Windows Analysis Report Setup.exe

Source: Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

File created: C:\Users\user~1\AppData\Local\Temp\Setup Log 2024-10-30 #001.txt

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Source: Setup.exe

Static PE information: certificate valid

Source: Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: {app}\Plugins\ADSync\Plugin.ADSync.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: &{app}\Plugins\ADSync\Plugin.ADSync.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\UpdateService\RemObjects.SDK.Server.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: #{app}\Tools\Diagnostics\DNADiag.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: +{app}\UpdateService\RemObjects.SDK.ZLib.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ({app}\Tools\ZeroConf\HtmlAgilityPack.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: +{app}\Tools\ZeroConf\OpenOptions.Common.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /{app}\Plugins\Plugins\dnaFusion.Plugins.SDK.pdb: source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\UpdateService\dnaFusionUpdate.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 3{app}\Plugins\Plugins\FlexV1\OpenOptions.Common.pdb( source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Tools\Diagnostics\DNAFusionDiagnostics.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 5{app}\Plugins\Plugins\ADSync\dnaWeb.Plugin.ADSync.pdb:\| source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\UpdateService\RemObjects.SDK.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Tools\ZeroConf\OpenOptions.Common.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\UpdateService\RemObjects.InternetPack.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: -{app}\UpdateService\RemObjects.SDK.Server.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\Plugins\ADSync\dnaWeb.Plugin.ADSync.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\FlexV1\FlexV1.Plugin.Transactions.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: &{app}\UpdateService\RemObjects.SDK.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 0{app}\Plugins\Shared\RemObjects.InternetPack.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ${app}\Tools\ZeroConf\SSPZeroConf.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Tools\Diagnostics\DNADiag.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /{app}\UpdateService\RemObjects.InternetPack.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\Shared\RemObjects.InternetPack.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\Plugins\FlexV1\OpenOptions.Common.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 0{app}\Tools\ZeroConf\RemObjects.SDK.ZeroConf.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: -{app}\UpdateService\RemObjects.SDK.Server.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\Plugins\FlexV1\RemObjects.SDK.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\Plugins\FlexV1\RemObjects.SDK.Server.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Tools\ZeroConf\RemObjects.SDK.ZeroConf.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: &{app}\UpdateService\RemObjects.SDK.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 6{app}\Plugins\Plugins\FlexV1\RemObjects.SDK.Server.pdb( source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ,{app}\Plugins\Shared\RemObjects.SDK.ZLib.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Tools\Diagnostics\DNADiagGui.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ${app}\Tools\ZeroConf\SSPZeroConf.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: +{app}\Tools\ZeroConf\OpenOptions.Common.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 0{app}\Tools\ZeroConf\RemObjects.SDK.ZeroConf.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: +{app}\UpdateService\RemObjects.SDK.ZLib.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\Shared\RemObjects.SDK.ZLib.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 6{app}\Plugins\Plugins\FlexV1\RemObjects.SDK.Server.pdb: source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 5{app}\Plugins\Plugins\ADSync\dnaWeb.Plugin.ADSync.pdb( source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 0{app}\Tools\Diagnostics\DNAFusionDiagnostics.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 0{app}\Tools\Diagnostics\DNAFusionDiagnostics.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: '{app}\Plugins\Shared\RemObjects.SDK.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /{app}\Plugins\Plugins\FlexV1\RemObjects.SDK.pdb( source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\Plugins\dnaFusion.Plugins.SDK.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: &{app}\Tools\Diagnostics\DNADiagGui.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: '{app}\UpdateService\dnaFusionUpdate.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 3{app}\Plugins\FlexV1\FlexV1.Plugin.Transactions.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Tools\ZeroConf\SSPZeroConf.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ({app}\Tools\ZeroConf\HtmlAgilityPack.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: '{app}\UpdateService\dnaFusionUpdate.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /{app}\UpdateService\RemObjects.InternetPack.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\Shared\RemObjects.SDK.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /{app}\Plugins\Plugins\dnaFusion.Plugins.SDK.pdb( source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: #{app}\Tools\Diagnostics\DNADiag.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: &{app}\Tools\Diagnostics\DNADiagGui.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Tools\ZeroConf\HtmlAgilityPack.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\UpdateService\RemObjects.SDK.ZLib.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 3{app}\Plugins\Plugins\FlexV1\OpenOptions.Common.pdb:h source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /{app}\Plugins\Plugins\FlexV1\RemObjects.SDK.pdb: source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00476F44 FindFirstFileA,FindNextFileA,FindClose,	3_2_00476F44
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0049AF28 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	3_2_0049AF28
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_004650D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	3_2_004650D0
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00453238 FindFirstFileA,GetLastError,	3_2_00453238
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0046554C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	3_2_0046554C
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00463B44 FindFirstFileA,FindNextFileA,FindClose,	3_2_00463B44

