Planogram Management Setup v15.0.exe
This report is generated from a file or URL submitted to this webservice on October 20th 2017 16:10:55 (UTC)
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v7.00 © Hybrid Analysis
Incident Response
Risk Assessment
- Persistence
  - Modifies auto-execute functionality by setting/creating a value in the registry
  - Writes data to a remote process
- Fingerprint
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Evasive
  - References security related windows services
- Spreading
  - Opens the MountPointManager (often used to detect additional infection locations)
Indicators
Not all malicious and suspicious indicators are displayed.
-
Malicious Indicators 8
-
External Systems
-
Sample was identified as malicious by a trusted Antivirus engine
- details
- No specific details available
- source
- External System
- relevance
- 5/10
-
Sample was identified as malicious by at least one Antivirus engine
- details
- 6/56 Antivirus vendors marked sample as malicious (10% detection rate)
- source
- External System
- relevance
- 8/10
-
General
-
The analysis extracted a file that was identified as malicious
- details
- 1/92 Antivirus vendors marked dropped file "SetupResources.dll" as malicious (1% detection rate)
- source
- Binary File
- relevance
- 10/10
-
Installation/Persistence
-
Drops executable files to the Windows system directory
- details
- File type "VAX-order 68k Blit mpx/mux executable" was dropped at "%WINDIR%\Tasks\C__0d0eb5c3b88b196e2731f771468b22eec078dbd8a9a847e4c4b83569d141f342.exe.job"
- source
- Binary File
- relevance
- 7/10
-
Loads the task scheduler interface DLL
- details
- "<Input Sample>" loaded module "%WINDIR%\System32\mstask.dll" at 65F20000
- source
- Loaded Module
- relevance
- 5/10
-
Writes data to a remote process
- details
-
"<Input Sample>" wrote 1500 bytes to a remote process "%TEMP%\{980CBE9B-13ED-4DD3-9894-DE58C6C3F28E}\ReportViewer.exe" (Handle: 564)
"<Input Sample>" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\{980CBE9B-13ED-4DD3-9894-DE58C6C3F28E}\ReportViewer.exe" (Handle: 564)
"<Input Sample>" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\{980CBE9B-13ED-4DD3-9894-DE58C6C3F28E}\ReportViewer.exe" (Handle: 564)
"<Input Sample>" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\AppData\Local\Temp\{980CBE9B-13ED-4DD3-9894-DE58C6C3F28E}\ReportViewer.exe" (Handle: 564)
"<Input Sample>" wrote 1500 bytes to a remote process "C:\Windows\System32\msiexec.exe" (Handle: 452)
"<Input Sample>" wrote 4 bytes to a remote process "C:\Windows\System32\msiexec.exe" (Handle: 452)
"<Input Sample>" wrote 32 bytes to a remote process "C:\Windows\System32\msiexec.exe" (Handle: 452)
"<Input Sample>" wrote 52 bytes to a remote process "C:\Windows\System32\msiexec.exe" (Handle: 452)
"ReportViewer.exe" wrote 1500 bytes to a remote process "C:\f99cd2a5efee337f427b\Setup.exe" (Handle: 308)
"ReportViewer.exe" wrote 4 bytes to a remote process "C:\f99cd2a5efee337f427b\Setup.exe" (Handle: 308)
"ReportViewer.exe" wrote 32 bytes to a remote process "C:\f99cd2a5efee337f427b\Setup.exe" (Handle: 308)
"ReportViewer.exe" wrote 52 bytes to a remote process "C:\f99cd2a5efee337f427b\Setup.exe" (Handle: 308)
- source
- API Call
- relevance
- 6/10
-
System Security
-
References security related windows services
- details
- "wuauserv" (Indicator: "wuauserv")
- source
- File/Memory
- relevance
- 7/10
-
Unusual Characteristics
-
Contains ability to reboot/shutdown the operating system
- details
- ExitWindowsEx@USER32.dll
- source
- Hybrid Analysis Technology
- relevance
- 5/10
-
Suspicious Indicators 18
-
Anti-Detection/Stealthiness
-
Contains ability to open/control a service
- details
-
OpenServiceW@ADVAPI32.dll
ControlService@ADVAPI32.dll
- source
- Hybrid Analysis Technology
- relevance
- 8/10
-
Environment Awareness
-
Reads the active computer name
- details
-
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"ReportViewer.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"Setup.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source
- Registry Access
- relevance
- 5/10
-
Reads the cryptographic machine GUID
- details
-
"ReportViewer.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"Setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
-
General
-
Opened the service control manager
- details
-
"<Input Sample>" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
"ReportViewer.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
- source
- API Call
- relevance
- 10/10
-
Requested access to a system service
- details
-
"<Input Sample>" called "OpenService" to access the "Schedule" service
"ReportViewer.exe" called "OpenService" to access the "ClusSvc" service
"Setup.exe" called "OpenService" to access the "ServicesActive" service requesting "SERVICE_QUERY_STATUS" (0X4) access rights
"Setup.exe" called "OpenService" to access the "gpsvc" service
- source
- API Call
- relevance
- 10/10
-
Sent a control code to a service
- details
-
"Setup.exe" called "ControlService" and sent control code "0X24" to the service "gpsvc"
"Setup.exe" called "ControlService" and sent control code "0XFC" to the service "gpsvc"
- source
- API Call
- relevance
- 10/10
-
Installation/Persistence
-
Drops executable files
- details
-
