Edit tour

Windows Analysis Report
ActiveBarcode-Setup6.12.0.exe

Overview

General Information

Sample Name:	ActiveBarcode-Setup6.12.0.exe
Analysis ID:	1331375
MD5:	7791a8a48af7782006dd4ccfad1cb14d
SHA1:	ce90c961462da6e025ba7c074ef1538e28e3d82c
SHA256:	cdcb9279fb747d04999c0c12476bfe38e7ae413365ff8eef9310c1be21d17078
Infos:

Detection

Score:	4
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Compliance

Score:	52
Range:	0 - 100

Signatures

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Drops PE files to the application program directory (C:\ProgramData)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Creates files inside the system directory

Stores files to the Windows start menu directory

Found dropped PE file which has not been started or loaded

Modifies existing windows services

Adds / modifies Windows certificates

Drops PE files

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Queries keyboard layouts

Checks for available system drives (often done to infect USB drives)

Creates or modifies windows services

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample searches for specific file, try point organization specific fake files to the analysis machine

Process Tree

System is w10x64_ra

ActiveBarcode-Setup6.12.0.exe (PID: 5544 cmdline: C:\Users\user\Desktop\ActiveBarcode-Setup6.12.0.exe MD5: 7791A8A48AF7782006DD4CCFAD1CB14D)

ActiveBarcode-Setup6.12.0.tmp (PID: 6300 cmdline: "C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp" /SL5="$5033A,35135642,121344,C:\Users\user\Desktop\ActiveBarcode-Setup6.12.0.exe" MD5: D37F2C5CAC5747F6321F90C095DCE0FD)

vc_redist.x64.exe (PID: 6124 cmdline: "C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe" /passive /norestart MD5: 45B47F4214DDC9F4782363A38504C9D2)

vc_redist.x64.exe (PID: 2916 cmdline: "C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe" /passive /norestart -burn.unelevated BurnPipe.{4F78198D-CCF4-4BDA-B229-9F6ECD155586} {4F97EF20-8ED2-4EE3-ADE3-D632CD31AA0A} 6124 MD5: 45B47F4214DDC9F4782363A38504C9D2)

vc_redist.x86.exe (PID: 4612 cmdline: "C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe" /passive /norestart MD5: A3CB49DAA1347FFE34B517F1A12F40AB)

vc_redist.x86.exe (PID: 4284 cmdline: "C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe" /passive /norestart -burn.unelevated BurnPipe.{47F62FCB-416C-4BBB-9E18-CDA7A796F212} {D21067EF-2E64-4E1B-B04F-EE78644A74D1} 4612 MD5: A3CB49DAA1347FFE34B517F1A12F40AB)

msiexec.exe (PID: 6812 cmdline: "msiexec.exe" /i C:\Users\user\AppData\Local\Temp\is-483BE.tmp\ActiveBarcode.x86.msi MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 3416 cmdline: "msiexec.exe" /i C:\Users\user\AppData\Local\Temp\is-483BE.tmp\ActiveBarcode.x64.msi MD5: 9D09DC1EDA745A5F87553048E57620CF)

ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.exe (PID: 1180 cmdline: "C:\Program Files (x86)\ActiveBarcode\excel\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.exe" /SILENT MD5: D567E7D9EB838A16C601E3E3CEA0C83F)

ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.tmp (PID: 3192 cmdline: "C:\Users\user\AppData\Local\Temp\is-HNIRC.tmp\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.tmp" /SL5="$A02C0,481838,121344,C:\Program Files (x86)\ActiveBarcode\excel\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.exe" /SILENT MD5: A37C67C02D9C55EDCA3BD37B276A4ADA)

ActiveBarcode-Add-In-for-Word-Setup-1.1.0.exe (PID: 420 cmdline: "C:\Program Files (x86)\ActiveBarcode\word\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.exe" /SILENT MD5: 3EC4D0F37CDF888018A109816DEB41F2)

ActiveBarcode-Add-In-for-Word-Setup-1.1.0.tmp (PID: 6072 cmdline: "C:\Users\user\AppData\Local\Temp\is-U4BAJ.tmp\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.tmp" /SL5="$902D2,361899,121344,C:\Program Files (x86)\ActiveBarcode\word\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.exe" /SILENT MD5: 509F520729C3E6EFEF76ACE2CE206D45)

ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.exe (PID: 5196 cmdline: "C:\Program Files (x86)\ActiveBarcode\powerpoint\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.exe" /SILENT MD5: 22EC2A1988C8789D3F9D3E97F6E76EA8)

ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.tmp (PID: 3024 cmdline: "C:\Users\user\AppData\Local\Temp\is-AC17U.tmp\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.tmp" /SL5="$A02CE,385517,121344,C:\Program Files (x86)\ActiveBarcode\powerpoint\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.exe" /SILENT MD5: 0544949ED66EFF058CB7E1311C104CDD)

SrTasks.exe (PID: 5976 cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1 MD5: 2694D2D28C368B921686FE567BD319EB)

conhost.exe (PID: 6444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 6112 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

SrTasks.exe (PID: 5292 cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2 MD5: 2694D2D28C368B921686FE567BD319EB)

conhost.exe (PID: 5552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SrTasks.exe (PID: 5824 cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3 MD5: 2694D2D28C368B921686FE567BD319EB)

conhost.exe (PID: 4864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Program Files (x86)\ActiveBarcode\is-ISS3T.tmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Program Files (x86)\ActiveBarcode\is-LA3N5.tmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Program Files (x86)\ActiveBarcode\is-ISS3T.tmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Program Files (x86)\ActiveBarcode\is-LA3N5.tmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• Compliance
• Spreading
• System Summary
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Compliance

Uses 32bit PE files

Source: ActiveBarcode-Setup6.12.0.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Found installer window with terms and condition text

Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.This declaration (AGB) is based on and bound to German law so it's published in German language. The declaration in German language can be found at the end of this document.English translation: This is an automatic translation of the major points of our AGB. If you have questions on this please contact us by Email.General business conditions1. validity & generalThe following business conditions apply to all orders. The buyer acknowledges these conditions with his order.Changes or supplements to these business conditions may be encountered only in written form.The exchange and the withdrawal of software and licenses is excluded!2. offer & pricesOur offers result always subject to change and non-binding.3. deliveryThe delivery results always on danger and on costs of the customer.4. paymentWe offer different payment methods that are listed in our internet-offer.5. property reservationThe delivered software will remain to our property until it's completely payed.6. license conditionsIt is illegal to pass the licenced version to any other persons. Each license allows you to use the licenced version on a specified number of PC's. If you want to use the software on other or more computers you must purchase a additional licence. Illegal distribution of registered version will be prosecuted to the full extent of the law.Changes in any files disassembling reverse engineering patching of this program its help files is documentation its components (OCX) or dynamic link libraries (DLLs) is expressly prohibited.The full license conditions can be found in the file SetupGuide.pdf. This file is readable before the installation.7. guaranteeThe exchange and the withdrawal of software and licenses is excluded!The software is sold "as is". We give no guarantee for a specific usage of the software. We also give no guarantee for the satisfaction of needs of the customer.8. compensationCompensation claims are excluded.___________________Allgemeine Geschftsbedingungen1. Geltung & AllgemeinesDie folgenden Geschftsbedingungen gelten fr alle Bestellungen. Der Kufer erkennt diese Bedingungen mit der Auftragserteilung an.nderungen Ergnzungen und/oder Nebenabrenden zu diesen Geschftsbedingungen drfen nur schriftlich getroffen werden.Fr Privatkunden:Gesetzlich vorgeschriebene Aufklrung ber Widerrufsrecht bzw. Rckgaberecht: Gem 3 FernAbsG sowie 361a BGB (neu) hat der Kufer die Mglichkeit jeden Vertragsabschlu im Fernabsatz innerhalb einer Frist von 2 Wochen zu widerrufen. Diese Frist beginnt mit dem Empfang der Lieferung. Die Kosten fr die Rcksendung trgt der Kunde sofern der Auftragswert einen Betrag von 40 EUR nicht berschreitet.Einschrnkungen zum Widerrufsrecht bzw. Rckgaberecht: Gem 3 Abs. 2.1 FernAbsG gilt dies nicht bei Fernabsatzver
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.This declaration (AGB) is based on and bound to German law so it's published in German language. The declaration in German language can be found at the end of this document.English translation: This is an automatic translation of the major points of our AGB. If you have questions on this please contact us by Email.General business conditions1. validity & generalThe following business conditions apply to all orders. The buyer acknowledges these conditions with his order.Changes or supplements to these business conditions may be encountered only in written form.The exchange and the withdrawal of software and licenses is excluded!2. offer & pricesOur offers result always subject to change and non-binding.3. deliveryThe delivery results always on danger and on costs of the customer.4. paymentWe offer different payment methods that are listed in our internet-offer.5. property reservationThe delivered software will remain to our property until it's completely payed.6. license conditionsIt is illegal to pass the licenced version to any other persons. Each license allows you to use the licenced version on a specified number of PC's. If you want to use the software on other or more computers you must purchase a additional licence. Illegal distribution of registered version will be prosecuted to the full extent of the law.Changes in any files disassembling reverse engineering patching of this program its help files is documentation its components (OCX) or dynamic link libraries (DLLs) is expressly prohibited.The full license conditions can be found in the file SetupGuide.pdf. This file is readable before the installation.7. guaranteeThe exchange and the withdrawal of software and licenses is excluded!The software is sold "as is". We give no guarantee for a specific usage of the software. We also give no guarantee for the satisfaction of needs of the customer.8. compensationCompensation claims are excluded.___________________Allgemeine Geschftsbedingungen1. Geltung & AllgemeinesDie folgenden Geschftsbedingungen gelten fr alle Bestellungen. Der Kufer erkennt diese Bedingungen mit der Auftragserteilung an.nderungen Ergnzungen und/oder Nebenabrenden zu diesen Geschftsbedingungen drfen nur schriftlich getroffen werden.Fr Privatkunden:Gesetzlich vorgeschriebene Aufklrung ber Widerrufsrecht bzw. Rckgaberecht: Gem 3 FernAbsG sowie 361a BGB (neu) hat der Kufer die Mglichkeit jeden Vertragsabschlu im Fernabsatz innerhalb einer Frist von 2 Wochen zu widerrufen. Diese Frist beginnt mit dem Empfang der Lieferung. Die Kosten fr die Rcksendung trgt der Kunde sofern der Auftragswert einen Betrag von 40 EUR nicht berschreitet.Einschrnkungen zum Widerrufsrecht bzw. Rckgaberecht: Gem 3 Abs. 2.1 FernAbsG gilt dies nicht bei Fernabsatzver
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.This declaration (AGB) is based on and bound to German law so it's published in German language. The declaration in German language can be found at the end of this document.English translation: This is an automatic translation of the major points of our AGB. If you have questions on this please contact us by Email.General business conditions1. validity & generalThe following business conditions apply to all orders. The buyer acknowledges these conditions with his order.Changes or supplements to these business conditions may be encountered only in written form.The exchange and the withdrawal of software and licenses is excluded!2. offer & pricesOur offers result always subject to change and non-binding.3. deliveryThe delivery results always on danger and on costs of the customer.4. paymentWe offer different payment methods that are listed in our internet-offer.5. property reservationThe delivered software will remain to our property until it's completely payed.6. license conditionsIt is illegal to pass the licenced version to any other persons. Each license allows you to use the licenced version on a specified number of PC's. If you want to use the software on other or more computers you must purchase a additional licence. Illegal distribution of registered version will be prosecuted to the full extent of the law.Changes in any files disassembling reverse engineering patching of this program its help files is documentation its components (OCX) or dynamic link libraries (DLLs) is expressly prohibited.The full license conditions can be found in the file SetupGuide.pdf. This file is readable before the installation.7. guaranteeThe exchange and the withdrawal of software and licenses is excluded!The software is sold "as is". We give no guarantee for a specific usage of the software. We also give no guarantee for the satisfaction of needs of the customer.8. compensationCompensation claims are excluded.___________________Allgemeine Geschftsbedingungen1. Geltung & AllgemeinesDie folgenden Geschftsbedingungen gelten fr alle Bestellungen. Der Kufer erkennt diese Bedingungen mit der Auftragserteilung an.nderungen Ergnzungen und/oder Nebenabrenden zu diesen Geschftsbedingungen drfen nur schriftlich getroffen werden.Fr Privatkunden:Gesetzlich vorgeschriebene Aufklrung ber Widerrufsrecht bzw. Rckgaberecht: Gem 3 FernAbsG sowie 361a BGB (neu) hat der Kufer die Mglichkeit jeden Vertragsabschlu im Fernabsatz innerhalb einer Frist von 2 Wochen zu widerrufen. Diese Frist beginnt mit dem Empfang der Lieferung. Die Kosten fr die Rcksendung trgt der Kunde sofern der Auftragswert einen Betrag von 40 EUR nicht berschreitet.Einschrnkungen zum Widerrufsrecht bzw. Rckgaberecht: Gem 3 Abs. 2.1 FernAbsG gilt dies nicht bei Fernabsatzver
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.This declaration (AGB) is based on and bound to German law so it's published in German language. The declaration in German language can be found at the end of this document.English translation: This is an automatic translation of the major points of our AGB. If you have questions on this please contact us by Email.General business conditions1. validity & generalThe following business conditions apply to all orders. The buyer acknowledges these conditions with his order.Changes or supplements to these business conditions may be encountered only in written form.The exchange and the withdrawal of software and licenses is excluded!2. offer & pricesOur offers result always subject to change and non-binding.3. deliveryThe delivery results always on danger and on costs of the customer.4. paymentWe offer different payment methods that are listed in our internet-offer.5. property reservationThe delivered software will remain to our property until it's completely payed.6. license conditionsIt is illegal to pass the licenced version to any other persons. Each license allows you to use the licenced version on a specified number of PC's. If you want to use the software on other or more computers you must purchase a additional licence. Illegal distribution of registered version will be prosecuted to the full extent of the law.Changes in any files disassembling reverse engineering patching of this program its help files is documentation its components (OCX) or dynamic link libraries (DLLs) is expressly prohibited.The full license conditions can be found in the file SetupGuide.pdf. This file is readable before the installation.7. guaranteeThe exchange and the withdrawal of software and licenses is excluded!The software is sold "as is". We give no guarantee for a specific usage of the software. We also give no guarantee for the satisfaction of needs of the customer.8. compensationCompensation claims are excluded.___________________Allgemeine Geschftsbedingungen1. Geltung & AllgemeinesDie folgenden Geschftsbedingungen gelten fr alle Bestellungen. Der Kufer erkennt diese Bedingungen mit der Auftragserteilung an.nderungen Ergnzungen und/oder Nebenabrenden zu diesen Geschftsbedingungen drfen nur schriftlich getroffen werden.Fr Privatkunden:Gesetzlich vorgeschriebene Aufklrung ber Widerrufsrecht bzw. Rckgaberecht: Gem 3 FernAbsG sowie 361a BGB (neu) hat der Kufer die Mglichkeit jeden Vertragsabschlu im Fernabsatz innerhalb einer Frist von 2 Wochen zu widerrufen. Diese Frist beginnt mit dem Empfang der Lieferung. Die Kosten fr die Rcksendung trgt der Kunde sofern der Auftragswert einen Betrag von 40 EUR nicht berschreitet.Einschrnkungen zum Widerrufsrecht bzw. Rckgaberecht: Gem 3 Abs. 2.1 FernAbsG gilt dies nicht bei Fernabsatzver
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.This declaration (AGB) is based on and bound to German law so it's published in German language. The declaration in German language can be found at the end of this document.English translation: This is an automatic translation of the major points of our AGB. If you have questions on this please contact us by Email.General business conditions1. validity & generalThe following business conditions apply to all orders. The buyer acknowledges these conditions with his order.Changes or supplements to these business conditions may be encountered only in written form.The exchange and the withdrawal of software and licenses is excluded!2. offer & pricesOur offers result always subject to change and non-binding.3. deliveryThe delivery results always on danger and on costs of the customer.4. paymentWe offer different payment methods that are listed in our internet-offer.5. property reservationThe delivered software will remain to our property until it's completely payed.6. license conditionsIt is illegal to pass the licenced version to any other persons. Each license allows you to use the licenced version on a specified number of PC's. If you want to use the software on other or more computers you must purchase a additional licence. Illegal distribution of registered version will be prosecuted to the full extent of the law.Changes in any files disassembling reverse engineering patching of this program its help files is documentation its components (OCX) or dynamic link libraries (DLLs) is expressly prohibited.The full license conditions can be found in the file SetupGuide.pdf. This file is readable before the installation.7. guaranteeThe exchange and the withdrawal of software and licenses is excluded!The software is sold "as is". We give no guarantee for a specific usage of the software. We also give no guarantee for the satisfaction of needs of the customer.8. compensationCompensation claims are excluded.___________________Allgemeine Geschftsbedingungen1. Geltung & AllgemeinesDie folgenden Geschftsbedingungen gelten fr alle Bestellungen. Der Kufer erkennt diese Bedingungen mit der Auftragserteilung an.nderungen Ergnzungen und/oder Nebenabrenden zu diesen Geschftsbedingungen drfen nur schriftlich getroffen werden.Fr Privatkunden:Gesetzlich vorgeschriebene Aufklrung ber Widerrufsrecht bzw. Rckgaberecht: Gem 3 FernAbsG sowie 361a BGB (neu) hat der Kufer die Mglichkeit jeden Vertragsabschlu im Fernabsatz innerhalb einer Frist von 2 Wochen zu widerrufen. Diese Frist beginnt mit dem Empfang der Lieferung. Die Kosten fr die Rcksendung trgt der Kunde sofern der Auftragswert einen Betrag von 40 EUR nicht berschreitet.Einschrnkungen zum Widerrufsrecht bzw. Rckgaberecht: Gem 3 Abs. 2.1 FernAbsG gilt dies nicht bei Fernabsatzver
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.This declaration (AGB) is based on and bound to German law so it's published in German language. The declaration in German language can be found at the end of this document.English translation: This is an automatic translation of the major points of our AGB. If you have questions on this please contact us by Email.General business conditions1. validity & generalThe following business conditions apply to all orders. The buyer acknowledges these conditions with his order.Changes or supplements to these business conditions may be encountered only in written form.The exchange and the withdrawal of software and licenses is excluded!2. offer & pricesOur offers result always subject to change and non-binding.3. deliveryThe delivery results always on danger and on costs of the customer.4. paymentWe offer different payment methods that are listed in our internet-offer.5. property reservationThe delivered software will remain to our property until it's completely payed.6. license conditionsIt is illegal to pass the licenced version to any other persons. Each license allows you to use the licenced version on a specified number of PC's. If you want to use the software on other or more computers you must purchase a additional licence. Illegal distribution of registered version will be prosecuted to the full extent of the law.Changes in any files disassembling reverse engineering patching of this program its help files is documentation its components (OCX) or dynamic link libraries (DLLs) is expressly prohibited.The full license conditions can be found in the file SetupGuide.pdf. This file is readable before the installation.7. guaranteeThe exchange and the withdrawal of software and licenses is excluded!The software is sold "as is". We give no guarantee for a specific usage of the software. We also give no guarantee for the satisfaction of needs of the customer.8. compensationCompensation claims are excluded.___________________Allgemeine Geschftsbedingungen1. Geltung & AllgemeinesDie folgenden Geschftsbedingungen gelten fr alle Bestellungen. Der Kufer erkennt diese Bedingungen mit der Auftragserteilung an.nderungen Ergnzungen und/oder Nebenabrenden zu diesen Geschftsbedingungen drfen nur schriftlich getroffen werden.Fr Privatkunden:Gesetzlich vorgeschriebene Aufklrung ber Widerrufsrecht bzw. Rckgaberecht: Gem 3 FernAbsG sowie 361a BGB (neu) hat der Kufer die Mglichkeit jeden Vertragsabschlu im Fernabsatz innerhalb einer Frist von 2 Wochen zu widerrufen. Diese Frist beginnt mit dem Empfang der Lieferung. Die Kosten fr die Rcksendung trgt der Kunde sofern der Auftragswert einen Betrag von 40 EUR nicht berschreitet.Einschrnkungen zum Widerrufsrecht bzw. Rckgaberecht: Gem 3 Abs. 2.1 FernAbsG gilt dies nicht bei Fernabsatzver
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.This declaration (AGB) is based on and bound to German law so it's published in German language. The declaration in German language can be found at the end of this document.English translation: This is an automatic translation of the major points of our AGB. If you have questions on this please contact us by Email.General business conditions1. validity & generalThe following business conditions apply to all orders. The buyer acknowledges these conditions with his order.Changes or supplements to these business conditions may be encountered only in written form.The exchange and the withdrawal of software and licenses is excluded!2. offer & pricesOur offers result always subject to change and non-binding.3. deliveryThe delivery results always on danger and on costs of the customer.4. paymentWe offer different payment methods that are listed in our internet-offer.5. property reservationThe delivered software will remain to our property until it's completely payed.6. license conditionsIt is illegal to pass the licenced version to any other persons. Each license allows you to use the licenced version on a specified number of PC's. If you want to use the software on other or more computers you must purchase a additional licence. Illegal distribution of registered version will be prosecuted to the full extent of the law.Changes in any files disassembling reverse engineering patching of this program its help files is documentation its components (OCX) or dynamic link libraries (DLLs) is expressly prohibited.The full license conditions can be found in the file SetupGuide.pdf. This file is readable before the installation.7. guaranteeThe exchange and the withdrawal of software and licenses is excluded!The software is sold "as is". We give no guarantee for a specific usage of the software. We also give no guarantee for the satisfaction of needs of the customer.8. compensationCompensation claims are excluded.___________________Allgemeine Geschftsbedingungen1. Geltung & AllgemeinesDie folgenden Geschftsbedingungen gelten fr alle Bestellungen. Der Kufer erkennt diese Bedingungen mit der Auftragserteilung an.nderungen Ergnzungen und/oder Nebenabrenden zu diesen Geschftsbedingungen drfen nur schriftlich getroffen werden.Fr Privatkunden:Gesetzlich vorgeschriebene Aufklrung ber Widerrufsrecht bzw. Rckgaberecht: Gem 3 FernAbsG sowie 361a BGB (neu) hat der Kufer die Mglichkeit jeden Vertragsabschlu im Fernabsatz innerhalb einer Frist von 2 Wochen zu widerrufen. Diese Frist beginnt mit dem Empfang der Lieferung. Die Kosten fr die Rcksendung trgt der Kunde sofern der Auftragswert einen Betrag von 40 EUR nicht berschreitet.Einschrnkungen zum Widerrufsrecht bzw. Rckgaberecht: Gem 3 Abs. 2.1 FernAbsG gilt dies nicht bei Fernabsatzver
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.This declaration (AGB) is based on and bound to German law so it's published in German language. The declaration in German language can be found at the end of this document.English translation: This is an automatic translation of the major points of our AGB. If you have questions on this please contact us by Email.General business conditions1. validity & generalThe following business conditions apply to all orders. The buyer acknowledges these conditions with his order.Changes or supplements to these business conditions may be encountered only in written form.The exchange and the withdrawal of software and licenses is excluded!2. offer & pricesOur offers result always subject to change and non-binding.3. deliveryThe delivery results always on danger and on costs of the customer.4. paymentWe offer different payment methods that are listed in our internet-offer.5. property reservationThe delivered software will remain to our property until it's completely payed.6. license conditionsIt is illegal to pass the licenced version to any other persons. Each license allows you to use the licenced version on a specified number of PC's. If you want to use the software on other or more computers you must purchase a additional licence. Illegal distribution of registered version will be prosecuted to the full extent of the law.Changes in any files disassembling reverse engineering patching of this program its help files is documentation its components (OCX) or dynamic link libraries (DLLs) is expressly prohibited.The full license conditions can be found in the file SetupGuide.pdf. This file is readable before the installation.7. guaranteeThe exchange and the withdrawal of software and licenses is excluded!The software is sold "as is". We give no guarantee for a specific usage of the software. We also give no guarantee for the satisfaction of needs of the customer.8. compensationCompensation claims are excluded.___________________Allgemeine Geschftsbedingungen1. Geltung & AllgemeinesDie folgenden Geschftsbedingungen gelten fr alle Bestellungen. Der Kufer erkennt diese Bedingungen mit der Auftragserteilung an.nderungen Ergnzungen und/oder Nebenabrenden zu diesen Geschftsbedingungen drfen nur schriftlich getroffen werden.Fr Privatkunden:Gesetzlich vorgeschriebene Aufklrung ber Widerrufsrecht bzw. Rckgaberecht: Gem 3 FernAbsG sowie 361a BGB (neu) hat der Kufer die Mglichkeit jeden Vertragsabschlu im Fernabsatz innerhalb einer Frist von 2 Wochen zu widerrufen. Diese Frist beginnt mit dem Empfang der Lieferung. Die Kosten fr die Rcksendung trgt der Kunde sofern der Auftragswert einen Betrag von 40 EUR nicht berschreitet.Einschrnkungen zum Widerrufsrecht bzw. Rckgaberecht: Gem 3 Abs. 2.1 FernAbsG gilt dies nicht bei Fernabsatzver

Creates a software restore point

Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore SRInitDone

Creates license or readme file

Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\.ba1\1028\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\.ba1\1029\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\.ba1\1031\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\.ba1\1036\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\.ba1\1040\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\.ba1\1041\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\.ba1\1042\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\.ba1\1045\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\.ba1\1046\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\.ba1\1049\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\.ba1\1055\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\.ba1\2052\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\.ba1\3082\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\.ba1\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.ba1\1028\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.ba1\1029\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.ba1\1031\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.ba1\1036\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.ba1\1040\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.ba1\1041\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.ba1\1042\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.ba1\1045\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.ba1\1046\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.ba1\1049\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.ba1\1055\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.ba1\2052\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.ba1\3082\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.ba1\license.rtf

Creates a software uninstall entry

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4C1970B8-6342-436C-8E50-FC580646FF4F}

Creates a directory in C:\Program Files

Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Directory created: C:\Program Files\ActiveBarcode
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Directory created: C:\Program Files\ActiveBarcode\is-0L1SE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Directory created: C:\Program Files\ActiveBarcode\is-T9O3C.tmp
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Directory created: C:\Program Files\ActiveBarcode\is-DGE38.tmp
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Directory created: C:\Program Files\ActiveBarcode\is-RJ6KU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Directory created: C:\Program Files\ActiveBarcode\is-K1U8I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Directory created: C:\Program Files\ActiveBarcode\is-KJCIU.tmp
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Common Files\ActiveBarcode
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Common Files\ActiveBarcode\ActiveXControl
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Common Files\ActiveBarcode\ActiveXControl\ActiveBarcode.ocx

Creates install or setup log file

Source: C:\Users\user\AppData\Local\Temp\is-HNIRC.tmp\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.tmp	File created: C:\Users\user\AppData\Local\Temp\Setup Log 2023-10-24 #001.txt
Source: C:\Users\user\AppData\Local\Temp\is-U4BAJ.tmp\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.tmp	File created: C:\Users\user\AppData\Local\Temp\Setup Log 2023-10-24 #002.txt

PE / OLE file has a valid certificate

Source: ActiveBarcode-Setup6.12.0.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: ActiveBarcode-Setup6.12.0.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\SysWOW64\msiexec.exe	File opened: z:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: x:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: v:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: t:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: r:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: p:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: n:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: l:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: j:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: h:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: f:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: b:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: y:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: w:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: u:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: s:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: q:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: o:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: m:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: k:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: i:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: g:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: e:
Source: C:\Windows\System32\SrTasks.exe	File opened: c:
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: a:

Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\NULL
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\vcRuntimeAdditional_amd64
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File opened: C:\ProgramData\Package Cache\NULL
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\NULL

System Summary

Uses 32bit PE files

Source: ActiveBarcode-Setup6.12.0.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\602eb1.msi