Source: unknown	DNS traffic detected: query: 15.164.165.52.in-addr.arpa replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 200.163.202.172.in-addr.arpa replaycode: Name error (3)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: 200.163.202.172.in-addr.arpa

Source: Setup.exe, Setup.tmp.1.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Setup.exe, Setup.tmp.1.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Setup.exe, Setup.tmp.1.dr	String found in binary or memory: http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
Source: Setup.exe, Setup.tmp.1.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Setup.exe, Setup.tmp.1.dr	String found in binary or memory: http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
Source: Setup.exe, Setup.tmp.1.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://license.ooinc.com/Download/FlexAPI
Source: Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://license.openoptionsinc.com/LicenseFile?HaspKey=%s&Product=FULIC
Source: Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://license.openoptionsinc.com/LicenseFile?SoftKey=%s&Product=FULIC
Source: Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://license.openoptionsinc.com/LicenseFile?SoftKey=%s&Product=FULIC&Username=%s&Password=%s
Source: Setup.exe, Setup.tmp.1.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: Setup.exe, Setup.tmp.1.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ooaws.openoptionsinc.com/Dependencies/powershellv1/Windows2003x64/WindowsServer2003.WindowsXP
Source: Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ooaws.openoptionsinc.com/Dependencies/powershellv1/WindowsXPx64/WindowsServer2003.WindowsXP-K
Source: Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ooaws.openoptionsinc.com/Dependencies/powershellv1/WindowsXPx86/WindowsXP-KB926139-v2-x86-ENU
Source: Setup.tmp, Setup.tmp, 00000003.00000000.1317307817.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup.tmp.1.dr	String found in binary or memory: http://www.innosetup.com/
Source: Setup.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: Setup.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: Setup.exe, 00000001.00000002.2582274081.0000000002030000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1315399565.0000000002260000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ooaccess.com
Source: Setup.exe, 00000001.00000002.2582274081.0000000002030000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ooaccess.com&
Source: Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.openoptionsinc.com
Source: Setup.exe, 00000001.00000003.1316036025.0000000002260000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1315850647.0000000002360000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, Setup.tmp, 00000003.00000000.1317307817.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup.tmp.1.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: Setup.exe, 00000001.00000003.1316036025.0000000002260000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1315850647.0000000002360000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000000.1317307817.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup.tmp.1.dr	String found in binary or memory: http://www.remobjects.com/psU
Source: Setup.exe, 00000001.00000002.2582294440.0000000002038000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1315399565.0000000002260000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ooaccess.com/v7
Source: Setup.exe, Setup.tmp.1.dr	String found in binary or memory: https://sectigo.com/CPS0B
Source: Setup.exe, Setup.tmp.1.dr	String found in binary or memory: https://sectigo.com/CPS0D

Contains functionality to call native functions

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00424014 NtdllDefWindowProc_A,	3_2_00424014
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00412A68 NtdllDefWindowProc_A,	3_2_00412A68
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0047AC34 NtdllDefWindowProc_A,	3_2_0047AC34
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0042FA00 NtdllDefWindowProc_A,	3_2_0042FA00
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00457E24 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,	3_2_00457E24

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

Code function: 3_2_0042EDC4: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,

3_2_0042EDC4

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\Setup.exe	Code function: 1_2_00409920 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_00409920
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00455E14 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		3_2_00455E14

Detected potential crypto function

Source: C:\Users\user\Desktop\Setup.exe	Code function: 1_2_004088C0	1_2_004088C0
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00482CD8	3_2_00482CD8
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_004357B8	3_2_004357B8
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00472090	3_2_00472090
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00452194	3_2_00452194
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0043E240	3_2_0043E240
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00490830	3_2_00490830
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0043083C	3_2_0043083C
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_004688B8	3_2_004688B8
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0046A974	3_2_0046A974
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_004449B8	3_2_004449B8
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00434AB4	3_2_00434AB4
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00444F60	3_2_00444F60
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0048908C	3_2_0048908C
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_004313C8	3_2_004313C8
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00445658	3_2_00445658
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0045F954	3_2_0045F954
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00445A64	3_2_00445A64
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0045BA04	3_2_0045BA04
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00489FEC	3_2_00489FEC

