InterfaceDesigner_8.0.11.exe
This report is generated from a file or URL submitted to this webservice on November 27th 2017 13:00:49 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v7.20 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
- Reads terminal service related keys (often RDP related)
- Persistence
- Writes data to a remote process
- Fingerprint
- Reads the active computer name
- Reads the cryptographic machine GUID
- Spreading
- Opens the MountPointManager (often used to detect additional infection locations)
Indicators
-
Malicious Indicators 2
-
Installation/Persistence
-
Scans for the windows taskbar (often used for explorer injection)
- details
- "<Input Sample>" searching for class "Shell_TrayWnd"
- source
- API Call
- relevance
- 5/10
-
Writes data to a remote process
- details
- "<Input Sample>" wrote 1500 bytes to a remote process "%TEMP%\7ZipSfx.000\setup.exe" (Handle: 632)
- "<Input Sample>" wrote 4 bytes to a remote process "%TEMP%\7ZipSfx.000\setup.exe" (Handle: 632)
- "<Input Sample>" wrote 32 bytes to a remote process "%TEMP%\7ZipSfx.000\setup.exe" (Handle: 632)
- "<Input Sample>" wrote 52 bytes to a remote process "%TEMP%\7ZipSfx.000\setup.exe" (Handle: 632)
- "setup.exe" wrote 1500 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 440)
- "setup.exe" wrote 4 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 440)
- "setup.exe" wrote 32 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 440)
- "setup.exe" wrote 52 bytes to a remote process "%WINDIR%\System32\msiexec.exe" (Handle: 440)
- source
- API Call
- relevance
- 6/10
-
Suspicious Indicators 27
-
Anti-Reverse Engineering
-
Looks up many procedures within the same disassembly stream (often used to hide usage)
- details
- Found 10 calls to GetProcAddress@KERNEL32.dll
- Found 29 calls to GetProcAddress@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
PE file has unusual entropy sections
- details
- .text with unusual entropies 7.97707028467
- source
- Static Parser
- relevance
- 10/10
-
Cryptographic Related
-
Found a cryptographic related string
- details
- "DES" (Indicator: "des"; File: "_isres_0x0409.dll.873150925")
- source
- File/Memory
- relevance
- 10/10
-
Environment Awareness
-
Possibly tries to implement anti-virtualization techniques
- details
- "MWVVOuSffu+ujCPh8uSVWEWEjPPVMNEt3M;t" (Indicator: "vmnet")
- "_GetVirtualMachineType" (Indicator: "virtualmachine")
- "_IsVirtualMachine" (Indicator: "virtualmachine")
- source
- File/Memory
- relevance
- 4/10
-
Reads the cryptographic machine GUID
- details
- "setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
-
General
-
Contains ability to find and load resources of a specific module
- details
- FindResourceW@KERNEL32.dll
- FindResourceW@KERNEL32.dll
- FindResourceW@KERNEL32.dll
- FindResourceW@KERNEL32.dll
- FindResourceW@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Opened the service control manager
- details
- "msiexec.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
- "msiexec.exe" called "OpenSCManager" requesting access rights "0XE0000000L"
- source
- API Call
- relevance
- 10/10
-
Requested access to a system service
- details
- "msiexec.exe" called "OpenService" to access the "ServicesActive" service requesting "SERVICE_QUERY_STATUS" (0X4) access rights
- "msiexec.exe" called "OpenService" to access the "gpsvc" service
- "msiexec.exe" called "OpenService" to access the "WinHttpAutoProxySvc" service
- "msiexec.exe" called "OpenService" to access the "CryptSvc" service
- "msiexec.exe" called "OpenService" to access the "cryptsvc" service
- "msiexec.exe" called "OpenService" to access the "" service
- source
- API Call
- relevance
- 10/10
-
Sent a control code to a service
- details
- "msiexec.exe" called "ControlService" and sent control code "0X24" to the service "gpsvc"
- "msiexec.exe" called "ControlService" and sent control code "0XFC" to the service "gpsvc"
- "msiexec.exe" called "ControlService" and sent control code "0X400" to the service "CryptSvc"
- "msiexec.exe" called "ControlService" and sent control code "0X24" to the service "cryptsvc"
- source
- API Call
- relevance
- 10/10
-
Installation/Persistence
-
Drops executable files
- details
- "_isres_0x0409.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- "ISBEWI64.exe" has type "PE32+ executable (GUI) Intel Itanium for MS Windows"
- "ISRT.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows PECompact2 compressed"
- "ISBEWX64.exe" has type "PE32+ executable (GUI) x86-64 for MS Windows"
- "setup.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- "MSI3684.tmp" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 10/10
-
Network Related
-
Found potential IP address in binary/memory
- details
- "4.05.0.0"
- "2.9.0.0"
- "2.5.4.3"
- "2.5.4.11"
- "2.5.4.10"
- source
- File/Memory
- relevance
- 3/10
-
Remote Access Related
-
Reads terminal service related keys (often RDP related)
- details
- "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER"; Key: "TSUSERENABLED")
- source
- Registry Access
- relevance
- 10/10
-
Spyware/Information Retrieval
-
Contains ability to enumerate processes/modules/threads
- details
- CreateToolhelp32Snapshot@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 5/10
-
System Security
-
Modifies Software Policy Settings
- details
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
- "msiexec.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
- source
- Registry Access
- relevance
- 10/10
-
Modifies proxy settings
- details
- "<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- "<Input Sample>" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source
- Registry Access
- relevance
- 10/10
-
Queries sensitive IE security settings
- details
- "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source
- Registry Access
- relevance
- 8/10
-
Unusual Characteristics
-
CRC value set in PE header does not match actual value
- details
- "ISBEWI64.exe" claimed CRC 370564 while the actual is CRC 1884895
- "ISRT.dll" claimed CRC 341888 while the actual is CRC 370564
- "ISBEWX64.exe" claimed CRC 181328 while the actual is CRC 341888
- "setup.exe" claimed CRC 4132912 while the actual is CRC 181328
- "MSI3684.tmp" claimed CRC 350598 while the actual is CRC 4132912
- source
- Static Parser
- relevance
- 10/10
-
Entrypoint in PE header is within an uncommon section
- details
- "ISBEWI64.exe" has an entrypoint in section ".rdata"
- "ISRT.dll" has an entrypoint in section ".rsrc"
- source
- Static Parser
- relevance
- 10/10
-
Imports suspicious APIs
- details
- GetVersionExA, GetModuleFileNameA, LoadLibraryA, UnhandledExceptionFilter, GetCommandLineA, GetProcAddress, GetModuleHandleA, WriteFile, GetStartupInfoA, OutputDebugStringA, TerminateProcess, Sleep, VirtualAlloc, RegCreateKeyExW, RegDeleteValueW, RegCloseKey, RegEnumKeyExW, RegOpenKeyExW, RegDeleteKeyW, GetModuleFileNameW, IsDebuggerPresent, LoadLibraryExW, CreateThread, LoadLibraryW, GetTickCount, GetStartupInfoW, CreateFileA, GetCommandLineW, GetModuleHandleW, FindResourceW, GetModuleFileNameExW, ShellExecuteW, OutputDebugStringW, GetModuleHandleExW, CreateFileW, RegCreateKeyW, RegEnumKeyW, SetSecurityDescriptorDacl, OpenProcessToken, RegOpenKeyW, GetDriveTypeW, GetFileAttributesW, GetThreadContext, FindResourceExW, CopyFileW, LoadLibraryExA, ExitThread, CreateToolhelp32Snapshot, GetVersionExW, VirtualProtect, GetFileSize, WriteProcessMemory, OpenProcess, CreateDirectoryW, DeleteFileW, VirtualProtectEx, GetTempFileNameW, CreateFileMappingW, FindNextFileW, FindFirstFileW, Process32NextW, LockResource, Process32FirstW, MapViewOfFile, GetTempPathW, CreateProcessW, ShellExecuteExW, FindWindowExW, FindWindowW
- source
- Static Parser
- relevance
- 1/10
-
Installs hooks/patches the running process
- details
- "msiexec.exe" wrote bytes "4053257758582677186a2677653c27770000000000bf6b750000000056cc6b75000000007cca6b750000000037683f756a2c2777d62d27770000000020693f750000000029a66b7500000000a48d3f7500000000f70e6b7500000000" to virtual address "0x77411000" (part of module "NSI.DLL")
- source
- Hook Detection
- relevance
- 10/10
-
Reads information about supported languages
- details
- "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- "setup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- "msiexec.exe" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALENAME")
- source
- Registry Access
- relevance
- 3/10
-
Hiding 6 Suspicious Indicators
-
Informative 23
-
Anti-Reverse Engineering
-
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
- SetUnhandledExceptionFilter@KERNEL32.dll
- SetUnhandledExceptionFilter@KERNEL32.dll
- SetUnhandledExceptionFilter@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Environment Awareness
-
Contains ability to query machine time
- details
- GetLocalTime@KERNEL32.dll
- GetLocalTime@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the machine timezone
- details
- GetTimeZoneInformation@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the machine version
- details
- GetVersionExA@KERNEL32.dll
- GetVersionExW@KERNEL32.dll
- GetVersionExW@KERNEL32.dll
- GetVersionExW@KERNEL32.dll
- GetVersion@KERNEL32.dll
- GetVersionExW@KERNEL32.dll
- GetVersionExW@KERNEL32.dll
- GetVersionExW@KERNEL32.dll
- GetVersionExW@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the system locale
- details
- EnumSystemLocalesA@KERNEL32.dll
- GetUserDefaultLCID@KERNEL32.dll
- EnumSystemLocalesA@KERNEL32.dll
- EnumSystemLocalesA@KERNEL32.dll
- EnumSystemLocalesW@KERNEL32.dll
- EnumSystemLocalesW@KERNEL32.dll
- EnumSystemLocalesW@KERNEL32.dll
- GetUserDefaultLCID@KERNEL32.dll
- GetUserDefaultLCID@KERNEL32.dll
- GetUserDefaultLCID@KERNEL32.dll
- EnumSystemLocalesW@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Makes a code branch decision directly after an API that is environment aware
- details
- Found API call GetVersion@KERNEL32.dll (Target: "setup.exe.3961560665"; Stream UID: "9504-11109-00475CCC") which is directly followed by "cmp eax, 80000000h" and "jbe 004760BCh". See related instructions: "...
+952 call dword ptr [004EC1A0h] ;GetVersion
+958 cmp eax, 80000000h
+963 jbe 004760BCh" ...
- Found API call GetVersionExW@KERNEL32.dll (Target: "setup.exe.3961560665"; Stream UID: "9504-8469-0047088D") which is directly followed by "cmp dword ptr [ebp-00000108h], ebx" and "jne 0047091Ch". See related instructions: "...
+0 push ebp
+1 mov ebp, esp
+3 sub esp, 00000118h
+9 mov eax, dword ptr [0052E350h]
+14 xor eax, ebp
+16 mov dword ptr [ebp-04h], eax
+19 mov eax, dword ptr [ebp+08h]
+22 push ebx
+23 xor ecx, ecx
+25 push esi
+26 mov esi, dword ptr [ebp+0Ch]
+29 mov dword ptr [eax], ecx
+31 lea eax, dword ptr [ebp-00000118h]
+37 push eax
+38 mov dword ptr [esi], ecx
+40 mov dword ptr [ebp-00000118h], 00000114h
+50 call dword ptr [004EC1F0h] ;GetVersionExW
+56 xor ebx, ebx
+58 inc ebx
+59 cmp dword ptr [ebp-00000108h], ebx
+65 jne 0047091Ch" ...
