Cache.2010.1.2.ODBCDriver_x64.exe
This report was generated from a file or URL submitted to this web service on September 8th 2016 20:59:53 (UTC) with the action script "Heavy Anti-Evasion".
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v5.10 © Hybrid Analysis
Incident Response
Risk Assessment
- Fingerprint
-
Reads the active computer name
Reads the cryptographic machine GUID - Evasive
- References security related windows services
Indicators
Not all malicious and suspicious indicators are displayed.
-
Malicious Indicators 2
-
System Security
-
References security related windows services
- details
-
(Indicator: "bfe") - source
- String
- relevance
- 7/10
-
Unusual Characteristics
-
Contains ability to reboot/shutdown the operating system
- details
-
ExitWindowsEx@USER32.DLL from 73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe (PID: 3284)
ExitWindowsEx@USER32.DLL from 73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe (PID: 3284) - source
- Hybrid Analysis Technology
- relevance
- 5/10
-
Suspicious Indicators 15
-
Anti-Detection/Stealthiness
-
Sets the process error mode to suppress error box
- details
- "<Input Sample>" set its error mode to SEM_NOOPENFILEERRORBOX
- source
- API Call
- relevance
- 8/10
-
Anti-Reverse Engineering
-
PE file has unusual entropy sections
- details
- .rsrc with unusual entropy 7.51119845326
- source
- Static Parser
- relevance
- 10/10
-
Environment Awareness
-
Reads the active computer name
- details
-
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME") - source
- Registry Access
- relevance
- 5/10
-
Reads the cryptographic machine GUID
- details
- "msiexec.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
-
General
-
Contains ability to find and load resources of a specific module
- details
-
FindResourceA@KERNEL32.dll
LoadResource@KERNEL32.dll at 60388-2701-00448F9B
FindResourceA@KERNEL32.DLL from 73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe (PID: 3284)
FindResourceA@KERNEL32.DLL from 73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe (PID: 3284)
LoadResource@KERNEL32.DLL from PID 00003284
FindResourceA@KERNEL32.DLL from 73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe (PID: 3284)
FindResourceA@KERNEL32.DLL from 73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe (PID: 3284)
LoadResource@KERNEL32.DLL from PID 00003284 - source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Reads configuration files
- details
-
"<Input Sample>" read file "%TEMP%\{88F7EC01-8C2E-4D2B-BB46-29F1580598C8}\Setup.INI"
"<Input Sample>" read file "%TEMP%\{88F7EC01-8C2E-4D2B-BB46-29F1580598C8}\_ISMSIDEL.INI"
"<Input Sample>" read file "%TEMP%\{88F7EC01-8C2E-4D2B-BB46-29F1580598C8}\0x0409.ini" - source
- API Call
- relevance
- 4/10
-
Installation/Persistence
-
Contains ability to write to a remote process
- details
-
WriteProcessMemory@KERNEL32.dll
WriteProcessMemory@KERNEL32.DLL from 73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe (PID: 3284)
WriteProcessMemory@KERNEL32.DLL from 73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe (PID: 3284) - source
- Hybrid Analysis Technology
- relevance
- 8/10
-
Found a string that is often used as part of an injection method
- details
- "Shell_TrayWnd" (Taskbar window class is often used to inject into explorer with the SetWindowLong method)
- source
- String
- relevance
- 4/10
-
Network Related
-
Found potential IP address in binary/memory
- details
-
Heuristic match: "2.0.2600.0"
Heuristic match: "4.70.0.1300"
Heuristic match: "1.20.1827.0"
Heuristic match: "1.2.840.113549.1.9.1"
"4.05.0.0"
"2.5.4.3"
"2.5.4.11"
"2.5.4.10"
"2.9.0.0"
Heuristic match: "version="1.0.0.0""
Heuristic match: "version="6.0.0.0""
Heuristic match: "+/+%uHO2k~QH"m5 b#;/v2i:;7hLS_)14VS_VERSION_INFO?StringFileInfo040904B0LCompanyNameAcresso Software Inc.PFileDescriptionISRegSvr.dll Module6FileVersion15.0.0.498:", Heuristic match: "ScriptVer=1.0.0.1", Heuristic match: "2.0.2600.0=SupportOS" - source
- String
- relevance
- 3/10
-
System Destruction
-
Marks file for deletion