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: String function: 00453B40 appears 97 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: String function: 0040909C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: String function: 0040596C appears 114 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: String function: 004587AC appears 84 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: String function: 00403400 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: String function: 004585A0 appears 124 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: String function: 00406F54 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: String function: 00403494 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: String function: 00446594 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: String function: 0040357C appears 34 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: String function: 004462C4 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: String function: 004349CC appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: String function: 00403684 appears 233 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: String function: 00407D84 appears 43 times

PE file contains executable resources (Code or Archives)

Source: Setup.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Setup.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: Setup.tmp.1.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped

Sample file is different than original file name gathered from version info

Source: Setup.exe, 00000001.00000003.1316036025.0000000002260000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs Setup.exe
Source: Setup.exe, 00000001.00000003.1315850647.0000000002360000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs Setup.exe

Source: Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: clean5.winEXE@3/3@2/0

Source: C:\Users\user\Desktop\Setup.exe	Code function: 1_2_00409920 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_00409920
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00455E14 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		3_2_00455E14

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

Code function: 3_2_0045663C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,

3_2_0045663C

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

Code function: 3_2_00456E68 CoCreateInstance,CoCreateInstance,SysFreeString,SysFreeString,

3_2_00456E68

Source: C:\Users\user\Desktop\Setup.exe

Code function: 1_2_0040A10C FindResourceA,SizeofResource,LoadResource,LockResource,

1_2_0040A10C

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

File created: C:\Users\user\AppData\Local\Programs

Source: C:\Users\user\Desktop\Setup.exe

File created: C:\Users\user~1\AppData\Local\Temp\is-0EH0G.tmp

Source: C:\Users\user\Desktop\Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: Setup.exe	String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
Source: Setup.exe	String found in binary or memory: /LOADINF="filename"
Source: Setup.exe	String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\user\Desktop\Setup.exe

Source: unknown	Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp "C:\Users\user~1\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp" /SL5="$20422,86016,0,C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp "C:\Users\user~1\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp" /SL5="$20422,86016,0,C:\Users\user\Desktop\Setup.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: textshaping.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

Window found: window name: TEdit

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Setup.exe

Static PE information: certificate valid

Source: Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: {app}\Plugins\ADSync\Plugin.ADSync.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: &{app}\Plugins\ADSync\Plugin.ADSync.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\UpdateService\RemObjects.SDK.Server.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: #{app}\Tools\Diagnostics\DNADiag.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: +{app}\UpdateService\RemObjects.SDK.ZLib.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ({app}\Tools\ZeroConf\HtmlAgilityPack.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: +{app}\Tools\ZeroConf\OpenOptions.Common.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /{app}\Plugins\Plugins\dnaFusion.Plugins.SDK.pdb: source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\UpdateService\dnaFusionUpdate.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 3{app}\Plugins\Plugins\FlexV1\OpenOptions.Common.pdb( source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Tools\Diagnostics\DNAFusionDiagnostics.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 5{app}\Plugins\Plugins\ADSync\dnaWeb.Plugin.ADSync.pdb:\| source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\UpdateService\RemObjects.SDK.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Tools\ZeroConf\OpenOptions.Common.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\UpdateService\RemObjects.InternetPack.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: -{app}\UpdateService\RemObjects.SDK.Server.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\Plugins\ADSync\dnaWeb.Plugin.ADSync.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\FlexV1\FlexV1.Plugin.Transactions.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: &{app}\UpdateService\RemObjects.SDK.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 0{app}\Plugins\Shared\RemObjects.InternetPack.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ${app}\Tools\ZeroConf\SSPZeroConf.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Tools\Diagnostics\DNADiag.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /{app}\UpdateService\RemObjects.InternetPack.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\Shared\RemObjects.InternetPack.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\Plugins\FlexV1\OpenOptions.Common.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 0{app}\Tools\ZeroConf\RemObjects.SDK.ZeroConf.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: -{app}\UpdateService\RemObjects.SDK.Server.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\Plugins\FlexV1\RemObjects.SDK.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\Plugins\FlexV1\RemObjects.SDK.Server.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Tools\ZeroConf\RemObjects.SDK.ZeroConf.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: &{app}\UpdateService\RemObjects.SDK.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 6{app}\Plugins\Plugins\FlexV1\RemObjects.SDK.Server.pdb( source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ,{app}\Plugins\Shared\RemObjects.SDK.ZLib.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Tools\Diagnostics\DNADiagGui.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ${app}\Tools\ZeroConf\SSPZeroConf.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: +{app}\Tools\ZeroConf\OpenOptions.Common.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 0{app}\Tools\ZeroConf\RemObjects.SDK.ZeroConf.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: +{app}\UpdateService\RemObjects.SDK.ZLib.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\Shared\RemObjects.SDK.ZLib.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 6{app}\Plugins\Plugins\FlexV1\RemObjects.SDK.Server.pdb: source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 5{app}\Plugins\Plugins\ADSync\dnaWeb.Plugin.ADSync.pdb( source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 0{app}\Tools\Diagnostics\DNAFusionDiagnostics.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 0{app}\Tools\Diagnostics\DNAFusionDiagnostics.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: '{app}\Plugins\Shared\RemObjects.SDK.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /{app}\Plugins\Plugins\FlexV1\RemObjects.SDK.pdb( source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\Plugins\dnaFusion.Plugins.SDK.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: &{app}\Tools\Diagnostics\DNADiagGui.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: '{app}\UpdateService\dnaFusionUpdate.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 3{app}\Plugins\FlexV1\FlexV1.Plugin.Transactions.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Tools\ZeroConf\SSPZeroConf.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ({app}\Tools\ZeroConf\HtmlAgilityPack.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: '{app}\UpdateService\dnaFusionUpdate.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /{app}\UpdateService\RemObjects.InternetPack.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\Shared\RemObjects.SDK.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /{app}\Plugins\Plugins\dnaFusion.Plugins.SDK.pdb( source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: #{app}\Tools\Diagnostics\DNADiag.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: &{app}\Tools\Diagnostics\DNADiagGui.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Tools\ZeroConf\HtmlAgilityPack.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\UpdateService\RemObjects.SDK.ZLib.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 3{app}\Plugins\Plugins\FlexV1\OpenOptions.Common.pdb:h source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /{app}\Plugins\Plugins\FlexV1\RemObjects.SDK.pdb: source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

