic match: "ScriptVer=1.0.0.1"
- source
- File/Memory
- relevance
- 3/10
-
Remote Access Related
-
Reads terminal service related keys (often RDP related)
- details
- "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
- source
- Registry Access
- relevance
- 10/10
-
Unusual Characteristics
-
Imports suspicious APIs
- details
-
RegDeleteKeyA
RegCloseKey
RegCreateKeyExA
RegCreateKeyA
SetSecurityDescriptorDacl
RegOpenKeyA
OpenProcessToken
RegOpenKeyExA
RegEnumKeyA
RegEnumKeyExA
RegDeleteValueA
GetFileAttributesA
GetDriveTypeA
UnhandledExceptionFilter
GetThreadContext
FindResourceExA
GetTempPathA
WriteFile
WriteProcessMemory
CopyFileA
GetModuleFileNameA
LoadLibraryExA
CreateThread
TerminateProcess
GetTickCount
VirtualProtect
GetVersionExA
LoadLibraryA
GetStartupInfoA
GetFileSize
OpenProcess
CreateDirectoryA
DeleteFileA
VirtualProtectEx
FindFirstFileA
GetTempFileNameA
CreateFileMappingA
FindNextFileA
GetProcAddress
CreateFileA
LockResource
GetCommandLineA
MapViewOfFile
GetModuleHandleA
CreateProcessA
Sleep
FindResourceA
VirtualAlloc
ShellExecuteExA
ShellExecuteA
FindWindowA
- source
- Static Parser
- relevance
- 1/10
-
Reads information about supported languages
- details
-
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
-
Informative 16
-
Anti-Reverse Engineering
-
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
-
SetUnhandledExceptionFilter@KERNEL32.dll
SetUnhandledExceptionFilter@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Environment Awareness
-
Contains ability to query machine time
- details
-
GetLocalTime@KERNEL32.dll
GetLocalTime@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the machine timezone
- details
- GetTimeZoneInformation@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the machine version
- details
-
GetVersion@KERNEL32.dll
GetVersionExA@KERNEL32.dll
GetVersionExA@KERNEL32.dll
GetVersionExA@KERNEL32.dll
GetVersion@KERNEL32.dll
GetVersionExA@KERNEL32.dll
GetVersionExA@KERNEL32.dll
GetVersionExA@KERNEL32.dll
GetVersionExA@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the system locale
- details
-
GetUserDefaultLCID@KERNEL32.dll
EnumSystemLocalesA@KERNEL32.dll
EnumSystemLocalesA@KERNEL32.dll
EnumSystemLocalesA@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Makes a code branch decision directly after an API that is environment aware
- details
-
Found API call GetVersionExA@KERNEL32.dll (Target: "060120e426a0c5f08c8509032f09e3b7502bdebd39321189fd56f913f22030ce.exe.bin"; Stream UID: "50038-2538-004459C7")
which is directly followed by "cmp dword ptr [ebp-00000084h], 01h" and "jne 00445A42h". See related instructions: "...
+0 push ebp
+1 mov ebp, esp
+3 sub esp, 00000094h
+9 mov eax, dword ptr [ebp+08h]
+12 push esi
+13 mov esi, dword ptr [ebp+0Ch]
+16 mov dword ptr [ebp-00000094h], 00000094h
+26 and dword ptr [eax], 00000000h
+29 lea eax, dword ptr [ebp-00000094h]
+35 and dword ptr [esi], 00000000h
+38 push eax
+39 call dword ptr [0046911Ch] ;GetVersionExA
+45 cmp dword ptr [ebp-00000084h], 01h
+52 jne 00445A42h" ...
Found API call GetVersion@KERNEL32.dll (Target: "060120e426a0c5f08c8509032f09e3b7502bdebd39321189fd56f913f22030ce.exe.bin"; Stream UID: "50038-2783-0044C4B0")
which is directly followed by "cmp eax, 80000000h" and "jbe 0044CAA1h". See related instructions: "...
+1409 call dword ptr [00469174h] ;GetVersion
+1415 cmp eax, 80000000h
+1420 jbe 0044CAA1h" ...
