PESCAN.IO - Analysis Report Basic

| File Structure |

PE chart legend:
• PE header (light blue)
• Executable sections (pink)
• Non-executable sections (black)
• External injected code (red)
• File structure shown in red = malformed or corrupted header

Chart legend for other file types:
• Printable characters (blue)
• Non-printable characters (black)
| Information |

| Field | Value |
|---|---|
| Size | 3,31 MB |
| SHA-256 Hash | 850279E854B9AA668D75DF0469F8F8ED5314208B124B66B0E684938D31EE26D0 |
| SHA-1 Hash | 6F79D78D08A9DA18BE627BA460CB33CA2FBC68EF |
| MD5 Hash | A3E20D550B7E22CC56C398CF3BFAEA2F |
| Imphash | 8716DFCB53E9237687620DC5EBBD5D82 |
| MajorOSVersion | 5 |
| MinorOSVersion | 0 |
| CheckSum | 0012B0BB |
| EntryPoint (rva) | 6B0FB |
| SizeOfHeaders | 400 |
| SizeOfImage | 131000 |
| ImageBase | 400000 |
| Architecture | x86 |
| ImportTable | D7984 |
| IAT | B0000 |
| Characteristics | 103 |
| TimeDateStamp | 5270ABA2 |
| Date | 30/10/2013 6:48:02 |
| File Type | EXE |
| Number Of Sections | 4 |
| ASLR | Disabled |
| Section Names | .text, .rdata, .data, .rsrc |
| Number Of Executable Sections | 1 |
| Subsystem | Windows GUI |
| Sections Info |

| Section Name | Flags | ROffset | RSize | VOffset | VSize | Entropy | Chi2 |
|---|---|---|---|---|---|---|---|
| .text | 0x60000020 Code Executable Readable | 400 | AEC00 | 1000 | AEB3D | | |
| .rdata | 0x40000040 Initialized Data Readable | AF000 | 29800 | B0000 | 2967C | | |
| .data | 0xC0000040 Initialized Data Readable Writeable | D8800 | 2800 | DA000 | 8828 | | |
| .rsrc | 0x40000040 Initialized Data Readable | DB000 | 4E000 | E3000 | 4DF24 | | |
| Description |

| Field | Value |
|---|---|
| OriginalFilename | InstallShield Setup.exe |
| CompanyName | Secutel |
| LegalCopyright | Copyright (c) 2013 Flexera Software LLC. All Rights Reserved. |
| ProductName | VersionString |
| FileVersion | 1.01.5 |
| FileDescription | Setup Launcher Unicode |
| ProductVersion | ProductCode |
| Language | English (United States) (ID=0x409) |
| CodePage | Unicode (UTF-16 LE) (0x4B0) |
| Binder/Joiner/Crypter |
| Dropper code detected (EOF) - 2,12 MB (data appended after the last section, i.e. the overlay; the Packer/Compiler section identifies it as InstallShield data) |
| Entry Point |

Section number 1 (.text) contains the entry point.
EntryPoint (calculated, file offset): 6A4FB
Code: E86E270100E979FEFFFF85C0740D33C985C00F9FC18D4C09FF8BC1C30FB6000FB6092BC1740D33C985C00F9FC18D4C09FF8B
Assembler:
• CALL 0X13773
• JMP 0XE83
• TEST EAX, EAX
• JE 0X101B
• XOR ECX, ECX
• TEST EAX, EAX
• SETG CL
• LEA ECX, [ECX + ECX - 1]
• MOV EAX, ECX
• RET
• MOVZX EAX, BYTE PTR [EAX]
• MOVZX ECX, BYTE PTR [ECX]
• SUB EAX, ECX
• JE 0X1033
• XOR ECX, ECX
• TEST EAX, EAX
• SETG CL
• LEA ECX, [ECX + ECX - 1]
| Signatures |

CheckSum Integrity Problem:
• Header: 1224891
• Calculated: 3533512

Rich Signature Analyzer:
• Code -> 0323FC7C4742922F4742922F4742922F4E3A182F4C42922F4E3A072F5D42922F4E3A112FD542922F6084FF2F4442922F5910162F4442922F6084E92F5242922F4742932F2343922F4E3A162F3342922F5910062F4642922F4E3A032F4642922F526963684742922F
• Footprint md5 Hash -> 53EB392EA0246B2FA84CE67262F6868A
• The Rich header apparently has not been modified

Certificate - Digital Signature Not Found:
• The file is not signed
| Packer/Compiler |

Compiler: Microsoft Visual Studio
Compiler: Microsoft Visual C++

Detect It Easy (die):
• PE: installer: InstallShield(-)[-]
• PE: compiler: EP:Microsoft Visual C/C++(2008-2010)[EXE32]
• PE: compiler: Microsoft Visual C/C++(2008)[libcmt,wWinMain]
• PE: linker: Microsoft Linker(9.0)[-]
• PE: overlay: InstallShield data(18.x)[-]
• Entropy: 7.74877
| Suspicious Functions |
| Library | Function | Description |
|---|---|---|
| KERNEL32.DLL | GetModuleFileNameA | Retrieve the fully qualified path for the executable file of a specified module. |
| KERNEL32.DLL | VirtualAlloc | Reserve, commit, or both, a region of memory within the virtual address space of a process. |
| KERNEL32.DLL | GetModuleHandleA | Retrieves a handle to the specified module. |
| KERNEL32.DLL | CopyFileW | Copies an existing file to a new file. |
| KERNEL32.DLL | WriteFile | Writes data to a specified file or input/output (I/O) device. |
| KERNEL32.DLL | LoadLibraryA | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | LoadLibraryW | Loads the specified module into the address space of the calling process. |
| KERNEL32.DLL | CreateToolhelp32Snapshot | Creates a snapshot of the specified processes, heaps, threads, and modules. |
| KERNEL32.DLL | WriteProcessMemory | Writes data to an area of memory in a specified process. |
| KERNEL32.DLL | GetProcAddress | Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL). |
| KERNEL32.DLL | CreateFileA | Creates or opens a file or I/O device. |
| KERNEL32.DLL | DeleteFileA | Deletes an existing file. |
| KERNEL32.DLL | IsDebuggerPresent | Determines if the calling process is being debugged by a user-mode debugger. |
| SHELL32.DLL | ShellExecuteW | Performs a run operation on a specific file. |
| SHELL32.DLL | ShellExecuteExW | Performs a run operation on a specific file. |
| Windows REG |