Code function: 3_2_00450A28 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Setup.exe	Code function: 1_2_00406A50 push 00406A8Dh; ret	1_2_00406A85
Source: C:\Users\user\Desktop\Setup.exe	Code function: 1_2_004040B5 push eax; ret	1_2_004040F1
Source: C:\Users\user\Desktop\Setup.exe	Code function: 1_2_00404185 push 00404391h; ret	1_2_00404389
Source: C:\Users\user\Desktop\Setup.exe	Code function: 1_2_00404206 push 00404391h; ret	1_2_00404389
Source: C:\Users\user\Desktop\Setup.exe	Code function: 1_2_004042E8 push 00404391h; ret	1_2_00404389
Source: C:\Users\user\Desktop\Setup.exe	Code function: 1_2_00404283 push 00404391h; ret	1_2_00404389
Source: C:\Users\user\Desktop\Setup.exe	Code function: 1_2_004093EC push 0040941Fh; ret	1_2_00409417
Source: C:\Users\user\Desktop\Setup.exe	Code function: 1_2_004085B8 push ecx; mov dword ptr [esp], eax	1_2_004085BD
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00409DDC push 00409E19h; ret	3_2_00409E11
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0041A0B8 push ecx; mov dword ptr [esp], ecx	3_2_0041A0BD
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00452194 push ecx; mov dword ptr [esp], eax	3_2_00452199
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_004062CC push ecx; mov dword ptr [esp], eax	3_2_004062CD
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0040A2DF push ds; ret	3_2_0040A2E0
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_004605AC push ecx; mov dword ptr [esp], ecx	3_2_004605B0
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00458848 push 00458880h; ret	3_2_00458878
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00410970 push ecx; mov dword ptr [esp], edx	3_2_00410975
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00412DB8 push 00412E1Bh; ret	3_2_00412E13
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0040D2C8 push ecx; mov dword ptr [esp], edx	3_2_0040D2CA
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0040546D push eax; ret	3_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0040553D push 00405749h; ret	3_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_004055BE push 00405749h; ret	3_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0040563B push 00405749h; ret	3_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_004056A0 push 00405749h; ret	3_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0040F828 push ecx; mov dword ptr [esp], edx	3_2_0040F82A
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00443930 push ecx; mov dword ptr [esp], ecx	3_2_00443934
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00487AF0 push ecx; mov dword ptr [esp], ecx	3_2_00487AF5
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00459B60 push 00459BA4h; ret	3_2_00459B9C
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00497B18 push ecx; mov dword ptr [esp], ecx	3_2_00497B1D
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00479C7C push ecx; mov dword ptr [esp], edx	3_2_00479C7D
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00451FD0 push 00452003h; ret	3_2_00451FFB

Drops PE files

Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-8Q1AL.tmp\_isetup\_setup64.tmp			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

File created: C:\Users\user~1\AppData\Local\Temp\Setup Log 2024-10-30 #001.txt

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0042409C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	3_2_0042409C
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0042409C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	3_2_0042409C
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00422CEC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	3_2_00422CEC
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0042F75C IsIconic,GetWindowLongA,GetWindowLongA,GetActiveWindow,MessageBoxA,SetActiveWindow,GetActiveWindow,MessageBoxA,SetActiveWindow,	3_2_0042F75C
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0041815E IsIconic,SetWindowPos,	3_2_0041815E
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00418160 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	3_2_00418160
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0042466C IsIconic,SetActiveWindow,SetFocus,	3_2_0042466C
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00424624 IsIconic,SetActiveWindow,	3_2_00424624
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00418814 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	3_2_00418814
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00417A28 IsIconic,GetCapture,	3_2_00417A28
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00485CFC IsIconic,GetWindowLongA,ShowWindow,ShowWindow,	3_2_00485CFC

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

Code function: 3_2_0041F5A8 GetVersion,SetErrorMode,LoadLibraryA,SetErrorMode,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

3_2_0041F5A8

Source: C:\Users\user\Desktop\Setup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-8Q1AL.tmp\_isetup\_setup64.tmp

Jump to dropped file

Found evasive API chain (date check)

Source: C:\Users\user\Desktop\Setup.exe

Evasive API call chain: GetSystemTime,DecisionNodes

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00476F44 FindFirstFileA,FindNextFileA,FindClose,	3_2_00476F44
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0049AF28 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	3_2_0049AF28
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_004650D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	3_2_004650D0
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00453238 FindFirstFileA,GetLastError,	3_2_00453238
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0046554C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	3_2_0046554C
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00463B44 FindFirstFileA,FindNextFileA,FindClose,	3_2_00463B44

Source: C:\Users\user\Desktop\Setup.exe

Code function: 1_2_0040A050 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

1_2_0040A050

Source: C:\Users\user\Desktop\Setup.exe

API call chain: ExitProcess graph end node

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

Code function: 3_2_00450A28 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

Code function: 3_2_0047A678 ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

3_2_0047A678

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

Code function: 3_2_0042F294 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexA,

3_2_0042F294

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

Code function: 3_2_0042E52C AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,

3_2_0042E52C

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\Setup.exe	Code function: GetLocaleInfoA,	1_2_00405694
Source: C:\Users\user\Desktop\Setup.exe	Code function: GetLocaleInfoA,	1_2_004056E0
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: GetLocaleInfoA,	3_2_004089F8
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: GetLocaleInfoA,	3_2_00408A44

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

Code function: 3_2_00458E58 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,

3_2_00458E58

Source: C:\Users\user\Desktop\Setup.exe

Code function: 1_2_004026C4 GetSystemTime,

1_2_004026C4

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

Code function: 3_2_00455DCC GetUserNameA,

3_2_00455DCC

Source: C:\Users\user\Desktop\Setup.exe

Code function: 1_2_00404654 GetModuleHandleA,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy,

1_2_00404654

AV process strings found (often used to terminate AV products)

Source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: {app}\Tools\procexp.exe

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Contacted Domains

Name	IP	Active
15.164.165.52.in-addr.arpa	unknown	unknown
200.163.202.172.in-addr.arpa	unknown	unknown