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\602eae.msi

Tries to load missing DLLs

Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: tsappcmp.dll

Source: C:\Users\user\Desktop\ActiveBarcode-Setup6.12.0.exe

File read: C:\Users\user\Desktop\ActiveBarcode-Setup6.12.0.exe

Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\ActiveBarcode-Setup6.12.0.exe C:\Users\user\Desktop\ActiveBarcode-Setup6.12.0.exe
Source: C:\Users\user\Desktop\ActiveBarcode-Setup6.12.0.exe	Process created: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp "C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp" /SL5="$5033A,35135642,121344,C:\Users\user\Desktop\ActiveBarcode-Setup6.12.0.exe"
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe "C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe" /passive /norestart
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	Process created: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe "C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe" /passive /norestart -burn.unelevated BurnPipe.{4F78198D-CCF4-4BDA-B229-9F6ECD155586} {4F97EF20-8ED2-4EE3-ADE3-D632CD31AA0A} 6124
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe "C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe" /passive /norestart
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	Process created: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe "C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe" /passive /norestart -burn.unelevated BurnPipe.{47F62FCB-416C-4BBB-9E18-CDA7A796F212} {D21067EF-2E64-4E1B-B04F-EE78644A74D1} 4612
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	Process created: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe "C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe" /passive /norestart -burn.unelevated BurnPipe.{4F78198D-CCF4-4BDA-B229-9F6ECD155586} {4F97EF20-8ED2-4EE3-ADE3-D632CD31AA0A} 6124
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	Process created: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe "C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe" /passive /norestart -burn.unelevated BurnPipe.{47F62FCB-416C-4BBB-9E18-CDA7A796F212} {D21067EF-2E64-4E1B-B04F-EE78644A74D1} 4612
Source: unknown	Process created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
Source: C:\Windows\System32\SrTasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Process created: C:\Windows\SysWOW64\msiexec.exe "msiexec.exe" /i C:\Users\user\AppData\Local\Temp\is-483BE.tmp\ActiveBarcode.x86.msi
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
Source: C:\Windows\System32\SrTasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Process created: C:\Windows\SysWOW64\msiexec.exe "msiexec.exe" /i C:\Users\user\AppData\Local\Temp\is-483BE.tmp\ActiveBarcode.x64.msi
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3
Source: C:\Windows\System32\SrTasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Process created: C:\Program Files (x86)\ActiveBarcode\excel\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.exe "C:\Program Files (x86)\ActiveBarcode\excel\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.exe" /SILENT
Source: C:\Program Files (x86)\ActiveBarcode\excel\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.exe	Process created: C:\Users\user\AppData\Local\Temp\is-HNIRC.tmp\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.tmp "C:\Users\user\AppData\Local\Temp\is-HNIRC.tmp\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.tmp" /SL5="$A02C0,481838,121344,C:\Program Files (x86)\ActiveBarcode\excel\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.exe" /SILENT
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Process created: C:\Program Files (x86)\ActiveBarcode\word\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.exe "C:\Program Files (x86)\ActiveBarcode\word\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.exe" /SILENT
Source: C:\Program Files (x86)\ActiveBarcode\word\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.exe	Process created: C:\Users\user\AppData\Local\Temp\is-U4BAJ.tmp\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.tmp "C:\Users\user\AppData\Local\Temp\is-U4BAJ.tmp\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.tmp" /SL5="$902D2,361899,121344,C:\Program Files (x86)\ActiveBarcode\word\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.exe" /SILENT
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Process created: C:\Program Files (x86)\ActiveBarcode\powerpoint\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.exe "C:\Program Files (x86)\ActiveBarcode\powerpoint\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.exe" /SILENT
Source: C:\Program Files (x86)\ActiveBarcode\powerpoint\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.exe	Process created: C:\Users\user\AppData\Local\Temp\is-AC17U.tmp\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.tmp "C:\Users\user\AppData\Local\Temp\is-AC17U.tmp\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.tmp" /SL5="$A02CE,385517,121344,C:\Program Files (x86)\ActiveBarcode\powerpoint\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.exe" /SILENT
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe "C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe" /passive /norestart
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe "C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe" /passive /norestart
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Process created: C:\Windows\SysWOW64\msiexec.exe "msiexec.exe" /i C:\Users\user\AppData\Local\Temp\is-483BE.tmp\ActiveBarcode.x86.msi
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Process created: C:\Windows\SysWOW64\msiexec.exe "msiexec.exe" /i C:\Users\user\AppData\Local\Temp\is-483BE.tmp\ActiveBarcode.x64.msi
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3
Source: C:\Program Files (x86)\ActiveBarcode\excel\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.exe	Process created: C:\Users\user\AppData\Local\Temp\is-HNIRC.tmp\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.tmp "C:\Users\user\AppData\Local\Temp\is-HNIRC.tmp\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.tmp" /SL5="$A02C0,481838,121344,C:\Program Files (x86)\ActiveBarcode\excel\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.exe" /SILENT
Source: C:\Program Files (x86)\ActiveBarcode\word\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.exe	Process created: C:\Users\user\AppData\Local\Temp\is-U4BAJ.tmp\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.tmp "C:\Users\user\AppData\Local\Temp\is-U4BAJ.tmp\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.tmp" /SL5="$902D2,361899,121344,C:\Program Files (x86)\ActiveBarcode\word\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.exe" /SILENT
Source: C:\Users\user\Desktop\ActiveBarcode-Setup6.12.0.exe	Process created: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp "C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp" /SL5="$5033A,35135642,121344,C:\Users\user\Desktop\ActiveBarcode-Setup6.12.0.exe"
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Process created: C:\Program Files (x86)\ActiveBarcode\excel\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.exe "C:\Program Files (x86)\ActiveBarcode\excel\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.exe" /SILENT
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Process created: C:\Program Files (x86)\ActiveBarcode\word\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.exe "C:\Program Files (x86)\ActiveBarcode\word\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.exe" /SILENT
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Process created: C:\Program Files (x86)\ActiveBarcode\powerpoint\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.exe "C:\Program Files (x86)\ActiveBarcode\powerpoint\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.exe" /SILENT
Source: C:\Program Files (x86)\ActiveBarcode\powerpoint\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.exe	Process created: C:\Users\user\AppData\Local\Temp\is-AC17U.tmp\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.tmp "C:\Users\user\AppData\Local\Temp\is-AC17U.tmp\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.tmp" /SL5="$A02CE,385517,121344,C:\Program Files (x86)\ActiveBarcode\powerpoint\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.exe" /SILENT

Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp

File created: C:\Users\user\AppData\Local\Programs

Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp

File created: C:\Users\user\AppData\Local\Temp\is-483BE.tmp

Source: classification engine

Classification label: clean4.winEXE@36/148@0/0

Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe

File read: C:\Windows\win.ini

Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\ActiveBarcode\excel\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-HNIRC.tmp\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\ActiveBarcode\word\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-U4BAJ.tmp\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\ActiveBarcode\powerpoint\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-AC17U.tmp\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.tmp	Key opened: Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\ActiveBarcode-Setup6.12.0.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4864:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5552:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\Common Files\ActiveBarcode

Source: Yara match	File source: C:\Program Files (x86)\ActiveBarcode\is-ISS3T.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ActiveBarcode\is-LA3N5.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ActiveBarcode\is-ISS3T.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ActiveBarcode\is-LA3N5.tmp, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Reads the Windows registered owner settings

Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Executable creates window controls seldom found in malware

Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp

Window found: window name: TSelectLanguageForm

Uses Rich Edit Controls

Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Found installer window with terms and condition text

Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.This declaration (AGB) is based on and bound to German law so it's published in German language. The declaration in German language can be found at the end of this document.English translation: This is an automatic translation of the major points of our AGB. If you have questions on this please contact us by Email.General business conditions1. validity & generalThe following business conditions apply to all orders. The buyer acknowledges these conditions with his order.Changes or supplements to these business conditions may be encountered only in written form.The exchange and the withdrawal of software and licenses is excluded!2. offer & pricesOur offers result always subject to change and non-binding.3. deliveryThe delivery results always on danger and on costs of the customer.4. paymentWe offer different payment methods that are listed in our internet-offer.5. property reservationThe delivered software will remain to our property until it's completely payed.6. license conditionsIt is illegal to pass the licenced version to any other persons. Each license allows you to use the licenced version on a specified number of PC's. If you want to use the software on other or more computers you must purchase a additional licence. Illegal distribution of registered version will be prosecuted to the full extent of the law.Changes in any files disassembling reverse engineering patching of this program its help files is documentation its components (OCX) or dynamic link libraries (DLLs) is expressly prohibited.The full license conditions can be found in the file SetupGuide.pdf. This file is readable before the installation.7. guaranteeThe exchange and the withdrawal of software and licenses is excluded!The software is sold "as is". We give no guarantee for a specific usage of the software. We also give no guarantee for the satisfaction of needs of the customer.8. compensationCompensation claims are excluded.___________________Allgemeine Geschftsbedingungen1. Geltung & AllgemeinesDie folgenden Geschftsbedingungen gelten fr alle Bestellungen. Der Kufer erkennt diese Bedingungen mit der Auftragserteilung an.nderungen Ergnzungen und/oder Nebenabrenden zu diesen Geschftsbedingungen drfen nur schriftlich getroffen werden.Fr Privatkunden:Gesetzlich vorgeschriebene Aufklrung ber Widerrufsrecht bzw. Rckgaberecht: Gem 3 FernAbsG sowie 361a BGB (neu) hat der Kufer die Mglichkeit jeden Vertragsabschlu im Fernabsatz innerhalb einer Frist von 2 Wochen zu widerrufen. Diese Frist beginnt mit dem Empfang der Lieferung. Die Kosten fr die Rcksendung trgt der Kunde sofern der Auftragswert einen Betrag von 40 EUR nicht berschreitet.Einschrnkungen zum Widerrufsrecht bzw. Rckgaberecht: Gem 3 Abs. 2.1 FernAbsG gilt dies nicht bei Fernabsatzver
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.This declaration (AGB) is based on and bound to German law so it's published in German language. The declaration in German language can be found at the end of this document.English translation: This is an automatic translation of the major points of our AGB. If you have questions on this please contact us by Email.General business conditions1. validity & generalThe following business conditions apply to all orders. The buyer acknowledges these conditions with his order.Changes or supplements to these business conditions may be encountered only in written form.The exchange and the withdrawal of software and licenses is excluded!2. offer & pricesOur offers result always subject to change and non-binding.3. deliveryThe delivery results always on danger and on costs of the customer.4. paymentWe offer different payment methods that are listed in our internet-offer.5. property reservationThe delivered software will remain to our property until it's completely payed.6. license conditionsIt is illegal to pass the licenced version to any other persons. Each license allows you to use the licenced version on a specified number of PC's. If you want to use the software on other or more computers you must purchase a additional licence. Illegal distribution of registered version will be prosecuted to the full extent of the law.Changes in any files disassembling reverse engineering patching of this program its help files is documentation its components (OCX) or dynamic link libraries (DLLs) is expressly prohibited.The full license conditions can be found in the file SetupGuide.pdf. This file is readable before the installation.7. guaranteeThe exchange and the withdrawal of software and licenses is excluded!The software is sold "as is". We give no guarantee for a specific usage of the software. We also give no guarantee for the satisfaction of needs of the customer.8. compensationCompensation claims are excluded.___________________Allgemeine Geschftsbedingungen1. Geltung & AllgemeinesDie folgenden Geschftsbedingungen gelten fr alle Bestellungen. Der Kufer erkennt diese Bedingungen mit der Auftragserteilung an.nderungen Ergnzungen und/oder Nebenabrenden zu diesen Geschftsbedingungen drfen nur schriftlich getroffen werden.Fr Privatkunden:Gesetzlich vorgeschriebene Aufklrung ber Widerrufsrecht bzw. Rckgaberecht: Gem 3 FernAbsG sowie 361a BGB (neu) hat der Kufer die Mglichkeit jeden Vertragsabschlu im Fernabsatz innerhalb einer Frist von 2 Wochen zu widerrufen. Diese Frist beginnt mit dem Empfang der Lieferung. Die Kosten fr die Rcksendung trgt der Kunde sofern der Auftragswert einen Betrag von 40 EUR nicht berschreitet.Einschrnkungen zum Widerrufsrecht bzw. Rckgaberecht: Gem 3 Abs. 2.1 FernAbsG gilt dies nicht bei Fernabsatzver
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.This declaration (AGB) is based on and bound to German law so it's published in German language. The declaration in German language can be found at the end of this document.English translation: This is an automatic translation of the major points of our AGB. If you have questions on this please contact us by Email.General business conditions1. validity & generalThe following business conditions apply to all orders. The buyer acknowledges these conditions with his order.Changes or supplements to these business conditions may be encountered only in written form.The exchange and the withdrawal of software and licenses is excluded!2. offer & pricesOur offers result always subject to change and non-binding.3. deliveryThe delivery results always on danger and on costs of the customer.4. paymentWe offer different payment methods that are listed in our internet-offer.5. property reservationThe delivered software will remain to our property until it's completely payed.6. license conditionsIt is illegal to pass the licenced version to any other persons. Each license allows you to use the licenced version on a specified number of PC's. If you want to use the software on other or more computers you must purchase a additional licence. Illegal distribution of registered version will be prosecuted to the full extent of the law.Changes in any files disassembling reverse engineering patching of this program its help files is documentation its components (OCX) or dynamic link libraries (DLLs) is expressly prohibited.The full license conditions can be found in the file SetupGuide.pdf. This file is readable before the installation.7. guaranteeThe exchange and the withdrawal of software and licenses is excluded!The software is sold "as is". We give no guarantee for a specific usage of the software. We also give no guarantee for the satisfaction of needs of the customer.8. compensationCompensation claims are excluded.___________________Allgemeine Geschftsbedingungen1. Geltung & AllgemeinesDie folgenden Geschftsbedingungen gelten fr alle Bestellungen. Der Kufer erkennt diese Bedingungen mit der Auftragserteilung an.nderungen Ergnzungen und/oder Nebenabrenden zu diesen Geschftsbedingungen drfen nur schriftlich getroffen werden.Fr Privatkunden:Gesetzlich vorgeschriebene Aufklrung ber Widerrufsrecht bzw. Rckgaberecht: Gem 3 FernAbsG sowie 361a BGB (neu) hat der Kufer die Mglichkeit jeden Vertragsabschlu im Fernabsatz innerhalb einer Frist von 2 Wochen zu widerrufen. Diese Frist beginnt mit dem Empfang der Lieferung. Die Kosten fr die Rcksendung trgt der Kunde sofern der Auftragswert einen Betrag von 40 EUR nicht berschreitet.Einschrnkungen zum Widerrufsrecht bzw. Rckgaberecht: Gem 3 Abs. 2.1 FernAbsG gilt dies nicht bei Fernabsatzver
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.This declaration (AGB) is based on and bound to German law so it's published in German language. The declaration in German language can be found at the end of this document.English translation: This is an automatic translation of the major points of our AGB. If you have questions on this please contact us by Email.General business conditions1. validity & generalThe following business conditions apply to all orders. The buyer acknowledges these conditions with his order.Changes or supplements to these business conditions may be encountered only in written form.The exchange and the withdrawal of software and licenses is excluded!2. offer & pricesOur offers result always subject to change and non-binding.3. deliveryThe delivery results always on danger and on costs of the customer.4. paymentWe offer different payment methods that are listed in our internet-offer.5. property reservationThe delivered software will remain to our property until it's completely payed.6. license conditionsIt is illegal to pass the licenced version to any other persons. Each license allows you to use the licenced version on a specified number of PC's. If you want to use the software on other or more computers you must purchase a additional licence. Illegal distribution of registered version will be prosecuted to the full extent of the law.Changes in any files disassembling reverse engineering patching of this program its help files is documentation its components (OCX) or dynamic link libraries (DLLs) is expressly prohibited.The full license conditions can be found in the file SetupGuide.pdf. This file is readable before the installation.7. guaranteeThe exchange and the withdrawal of software and licenses is excluded!The software is sold "as is". We give no guarantee for a specific usage of the software. We also give no guarantee for the satisfaction of needs of the customer.8. compensationCompensation claims are excluded.___________________Allgemeine Geschftsbedingungen1. Geltung & AllgemeinesDie folgenden Geschftsbedingungen gelten fr alle Bestellungen. Der Kufer erkennt diese Bedingungen mit der Auftragserteilung an.nderungen Ergnzungen und/oder Nebenabrenden zu diesen Geschftsbedingungen drfen nur schriftlich getroffen werden.Fr Privatkunden:Gesetzlich vorgeschriebene Aufklrung ber Widerrufsrecht bzw. Rckgaberecht: Gem 3 FernAbsG sowie 361a BGB (neu) hat der Kufer die Mglichkeit jeden Vertragsabschlu im Fernabsatz innerhalb einer Frist von 2 Wochen zu widerrufen. Diese Frist beginnt mit dem Empfang der Lieferung. Die Kosten fr die Rcksendung trgt der Kunde sofern der Auftragswert einen Betrag von 40 EUR nicht berschreitet.Einschrnkungen zum Widerrufsrecht bzw. Rckgaberecht: Gem 3 Abs. 2.1 FernAbsG gilt dies nicht bei Fernabsatzver
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.This declaration (AGB) is based on and bound to German law so it's published in German language. The declaration in German language can be found at the end of this document.English translation: This is an automatic translation of the major points of our AGB. If you have questions on this please contact us by Email.General business conditions1. validity & generalThe following business conditions apply to all orders. The buyer acknowledges these conditions with his order.Changes or supplements to these business conditions may be encountered only in written form.The exchange and the withdrawal of software and licenses is excluded!2. offer & pricesOur offers result always subject to change and non-binding.3. deliveryThe delivery results always on danger and on costs of the customer.4. paymentWe offer different payment methods that are listed in our internet-offer.5. property reservationThe delivered software will remain to our property until it's completely payed.6. license conditionsIt is illegal to pass the licenced version to any other persons. Each license allows you to use the licenced version on a specified number of PC's. If you want to use the software on other or more computers you must purchase a additional licence. Illegal distribution of registered version will be prosecuted to the full extent of the law.Changes in any files disassembling reverse engineering patching of this program its help files is documentation its components (OCX) or dynamic link libraries (DLLs) is expressly prohibited.The full license conditions can be found in the file SetupGuide.pdf. This file is readable before the installation.7. guaranteeThe exchange and the withdrawal of software and licenses is excluded!The software is sold "as is". We give no guarantee for a specific usage of the software. We also give no guarantee for the satisfaction of needs of the customer.8. compensationCompensation claims are excluded.___________________Allgemeine Geschftsbedingungen1. Geltung & AllgemeinesDie folgenden Geschftsbedingungen gelten fr alle Bestellungen. Der Kufer erkennt diese Bedingungen mit der Auftragserteilung an.nderungen Ergnzungen und/oder Nebenabrenden zu diesen Geschftsbedingungen drfen nur schriftlich getroffen werden.Fr Privatkunden:Gesetzlich vorgeschriebene Aufklrung ber Widerrufsrecht bzw. Rckgaberecht: Gem 3 FernAbsG sowie 361a BGB (neu) hat der Kufer die Mglichkeit jeden Vertragsabschlu im Fernabsatz innerhalb einer Frist von 2 Wochen zu widerrufen. Diese Frist beginnt mit dem Empfang der Lieferung. Die Kosten fr die Rcksendung trgt der Kunde sofern der Auftragswert einen Betrag von 40 EUR nicht berschreitet.Einschrnkungen zum Widerrufsrecht bzw. Rckgaberecht: Gem 3 Abs. 2.1 FernAbsG gilt dies nicht bei Fernabsatzver
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.This declaration (AGB) is based on and bound to German law so it's published in German language. The declaration in German language can be found at the end of this document.English translation: This is an automatic translation of the major points of our AGB. If you have questions on this please contact us by Email.General business conditions1. validity & generalThe following business conditions apply to all orders. The buyer acknowledges these conditions with his order.Changes or supplements to these business conditions may be encountered only in written form.The exchange and the withdrawal of software and licenses is excluded!2. offer & pricesOur offers result always subject to change and non-binding.3. deliveryThe delivery results always on danger and on costs of the customer.4. paymentWe offer different payment methods that are listed in our internet-offer.5. property reservationThe delivered software will remain to our property until it's completely payed.6. license conditionsIt is illegal to pass the licenced version to any other persons. Each license allows you to use the licenced version on a specified number of PC's. If you want to use the software on other or more computers you must purchase a additional licence. Illegal distribution of registered version will be prosecuted to the full extent of the law.Changes in any files disassembling reverse engineering patching of this program its help files is documentation its components (OCX) or dynamic link libraries (DLLs) is expressly prohibited.The full license conditions can be found in the file SetupGuide.pdf. This file is readable before the installation.7. guaranteeThe exchange and the withdrawal of software and licenses is excluded!The software is sold "as is". We give no guarantee for a specific usage of the software. We also give no guarantee for the satisfaction of needs of the customer.8. compensationCompensation claims are excluded.___________________Allgemeine Geschftsbedingungen1. Geltung & AllgemeinesDie folgenden Geschftsbedingungen gelten fr alle Bestellungen. Der Kufer erkennt diese Bedingungen mit der Auftragserteilung an.nderungen Ergnzungen und/oder Nebenabrenden zu diesen Geschftsbedingungen drfen nur schriftlich getroffen werden.Fr Privatkunden:Gesetzlich vorgeschriebene Aufklrung ber Widerrufsrecht bzw. Rckgaberecht: Gem 3 FernAbsG sowie 361a BGB (neu) hat der Kufer die Mglichkeit jeden Vertragsabschlu im Fernabsatz innerhalb einer Frist von 2 Wochen zu widerrufen. Diese Frist beginnt mit dem Empfang der Lieferung. Die Kosten fr die Rcksendung trgt der Kunde sofern der Auftragswert einen Betrag von 40 EUR nicht berschreitet.Einschrnkungen zum Widerrufsrecht bzw. Rckgaberecht: Gem 3 Abs. 2.1 FernAbsG gilt dies nicht bei Fernabsatzver
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.This declaration (AGB) is based on and bound to German law so it's published in German language. The declaration in German language can be found at the end of this document.English translation: This is an automatic translation of the major points of our AGB. If you have questions on this please contact us by Email.General business conditions1. validity & generalThe following business conditions apply to all orders. The buyer acknowledges these conditions with his order.Changes or supplements to these business conditions may be encountered only in written form.The exchange and the withdrawal of software and licenses is excluded!2. offer & pricesOur offers result always subject to change and non-binding.3. deliveryThe delivery results always on danger and on costs of the customer.4. paymentWe offer different payment methods that are listed in our internet-offer.5. property reservationThe delivered software will remain to our property until it's completely payed.6. license conditionsIt is illegal to pass the licenced version to any other persons. Each license allows you to use the licenced version on a specified number of PC's. If you want to use the software on other or more computers you must purchase a additional licence. Illegal distribution of registered version will be prosecuted to the full extent of the law.Changes in any files disassembling reverse engineering patching of this program its help files is documentation its components (OCX) or dynamic link libraries (DLLs) is expressly prohibited.The full license conditions can be found in the file SetupGuide.pdf. This file is readable before the installation.7. guaranteeThe exchange and the withdrawal of software and licenses is excluded!The software is sold "as is". We give no guarantee for a specific usage of the software. We also give no guarantee for the satisfaction of needs of the customer.8. compensationCompensation claims are excluded.___________________Allgemeine Geschftsbedingungen1. Geltung & AllgemeinesDie folgenden Geschftsbedingungen gelten fr alle Bestellungen. Der Kufer erkennt diese Bedingungen mit der Auftragserteilung an.nderungen Ergnzungen und/oder Nebenabrenden zu diesen Geschftsbedingungen drfen nur schriftlich getroffen werden.Fr Privatkunden:Gesetzlich vorgeschriebene Aufklrung ber Widerrufsrecht bzw. Rckgaberecht: Gem 3 FernAbsG sowie 361a BGB (neu) hat der Kufer die Mglichkeit jeden Vertragsabschlu im Fernabsatz innerhalb einer Frist von 2 Wochen zu widerrufen. Diese Frist beginnt mit dem Empfang der Lieferung. Die Kosten fr die Rcksendung trgt der Kunde sofern der Auftragswert einen Betrag von 40 EUR nicht berschreitet.Einschrnkungen zum Widerrufsrecht bzw. Rckgaberecht: Gem 3 Abs. 2.1 FernAbsG gilt dies nicht bei Fernabsatzver
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Window detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.This declaration (AGB) is based on and bound to German law so it's published in German language. The declaration in German language can be found at the end of this document.English translation: This is an automatic translation of the major points of our AGB. If you have questions on this please contact us by Email.General business conditions1. validity & generalThe following business conditions apply to all orders. The buyer acknowledges these conditions with his order.Changes or supplements to these business conditions may be encountered only in written form.The exchange and the withdrawal of software and licenses is excluded!2. offer & pricesOur offers result always subject to change and non-binding.3. deliveryThe delivery results always on danger and on costs of the customer.4. paymentWe offer different payment methods that are listed in our internet-offer.5. property reservationThe delivered software will remain to our property until it's completely payed.6. license conditionsIt is illegal to pass the licenced version to any other persons. Each license allows you to use the licenced version on a specified number of PC's. If you want to use the software on other or more computers you must purchase a additional licence. Illegal distribution of registered version will be prosecuted to the full extent of the law.Changes in any files disassembling reverse engineering patching of this program its help files is documentation its components (OCX) or dynamic link libraries (DLLs) is expressly prohibited.The full license conditions can be found in the file SetupGuide.pdf. This file is readable before the installation.7. guaranteeThe exchange and the withdrawal of software and licenses is excluded!The software is sold "as is". We give no guarantee for a specific usage of the software. We also give no guarantee for the satisfaction of needs of the customer.8. compensationCompensation claims are excluded.___________________Allgemeine Geschftsbedingungen1. Geltung & AllgemeinesDie folgenden Geschftsbedingungen gelten fr alle Bestellungen. Der Kufer erkennt diese Bedingungen mit der Auftragserteilung an.nderungen Ergnzungen und/oder Nebenabrenden zu diesen Geschftsbedingungen drfen nur schriftlich getroffen werden.Fr Privatkunden:Gesetzlich vorgeschriebene Aufklrung ber Widerrufsrecht bzw. Rckgaberecht: Gem 3 FernAbsG sowie 361a BGB (neu) hat der Kufer die Mglichkeit jeden Vertragsabschlu im Fernabsatz innerhalb einer Frist von 2 Wochen zu widerrufen. Diese Frist beginnt mit dem Empfang der Lieferung. Die Kosten fr die Rcksendung trgt der Kunde sofern der Auftragswert einen Betrag von 40 EUR nicht berschreitet.Einschrnkungen zum Widerrufsrecht bzw. Rckgaberecht: Gem 3 Abs. 2.1 FernAbsG gilt dies nicht bei Fernabsatzver