• SOFTWARE\InstallShield\Cryptography\Trust
• SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs

| Windows REG (UNICODE) |

• SOFTWARE\InstallShield\20.0\Professional
• Software\InstallShield\ISWI\7.0\SetupExeLog
• SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
• Software\Microsoft\Windows\CurrentVersion\Run
• Software\Microsoft\Windows\CurrentVersion
• Software\Microsoft\Windows\CurrentVersion\RunOnceEx
• Software\Microsoft\Windows\CurrentVersion\RunOnce
• SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\RunOnceEntries
• SOFTWARE\Microsoft\NET Framework Setup\NDP
• Software\Microsoft\Active Setup\Installed Components\%s
• Software\Microsoft\Windows\CurrentVersion\Installer
• SOFTWARE\Microsoft\Visual JSharp Setup\Redist
• Software\Classes
• Software\Microsoft\Internet Explorer
• SOFTWARE\Microsoft\Windows\CurrentVersion
• Software\Microsoft\Windows\CurrentVersion\Internet Settings
• System\CurrentControlSet\Control\Windows
• Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
• Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
• Rebuilt string - SOFTWARE\Microsoft\Windows\CurrentVersion\Run
| File Access |

• .EXE
• setup.exe
• RPCRT4.dll
• OLEAUT32.dll
• ole32.dll
• SHELL32.dll
• ADVAPI32.dll
• GDI32.dll
• USER32.dll
• KERNEL32.dll
• COMCTL32.dll
• VERSION.dll
• msi.dll
• ISSetup.dll
• BetaMarker.dat
• EvalMarker.dat
• @.dat
• .Wsf
• Temp
| File Access (UNICODE) |
| InstallShield Setup.exe url to InstMsiW.exe url to InstMsiA.exe /V parameters to MsiExec.exe MODULEPATHPSTORES.EXE InstallShield setup.exe MSIEXEC.EXE INSTMSIW.EXE INSTMSIA.EXE Using language transforms from setup.exe Failed to get UI DLL from setup.exe WindowsInstaller-KB893803-x86.exe instmsi30.exe isnetfx.exe dotnetfx20.exe vjredist.exe vjredist20.exe langpack.exe langpack20.exe vjredist-LP.exe vjredist20-LP.exe Getting file from setup.exe dotnetfxsp1.exe dotnetredistSp3.exe dotnetfx.exe dotnetredist.exe setup.exe too longexplorer.exe hSetup requires a newer version of WinInet.dll NCorExitProcessmscoree.dll Advapi32.dll Crypt32.dll JKJKJKxJKWinTrust.dll wininet.dll RPAWINET.DLL psapi.dll Ntdll.dll MsiGetProductInfoWmsi.dll shell32.dll oleaut32.dll GetSystemWindowsDirectoryWKERNEL32.DLL CreateFileACreateFileWRfc1766ToLcidWmlang.dll GetSystemDefaultUILanguageKernel32.dll advapi32.dll GetNativeSystemInfoIsWow64Processkernel32.dll ShellExecuteExWShell32.dll Failed to locate ISSetup.dll Attempted unloaded of msi.dll ISExternalUI.dll ISExternalUIInstallLoading ISExternalUI.dll ini for current issetup.dll ini from current issetup.dll SHFolder.dll Msi.DLL WinInet.dll Could not find entry point in ISSetup.dll ISSetup.dll RunISMSIMajorUpgradeRemovalFailed to load ISSetup.dll wintrust.dll Visual Messenger.msi url to IsScript.msi BetaMarker.dat EvalMarker.dat InstallShield.log Setup.ini 0x0409.ini Verify that all strings in Setup.ini %s\0x%04x.ini CSetup.INI Dumping setup.ini 0x%04x.ini Extracting setup.ini IsConfig.ini ISConfig.ini Could not extract isconfig.ini setup.ini Reading setup.ini %s name from Setup.ini _ISMSIDEL.INI Exec - arp Setup\Redist Temp ProgramFiles |
| SQL Queries |
| SELECT * FROM Binary Select the language for the installation from the choices below.&OK |
| Interest's Words |
| PADDINGX cscript exec attrib start systeminfo ping expand |
| Interest's Words (UNICODE) |
| PassWord exec start shutdown ping replace |
| URLs (UNICODE) |
| http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d : 0x%x&ErrorInfo=%s |
| IP Addresses |