Source: Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

File created: C:\Users\user~1\AppData\Local\Temp\Setup Log 2024-10-30 #001.txt

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Source: Setup.exe

Static PE information: certificate valid

Source: Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: {app}\Plugins\ADSync\Plugin.ADSync.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: &{app}\Plugins\ADSync\Plugin.ADSync.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\UpdateService\RemObjects.SDK.Server.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: #{app}\Tools\Diagnostics\DNADiag.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: +{app}\UpdateService\RemObjects.SDK.ZLib.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ({app}\Tools\ZeroConf\HtmlAgilityPack.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: +{app}\Tools\ZeroConf\OpenOptions.Common.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /{app}\Plugins\Plugins\dnaFusion.Plugins.SDK.pdb: source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\UpdateService\dnaFusionUpdate.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 3{app}\Plugins\Plugins\FlexV1\OpenOptions.Common.pdb( source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Tools\Diagnostics\DNAFusionDiagnostics.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 5{app}\Plugins\Plugins\ADSync\dnaWeb.Plugin.ADSync.pdb:\| source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\UpdateService\RemObjects.SDK.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Tools\ZeroConf\OpenOptions.Common.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\UpdateService\RemObjects.InternetPack.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: -{app}\UpdateService\RemObjects.SDK.Server.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\Plugins\ADSync\dnaWeb.Plugin.ADSync.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\FlexV1\FlexV1.Plugin.Transactions.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: &{app}\UpdateService\RemObjects.SDK.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 0{app}\Plugins\Shared\RemObjects.InternetPack.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ${app}\Tools\ZeroConf\SSPZeroConf.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Tools\Diagnostics\DNADiag.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /{app}\UpdateService\RemObjects.InternetPack.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\Shared\RemObjects.InternetPack.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\Plugins\FlexV1\OpenOptions.Common.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 0{app}\Tools\ZeroConf\RemObjects.SDK.ZeroConf.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: -{app}\UpdateService\RemObjects.SDK.Server.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\Plugins\FlexV1\RemObjects.SDK.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\Plugins\FlexV1\RemObjects.SDK.Server.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Tools\ZeroConf\RemObjects.SDK.ZeroConf.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: &{app}\UpdateService\RemObjects.SDK.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 6{app}\Plugins\Plugins\FlexV1\RemObjects.SDK.Server.pdb( source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ,{app}\Plugins\Shared\RemObjects.SDK.ZLib.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Tools\Diagnostics\DNADiagGui.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ${app}\Tools\ZeroConf\SSPZeroConf.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: +{app}\Tools\ZeroConf\OpenOptions.Common.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 0{app}\Tools\ZeroConf\RemObjects.SDK.ZeroConf.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: +{app}\UpdateService\RemObjects.SDK.ZLib.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\Shared\RemObjects.SDK.ZLib.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 6{app}\Plugins\Plugins\FlexV1\RemObjects.SDK.Server.pdb: source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 5{app}\Plugins\Plugins\ADSync\dnaWeb.Plugin.ADSync.pdb( source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 0{app}\Tools\Diagnostics\DNAFusionDiagnostics.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 0{app}\Tools\Diagnostics\DNAFusionDiagnostics.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: '{app}\Plugins\Shared\RemObjects.SDK.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /{app}\Plugins\Plugins\FlexV1\RemObjects.SDK.pdb( source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\Plugins\dnaFusion.Plugins.SDK.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: &{app}\Tools\Diagnostics\DNADiagGui.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: '{app}\UpdateService\dnaFusionUpdate.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 3{app}\Plugins\FlexV1\FlexV1.Plugin.Transactions.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Tools\ZeroConf\SSPZeroConf.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ({app}\Tools\ZeroConf\HtmlAgilityPack.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: '{app}\UpdateService\dnaFusionUpdate.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /{app}\UpdateService\RemObjects.InternetPack.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\Shared\RemObjects.SDK.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /{app}\Plugins\Plugins\dnaFusion.Plugins.SDK.pdb( source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: #{app}\Tools\Diagnostics\DNADiag.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: &{app}\Tools\Diagnostics\DNADiagGui.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Tools\ZeroConf\HtmlAgilityPack.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\UpdateService\RemObjects.SDK.ZLib.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 3{app}\Plugins\Plugins\FlexV1\OpenOptions.Common.pdb:h source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /{app}\Plugins\Plugins\FlexV1\RemObjects.SDK.pdb: source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00476F44 FindFirstFileA,FindNextFileA,FindClose,	3_2_00476F44
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0049AF28 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	3_2_0049AF28
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_004650D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	3_2_004650D0
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00453238 FindFirstFileA,GetLastError,	3_2_00453238
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0046554C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	3_2_0046554C
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00463B44 FindFirstFileA,FindNextFileA,FindClose,	3_2_00463B44

Source: unknown	DNS traffic detected: query: 15.164.165.52.in-addr.arpa replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 200.163.202.172.in-addr.arpa replaycode: Name error (3)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: 200.163.202.172.in-addr.arpa

