Susp_Dropper (Kaspersky), Trojan.Generic.4629415 (AdAware), TrojanDropperVtimrun.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: b37155a6fa30018f5b6e2a287d527c91
SHA1: b062a950f860e811652680510d1db4cc615bdce5
SHA256: 3165a85b6496a8bbcb5590169b66c20657e635a6ae4991fb4e5e5ded89264535
SSDeep: 49152:iu0LSVHASxN9aD7sOP93ZPaZRNsa95ZN5Qe:p0mVgSxa872avh
Size: 1802040 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, MicrosoftVisualCv60SPx, UPolyXv05_v6
Company: no certificate found
Created at: 2001-03-01 23:56:32
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1264
The Trojan injects its code into the following process(es): No processes have been created.
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process %original file name%.exe:1264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msiinst.exe (1412 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msiexec.exe (2203 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\usp10.dll (6308 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\mspatcha.dll (170 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msi.dll (30555 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msisip.dll (735 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\cabinet.dll (1635 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\shfolder.dll (242 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msimsg.dll (16911 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\instmsi.msi (18611 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\sdbapi.dll (1914 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\riched20.dll (8836 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\imagehlp.dll (2498 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msls31.dll (3719 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msimain.sdb (2811 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msihnd.dll (7377 bytes)
Registry activity
The process %original file name%.exe:1264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\"
Dropped PE files
MD5 | File path |
---|---|
267ab17a3526c6c46b2a1cf9a0a51280 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\cabinet.dll |
0b783914a5bf8ce566c6f7be36e50759 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\imagehlp.dll |
84cc0e992099f7886057bee4e466f8cf | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msi.dll |
7a4d01dcc76b268eb08c44d9faba73cf | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msiexec.exe |
4b36d51ea5fdd261e80ee9a93e9f8645 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msihnd.dll |
5e9189e28544286137eb313100835892 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msiinst.exe |
687cceb254cd60de01ca543a8e1e20c0 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msimsg.dll |
8915718188df7e4857b85614e2815ca5 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msisip.dll |
2cab9989fb957efd98dbbbcb9b1946ab | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msls31.dll |
61e99aa0a399d3d82dcfb162c712f658 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\mspatcha.dll |
ae5abec31518e015a9fb4eb196854291 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\riched20.dll |
f8fd9158c6c71f3494a1d469ef78eea3 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\sdbapi.dll |
b7993c10b9a8c3b9735d7696c7b9e8b6 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\shfolder.dll |
4437b4e1efc79c331070b9f481e3e97a | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\usp10.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1264
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msiinst.exe (1412 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msiexec.exe (2203 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\usp10.dll (6308 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\mspatcha.dll (170 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msi.dll (30555 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msisip.dll (735 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\cabinet.dll (1635 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\shfolder.dll (242 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msimsg.dll (16911 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\instmsi.msi (18611 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\sdbapi.dll (1914 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\riched20.dll (8836 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\imagehlp.dll (2498 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msls31.dll (3719 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msimain.sdb (2811 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\msihnd.dll (7377 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\"
Static Analysis
VersionInfo
Company Name: Microsoft Corporation
Product Name: Windows Installer
Product Version: 2.0.2600.2
Legal Copyright: Copyright (c) Microsoft Corp. 2000
Legal Trademarks:
Original Filename: Msi.dll,MsiHnd.dll,MsiExec.exe
Internal Name: InstMsi.exe
File Version: 2.0.2600.2
File Description: Installer for the Windows Installer
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 34290 | 34304 | 4.57382 | ae582babaad5a738c32ad1c074e1f3e2 |
.data | 40960 | 7140 | 1024 | 2.90032 | 730893b14fc930a187215e7fb53bc0a5 |
.rsrc | 49152 | 1665980 | 1666048 | 5.53975 | 1d53afb04ba76013c213c7d3fe9add04 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 11
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps