Debloater-setup-v3.90.exe
This report was generated from a file or URL submitted to this web service on October 8th 2016 15:12:18 (UTC), run with the action script "Heavy Anti-Evasion".
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v5.20 © Hybrid Analysis
Incident Response
Risk Assessment
- Fingerprint: reads the active computer name; reads the cryptographic machine GUID (flagged evasive)
- References security related windows services
Indicators
Not all malicious and suspicious indicators are displayed in this report.

Malicious Indicators 2

System Security
References security related windows services
- details: two matches on the string "bfe", the service name of the Base Filtering Engine (the Windows service that hosts the Windows Filtering Platform). Both hits lie inside long binary strings whose readable parts are InstallShield's embedded Windows Installer error messages, the feature-selection and Custom Setup dialog text, and the RTF header of the license-agreement page; the "bfe" bytes themselves sit in the high-entropy runs around that text rather than in a service name or command line. A three-character match in such data is weak evidence of service tampering on its own.
- source: String
- relevance: 7/10

Unusual Characteristics
Contains ability to reboot/shutdown the operating system
- details: ExitWindowsEx@USER32.DLL from Debloater_setup_v3.90.exe (PID: 2448); this is also the API an installer calls when it offers a restart after setup
- source: Hybrid Analysis Technology
- relevance: 5/10

Suspicious Indicators 17

Anti-Detection/Stealthiness
Queries kernel debugger information
- details: "<Input Sample>" at 00023329-00002448-00000105-55031753
- source: API Call
- relevance: 6/10

Sets the process error mode to suppress error box
- details: "<Input Sample>" set its error mode to SEM_NOOPENFILEERRORBOX (suppresses the system "file not found" dialog; a failed open then fails silently instead of blocking on a message box)
- source: API Call
- relevance: 8/10

Environment Awareness
Reads the active computer name
- details:
  "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source: Registry Access
- relevance: 5/10

Reads the cryptographic machine GUID
- details:
  "<Input Sample>" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  MachineGuid is a stable per-installation identifier, which is why the sandbox scores the read as fingerprinting; note that the Windows Installer host msiexec.exe performs the same read while handling the dropped Debloater.msi.
- source: Registry Access
- relevance: 10/10

General
Contains ability to find and load resources of a specific module
- details:
  FindResourceW@KERNEL32.dll (listed twice)
  LoadResource@KERNEL32.DLL from Debloater_setup_v3.90.exe (PID: 2448)
  FindResourceW@KERNEL32.DLL from Debloater_setup_v3.90.exe (PID: 2448) (2 calls)
- source: Hybrid Analysis Technology
- relevance: 1/10

Reads configuration files
- details:
  "<Input Sample>" read file "%TEMP%\{7DEFF992-B26B-4325-A743-78B143786DDC}\Setup.INI"
  "<Input Sample>" read file "%TEMP%\{7DEFF992-B26B-4325-A743-78B143786DDC}\_ISMSIDEL.INI"
  "<Input Sample>" read file "%TEMP%\{7DEFF992-B26B-4325-A743-78B143786DDC}\0x0409.ini"
  (all three are the setup's own control files, extracted into a per-run %TEMP% subdirectory; 0x0409 is the LCID for English, United States)
- source: API Call
- relevance: 4/10

Installation/Persistence
Contains ability to write to a remote process
- details:
  WriteProcessMemory@KERNEL32.dll
  WriteProcessMemory@KERNEL32.DLL from Debloater_setup_v3.90.exe (PID: 2448)
- source: Hybrid Analysis Technology
- relevance: 8/10

Found a string that is often used as part of an injection method
- details:
  "AShell_TrayWnd" and "Shell_TrayWnd" (the taskbar window class; it is often located with FindWindow and used to inject into explorer with the SetWindowLong method)
- source: String
- relevance: 4/10

Network Related
Found potential IP address in binary/memory
- details:
  Heuristic match: "4.70.0.1300"
  Heuristic match: "2.0.2600.0"
  Heuristic match: "1.20.1827.0"
  Heuristic match: "1.2.840.113549.1.9.1"
  "4.05.0.0"
  "2.9.0.0"
  "2.5.4.3"
  "2.5.4.11"
  "2.5.4.10"
  Heuristic match: "3549.1.9.1"
  Heuristic match: "version="1.0.0.0""
  Heuristic match: "version="6.0.0.0""
  Heuristic match: "20.0.0.529" (FileVersion of ISRegSvr.dll, CompanyName "Flexera Software LLC", from an embedded VS_VERSION_INFO resource)
  Heuristic match: "ScriptVer=1.0.0.1"
  None of these is a network address. The four-part values are file, product and version="..." attribute strings, and 1.2.840.113549.1.9.1 (PKCS #9 emailAddress), 2.5.4.3 (commonName), 2.5.4.10 (organizationName) and 2.5.4.11 (organizationalUnitName) are X.509 attribute-type OIDs as found in certificate data; "3549.1.9.1" is a truncated copy of the first of them.
- source: String
- relevance: 3/10

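Which of these dotted strings could actually be IPv4 addresses? The Python below is an added example (not code from the report or from the sample) that reproduces the dotted-number heuristic and then filters it with three checks a triage script would apply: a well-known OID arc table (a small constructed subset), the version="..." / ScriptVer= context visible above, and the octet-range and zero-padding rules. The SAMPLE line is constructed from the strings the report lists; run over it, only 2.9.0.0 survives as a syntactically possible address, which is the point: the heuristic needs context, not just shape.

```python
"""Filter the sandbox's dotted-number heuristic down to strings that can be IPv4 addresses."""
from __future__ import annotations
import re

# Small constructed subset of well-known OID arcs; a real triage script would load a fuller table.
OID_ARCS = {
    "2.5.4": "X.520 attribute types (2.5.4.3 commonName, 2.5.4.10 organizationName, 2.5.4.11 organizationalUnitName)",
    "1.2.840.113549.1.9": "PKCS #9 attributes (1.2.840.113549.1.9.1 emailAddress)",
    "1.2.840.113549.1.1": "PKCS #1 RSA signature algorithms",
    "1.3.6.1.5.5.7": "PKIX",
}
DOTTED = re.compile(r"\d+(?:\.\d+)+")                        # what the sandbox heuristic matches on
VERSION_CONTEXT = re.compile(r'(?i)ver(?:sion)?\s*=\s*"?$')  # version="..." or ScriptVer=... just before

def classify(token: str, before: str = "") -> tuple[str, str]:
    """Return (category, reason) for one dotted token; `before` is the text immediately preceding it."""
    for arc, name in OID_ARCS.items():
        if token == arc or token.startswith(arc + "."):
            return "oid", name
    if VERSION_CONTEXT.search(before[-16:]):
        return "not-ipv4", "preceded by a version attribute"
    parts = token.split(".")
    if len(parts) != 4:
        return "not-ipv4", f"{len(parts)} components"
    if any(int(p) > 255 for p in parts):
        return "not-ipv4", "component exceeds 255 (version string)"
    if any(len(p) > 1 and p[0] == "0" for p in parts):
        return "not-ipv4", "zero-padded component (printf-style version field)"
    return "ipv4-candidate", "well-formed dotted quad; confirm against the surrounding bytes"

def scan(blob: str) -> dict[str, tuple[str, str]]:
    """Classify every dotted-number match in `blob`, keyed by the matched text."""
    return {m.group(): classify(m.group(), blob[max(0, m.start() - 16):m.start()])
            for m in DOTTED.finditer(blob)}

def ipv4_candidates(blob: str) -> list[str]:
    """Only the matches that survive the filters."""
    return [tok for tok, (cat, _) in scan(blob).items() if cat == "ipv4-candidate"]

# Constructed line carrying the strings the sandbox listed for this sample.
SAMPLE = ('FileVersion20.0.0.529 4.70.0.1300 2.0.2600.0 1.20.1827.0 1.2.840.113549.1.9.1 '
          '4.05.0.0 2.9.0.0 2.5.4.3 2.5.4.11 2.5.4.10 version="1.0.0.0" version="6.0.0.0" '
          'ScriptVer=1.0.0.1')

if __name__ == "__main__":
    for tok, (cat, why) in scan(SAMPLE).items():
        print(f"{tok:>22}  {cat:<15} {why}")
    print("candidates:", ipv4_candidates(SAMPLE))
```

Note that 6.0.0.0 on its own passes the shape test; it is only the version=" prefix that rules it out, so a scanner that looks at isolated tokens rather than their neighbourhood will keep producing hits like these.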
Spyware/Information Retrieval
Contains ability to enumerate processes/modules/threads
- details:
  CreateToolhelp32Snapshot@KERNEL32.dll
  CreateToolhelp32Snapshot@KERNEL32.DLL from Debloater_setup_v3.90.exe (PID: 2448)
- source: Hybrid Analysis Technology
- relevance: 5/10

System Destruction
Marks file for deletion
- details:
  "C:\Debloater_setup_v3.90.exe" marked "%TEMP%\_MSI5166._IS" for deletion
  "C:\Debloater_setup_v3.90.exe" marked "%TEMP%\~A7F4.tmp" for deletion
  "C:\Debloater_setup_v3.90.exe" marked "%TEMP%\~A809.tmp" for deletion
  "C:\Debloater_setup_v3.90.exe" marked "%TEMP%\~AC1C.tmp" for deletion
  "C:\Debloater_setup_v3.90.exe" marked "%TEMP%\{7DEFF992-B26B-4325-A743-78B143786DDC}\0x0409.ini" for deletion
  "C:\Debloater_setup_v3.90.exe" marked "%TEMP%\{7DEFF992-B26B-4325-A743-78B143786DDC}\Debloater.msi" for deletion
  "C:\Debloater_setup_v3.90.exe" marked "%TEMP%\{7DEFF992-B26B-4325-A743-78B143786DDC}\Setup.INI" for deletion
  "C:\Debloater_setup_v3.90.exe" marked "%TEMP%\{7DEFF992-B26B-4325-A743-78B143786DDC}\_ISMSIDEL.INI" for deletion
  "C:\Debloater_setup_v3.90.exe" marked "%TEMP%\{7DEFF992-B26B-4325-A743-78B143786DDC}" for deletion
  Every path is under %TEMP%: either a scratch file or the setup's own extraction directory holding the dropped Debloater.msi and its INI files. No user or system file is touched, so this is installer cleanup rather than destruction.
- source: API Call
- relevance: 10/10

Opens file with deletion access rights
- details:
  "<Input Sample>" opened "%TEMP%\_MSI5166._IS" with delete access
  "<Input Sample>" opened "%TEMP%\~A7F4.tmp" with delete access
  "<Input Sample>" opened "%TEMP%\~A809.tmp" with delete access
  "<Input Sample>" opened "%TEMP%\~AC1C.tmp" with delete access
  "<Input Sample>" opened "%TEMP%\{7DEFF992-B26B-4325-A743-78B143786DDC}\0x0409.ini" with delete access
  "<Input Sample>" opened "%TEMP%\{7DEFF992-B26B-4325-A743-78B143786DDC}\Debloater.msi" with delete access
  "<Input Sample>" opened "%TEMP%\{7DEFF992-B26B-4325-A743-78B143786DDC}\Setup.INI" with delete access
  "<Input Sample>" opened "%TEMP%\{7DEFF992-B26B-4325-A743-78B143786DDC}\_ISMSIDEL.INI" with delete access
  "<Input Sample>" opened "%TEMP%\{7DEFF992-B26B-4325-A743-78B143786DDC}" with delete access
  (the same nine temporary paths listed under "Marks file for deletion"; opening with DELETE access is how the delete-on-close cleanup is set up)
- source: API Call
- relevance: 7/10

System Security
Contains ability to elevate privileges
- details: SetSecurityDescriptorDacl@ADVAPI32.DLL from Debloater_setup_v3.90.exe (PID: 2448). SetSecurityDescriptorDacl only attaches a DACL to a security descriptor the caller is building (installers use it to set permissions on the files and keys they create); by itself it grants the caller no additional privilege, so read this as a label for the API family rather than evidence of elevation.
- source: Hybrid Analysis Technology
- relevance: 10/10

Unusual Characteristics
CRC value set in PE header does not match actual value
- details: "Debloater_setup_v3.90.exe.bin" claimed CRC 1224891 while the actual is CRC 2995309. The "CRC" is the CheckSum field of the PE optional header, a checksum over the whole file. Windows enforces it only for kernel-mode drivers and certain system images, so a stale value in a user-mode executable is common, and an installer bootstrapper whose payload is appended to the stub after linking cannot pass this check unless the field is re-stamped afterwards.
- source: Static Parser
- relevance: 10/10

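To see why an appended payload breaks the header value, the following Python is an added example (not code from the report or from the sample) that implements the optional-header CheckSum algorithm used by imagehlp's MapFileAndCheckSum: a 16-bit end-around-carry sum over the file with the CheckSum field itself skipped, folded to 16 bits, plus the file length. It runs on a constructed, non-loadable PE32 skeleton built in memory; the section layout and payload bytes are made up for the demonstration.

```python
"""Recompute a PE optional-header CheckSum on a constructed PE32 image and show the effect of appending data."""
import struct

def checksum_field_offset(image: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + 4 (PE signature) + 20 (COFF header) + 64.
    The +64 holds for PE32 and PE32+ alike (the PE32+ 8-byte ImageBase absorbs the missing BaseOfData)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    return e_lfanew + 4 + 20 + 64

def pe_checksum(image: bytes) -> int:
    """16-bit sum with end-around carry over every word of the file except the 4-byte CheckSum
    field, folded to 16 bits, then plus the file length. Windows compares this against the header."""
    skip = checksum_field_offset(image)
    total = 0
    for i in range(0, len(image) - 1, 2):
        if i == skip or i == skip + 2:
            continue
        total += image[i] | (image[i + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)   # end-around carry
    if len(image) & 1:                              # odd trailing byte
        total += image[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(image)) & 0xFFFFFFFF

def stored_checksum(image: bytes) -> int:
    """The value currently written in the optional header."""
    return struct.unpack_from("<I", image, checksum_field_offset(image))[0]

def stamp_checksum(image: bytes) -> bytes:
    """Return a copy with the CheckSum field set to the computed value."""
    out = bytearray(image)
    struct.pack_into("<I", out, checksum_field_offset(image), pe_checksum(image))
    return bytes(out)

def checksum_matches(image: bytes) -> bool:
    """The check a static parser performs: header value == recomputed value."""
    return stored_checksum(image) == pe_checksum(image)

def build_minimal_pe(payload: bytes = b"") -> bytes:
    """Constructed PE32 skeleton: DOS header, PE signature, COFF header, 224-byte optional header,
    one section header, then `payload`. Not loadable; it only carries the headers the checksum needs."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                            # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, 1 section, PE32 opt-header size
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic; CheckSum at +64 left as 0
    struct.pack_into("<I", opt, 28, 0x00400000)                      # ImageBase
    section = bytearray(40)
    section[:5] = b".text"
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(section) + payload

if __name__ == "__main__":
    stub = stamp_checksum(build_minimal_pe(bytes(range(256)) * 4))
    print(f"stub:    stored={stored_checksum(stub):#x} actual={pe_checksum(stub):#x} ok={checksum_matches(stub)}")
    bundled = stub + b"payload appended after linking"
    print(f"bundled: stored={stored_checksum(bundled):#x} actual={pe_checksum(bundled):#x} ok={checksum_matches(bundled)}")
```

Because the file length is part of the sum, appending even all-zero bytes changes the expected value, which is why a bootstrapper with an attached archive or MSI fails the comparison unless the tool that attaches the payload re-stamps the field.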
Contains embedded string with suspicious keywords
- details:
  Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
  Found suspicious keyword "Write" which indicates: "May write to a file (if combined with Open)"
  Found suspicious keyword "Environ" which indicates: "May read system environment variables"
  Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
  Found suspicious keyword "Open" which indicates: "May open a file"
  Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
  Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
  Found suspicious keyword "Output" which indicates: "May write to a file (if combined with Open)"
  Found suspicious keyword "Chr" which indicates: "May attempt to obfuscate specific strings"
  These rules are written for VBA/VBScript macros (Open, Put, Output and Chr are VBA statements and functions; Shell.Application is a script object); matched against the English dialog and error text of an installer they are ordinary words and carry little weight.
- source: String
- relevance: 10/10

Imports suspicious APIs
- details:
  OpenProcessToken, RegCloseKey, RegCreateKeyExW, RegCreateKeyW, RegDeleteKeyW, RegDeleteValueW, RegEnumKeyExW, RegEnumKeyW, RegOpenKeyExW, RegOpenKeyW, SetSecurityDescriptorDacl,
  CopyFileW, CreateDirectoryW, CreateFileA, CreateFileMappingW, CreateFileW, CreateProcessW, CreateThread, CreateToolhelp32Snapshot, DeleteFileW, FindFirstFileW, FindNextFileW, FindResourceExW, FindResourceW,
  GetCommandLineW, GetDriveTypeW, GetFileAttributesW, GetFileSize, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetStartupInfoA, GetStartupInfoW, GetTempFileNameW, GetTempPathW, GetThreadContext, GetTickCount, GetVersionExW, IsDebuggerPresent,
  LoadLibraryA, LoadLibraryExW, LoadLibraryW, LockResource, MapViewOfFile, OpenProcess, Process32FirstW, Process32NextW, Sleep, TerminateProcess, UnhandledExceptionFilter, VirtualAlloc, VirtualProtect, VirtualProtectEx, WriteFile, WriteProcessMemory,
  ShellExecuteExW, ShellExecuteW, FindWindowW
- source: Static Parser
- relevance: 1/10

Reads information about supported languages
- details:
  "<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
  "msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source: Registry Access
- relevance: 3/10

Informative 17

Anti-Reverse Engineering
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details:
  SetUnhandledExceptionFilter@KERNEL32.dll (listed twice)
  SetUnhandledExceptionFilter@KERNEL32.DLL from Debloater_setup_v3.90.exe (PID: 2448) (4 calls)
- source: Hybrid Analysis Technology
- relevance: 1/10

Environment Awareness
Contains ability to query machine time
- details:
  GetLocalTime@KERNEL32.dll (listed twice)
  GetSystemTimeAsFileTime@KERNEL32.DLL from Debloater_setup_v3.90.exe (PID: 2448) (4 calls)
  GetSystemTime@KERNELBASE.DLL from Debloater_setup_v3.90.exe (PID: 2448)
  GetLocalTime@KERNEL32.DLL from Debloater_setup_v3.90.exe (PID: 2448) (4 calls)
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query the machine version
- details:
  GetVersionExW@KERNEL32.dll (listed 6 times)
  GetVersion@KERNEL32.dll
  GetVersionExW@KERNEL32.DLL from Debloater_setup_v3.90.exe (PID: 2448) (10 calls)
  GetVersion@KERNEL32.DLL from Debloater_setup_v3.90.exe (PID: 2448) (3 calls)
- source: Hybrid Analysis Technology
- relevance: 1/10

Contains ability to query volume size
- details: GetDiskFreeSpaceExW@KERNELBASE.DLL from Debloater_setup_v3.90.exe (PID: 2448)
- source: Hybrid Analysis Technology
- relevance: 3/10

Makes a code branch decision directly after an API that is environment aware
- details
-
Found API call GetVersion@KERNEL32.dll (Target: "Debloater_setup_v3.90.exe.bin"; Stream UID: "29418-6284-00455AAB")
which is directly followed by "cmp eax, 80000000h" and "jbe 00455DEFh". See related instructions: "...
+784 call dword ptr [004B0188h] ;GetVersion
+790 cmp eax, 80000000h
+795 jbe 00455DEFh" ... (Show Stream)
Found API call GetVersionExW@KERNEL32.dll (Target: "Debloater_setup_v3.90.exe.bin"; Stream UID: "29418-7445-0044F9B1")
which is directly followed by "cmp dword ptr [ebp-70h], 01h" and "jne 0044FA3Eh". See related instructions: "...
+0 push ebp
+1 lea ebp, dword ptr [esp-00000098h]
+8 sub esp, 00000118h
+14 mov eax, dword ptr [004DB020h]
+19 xor eax, ebp
+21 mov dword ptr [ebp+00000094h], eax
+27 mov eax, dword ptr [ebp+000000A0h]
+33 and dword ptr [eax], 00000000h
+36 push esi
+37 mov esi, dword ptr [ebp+000000A4h]
+43 and dword ptr [esi], 00000000h
+46 lea eax, dword ptr [ebp-80h]
+49 push eax
+50 mov dword ptr [ebp-80h], 00000114h
+57 call dword ptr [004B00F8h] ;GetVersionExW
+63 cmp dword ptr [ebp-70h], 01h
+67 jne 0044FA3Eh" ... (Show Stream)
Found API call GetVersionExW@KERNEL32.DLL (Target: "Debloater_setup_v3.90.exe"; Stream UID: "00023329-00002448-48363-1478-00424946")
which is directly followed by "cmp word ptr [ebp+00000114h], 0001h" and "jnc 00424A10h". See related instructions: "...
+210 lea eax, dword ptr [ebp+00h]
+213 push eax
+214 mov dword ptr [ebp+00h], 0000011Ch
+221 call dword ptr [004B00F8h] ;GetVersionExW
+227 cmp word ptr [ebp+00000114h], 0001h
+235 jnc 00424A10h" ... from Debloater_setup_v3.90.exe (PID: 2448) (Show Stream)
Found API call GetVersion@KERNEL32.DLL (Target: "Debloater_setup_v3.90.exe"; Stream UID: "00023329-00002448-48363-1143-0045BBC4")
which is directly followed by "cmp ecx, eax" and "ret ". See related instructions: "...
+0 call dword ptr [004B0188h] ;GetVersion
+6 mov ecx, 80000000h
+11 cmp ecx, eax
+13 sbb eax, eax
+15 neg eax
+17 ret " ... from Debloater_setup_v3.90.exe (PID: 2448) (Show Stream)
Found API call GetVersionExW@KERNEL32.DLL (Target: "Debloater_setup_v3.90.exe"; Stream UID: "00023329-00002448-48363-1525-00427F86")
which is directly followed by "cmp dword ptr [ebp+04h], 05h" and "jne 00428107h". See related instructions: "...
+34 call 004674D0h
+39 mov esi, dword ptr [ebp+00000190h]
+45 lea eax, dword ptr [ebp+00h]
+48 push eax
+49 mov dword ptr [ebp-14h], ecx
+52 mov dword ptr [ebp+00h], 0000011Ch
+59 call dword ptr [004B00F8h] ;GetVersionExW
+65 cmp dword ptr [ebp+04h], 05h
+69 jne 00428107h" ... from Debloater_setup_v3.90.exe (PID: 2448) (Show Stream)
Found API call GetVersion@KERNEL32.DLL (Target: "Debloater_setup_v3.90.exe"; Stream UID: "00023329-00002448-48363-1643-00435FBF")
which is directly followed by "cmp ecx, eax" and "ret ". See related instructions: "...
+0 call dword ptr [004B0188h] ;GetVersion
+6 mov ecx, 80000000h
+11 cmp ecx, eax
+13 sbb eax, eax
+15 neg eax
+17 ret " ... from Debloater_setup_v3.90.exe (PID: 2448) (Show Stream)
Found API call GetVersion@KERNEL32.DLL (Target: "Debloater_setup_v3.90.exe"; Stream UID: "00023329-00002448-48363-6178-00455AAB")
which is directly followed by "cmp eax, 80000000h" and "jbe 00455DEFh". See related instructions: "...
+784 call dword ptr [004B0188h] ;GetVersion
+790 cmp eax, 80000000h
+795 jbe 00455DEFh" ... from Debloater_setup_v3.90.exe (PID: 2448) - source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Contains ability to query machine time
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
-
0/56 Antivirus vendors marked sample as malicious (0% detection rate)
0/42 Antivirus vendors marked sample as malicious (0% detection rate) - source
- External System
- relevance
- 10/10
-
-
General
-
Contains PDB pathways
- details
- "C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup___Win32_Release_Unicode\setup.pdb"
- source
- String
- relevance
- 1/10
-
Creates a writable file in a temporary directory
- details
-
"<Input Sample>" created file "%TEMP%\_MSI5166._IS"
"<Input Sample>" created file "%TEMP%\{7DEFF992-B26B-4325-A743-78B143786DDC}\Setup.INI"
"<Input Sample>" created file "%TEMP%\{7DEFF992-B26B-4325-A743-78B143786DDC}\_ISMSIDEL.INI"
"<Input Sample>" created file "%TEMP%\{7DEFF992-B26B-4325-A743-78B143786DDC}\0x0409.ini"
"<Input Sample>" created file "%TEMP%\~A7F4.tmp"
"<Input Sample>" created file "%TEMP%\~A809.tmp"
"<Input Sample>" created file "%TEMP%\{7DEFF992-B26B-4325-A743-78B143786DDC}\Debloater.msi"
"<Input Sample>" created file "%TEMP%\~AC1C.tmp" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
- "\Sessions\1\BaseNamedObjects\Global\_MSIExecute"
- source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "Debloater.msi" as clean (type is "Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Debloater, Author: Gatesjunior Developer, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShielde Limited Edition 20, Last Saved Time/Date: Sun May 24 14:37:43 2015, Create Time/Date: Sun May 24 14:37:43 2015, Last Printed: Sun May 24 14:37:43 2015, Revision Number: {9F782918-0B7B-44C8-97CE-516EE8FF15BF}, Code page: 1252, Template: Intel;1033")
- source
- Extracted File
- relevance
- 10/10
-
Loads rich edit control libraries
- details
- "msiexec.exe" loaded module "%WINDIR%\System32\riched20.dll" at 6E9F0000
- source
- Loaded Module
-
Spawns new processes
- details
- Spawned process "msiexec.exe" with commandline "MSIEXEC.EXE /i "%LOCALAPPDATA%\Downloaded Installations\{9F782918-0B7B-44C8-97CE-516EE8FF15BF}\Debloater.msi" SETUPEXEDIR="C:" SETUPEXENAME="Debloater_setup_v3.90.exe""
- source
- Monitored Target
- relevance
- 3/10
-
-
Installation/Persistence
-
Connects to LPC ports
- details
- "<Input Sample>" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
-
Dropped files
- details
-
"Debloater.msi" has type "Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Debloater, Author: Gatesjunior Developer, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShielde Limited Edition 20, Last Saved Time/Date: Sun May 24 14:37:43 2015, Create Time/Date: Sun May 24 14:37:43 2015, Last Printed: Sun May 24 14:37:43 2015, Revision Number: {9F782918-0B7B-44C8-97CE-516EE8FF15BF}, Code page: 1252, Template: Intel;1033"
"~A7F4.tmp" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"~A809.tmp" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"~AC1C.tmp" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"0x0409.ini" has type "Little-endian UTF-16 Unicode text with very long lines with CRLF CR line terminators"
"_ISMSIDEL.INI" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
"Setup.INI" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators" - source
- Extracted File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"<Input Sample>" touched file "%WINDIR%\System32\0x0000.ini"
"<Input Sample>" touched file "%WINDIR%\Fonts\staticcache.dat"
"<Input Sample>" touched file "%WINDIR%\system32\en-US\MSCTF.dll.mui"
"<Input Sample>" touched file "%WINDIR%\system32\rsaenh.dll"
"<Input Sample>" touched file "%WINDIR%\System32" - source
- API Call
- relevance
- 7/10
-
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d"
Pattern match: "www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d"
Pattern match: "www.GatesjuniorDeveloper.comUnpublishProductUnregistering"
Pattern match: "http://crl.thawte.com/ThawteTimestampingCA.crl0U%0"
Pattern match: "https://www.verisign.com/rpa"
Pattern match: "http://csc3-2010-crl.verisign.com/CSC3-2010.crl0DU"
Pattern match: "http://csc3-2010-aia.verisign.com/CSC3-2010.cer0U#0{&K&0`HB0"
Pattern match: "http://www.flexerasoftware.com0"
- source
- String
- relevance
- 10/10
-
-
System Security
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "<Input Sample>" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
-
File Details
Debloater-setup-v3.90.exe
- Filename
- Debloater-setup-v3.90.exe
- Size
- 2.9MiB (2994545 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 1b06d6b6c71c182cb8ef84f2ab6a4e55d44cc2472803ed66fece72e11ce94948
- MD5
- 691a0cd56325222a7311a11581e5531f
- SHA1
- 6af6d1553353091985954212e22522467ee051a9
- ssdeep
- 49152:3fyNKOKBaVO007ieyFRT2JNZ9xyUwaMa6H3dxCy0V/oHq3yJeDvgRviB:3fTBaVO007ie3ZLZPMPdL0VKq3yJ36
- imphash
- 0761efbfe45066ddb1e49a2d0f5bf821
- authentihash
- 3c0b974fc6aa4738ea23a060e5faae276cbeb415aa75f90500c611cc0e1e9d7e
Version Info
- LegalCopyright
- Copyright (c) 2013 Flexera Software LLC. All Rights Reserved.
- ISInternalVersion
- 20.0.529
- InternalName
- Setup
- FileVersion
- 3.90
- CompanyName
- Gatesjunior Developer
- Internal Build Number
- 134369
- ProductName
- Debloater
- ProductVersion
- 3.90
- FileDescription
- Setup Launcher Unicode
- ISInternalDescription
- Setup Launcher Unicode
- OriginalFilename
- InstallShield Setup.exe
- Translation
- 0x0409 0x04b0
Classification (TrID)
- 48.1% (.EXE) InstallShield setup
- 34.9% (.EXE) Win32 Executable MS Visual C++ (generic)
- 7.3% (.DLL) Win32 Dynamic Link Library (generic)
- 5.0% (.EXE) Win32 Executable (generic)
- 2.2% (.EXE) Generic Win/DOS Executable
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
-
Debloater_setup_v3.90.exe
(PID: 2448)
- msiexec.exe MSIEXEC.EXE /i "%LOCALAPPDATA%\Downloaded Installations\{9F782918-0B7B-44C8-97CE-516EE8FF15BF}\Debloater.msi" SETUPEXEDIR="C:" SETUPEXENAME="Debloater_setup_v3.90.exe" (PID: 2588)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
3.0.0.0 | Domain/IP reference | 00023329-00002448-48363-1476-0042A1AB |
2.0.0.0 | Domain/IP reference | 00023329-00002448-48363-1476-0042A1AB |
2.5.4.3 | Domain/IP reference | 00023329-00002448-48363-6090-0045E818 |
2.9.0.0 | Domain/IP reference | 00023329-00002448-48363-1477-004379F1 |
2.5.4.11 | Domain/IP reference | 00023329-00002448-48363-6090-0045E818 |
2.5.4.10 | Domain/IP reference | 00023329-00002448-48363-6090-0045E818 |
49.1.9.1 | Domain/IP reference | 00023329-00002448-48363-6090-0045E818 |
http://www.installshield.com/isetup/proerrorcentral.asp?errorcode | Domain/IP reference | 00023329-00002448-48363-1085-00411ED9 |
Extracted Strings
Extracted Files
Displaying 7 extracted file(s). The remaining 1 file(s) are available in the full version and XML/JSON reports.
-
Clean 1
-
-
Debloater.msi
- Size
- 2.3MiB (2399232 bytes)
- Type
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.3, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Debloater, Author: Gatesjunior Developer, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShielde Limited Edition 20, Last Saved Time/Date: Sun May 24 14:37:43 2015, Create Time/Date: Sun May 24 14:37:43 2015, Last Printed: Sun May 24 14:37:43 2015, Revision Number: {9F782918-0B7B-44C8-97CE-516EE8FF15BF}, Code page: 1252, Template: Intel;1033
- AV Scan Result
- 0/55
- Runtime Process
- Debloater_setup_v3.90.exe (PID: 2448)
- MD5
- 719d0edc83c222e52695e59ebf6e3846
- SHA1
- 5717d928d78efb1c75d490e6929c3db305e78f0b
- SHA256
- f3cb9739038981168a6e2d0574ff528e023da9a583b69833a9496221f87c0ca2
-
-
Informative 6
-
-
~A7F4.tmp
- Size
- 5KiB (5132 bytes)
- Type
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- Debloater_setup_v3.90.exe (PID: 2448)
- MD5
- 27f360e4a2db62ceb5d8b499147c39ef
- SHA1
- 6f1ce9b7d5201432fec050aa4861309bfadcc634
- SHA256
- 7445f7f809d7b8a523e3f3df0a3b4ba23d0950e211299479e49288512ac08046
-
~A809.tmp
- Size
- 5KiB (5132 bytes)
- Type
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- Debloater_setup_v3.90.exe (PID: 2448)
- MD5
- 27f360e4a2db62ceb5d8b499147c39ef
- SHA1
- 6f1ce9b7d5201432fec050aa4861309bfadcc634
- SHA256
- 7445f7f809d7b8a523e3f3df0a3b4ba23d0950e211299479e49288512ac08046
-
~AC1C.tmp
- Size
- 5KiB (5132 bytes)
- Type
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- Debloater_setup_v3.90.exe (PID: 2448)
- MD5
- 27f360e4a2db62ceb5d8b499147c39ef
- SHA1
- 6f1ce9b7d5201432fec050aa4861309bfadcc634
- SHA256
- 7445f7f809d7b8a523e3f3df0a3b4ba23d0950e211299479e49288512ac08046
-
0x0409.ini
- Size
- 22KiB (22492 bytes)
- Type
- Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
- Runtime Process
- Debloater_setup_v3.90.exe (PID: 2448)
- MD5
- be345d0260ae12c5f2f337b17e07c217
- SHA1
- 0976ba0982fe34f1c35a0974f6178e15c238ed7b
- SHA256
- e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3
-
_ISMSIDEL.INI
- Size
- 616B (616 bytes)
- Type
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- Debloater_setup_v3.90.exe (PID: 2448)
- MD5
- 6cf884e94d5986f97ed2a32c04c1f0b9
- SHA1
- 97f6c52010f2309ee1e12136fb5f35bf7c393979
- SHA256
- 1aabc351bf76b036bf10ab11382395cdc33ce21c232597b67f8e4b2ef17f6489
-
Setup.INI
- Size
- 5KiB (5132 bytes)
- Type
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- Runtime Process
- Debloater_setup_v3.90.exe (PID: 2448)
- MD5
- 27f360e4a2db62ceb5d8b499147c39ef
- SHA1
- 6f1ce9b7d5201432fec050aa4861309bfadcc634
- SHA256
- 7445f7f809d7b8a523e3f3df0a3b4ba23d0950e211299479e49288512ac08046
-
Notifications
-
Runtime
- Added comment to Virus Total report
- No online hash lookups were performed due to the 'suppressMultiscanHashLookups' option
- Not all sources for signature ID "api-6" are available in the report
- Not all sources for signature ID "stream-3" are available in the report
- Not all sources for signature ID "string-43" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)