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Possibly tries to detect the presence of a debugger
- details
- GetProcessHeap@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Reads the registry for installed applications
- details
- "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\SETUP.EXE")
- "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\SETUP.EXE")
- source
- Registry Access
- relevance
- 10/10
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
- 0/54 Antivirus vendors marked sample as malicious (0% detection rate)
- 0/41 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
General
-
Accesses Software Policy Settings
- details
- "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
- "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
- "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
- "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
- "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
- "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
- "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
- "msiexec.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "")
- source
- Registry Access
- relevance
- 10/10
-
Accesses System Certificates Settings
- details
- "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
- "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
- "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
- "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "BLOB")
- "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA"; Key: "BLOB")
- "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
- "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
- "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\109F1CAED645BB78B3EA2B94C0697C740733031C"; Key: "BLOB")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\D559A586669B08F46A30A133F8A9ED3D038E2EA8"; Key: "BLOB")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FEE449EE0E3965A5246F000E87FDE2A065FD89D4"; Key: "BLOB")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS\A377D1B1C0538833035211F4083D00FECC414DAB"; Key: "BLOB")
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
- "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
- source
- Registry Access
- relevance
- 10/10
-
Contains PDB pathways
- details
- "Error: %sAppGuidRegKey,EXISTINGAPPGUIDAPPGUIDSqlmsirc_RestoreAppGuidSqlmsirc_CheckAppDependencySqlmsirc_RegisterAppGuidSqlmsirc_BackupAppGuidSqlmsirc_RefCountAppGuidSqlmsirc_ValidateAppGuidSQLREDISTERRORCROSSLANGUAGEUPGRADERedist Warning: cross language is not allowed in this scenario. Setup will quit but return as successSQL Redist: Result=%d, UILevel=%d, OS LangID=%d, Msi LangID=%d, Msi Major Version=%dSQL Redist: Result=%d, UILevel=%d, OS LangID=%d, Installed LangID=%d, Installed Major Version=%d, Msi LangID=%d, Msi Major Version=%dLanguageVersionMajorSQL Redist: failed to get major version from ProductVersionSQLREDISTERRORCROSSLANGUAGEMDAC_SetLocalAccountPropertyUpgradeCodeProductVersionHDAA@)RSDSPnjOIp}sqlmsirc.pdbAA;@;@4;@A@;@8Ad;@;@;@|;@8A;@XA;@;@;@;@XA;@|A;@<@|A<@|AAAp<@X<@@<@<@A<@A<@;@<@A<@A=@X<@@<@=@A,=@HAP=@h=@HAp=@A=@P=@=@A=@AA=@=@@<@>@A>@A@>@;@X>@Ad>@8A>@=@@<@>@8A>@tA>@>@tA>@A?@>@0?@A<?@A`?@x?@A?@A?@`?@?@A?@0A?@;@@@0A@@PA4@@?@;@L@@PA\@@A@@@@A@@,A@@@@,A@@LAA@ A@LA(A@ALA@dA@AlA@"
- "A>AAA(AYA7AAf!A AEEE50P (8PX700WP `h````ppxxxx(null)(null)r%A(A)A,A@.A6@6AWdsfpca_ReleaseRefcountMsxmlAddRefcountMsxml returns the code %xWdsfpca_AddRefcountMsxmlHWA6@RSDS*I/&Swdsfpca.pdbXA0@0@XA0@4YA1@ 1@4YA(1@4YAPYAYA|1@d1@L1@1@YA1@PYA1@1@1@PYA1@YA2@d1@L1@(2@YA82@ZA\2@t2@ZA|2@<ZA2@\2@2@<ZA2@xZAZA3@2@3@ZA$3@ZAH3@3@2@`3@ZAp3@ZA[A3@3@L1@3@[A3@ZA3@1@4@ZA4@L[A@4@3@L1@X4@L[Ah4@[A4@4@[A4@[A4@4@4@[A4@\A5@05@\A85@ \A\5@5@t5@ \A5@D\A5@2@5@D\A5@d\A5@5@2@6@d\A6@\A86@5@2@P6@\A`6@_A6@6@_A6@MhM^88X8x8889,9F9]9t99990:G:q:::::::;8;`;x;UQEE]Ujhx;AdPd%jEPNh/@MMEECjjMQ dEURh/@oN}uEEPMMEEMMEMd"
- "@SunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecSetThreadStackGuarantee@@@@@@@@@@@@D@@@%@)@X@@No PendingFileRenameOperationsNo file in package listed in PendingFileRenameOperationsPENDINGFILERENAMEPendingFileRenameOperations contains:Failed to open File table. Error [1]File [2] is listed in pending file remame keySELECT `FileName` FROM `File`FilePendingFileRenameOperationsDOTNETCOREPATH12.0.50215\vEnableDotNetCheckMsiAssembly table is not present no need to check .NET FrameworkFailed to open MsiAssembly table. Error [1]No .NET Framework assembly present in MsiAssembly no need to check .NET Framework.NET Framework assemblies found in MsiAssembly need to check .NET FrameworkSELECT `Component_` FROM `MsiAssembly` WHERE `Attributes` IS NULL OR `Attributes` = 0MsiAssemblyfalsev2.0_BrowsePropertyCA_PREREQSTATUSsuccessfulCA_ERRORCOUNTCA_WARNINGCOUNTCA_SUCCESSCOUNTISDOTNET20trueAdminUserMINIMUMOSCSYSTEM\CurrentControlSet\Control\Session ManagerSOFTWARE\Microsoft\NET Framework Setup\NDP@#@@@b@k@@@@@'@@@bad exception@@_@c@5@#@Unknown exceptioncsm @@n@H@0:@RSDS-w>@zq96redistca.pdb|L8GUQMEE]UQMEME]UQME8tMR,}]UQME8tMR|EM]UQME]UQME8tMR|EE]UQ}vEWEPMQUREE]UQE}uEWW}t3Et)UEff"
- "C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb"
- "C:\CodeBases\isdev\Redist\Language Independent\i64\ISBEW64.pdb"
- "ZB&69Ssqlmsirc.pdb0PD0DpD0DXDPD0DDXE8EPD0DXExE0EE0E0XXF8FFxFFXFEFXG@G8FF`GG@GG@G HG@HXHpHHFHHp(IEHIp`IIHFIIPJ0JP@JxJJJJJKK PKJpK KPK0DKPKx0LK0DPLxpLLLL(M0M(@MXxMMXMMNNLD$HT$HL$H8H|$Hv"