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
- 0/55 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
General
-
Contains PDB pathways
- details
- "C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup___Win32_Release\setup.pdb"
- source
- File/Memory
- relevance
- 1/10
-
Creates a writable file in a temporary directory
- details
-
"<Input Sample>" created file "%TEMP%\_MSI5166._IS"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_is4C94.tmp"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{E13A0501-E549-4C17-935D-33083F834A44}\Setup.INI"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{E13A0501-E549-4C17-935D-33083F834A44}\_ISMSIDEL.INI"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_is4CA9.tmp"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{E13A0501-E549-4C17-935D-33083F834A44}\0x0409.ini"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_is4CD3.tmp"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\~4CD2.tmp"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_is4D1A.tmp"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{E13A0501-E549-4C17-935D-33083F834A44}\60CulverAgentUpdate.msi"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_is50AC.tmp"
"<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\~50AB.tmp"
- source
- API Call
- relevance
- 1/10
-
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "60CulverAgentUpdate.msi" as clean (type is "Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Blank Project Template, Author: InstallShield, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2009 - Premier Edition 15, Last Saved Time/Date: Tue Dec 30 12:33:23 2008, Create Time/Date: Tue Dec 30 12:33:23 2008, Last Printed: Tue Dec 30 12:33:23 2008, Revision Number: {0B3CD8B8-25D4-419A-AA37-4D62FD42CA0D}, Code page: 1252, Template: Intel;1033")
- source
- Binary File
- relevance
- 10/10
-
Loads rich edit control libraries
- details
- "msiexec.exe" loaded module "%WINDIR%\System32\riched20.dll" at 6A930000
- source
- Loaded Module
-
Spawns new processes
- details
- Spawned process "msiexec.exe" with commandline "/i "%LOCALAPPDATA%\Downloaded Installations\{0B3CD8B8-25D4-419A-AA37-4D62FD42CA0D}\60CulverAgentUpdate.msi" SETUPEXEDIR="C:" SETUPEXENAME="060120e426a0c5f08c8509032f09e3b7502bdebd39321189fd56f913f22030ce.exe""
- source
- Monitored Target
- relevance
- 3/10
-
Installation/Persistence
-
Dropped files
- details
-
"60CulverAgentUpdate.msi" has type "Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Blank Project Template, Author: InstallShield, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2009 - Premier Edition 15, Last Saved Time/Date: Tue Dec 30 12:33:23 2008, Create Time/Date: Tue Dec 30 12:33:23 2008, Last Printed: Tue Dec 30 12:33:23 2008, Revision Number: {0B3CD8B8-25D4-419A-AA37-4D62FD42CA0D}, Code page: 1252, Template: Intel;1033"
"_is4C94.tmp" has type "zlib compressed data"
"_is4D1A.tmp" has type "zlib compressed data"
"~4CD2.tmp" has type "ASCII text with CRLF line terminators"
"Setup.INI" has type "ASCII text with CRLF line terminators"
"_is4CD3.tmp" has type "zlib compressed data"
"~50AB.tmp" has type "ASCII text with CRLF line terminators"
"_is50AC.tmp" has type "zlib compressed data"
"0x0409.ini" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"_is4CA9.tmp" has type "zlib compressed data"
"_ISMSIDEL.INI" has type "ASCII text with CRLF line terminators"
- source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"<Input Sample>" touched file "%WINDIR%\Fonts\staticcache.dat"
"<Input Sample>" touched file "%WINDIR%\system32\en-US\MSCTF.dll.mui"
"<Input Sample>" touched file "%WINDIR%\system32\rsaenh.dll"
"<Input Sample>" touched file "%WINDIR%\system32\msiexec.exe"
"msiexec.exe" touched file "%ALLUSERSPROFILE%\Microsoft\Windows\Templates"
- source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
- source
- File/Memory
- relevance
- 10/10
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
- "060120e426a0c5f08c8509032f09e3b7502bdebd39321189fd56f913f22030ce.exe.bin" was detected as "Microsoft visual C++ 5.0"
- source
- Static Parser
- relevance
- 10/10
File Details
setup.exe
- Filename
- setup.exe
- Size
- 3.7MiB (3895938 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 060120e426a0c5f08c8509032f09e3b7502bdebd39321189fd56f913f22030ce
- MD5
- febf889a91cf906e64d903642b627309
- SHA1
- 61d77f0c68bf6953be5170cb517e7119ae6d1604
- ssdeep
- 98304:HSk/yPDxF27TtOltKO7hOY545BXiP6fn5zybOT:HMDy4jK0I5N4On5zybOT
- imphash
- 57655893203b140f288e4cc64da21ac1
- authentihash
- 1fca1cfe2c98c001e74c9be9cbfb040b67d6969a63cac955b64deca846837960
- Compiler/Packer
- Microsoft visual C++ 5.0
- PDB Pathway
Version Info
- LegalCopyright
- Copyright (C) 2008 Acresso Software Inc. and/or InstallShield Co. Inc. All Rights Reserved.