"SetupResources.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"ReportViewer.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"Setup.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"SetupEngine.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"SetupUi.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"sqmapi.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"decoder.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"C__0d0eb5c3b88b196e2731f771468b22eec078dbd8a9a847e4c4b83569d141f342.exe.job" has type "VAX-order 68k Blit mpx/mux executable"
"MSIF967.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"MSI4B79.tmp" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 10/10
-
Modifies auto-execute functionality by setting/creating a value in the registry
- details
-
"<Input Sample>" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN")
"<Input Sample>" (Access type: "SETVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN"; Key: "C:\0D0EB5C3B88B196E2731F771468B22EEC078DBD8A9A847E4C4B83569D141F342.EXE"; Value: "C:\0d0eb5c3b88b196e2731f771468b22eec078dbd8a9a847e4c4b83569d141f342.exe /exenoupdates /exelang 0 /prereqs "1" ")
- source
- Registry Access
- relevance
- 8/10
-
Network Related
-
Found potential IP address in binary/memory
- details
-
"4.08.02.0134"
"15.0.0.16"
"127.0.0.1"
- source
- File/Memory
- relevance
- 3/10
-
System Security
-
Modifies Software Policy Settings
- details
-
"Setup.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"Setup.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"Setup.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"Setup.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"Setup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA")
"Setup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES")
"Setup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS")
"Setup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS")
"Setup.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"Setup.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"Setup.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"Setup.exe" (Access type: "CREATE"; Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"Setup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED")
"Setup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES")
"Setup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS")
"Setup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS")
"Setup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT")
"Setup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES")
"Setup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS")
"Setup.exe" (Access type: "CREATE"; Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS")
- source
- Registry Access
- relevance
- 10/10
-
Modifies proxy settings
- details
-
"<Input Sample>" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"<Input Sample>" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source
- Registry Access
- relevance
- 10/10
-
Queries sensitive IE security settings
- details
- "<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source
- Registry Access
- relevance
- 8/10
-
Unusual Characteristics
-
CRC value set in PE header does not match actual value
- details
-
"SetupResources.dll" claimed CRC 31810 while the actual is CRC 73541
"Setup.exe" claimed CRC 116936 while the actual is CRC 31810
"SetupResources.dll" claimed CRC 47710 while the actual is CRC 116936
"SetupResources.dll" claimed CRC 59648 while the actual is CRC 47710
"SetupEngine.dll" claimed CRC 822075 while the actual is CRC 59648
"SetupUi.dll" claimed CRC 356729 while the actual is CRC 822075
"SetupResources.dll" claimed CRC 83072 while the actual is CRC 356729
"SetupResources.dll" claimed CRC 71798 while the actual is CRC 83072
"SetupResources.dll" claimed CRC 50767 while the actual is CRC 71798
"sqmapi.dll" claimed CRC 187218 while the actual is CRC 50767
"decoder.dll" claimed CRC 147020 while the actual is CRC 187218
"SetupResources.dll" claimed CRC 56389 while the actual is CRC 147020
"SetupResources.dll" claimed CRC 31230 while the actual is CRC 56389
"SetupResources.dll" claimed CRC 61466 while the actual is CRC 31230
"SetupResources.dll" claimed CRC 26172 while the actual is CRC 61466
"MSIF967.tmp" claimed CRC 147350 while the actual is CRC 26172
- source
- Static Parser
- relevance
- 10/10
-
Imports suspicious APIs
- details
-
GetModuleFileNameW
IsDebuggerPresent
GetCommandLineW
UnhandledExceptionFilter
GetStartupInfoW
GetProcAddress
LoadLibraryW
WriteFile
GetModuleHandleW
TerminateProcess
Sleep
GetTickCount
RegCreateKeyExW
RegCloseKey
StartServiceW
SetSecurityDescriptorDacl
OpenProcessToken
RegOpenKeyExW
GetFileAttributesW
OpenFileMappingW
FindResourceExW
ConnectNamedPipe
CopyFileW
OutputDebugStringW
GetModuleFileNameA
Process32FirstW
CreateThread
DisconnectNamedPipe
CreateToolhelp32Snapshot
GetVersionExW
VirtualProtect
GetFileSize
OpenProcess
CreateDirectoryW
DeleteFileW
GetTempFileNameW
CreateFileMappingW
GetFileSizeEx
FindNextFileW
FindFirstFileW
CreateFileW
FindResourceW
Process32NextW
LockResource
GetCommandLineA
MapViewOfFile
GetFileAttributesExW
GetTempPathW
CreateProcessW
VirtualAlloc
GetWindowThreadProcessId
URLDownloadToFileW
ShellExecuteW
SetWindowsHookExW
RegOpenKeyExA
RegDeleteValueW
GetVersionExA
LoadLibraryA
GetModuleHandleA
GetStartupInfoA
ExitThread
DeleteFileA
GetTempPathA
FindFirstFileA
GetTempFileNameA
FindNextFileA
CreateProcessA
CreateFileA
- source
- Static Parser
- relevance
- 1/10
-
Reads information about supported languages
- details
-
"ReportViewer.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"msiexec.exe" (Path: "HKCU\CONTROL PANEL\INTERNATIONAL"; Key: "LOCALENAME")