"<3c0ah%@ESZ@$@PRY8501252ParaguayUruguayChileEcuadorArgentinaPeruColombiaVenezuelaDominican RepublicSouth AfricaPanamaLuxembourgCosta RicaSwitzerlandGuatemalaCanadaSpanish - Modern SortAustraliaEnglishAustriaGermanBelgiumMexicoSpanishBasqueSwedenSwedishIcelandIcelandicFranceFrenchFinlandFinnishSpainSpanish - Traditional Sort6-x(@USAp(@GBRh(@CHN`(@CZEX(@GBRH(@GBR@(@NLD0(@HKG (@NZL(@NZL(@CHN(@CHN'@PRI'@SVK'@ZAF'@KOR'@ZAF'@KOR'@TTO,@GBR'@GBRp'@USA,@USAunited-statesunited-kingdomtrinidad & tobagosouth-koreasouth-africasouth koreasouth africaslovakpuerto-ricopr-chinapr chinanznew-zealandhong-konghollandgreat britainenglandczechchinabritainamerica(1@ENU1@ENU0@ENU0@ENA0@NLB0@ENC0@ZHH0@ZHI0@CHS0@ZHH0@CHSx0@ZHI`0@CHTP0@NLB80@ENU(0@ENA0@ENL0@ENC/@ENB/@ENI/@ENJ/@ENZ/@ENS/@ENTx/@ENGh/@ENUX/@ENUH/@FRB8/@FRC /@FRL/@FRS/@DEA.@DEC.@DEL.@DES.@ENI.@ITS.@NORx.@NOR`.@NONH.@PTB0.@ESS .@ESB.@ESL-@ESO-@ESC-@ESD-@ESF-@ESE-@ESGh-@ESHX-@ESMH-@ESN0-@ESI -@ESA-@ESZ,@ESR,@ESU,@ESY,@ESV,@SVF,@DES,@ENG,@ENU,@ENUusausukswissswedish-finlandspanish-venezuelaspanish-uruguayspanish-puerto ricospanish-peruspanish-paraguayspanish-panamaspanish-nicaraguaspanish-modernspanish-mexicanspanish-hondurasspanish-guatemalaspanish-el salvadorspanish-ecuadorspanish-dominican republicspanish-costa ricaspanish-colombiaspanish-chilespanish-boliviaspanish-argentinaportuguese-braziliannorwegian-nynorsknorwegian-bokmalnorwegianitalian-swissirish-englishgerman-swissgerman-luxembourggerman-lichtensteingerman-austrianfrench-swissfrench-luxembourgfrench-canadianfrench-belgianenglish-usaenglish-usenglish-ukenglish-trinidad y tobagoenglish-south africaenglish-nzenglish-jamaicaenglish-ireenglish-caribbeanenglish-canenglish-belizeenglish-ausenglish-americandutch-belgianchinese-traditionalchinese-singaporechinese-simplifiedchinese-hongkongchinesechichhcanadianbelgianaustralianamerican-englishamerican englishamericanOCPACPNorwegian-Nynorsk ((((( H h(((( H 
HInitializeCriticalSectionAndSpinCountGetProcessWindowStationGetUserObjectInformationAGetLastActivePopupGetActiveWindowMessageBoxAuser32.dllSunMonTueWedThuFriSatJanFebMarAprMayJunJulAugSepOctNovDecSetThreadStackGuaranteeNo PendingFileRenameOperationsNo file in package listed in PendingFileRenameOperationsPENDINGFILERENAMEPendingFileRenameOperations contains:Failed to open File table. Error [1]File [2] is listed in pending file remame keySELECT `FileName` FROM `File`FilePendingFileRenameOperationsDOTNETCOREPATH12.0.50215\vEnableDotNetCheckMsiAssembly table is not present no need to check .NET FrameworkFailed to open MsiAssembly table. Error [1]No .NET Framework assembly present in MsiAssembly no need to check .NET Framework.NET Framework assemblies found in MsiAssembly need to check .NET FrameworkSELECT `Component_` FROM `MsiAssembly` WHERE `Attributes` IS NULL OR `Attributes` = 0MsiAssemblyfalsev2.0_BrowsePropertyCA_PREREQSTATUSsuccessfulCA_ERRORCOUNTCA_WARNINGCOUNTCA_SUCCESSCOUNTISDOTNET20trueAdminUserMINIMUMOSCSYSTEM\CurrentControlSet\Control\Session ManagerSOFTWARE\Microsoft\NET Framework Setup\NDPRSDSWi[NgJredistca.pdbHL$HD$HD$T$HL$HD$L$HD$HL$H(HD$08tHD$0H(T$HL$H(HD$08tHD$0HD$0L$8H(HL$HD$HL$H(HD$08tHD$0UHD$0HD$0H(LD$HT$HL$H8H|$Hv"
- source
- File/Memory
- relevance
- 1/10
-
Creates a writable file in a temporary directory
- details
- "<Input Sample>" created file "%TEMP%\7ZipSfx.000\Data1.cab"
- "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\7ZipSfx.000\Kronos Workforce Integration Manager - Interface Designer.msi"
- "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\7ZipSfx.000\ISSetupPrerequisites\{726F97A8-63B9-4A58-ACFB-B8A56B383740}\msxml6_x64.msi"
- "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\7ZipSfx.000\ISSetupPrerequisites\{726F97A8-63B9-4A58-ACFB-B8A56B383740}\msxml6_x64.msi"
- "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\7ZipSfx.000\ISSetupPrerequisites\{726F97A8-63B9-4A58-ACFB-B8A56B383740}\msxml6_x86.msi"
- "<Input Sample>" created file "C:\Users\%USERNAME%\AppData\Local\Temp\7ZipSfx.000\setup.exe"
- "setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\_MSI5166._IS"
- "setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{08680709-28BF-4EA1-A923-D9DB6E808A61}\Setup.INI"
- "setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{08680709-28BF-4EA1-A923-D9DB6E808A61}\_ISMSIDEL.INI"
- "setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{08680709-28BF-4EA1-A923-D9DB6E808A61}\0x0409.ini"
- "setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\~E2C1.tmp"
- "setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\~E2CC.tmp"
- "setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{08680709-28BF-4EA1-A923-D9DB6E808A61}\MSXML 6.0 SP1 (x64).prq"
- "setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\7ZipSfx.000\setup.exe"
- "setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\issE364.tmp"
- "setup.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\{A893EC99-B362-4025-ACCA-27D9CF7248FD}\IsConfig.ini"
- source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
- "\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
- "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
- "\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
- "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
- "Local\ZoneAttributeCacheCounterMutex"
- "Local\ZonesCacheCounterMutex"
- "Local\ZonesCounterMutex"
- "Local\ZonesLockedCacheCounterMutex"
- "\Sessions\1\BaseNamedObjects\Global\MSILOG_1e5b34f01d367c3GOL.967f2ISM_pmeT_lacoL_ataDppA_vhXB76n_sresU_:C"
- source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "_isres_0x0409.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- Antivirus vendors marked dropped file "ISBEWI64.exe" as clean (type is "PE32+ executable (GUI) Intel Itanium for MS Windows")
- Antivirus vendors marked dropped file "Kronos Workforce Integration Manager - Interface Designer.msi" as clean (type is "Composite Document File V2 Document Little Endian O%WINDIR%\Version 6.1 MSI Installer Number of Characters: 0 Last Saved By: InstallShield Number of Words: 0 Title: Installation Database Comments: Contact: Your local administrator Keywords: InstallerMSIDatabase Subject: Workforce Integration Manager - Interface Designer Author: Kronos Incorporated Security: 1 Number of Pages: 200 Name of Creating Application: InstallShield 2014 - Professional Edition 21 Last Saved Time/Date: Mon Jun 27 09:55:58 2016 Create Time/Date: Mon Jun 27 09:55:58 2016 Last Printed: Mon Jun 27 09:55:58 2016 Revision Number: {EC2B1DF8-E1FC-48CB-A85F-F234790BB97D} Code page: 1252 Template: Intel;1033")
- Antivirus vendors marked dropped file "ISRT.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows PECompact2 compressed")
- Antivirus vendors marked dropped file "ISBEWX64.exe" as clean (type is "PE32+ executable (GUI) x86-64 for MS Windows")
- Antivirus vendors marked dropped file "msxml6_x86.msi" as clean (type is "Composite Document File V2 Document Little Endian Os: Windows Version 5.2 MSI Installer Code page: 1252 Title: Installation Database Subject: MSXML 6.0 Parser and SDK Author: Microsoft Corporation Keywords: MDAC XML XSD XSL XDR SDK Comments: MSXML 6.0 Parser and SDK Template: Intel;1033 Create Time/Date: Mon Dec 4 23:27:27 2006 Last Saved Time/Date: Mon Dec 4 23:27:27 2006 Number of Pages: 300 Number of Words: 2 Name of Creating Application: Windows Installer XML (candle/light) Security: 1 Revision Number: {FC7047ED-3F6E-4A59-B7D7-AF7D9A869261}")
- Antivirus vendors marked dropped file "msxml6_x64.msi" as clean (type is "Composite Document File V2 Document Little Endian Os: Windows Version 5.2 MSI Installer Code page: 1252 Title: Installation Database Subject: MSXML 6.0 Parser and SDK Author: Microsoft Corporation Keywords: MDAC XML XSD XSL XDR SDK Comments: MSXML 6.0 Parser and SDK Template: AMD64;1033 Create Time/Date: Tue Dec 5 02:21:03 2006 Last Saved Time/Date: Tue Dec 5 02:21:03 2006 Number of Pages: 300 Number of Words: 2 Name of Creating Application: Windows Installer XML (candle/light) Security: 1 Revision Number: {6A3B8AE9-3F13-4302-A5AE-C51A0BA1592E}")
- Antivirus vendors marked dropped file "setup.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
- Antivirus vendors marked dropped file "MSI3684.tmp" as clean (type is "PE32 executable (DLL) (console) Intel 80386 for MS Windows")
- source
- Binary File
- relevance
- 10/10
-
Process launched with changed environment
- details
-
Process "setup.exe" was launched with new environment variables: "7zSfxString13="Could not delete file or folder "%s".", 7zSfxString15="Could not find "setup.exe".", 7zSfxString12="Could not create folder "%s".", 7zSfxFolder05="C:\Users\%USERNAME%\Documents", 7zSfxFolder28="C:\Users\%USERNAME%\AppData\Local", 7zSfxString7="Could not open archive file "%s".", 7zSfxFolder00="C:\Users\%USERNAME%\Desktop", 7zSfxString31="Could not overwrite file "%s".", 7zSfxFolder42="C:\Program Files", CommonDocuments="C:\Users\%USERNAME%\Documents", 7zSfxFolder56="C:\Windows\resources", 7zSfxString43="Insufficient physical memory.", 7zSfxString14="Could not find command for "%s".", 7zSfxFolder08="C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent", 7zSfxString33="7-Zip: Internal error
code 0x%08X.", 7zSfxString26="Cancel", 7zSfxFolder40="C:\Users\%USERNAME%\Users\n67BXhv\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup", 7zSfxFolder34="C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History", CommonDesktop="C:\Users\%USERNAME%\Desktop", 7zSfxString11="Error in line %d of configuration data:", 7zSfxFolder20="C:\Windows\Fonts", 7zSfxFolder22="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu", 7zSfxFolder54="C:\Users\%USERNAME%\Pictures", MyDocuments="C:\Users\%USERNAME%\Documents", 7zSfxString21="Extraction path", 7zSfxString19="7-Zip: Data error.", 7zSfxFolder37="C:\Windows\system32", 7zSfxFolder32="C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files", 7zSfxFolder02="C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs", 7zSfxFolder59="C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Burn\Burn", 7zSfxFolder41="C:\Windows\system32", 7zSfxString1="SFX module - Copyright (c) 2005-2012 Oleg Scherbakov", 7zSfxFolder27="C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Printer Shortcuts", UserDesktop="C:\Users\%USERNAME%\Desktop", 7zSfxString36="Next", 7zSfxString30="Could not create file "%s".", 7zSfxString27="Yes", 7zSfxFolder26="C:\Users\%USERNAME%\AppData\Roaming", 7zSfxString41=": warning", 7zSfxFolder44="C:\Program Files\Common Files", 7zSfxString4=": error", 7zSfxString6="Could not get SFX filename.", 7zSfxFolder06="C:\Users\%USERNAME%\Favorites", 7zSfxFolder46="C:\Users\%USERNAME%\Documents", 7zSfxString16="Error during execution "%s".", 7zSfxString2="7z SFX", 7zSfxString40="7z SFX: warning", 7zSfxString24="No "HelpText" in the configuration file.", 7zSfxFolder21="C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Templates", 7zSfxFolder35="C:\ProgramData", 7zSfxString18="7-Zip: CRC error.", 7zSfxString29=" s", 7zSfxFolder55="C:\Users\%USERNAME%\Videos", 7zSfxFolder47="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools", 7zSfxString3="7z SFX: error", 
7zSfxFolder43="C:\Program Files\Common Files", 7zSfxFolder16="C:\Users\%USERNAME%\Desktop", 7zSfxFolder09="C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\SendTo", 7zSfxString25="OK", 7zSfxFolder31="C:\Users\%USERNAME%\Favorites", 7zSfxString23="Really cancel the installation?", 7zSfxFolder48="C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools", 7zSfxString22="Extraction path:", 7zSfxFolder07="C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup", 7zSfxString39="Application error:", 7zSfxString34="7-Zip: Extraction error.", 7zSfxFolder53="C:\Users\%USERNAME%\Music", 7zSfxString17="7-Zip: Unsupported method.", 7zSfxString20="7-Zip: Internal error
code %u.", 7zSfxFolder23="C:\ProgramData\Microsoft\Windows\Start Menu\Programs", 7zSfxString38="Cancel", MyDocs="C:\Users\%USERNAME%\Documents", 7zSfxString35="Back", 7zSfxFolder38="C:\Program Files", 7zSfxFolder30="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup", 7zSfxFolder33="C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies", 7zSfxFolder14="C:\Users\%USERNAME%\Videos", 7zSfxFolder24="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup", 7zSfxString5="Extracting", 7zSfxString8="Non 7z archive.", 7zSfxString28="No", 7zSfxFolder13="C:\Users\%USERNAME%\Music", 7zSfxString32="Error in command line:", 7zSfxFolder39="C:\Users\%USERNAME%\Pictures", 7zSfxString37="Finish", 7zSfxFolder25="C:\Users\%USERNAME%\Desktop", 7zSfxFolder11="C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu", 7zSfxString42="Not enough free space for extracting.", 7zSfxFolder36="C:\Windows", 7zSfxString10="Could not write SFX configuration.", 7zSfxFolder19="C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Network Shortcuts", 7zSfxFolder45="C:\ProgramData\Microsoft\Windows\Templates", 7zSfxString9="Could not read SFX configuration or configuration not found.""