| 2.5.4.10 2.5.4.11 (matched by the dotted-quad pattern; these are the X.520 attribute-type OIDs id-at-organizationName and id-at-organizationalUnitName used in certificate handling, not IP addresses) |
| Strings/Hex Code Found With The File Rules |
| Rule Type | Encoding | Matched (Word) |
|---|---|---|
| Text | Ascii | Registry (RegCreateKeyEx) |
| Text | Ascii | Registry (RegOpenKeyEx) |
| Text | Ascii | Registry (RegSetValueEx) |
| Text | Ascii | File (GetTempPath) |
| Text | Ascii | File (CopyFile) |
| Text | Ascii | File (CreateFile) |
| Text | Ascii | File (WriteFile) |
| Text | Ascii | File (ReadFile) |
| Text | Unicode | Encryption (Microsoft Base Cryptographic Provider v1.0) |
| Text | Unicode | Encryption (Microsoft Enhanced Cryptographic Provider v1.0) |
| Text | Unicode | Encryption (Microsoft Strong Cryptographic Provider) |
| Text | Ascii | Encryption API (CryptAcquireContext) |
| Text | Ascii | Encryption API (CryptDeriveKey) |
| Text | Ascii | Encryption API (CryptReleaseContext) |
| Text | Ascii | Anti-Analysis VM (IsDebuggerPresent) |
| Text | Ascii | Anti-Analysis VM (GetSystemInfo) |
| Text | Ascii | Anti-Analysis VM (GetVersion) |
| Text | Ascii | Anti-Analysis VM (CreateToolhelp32Snapshot) |
| Text | Ascii | Reconnaissance (FindFirstFileA) |
| Text | Ascii | Reconnaissance (FindNextFileA) |
| Text | Ascii | Reconnaissance (FindFirstFileW) |
| Text | Ascii | Reconnaissance (FindNextFileW) |
| Text | Ascii | Reconnaissance (FindClose) |
| Text | Ascii | Stealth (GetThreadContext) |
| Text | Ascii | Stealth (SetThreadContext) |
| Text | Ascii | Stealth (CloseHandle) |
| Text | Ascii | Stealth (IsBadReadPtr) |
| Text | Ascii | Stealth (UnmapViewOfFile) |
| Text | Ascii | Stealth (MapViewOfFile) |
| Text | Ascii | Stealth (CreateFileMappingA) |
| Text | Ascii | Stealth (CreateFileMappingW) |
| Text | Ascii | Stealth (VirtualAlloc) |
| Text | Ascii | Stealth (VirtualProtect) |
| Text | Ascii | Execution (CreateProcessW) |
| Text | Ascii | Execution (ShellExecute) |
| Text | Ascii | Execution (ResumeThread) |
| Text | Ascii | Execution (CreateEventW) |
| Text | Unicode | Privileges (SeShutdownPrivilege) |
| Text | Ascii | Stealer malware focused on obtaining CVV codes to conduct unauthorized transactions (CVV) |
| Text | Unicode | Unauthorized movement of funds or data (Transfer) |
| Text | Ascii | Malicious rerouting of traffic to an attacker-controlled site (Redirect) |
| Entry Point | Hex Pattern | Microsoft Visual C++ 8 |
| Entry Point | Hex Pattern | VC8 - Microsoft Corporation |
| Resources |
| Path | DataRVA | Size | FileOffset | Code | Text |
|---|---|---|---|---|---|
| \GIF\IDR_GIF1\0 | E3E54 | 5731 | DBE54 | 474946383961AF003801F70000001F57001E5A00265500225C00285600295B1925571A26581C2959002660002B630A2D6404 | GIF89a..8......W..Z.&U."\.(V.)[.%W.&X.)Y.&.+c.-d. |
| \GIF\IDR_GIF1\1033 | E9588 | 6592 | E1588 | 474946383961AF003801F7000000185200185A00215200215A00216300295200295A00296300316300316B00396B00397308 | GIF89a..8......R..Z.!R.!Z.!c.)R.)Z.)c.1c.1k.9k.9s. |
| \BITMAP\103\0 | EFB1C | 14220 | E7B1C | 28000000DC000000720100000100080000000000F83D0100000000000000000000000000000000005E381000866E51007F64 | (.......r............=..................8...nQ..d |
| \BITMAP\10550\0 | 103D3C | 1B5C | FBD3C | 28000000B40000004B0000000100040000000000F41A00000000000000000000000000000000000000000000000080000080 | (.......K......................................... |
| \BITMAP\10551\0 | 105898 | 38E4 | FD898 | 28000000B40000004B0000000100080000000000BC3400000000000000000000000000000000000000000000000080000080 | (.......K............4............................ |
| \BITMAP\10553\0 | 10917C | 1238 | 10117C | 280000003C0000003C0000000100080000000000100E00000000000000000000000000000000000000000000000080000080 | (...<...<......................................... |
| \BITMAP\10650\0 | 10A3B4 | 6588 | 1023B4 | 28000000A100000098000000010008000000000060610000D40E0000D40E0000000100000001000000000000000080000080 | (...................a............................ |
| \BITMAP\10651\0 | 11093C | 11F88 | 10893C | 28000000A1000000980000000100180000000000601F0100C40E0000C40E0000000000000000000080800080800080800080 | (................................................ |