- InternalName
- Setup
- FileVersion
- 1.00.0000
- CompanyName
- Your Company Name
- Internal Build Number
- 82160
- ProductName
- 60CulverAgentUpdate
- ProductVersion
- 1.00.0000
- FileDescription
- Setup Launcher
- OriginalFilename
- Setup.exe
- Translation
- 0x0409 0x04b0
Classification (TrID)
- 59.0% (.EXE) Win32 Executable MS Visual C++ (generic)
- 24.8% (.SCR) Windows Screen Saver
- 8.5% (.EXE) Win32 Executable (generic)
- 3.7% (.EXE) Generic Win/DOS Executable
- 3.7% (.EXE) DOS Executable Generic
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
-
Input Sample
(PID: 2536)
- msiexec.exe /i "%LOCALAPPDATA%\Downloaded Installations\{0B3CD8B8-25D4-419A-AA37-4D62FD42CA0D}\60CulverAgentUpdate.msi" SETUPEXEDIR="C:" SETUPEXENAME="060120e426a0c5f08c8509032f09e3b7502bdebd39321189fd56f913f22030ce.exe" (PID: 2564)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
3.0.0.0 | Domain/IP reference | 50038-660-00418184 |
2.0.0.0 | Domain/IP reference | 50038-660-00418184 |
2.5.4.3 | Domain/IP reference | 50038-2715-00456D94 |
2.9.0.0 | Domain/IP reference | 50038-661-00429C32 |
2.5.4.11 | Domain/IP reference | 50038-2715-00456D94 |
2.5.4.10 | Domain/IP reference | 50038-2715-00456D94 |
49.1.9.1 | Domain/IP reference | 50038-2715-00456D94 |
Extracted Files
-
Clean 1
-
-
60CulverAgentUpdate.msi
- Size
- 1.9MiB (1959424 bytes)
- Type
- rtf
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Blank Project Template, Author: InstallShield, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2009 - Premier Edition 15, Last Saved Time/Date: Tue Dec 30 12:33:23 2008, Create Time/Date: Tue Dec 30 12:33:23 2008, Last Printed: Tue Dec 30 12:33:23 2008, Revision Number: {0B3CD8B8-25D4-419A-AA37-4D62FD42CA0D}, Code page: 1252, Template: Intel;1033
- AV Scan Result
- 0/56
- Runtime Process
- 060120e426a0c5f08c8509032f09e3b7502bdebd39321189fd56f913f22030ce.exe (PID: 2536)
- MD5
- 9129aca5305223e739369045d309e990
- SHA1
- 416250af6f9541936ed6165e90b211e751af11f2
- SHA256
- c4c4cac45748ec70fb7c958b2aa36fd52a7675a109678229a8e19b08530504b6
-
-
Informative Selection 2
-
-
Setup.INI
- Size
- 2.8KiB (2838 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- 060120e426a0c5f08c8509032f09e3b7502bdebd39321189fd56f913f22030ce.exe (PID: 2536)
- MD5
- 509d3cff1af670b612e8f41850b34c75
- SHA1
- 6731988fd3c495fbac480ccb0d6e2e26e7b4d239
- SHA256
- a6f9a92aa440e7fd8025848fd1da50f254d93aec7ec19709d4d3c07e579183c4
-
~50AB.tmp
- Size
- 2.8KiB (2838 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- 060120e426a0c5f08c8509032f09e3b7502bdebd39321189fd56f913f22030ce.exe (PID: 2536)
- MD5
- 509d3cff1af670b612e8f41850b34c75
- SHA1
- 6731988fd3c495fbac480ccb0d6e2e26e7b4d239
- SHA256
- a6f9a92aa440e7fd8025848fd1da50f254d93aec7ec19709d4d3c07e579183c4
-
-
Informative 8
-
-
_is4C94.tmp
- Size