Process "msiexec.exe" (Show Process) was launched with new environment variables: "__PROCESS_HISTORY="C:\Users\%USERNAME%\AppData\Local\Temp\7ZipSfx.000\setup.exe"" - source
- Monitored Target
- relevance
- 10/10
-
Reads Windows Trust Settings
- details
- "msiexec.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source
- Registry Access
- relevance
- 5/10
-
Scanning for window names
- details
- "<Input Sample>" searching for class "Shell_TrayWnd"
- source
- API Call
- relevance
- 10/10
-
Spawns new processes
- details
-
Spawned process "setup.exe"
Spawned process "msiexec.exe" with commandline "/i "%TEMP%\7ZipSfx.000\Kronos Workforce Integration Manager - Interface Designer.msi" SETUPEXEDIR="%TEMP%\7ZipSfx.000" SETUPEXENAME="setup.exe"" - source
- Monitored Target
- relevance
- 3/10
-
Installation/Persistence
-
Dropped files
- details
-
"_isres_0x0409.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"ISBEWI64.exe" has type "PE32+ executable (GUI) Intel Itanium for MS Windows"
"Kronos Workforce Integration Manager - Interface Designer.msi" has type "Composite Document File V2 Document Little Endian Os: Windows Version 6.1 MSI Installer Number of Characters: 0 Last Saved By: InstallShield Number of Words: 0 Title: Installation Database Comments: Contact: Your local administrator Keywords: InstallerMSIDatabase Subject: Workforce Integration Manager - Interface Designer Author: Kronos Incorporated Security: 1 Number of Pages: 200 Name of Creating Application: InstallShield 2014 - Professional Edition 21 Last Saved Time/Date: Mon Jun 27 09:55:58 2016 Create Time/Date: Mon Jun 27 09:55:58 2016 Last Printed: Mon Jun 27 09:55:58 2016 Revision Number: {EC2B1DF8-E1FC-48CB-A85F-F234790BB97D} Code page: 1252 Template: Intel;1033"
"ISRT.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows PECompact2 compressed"
"ISBEWX64.exe" has type "PE32+ executable (GUI) x86-64 for MS Windows"
"msxml6_x86.msi" has type "Composite Document File V2 Document Little Endian Os: Windows Version 5.2 MSI Installer Code page: 1252 Title: Installation Database Subject: MSXML 6.0 Parser and SDK Author: Microsoft Corporation Keywords: MDAC XML XSD XSL XDR SDK Comments: MSXML 6.0 Parser and SDK Template: Intel;1033 Create Time/Date: Mon Dec 4 23:27:27 2006 Last Saved Time/Date: Mon Dec 4 23:27:27 2006 Number of Pages: 300 Number of Words: 2 Name of Creating Application: Windows Installer XML (candle/light) Security: 1 Revision Number: {FC7047ED-3F6E-4A59-B7D7-AF7D9A869261}"
"msxml6_x64.msi" has type "Composite Document File V2 Document Little Endian Os: Windows Version 5.2 MSI Installer Code page: 1252 Title: Installation Database Subject: MSXML 6.0 Parser and SDK Author: Microsoft Corporation Keywords: MDAC XML XSD XSL XDR SDK Comments: MSXML 6.0 Parser and SDK Template: AMD64;1033 Create Time/Date: Tue Dec 5 02:21:03 2006 Last Saved Time/Date: Tue Dec 5 02:21:03 2006 Number of Pages: 300 Number of Words: 2 Name of Creating Application: Windows Installer XML (candle/light) Security: 1 Revision Number: {6A3B8AE9-3F13-4302-A5AE-C51A0BA1592E}"
"Setup.inx" has type "data"
"setup.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"~E2CC.tmp" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"MSXML 6.0 SP1.prq" has type "XML 1.0 document ASCII text with CRLF line terminators"
"MSI3684.tmp" has type "PE32 executable (DLL) (console) Intel 80386 for MS Windows"
"0x0409.ini" has type "Little-endian UTF-16 Unicode text with very long lines with CRLF CR line terminators"
"EA618097E393409AFA316F0F87E2C202_64FBF8D4D4F0EF6C344DADAD785E7CB4" has type "data"
"Tar21BE.tmp" has type "data"
"MSXML 6.0 SP1 (x64).prq" has type "XML 1.0 document ASCII text with CRLF line terminators"
"C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE" has type "data"
"IsConfig.ini" has type "ASCII text with CRLF line terminators"
"Setup.INI" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators" - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"<Input Sample>" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"<Input Sample>" touched file "C:\Windows\Fonts\StaticCache.dat"
"<Input Sample>" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
"<Input Sample>" touched file "C:\Windows\System32\oleaccrc.dll"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"<Input Sample>" touched file "C:\Windows\System32\en-US\setupapi.dll.mui"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
"<Input Sample>" touched file "C:\Windows\System32\en-US\propsys.dll.mui"
"<Input Sample>" touched file "C:\Windows\AppPatch\sysmain.sdb"
"<Input Sample>" touched file "C:\Windows\System32\en-US\ntdll.dll.mui"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
"setup.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
"setup.exe" touched file "C:\Windows\AppPatch\AcGenral.dll"
"setup.exe" touched file "C:\Windows\System32\en-US\setupapi.dll.mui"
"setup.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
- source
- File/Memory
- relevance
- 10/10
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
-
"_isres_0x0409.dll" was detected as "Microsoft visual C++ v6.0 (Debug version)"
"ISRT.dll" was detected as "PeCompact 2.53 DLL --> BitSum Technologies"
"setup.exe" was detected as "VC8 -> Microsoft Corporation"
"MSI3684.tmp" was detected as "Borland Delphi 3.0 (???)" - source
- Static Parser
- relevance
- 10/10
-
File Details
InterfaceDesigner_8.0.11.exe
- Filename
- InterfaceDesigner_8.0.11.exe
- Size
- 26MiB (27519568 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- c730af7898ecb3316721eaefe23167b656361f7120a89547fb7f6a96394c5258
- MD5
- dfeb2d91a01a70d3b3e200292873fb87
- SHA1
- 74a543880668f337ebfdf877086f73685b2ad1dc
Classification (TrID)
- 49.9% (.EXE) Generic Win/DOS Executable
- 49.8% (.EXE) DOS Executable Generic
- 0.1% (.CEL) Autodesk FLIC Image File (extensions: flc, fli, cel)
Hybrid Analysis
Analysed 3 processes in total (System Resource Monitor).