- source
- Registry Access
- relevance
- 3/10
-
Hiding 3 Suspicious Indicators
-
Informative 20
-
Anti-Reverse Engineering
-
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
- SetUnhandledExceptionFilter@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Environment Awareness
-
Contains ability to query machine time
- details
-
GetSystemTimeAsFileTime@KERNEL32.dll
GetSystemTimeAsFileTime@KERNEL32.dll
GetSystemTimeAsFileTime@KERNEL32.dll
GetLocalTime@KERNEL32.dll
GetSystemTime@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the machine version
- details
-
GetVersionExW@KERNEL32.dll
GetVersionExW@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query volume size
- details
-
GetDiskFreeSpaceW@KERNEL32.dll
GetDiskFreeSpaceExW@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 3/10
-
Reads the registry for installed applications
- details
-
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\REPORTVIEWER.EXE")
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\REPORTVIEWER.EXE")
"<Input Sample>" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\0D0EB5C3B88B196E2731F771468B22EEC078DBD8A9A847E4C4B83569D141F342.EXE")
"<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\0D0EB5C3B88B196E2731F771468B22EEC078DBD8A9A847E4C4B83569D141F342.EXE")
"msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\EPM PDF WRITER")
- source
- Registry Access
- relevance
- 10/10
-
General
-
Accesses Software Policy Settings
- details
-
"Setup.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"Setup.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"Setup.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"Setup.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"Setup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"Setup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"Setup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"Setup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"Setup.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"Setup.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"Setup.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"Setup.exe" (Path: "HKCU\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"Setup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
"Setup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CERTIFICATES"; Key: "")
"Setup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CRLS"; Key: "")
"Setup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED\CTLS"; Key: "")
"Setup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT"; Key: "")
"Setup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES"; Key: "")
"Setup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CRLS"; Key: "")
"Setup.exe" (Path: "HKLM\SOFTWARE\POLICIES\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CTLS"; Key: "")
- source
- Registry Access
- relevance
- 10/10
-
Accesses System Certificates Settings
- details
-
"Setup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\MY"; Key: "")
"Setup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"Setup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"Setup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"; Key: "BLOB")
"Setup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\8AD5C9987E6F190BD6F5416E2DE44CCD641D8CDA"; Key: "BLOB")
"Setup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FF67367C5CD4DE4AE18BCCE1D70FDABD7C866135"; Key: "BLOB")
"Setup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"Setup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"Setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA"; Key: "")
"Setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES"; Key: "")
"Setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\109F1CAED645BB78B3EA2B94C0697C740733031C"; Key: "BLOB")
"Setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\D559A586669B08F46A30A133F8A9ED3D038E2EA8"; Key: "BLOB")
"Setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CERTIFICATES\FEE449EE0E3965A5246F000E87FDE2A065FD89D4"; Key: "BLOB")
"Setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS"; Key: "")
"Setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CRLS\A377D1B1C0538833035211F4083D00FECC414DAB"; Key: "BLOB")
"Setup.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\CA\CTLS"; Key: "")
"Setup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED"; Key: "")
- source
- Registry Access
- relevance
- 10/10
-
Contains PDB pathways
- details
-
"SetupResources.pdb"
"D:\BranchAI\win\Release\custact\x86\AICustAct.pdb"
"Setup.pdb"
- source
- File/Memory
- relevance
- 1/10
-
Contains ability to create named pipes for inter-process communication (IPC)
- details
- CreateNamedPipeW@KERNEL32.dll
- source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Creates a writable file in a temporary directory
- details
-
"<Input Sample>" created file "%TEMP%\{980CBE9B-13ED-4DD3-9894-DE58C6C3F28E}\ReportViewer.exe"
"Setup.exe" created file "%TEMP%\HFI971.tmp.html"
"Setup.exe" created file "%TEMP%\Setup_20171020_071433167.html"
"Setup.exe" created file "%TEMP%\Microsoft ReportViewer 2010 Redistributable_20171020_071433628.html"
"Setup.exe" created file "%TEMP%\HFIBEB.tmp.html"
"Setup.exe" created file "%TEMP%\Microsoft ReportViewer 2010 Redistributable_20171020_071433628-MSI_reportviewer_redist2010core.msi.txt"
- source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"Local\ZonesCounterMutex"
"Local\ZoneAttributeCacheCounterMutex"
"Local\ZonesCacheCounterMutex"
"Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\_MSIExecute"
"Global\MSILOG_c1abca101d349adtxt.ism.eroc0102tsider_reweivtroper_ISM-826334170_02017102_elbatubirtsideR 0102 reweiVtropeR tfosorciM_pmeT_lacoL_ataDppA_SWBUPSP_sresU_:C"
"Global\_MSIExecute"
"DBWinMutex"
- source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
-
Antivirus vendors marked dropped file "SetupResources.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "ReportViewer.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "Setup.exe" as clean (type is "PE32 executable (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "SetupEngine.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "SetupUi.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "sqmapi.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "decoder.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "reportviewer_redist2010core.msi" as clean (type is "Composite Document File V2 Document Little Endian Os: Windows Version 6.0 Code page: 1252 Title: Installation Database Subject: ReportViewer Redist for Microsoft Visual Studio 2010 Author: Microsoft Corporation Keywords: Installer Comments: This installer database contains the logic and data required to install Microsoft ReportViewer 2010 Redistributable. Template: Intel;1033 Revision Number: {F894E291-AFA6-4883-8AC2-D6A7BE150432} Create Time/Date: Fri Mar 19 05:27:40 2010 Last Saved Time/Date: Fri Mar 19 05:27:40 2010 Number of Pages: 300 Name of Creating Application: Windows Installer XML (3.5.0626.0) Security: 2 Number of Words: 2")
Antivirus vendors marked dropped file "MSIF967.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "MSI4B79.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "MSI4D0C.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "MSIE31A.tmp" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- source
- Binary File
- relevance
- 10/10
-
Loads rich edit control libraries
- details
-
"<Input Sample>" loaded module "%WINDIR%\System32\riched20.dll" at 661D0000
"msiexec.exe" loaded module "%WINDIR%\System32\riched20.dll" at 661D0000
- source
- Loaded Module
-
Process launched with changed environment
- details
-
Process "Setup.exe" was launched with new environment variables: "_SFX_CAB_SHUTDOWN_REQUEST="c:\f99cd2a5efee337f427b\$shtdwn$.req", _SFX_CAB_EXE_PARAMETERS=" /q /norestart", _SFX_CAB_EXE_PATH="c:\f99cd2a5efee337f427b", _SFX_CAB_EXE_PACKAGE="%TEMP%\{980CBE9B-13ED-4DD3-9894-DE58C6C3F28E}\ReportViewer.exe""
Process "msiexec.exe" was launched with missing environment variables: "_SFX_CAB_SHUTDOWN_REQUEST, _SFX_CAB_EXE_PARAMETERS, _SFX_CAB_EXE_PATH, _SFX_CAB_EXE_PACKAGE"
- source
- Monitored Target
- relevance
- 10/10
-
Reads Windows Trust Settings
- details
- "Setup.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source
- Registry Access
- relevance
- 5/10
-
Spawns new processes
- details
-
Spawned process "ReportViewer.exe" with commandline "/q /norestart"
Spawned process "Setup.exe" with commandline "/q /norestart"
Spawned process "msiexec.exe" with commandline "" /i "%APPDATA%\Symphony EYC\Planogram Management 15.0.0.16\install\6C3F28E\Setup.msi" /L*V "%APPDATA%\Symphony EYC\Planogram Management 15.0.0.16\Install\APM.Log" TRANSFORMS="%APPDATA%\Symphony EYC\Planogram Management 15.0.0.16\install\6C3F28E\Setup.mst" AI_SETUPEXEPATH="C:\0d0eb5c3b88b196e2731f771468b22eec078dbd8a9a847e4c4b83569d141f342.exe" SETUPEXEDIR="C:\" EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs ""
- source
- Monitored Target
- relevance
- 3/10
-
Installation/Persistence
-
Dropped files
- details
-
"SetupResources.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"ReportViewer.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"Setup.msi" has type "Composite Document File V2 Document Little Endian Os: Windows Version 6.1 Last Printed: Wed Nov 21 14:59:58 2007 Create Time/Date: Wed Nov 21 14:59:58 2007 Title: Installation Database Keywords: Installer MSI Database Last Saved Time/Date: Wed Nov 21 15:17:57 2007 Number of Pages: 200 Security: 0 Code page: 1252 Revision Number: {25E104FA-FD5A-495F-9FCE-072EB936852C} Number of Words: 0 Subject: Planogram Management Author: Symphony EYC Last Saved By: Asif Hasnain Name of Creating Application: Advanced Installer 11.0 build 55831 Template: ;1033 Comments: This installer database contains the logic and data required to install Planogram Management."
"Setup.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"Setup.mst" has type "Composite Document File V2 Document corrupt: Can't read SAT"
"Setup.x64.msi" has type "Composite Document File V2 Document Little Endian Os: Windows Version 6.1 Last Printed: Wed Nov 21 14:59:58 2007 Create Time/Date: Wed Nov 21 14:59:58 2007 Title: Installation Database Keywords: Installer MSI Database Last Saved Time/Date: Wed Nov 21 15:17:57 2007 Number of Pages: 200 Security: 0 Code page: 1252 Revision Number: {25E104FA-FD5A-495F-9FCE-072EB936852C} Number of Words: 0 Subject: Planogram Management Author: Symphony EYC Last Saved By: Asif Hasnain Name of Creating Application: Advanced Installer 11.0 build 55831 Comments: This installer database contains the logic and data required to install Planogram Management. Template: x64;1033"