| \ICON\1\0 | 1228C4 | 668 | 11A8C4 | 28000000300000006000000001000400000000000000000000000000000000001000000000000000FFFFFF00000080000080 | (...0............................................ |
| \ICON\2\0 | 122F2C | 2E8 | 11AF2C | 28000000200000004000000001000400000000000000000000000000000000001000000000000000FFFFFFFF000080000080 | (... ...@......................................... |
| \ICON\3\0 | 123214 | 128 | 11B214 | 28000000100000002000000001000400000000000000000000000000000000001000000000000000FFFFFFFF000080000080 | (....... ......................................... |
| \ICON\4\0 | 12333C | EA8 | 11B33C | 280000003000000060000000010008000000000000000000000000000000000000010000000000004A1602FF9A9A9A006A4E | (...0..................................J.......jN |
| \ICON\5\0 | 1241E4 | 8A8 | 11C1E4 | 280000002000000040000000010008000000000000000000000000000000000000010000000000004A0E024A8E8A829A7A52 | (... ...@...............................J..J....zR |
| \ICON\6\0 | 124A8C | 568 | 11CA8C | 280000001000000020000000010008000000000000000000000000000000000000010000000000003E02024AA282728E6E3E | (....... ...............................>..J..r.n> |
| \ICON\7\0 | 124FF4 | 25A8 | 11CFF4 | 28000000300000006000000001002000000000000000000000000000000000000000000000000000FFFFFF00FFFFFF00FFFF | (...0........ ................................... |
| \ICON\8\0 | 12759C | 10A8 | 11F59C | 28000000200000004000000001002000000000000000000000000000000000000000000000000000FFFFFF00FFFFFF00FFFF | (... ...@..... ................................... |
| \ICON\9\0 | 128644 | 468 | 120644 | 28000000100000002000000001002000000000000000000000000000000000000000000000000000999999309FA2A487A4AA | (....... ..... ............................0...... |
| \ICON\10\0 | 128AAC | 2E8 | 120AAC | 2800000020000000400000000100040000000000800200000000000000000000000000000000000000000000000080000080 | (... ...@......................................... |
| \ICON\11\0 | 128D94 | 2E8 | 120D94 | 2800000020000000400000000100040000000000800200000000000000000000000000000000000000000000000080000080 | (... ...@......................................... |
| \DIALOG\103\0 | 12907C | 1EE | 12107C | 0100FFFF0000000000000000400000400C00000000004C01DA000000000000000800000000015400610068006F006D006100 | ............@..@......L...............T.a.h.o.m.a. |
| \DIALOG\105\0 | 12926C | 286 | 12126C | 0100FFFF0000000000000000400000401000000000004C01DA000000000000000800000000015400610068006F006D006100 | ............@..@......L...............T.a.h.o.m.a. |
| \DIALOG\106\0 | 1294F4 | 2D0 | 1214F4 | 0100FFFF0000000000000000400000401200000000004C01DA000000000000000800000000015400610068006F006D006100 | ............@..@......L...............T.a.h.o.m.a. |
| \DIALOG\107\0 | 1297C4 | 54 | 1217C4 | 0100FFFF0000000000000000C000CA800100000000004C01DA000000000000000800000000015400610068006F006D0061000000000000000000000000000040A500000032000E000C000000FFFF800000000000 | ......................L...............T.a.h.o.m.a..............@....2............... |
| \DIALOG\108\0 | 129818 | 42 | 121818 | 0100FFFF0000000080000000400000900000000000004A003E000000000000000800000000014D0053002000530061006E0073002000530065007200690066000000 | ............@.........J.>.............M.S. .S.a.n.s. .S.e.r.i.f... |
| \DIALOG\109\0 | 12985C | E6 | 12185C | 0100FFFF0000000000000000C008C090040000000000FC0049000000000000000800000000014D0053002000530061006E00 | ........................I.............M.S. .S.a.n. |
| \DIALOG\119\0 | 129944 | 124 | 121944 | 0100FFFF0000000000000000C408C8900700000000003C015A000000000000000800000000014D0053002000530061006E00 | ......................<.Z.............M.S. .S.a.n. |
| \DIALOG\121\0 | 129A68 | D6 | 121A68 | 0100FFFF0000000000000000C408C880050000000000FC004F000000000000000800000000015400610068006F006D006100 | ........................O.............T.a.h.o.m.a. |
| \DIALOG\125\0 | 129B40 | 266 | 121B40 | 0100FFFF0000000000000000400000400F00000000004C01DA000000000000000800000000015400610068006F006D006100 | ............@..@......L...............T.a.h.o.m.a. |
| \DIALOG\126\0 | 129DA8 | 3D8 | 121DA8 | 0100FFFF0000000000000000C408C8800800000000004601B9000000000000000800000000014D0053002000530061006E00 | ......................F...............M.S. .S.a.n. |
| \DIALOG\127\0 | 12A180 | 172 | 122180 | 0100FFFF000000000000000040000040080000000000CC0131010000000000000800000000015400610068006F006D006100 | ............@..@........1.............T.a.h.o.m.a. |
| \DIALOG\128\0 | 12A2F4 | 20C | 1222F4 | 0100FFFF0000000000000000400000400C0000000000CC0131010000000000000800000000015400610068006F006D006100 | ............@..@........1.............T.a.h.o.m.a. |
| \DIALOG\129\0 | 12A500 | 1EA | 122500 | 0100FFFF0000000000000000400000400B0000000000CC0131010000000000000800000000015400610068006F006D006100 | ............@..@........1.............T.a.h.o.m.a. |
| \DIALOG\130\0 | 12A6EC | 212 | 1226EC | 0100FFFF0000000000000000400000400C0000000000CC0131010000000000000800000000015400610068006F006D006100 | ............@..@........1.............T.a.h.o.m.a. |
| \DIALOG\131\0 | 12A900 | 7C | 122900 | 0100FFFF0000000000000000C000CA80010000000000CC0131010000000049006E007300740061006C006C00530068006900 | ........................1.....I.n.s.t.a.l.l.S.h.i. |
| \DIALOG\132\0 | 12A97C | 3CC | 12297C | 0100FFFF0000000000000000C408C8800700000000004601B7000000000000000800000000014D0053002000530061006E00 | ......................F...............M.S. .S.a.n. |
| \DIALOG\1000\0 | 12AD48 | 158 | 122D48 | 0100FFFF0000000000000000C008C09007004E002700FC0062000000000000000800000000015400610068006F006D006100 | ..................N.'...b.............T.a.h.o.m.a. |
| \DIALOG\1001\0 | 12AEA0 | 1EA | 122EA0 | 0100FFFF0000000000000000C008C0900A00000000004C01DA000000000000000800000000014D0053002000530061006E00 | ......................L...............M.S. .S.a.n. |
| \DIALOG\1008\0 | 12B08C | 116 | 12308C | 0100FFFF0000000000000000C008C090040000000000BB0051000000000050006C006500610073006500200065006E007400 | ........................Q.....P.l.e.a.s.e. .e.n.t. |
| \DIALOG\1026\0 | 12B1A4 | EE | 1231A4 | 0100FFFF0000000000000000C008C09004004E002700D4006F000000000000000800000000014D0053002000530061006E00 | ..................N.'...o.............M.S. .S.a.n. |
| \DIALOG\1034\0 | 12B294 | 1D4 | 123294 | 0100FFFF0000000000000000C008C0900A00000000004C01DA000000000000000800000000015400610068006F006D006100 | ......................L...............T.a.h.o.m.a. |
| \DIALOG\3003\0 | 12B468 | 1EC | 123468 | 0100FFFF0000000000000000C008C0900700000000004C01DA000000000000000800000000014D0053002000530061006E00 | ......................L...............M.S. .S.a.n. |
| \DIALOG\3004\0 | 12B654 | 2B8 | 123654 | 0100FFFF0000000000000000C008CA800E0000000000CC0131010000000049006E007300740061006C006C00530068006900 | ........................1.....I.n.s.t.a.l.l.S.h.i. |
| \STRING\69\1033 | 12B90C | 160 | 12390C | 0000000000000000000000000000000000000000000000001A0053006500740075007000200049006E006900740069006100 | ..........................S.e.t.u.p. .I.n.i.t.i.a. |
| \STRING\70\1033 | 12BA6C | 23E | 123A6C | 250043006800650063006B0069006E0067002000570069006E0064006F0077007300280052002900200049006E0073007400 | %.C.h.e.c.k.i.n.g. .W.i.n.d.o.w.s.(.R.). .I.n.s.t. |
| \STRING\71\1033 | 12BCAC | 378 | 123CAC | 000000000000000000001500430068006F006F007300650020005300650074007500700020004C0061006E00670075006100 | ............C.h.o.o.s.e. .S.e.t.u.p. .L.a.n.g.u.a. |
| \STRING\72\1033 | 12C024 | 252 | 124024 | 00000000000000000000000000000000000000000000000000000000F2005300650074007500700020006800610073002000 | ..............................S.e.t.u.p. .h.a.s. . |
| \STRING\73\1033 | 12C278 | 1F4 | 124278 | 2D004500720072006F0072002000650078007400720061006300740069006E006700200025007300200074006F0020007400 | -.E.r.r.o.r. .e.x.t.r.a.c.t.i.n.g. .%.s. .t.o. .t. |
| \STRING\76\1033 | 12C46C | 66C | 12446C | 0700520065007300740061007200740051005300650074007500700020006E006500650064007300200025006C0075002000 | ..R.e.s.t.a.r.t.Q.S.e.t.u.p. .n.e.e.d.s. .%.l.u. . |
| \STRING\101\1033 | 12CAD8 | 366 | 124AD8 | 000000000000000078005400680069007300200073006500740075007000200064006F006500730020006E006F0074002000 | ........x.T.h.i.s. .s.e.t.u.p. .d.o.e.s. .n.o.t. . |
| \STRING\102\1033 | 12CE40 | 27E | 124E40 | 03006D0069006E00030073006500630002004D00420002004B00420004002F0073006500630026004600610069006C006500 | ..m.i.n...s.e.c...M.B...K.B.../.s.e.c.&.F.a.i.l.e. |
| \STRING\103\1033 | 12D0C0 | 518 | 1250C0 | 17002F0055004D003C00750072006C00200074006F0020006D007300690020007000610063006B006100670065003E001800 | ../.U.M.<.u.r.l. .t.o. .m.s.i. .p.a.c.k.a.g.e.>... |
| \STRING\104\1033 | 12D5D8 | 882 | 1255D8 | F200530065007400750070002000680061007300200064006500740065006300740065006400200061006E00200069006E00 | ..S.e.t.u.p. .h.a.s. .d.e.t.e.c.t.e.d. .a.n. .i.n. |
| \STRING\105\1033 | 12DE5C | 23E | 125E5C | 0A00450078007400720061006300740069006E0067000B0044006F0077006E006C006F006100640069006E00670007005300 | ..E.x.t.r.a.c.t.i.n.g...D.o.w.n.l.o.a.d.i.n.g...S. |
| \STRING\107\1033 | 12E09C | 3BA | 12609C | 00000000000000000000000095005400680069007300200069006E007300740061006C006C006100740069006F006E002000 | ..............T.h.i.s. .i.n.s.t.a.l.l.a.t.i.o.n. . |
| \STRING\108\1033 | 12E458 | 12C | 126458 | 1B00260050006100740063006800200061006E0020006500780069007300740069006E006700200069006E00730074006100 | ..&.P.a.t.c.h. .a.n. .e.x.i.s.t.i.n.g. .i.n.s.t.a. |
| \STRING\113\1033 | 12E584 | 4A | 126584 | 0000000000000000000000000000000000000000000000001500430068006F006F007300650020005300650074007500700020004C0061006E0067007500610067006500000000000000 | ..........................C.h.o.o.s.e. .S.e.t.u.p. .L.a.n.g.u.a.g.e....... |
| \STRING\114\1033 | 12E5D0 | DA | 1265D0 | 00000000000000004000530065006C00650063007400200074006800650020006C0061006E00670075006100670065002000 | ........@.S.e.l.e.c.t. .t.h.e. .l.a.n.g.u.a.g.e. . |
| \STRING\115\1033 | 12E6AC | 110 | 1266AC | 0000000000000000000000000000000000000000070026004E0065007800740020003E0007003C0020002600420061006300 | ......................&.N.e.x.t. .>...<. .&.B.a.c. |
| \STRING\116\1033 | 12E7BC | 20A | 1267BC | 6C00430061007500740069006F006E003A002000250073002000610066006600690072006D00730020007400680069007300 | l.C.a.u.t.i.o.n.:. .%.s. .a.f.f.i.r.m.s. .t.h.i.s. |
| \STRING\117\1033 | 12E9C8 | BA | 1269C8 | 0000000000000000000000000000000000000F0050007200650070006100720069006E006700200053006500740075007000 | ....................P.r.e.p.a.r.i.n.g. .S.e.t.u.p. |
| \STRING\118\1033 | 12EA84 | A8 | 126A84 | 0600460069006E006900730068000F005400720061006E007300660065007200200072006100740065003A00200014004500 | ..F.i.n.i.s.h...T.r.a.n.s.f.e.r. .r.a.t.e.:. ...E. |
| \STRING\119\1033 | 12EB2C | 12A | 126B2C | 0A0045007800690074002000530065007400750070002A00410072006500200079006F007500200073007500720065002000 | ..E.x.i.t. .S.e.t.u.p.*.A.r.e. .y.o.u. .s.u.r.e. . |
| \STRING\120\1033 | 12EC58 | 422 | 126C58 | 4200530065006C006500630074002000740068006500200061007000700072006F0070007200690061007400650020006100 | B.S.e.l.e.c.t. .t.h.e. .a.p.p.r.o.p.r.i.a.t.e. .a. |
| \STRING\126\1033 | 12F07C | 5C2 | 12707C | 0000780025007300200053006500740075007000200069007300200070007200650070006100720069006E00670020007400 | ..x.%.s. .S.e.t.u.p. .i.s. .p.r.e.p.a.r.i.n.g. .t. |
| \STRING\134\1033 | 12F640 | 40 | 127640 | 00000000000000000000000000000000000000000000000000000000000010005300650063007500720069007400790020005700610072006E0069006E006700 | ................................S.e.c.u.r.i.t.y. .W.a.r.n.i.n.g. |
| \STRING\135\1033 | 12F680 | CAA | 127680 | 1E0044006F00200079006F0075002000770061006E007400200074006F002000720075006E00200074006800690073002000 | ..D.o. .y.o.u. .w.a.n.t. .t.o. .r.u.n. .t.h.i.s. . |
| \STRING\138\1033 | 13032C | 284 | 12832C | 000000001E0049006E007300740061006C006C0053006800690065006C006400200053006500740075007000200050006C00 | ......I.n.s.t.a.l.l.S.h.i.e.l.d. .S.e.t.u.p. .P.l. |
| \GROUP_ICON\100\0 | 1305B0 | 84 | 1285B0 | 00000100090030301000010004006806000001002020100001000400E8020000020010101000010004002801000003003030 | ......00......h..... ....................(.....00 |
| \GROUP_ICON\112\0 | 130634 | 14 | 128634 | 0000010001002020100001000400E80200000B00 | ...... ............ |
| \GROUP_ICON\217\0 | 130648 | 14 | 128648 | 0000010001002020100001000400E80200000A00 | ...... ............ |
| \VERSION\1\0 | 13065C | 418 | 12865C | 180434000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE000001000100 | ..4...V.S._.V.E.R.S.I.O.N._.I.N.F.O............... |
| \24\1\0 | 130A74 | 4AF | 128A74 | 3C3F786D6C2076657273696F6E3D22312E302220656E636F64696E673D225554462D3822207374616E64616C6F6E653D2279 | <?xml version="1.0" encoding="UTF-8" standalone="y |
| Intelligent String |