- 1.2KiB (1186 bytes)
- Type
- data
- Description
- zlib compressed data
- Runtime Process
- 060120e426a0c5f08c8509032f09e3b7502bdebd39321189fd56f913f22030ce.exe (PID: 2536)
- MD5
- 5219e3c34c0b7c70f348cd3a219ce027
- SHA1
- dad5ad538e1e0a9207ae0065b0b6b4a1bbabe65d
- SHA256
- 70bf6f3243f74cc073bd5adcb165752cf0daa46da83452180ea0fda265e42cfa
-
_is4CA9.tmp
- Size
- 2.9KiB (3017 bytes)
- Type
- data
- Description
- zlib compressed data
- Runtime Process
- 060120e426a0c5f08c8509032f09e3b7502bdebd39321189fd56f913f22030ce.exe (PID: 2536)
- MD5
- ae10f061af304517f6e3f3157795a5b7
- SHA1
- f80822a26461dbcaf29ed0de91fd41c2bb370c44
- SHA256
- c1c419be1398addbd82f88be6c3ff810ed04b8c970ab7349b07ec11b07368043
-
_is4CD3.tmp
- Size
- 1.2KiB (1186 bytes)
- Type
- data
- Description
- zlib compressed data
- Runtime Process
- 060120e426a0c5f08c8509032f09e3b7502bdebd39321189fd56f913f22030ce.exe (PID: 2536)
- MD5
- 5219e3c34c0b7c70f348cd3a219ce027
- SHA1
- dad5ad538e1e0a9207ae0065b0b6b4a1bbabe65d
- SHA256
- 70bf6f3243f74cc073bd5adcb165752cf0daa46da83452180ea0fda265e42cfa
-
_is4D1A.tmp
- Size
- 1.5MiB (1598356 bytes)
- Type
- data
- Description
- zlib compressed data
- Runtime Process
- 060120e426a0c5f08c8509032f09e3b7502bdebd39321189fd56f913f22030ce.exe (PID: 2536)
- MD5
- 7e3814f285473a3bd01dcb94d0729267
- SHA1
- a6d4cffb917e6ba76044d4c116f8c500617c4e23
- SHA256
- 49c3e75bc2be7505283a571b2b8466206619b09bbbd7474907d99b04303a23e8
-
_is50AC.tmp
- Size
- 1.2KiB (1186 bytes)
- Type
- data
- Description
- zlib compressed data
- Runtime Process
- 060120e426a0c5f08c8509032f09e3b7502bdebd39321189fd56f913f22030ce.exe (PID: 2536)
- MD5
- 5219e3c34c0b7c70f348cd3a219ce027
- SHA1
- dad5ad538e1e0a9207ae0065b0b6b4a1bbabe65d
- SHA256
- 70bf6f3243f74cc073bd5adcb165752cf0daa46da83452180ea0fda265e42cfa
-
0x0409.ini
- Size
- 13KiB (13660 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- 060120e426a0c5f08c8509032f09e3b7502bdebd39321189fd56f913f22030ce.exe (PID: 2536)
- MD5
- 758747727e96a23c7c5a5bbb011656e4
- SHA1
- 51cc637e7eb3451d6dfa9465d949d6dfb2cd65c9
- SHA256
- bad3b2e854149df9413f06e6c1c7b7c875545393877f59b59907f6b083ce5825
-
_ISMSIDEL.INI
- Size
- 329B (329 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- 060120e426a0c5f08c8509032f09e3b7502bdebd39321189fd56f913f22030ce.exe (PID: 2536)
- MD5
- 8566dc563e3e71a65704fd1fee1d983e
- SHA1
- 2d04075167e4e090c14613d7fc6112375ce36a93
- SHA256
- 51b2649c8efadb19901eb4e309cfd43b537a7b346646dd77cc100b9d89590582
-
~4CD2.tmp
- Size
- 2.8KiB (2838 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- 060120e426a0c5f08c8509032f09e3b7502bdebd39321189fd56f913f22030ce.exe (PID: 2536)
- MD5
- 509d3cff1af670b612e8f41850b34c75
- SHA1
- 6731988fd3c495fbac480ccb0d6e2e26e7b4d239
- SHA256
- a6f9a92aa440e7fd8025848fd1da50f254d93aec7ec19709d4d3c07e579183c4
-