- details
-
"C:\73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe" marked "%TEMP%\_MSI5166._IS" for deletion
"C:\73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe" marked "%TEMP%\_isE12F.tmp" for deletion
"C:\73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe" marked "%TEMP%\_isE180.tmp" for deletion
"C:\73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe" marked "%TEMP%\_isE2F5.tmp" for deletion
"C:\73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe" marked "%TEMP%\~E2F4.tmp" for deletion
"C:\73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe" marked "%TEMP%\_isE595.tmp" for deletion
"C:\73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe" marked "%TEMP%\{88F7EC01-8C2E-4D2B-BB46-29F1580598C8}\0x0409.ini" for deletion
"C:\73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe" marked "%TEMP%\{88F7EC01-8C2E-4D2B-BB46-29F1580598C8}\InterSystems ODBC Driver.msi" for deletion
"C:\73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe" marked "%TEMP%\{88F7EC01-8C2E-4D2B-BB46-29F1580598C8}\Setup.INI" for deletion
"C:\73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe" marked "%TEMP%\{88F7EC01-8C2E-4D2B-BB46-29F1580598C8}\_ISMSIDEL.INI" for deletion
"C:\73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe" marked "%TEMP%\{88F7EC01-8C2E-4D2B-BB46-29F1580598C8}" for deletion - source
- API Call
- relevance
- 10/10
-
Opens file with deletion access rights
- details
-
"<Input Sample>" opened "%TEMP%\_MSI5166._IS" with delete access
"<Input Sample>" opened "%TEMP%\_isE12F.tmp" with delete access
"<Input Sample>" opened "%TEMP%\_isE180.tmp" with delete access
"<Input Sample>" opened "%TEMP%\_isE2F5.tmp" with delete access
"<Input Sample>" opened "%TEMP%\~E2F4.tmp" with delete access
"<Input Sample>" opened "%TEMP%\_isE595.tmp" with delete access
"<Input Sample>" opened "%TEMP%\{88F7EC01-8C2E-4D2B-BB46-29F1580598C8}\0x0409.ini" with delete access
"<Input Sample>" opened "%TEMP%\{88F7EC01-8C2E-4D2B-BB46-29F1580598C8}\InterSystems ODBC Driver.msi" with delete access
"<Input Sample>" opened "%TEMP%\{88F7EC01-8C2E-4D2B-BB46-29F1580598C8}\Setup.INI" with delete access
"<Input Sample>" opened "%TEMP%\{88F7EC01-8C2E-4D2B-BB46-29F1580598C8}\_ISMSIDEL.INI" with delete access
"<Input Sample>" opened "%TEMP%\{88F7EC01-8C2E-4D2B-BB46-29F1580598C8}" with delete access - source
- API Call
- relevance
- 7/10
-
System Security
-
Contains ability to elevate privileges
- details
-
SetSecurityDescriptorDacl@ADVAPI32.DLL from 73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe (PID: 3284)
SetSecurityDescriptorDacl@ADVAPI32.DLL from 73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe (PID: 3284) - source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Unusual Characteristics
-
Contains embedded string with suspicious keywords
- details
-
Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
Found suspicious keyword "Write" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Environ" which indicates: "May read system environment variables"
Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
Found suspicious keyword "Shell" which indicates: "May run an executable file or a system command"
Found suspicious keyword "Open" which indicates: "May open a file" - source
- String
- relevance
- 10/10
-
Imports suspicious APIs
- details
-
OpenProcessToken
RegCloseKey
RegCreateKeyA
RegCreateKeyExA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyA
RegEnumKeyExA
RegOpenKeyA
RegOpenKeyExA
SetSecurityDescriptorDacl
CopyFileA
CreateDirectoryA
CreateFileA
CreateFileMappingA
CreateProcessA
CreateThread
DeleteFileA
FindFirstFileA
FindNextFileA
FindResourceA
FindResourceExA
GetCommandLineA
GetDriveTypeA
GetFileAttributesA
GetFileSize
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetStartupInfoA
GetTempFileNameA
GetTempPathA
GetThreadContext
GetTickCount
GetVersionExA
LoadLibraryA
LoadLibraryExA
LockResource
MapViewOfFile
OpenProcess
Sleep
TerminateProcess
UnhandledExceptionFilter
VirtualAlloc
VirtualProtect
VirtualProtectEx
WriteFile