• .EXE
• Kernel32.dll
• msi.dll
• BetaMarker.dat
• EvalMarker.dat
• ISSetup.dll
• setup.exe
• _ISMSIDEL.INI
• explorer.exe
• http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d : 0x%x&ErrorInfo=%s
• Failed to read setup package: %s name from Setup.ini
• C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\diskaction.cpp
• .ini
• wintrust.dll
• crypt32.dll
• /ForceROT
• C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\IsMsiHelper.cpp
• setup.ini
• Setup.iss
• runas
• WinInet.dll
• *.mst
• C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\msiaction.cpp
• dotnetredist.exe
• dotnetfx.exe
• dotnetredistSp3.exe
• .mst
• Msi.DLL
• "%s" /c:"msiinst /delayrebootq"
• SHFolder.dll
• dotnetfxsp1.exe
• Getting file from setup.exe
• IsConfig.ini
• vjredist20-LP.exe
• vjredist-LP.exe
• langpack20.exe
• langpack.exe
• /q:a /c:"install /q"
• vjredist20.exe
• vjredist.exe
• dotnetfx20.exe
• isnetfx.exe
• 3.0.0.0
• 2.0.0.0
• instmsi30.exe
• WindowsInstaller-KB893803-x86.exe
• Failed to get UI DLL from setup.exe for billboard support. This installation will run without billboards.
• 4.05.0.0
• :InstanceId%d.mst
• Data.Cab
• Setup.bmp
• 2.9.0.0
• C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\session.cpp
• 0x%04x.ini
• Using language transforms from setup.exe location
• Dumping setup.ini...
• CSetup.INI
• INSTMSIA.EXE
• INSTMSIW.EXE
• MSIEXEC.EXE
• .MST
• setup.isn
• %s\%04x.mst
• %s\0x%04x.ini
• C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup.cpp
• InstallShield setup.exe (Unicode) started, cmdline: %s
• C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\utils.cpp
• kernel32.dll
• Advapi32.lib
• advapi32.dll
• mlang.dll
• KERNEL32.DLL
• oleaut32.dll
• shell32.dll
• .tmp
• Ntdll.dll
• psapi.dll
• PSTORES.EXE
• .OCX
• .DLL
• .TLB
• RPAWINET.DLL
• wininet.dll
• Crypt32.dll
• Advapi32.dll
• 2.5.4.10
• 2.5.4.11
• 2.5.4.3
• mscoree.dll
• ADVAPI32.DLL
• InstallShield.log
• C:\CodeBases\isdev\src\Runtime\MSI\Shared\Setup\Setup___Win32_Release_Unicode\setup.pdb
• KERNEL32.dll
• MessageBoxW/CharNextW[CreateDialogIndirectParamW
• USER32.dll
• RPCRT4.dll
• .?AVPasswdDlg@@xK
• InstallShield Setup.exe
• .pTG
| Flow Anomalies |
| Offset | RVA | Section | Type | Description |
|---|---|---|---|---|
| 6B4 | 4B03CC | .text | CALL [static] | Indirect call to absolute memory address |
| 6CD | 4B0370 | .text | CALL [static] | Indirect call to absolute memory address |
| 6E7 | 4B036C | .text | CALL [static] | Indirect call to absolute memory address |
| 83E | 4B0058 | .text | CALL [static] | Indirect call to absolute memory address |
| 89A | 4B0054 | .text | CALL [static] | Indirect call to absolute memory address |
| 910 | 4B0050 | .text | CALL [static] | Indirect call to absolute memory address |
| 97C | 4B0050 | .text | CALL [static] | Indirect call to absolute memory address |
| 1408 | 4B036C | .text | CALL [static] | Indirect call to absolute memory address |
| 147A | 4B0370 | .text | CALL [static] | Indirect call to absolute memory address |
| 162C | 4B03D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 1655 | 4B03D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 20A5 | 4B0364 | .text | CALL [static] | Indirect call to absolute memory address |
| 254B | 4B03CC | .text | CALL [static] | Indirect call to absolute memory address |
| 31A7 | 4B03CC | .text | CALL [static] | Indirect call to absolute memory address |
| 3A87 | 4B0348 | .text | CALL [static] | Indirect call to absolute memory address |
| 3B14 | 4B0348 | .text | CALL [static] | Indirect call to absolute memory address |
| 426D | 4B03D0 | .text | CALL [static] | Indirect call to absolute memory address |
| 4A45 | 4B0364 | .text | CALL [static] | Indirect call to absolute memory address |
| 4A7A | 4B03CC | .text | CALL [static] | Indirect call to absolute memory address |
| 4AED | 4B03CC | .text | CALL [static] | Indirect call to absolute memory address |
| 4BE7 | 4B0368 | .text | CALL [static] | Indirect call to absolute memory address |
| 4C3D | 4B0368 | .text | CALL [static] | Indirect call to absolute memory address |
| 4CB3 | 4B0368 | .text | CALL [static] | Indirect call to absolute memory address |
| 4D1D | 4B0354 | .text | CALL [static] | Indirect call to absolute memory address |
| 4D2F | 4B0358 | .text | CALL [static] | Indirect call to absolute memory address |
| 4D42 | 4B035C | .text | CALL [static] | Indirect call to absolute memory address |
| 4D60 | 4B0360 | .text | CALL [static] | Indirect call to absolute memory address |
| 4D67 | 4B0364 | .text | CALL [static] | Indirect call to absolute memory address |
| 4EA7 | 4B0350 | .text | CALL [static] | Indirect call to absolute memory address |
| 4EC3 | 4B0364 | .text | CALL [static] | Indirect call to absolute memory address |
| 4F07 | 4B034C | .text | CALL [static] | Indirect call to absolute memory address |
| 4FEC | 4B0350 | .text | CALL [static] | Indirect call to absolute memory address |
| 5000 | 4B0354 | .text | CALL [static] | Indirect call to absolute memory address |
| 5012 | 4B0358 | .text | CALL [static] | Indirect call to absolute memory address |
| 5025 | 4B035C | .text | CALL [static] | Indirect call to absolute memory address |
| 507B | 4B0360 | .text | CALL [static] | Indirect call to absolute memory address |
| 5084 | 4B0364 | .text | CALL [static] | Indirect call to absolute memory address |
| 508D | 4B0364 | .text | CALL [static] | Indirect call to absolute memory address |
| 52B8 | 4B0348 | .text | CALL [static] | Indirect call to absolute memory address |
| 549F | 4B0340 | .text | CALL [static] | Indirect call to absolute memory address |
| 54E1 | 4B0344 | .text | CALL [static] | Indirect call to absolute memory address |