"SetupEngine.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"SetupUi.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"sqmapi.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"decoder.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"reportviewer_redist2010core.msi" has type "Composite Document File V2 Document Little Endian Os: Windows Version 6.0 Code page: 1252 Title: Installation Database Subject: ReportViewer Redist for Microsoft Visual Studio 2010 Author: Microsoft Corporation Keywords: Installer Comments: This installer database contains the logic and data required to install Microsoft ReportViewer 2010 Redistributable. Template: Intel;1033 Revision Number: {F894E291-AFA6-4883-8AC2-D6A7BE150432} Create Time/Date: Fri Mar 19 05:27:40 2010 Last Saved Time/Date: Fri Mar 19 05:27:40 2010 Number of Pages: 300 Name of Creating Application: Windows Installer XML (3.5.0626.0) Security: 2 Number of Words: 2"
"C__0d0eb5c3b88b196e2731f771468b22eec078dbd8a9a847e4c4b83569d141f342.exe.job" has type "VAX-order 68k Blit mpx/mux executable"
- source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"<Input Sample>" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"<Input Sample>" touched file "C:\Windows\System32\en-US\setupapi.dll.mui"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"<Input Sample>" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
"<Input Sample>" touched file "C:\Windows\Tasks\C__0d0eb5c3b88b196e2731f771468b22eec078dbd8a9a847e4c4b83569d141f342.exe.job"
"<Input Sample>" touched file "C:\Windows\System32\en-US\propsys.dll.mui"
"<Input Sample>" touched file "C:\Windows\AppPatch\sysmain.sdb"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
"<Input Sample>" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000c.db"
"ReportViewer.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
- source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://schemas.microsoft.com/SMI/2005/WindowsSettings"
Pattern match: "http://cs-g2-crl.thawte.com/ThawteCSG2.crl0"
Pattern match: "http://ocsp.thawte.com0"
Pattern match: "http://www.usertrust.com1"
Pattern match: "crl.usertrust.com/UTN-USERFirst-Object.crl05"
Pattern match: "http://ocsp.usertrust.com0"
Pattern match: "http://crl.thawte.com/ThawtePCA.crl0"
Pattern match: "http://www.advancedinstaller.com0"
Heuristic match: "GPLGS/winmaps.ps"
Heuristic match: "GPLGS/wrfont.ps"
Pattern match: "http://www.example.com"
Pattern match: "http://www.yahoo.com"
Pattern match: "http://www.google.com"
Pattern match: "http://sqm.microsoft.com/sqm/vstudio/sqmserver.dll"
Pattern match: "http://www.microsoft.com"
Pattern match: "http://schemas.microsoft.com/Setup/2008/01/im"
Pattern match: "http://schemas.microsoft.com/office/word/2003/wordml}}\paperw11906\paperh16838\margl1800\margr1800\margt1440\margb1440\gutter0\ltrsect"
Pattern match: "K.FK/Q@Elw0'%gmr_^SA*WTCynYZTX"
Heuristic match: "5G1mTEP3,u8|quX.To"
Pattern match: "G.DWNn/?ZDqx?b"
Heuristic match: "{=.pw"
Heuristic match: "}}}-^x3H~=M`CiN1.\d]p(REj)z}-:.gF"
Heuristic match: "^t]r]$@.ph"
Pattern match: "IZ.pUk/~^sDOv-v}TY6K+GwRkYOmUh3&i{?u_=CqL?O=wj#bO(5-*G*n+GgvZ@o|qS+)WbU[y6ww"
Pattern match: "Y.Eql/I@adXG1"
Pattern match: "U.vcDF/UGA&fYUb@0*"
Pattern match: "A.mTQ/}G"
Heuristic match: "^:/1rD8`UbGI!l+Z~.Sh"
Heuristic match: "DkQ~QLp>8x:,-vP]xu(Sl2@WIwF(LgLGR1h/Cky|aA8.CG"
Pattern match: "b4HD.Cr/O]`Z_OVoi^mYt=J[jFubPYoPifBNyb"
Pattern match: "c.oZ/Oy7YtQym"
Heuristic match: "<!zl O}5#u]qK%sWp7bc_qBs9zeGv<cH+ve)RShVsxVFm69{.GA3dKh IjBQ#wv8c(pk!I|9)e<Ra~B+ 6;tAH_C'zGE6Bs8%Q.Pf"
Pattern match: "L.OAbo/F$xDSm7k8EjAR,8D6h"
- source
- File/Memory
- relevance
- 10/10
-
Found potential URL in binary/memory
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
-
"SetupResources.dll" was detected as "Microsoft visual C++ vx.x DLL"
"Setup.exe" was detected as "VC8 -> Microsoft Corporation"
"SetupEngine.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
"SetupUi.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
"sqmapi.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
"decoder.dll" was detected as "Visual C++ 2005 DLL -> Microsoft"
- source
- Static Parser
- relevance
- 10/10
-
Matched Compiler/Packer signature
File Details
Planogram Management Setup v15.0.exe
- Filename
- Planogram Management Setup v15.0.exe
- Size
- 94MiB (98952055 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 0d0eb5c3b88b196e2731f771468b22eec078dbd8a9a847e4c4b83569d141f342
- MD5
- ed76db82b06780e2241f80496ef76a7b
- SHA1
- 0cec48ba7f7105dc42598a5b5560305e7a980a86
Classification (TrID)
- 82.5% (.EXE) MS generic-sfx Cabinet File Unpacker (32/64bit MSCFU)
- 7.3% (.EXE) Win32 Executable MS Visual C++ (generic)
- 6.5% (.EXE) Win64 Executable (generic)
- 1.5% (.DLL) Win32 Dynamic Link Library (generic)
- 1.0% (.EXE) Win32 Executable (generic)
Screenshots
Hybrid Analysis
Analysed 4 processes in total (System Resource Monitor).
-
Input Sample
(PID: 3984)
6/56
-
ReportViewer.exe
/q /norestart
(PID: 2244)
- Setup.exe /q /norestart (PID: 2452)
- msiexec.exe " /i "%APPDATA%\Symphony EYC\Planogram Management 15.0.0.16\install\6C3F28E\Setup.msi" /L*V "%APPDATA%\Symphony EYC\Planogram Management 15.0.0.16\Install\APM.Log" TRANSFORMS="%APPDATA%\Symphony EYC\Planogram Management 15.0.0.16\install\6C3F28E\Setup.mst" AI_SETUPEXEPATH="C:\0d0eb5c3b88b196e2731f771468b22eec078dbd8a9a847e4c4b83569d141f342.exe" SETUPEXEDIR="C:\" EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs " (PID: 2632)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Displaying 28 extracted file(s). The remaining 58 file(s) are available in the full version and XML/JSON reports.
-
Clean 12
-
-
decoder.dll
- Size
- 126KiB (128664 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/55
- Runtime Process
- 0d0eb5c3b88b196e2731f771468b22eec078dbd8a9a847e4c4b83569d141f342.exe (PID: 3984)
- MD5
- 64016d43c1cee02f601f5013b798aa52
- SHA1
- c5ae3c3f70f321456696629b54398f4d332fb40f
- SHA256
- 3bf1b4c787370f44f165ebb80a2e8429b83de5b29035ba208afd8994b30b3665
-
MSI4B79.tmp
- Size
- 85KiB (87192 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/86
- Runtime Process
- msiexec.exe (PID: 2632)
- MD5
- 0cb489f9ee8269e23ea72c6a44993130
- SHA1
- b6102fd45ea116e1b1a9f540df8aaf33c6caf5fd
- SHA256
- 0f353f7823c3c56d5b0d8951dda07d03deab828223dc7d5297161f18ddb797db
-
MSI4D0C.tmp
- Size
- 85KiB (87192 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/86
- Runtime Process
- msiexec.exe (PID: 2632)
- MD5
- 0cb489f9ee8269e23ea72c6a44993130
- SHA1
- b6102fd45ea116e1b1a9f540df8aaf33c6caf5fd
- SHA256
- 0f353f7823c3c56d5b0d8951dda07d03deab828223dc7d5297161f18ddb797db
-
MSIE31A.tmp
- Size
- 85KiB (87192 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/86
- Runtime Process
- msiexec.exe (PID: 2632)
- MD5
- 0cb489f9ee8269e23ea72c6a44993130
- SHA1
- b6102fd45ea116e1b1a9f540df8aaf33c6caf5fd
- SHA256
- 0f353f7823c3c56d5b0d8951dda07d03deab828223dc7d5297161f18ddb797db
-
MSIF967.tmp
- Size
- 85KiB (87192 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/86
- Runtime Process
- msiexec.exe (PID: 2632)
- MD5
- 0cb489f9ee8269e23ea72c6a44993130
- SHA1
- b6102fd45ea116e1b1a9f540df8aaf33c6caf5fd
- SHA256
- 0f353f7823c3c56d5b0d8951dda07d03deab828223dc7d5297161f18ddb797db
-
ReportViewer.exe
- Size
- 4.5MiB (4750680 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/88
- Runtime Process
- 0d0eb5c3b88b196e2731f771468b22eec078dbd8a9a847e4c4b83569d141f342.exe (PID: 3984)
- MD5
- 98c89b18d0bbd4d7d3981445bb139237
- SHA1
- b5389a4d74782b39857edafb7a873fa297caa246
- SHA256
- e8ff182e202b321ac2b9245ee20c4eb659008ffb2a34cdbd3486f9da3d4c3e06
-
Setup.exe
- Size
- 76KiB (78152 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/89
- Runtime Process
- Setup.exe (PID: 2452)
- MD5
- 006f8a615020a4a17f5e63801485df46
- SHA1
- 78c82a80ebf9c8bf0c996dd8bc26087679f77fea
- SHA256
- d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be
-
reportviewer_redist2010core.msi
- Size
- 38KiB (38912 bytes)
- Type
- data
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, Code page: 1252, Title: Installation Database, Subject: ReportViewer Redist for Microsoft Visual Studio 2010, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft ReportViewer 2010 Redistributable., Template: Intel;1033, Revision Number: {F894E291-AFA6-4883-8AC2-D6A7BE150432}, Create Time/Date: Fri Mar 19 05:27:40 2010, Last Saved Time/Date: Fri Mar 19 05:27:40 2010, Number of Pages: 300, Name of Creating Application: Windows Installer XML (3.5.0626.0), Security: 2, Number of Words: 2
- AV Scan Result
- 0/55
- Runtime Process
- Setup.exe (PID: 2452)
- MD5
- 71523ab3f1cbcec5de168d93652d1c70
- SHA1
- a76bb682632faf67bc26ce5a0c9832eaea4ed5fb
- SHA256
- df2429bfb7a88d1f687403003097dc9d1aeb82f2b643f250edc01dcaef4f959d
-
SetupResources.dll
- Size
- 17KiB (17240 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/67
- Runtime Process
- ReportViewer.exe (PID: 2244)
- MD5
- 9547d24ac04b4d0d1dbf84f74f54faf7
- SHA1
- 71af6001c931c3de7c98ddc337d89ab133fe48bb
- SHA256
- 36d0159ed1a7d88000737e920375868765c0a1dd6f5a5acbb79cf7d97d9e7a34
-
SetupEngine.dll
- Size
- 788KiB (807256 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/91
- Runtime Process
- Setup.exe (PID: 2452)
- MD5
- 84c1daf5f30ff99895ecab3a55354bcf
- SHA1
- 7e25ba36bcc7deed89f3c9568016ddb3156c9c5a
- SHA256
- 7a0d281fa802d615ea1207bd2e9ebb98f3b74f9833bba3cb964ba7c7e0fb67fd
-
SetupUi.dll
- Size
- 288KiB (295248 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/91
- Runtime Process
- ReportViewer.exe (PID: 2244)
- MD5
- eb881e3dddc84b20bd92abcec444455f
- SHA1
- e2c32b1c86d4f70e39de65e9ebc4f361b24ff4a1
- SHA256
- 11565d97287c01d22ad2e46c78d8a822fa3e6524561d4c02dfc87e8d346c44e7
-
sqmapi.dll
- Size
- 141KiB (144416 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/90
- Runtime Process
- Setup.exe (PID: 2452)
- MD5
- 3f0363b40376047eff6a9b97d633b750
- SHA1
- 4eaf6650eca5ce931ee771181b04263c536a948b
- SHA256
- bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c
-
-
Informative Selection 2
-
-
Setup.msi
- Size
- 5KiB (5120 bytes)
- Type
- data
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Last Printed: Wed Nov 21 14:59:58 2007, Create Time/Date: Wed Nov 21 14:59:58 2007, Title: Installation Database, Keywords: Installer, MSI, Database, Last Saved Time/Date: Wed Nov 21 15:17:57 2007, Number of Pages: 200, Security: 0, Code page: 1252, Revision Number: {25E104FA-FD5A-495F-9FCE-072EB936852C}, Number of Words: 0, Subject: Planogram Management, Author: Symphony EYC, Last Saved By: Asif Hasnain, Name of Creating Application: Advanced Installer 11.0 build 55831, Template: ;1033, Comments: This installer database contains the logic and data required to install Planogram Management.
- Runtime Process
- 0d0eb5c3b88b196e2731f771468b22eec078dbd8a9a847e4c4b83569d141f342.exe (PID: 3984)
- MD5
- 127095ae31581a757db31b66000790fc
- SHA1
- f5c60e925c43c7b4a68e05e0e214a05406adb244
- SHA256
- 2af4a701842eeecc033bcccd1214c1ed10ff6c2c9608f775d93c2e66b7257ff5
-
Setup.mst
- Size
- 3.1MiB (3294397 bytes)
- Type
- rtf
- Description
- Composite Document File V2 Document, corrupt: Can't read SAT
- Runtime Process
- 0d0eb5c3b88b196e2731f771468b22eec078dbd8a9a847e4c4b83569d141f342.exe (PID: 3984)
- MD5
- 7867898faf24d3be1bcc4899c35943ce
- SHA1
- 7420385cb01862f8e5b8accb744f4cd39dac830c
- SHA256
- 303c40a3473d7585511fdf3945e99ac5d9f6df52734cf2daecd2c46a18ef8ad5
-
-
Informative 14
-
-
1031
- Size
- 144KiB (147456 bytes)
- Runtime Process
- 0d0eb5c3b88b196e2731f771468b22eec078dbd8a9a847e4c4b83569d141f342.exe (PID: 3984)
- MD5
- 7c22ca9ed4ea3e5383c4e406c19f71a2
- SHA1
- e2a55800b44379bc8ce8d7aac540a54e989553fc
- SHA256
- c77af4b5f890239cab63a9ea12535988c1365f6b6aad8a885c041f19213b7377
-
1036
- Size
- 140KiB (143360 bytes)
- Runtime Process
- 0d0eb5c3b88b196e2731f771468b22eec078dbd8a9a847e4c4b83569d141f342.exe (PID: 3984)
- MD5
- 60b5bff76287f83126bde7a59ec12541
- SHA1
- 03988f6b28a420550af572e867f0e48d9944aea1
- SHA256
- fdc5b3bc92ba9fe0c7f87b83a16abaeccdd6b2debed2c118bde35cac868ae594
-
1040
- Size
- 140KiB (143360 bytes)
- Runtime Process
- 0d0eb5c3b88b196e2731f771468b22eec078dbd8a9a847e4c4b83569d141f342.exe (PID: 3984)
- MD5
- 9fa117b079b7806241b9d2ffa75607e2
- SHA1
- 313a4731a94a643f301cfeeb87bf179acca148b9
- SHA256
- 589deaad6dd36bd98f93dedd584392a9572a2ee77ad36c9e01129f71c345082a
-
1041
- Size
- 144KiB (147456 bytes)
- Runtime Process
- 0d0eb5c3b88b196e2731f771468b22eec078dbd8a9a847e4c4b83569d141f342.exe (PID: 3984)
- MD5
- 5500211ba5eb1dfe787558496815476d
- SHA1
- 6c33c2b497282b7e90c40c0b67295cfb785e44a5
- SHA256
- e3cca80ba7952088636a3c4c4c6dbb20607154e7093cf245016aeb74b98575ba
-
1045
- Size
- 108KiB (110592 bytes)
- Runtime Process
- 0d0eb5c3b88b196e2731f771468b22eec078dbd8a9a847e4c4b83569d141f342.exe (PID: 3984)
- MD5
- b04f00005bee5a5dc266b2d3e26b3423
- SHA1
- 71de75132faf5f3575c0c458d10e5cb96672106e
- SHA256
- 328b82d5073462d16019512fa746daadb91bd71c9a2b266262098522d1db0a41
-
1049
- Size
- 144KiB (147456 bytes)
- Runtime Process
- 0d0eb5c3b88b196e2731f771468b22eec078dbd8a9a847e4c4b83569d141f342.exe (PID: 3984)
- MD5
- 943642edbdc19d3c9fe569b81db2a26c
- SHA1
- d8367e6fbf2289ae45adee60491d57c08102b479
- SHA256
- 57278934ec3ed1ab6bc8c701e45fccdc73fc8e690c3a382c4bc7fdad3ea03f9c
-
3082
- Size
- 144KiB (147456 bytes)
- Runtime Process
- 0d0eb5c3b88b196e2731f771468b22eec078dbd8a9a847e4c4b83569d141f342.exe (PID: 3984)
- MD5
- eadd8141899269280f595a57e3f436a3
- SHA1
- 36c5417f2bd2c3ae7564d4a3c4ad19cedd852a46
- SHA256
- ae484c50150cb3d40291163436cd18ed4b3a858738f0dd23e16c8b4a292076a9
-
ApolloEnterpriseAdminTool.cab
- Size
- 3.1MiB (3207168 bytes)
- Runtime Process
- 0d0eb5c3b88b196e2731f771468b22eec078dbd8a9a847e4c4b83569d141f342.exe (PID: 3984)
- MD5
- ca46d9770bd4ab413ae576c29368b6e3
- SHA1
- 850c9afb6bfe8f2ce4e1437e95203f71c5465ae5
- SHA256
- b3b9bc871714d93362283b1cd5c0f61dfbbd4efbf664cff443004cb43fe6d91c
-
Setup.x64.msi
- Size
- 5KiB (5120 bytes)
- Type
- data
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Last Printed: Wed Nov 21 14:59:58 2007, Create Time/Date: Wed Nov 21 14:59:58 2007, Title: Installation Database, Keywords: Installer, MSI, Database, Last Saved Time/Date: Wed Nov 21 15:17:57 2007, Number of Pages: 200, Security: 0, Code page: 1252, Revision Number: {25E104FA-FD5A-495F-9FCE-072EB936852C}, Number of Words: 0, Subject: Planogram Management, Author: Symphony EYC, Last Saved By: Asif Hasnain, Name of Creating Application: Advanced Installer 11.0 build 55831, Comments: This installer database contains the logic and data required to install Planogram Management., Template: x64;1033
- Runtime Process
- 0d0eb5c3b88b196e2731f771468b22eec078dbd8a9a847e4c4b83569d141f342.exe (PID: 3984)
- MD5
- edbfcc77bcc6eb4f58c3dcc68cd9e76a
- SHA1
- e9ea6b5802fad8ed0748e13e13f32bdfaab8592d
- SHA256
- 8ce8d477e0aef434050e9554f672fc950427bcb8cc71c204b80393dd77ec9498
-
HFI971.tmp.html
- Size
- 2B (2 bytes)
- Runtime Process
- Setup.exe (PID: 2452)
- MD5
- f3b25701fe362ec84616a93a45ce9998
- SHA1
- d62636d8caec13f04e28442a0a6fa1afeb024bbb
- SHA256
- b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
-
HFIBEB.tmp.html
- Size
- 4.4KiB (4542 bytes)
- Runtime Process
- Setup.exe (PID: 2452)
- MD5
- 1d8b1935b716360fb8671d6910c73a9d
- SHA1
- ab59d6b73fe94e2ade9a8e28b50001074776c1e7
- SHA256
- 1e2ed591b365c7a9b1b7f4804d9d1dcce14ed72fcd8779fa8116051c74923875
-
MSI4AE2.tmp
- Size
- 85KiB (87192 bytes)
- Runtime Process
- msiexec.exe (PID: 2632)
- MD5
- 0cb489f9ee8269e23ea72c6a44993130
- SHA1
- b6102fd45ea116e1b1a9f540df8aaf33c6caf5fd
- SHA256
- 0f353f7823c3c56d5b0d8951dda07d03deab828223dc7d5297161f18ddb797db
-
MSI4C89.tmp
- Size
- 293KiB (300184 bytes)
- Runtime Process
- msiexec.exe (PID: 2632)
- MD5
- 02001092db7cd807605e044df91ff4d5
- SHA1
- 9557b8311591a100b29c820afdbe5c0406c5aa97
- SHA256
- 3b1d4bbc0af0d8fbe122c7873cbc24cfdd1801d48ef2e5e53163f8e4420c563d
-
C__0d0eb5c3b88b196e2731f771468b22eec078dbd8a9a847e4c4b83569d141f342.exe.job
- Size
- 382B (382 bytes)
- Type
- unknown
- Description
- VAX-order 68k Blit mpx/mux executable
- Runtime Process
- 0d0eb5c3b88b196e2731f771468b22eec078dbd8a9a847e4c4b83569d141f342.exe (PID: 3984)
- MD5
- cc40f24bb840e7f63754777936a56bff
- SHA1
- f2b6058a8e30b53ff2aef767cb7d31dc6e8c0f36
- SHA256
- ad30b76061a42896a36d895bd38ade4d8b08f0c19ecf174843d7cc9e1aaed007
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Extracted file "Setup.msi" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/2af4a701842eeecc033bcccd1214c1ed10ff6c2c9608f775d93c2e66b7257ff5/analysis/1508509450/")
- Extracted file "Setup.mst" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/303c40a3473d7585511fdf3945e99ac5d9f6df52734cf2daecd2c46a18ef8ad5/analysis/1508509463/")
- Extracted file "Setup.x64.msi" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/8ce8d477e0aef434050e9554f672fc950427bcb8cc71c204b80393dd77ec9498/analysis/1508509464/")
- No static analysis parsing on sample was performed
- Not all IP/URL string resources were checked online
- Not all file accesses are visible for msiexec.exe (PID: 2632)
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "binary-0" are available in the report
- Not all sources for signature ID "binary-1" are available in the report
- Not all sources for signature ID "binary-16" are available in the report
- Not all sources for signature ID "mutant-0" are available in the report
- Not all sources for signature ID "registry-17" are available in the report
- Not all sources for signature ID "registry-18" are available in the report
- Not all sources for signature ID "registry-19" are available in the report
- Not all sources for signature ID "string-43" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)