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Found window with many clickable UI elements (buttons, textforms, scrollbars etc)

Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	Window detected: Number of UI elements: 19
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	Window detected: Number of UI elements: 19

Checks if Microsoft Office is installed

Source: C:\Users\user\AppData\Local\Temp\is-HNIRC.tmp\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.tmp

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Options

Creates a software uninstall entry

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4C1970B8-6342-436C-8E50-FC580646FF4F}

Submission file is bigger than most known malware samples

Source: ActiveBarcode-Setup6.12.0.exe

Static file information: File size 35679808 > 1048576

Creates a directory in C:\Program Files

Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Directory created: C:\Program Files\ActiveBarcode
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Directory created: C:\Program Files\ActiveBarcode\is-0L1SE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Directory created: C:\Program Files\ActiveBarcode\is-T9O3C.tmp
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Directory created: C:\Program Files\ActiveBarcode\is-DGE38.tmp
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Directory created: C:\Program Files\ActiveBarcode\is-RJ6KU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Directory created: C:\Program Files\ActiveBarcode\is-K1U8I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Directory created: C:\Program Files\ActiveBarcode\is-KJCIU.tmp
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Common Files\ActiveBarcode
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Common Files\ActiveBarcode\ActiveXControl
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Common Files\ActiveBarcode\ActiveXControl\ActiveBarcode.ocx

PE / OLE file has a valid certificate

Source: ActiveBarcode-Setup6.12.0.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: ActiveBarcode-Setup6.12.0.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Persistence and Installation Behavior

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe

File created: C:\ProgramData\Package Cache\{e2803110-78b3-4664-a479-3611a381656a}\VC_redist.x86.exe (copy)

Jump to dropped file

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140esn.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140ita.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	File created: C:\Program Files\ActiveBarcode\is-T9O3C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140deu.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 602eb7.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\vcamp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\47CA2FBBC0273BC32819E543302923AF\14.0.24215\concrt140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\47CA2FBBC0273BC32819E543302923AF\14.0.24215\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	File created: C:\Program Files (x86)\ActiveBarcode\is-LA3N5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140jpn.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140chs.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	File created: C:\Program Files (x86)\ActiveBarcode\powerpoint\is-HS3IL.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfcm140u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HNIRC.tmp\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\AddIns\ActiveBarcode Add-In for Excel\uninstall\is-AQF0S.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U4BAJ.tmp\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Word\STARTUP\ActiveBarcode Add-In for Word\uninstall\is-E0H0B.tmp	Jump to dropped file
Source: C:\Program Files (x86)\ActiveBarcode\powerpoint\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.exe	File created: C:\Users\user\AppData\Local\Temp\is-AC17U.tmp\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	File created: C:\Program Files (x86)\ActiveBarcode\excel\is-VCKIU.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 602eb8.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Common Files\ActiveBarcode\ActiveXControl\ActiveBarcode.ocx	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Common Files\ActiveBarcode\ActiveXControl\ActiveBarcode.ocx	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.ba1\wixstdba.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140u.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140kor.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\47CA2FBBC0273BC32819E543302923AF\14.0.24215\vccorlib140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\47CA2FBBC0273BC32819E543302923AF\14.0.24215\vcomp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ActiveBarcode-Setup6.12.0.exe	File created: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140fra.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 602eb5.rbf (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	File created: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	File created: C:\Program Files (x86)\ActiveBarcode\word\is-DFBD6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	File created: C:\Program Files\ActiveBarcode\is-KJCIU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File created: C:\ProgramData\Package Cache\{e2803110-78b3-4664-a479-3611a381656a}\VC_redist.x86.exe (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140enu.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140rus.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 602eb6.rbf (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	File created: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.be\VC_redist.x86.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140cht.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\47CA2FBBC0273BC32819E543302923AF\14.0.24215\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfcm140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	File created: C:\Program Files (x86)\ActiveBarcode\is-ISS3T.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	File created: (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	File created: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140esn.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140ita.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140fra.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140deu.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\vcamp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\47CA2FBBC0273BC32819E543302923AF\14.0.24215\concrt140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\47CA2FBBC0273BC32819E543302923AF\14.0.24215\msvcp140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140jpn.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140chs.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfcm140u.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140enu.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140rus.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140cht.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140u.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\47CA2FBBC0273BC32819E543302923AF\14.0.24215\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfcm140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\mfc140kor.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\47CA2FBBC0273BC32819E543302923AF\14.0.24215\vccorlib140.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\47CA2FBBC0273BC32819E543302923AF\14.0.24215\vcomp140.dll	Jump to dropped file

Creates license or readme file

Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\.ba1\1028\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\.ba1\1029\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\.ba1\1031\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\.ba1\1036\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\.ba1\1040\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\.ba1\1041\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\.ba1\1042\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\.ba1\1045\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\.ba1\1046\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\.ba1\1049\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\.ba1\1055\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\.ba1\2052\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\.ba1\3082\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	File created: C:\Users\user\AppData\Local\Temp\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\.ba1\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.ba1\1028\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.ba1\1029\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.ba1\1031\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.ba1\1036\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.ba1\1040\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.ba1\1041\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.ba1\1042\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.ba1\1045\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.ba1\1046\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.ba1\1049\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.ba1\1055\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.ba1\2052\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.ba1\3082\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File created: C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.ba1\license.rtf

Creates install or setup log file

Source: C:\Users\user\AppData\Local\Temp\is-HNIRC.tmp\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.tmp	File created: C:\Users\user\AppData\Local\Temp\Setup Log 2023-10-24 #001.txt
Source: C:\Users\user\AppData\Local\Temp\is-U4BAJ.tmp\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.tmp	File created: C:\Users\user\AppData\Local\Temp\Setup Log 2023-10-24 #002.txt

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ActiveBarcode
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ActiveBarcode\ActiveBarcode Generator.lnk
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ActiveBarcode\ActiveBarcode CLI.lnk

Modifies existing windows services

Source: C:\Windows\System32\SrTasks.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP

Creates or modifies windows services

Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ActiveBarcode\excel\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HNIRC.tmp\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HNIRC.tmp\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HNIRC.tmp\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HNIRC.tmp\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HNIRC.tmp\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HNIRC.tmp\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HNIRC.tmp\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-HNIRC.tmp\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ActiveBarcode\word\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U4BAJ.tmp\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U4BAJ.tmp\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U4BAJ.tmp\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U4BAJ.tmp\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U4BAJ.tmp\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U4BAJ.tmp\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U4BAJ.tmp\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U4BAJ.tmp\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ActiveBarcode\powerpoint\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-AC17U.tmp\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-AC17U.tmp\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-AC17U.tmp\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-AC17U.tmp\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-AC17U.tmp\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ActiveBarcode-Setup6.12.0.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-AC17U.tmp\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-AC17U.tmp\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-AC17U.tmp\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\SrTasks.exe TID: 3764	Thread sleep time: -130000s >= -30000s
Source: C:\Windows\System32\SrTasks.exe TID: 5596	Thread sleep time: -300000s >= -30000s
Source: C:\Windows\System32\SrTasks.exe TID: 4988	Thread sleep time: -80000s >= -30000s

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140esn.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140ita.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Dropped PE file which has not been started: C:\Program Files\ActiveBarcode\is-T9O3C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140deu.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 602eb7.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\vcamp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ActiveBarcode\is-LA3N5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140jpn.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140chs.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 602eb8.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Common Files\ActiveBarcode\ActiveXControl\ActiveBarcode.ocx	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Common Files\ActiveBarcode\ActiveXControl\ActiveBarcode.ocx	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140kor.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140fra.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 602eb5.rbf (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Dropped PE file which has not been started: C:\Program Files\ActiveBarcode\is-KJCIU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	Dropped PE file which has not been started: C:\ProgramData\Package Cache\{e2803110-78b3-4664-a479-3611a381656a}\VC_redist.x86.exe (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140enu.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140rus.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 602eb6.rbf (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.be\VC_redist.x86.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\mfc140cht.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\ActiveBarcode\is-ISS3T.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Dropped PE file which has not been started: (copy)	Jump to dropped file

Queries keyboard layouts

Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\AppData\Local\Temp\is-HNIRC.tmp\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-HNIRC.tmp\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\AppData\Local\Temp\is-U4BAJ.tmp\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-U4BAJ.tmp\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\AppData\Local\Temp\is-AC17U.tmp\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.tmp	Key opened: System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\AppData\Local\Temp\is-AC17U.tmp\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.tmp	Key opened: System\CurrentControlSet\Control\Keyboard Layouts\04070809

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File Volume queried: C:\Windows FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\NULL
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\vcRuntimeAdditional_amd64
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File opened: C:\ProgramData\Package Cache\NULL
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\NULL

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\.ba1\logo.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.ba1\logo.png VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\SrTasks.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Adds / modifies Windows certificates

Source: C:\Windows\SysWOW64\msiexec.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	Windows Management Instrumentation	21 Windows Service	21 Windows Service	23 Masquerading	OS Credential Dumping	1 Virtualization/Sandbox Evasion	1 Replication Through Removable Media	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	Security Account Manager	11 Peripheral Device Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 DLL Side-Loading	1 Process Injection	NTDS	2 System Owner/User Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 File Deletion	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Source	Detection	Scanner	Label	Link
ActiveBarcode-Setup6.12.0.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-483BE.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x64.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-483BE.tmp\vc_redist.x86.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.ba1\wixstdba.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{e2803110-78b3-4664-a479-3611a381656a}\.be\VC_redist.x86.exe	0%	ReversingLabs
602eb5.rbf (copy)	0%	ReversingLabs
602eb6.rbf (copy)	0%	ReversingLabs
602eb7.rbf (copy)	0%	ReversingLabs
602eb8.rbf (copy)	0%	ReversingLabs
C:\Windows\Installer\$PatchCache$\Managed\47CA2FBBC0273BC32819E543302923AF\14.0.24215\concrt140.dll	0%	ReversingLabs
C:\Windows\Installer\$PatchCache$\Managed\47CA2FBBC0273BC32819E543302923AF\14.0.24215\msvcp140.dll	0%	ReversingLabs
C:\Windows\Installer\$PatchCache$\Managed\47CA2FBBC0273BC32819E543302923AF\14.0.24215\vccorlib140.dll	0%	ReversingLabs
C:\Windows\Installer\$PatchCache$\Managed\47CA2FBBC0273BC32819E543302923AF\14.0.24215\vcomp140.dll	0%	ReversingLabs
C:\Windows\Installer\$PatchCache$\Managed\47CA2FBBC0273BC32819E543302923AF\14.0.24215\vcruntime140.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140chs.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140cht.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140deu.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140enu.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140esn.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140fra.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140ita.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140jpn.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140kor.dll	0%	ReversingLabs
C:\Windows\SysWOW64\mfc140rus.dll	0%	ReversingLabs
C:\Windows\SysWOW64\vcamp140.dll	0%	ReversingLabs
C:\Program Files (x86)\Common Files\ActiveBarcode\ActiveXControl\ActiveBarcode.ocx	0%	ReversingLabs
(copy)	0%	ReversingLabs
C:\Program Files (x86)\ActiveBarcode\excel\is-VCKIU.tmp	2%	ReversingLabs
C:\Program Files (x86)\ActiveBarcode\is-ISS3T.tmp	0%	ReversingLabs
C:\Program Files (x86)\ActiveBarcode\powerpoint\is-HS3IL.tmp	2%	ReversingLabs
C:\Program Files (x86)\ActiveBarcode\word\is-DFBD6.tmp	2%	ReversingLabs
C:\Program Files\ActiveBarcode\is-KJCIU.tmp	0%	ReversingLabs
C:\Program Files\ActiveBarcode\is-T9O3C.tmp	0%	ReversingLabs
C:\Program Files\Common Files\ActiveBarcode\ActiveXControl\ActiveBarcode.ocx	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-AC17U.tmp\ActiveBarcode-Add-In-for-PowerPoint-Setup-1.1.0.tmp	3%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\AddIns\ActiveBarcode Add-In for Excel\uninstall\is-AQF0S.tmp	3%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Word\STARTUP\ActiveBarcode Add-In for Word\uninstall\is-E0H0B.tmp	2%	ReversingLabs

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1331375
Start date and time:	2023-10-24 17:35:28 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample file name:	ActiveBarcode-Setup6.12.0.exe
Detection:	CLEAN
Classification:	clean4.winEXE@36/148@0/0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 13.107.21.200, 204.79.197.200
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtFsControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: ActiveBarcode-Setup6.12.0.exe

Process:	C:\Users\user\AppData\Local\Temp\is-8F63M.tmp\ActiveBarcode-Setup6.12.0.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4044112
Entropy (8bit):	6.5243169651197475
Encrypted:	false
SSDEEP:
MD5:	718AA87232EBF8E8C0C57791270BDEE7
SHA1:	78F3ED73EB8B0804D2191CC7FA59D098E4E4D815
SHA-256:	BB5F3C7F8305B8A8086A025F86E3EC3D82D8935AFC1A18CBBF75A64C89D688F2
SHA-512:	6B68FA54E7E24A557684EB619C4F80D0483AD28EB1DB256E0DC577C3766D81B25850FC2DAFA8B2A7E7E6BB194A58B9D2572F99646587406FA193E0D61910E8F7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....1.a..................0.........T.0.......0...@..........................`>......:>..........@...................P2.......2..4....6...............=.P)....2..............................p2.....................L.2.4....@2......................text...T.0.......0................. ..`.itext...*....0..,....0............. ..`.data.........0.......0.............@....bss.....l....1..........................idata...4....2..6...\|1.............@....didata......@2.......1.............@....edata.......P2.......1.............@..@.tls....T....`2..........................rdata..]....p2.......1.............@..@.reloc........2.......1.............@..B.rsrc.........6.......5.............@..@.............`>.......=.............@..@................

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4705072
Entropy (8bit):	7.05735073619111
Encrypted:	false
SSDEEP:
MD5:	9A145819FEB9B159176FB95368BCD0BE
SHA1:	3728A89D10062B3701435638B1F01F138C5DC0F2
SHA-256:	3262782C80CEF7EF2CC23FFBE5D12F312736198D2F81F70DE1AA5F346D652DEB
SHA-512:	53B3D388C4D51D7CCA4F6E3C1F319372C1D78288CDA9EEDC6DAF25CBE9B4E17E3C29DF816F4724A8B16689C0A6E0AA925D517BC6EE0450B13AE4FC12F876B78E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......OZ;,.;U..;U..;U.....;U.....;U.....;U.....;U..C...;U.0eT~.;U.0eV~.;U.0eQ~.;U.0eP~.;U.....;U..;T..?U.0e\~.:U.0eU~.;U.0e...;U.0eW~.;U.Rich.;U.........................PE..L...q.W.........."!......-......... .).......-..............................0H.....F.H...@A........................ .-..............p/...............G.0?....E.....0~..8...................h~..........@.....................,......................text.....-.......-................. ..`.data.........-.......-.............@....idata...T.......V..................@..@.didat.......P/.....................@....tls.........`/.....................@....rsrc........p/.....................@..@.reloc........E......tD.............@..B................................................................................................................................................................................

Process:	C:\Users\user\AppData\Local\Temp\is-HNIRC.tmp\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.tmp
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	6664
Entropy (8bit):	5.2304022166063024
Encrypted:	false
SSDEEP:
MD5:	54433551DF53E2CB107702C7AB6D21B1
SHA1:	EBE6E60BB6BE746A86569120C218760A3112D24F
SHA-256:	314C2B312238A67004E82EA8FA76D8669D87680FA1D5C04187137CB884407424
SHA-512:	F65373AB1231B3970B6458A15A88347100FB18E79C64A28BAE67FFD9EBFF54040AD3A5DDBED491106E86E049F13823524C737D0BE9FC991EA8E2EB841D8CA6FD
Malicious:	false
Reputation:	low
Preview:	.2023-10-24 17:37:39.097 Log opened. (Time zone: UTC+02:00)..2023-10-24 17:37:39.097 Setup version: Inno Setup version 5.6.1 (u)..2023-10-24 17:37:39.097 Original Setup EXE: C:\Program Files (x86)\ActiveBarcode\excel\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.exe..2023-10-24 17:37:39.097 Setup command line: /SL5="$A02C0,481838,121344,C:\Program Files (x86)\ActiveBarcode\excel\ActiveBarcode-Add-In-for-Excel-Setup-2.0.0.exe" /SILENT..2023-10-24 17:37:39.097 Windows version: 10.0.19045 (NT platform: Yes)..2023-10-24 17:37:39.097 64-bit Windows: Yes..2023-10-24 17:37:39.097 Processor architecture: x64..2023-10-24 17:37:39.097 User privileges: Administrative..2023-10-24 17:37:39.607 64-bit install mode: Yes..2023-10-24 17:37:39.623 Created temporary directory: C:\Users\user\AppData\Local\Temp\is-5RSRK.tmp..2023-10-24 17:37:39.639 -- DLL function import --..2023-10-24 17:37:39.639 Function name: GetProcessId..2023-10-24 17:37:39.639 DLL name: setup:kernel32.dll..