-
Input Sample
(PID: 2884)
-
setup.exe
(PID: 2680)
- msiexec.exe /i "%TEMP%\7ZipSfx.000\Kronos Workforce Integration Manager - Interface Designer.msi" SETUPEXEDIR="%TEMP%\7ZipSfx.000" SETUPEXENAME="setup.exe" (PID: 2736)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Displaying 22 extracted file(s). The remaining 6 file(s) are available in the full version and XML/JSON reports.
-
Clean 9
-
-
msxml6_x64.msi
- Size
- 2.5MiB (2664960 bytes)
- Type
- rtf
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: MSXML 6.0 Parser and SDK, Author: Microsoft Corporation, Keywords: MDAC, XML, XSD, XSL, XDR, SDK, Comments: MSXML 6.0 Parser and SDK, Template: AMD64;1033, Create Time/Date: Tue Dec 5 02:21:03 2006, Last Saved Time/Date: Tue Dec 5 02:21:03 2006, Number of Pages: 300, Number of Words: 2, Name of Creating Application: Windows Installer XML (candle/light), Security: 1, Revision Number: {6A3B8AE9-3F13-4302-A5AE-C51A0BA1592E}
- AV Scan Result
- 0/85
- Runtime Process
- c730af7898ecb3316721eaefe23167b656361f7120a89547fb7f6a96394c5258.exe (PID: 2884)
- MD5
- 13c28b2fe578808a66c975b3c4f9082f
- SHA1
- ca0c0814a9c7024583edb997296aad7cb0a3cbf7
- SHA256
- 945d8c535758d5178d4de9063cfcba7dfa96987eaa478e0c03ba646cc7ca772f
-
msxml6_x86.msi
- Size
- 1.5MiB (1521152 bytes)
- Type
- rtf
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: MSXML 6.0 Parser and SDK, Author: Microsoft Corporation, Keywords: MDAC, XML, XSD, XSL, XDR, SDK, Comments: MSXML 6.0 Parser and SDK, Template: Intel;1033, Create Time/Date: Mon Dec 4 23:27:27 2006, Last Saved Time/Date: Mon Dec 4 23:27:27 2006, Number of Pages: 300, Number of Words: 2, Name of Creating Application: Windows Installer XML (candle/light), Security: 1, Revision Number: {FC7047ED-3F6E-4A59-B7D7-AF7D9A869261}
- AV Scan Result
- 0/82
- Runtime Process
- c730af7898ecb3316721eaefe23167b656361f7120a89547fb7f6a96394c5258.exe (PID: 2884)
- MD5
- 85a5571258de322458f288b94ee28cfb
- SHA1
- 5125220e985b33c946bbf9f60e2b222c7570bfa2
- SHA256
- efa48f8cab5a89b8e667ed3e10dfb71bddc02923d0f3757bd93ffabe6fb6c598
-
Kronos Workforce Integration Manager - Interface Designer.msi
- Size
- 4.4MiB (4564992 bytes)
- Type
- rtf
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Workforce Integration Manager - Interface Designer, Author: Kronos Incorporated, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2014 - Professional Edition 21, Last Saved Time/Date: Mon Jun 27 09:55:58 2016, Create Time/Date: Mon Jun 27 09:55:58 2016, Last Printed: Mon Jun 27 09:55:58 2016, Revision Number: {EC2B1DF8-E1FC-48CB-A85F-F234790BB97D}, Code page: 1252, Template: Intel;1033
- AV Scan Result
- 0/55
- Runtime Process
- setup.exe (PID: 2680)
- MD5
- c7ec065fa76e6a95c02a52e40dc3f94f
- SHA1
- abf4dd9634b10daa1175402ba94c7940865f7ddf
- SHA256
- 66e20dd897c60c3cc44b7eaf27d65144f966dfe53d8bc06130d1ebdf9da7db70
-
setup.exe
- Size
- 3.9MiB (4103552 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/56
- Runtime Process
- setup.exe (PID: 2680)
- MD5
- 2208d1dec81d7c1e14293f803b3fc286
- SHA1
- 37de99a0c240b162aa54df685d10ea91bffb6909
- SHA256
- d18caf3d5d4296d17b9e7fa176caac29f1317bf08418ee4de6ab49c3874a201e
-
MSI3684.tmp
- Size
- 279KiB (285512 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/78
- Runtime Process
- msiexec.exe (PID: 2736)
- MD5
- d8d98bdd606af949b6dcc2568c968137
- SHA1
- 371a92fc149ee932eaf099660a6726bdab74e690
- SHA256
- 8a424153e6a15cfa1af633b3e925a7a8a083cc620d7dea9afbdd8975361b1817
-
ISBEWI64.exe
- Size
- 323KiB (331080 bytes)
- Type
- peexe 64bits executable
- Description
- PE32+ executable (GUI) Intel Itanium, for MS Windows
- AV Scan Result
- 0/60
- Runtime Process
- setup.exe (PID: 2680)
- MD5
- 671750b16cf399f641dedac50f003f13
- SHA1
- 69d9888c65b4ebff54c25b08ca9cf76e183d5d0f
- SHA256
- 15b919cf9f62d459ec5f7a8902a5a3b213954e19224a0c1882077a4bd8cfe4e3
-
ISBEWX64.exe
- Size
- 177KiB (181064 bytes)
- Type
- peexe 64bits executable
- Description
- PE32+ executable (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/87
- Runtime Process
- setup.exe (PID: 2680)
- MD5
- 663ba0b4e639b2834c4cdbb3ca7944a2
- SHA1
- ce0d42e141a15f476cc3acca013a3975cbb78518
- SHA256
- 79282db091f3ae212b7f253c06c502c06893d1539423b2213e1d2e561d167a0d
-
ISRT.dll
- Size
- 288KiB (294728 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
- AV Scan Result
- 0/90
- Runtime Process
- setup.exe (PID: 2680)
- MD5
- f09c4167c7e7940e9a197cdef547e2c7
- SHA1
- 6ab320422012f2c546cb417a67662f35bdb109c4
- SHA256
- 387cb0f9be0dae6a2f3fe75911625a4dd66e7015429d15341302746073c85366
-
_isres_0x0409.dll
- Size
- 1.8MiB (1862088 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/59
- Runtime Process
- setup.exe (PID: 2680)