WriteProcessMemory
ShellExecuteA
ShellExecuteExA
FindWindowA - source
- Static Parser
- relevance
- 1/10
-
Reads information about supported languages
- details
-
"<Input Sample>" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
"msiexec.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409") - source
- Registry Access
- relevance
- 3/10
-
Informative 14
-
Anti-Reverse Engineering
-
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details
-
SetUnhandledExceptionFilter@KERNEL32.dll at 60388-3413-0043B328
SetUnhandledExceptionFilter@KERNEL32.dll at 60388-4507-0043B31B
SetUnhandledExceptionFilter@KERNEL32.DLL from PID 00003284
SetUnhandledExceptionFilter@KERNEL32.DLL from PID 00003284 - source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Environment Awareness
-
Contains ability to query machine time
- details
-
GetLocalTime@KERNEL32.dll
GetLocalTime@KERNEL32.dll at 60388-2565-00446BEB
GetSystemTimeAsFileTime@KERNEL32.DLL from 73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe (PID: 3284)
GetLocalTime@KERNEL32.DLL from 73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe (PID: 3284)
GetLocalTime@KERNEL32.DLL from PID 00003284
GetSystemTimeAsFileTime@KERNEL32.DLL from 73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe (PID: 3284)
GetLocalTime@KERNEL32.DLL from PID 00003284
GetLocalTime@KERNEL32.DLL from 73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe (PID: 3284) - source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query the machine version
- details
-
GetVersion@KERNEL32.dll
GetVersionExA@KERNEL32.dll at 60388-2545-00445BEE
GetVersionExA@KERNEL32.dll at 60388-2538-004459C7
GetVersionExA@KERNEL32.dll at 60388-2547-00445C48
GetVersionExA@KERNEL32.dll at 60388-2546-00445C1A
GetVersionExA@KERNEL32.dll at 60388-2414-0043EC0B
GetVersionExA@KERNEL32.dll at 60388-2186-0040BB75
GetVersion@KERNEL32.dll
GetVersionExA@KERNEL32.dll at 60388-2573-00447BDA
GetVersion@KERNEL32.DLL from 73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe (PID: 3284)
GetVersion@KERNEL32.DLL from 73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe (PID: 3284)
GetVersionExA@KERNEL32.DLL from PID 00003284
GetVersionExA@KERNEL32.DLL from PID 00003284
GetVersionExA@KERNEL32.DLL from PID 00003284
GetVersionExA@KERNEL32.DLL from PID 00003284
GetVersionExA@KERNEL32.DLL from 73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe (PID: 3284)
GetVersion@KERNEL32.DLL from PID 00003284
GetVersionExA@KERNEL32.DLL from PID 00003284
GetVersionExA@KERNEL32.DLL from PID 00003284
GetVersionExA@KERNEL32.DLL from 73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe (PID: 3284) - source
- Hybrid Analysis Technology
- relevance
- 1/10
-
Contains ability to query volume size
- details
-
GetDiskFreeSpaceA@KERNEL32.DLL from 73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe (PID: 3284)
GetDiskFreeSpaceA@KERNEL32.DLL from 73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe (PID: 3284) - source
- Hybrid Analysis Technology
- relevance
- 3/10
-
Makes a code branch decision directly after an API that is environment aware
- details
-
Found API call GetVersionExA@KERNEL32.dll (Target: "73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe.bin"; Stream UID: "60388-2538-004459C7")
which is directly followed by "cmp dword ptr [ebp-00000084h], 01h" and "jne 00445A42h". See related instructions: "...
+0 push ebp
+1 mov ebp, esp
+3 sub esp, 00000094h
+9 mov eax, dword ptr [ebp+08h]
+12 push esi
+13 mov esi, dword ptr [ebp+0Ch]
+16 mov dword ptr [ebp-00000094h], 00000094h
+26 and dword ptr [eax], 00000000h
+29 lea eax, dword ptr [ebp-00000094h]
+35 and dword ptr [esi], 00000000h
+38 push eax
+39 call dword ptr [0046911Ch] ;GetVersionExA
+45 cmp dword ptr [ebp-00000084h], 01h
+52 jne 00445A42h" ... at 60388-2538-004459C7
Found API call GetVersion@KERNEL32.dll (Target: "73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe.bin"; Stream UID: "60388-2783-0044C4B0")
which is directly followed by "cmp eax, 80000000h" and "jbe 0044CAA1h". See related instructions: "...
+1409 call dword ptr [00469174h] ;GetVersion
+1415 cmp eax, 80000000h
+1420 jbe 0044CAA1h" ... (Show Stream)
Found API call GetVersionExA@KERNEL32.DLL (Target: "73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe"; Stream UID: "00024820-00003284-6925-517-004301F4")
which is directly followed by "cmp dword ptr [ebp-00000084h], 02h" and "ret ". See related instructions: "...
+0 push ebp
+1 mov ebp, esp
+3 sub esp, 00000094h
+9 lea eax, dword ptr [ebp-00000094h]
+15 mov dword ptr [ebp-00000094h], 00000094h
+25 push eax
+26 call dword ptr [0046911Ch] ;GetVersionExA
+32 xor eax, eax
+34 cmp dword ptr [ebp-00000084h], 02h
+41 sete al
+44 leave
+45 ret " ... from PID 00003284
Found API call GetVersionExA@KERNEL32.DLL (Target: "73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe"; Stream UID: "00024820-00003284-6925-670-004301C6")
which is directly followed by "cmp dword ptr [ebp-00000084h], 01h" and "ret ". See related instructions: "...
+0 push ebp
+1 mov ebp, esp
+3 sub esp, 00000094h
+9 lea eax, dword ptr [ebp-00000094h]
+15 mov dword ptr [ebp-00000094h], 00000094h
+25 push eax
+26 call dword ptr [0046911Ch] ;GetVersionExA
+32 xor eax, eax
+34 cmp dword ptr [ebp-00000084h], 01h
+41 sete al
+44 leave
+45 ret " ... from PID 00003284
Found API call GetVersion@KERNEL32.DLL (Target: "73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe"; Stream UID: "00024820-00003284-6925-752-00428753")
which is directly followed by "cmp ecx, eax" and "ret ". See related instructions: "...
+0 call dword ptr [00469174h] ;GetVersion
+6 mov ecx, 80000000h
+11 cmp ecx, eax
+13 sbb eax, eax
+15 neg eax
+17 ret " ... from PID 00003284
Found API call GetVersionExA@KERNEL32.DLL (Target: "73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe"; Stream UID: "00024820-00003284-6925-679-00416DFD")
which is directly followed by "cmp dword ptr [ebp-00000188h], 05h" and "jne 00416F79h". See related instructions: "...
+5 call 00433AE8h
+10 sub esp, 00000180h
+16 push ebx
+17 lea eax, dword ptr [ebp-0000018Ch]
+23 push esi
+24 mov dword ptr [ebp-14h], ecx
+27 push eax
+28 mov dword ptr [ebp-0000018Ch], 0000009Ch
+38 call dword ptr [0046911Ch] ;GetVersionExA
+44 cmp dword ptr [ebp-00000188h], 05h
+51 jne 00416F79h" ... from PID 00003284
Found API call GetVersionExA@KERNEL32.DLL (Target: "73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe"; Stream UID: "00024820-00003284-6925-660-0041B556")
which is directly followed by "cmp word ptr [ebp-000000FCh], 0001h" and "jnc 0041B837h". See related instructions: "...
+166 lea eax, dword ptr [ebp-00000190h]
+172 mov dword ptr [ebp-00000190h], 0000009Ch
+182 push eax
+183 call dword ptr [0046911Ch] ;GetVersionExA
+189 cmp word ptr [ebp-000000FCh], 0001h
+197 jnc 0041B837h" ... from 73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe (PID: 3284) (Show Stream)
Found API call GetVersion@KERNEL32.DLL (Target: "73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe"; Stream UID: "00024820-00003284-6925-1804-0044C4B0")
which is directly followed by "cmp eax, 80000000h" and "jbe 0044CAA1h". See related instructions: "...
+1409 call dword ptr [00469174h] ;GetVersion
+1415 cmp eax, 80000000h
+1420 jbe 0044CAA1h" ... from 73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe (PID: 3284) (Show Stream)
Found API call GetVersionExA@KERNEL32.DLL (Target: "73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe"; Stream UID: "00024820-00003284-6925-1559-004459C7")
which is directly followed by "cmp dword ptr [ebp-00000084h], 01h" and "jne 00445A42h". See related instructions: "...
+0 push ebp
+1 mov ebp, esp
+3 sub esp, 00000094h
+9 mov eax, dword ptr [ebp+08h]
+12 push esi
+13 mov esi, dword ptr [ebp+0Ch]
+16 mov dword ptr [ebp-00000094h], 00000094h
+26 and dword ptr [eax], 00000000h
+29 lea eax, dword ptr [ebp-00000094h]
+35 and dword ptr [esi], 00000000h
+38 push eax
+39 call dword ptr [0046911Ch] ;GetVersionExA
+45 cmp dword ptr [ebp-00000084h], 01h
+52 jne 00445A42h" ... from PID 00003284
Found API call GetVersionExA@KERNEL32.DLL (Target: "73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe"; Stream UID: "00024820-00003284-2477-517-004301F4")
which is directly followed by "cmp dword ptr [ebp-00000084h], 02h" and "ret ". See related instructions: "...
+0 push ebp
+1 mov ebp, esp
+3 sub esp, 00000094h
+9 lea eax, dword ptr [ebp-00000094h]
+15 mov dword ptr [ebp-00000094h], 00000094h
+25 push eax
+26 call dword ptr [0046911Ch] ;GetVersionExA
+32 xor eax, eax
+34 cmp dword ptr [ebp-00000084h], 02h
+41 sete al
+44 leave
+45 ret " ... from PID 00003284
Found API call GetVersionExA@KERNEL32.DLL (Target: "73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe"; Stream UID: "00024820-00003284-2477-678-00416DFD")
which is directly followed by "cmp dword ptr [ebp-00000188h], 05h" and "jne 00416F79h". See related instructions: "...
+5 call 00433AE8h
+10 sub esp, 00000180h
+16 push ebx
+17 lea eax, dword ptr [ebp-0000018Ch]
+23 push esi
+24 mov dword ptr [ebp-14h], ecx
+27 push eax
+28 mov dword ptr [ebp-0000018Ch], 0000009Ch
+38 call dword ptr [0046911Ch] ;GetVersionExA
+44 cmp dword ptr [ebp-00000188h], 05h
+51 jne 00416F79h" ... from PID 00003284
Found API call GetVersionExA@KERNEL32.DLL (Target: "73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe"; Stream UID: "00024820-00003284-2477-669-004301C6")
which is directly followed by "cmp dword ptr [ebp-00000084h], 01h" and "ret ". See related instructions: "...
+0 push ebp
+1 mov ebp, esp
+3 sub esp, 00000094h
+9 lea eax, dword ptr [ebp-00000094h]
+15 mov dword ptr [ebp-00000094h], 00000094h
+25 push eax
+26 call dword ptr [0046911Ch] ;GetVersionExA
+32 xor eax, eax
+34 cmp dword ptr [ebp-00000084h], 01h
+41 sete al
+44 leave
+45 ret " ... from PID 00003284
Found API call GetVersionExA@KERNEL32.DLL (Target: "73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe"; Stream UID: "00024820-00003284-2477-659-0041B556")
which is directly followed by "cmp word ptr [ebp-000000FCh], 0001h" and "jnc 0041B837h". See related instructions: "...
+166 lea eax, dword ptr [ebp-00000190h]
+172 mov dword ptr [ebp-00000190h], 0000009Ch
+182 push eax
+183 call dword ptr [0046911Ch] ;GetVersionExA
+189 cmp word ptr [ebp-000000FCh], 0001h
+197 jnc 0041B837h" ... from 73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe (PID: 3284) (Show Stream)
Found API call GetVersion@KERNEL32.DLL (Target: "73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe"; Stream UID: "00024820-00003284-2477-754-00428753")
which is directly followed by "cmp ecx, eax" and "ret ". See related instructions: "...
+0 call dword ptr [00469174h] ;GetVersion
+6 mov ecx, 80000000h
+11 cmp ecx, eax
+13 sbb eax, eax
+15 neg eax
+17 ret " ... from PID 00003284
Found API call GetVersionExA@KERNEL32.DLL (Target: "73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe"; Stream UID: "00024820-00003284-2477-1561-004459C7")
which is directly followed by "cmp dword ptr [ebp-00000084h], 01h" and "jne 00445A42h". See related instructions: "...
+0 push ebp
+1 mov ebp, esp
+3 sub esp, 00000094h
+9 mov eax, dword ptr [ebp+08h]
+12 push esi
+13 mov esi, dword ptr [ebp+0Ch]
+16 mov dword ptr [ebp-00000094h], 00000094h
+26 and dword ptr [eax], 00000000h
+29 lea eax, dword ptr [ebp-00000094h]
+35 and dword ptr [esi], 00000000h
+38 push eax
+39 call dword ptr [0046911Ch] ;GetVersionExA
+45 cmp dword ptr [ebp-00000084h], 01h
+52 jne 00445A42h" ... from PID 00003284
Found API call GetVersion@KERNEL32.DLL (Target: "73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe"; Stream UID: "00024820-00003284-2477-1806-0044C4B0")
which is directly followed by "cmp eax, 80000000h" and "jbe 0044CAA1h". See related instructions: "...
+1409 call dword ptr [00469174h] ;GetVersion
+1415 cmp eax, 80000000h
+1420 jbe 0044CAA1h" ... from 73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe (PID: 3284) (Show Stream) - source
- Hybrid Analysis Technology
- relevance
- 10/10
-
Contains ability to query machine time
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
- 0/42 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
Sample was identified as clean by Antivirus engines
-
General
-
Contains PDB pathways
- details
-
"C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup___Win32_Release\setup.pdb"
"h:\nt.obj.x86fre\base\wcp\tools\msmcustomaction\objfre\i386\msmcustomaction.pdb"
"C:\CodeBases\isdev\Redist\Language Independent\x64\ISBEW64.pdb" - source
- String
- relevance
- 1/10
-
Creates a writable file in a temporary directory
- details
-
"<Input Sample>" created file "%TEMP%\_MSI5166._IS"
"<Input Sample>" created file "%TEMP%\_isE12F.tmp"
"<Input Sample>" created file "%TEMP%\{88F7EC01-8C2E-4D2B-BB46-29F1580598C8}\Setup.INI"
"<Input Sample>" created file "%TEMP%\{88F7EC01-8C2E-4D2B-BB46-29F1580598C8}\_ISMSIDEL.INI"
"<Input Sample>" created file "%TEMP%\_isE180.tmp"
"<Input Sample>" created file "%TEMP%\{88F7EC01-8C2E-4D2B-BB46-29F1580598C8}\0x0409.ini"
"<Input Sample>" created file "%TEMP%\_isE2F5.tmp"
"<Input Sample>" created file "%TEMP%\~E2F4.tmp"
"<Input Sample>" created file "%TEMP%\_isE595.tmp"
"<Input Sample>" created file "%TEMP%\{88F7EC01-8C2E-4D2B-BB46-29F1580598C8}\InterSystems ODBC Driver.msi" - source
- API Call
- relevance
- 1/10
-
Spawns new processes
- details
- Spawned process "msiexec.exe" with commandline "MSIEXEC.EXE /i "%TEMP%\{88F7EC01-8C2E-4D2B-BB46-29F1580598C8}\InterSystems ODBC Driver.msi" SETUPEXEDIR="C:" SETUPEXENAME="73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe"" (Show Process)
- source
- Monitored Target
- relevance
- 3/10
-
Contains PDB pathways
-
Installation/Persistence
-
Connects to LPC ports
- details
- "<Input Sample>" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
-
Dropped files
- details
-
"InterSystems ODBC Driver.msi" has type "Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.2, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Blank Project Template, Author: Intersystems Corp, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShieldC 2009 - Professional Edition 15, Last Saved Time/Date: Tue May 11 11:05:32 2010, Create Time/Date: Tue May 11 11:05:32 2010, Last Printed: Tue May 11 11:05:32 2010, Revision Number: {13F29B46-9969-467B-9DCC-31370DE51910}, Code page: 1252, Template: x64;1033"
"_isE2F5.tmp" has type "data"
"_MSI5166._IS" has type "empty "
"wkssvc" has type "empty "
"~E2F4.tmp" has type "ASCII text with CRLF line terminators"
"_isE180.tmp" has type "data"