Process:	C:\Users\user\AppData\Local\Temp\is-U4BAJ.tmp\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.tmp
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	5971
Entropy (8bit):	5.225393169053579
Encrypted:	false
SSDEEP:
MD5:	355D6FAE156BD306C2F09387BF0ED5F7
SHA1:	09C2E3EBA30DBFB2BA4217E896951FE05B9EF06F
SHA-256:	E802E8D2EF3AB455B4255FB73E4ED1E36820F0FBA1DC28B189B6CC813CF9C743
SHA-512:	668300A02B40F673582968C13E99E6C70852B99CD2E41CEDDC60793C275FDD908C5AC9F6F9737372AD5949988B71D083CF034B8241233B8A4D6D64DC96EA675D
Malicious:	false
Reputation:	low
Preview:	.2023-10-24 17:37:44.983 Log opened. (Time zone: UTC+02:00)..2023-10-24 17:37:44.983 Setup version: Inno Setup version 5.6.1 (u)..2023-10-24 17:37:44.983 Original Setup EXE: C:\Program Files (x86)\ActiveBarcode\word\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.exe..2023-10-24 17:37:44.983 Setup command line: /SL5="$902D2,361899,121344,C:\Program Files (x86)\ActiveBarcode\word\ActiveBarcode-Add-In-for-Word-Setup-1.1.0.exe" /SILENT..2023-10-24 17:37:44.983 Windows version: 10.0.19045 (NT platform: Yes)..2023-10-24 17:37:44.983 64-bit Windows: Yes..2023-10-24 17:37:44.983 Processor architecture: x64..2023-10-24 17:37:44.983 User privileges: Administrative..2023-10-24 17:37:45.367 64-bit install mode: Yes..2023-10-24 17:37:45.383 Created temporary directory: C:\Users\user\AppData\Local\Temp\is-AFE7B.tmp..2023-10-24 17:37:45.414 -- DLL function import --..2023-10-24 17:37:45.414 Function name: GetProcessId..2023-10-24 17:37:45.414 DLL name: setup:kernel32.dll..2023

Process:	C:\Users\user\Desktop\ActiveBarcode-Setup6.12.0.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1197328
Entropy (8bit):	6.416595688611189
Encrypted:	false
SSDEEP:
MD5:	D37F2C5CAC5747F6321F90C095DCE0FD
SHA1:	419BE97F530181EBE1FA2DCA089F1AA05AECF93C
SHA-256:	E9635CA97A638E4A49E44B26456504EA08AC3314DDAC08DE463BB03CF787CB19
SHA-512:	BBC0D9124321229DD7EBCB53291509CC987EEB30FEF515AF88C15F5FF795BA0159A22C6A3F2FF2C5D462F336A173144B0D04F5D7837939BB39716D9FECD05AFE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Reputation:	low
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...Rm"[.............................%.......0....@.................................".....@......@..............................@8...@...................)...................................0.......................................................text............................... ..`.itext.............................. ..`.data....0...0...2..................@....bss.....a...p.......L...................idata..@8.......:...L..............@....tls....<.... ...........................rdata.......0......................@..@.rsrc........@......................@..@....................................@..@........................................................................................................................................

Entrypoint:	0x41181c
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5B226D52 [Thu Jun 14 13:27:46 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	20dd26497880c05caed9305b3c8b9109

Signature Valid:	true
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	12/01/2022 01:00:00 12/01/2025 00:59:59
Subject Chain	CN=Lars Schenk, O=Lars Schenk, S=Schleswig-Holstein, C=DE
Version:	3
Thumbprint MD5:	80CAA0797922D4AF86AB249C090B0D27
Thumbprint SHA-1:	45CE1D83A1519E8EACBF30F4B91B91352D1A0837
Thumbprint SHA-256:	F44F09949C657A6D154748FEFD1AF6D1310660BE43150BB0B11B67767DB7A5A4
Serial:	0D9CC4CC3A53BE1613F677B693E2FB8B

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x19000	0xe04	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1c000	0xb200	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2204530	0x2910
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1b000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x19304	0x214	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xf25c	0xf400	False	0.5482197745901639	data	6.375879013420213	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x11000	0xfa4	0x1000	False	0.563720703125	data	5.778765357049134	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x12000	0xc8c	0xe00	False	0.25362723214285715	data	2.3028287433175367	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x13000	0x56bc	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x19000	0xe04	0x1000	False	0.321533203125	data	4.597812557707959	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x1a000	0x8	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x1b000	0x18	0x200	False	0.05078125	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x1c000	0xb200	0xb200	False	0.177953827247191	data	4.140152878983828	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1c41c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Dutch	Netherlands	0.5675675675675675
RT_ICON	0x1c544	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	Dutch	Netherlands	0.4486994219653179
RT_ICON	0x1caac	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Dutch	Netherlands	0.4637096774193548
RT_ICON	0x1cd94	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	Dutch	Netherlands	0.3935018050541516
RT_STRING	0x1d63c	0x68	data			0.6538461538461539
RT_STRING	0x1d6a4	0xd4	data			0.5283018867924528
RT_STRING	0x1d778	0xa4	data			0.6524390243902439
RT_STRING	0x1d81c	0x2ac	data			0.45614035087719296
RT_STRING	0x1dac8	0x34c	data			0.4218009478672986
RT_STRING	0x1de14	0x294	data			0.4106060606060606
RT_RCDATA	0x1e0a8	0x82e8	data	English	United States	0.11261637622344235
RT_RCDATA	0x26390	0x10	data			1.5
RT_RCDATA	0x263a0	0x150	data			0.8392857142857143
RT_RCDATA	0x264f0	0x2c	data			1.2045454545454546
RT_GROUP_ICON	0x2651c	0x3e	data	English	United States	0.8387096774193549
RT_VERSION	0x2655c	0x4f4	data	English	United States	0.2665615141955836
RT_MANIFEST	0x26a50	0x62c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4240506329113924

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
user32.dll	CreateWindowExW, TranslateMessage, SetWindowLongW, PeekMessageW, MsgWaitForMultipleObjects, MessageBoxW, LoadStringW, GetSystemMetrics, ExitWindowsEx, DispatchMessageW, DestroyWindow, CharUpperBuffW, CallWindowProcW
kernel32.dll	WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, SizeofResource, SignalObjectAndWait, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, RemoveDirectoryW, ReadFile, MultiByteToWideChar, LockResource, LoadResource, LoadLibraryW, GetWindowsDirectoryW, GetVersionExW, GetVersion, GetUserDefaultLangID, GetThreadLocale, GetSystemInfo, GetSystemDirectoryW, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeProcess, GetEnvironmentVariableW, GetDiskFreeSpaceW, GetCurrentProcess, GetCommandLineW, GetCPInfo, InterlockedExchange, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, EnumCalendarInfoW, DeleteFileW, CreateProcessW, CreateFileW, CreateEventW, CreateDirectoryW, CloseHandle
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW
comctl32.dll	InitCommonControls
kernel32.dll	Sleep
advapi32.dll	AdjustTokenPrivileges

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ActiveBarcode-Setup6.12.0.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Analysis Advice

Process Tree

Yara Signatures

Dropped Files

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Created / dropped Files

(copy)

602eb5.rbf (copy)

602eb6.rbf (copy)

602eb7.rbf (copy)

602eb8.rbf (copy)

C:\Config.Msi\602eb0.rbs

C:\Config.Msi\602eb4.rbs

C:\Config.Msi\602ebb.rbs

C:\Config.Msi\602ebe.rbs

C:\Program Files (x86)\ActiveBarcode\asp\is-CDGFV.tmp

C:\Program Files (x86)\ActiveBarcode\asp\is-M0SGQ.tmp

C:\Program Files (x86)\ActiveBarcode\asp\is-N9KSS.tmp

C:\Program Files (x86)\ActiveBarcode\asp\is-PL7MO.tmp

C:\Program Files (x86)\ActiveBarcode\asp\is-R1LG2.tmp

C:\Program Files (x86)\ActiveBarcode\excel\is-VCKIU.tmp

C:\Program Files (x86)\ActiveBarcode\is-ISS3T.tmp

C:\Program Files (x86)\ActiveBarcode\is-LA3N5.tmp

C:\Program Files (x86)\ActiveBarcode\is-VEOLL.tmp

C:\Program Files (x86)\ActiveBarcode\php\is-3HA89.tmp

C:\Program Files (x86)\ActiveBarcode\php\is-9UONO.tmp

C:\Program Files (x86)\ActiveBarcode\php\is-J86UO.tmp

C:\Program Files (x86)\ActiveBarcode\php\is-MQIGB.tmp

C:\Program Files (x86)\ActiveBarcode\php\is-N4DKV.tmp

C:\Program Files (x86)\ActiveBarcode\php\is-VE5F3.tmp

C:\Program Files (x86)\ActiveBarcode\powerpoint\is-HS3IL.tmp

C:\Program Files (x86)\ActiveBarcode\unins000.dat

C:\Program Files (x86)\ActiveBarcode\unins000.msg

C:\Program Files (x86)\ActiveBarcode\word\is-DFBD6.tmp

C:\Program Files (x86)\Common Files\ActiveBarcode\ActiveXControl\ActiveBarcode.ocx

C:\Program Files\ActiveBarcode\is-0L1SE.tmp

C:\Program Files\ActiveBarcode\is-K1U8I.tmp

C:\Program Files\ActiveBarcode\is-KJCIU.tmp

C:\Program Files\ActiveBarcode\is-RJ6KU.tmp

C:\Program Files\ActiveBarcode\is-T9O3C.tmp

C:\Program Files\Common Files\ActiveBarcode\ActiveXControl\ActiveBarcode.ocx

Windows Analysis Report
ActiveBarcode-Setup6.12.0.exe

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre