PESCAN.IO - Analysis Report Basic
| File Structure |
PE chart (image not included in this text export). Legend: PE header (light blue); executable sections (pink); non-executable sections (black); external injected code (red); file structure drawn in red = malformed or corrupted header. For non-PE files: printable characters (blue), non-printable characters (black).
| Information |
| Field | Value |
|---|---|
| Size | 4,95 MB |
| SHA-256 Hash | B06E5A44D513380EA6A388D2F90F8B1A0AF9172FF5357100724FEF6EC04F72A3 |
| SHA-1 Hash | 4101C50740C5C1AC9DA9C7DB2A03FFE6D758E829 |
| MD5 Hash | 27FAB0EFE41BB6B8D8B029E65E24D35E |
| Imphash | 1CFCB336B4F80E93477F676FB7828C70 |
| MajorOSVersion | 4 |
| MinorOSVersion | 0 |
| CheckSum | 004F6042 |
| EntryPoint (rva) | 56B33 |
| SizeOfHeaders | 400 |
| SizeOfImage | EA000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ImportTable | 87920 |
| IAT | 76000 |
| Characteristics | 10F |
| TimeDateStamp | 4B4E197F |
| Date | 13/01/2010 19:05:35 |
| File Type | EXE |
| Number Of Sections | 4 |
| ASLR | Disabled |
| Section Names | .text, .rdata, .data, .rsrc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| Sections Info |
| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 400 | 74C00 | 1000 | 74B10 | | |
| .rdata | 0x40000040 Initialized Data Readable | 75000 | 13600 | 76000 | 13564 | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | 88600 | AC00 | 8A000 | 10248 | | |
| .rsrc | 0x40000040 Initialized Data Readable | 93200 | 4E200 | 9B000 | 4E198 | | |
| Description |
| Field | Value |
|---|---|
| OriginalFilename | Setup.exe |
| CompanyName | rohitab.com |
| LegalCopyright | (c) 2000-2013 Rohitab Batra. All rights reserved. |
| ProductName | Upgrade check: later product version already installed |
| FileVersion | 2.13.0 |
| FileDescription | API Monitor Installer |
| ProductVersion | ProductCode |
| Language | English (United States) (ID=0x409) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |
| Binder/Joiner/Crypter |
| Dropper code detected (EOF) - 4,03 MB |
| Entry Point |
Section 1 (.text) contains the entry point. EntryPoint (calculated): 55F33, which is the raw file offset of RVA 56B33 (.text starts at raw offset 400 and RVA 1000).

Code bytes at the entry point: 558BEC6AFF68F87E4700681077450064A100000000506489250000000083EC585356578965E8FF157C61470033D28AD48915

Assembler:

```
PUSH EBP
MOV EBP, ESP
PUSH -1
PUSH 0X477EF8
PUSH 0X457710
MOV EAX, DWORD PTR FS:[0]
PUSH EAX
MOV DWORD PTR FS:[0], ESP
SUB ESP, 0X58
PUSH EBX
PUSH ESI
PUSH EDI
MOV DWORD PTR [EBP - 0X18], ESP
CALL DWORD PTR [0X47617C]
XOR EDX, EDX
MOV DL, AH
```

This is the standard SEH frame setup of a Visual C++ 6.0 CRT entry stub, consistent with the compiler identification below.
| Signatures |
- Rich Signature Analyzer: code 45190DCF0178639C0178639C0178639C7A646F9C0378639C82646D9C1F78639C375E699C9278639C6E67689C0278639C325A469C0378639CDB5B7F9C0278639CE967689C0278639C0178629C5979639CFB5B7A9C1278639C375E689C4378639CC67E659C0078639C526963680178639C
- Footprint MD5 hash: 5605EC5B685728D8B222F673047669E2
- The Rich header apparently has not been modified
- Certificate / digital signature: the file is signed and the signature is correct
| Packer/Compiler |
- Compiler: Microsoft Visual C++
- Detect It Easy (DiE):
  - PE: compiler: EP:Microsoft Visual C/C++(6.0 (1720-9782))[EXE32]
  - PE: compiler: Microsoft Visual C/C++(6.0)[libcmt,wWinMain]
  - PE: linker: Microsoft Linker(6.0*)[-]
  - PE: overlay: PDB 2.0 file link(-)[-]
- Entropy: 7.91328
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleFileNameA | Retrieves the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | CopyFileW | Copies an existing file to a new file. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | CreateToolhelp32Snapshot | Creates a snapshot of the specified processes, heaps, threads, and modules. |
| KERNEL32.DLL | WriteProcessMemory | Writes data to an area of memory in a specified process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
| KERNEL32.DLL | DeleteFileA | Deletes an existing file. |
| SHELL32.DLL | ShellExecuteW | Performs a run operation on a specific file. |
| SHELL32.DLL | ShellExecuteExW | Performs a run operation on a specific file. |
| Windows REG |
- SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
- SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
- SOFTWARE\InstallShield\Cryptography\Trust
- SOFTWARE\InstallShield\16.0\Professional
| Windows REG (UNICODE) |
- Software\InstallShield\ISWI\7.0\SetupExeLog
- Software\Microsoft\Windows\CurrentVersion\Run
- Software\Microsoft\Windows\CurrentVersion
- Software\Microsoft\Windows\CurrentVersion\Installer
- Software\Microsoft\Windows\CurrentVersion\RunOnce
- Software\Microsoft\Windows\CurrentVersion\RunOnceEx
- SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries
- Software\Microsoft\Active Setup\Installed Components\%s
- SOFTWARE\Microsoft\NET Framework Setup\NDP
- SOFTWARE\Microsoft\Visual JSharp Setup\Redist
- Software\Microsoft\Internet Explorer
- Software\Classes
- SOFTWARE\Microsoft\Windows\CurrentVersion
- Software\Microsoft\Windows\CurrentVersion\Internet Settings
- System\CurrentControlSet\Control\Windows
- Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
- Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| File Access |
- .EXE
- setup.exe
- Kernel32.dll
- ISSetup.dll
- msi.dll
- RPCRT4.dll
- OLEAUT32.dll
- ole32.dll
- ADVAPI32.dll
- GDI32.dll
- USER32.dll
- COMCTL32.dll
- SHELL32.dll
- VERSION.dll
- BetaMarker.dat
- EvalMarker.dat
- @.dat
- Setup.ini
- 0x0409.ini
- Temp
| File Access (UNICODE) |
- Setup.exe
- url to InstMsiW.exe
- url to InstMsiA.exe
- /V parameters to MsiExec.exe
- PSTORES.EXE
- InstallShield setup.exe
- Using language transforms from setup.exe
- MSIEXEC.EXE
- INSTMSIW.EXE
- INSTMSIA.EXE
- Getting file from setup.exe
- Failed to get UI DLL from setup.exe
- WindowsInstaller-KB893803-x86.exe
- instmsi30.exe
- isnetfx.exe
- dotnetfx.exe
- dotnetredist.exe
- dotnetfx20.exe
- vjredist.exe
- vjredist20.exe
- dotnetfxsp1.exe
- langpack.exe
- langpack20.exe
- vjredist-LP.exe
- vjredist20-LP.exe
- dotnetredistSp3.exe
- setup.exe
- %sexplorer.exe
- hSetup requires a newer version of WinInet.dll
- Advapi32.dll
- Crypt32.dll
- WinTrust.dll
- RPAWINET.DLL
- wininet.dll
- MsiGetProductInfoWmsi.dll
- shell32.dll
- oleaut32.dll
- advapi32.dll
- psapi.dll
- Ntdll.dll
- Wow64DisableWow64FsRedirectionkernel32.dll
- LcidToRfc1766Wmlang.dll
- GetSystemWindowsDirectoryWKERNEL32.DLL
- GetSystemDefaultUILanguageKernel32.dll
- ShellExecuteExWShell32.dll
- ini for current issetup.dll
- ini from current issetup.dll
- SHFolder.dll
- WinInet.dll
- msi.dllFailed to locate ISSetup.dll
- Attempted unloaded of msi.dll
- ISExternalUI.dll
- ISExternalUIInstallLoading ISExternalUI.dll
- Msi.DLL
- Could not find entry point in ISSetup.dll
- \Codebases\isdev\src\Runtime\MSI\Shared\Setup\IsMsiHelper.cppISSetup.dll
- Failed to load ISSetup.dll
- wintrust.dll
- url to IsScript.msi
- InstallShield.log
- Verify that all strings in Setup.ini
- %s\0x%04x.ini
- 0x%04x.ini
- Extracting setup.ini
- Dumping setup.ini
- Setup.INI
- IsConfig.ini
- ISConfig.ini
- Could not extract isconfig.ini
- setup.ini
- Reading setup.ini
- %s name from Setup.ini
- _ISMSIDEL.INI
- Exec - arp
- Setup\Redist
- Temp
- ProgramFiles
| SQL Queries |
- SELECT * FROM Binary
- Select the language for the installation from the choices below.&OK
| Words of Interest |
- PADDINGX
- exec
- attrib
- start
- systeminfo
- ping
- expand
| Words of Interest (UNICODE) |
- PassWord
- exec
- start
- shutdown
- ping
- replace
| URLs |
- http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d
- http://ocsp.thawte.com
- http://crl.thawte.com/ThawteTimestampingCA.crl
- http://ts-ocsp.ws.symantec.com
- http://ts-aia.ws.symantec.com/tss-ca-g2.cer
- http://ts-crl.ws.symantec.com/tss-ca-g2.crl
- http://csc3-2010-crl.verisign.com/CSC3-2010.crl
- http://ocsp.verisign.com
- http://csc3-2010-aia.verisign.com/CSC3-2010.cer
- http://logo.verisign.com/vslogo.gif04
- http://crl.verisign.com/pca3-g5.crl
- http://www.rohitab.com/apimonitor
- https://www.verisign.com/rpa
- https://www.verisign.com/rpa0
- https://www.verisign.com/cps0*
- https://www.verisign.com/rpa0
| Payloads |
| Shell_Reverse_TCP/Encoder-Shikata_ga_nai, 4 iterations -> position of '2bc9b166' in buffer: 22F2D8 |
| IP Addresses |
| 2.5.4.10 2.5.4.11 |
Note: 2.5.4.10 and 2.5.4.11 are the X.500 OIDs for organizationName and organizationalUnitName, which appear in the embedded Authenticode certificate; they are dotted-decimal strings matched by the IP-address heuristic, not network addresses.
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Registry (RegCreateKeyEx) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | Registry (RegSetValueEx) |
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | File (CopyFile) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Unicode | Encryption (Microsoft Base Cryptographic Provider v1.0) |
| Text | Unicode | Encryption (Microsoft Enhanced Cryptographic Provider v1.0) |
| Text | Unicode | Encryption (Microsoft Strong Cryptographic Provider) |
| Text | Ascii | Encryption API (CryptAcquireContext) |
| Text | Ascii | Encryption API (CryptDeriveKey) |
| Text | Ascii | Encryption API (CryptReleaseContext) |
| Text | Ascii | Anti-Analysis VM (GetSystemInfo) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Anti-Analysis VM (CreateToolhelp32Snapshot) |
| Text | Ascii | Reconnaissance (FindFirstFileA) |
| Text | Ascii | Reconnaissance (FindNextFileA) |
| Text | Ascii | Reconnaissance (FindFirstFileW) |
| Text | Ascii | Reconnaissance (FindNextFileW) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (GetThreadContext) |
| Text | Ascii | Stealth (SetThreadContext) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (IsBadReadPtr) |
| Text | Ascii | Stealth (UnmapViewOfFile) |
| Text | Ascii | Stealth (MapViewOfFile) |
| Text | Ascii | Stealth (CreateFileMappingA) |
| Text | Ascii | Stealth (CreateFileMappingW) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Execution (CreateProcessW) |
| Text | Ascii | Execution (ShellExecute) |
| Text | Ascii | Execution (ResumeThread) |
| Text | Ascii | Execution (CreateEventW) |
| Text | Ascii | Antivirus Software (Symantec) |
| Text | Unicode | Privileges (SeShutdownPrivilege) |
| Text | Ascii | Malware that monitors and collects user data (Spy) |
| Text | Unicode | Unauthorized movement of funds or data (Transfer) |
| Text | Ascii | Malicious rerouting of traffic to an attacker-controlled site (Redirect) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 5.0 |
| Entry Point | Hex Pattern | Microsoft Visual C++ v6.0 |
| Entry Point | Hex Pattern | Microsoft Visual C++ v6.0 |
| Entry Point | Hex Pattern | Microsoft Visual C++ |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \GIF\IDR_GIF1\0 | 9BE54 | 5731 | 94054 | 474946383961AF003801F70000001F57001E5A00265500225C00285600295B1925571A26581C2959002660002B630A2D6404 | GIF89a..8......W..Z.&U."\.(V.)[.%W.&X.)Y.&.+c.-d. |
| \GIF\IDR_GIF1\1033 | A1588 | 6592 | 99788 | 474946383961AF003801F7000000185200185A00215200215A00216300295200295A00296300316300316B00396B00397308 | GIF89a..8......R..Z.!R.!Z.!c.)R.)Z.)c.1c.1k.9k.9s. |
| \BITMAP\103\0 | A7B1C | 14220 | 9FD1C | 28000000DC000000720100000100080000000000F83D0100000000000000000000000000000000005E381000866E51007F64 | (.......r............=..................8...nQ..d |
| \BITMAP\10550\0 | BBD3C | 1B5C | B3F3C | 28000000B40000004B0000000100040000000000F41A00000000000000000000000000000000000000000000000080000080 | (.......K......................................... |
| \BITMAP\10551\0 | BD898 | 38E4 | B5A98 | 28000000B40000004B0000000100080000000000BC3400000000000000000000000000000000000000000000000080000080 | (.......K............4............................ |
| \BITMAP\10553\0 | C117C | 1238 | B937C | 280000003C0000003C0000000100080000000000100E00000000000000000000000000000000000000000000000080000080 | (...<...<......................................... |
| \BITMAP\10650\0 | C23B4 | 6588 | BA5B4 | 28000000A100000098000000010008000000000060610000D40E0000D40E0000000100000001000000000000000080000080 | (...................a............................ |
| \BITMAP\10651\0 | C893C | 11F88 | C0B3C | 28000000A1000000980000000100180000000000601F0100C40E0000C40E0000000000000000000080800080800080800080 | (................................................ |
| \ICON\1\0 | DA8C4 | 668 | D2AC4 | 28000000300000006000000001000400000000000000000000000000000000001000000000000000FFFFFF00000080000080 | (...0............................................ |
| \ICON\2\0 | DAF2C | 2E8 | D312C | 28000000200000004000000001000400000000000000000000000000000000001000000000000000FFFFFFFF000080000080 | (... ...@......................................... |
| \ICON\3\0 | DB214 | 128 | D3414 | 28000000100000002000000001000400000000000000000000000000000000001000000000000000FFFFFFFF000080000080 | (....... ......................................... |
| \ICON\4\0 | DB33C | EA8 | D353C | 280000003000000060000000010008000000000000000000000000000000000000010000000000004A1602FF9A9A9A006A4E | (...0..................................J.......jN |
| \ICON\5\0 | DC1E4 | 8A8 | D43E4 | 280000002000000040000000010008000000000000000000000000000000000000010000000000004A0E024A8E8A829A7A52 | (... ...@...............................J..J....zR |
| \ICON\6\0 | DCA8C | 568 | D4C8C | 280000001000000020000000010008000000000000000000000000000000000000010000000000003E02024AA282728E6E3E | (....... ...............................>..J..r.n> |
| \ICON\7\0 | DCFF4 | 25A8 | D51F4 | 28000000300000006000000001002000000000000000000000000000000000000000000000000000FFFFFF00FFFFFF00FFFF | (...0........ ................................... |
| \ICON\8\0 | DF59C | 10A8 | D779C | 28000000200000004000000001002000000000000000000000000000000000000000000000000000FFFFFF00FFFFFF00FFFF | (... ...@..... ................................... |
| \ICON\9\0 | E0644 | 468 | D8844 | 28000000100000002000000001002000000000000000000000000000000000000000000000000000999999309FA2A487A4AA | (....... ..... ............................0...... |
| \ICON\10\0 | E0AAC | 2E8 | D8CAC | 2800000020000000400000000100040000000000800200000000000000000000000000000000000000000000000080000080 | (... ...@......................................... |
| \ICON\11\0 | E0D94 | 2E8 | D8F94 | 2800000020000000400000000100040000000000800200000000000000000000000000000000000000000000000080000080 | (... ...@......................................... |
| \DIALOG\103\0 | E107C | 1FE | D927C | 0100FFFF0000000000000000400000400C00000000004C01DA000000000000000800000000014D0053002000530061006E00 | ............@..@......L...............M.S. .S.a.n. |
| \DIALOG\105\0 | E127C | 296 | D947C | 0100FFFF0000000000000000400000401000000000004C01DA000000000000000800000000014D0053002000530061006E00 | ............@..@......L...............M.S. .S.a.n. |
| \DIALOG\106\0 | E1514 | 2E0 | D9714 | 0100FFFF0000000000000000400000401200000000004C01DA000000000000000800000000014D0053002000530061006E00 | ............@..@......L...............M.S. .S.a.n. |
| \DIALOG\107\0 | E17F4 | 64 | D99F4 | 0100FFFF0000000000000000C000CA800100000000004C01DA000000000000000800000000014D0053002000530061006E00 | ......................L...............M.S. .S.a.n. |
| \DIALOG\108\0 | E1858 | 42 | D9A58 | 0100FFFF0000000080000000400000900000000000004A003E000000000000000800000000014D0053002000530061006E0073002000530065007200690066000000 | ............@.........J.>.............M.S. .S.a.n.s. .S.e.r.i.f... |
| \DIALOG\109\0 | E189C | E6 | D9A9C | 0100FFFF0000000000000000C008C090040000000000FC0049000000000000000800000000014D0053002000530061006E00 | ........................I.............M.S. .S.a.n. |
| \DIALOG\119\0 | E1984 | 124 | D9B84 | 0100FFFF0000000000000000C408C8900700000000003C015A000000000000000800000000014D0053002000530061006E00 | ......................<.Z.............M.S. .S.a.n. |
| \DIALOG\121\0 | E1AA8 | E6 | D9CA8 | 0100FFFF0000000000000000C408C880050000000000FC004F000000000000000800000000014D0053002000530061006E00 | ........................O.............M.S. .S.a.n. |
| \DIALOG\125\0 | E1B90 | 276 | D9D90 | 0100FFFF0000000000000000400000400F00000000004C01DA000000000000000800000000014D0053002000530061006E00 | ............@..@......L...............M.S. .S.a.n. |
| \DIALOG\126\0 | E1E08 | 3D8 | DA008 | 0100FFFF0000000000000000C408C8800800000000004601B9000000000000000800000000014D0053002000530061006E00 | ......................F...............M.S. .S.a.n. |
| \DIALOG\127\0 | E21E0 | 182 | DA3E0 | 0100FFFF000000000000000040000040080000000000CC0131010000000000000800000000014D0053002000530061006E00 | ............@..@........1.............M.S. .S.a.n. |
| \DIALOG\128\0 | E2364 | 21C | DA564 | 0100FFFF0000000000000000400000400C0000000000CC0131010000000000000800000000014D0053002000530061006E00 | ............@..@........1.............M.S. .S.a.n. |
| \DIALOG\129\0 | E2580 | 1FA | DA780 | 0100FFFF0000000000000000400000400B0000000000CC0131010000000000000800000000014D0053002000530061006E00 | ............@..@........1.............M.S. .S.a.n. |
| \DIALOG\130\0 | E277C | 222 | DA97C | 0100FFFF0000000000000000400000400C0000000000CC0131010000000000000800000000014D0053002000530061006E00 | ............@..@........1.............M.S. .S.a.n. |
| \DIALOG\131\0 | E29A0 | 8C | DABA0 | 0100FFFF0000000000000000C000CA80010000000000CC0131010000000049006E007300740061006C006C00530068006900 | ........................1.....I.n.s.t.a.l.l.S.h.i. |
| \DIALOG\132\0 | E2A2C | 3CC | DAC2C | 0100FFFF0000000000000000C408C8800700000000004601B7000000000000000800000000014D0053002000530061006E00 | ......................F...............M.S. .S.a.n. |
| \DIALOG\1000\0 | E2DF8 | 168 | DAFF8 | 0100FFFF0000000000000000C008C09007004E002700FC0062000000000000000800000000014D0053002000530061006E00 | ..................N.'...b.............M.S. .S.a.n. |
| \DIALOG\1001\0 | E2F60 | 1EA | DB160 | 0100FFFF0000000000000000C008C0900A00000000004C01DA000000000000000800000000014D0053002000530061006E00 | ......................L...............M.S. .S.a.n. |
| \DIALOG\1008\0 | E314C | 116 | DB34C | 0100FFFF0000000000000000C008C090040000000000BB0051000000000050006C006500610073006500200065006E007400 | ........................Q.....P.l.e.a.s.e. .e.n.t. |
| \DIALOG\1026\0 | E3264 | EE | DB464 | 0100FFFF0000000000000000C008C09004004E002700D4006F000000000000000800000000014D0053002000530061006E00 | ..................N.'...o.............M.S. .S.a.n. |
| \DIALOG\1034\0 | E3354 | 1D4 | DB554 | 0100FFFF0000000000000000C008C0900A00000000004C01DA000000000000000800000000015400610068006F006D006100 | ......................L...............T.a.h.o.m.a. |
| \DIALOG\3003\0 | E3528 | 1EC | DB728 | 0100FFFF0000000000000000C008C0900700000000004C01DA000000000000000800000000014D0053002000530061006E00 | ......................L...............M.S. .S.a.n. |
| \DIALOG\3004\0 | E3714 | 2B8 | DB914 | 0100FFFF0000000000000000C008CA800E0000000000CC0131010000000049006E007300740061006C006C00530068006900 | ........................1.....I.n.s.t.a.l.l.S.h.i. |
| \STRING\69\1033 | E39CC | 160 | DBBCC | 0000000000000000000000000000000000000000000000001A0053006500740075007000200049006E006900740069006100 | ..........................S.e.t.u.p. .I.n.i.t.i.a. |
| \STRING\70\1033 | E3B2C | 23E | DBD2C | 250043006800650063006B0069006E0067002000570069006E0064006F0077007300280052002900200049006E0073007400 | %.C.h.e.c.k.i.n.g. .W.i.n.d.o.w.s.(.R.). .I.n.s.t. |
| \STRING\71\1033 | E3D6C | 378 | DBF6C | 000000000000000000001500430068006F006F007300650020005300650074007500700020004C0061006E00670075006100 | ............C.h.o.o.s.e. .S.e.t.u.p. .L.a.n.g.u.a. |
| \STRING\72\1033 | E40E4 | 252 | DC2E4 | 00000000000000000000000000000000000000000000000000000000F2005300650074007500700020006800610073002000 | ..............................S.e.t.u.p. .h.a.s. . |
| \STRING\73\1033 | E4338 | 1F4 | DC538 | 2D004500720072006F0072002000650078007400720061006300740069006E006700200025007300200074006F0020007400 | -.E.r.r.o.r. .e.x.t.r.a.c.t.i.n.g. .%.s. .t.o. .t. |
| \STRING\76\1033 | E452C | 66C | DC72C | 0700520065007300740061007200740051005300650074007500700020006E006500650064007300200025006C0075002000 | ..R.e.s.t.a.r.t.Q.S.e.t.u.p. .n.e.e.d.s. .%.l.u. . |
| \STRING\101\1033 | E4B98 | 366 | DCD98 | 000000000000000078005400680069007300200073006500740075007000200064006F006500730020006E006F0074002000 | ........x.T.h.i.s. .s.e.t.u.p. .d.o.e.s. .n.o.t. . |
| \STRING\102\1033 | E4F00 | 27E | DD100 | 03006D0069006E00030073006500630002004D00420002004B00420004002F0073006500630026004600610069006C006500 | ..m.i.n...s.e.c...M.B...K.B.../.s.e.c.&.F.a.i.l.e. |
| \STRING\103\1033 | E5180 | 518 | DD380 | 17002F0055004D003C00750072006C00200074006F0020006D007300690020007000610063006B006100670065003E001800 | ../.U.M.<.u.r.l. .t.o. .m.s.i. .p.a.c.k.a.g.e.>... |
| \STRING\104\1033 | E5698 | 882 | DD898 | F200530065007400750070002000680061007300200064006500740065006300740065006400200061006E00200069006E00 | ..S.e.t.u.p. .h.a.s. .d.e.t.e.c.t.e.d. .a.n. .i.n. |
| \STRING\105\1033 | E5F1C | 23E | DE11C | 0A00450078007400720061006300740069006E0067000B0044006F0077006E006C006F006100640069006E00670007005300 | ..E.x.t.r.a.c.t.i.n.g...D.o.w.n.l.o.a.d.i.n.g...S. |
| \STRING\107\1033 | E615C | 3BA | DE35C | 00000000000000000000000095005400680069007300200069006E007300740061006C006C006100740069006F006E002000 | ..............T.h.i.s. .i.n.s.t.a.l.l.a.t.i.o.n. . |
| \STRING\108\1033 | E6518 | 12C | DE718 | 1B00260050006100740063006800200061006E0020006500780069007300740069006E006700200069006E00730074006100 | ..&.P.a.t.c.h. .a.n. .e.x.i.s.t.i.n.g. .i.n.s.t.a. |
| \STRING\113\1033 | E6644 | 4A | DE844 | 0000000000000000000000000000000000000000000000001500430068006F006F007300650020005300650074007500700020004C0061006E0067007500610067006500000000000000 | ..........................C.h.o.o.s.e. .S.e.t.u.p. .L.a.n.g.u.a.g.e....... |
| \STRING\114\1033 | E6690 | DA | DE890 | 00000000000000004000530065006C00650063007400200074006800650020006C0061006E00670075006100670065002000 | ........@.S.e.l.e.c.t. .t.h.e. .l.a.n.g.u.a.g.e. . |
| \STRING\115\1033 | E676C | 110 | DE96C | 0000000000000000000000000000000000000000070026004E0065007800740020003E0007003C0020002600420061006300 | ......................&.N.e.x.t. .>...<. .&.B.a.c. |
| \STRING\116\1033 | E687C | 20A | DEA7C | 6C00430061007500740069006F006E003A002000250073002000610066006600690072006D00730020007400680069007300 | l.C.a.u.t.i.o.n.:. .%.s. .a.f.f.i.r.m.s. .t.h.i.s. |
| \STRING\117\1033 | E6A88 | BA | DEC88 | 0000000000000000000000000000000000000F0050007200650070006100720069006E006700200053006500740075007000 | ....................P.r.e.p.a.r.i.n.g. .S.e.t.u.p. |
| \STRING\118\1033 | E6B44 | A8 | DED44 | 0600460069006E006900730068000F005400720061006E007300660065007200200072006100740065003A00200014004500 | ..F.i.n.i.s.h...T.r.a.n.s.f.e.r. .r.a.t.e.:. ...E. |
| \STRING\119\1033 | E6BEC | 12A | DEDEC | 0A0045007800690074002000530065007400750070002A00410072006500200079006F007500200073007500720065002000 | ..E.x.i.t. .S.e.t.u.p.*.A.r.e. .y.o.u. .s.u.r.e. . |
| \STRING\120\1033 | E6D18 | 422 | DEF18 | 4200530065006C006500630074002000740068006500200061007000700072006F0070007200690061007400650020006100 | B.S.e.l.e.c.t. .t.h.e. .a.p.p.r.o.p.r.i.a.t.e. .a. |
| \STRING\126\1033 | E713C | 5C2 | DF33C | 0000780025007300200053006500740075007000200069007300200070007200650070006100720069006E00670020007400 | ..x.%.s. .S.e.t.u.p. .i.s. .p.r.e.p.a.r.i.n.g. .t. |
| \STRING\134\1033 | E7700 | 40 | DF900 | 00000000000000000000000000000000000000000000000000000000000010005300650063007500720069007400790020005700610072006E0069006E006700 | ................................S.e.c.u.r.i.t.y. .W.a.r.n.i.n.g. |
| \STRING\135\1033 | E7740 | C44 | DF940 | 1E0044006F00200079006F0075002000770061006E007400200074006F002000720075006E00200074006800690073002000 | ..D.o. .y.o.u. .w.a.n.t. .t.o. .r.u.n. .t.h.i.s. . |
| \STRING\138\1033 | E8384 | 284 | E0584 | 000000001E0049006E007300740061006C006C0053006800690065006C006400200053006500740075007000200050006C00 | ......I.n.s.t.a.l.l.S.h.i.e.l.d. .S.e.t.u.p. .P.l. |
| \GROUP_ICON\100\0 | E8608 | 84 | E0808 | 00000100090030301000010004006806000001002020100001000400E8020000020010101000010004002801000003003030 | ......00......h..... ....................(.....00 |
| \GROUP_ICON\112\0 | E868C | 14 | E088C | 0000010001002020100001000400E80200000B00 | ...... ............ |
| \GROUP_ICON\217\0 | E86A0 | 14 | E08A0 | 0000010001002020100001000400E80200000A00 | ...... ............ |
| \VERSION\1\0 | E86B4 | 674 | E08B4 | 740634000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000000 | t.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\0 | E8D28 | 470 | E0F28 | 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 | <?xml version="1.0" encoding="UTF-8" standalone="y |
| Intelligent String |
- .EXE
- setup.isn
- setup.exe
- KERNEL32.dll
- MessageBoxW,CharNextWTCreateDialogIndirectParamW
- _ISMSIDEL.INI
- File=%sexplorer.exe
- http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d : 0x%x&ErrorInfo=%s
- Failed to read setup package: %s name from Setup.ini
- C:\Codebases\isdev\src\Runtime\MSI\Shared\Setup\diskaction.cpp
- .ini
- wintrust.dll
- crypt32.dll
- /ForceROT
- C:\Codebases\isdev\src\Runtime\MSI\Shared\Setup\IsMsiHelper.cppISSetup.dll
- setup.ini
- O?Setup.iss
- runas
- dotnetredistSp3.exe
- vjredist20-LP.exe
- vjredist-LP.exe
- langpack20.exe
- langpack.exe
- dotnetfxsp1.exe
- /q:a /c:"install /q"
- vjredist20.exe
- vjredist.exe
- dotnetfx20.exe
- dotnetredist.exe
- dotnetfx.exe
- isnetfx.exe
- C:\Codebases\isdev\src\Runtime\MSI\Shared\Setup\msiaction.cpp
- 3.0.0.0
- 2.0.0.0
- instmsi30.exe
- WindowsInstaller-KB893803-x86.exe
- 4.05.0.0
- Msi.DLL
- *.mst
- .mst
- Failed to get UI DLL from setup.exe for billboard support. This installation will run without billboards.
- "%s" /c:"msiinst /delayrebootq"
- Getting file from setup.exe
- WinInet.dll
- SHFolder.dll
- IsConfig.ini
- Data.Cab
- Setup.bmp
- Setup.INI
- INSTMSIA.EXE
- INSTMSIW.EXE
- MSIEXEC.EXE
- .MST
- Dumping setup.ini...
- C:\Codebases\isdev\src\Runtime\MSI\Shared\Setup\session.cppInstalledProductName
- EvalMarker.dat
- BetaMarker.dat
- Using language transforms from setup.exe location
- 0x%04x.ini
- 2.9.0.0
- %s\%04x.mst
- %s\0x%04x.ini
- InstallShield setup.exe (Unicode) started, cmdline: %s
- C:\Codebases\isdev\src\Runtime\MSI\Shared\Setup\Setup.cpp
- C:\Codebases\isdev\src\Runtime\MSI\Shared\Setup\utils.cpp
- .tmp
- Kernel32.dll
- KERNEL32.DLL
- mlang.dll
- kernel32.dll
- PSTORES.EXE
- Ntdll.dll
- psapi.dll
- .OCX
- .DLL
- .TLB
- advapi32.dll
- oleaut32.dll
- Advapi32.lib
- shell32.dll
- msi.dll
- wininet.dll
- RPAWINET.DLL
- WinTrust.dll
- Crypt32.dll
- Advapi32.dll
- 2.5.4.10
- 2.5.4.11
- 2.5.4.3
- InstallShield.log
- C:\Codebases\isdev\src\Runtime\MSI\Shared\Setup\Setup___Win32_Release_Unicode\setupW.pdbInstallShield
- 0x0409.ini
- IAAPI Monitor v2 (Alpha).isc
- API Monitor v2 (Alpha).msi
- .PyT
- Setup.ini
| Flow Anomalies |
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 433 | 47638C | .text | CALL [static] | Indirect call to absolute memory address |
| 44E | 47638C | .text | CALL [static] | Indirect call to absolute memory address |
| 4BB | 476340 | .text | CALL [static] | Indirect call to absolute memory address |
| 4D9 | 47638C | .text | CALL [static] | Indirect call to absolute memory address |
| 4F9 | 476344 | .text | CALL [static] | Indirect call to absolute memory address |
| 515 | 476344 | .text | CALL [static] | Indirect call to absolute memory address |
| 5D7 | 476340 | .text | CALL [static] | Indirect call to absolute memory address |
| 62C | 476344 | .text | CALL [static] | Indirect call to absolute memory address |
| 66C | 47638C | .text | CALL [static] | Indirect call to absolute memory address |
| 76C | 476390 | .text | CALL [static] | Indirect call to absolute memory address |
| 8B7 | 47633C | .text | CALL [static] | Indirect call to absolute memory address |
| 91F | 476324 | .text | CALL [static] | Indirect call to absolute memory address |
| 932 | 476328 | .text | CALL [static] | Indirect call to absolute memory address |
| 942 | 47632C | .text | CALL [static] | Indirect call to absolute memory address |
| 956 | 476330 | .text | CALL [static] | Indirect call to absolute memory address |
| 9B7 | 476334 | .text | CALL [static] | Indirect call to absolute memory address |
| 9C0 | 476338 | .text | CALL [static] | Indirect call to absolute memory address |
| 9C8 | 476338 | .text | CALL [static] | Indirect call to absolute memory address |
| A10 | 47633C | .text | CALL [static] | Indirect call to absolute memory address |
| A69 | 476324 | .text | CALL [static] | Indirect call to absolute memory address |
| A85 | 476338 | .text | CALL [static] | Indirect call to absolute memory address |
| A9C | 476328 | .text | CALL [static] | Indirect call to absolute memory address |
| AAE | 47632C | .text | CALL [static] | Indirect call to absolute memory address |
| AC1 | 476330 | .text | CALL [static] | Indirect call to absolute memory address |
| ADF | 476334 | .text | CALL [static] | Indirect call to absolute memory address |
| AE6 | 476338 | .text | CALL [static] | Indirect call to absolute memory address |
| B0E | 47633C | .text | CALL [static] | Indirect call to absolute memory address |
| CF4 | 476344 | .text | CALL [static] | Indirect call to absolute memory address |
| D3A | 476340 | .text | CALL [static] | Indirect call to absolute memory address |
| D68 | 476344 | .text | CALL [static] | Indirect call to absolute memory address |
| E01 | 476344 | .text | CALL [static] | Indirect call to absolute memory address |
| F4D | 476320 | .text | CALL [static] | Indirect call to absolute memory address |
| 11B9 | 476340 | .text | CALL [static] | Indirect call to absolute memory address |
| 1206 | 476344 | .text | CALL [static] | Indirect call to absolute memory address |
| 1349 | 476340 | .text | CALL [static] | Indirect call to absolute memory address |
| 1397 | 476344 | .text | CALL [static] | Indirect call to absolute memory address |
| 159A | 476314 | .text | CALL [static] | Indirect call to absolute memory address |
| 175D | 476318 | .text | CALL [static] | Indirect call to absolute memory address |
| 17C2 | 476318 | .text | CALL [static] | Indirect call to absolute memory address |
| 184C | 476340 | .text | CALL [static] | Indirect call to absolute memory address |
| 186A | 47638C | .text | CALL [static] | Indirect call to absolute memory address |
| 188A | 476344 | .text | CALL [static] | Indirect call to absolute memory address |
| 1A60 | 4764BC | .text | CALL [static] | Indirect call to absolute memory address |
| 1A6F | 4764C0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1A7A | 4760C4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1A92 | 4764C4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1AB7 | 4764C8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1ADC | 4764D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1AE6 | 4764D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B1E | 4764A8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B51 | 4764AC | .text | CALL [static] | Indirect call to absolute memory address |
| 1B68 | 4764B0 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B70 | 4764B4 | .text | CALL [static] | Indirect call to absolute memory address |
| 1B91 | 4764B8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1C0B | 476318 | .text | CALL [static] | Indirect call to absolute memory address |
| 213D | 476278 | .text | CALL [static] | Indirect call to absolute memory address |
| 215C | 476278 | .text | CALL [static] | Indirect call to absolute memory address |
| 22D0 | 476340 | .text | CALL [static] | Indirect call to absolute memory address |
| 2324 | 476344 | .text | CALL [static] | Indirect call to absolute memory address |
| 23AE | 476324 | .text | CALL [static] | Indirect call to absolute memory address |
| 2426 | 47630C | .text | CALL [static] | Indirect call to absolute memory address |
| 24A3 | 47630C | .text | CALL [static] | Indirect call to absolute memory address |
| 25CF | 47630C | .text | CALL [static] | Indirect call to absolute memory address |
| 2719 | 47630C | .text | CALL [static] | Indirect call to absolute memory address |
| 3023 | 476340 | .text | CALL [static] | Indirect call to absolute memory address |
| 3051 | 476344 | .text | CALL [static] | Indirect call to absolute memory address |
| 3097 | 476340 | .text | CALL [static] | Indirect call to absolute memory address |
| 30E4 | 476344 | .text | CALL [static] | Indirect call to absolute memory address |
| 312B | 476340 | .text | CALL [static] | Indirect call to absolute memory address |
| 3180 | 476344 | .text | CALL [static] | Indirect call to absolute memory address |
| 31D0 | 476398 | .text | CALL [static] | Indirect call to absolute memory address |
| 31EC | 476394 | .text | CALL [static] | Indirect call to absolute memory address |
| 3305 | 47638C | .text | CALL [static] | Indirect call to absolute memory address |
| 3386 | 476344 | .text | CALL [static] | Indirect call to absolute memory address |
| 36EB | 476324 | .text | CALL [static] | Indirect call to absolute memory address |
| 3745 | 476328 | .text | CALL [static] | Indirect call to absolute memory address |
| 376E | 476310 | .text | CALL [static] | Indirect call to absolute memory address |
| 3791 | 4761D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 37A2 | 47633C | .text | CALL [static] | Indirect call to absolute memory address |
| 37C9 | 47631C | .text | CALL [static] | Indirect call to absolute memory address |
| 37F8 | 476310 | .text | CALL [static] | Indirect call to absolute memory address |
| 3817 | 4761D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 384E | 47634C | .text | CALL [static] | Indirect call to absolute memory address |
| 385F | 47634C | .text | CALL [static] | Indirect call to absolute memory address |
| 408E | 476344 | .text | CALL [static] | Indirect call to absolute memory address |
| 4497 | 4761D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 44E4 | 476304 | .text | CALL [static] | Indirect call to absolute memory address |
| 4BC5 | 476340 | .text | CALL [static] | Indirect call to absolute memory address |
| 4C11 | 476344 | .text | CALL [static] | Indirect call to absolute memory address |
| 4FCB | 47638C | .text | CALL [static] | Indirect call to absolute memory address |
| 60DD | 476390 | .text | CALL [static] | Indirect call to absolute memory address |
| 62F2 | 476340 | .text | CALL [static] | Indirect call to absolute memory address |
| 6340 | 476344 | .text | CALL [static] | Indirect call to absolute memory address |
| 683A | 4762F8 | .text | CALL [static] | Indirect call to absolute memory address |
| 6851 | 4762FC | .text | CALL [static] | Indirect call to absolute memory address |
| 692C | 476300 | .text | CALL [static] | Indirect call to absolute memory address |
| 6940 | 4762FC | .text | CALL [static] | Indirect call to absolute memory address |
| 69E8 | 476314 | .text | CALL [static] | Indirect call to absolute memory address |
| 6AA3 | 4762C4 | .text | CALL [static] | Indirect call to absolute memory address |
| 6AC8 | 4762C8 | .text | CALL [static] | Indirect call to absolute memory address |
| AA06D-AA07A | N/A | .rsrc | Obfuscated jumps | Potential obfuscated jump sequence detected, count: 7 |
| AA308-AA319 | N/A | .rsrc | Obfuscated jumps | Potential obfuscated jump sequence detected, count: 9 |
| AA3E1-AA3F4 | N/A | .rsrc | Obfuscated jumps | Potential obfuscated jump sequence detected, count: 10 |
| AA4C3-AA4D0 | N/A | .rsrc | Obfuscated jumps | Potential obfuscated jump sequence detected, count: 7 |
| 93044 | 39EED | .data | TLS Callback | Pointer to 439EED - 0x392ED .text |
| 93048 | 39F0D | .data | TLS Callback | Pointer to 439F0D - 0x3930D .text |
| 9304C | 39F1F | .data | TLS Callback | Pointer to 439F1F - 0x3931F .text |
| 93050 | 39F31 | .data | TLS Callback | Pointer to 439F31 - 0x39331 .text |
| 93054 | 39F43 | .data | TLS Callback | Pointer to 439F43 - 0x39343 .text |
| 93058 | 39F55 | .data | TLS Callback | Pointer to 439F55 - 0x39355 .text |
| 9305C | 39F67 | .data | TLS Callback | Pointer to 439F67 - 0x39367 .text |
| 93060 | 39F79 | .data | TLS Callback | Pointer to 439F79 - 0x39379 .text |
| 93064 | 39F8B | .data | TLS Callback | Pointer to 439F8B - 0x3938B .text |
| 93068 | 39F9D | .data | TLS Callback | Pointer to 439F9D - 0x3939D .text |
| 9306C | 39FAF | .data | TLS Callback | Pointer to 439FAF - 0x393AF .text |
| 93070 | 39FC1 | .data | TLS Callback | Pointer to 439FC1 - 0x393C1 .text |
| 93074 | 39FD3 | .data | TLS Callback | Pointer to 439FD3 - 0x393D3 .text |
| 93078 | 39FE5 | .data | TLS Callback | Pointer to 439FE5 - 0x393E5 .text |
| 9307C | 39FF7 | .data | TLS Callback | Pointer to 439FF7 - 0x393F7 .text |
| 93080 | 3A009 | .data | TLS Callback | Pointer to 43A009 - 0x39409 .text |
| 93084 | 3A01B | .data | TLS Callback | Pointer to 43A01B - 0x3941B .text |
| 93088 | 3A02D | .data | TLS Callback | Pointer to 43A02D - 0x3942D .text |
| E1400 | N/A | *Overlay* | 4E423130000000007F194E4B01000000433A5C43 | NB10......NK....C:\C |
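The address columns in the rows above can be re-derived from the section table, which is how to check the tool's findings rather than take them on trust. The CALL [static] targets at 0x4760C4-0x4764D4 resolve into .rdata, where import address tables normally live, so on their own they are ordinary import thunks and not an indicator. The TLS callback pointers resolve into .text at the file offsets listed; TLS callbacks run before the entry point, so a debugger break placed at the entry point is already too late for them. The "obfuscated jump" ranges resolve into .rsrc, a section without the execute flag, so they are byte-pattern matches on resource data unless something maps that data executable at runtime. The overlay begins at 0xE1400, and the 20 bytes shown there decode as a CodeView NB10 record (PDB 2.0 debug information) whose path the report cuts off after "C:\C". The following Python is an added example, not part of the PESCAN.IO report or its tooling; the section layout with its characteristics, ImageBase 0x400000, the overlay bytes and the rebuilt TLS callback array are constructed inputs taken as assumptions.

```python
"""Re-derive the report's address findings from the PE section table.

Added example (not the PESCAN.IO report's own tooling). Section layout,
ImageBase, overlay bytes and the TLS array are constructed inputs / assumptions.
"""
import struct
from datetime import datetime, timezone

IMAGE_BASE = 0x400000            # assumed
IMAGE_SCN_MEM_EXECUTE = 0x20000000

# Assumed section table:
# (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData, Characteristics)
SECTIONS = [
    (".text",  0x01000, 0x74B10, 0x00400, 0x74C00, 0x60000020),
    (".rdata", 0x76000, 0x13564, 0x75000, 0x13600, 0x40000040),
    (".data",  0x8A000, 0x10248, 0x88600, 0x0AC00, 0xC0000040),
    (".rsrc",  0x9B000, 0x4E198, 0x93200, 0x4E200, 0x40000040),
]


def va_to_file_offset(va, sections=SECTIONS, image_base=IMAGE_BASE):
    """Map a VA to (section name, file offset).

    (name, None): the RVA lies in a section's virtual tail with no bytes on disk.
    (None, None): no section covers the RVA (headers, or a bogus pointer).
    """
    rva = va - image_base
    for name, vaddr, vsize, raw, rawsize, _flags in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            delta = rva - vaddr
            return (name, raw + delta) if delta < rawsize else (name, None)
    return (None, None)


def file_offset_to_section(off, sections=SECTIONS):
    """Section tuple whose raw data covers a file offset, else None (headers or overlay)."""
    for sec in sections:
        if sec[3] <= off < sec[3] + sec[4]:
            return sec
    return None


def offset_is_executable(off, sections=SECTIONS):
    """True only if the file offset sits in a section flagged IMAGE_SCN_MEM_EXECUTE."""
    sec = file_offset_to_section(off, sections)
    return sec is not None and bool(sec[5] & IMAGE_SCN_MEM_EXECUTE)


def overlay_offset(sections=SECTIONS):
    """First file offset past every section's raw data; everything after it is overlay."""
    return max(sec[3] + sec[4] for sec in sections)


def parse_tls_callbacks(blob):
    """Read a 32-bit TLS AddressOfCallBacks array: little-endian VAs up to the NULL terminator."""
    callbacks = []
    for i in range(0, len(blob) - 3, 4):
        va = struct.unpack_from("<I", blob, i)[0]
        if va == 0:
            break
        callbacks.append(va)
    return callbacks


def parse_nb10(data):
    """Decode a CodeView NB10 (PDB 2.0) record: 'NB10', offset, timestamp, age, NUL-terminated path."""
    if len(data) < 16 or data[:4] != b"NB10":
        return None
    offset, timestamp, age = struct.unpack_from("<III", data, 4)
    path, nul, _ = data[16:].partition(b"\0")
    return {
        "offset": offset,
        "timestamp": timestamp,
        "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "age": age,
        "pdb_path": path.decode("ascii", "replace"),
        "path_complete": bool(nul),   # False when only a prefix of the record was available
    }


# Constructed input: the 20 bytes the report shows at the overlay start (file offset 0xE1400).
OVERLAY_HEAD = bytes.fromhex("4E423130000000007F194E4B01000000433A5C43")

# Constructed input: the TLS callback array rebuilt from the 18 pointers listed in the report,
# followed by the NULL entry the loader stops at.
TLS_CALLBACK_VAS = [0x439EED, 0x439F0D, 0x439F1F, 0x439F31, 0x439F43, 0x439F55,
                    0x439F67, 0x439F79, 0x439F8B, 0x439F9D, 0x439FAF, 0x439FC1,
                    0x439FD3, 0x439FE5, 0x439FF7, 0x43A009, 0x43A01B, 0x43A02D]
TLS_ARRAY = b"".join(struct.pack("<I", va) for va in TLS_CALLBACK_VAS) + b"\0\0\0\0"


def tls_callback_report(blob=TLS_ARRAY):
    """(VA, section, file offset) per callback; anything outside a code section deserves a closer look."""
    return [(va, *va_to_file_offset(va)) for va in parse_tls_callbacks(blob)]


if __name__ == "__main__":
    print("overlay starts at 0x%X" % overlay_offset())
    print("overlay head:", parse_nb10(OVERLAY_HEAD))
    print("CALL target 0x476344 ->", va_to_file_offset(0x476344))
    print("0xAA06D executable?", offset_is_executable(0xAA06D))
    for va, sec, off in tls_callback_report():
        print("TLS callback %08X -> %s %s" % (va, sec, "no file bytes" if off is None else "0x%X" % off))
```

The decoded NB10 timestamp can be compared with the PE header's TimeDateStamp; a match means the debug record belongs to this build, while a mismatch or a record that points nowhere is worth noting. The file-offset mapping deliberately distinguishes an address with no backing bytes on disk (a section's virtual tail) from one that hits no section at all, because a TLS callback or call target in either of those places is far more interesting than one in .text.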
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 3440405 | 66,3478% |
| Null Byte Code | 166777 | 3,2163% |
| NOP Cave Found | 0x9090909090 (block count: 136) | 0,0066% |