"0x0409.ini" has type "Little-endian UTF-16 Unicode text, with CRLF, CR line terminators"
"_isE12F.tmp" has type "data"
"_ISMSIDEL.INI" has type "ASCII text with CRLF line terminators"
"Setup.INI" has type "ASCII text with CRLF line terminators"
"_isE595.tmp" has type "data" - source
- Extracted File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"<Input Sample>" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
"<Input Sample>" touched file "%WINDIR%\Fonts\staticcache.dat"
"<Input Sample>" touched file "%WINDIR%\system32\en-US\MSCTF.dll.mui" - source
- API Call
- relevance
- 7/10
-
Connects to LPC ports
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "crl.microsoft.com/pki/crl/products/CSPCA.crl0H+"
Pattern match: "crl.microsoft.com/pki/crl/products/tspca.crl0H+"
Pattern match: "http://crl.verisign.com/tss-ca.crl0U%0"
Pattern match: "crl.verisign.com/ThawteTimestampingCA.crl0U%0"
Pattern match: "https://www.verisign.com/rpa"
Pattern match: "https://www.verisign.com/rpa01U*0"
Pattern match: "http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0DU"
Pattern match: "CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0U#0Q==d6|h[x70`HB0"
Pattern match: "www.acresso.com0" - source
- String
- relevance
- 10/10
-
Found potential URL in binary/memory
-
System Security
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
- "<Input Sample>" opened "\Device\KsecDD"
- source
- API Call
- relevance
- 10/10
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
File Details
Cache.2010.1.2.ODBCDriver_x64.exe
- Filename
- Cache.2010.1.2.ODBCDriver_x64.exe
- Size
- 1.5MiB (1536929 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- Architecture
- WINDOWS
- SHA256
- 73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55
- MD5
- f9f17db4b46db5b9ed416dd07e98b1f8
- SHA1
- 6e9045a001b1ff133d15fa40f6d1f7534a49cf1e
- ssdeep
- 24576:NGRmervjUoDEgfnImcJaBhotTRTFWxGPH1y74Kakv4yK+GM7060+PI+5+GW7TCle:ozQoRfAJa/iTRKGPHW4ObK7x5+NDl+Wg
- imphash
- 41210880fac00969df189c93c8777bed
- authentihash
- b13b5321ebf68392d9226f1d615c4473d1c6171703b18cb71292b6d4cd5c4475
Version Info
- LegalCopyright
- InterSystems Corporation
- InternalName
- Setup
- FileVersion
- 1.00.0000
- CompanyName
- Intersystems Corp
- Internal Build Number
- 82160
- ProductName
- InterSystems ODBC Driver
- ProductVersion
- 1.00.0000
- FileDescription
- Contact: Your local administrator
- OriginalFilename
- Setup.exe
- Translation
- 0x0409 0x04b0
Classification (TrID)
- 38.7% (.EXE) Win32 Executable MS Visual C++ (generic)
- 34.3% (.EXE) Win64 Executable (generic)
- 16.2% (.SCR) Windows screen saver
- 5.6% (.EXE) Win32 Executable (generic)
- 2.4% (.EXE) Generic Win/DOS Executable
File Sections
File Imports
Screenshots
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
-
Input Sample
(PID: 3284)
- msiexec.exe MSIEXEC.EXE /i "%TEMP%\{88F7EC01-8C2E-4D2B-BB46-29F1580598C8}\InterSystems ODBC Driver.msi" SETUPEXEDIR="C:" SETUPEXENAME="73a725db8f12264a4e2b0b58a61a29ca8098ac3e3b47fdbcdaf6042117b8cc55.exe" (PID: 3504)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Memory Forensics
String | Context | Stream UID |
---|---|---|
3.0.0.0 | Domain/IP reference | 60388-660-00418184 |
2.0.0.0 | Domain/IP reference | 60388-660-00418184 |
2.5.4.3 | Domain/IP reference | 00024820-00003284-6925-1736-00456D94 |
2.9.0.0 | Domain/IP reference | 60388-661-00429C32 |
2.5.4.11 | Domain/IP reference | 00024820-00003284-6925-1736-00456D94 |
2.5.4.10 | Domain/IP reference | 00024820-00003284-6925-1736-00456D94 |
49.1.9.1 | Domain/IP reference | 00024820-00003284-6925-1736-00456D94 |
Extracted Strings
Extracted Files
-
Informative 11
-
-
InterSystems ODBC Driver.msi
- Size
- 1.2MiB (1309696 bytes)
- Type
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.2, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Blank Project Template, Author: Intersystems Corp, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShieldC 2009 - Professional Edition 15, Last Saved Time/Date: Tue May 11 11:05:32 2010, Create Time/Date: Tue May 11 11:05:32 2010, Last Printed: Tue May 11 11:05:32 2010, Revision Number: {13F29B46-9969-467B-9DCC-31370DE51910}, Code page: 1252, Template: x64;1033
- MD5
- 50ae7e01909cfbd148ca36aefa39b6e3
- SHA1
- 7266dd646fbeb13bcc45e895323cb25f4ef641cf
- SHA256
- 8081ce1167f94b4057bceb24cb439c5159718a3eaebc2fbe100000fd0fdd6ab7
-
_isE2F5.tmp
- Size
- 1.1KiB (1121 bytes)
- Type
- data
- MD5
- db42b26b8df491b0f7ca5d1cd02ca249
- SHA1
- 5a00fbaad32106d5354cf86300f10f4626fc9802
- SHA256
- ba3cc06e63a1f2461f0157d475c2f1b7bda191bc074f61b8913232ecc3073ac4
-
~E2F4.tmp
- Size
- 2.7KiB (2718 bytes)
- Type
- ASCII text, with CRLF line terminators
- MD5
- c7134e89b53dfcdbc790aa9b70c406bf
- SHA1
- a96d649cf3fe935ef8b88775b6d41247f09e03bd
- SHA256
- 9ff143b92c5aa7c6f28c1b28894d3e560cf462689cdf03d8ff5e54075339f243
-
_isE180.tmp
- Size
- 2.9KiB (3017 bytes)
- Type
- data
- MD5
- ae10f061af304517f6e3f3157795a5b7
- SHA1
- f80822a26461dbcaf29ed0de91fd41c2bb370c44
- SHA256
- c1c419be1398addbd82f88be6c3ff810ed04b8c970ab7349b07ec11b07368043
-
0x0409.ini
- Size
- 13KiB (13660 bytes)
- Type
- Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
- MD5
- 758747727e96a23c7c5a5bbb011656e4
- SHA1
- 51cc637e7eb3451d6dfa9465d949d6dfb2cd65c9
- SHA256
- bad3b2e854149df9413f06e6c1c7b7c875545393877f59b59907f6b083ce5825
-
_isE12F.tmp
- Size
- 1.1KiB (1121 bytes)
- Type
- data
- MD5
- db42b26b8df491b0f7ca5d1cd02ca249
- SHA1
- 5a00fbaad32106d5354cf86300f10f4626fc9802
- SHA256
- ba3cc06e63a1f2461f0157d475c2f1b7bda191bc074f61b8913232ecc3073ac4
-
_ISMSIDEL.INI
- Size
- 339B (339 bytes)
- Type
- ASCII text, with CRLF line terminators
- MD5
- a116b5b110b3bbab160811377429f15e
- SHA1
- a4a786ec60a6da271cd6aeaa341e08ceb7fc6bb3
- SHA256
- f8cdfe25e21264c3bd368a5e199dc982c0b6f1bd53724db825ab599c7a2213f4
-
Setup.INI
- Size
- 2.7KiB (2718 bytes)
- Type
- ASCII text, with CRLF line terminators
- MD5
- c7134e89b53dfcdbc790aa9b70c406bf
- SHA1
- a96d649cf3fe935ef8b88775b6d41247f09e03bd
- SHA256
- 9ff143b92c5aa7c6f28c1b28894d3e560cf462689cdf03d8ff5e54075339f243
-
_isE595.tmp
- Size
- 880KiB (900929 bytes)
- Type
- data
- MD5
- 970c11fa3dc1384cb449153b2d53ff07
- SHA1
- 6913d603274e6c14db75ee2b8e7c844bf57c5f39
- SHA256
- 6c7a8b2552996e4087f8ad40b4757437bc26a25abdf85087d5c3cd6d7d61d792
-
_MSI5166._IS
- Size
- Unknown (0 bytes)
- Type
- empty
-
wkssvc
- Size
- Unknown (0 bytes)
- Type
- empty
-
Notifications
-
Runtime
- Added comment to Virus Total report
- Dropped file "InterSystems ODBC Driver.msi" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/8081ce1167f94b4057bceb24cb439c5159718a3eaebc2fbe100000fd0fdd6ab7/analysis/1473361660/")
- Not all sources for signature ID "api-6" are available in the report
- Not all sources for signature ID "stream-3" are available in the report
- Not all sources for signature ID "string-3" are available in the report
- Not all sources for signature ID "string-43" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)