- MD5
- df9d0ca7409a2967bb338014b043a062
- SHA1
- 80eec3e7cadfc4d502adb06327111d391d43bef2
- SHA256
- 5b9656f0446680a5e92c756c7fd82dea74aa1ec05cd2fb6ebe6f8c627a43eeb7
-
-
Informative Selection 2
-
-
Setup.INI
- Size
- 5.8KiB (5976 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- setup.exe (PID: 2680)
- MD5
- b089d2b9a18b75b9b30595e9a6112196
- SHA1
- 55d107ba14ca28a694c0e9757e50c182f829db25
- SHA256
- 3b6093967990063093c90241ee3d85e39033575a1fc6b34c89f256439987f139
-
~E2C1.tmp
- Size
- 5.8KiB (5976 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- setup.exe (PID: 2680)
- MD5
- b089d2b9a18b75b9b30595e9a6112196
- SHA1
- 55d107ba14ca28a694c0e9757e50c182f829db25
- SHA256
- 3b6093967990063093c90241ee3d85e39033575a1fc6b34c89f256439987f139
-
-
Informative 11
-
-
C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE
- Size
- 398B (398 bytes)
- Runtime Process
- msiexec.exe (PID: 2736)
- MD5
- f00c7814dfdc7f643fcc523f8db1ff62
- SHA1
- 0b250b8b87704c8639672ac8895984811b402413
- SHA256
- ee0d184ccb98a255f0a169a27c19502c9ab90872568a18c1c9ce6491498656ff
-
EA618097E393409AFA316F0F87E2C202_64FBF8D4D4F0EF6C344DADAD785E7CB4
- Size
- 1.6KiB (1611 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 2736)
- MD5
- ba826b8bab038e467bbf465088002e61
- SHA1
- d4ced4ec020b7f3813464e61ab3251cf436ffb70
- SHA256
- ea30c9fc611762a8620c12ebc20dcb6463f20ffb179153c027744caa0439ba6b
-
Data1.cab
- Size
- 4MiB (4194304 bytes)
- Runtime Process
- c730af7898ecb3316721eaefe23167b656361f7120a89547fb7f6a96394c5258.exe (PID: 2884)
- MD5
- 835133c596695996976e7c0d339f33af
- SHA1
- a8c6a2c0fbbbb451e7498f8e3f7e6688fdbbe2b7
- SHA256
- 65a759fc3b5464dcda67955d13a1479c27f8a743e895d8405ef30e084785d0d5
-
Cab21BD.tmp
- Size
- 50KiB (50939 bytes)
- Runtime Process
- msiexec.exe (PID: 2736)
- MD5
- 41f958d2d3e9ed4504b6a8863fd72b49
- SHA1
- f6d380b256b0e66ef347adc78195fd0f228b3e33
- SHA256
- c929701c67a05f90827563eedccf5eba8e65b2da970189a0371f28cd896708b8
-
Tar21BE.tmp
- Size
- 118KiB (120573 bytes)
- Type
- data
- Runtime Process
- msiexec.exe (PID: 2736)
- MD5
- 179d2951034116b184198e0bf26daa47
- SHA1
- b76bf79e7fa15491075c3bd9ec569e1c8540174b
- SHA256
- 7e58975a4e1e86940f84e744709426939b85ae174dbbf020da3c893a54fd1da2
-
issE364.tmp
- Size
- 1.5MiB (1528004 bytes)
- Runtime Process
- setup.exe (PID: 2680)
- MD5
- dacaf5655db343ff593222e31e575e06
- SHA1
- 5a9830531a0d4f42f206724dd5a81884b4fd006b
- SHA256
- b848fa82742659a190d808d4089ef44f64d15309eb68455ceee91f1afe197e2f
-
0x0409.ini
- Size
- 22KiB (22492 bytes)
- Type
- text
- Description
- Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
- Runtime Process
- setup.exe (PID: 2680)
- MD5
- be345d0260ae12c5f2f337b17e07c217
- SHA1
- 0976ba0982fe34f1c35a0974f6178e15c238ed7b
- SHA256
- e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3
-
MSXML 6.0 SP1 (x64).prq
- Size
- 1.3KiB (1307 bytes)
- Type
- text
- Description
- XML 1.0 document, ASCII text, with CRLF line terminators
- Runtime Process
- setup.exe (PID: 2680)
- MD5
- e21ab7266419fb36e84958bfe9a77bcd
- SHA1
- f30dbce9303ed023de255781ebe368e824f3ea49
- SHA256
- b5bec692c146599c8f398aeecb6ab60f76b248f34a480f30e334a5a9f2eee2c4
-
MSXML 6.0 SP1.prq
- Size
- 1.4KiB (1449 bytes)
- Type
- text
- Description
- XML 1.0 document, ASCII text, with CRLF line terminators
- Runtime Process
- setup.exe (PID: 2680)
- MD5
- 8a768768de69767be3c35c9bf5c2890e
- SHA1
- cf66aad86f3e9b4f96fd0c582e770aa831ca5c56
- SHA256
- e5bfb83faadd5b2a5ad51961b685aaf1e41918ef03d9f8ba3cd21858ac15a3eb
-
_ISMSIDEL.INI
- Size
- 2.6KiB (2632 bytes)
- Runtime Process
- setup.exe (PID: 2680)
- MD5
- 9530031bfb834bf340ba5830b0056dc3
- SHA1
- fd9e75db4ae9c704d53d5bcce6af2e4e37e6eb2c
- SHA256
- 8046b86b5b1c997daf52fa4824ee4a96c9d241ece0640c4723105fe7248b0442
-
Setup.inx
- Size
- 290KiB (296980 bytes)
- Type
- data
- Runtime Process
- setup.exe (PID: 2680)
- MD5
- dea782334b582f9e7a0b9ac8c5c6af7d
- SHA1
- dcbbd44c3a9429df642205333d1423cc5f827029
- SHA256
- 399186bbf92a88913c4e696a00b4924f08a00a98c57c03dac860d1d4b6187d38
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Although all strings were processed, some are hidden from the report to reduce its overall size
- No static analysis parsing on sample was performed
- Not all IP/URL string resources were checked online
- Not all sources for signature ID "api-4" are available in the report
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "binary-0" are available in the report
- Not all sources for signature ID "registry-17" are available in the report
- Not all sources for signature ID "registry-18" are available in the report
- Not all sources for signature ID "registry-19" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)