| 6006 | 4B033C | .text | CALL [static] | Indirect call to absolute memory address |
| 6673 | 4B0350 | .text | CALL [static] | Indirect call to absolute memory address |
| 6BF2 | 4B03CC | .text | CALL [static] | Indirect call to absolute memory address |
| 6C1F | 4B03D8 | .text | CALL [static] | Indirect call to absolute memory address |
| 6C3D | 4B03D4 | .text | CALL [static] | Indirect call to absolute memory address |
| 7BFD | 4B0370 | .text | CALL [static] | Indirect call to absolute memory address |
| 7C7C | 4B0370 | .text | CALL [static] | Indirect call to absolute memory address |
| 7CF6 | 4B0370 | .text | CALL [static] | Indirect call to absolute memory address |
| 836B | 4B0370 | .text | CALL [static] | Indirect call to absolute memory address |
| 8F6E | 4B0354 | .text | CALL [static] | Indirect call to absolute memory address |
| 8F94 | 4B0334 | .text | CALL [static] | Indirect call to absolute memory address |
| 8FB6 | 4B0340 | .text | CALL [static] | Indirect call to absolute memory address |
| 8FC5 | 4B0368 | .text | CALL [static] | Indirect call to absolute memory address |
| 8FFD | 4B0338 | .text | CALL [static] | Indirect call to absolute memory address |
| 9010 | 4B0334 | .text | CALL [static] | Indirect call to absolute memory address |
| 902E | 4B0340 | .text | CALL [static] | Indirect call to absolute memory address |
| 904F | 4B0338 | .text | CALL [static] | Indirect call to absolute memory address |
| 94C8 | 4B0370 | .text | CALL [static] | Indirect call to absolute memory address |
| 9547 | 4B0370 | .text | CALL [static] | Indirect call to absolute memory address |
| 98BD | 4B032C | .text | CALL [static] | Indirect call to absolute memory address |
| 98DF | 4B032C | .text | CALL [static] | Indirect call to absolute memory address |
| 98FD | 4B036C | .text | CALL [static] | Indirect call to absolute memory address |
| 9947 | 4B0370 | .text | CALL [static] | Indirect call to absolute memory address |
| 9AAD | 4B0350 | .text | CALL [static] | Indirect call to absolute memory address |
| B99C | 4B0290 | .text | CALL [static] | Indirect call to absolute memory address |
| BB4D | 4B0324 | .text | CALL [static] | Indirect call to absolute memory address |
| BF57 | 4B050C | .text | JMP [static] | Indirect jump to absolute memory address |
| BF88 | 4B0510 | .text | CALL [static] | Indirect call to absolute memory address |
| BF9F | 4B0514 | .text | CALL [static] | Indirect call to absolute memory address |
| BFA7 | 4B0518 | .text | CALL [static] | Indirect call to absolute memory address |
| BFC8 | 4B051C | .text | CALL [static] | Indirect call to absolute memory address |
| C003 | 4B04F0 | .text | CALL [static] | Indirect call to absolute memory address |
| C012 | 4B04F4 | .text | CALL [static] | Indirect call to absolute memory address |
| C01D | 4B00C0 | .text | CALL [static] | Indirect call to absolute memory address |
| C030 | 4B04F8 | .text | CALL [static] | Indirect call to absolute memory address |
| C051 | 4B04FC | .text | CALL [static] | Indirect call to absolute memory address |
| C067 | 4B0504 | .text | CALL [static] | Indirect call to absolute memory address |
| C071 | 4B0508 | .text | CALL [static] | Indirect call to absolute memory address |
| C67C | 4B0324 | .text | CALL [static] | Indirect call to absolute memory address |
| C780 | 4B02E8 | .text | CALL [static] | Indirect call to absolute memory address |
| C7B0 | 4B02EC | .text | CALL [static] | Indirect call to absolute memory address |
| C807 | 4B02F0 | .text | CALL [static] | Indirect call to absolute memory address |
| C8F9 | 4B030C | .text | CALL [static] | Indirect call to absolute memory address |
| C917 | 4B0310 | .text | CALL [static] | Indirect call to absolute memory address |
| C940 | 4B0314 | .text | CALL [static] | Indirect call to absolute memory address |
| C96D | 4B0318 | .text | CALL [static] | Indirect call to absolute memory address |
| C9A7 | 4B031C | .text | CALL [static] | Indirect call to absolute memory address |
| C9B8 | 4B0320 | .text | CALL [static] | Indirect call to absolute memory address |
| C9C3 | 4B0328 | .text | CALL [static] | Indirect call to absolute memory address |
| C9D3 | 4B01EC | .text | CALL [static] | Indirect call to absolute memory address |
| C9DC | 4B0378 | .text | CALL [static] | Indirect call to absolute memory address |
| CB8F | 4B02F8 | .text | CALL [static] | Indirect call to absolute memory address |
| CBA3 | 4B0300 | .text | CALL [static] | Indirect call to absolute memory address |
| CCC2 | 4B02FC | .text | CALL [static] | Indirect call to absolute memory address |
| CCD6 | 4B0300 | .text | CALL [static] | Indirect call to absolute memory address |
| CD8D | 4B0290 | .text | CALL [static] | Indirect call to absolute memory address |
| CE13 | 4B03D8 | .text | CALL [static] | Indirect call to absolute memory address |
| CE35 | 4B03D8 | .text | CALL [static] | Indirect call to absolute memory address |
| CE5A | 4B03CC | .text | CALL [static] | Indirect call to absolute memory address |
| F1E6D-F1E7A | N/A | .rsrc | Potential obfuscated jump sequence detected, count: 7 | |
| F2108-F2119 | N/A | .rsrc | Potential obfuscated jump sequence detected, count: 9 | |
| F21E1-F21F4 | N/A | .rsrc | Potential obfuscated jump sequence detected, count: 10 | |
| F22C3-F22D0 | N/A | .rsrc | Potential obfuscated jump sequence detected, count: 7 | |
| 129000 | N/A | *Overlay* | 4953536574757053747265616D00030003000000 | ISSetupStream....... |
| Extra Analysis |
| Metric | Value | Percentage |
|---|---|---|
| Ascii Code | 2223488 | 63,9994% |
| Null Byte Code | 193357 | 5,5655% |
© 2026 All rights reserved.