Source: Setup.exe, Setup.tmp.1.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Setup.exe, Setup.tmp.1.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Setup.exe, Setup.tmp.1.dr	String found in binary or memory: http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
Source: Setup.exe, Setup.tmp.1.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: Setup.exe, Setup.tmp.1.dr	String found in binary or memory: http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
Source: Setup.exe, Setup.tmp.1.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://license.ooinc.com/Download/FlexAPI
Source: Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://license.openoptionsinc.com/LicenseFile?HaspKey=%s&Product=FULIC
Source: Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://license.openoptionsinc.com/LicenseFile?SoftKey=%s&Product=FULIC
Source: Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://license.openoptionsinc.com/LicenseFile?SoftKey=%s&Product=FULIC&Username=%s&Password=%s
Source: Setup.exe, Setup.tmp.1.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: Setup.exe, Setup.tmp.1.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ooaws.openoptionsinc.com/Dependencies/powershellv1/Windows2003x64/WindowsServer2003.WindowsXP
Source: Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ooaws.openoptionsinc.com/Dependencies/powershellv1/WindowsXPx64/WindowsServer2003.WindowsXP-K
Source: Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ooaws.openoptionsinc.com/Dependencies/powershellv1/WindowsXPx86/WindowsXP-KB926139-v2-x86-ENU
Source: Setup.tmp, Setup.tmp, 00000003.00000000.1317307817.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup.tmp.1.dr	String found in binary or memory: http://www.innosetup.com/
Source: Setup.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: Setup.exe	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: Setup.exe, 00000001.00000002.2582274081.0000000002030000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1315399565.0000000002260000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ooaccess.com
Source: Setup.exe, 00000001.00000002.2582274081.0000000002030000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ooaccess.com&
Source: Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.openoptionsinc.com
Source: Setup.exe, 00000001.00000003.1316036025.0000000002260000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1315850647.0000000002360000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, Setup.tmp, 00000003.00000000.1317307817.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup.tmp.1.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: Setup.exe, 00000001.00000003.1316036025.0000000002260000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1315850647.0000000002360000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000000.1317307817.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup.tmp.1.dr	String found in binary or memory: http://www.remobjects.com/psU
Source: Setup.exe, 00000001.00000002.2582294440.0000000002038000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000001.00000003.1315399565.0000000002260000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ooaccess.com/v7
Source: Setup.exe, Setup.tmp.1.dr	String found in binary or memory: https://sectigo.com/CPS0B
Source: Setup.exe, Setup.tmp.1.dr	String found in binary or memory: https://sectigo.com/CPS0D

Contains functionality to call native functions

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00424014 NtdllDefWindowProc_A,	3_2_00424014
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00412A68 NtdllDefWindowProc_A,	3_2_00412A68
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0047AC34 NtdllDefWindowProc_A,	3_2_0047AC34
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0042FA00 NtdllDefWindowProc_A,	3_2_0042FA00
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00457E24 PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,	3_2_00457E24

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

Code function: 3_2_0042EDC4: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,

3_2_0042EDC4

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\Setup.exe	Code function: 1_2_00409920 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_00409920
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00455E14 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		3_2_00455E14

Detected potential crypto function

Source: C:\Users\user\Desktop\Setup.exe	Code function: 1_2_004088C0	1_2_004088C0
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00482CD8	3_2_00482CD8
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_004357B8	3_2_004357B8
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00472090	3_2_00472090
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00452194	3_2_00452194
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0043E240	3_2_0043E240
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00490830	3_2_00490830
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0043083C	3_2_0043083C
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_004688B8	3_2_004688B8
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0046A974	3_2_0046A974
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_004449B8	3_2_004449B8
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00434AB4	3_2_00434AB4
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00444F60	3_2_00444F60
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0048908C	3_2_0048908C
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_004313C8	3_2_004313C8
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00445658	3_2_00445658
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0045F954	3_2_0045F954
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00445A64	3_2_00445A64
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0045BA04	3_2_0045BA04
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00489FEC	3_2_00489FEC

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: String function: 00453B40 appears 97 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: String function: 0040909C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: String function: 0040596C appears 114 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: String function: 004587AC appears 84 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: String function: 00403400 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: String function: 004585A0 appears 124 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: String function: 00406F54 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: String function: 00403494 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: String function: 00446594 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: String function: 0040357C appears 34 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: String function: 004462C4 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: String function: 004349CC appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: String function: 00403684 appears 233 times
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: String function: 00407D84 appears 43 times

PE file contains executable resources (Code or Archives)

Source: Setup.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Setup.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: Setup.tmp.1.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped

Sample file is different than original file name gathered from version info

Source: Setup.exe, 00000001.00000003.1316036025.0000000002260000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs Setup.exe
Source: Setup.exe, 00000001.00000003.1315850647.0000000002360000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs Setup.exe

Source: Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: clean5.winEXE@3/3@2/0

Source: C:\Users\user\Desktop\Setup.exe	Code function: 1_2_00409920 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_00409920
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00455E14 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		3_2_00455E14

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

Code function: 3_2_0045663C GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,

3_2_0045663C

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

Code function: 3_2_00456E68 CoCreateInstance,CoCreateInstance,SysFreeString,SysFreeString,

3_2_00456E68

Source: C:\Users\user\Desktop\Setup.exe

Code function: 1_2_0040A10C FindResourceA,SizeofResource,LoadResource,LockResource,

1_2_0040A10C

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

File created: C:\Users\user\AppData\Local\Programs

Source: C:\Users\user\Desktop\Setup.exe

File created: C:\Users\user~1\AppData\Local\Temp\is-0EH0G.tmp

Source: C:\Users\user\Desktop\Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: Setup.exe	String found in binary or memory: need to be updated. /RESTARTAPPLICATIONS Instructs Setup to restart applications. /NORESTARTAPPLICATIONS Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked t
Source: Setup.exe	String found in binary or memory: /LOADINF="filename"
Source: Setup.exe	String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\user\Desktop\Setup.exe

Source: unknown	Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp "C:\Users\user~1\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp" /SL5="$20422,86016,0,C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp "C:\Users\user~1\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp" /SL5="$20422,86016,0,C:\Users\user\Desktop\Setup.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Section loaded: textshaping.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

Window found: window name: TEdit

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Setup.exe

Static PE information: certificate valid

Source: Setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: {app}\Plugins\ADSync\Plugin.ADSync.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: &{app}\Plugins\ADSync\Plugin.ADSync.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\UpdateService\RemObjects.SDK.Server.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: #{app}\Tools\Diagnostics\DNADiag.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: +{app}\UpdateService\RemObjects.SDK.ZLib.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ({app}\Tools\ZeroConf\HtmlAgilityPack.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: +{app}\Tools\ZeroConf\OpenOptions.Common.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /{app}\Plugins\Plugins\dnaFusion.Plugins.SDK.pdb: source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\UpdateService\dnaFusionUpdate.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 3{app}\Plugins\Plugins\FlexV1\OpenOptions.Common.pdb( source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Tools\Diagnostics\DNAFusionDiagnostics.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 5{app}\Plugins\Plugins\ADSync\dnaWeb.Plugin.ADSync.pdb:\| source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\UpdateService\RemObjects.SDK.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Tools\ZeroConf\OpenOptions.Common.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\UpdateService\RemObjects.InternetPack.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: -{app}\UpdateService\RemObjects.SDK.Server.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\Plugins\ADSync\dnaWeb.Plugin.ADSync.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\FlexV1\FlexV1.Plugin.Transactions.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: &{app}\UpdateService\RemObjects.SDK.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 0{app}\Plugins\Shared\RemObjects.InternetPack.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ${app}\Tools\ZeroConf\SSPZeroConf.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Tools\Diagnostics\DNADiag.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /{app}\UpdateService\RemObjects.InternetPack.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\Shared\RemObjects.InternetPack.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\Plugins\FlexV1\OpenOptions.Common.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 0{app}\Tools\ZeroConf\RemObjects.SDK.ZeroConf.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: -{app}\UpdateService\RemObjects.SDK.Server.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\Plugins\FlexV1\RemObjects.SDK.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\Plugins\FlexV1\RemObjects.SDK.Server.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Tools\ZeroConf\RemObjects.SDK.ZeroConf.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: &{app}\UpdateService\RemObjects.SDK.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 6{app}\Plugins\Plugins\FlexV1\RemObjects.SDK.Server.pdb( source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ,{app}\Plugins\Shared\RemObjects.SDK.ZLib.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Tools\Diagnostics\DNADiagGui.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ${app}\Tools\ZeroConf\SSPZeroConf.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: +{app}\Tools\ZeroConf\OpenOptions.Common.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 0{app}\Tools\ZeroConf\RemObjects.SDK.ZeroConf.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: +{app}\UpdateService\RemObjects.SDK.ZLib.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\Shared\RemObjects.SDK.ZLib.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 6{app}\Plugins\Plugins\FlexV1\RemObjects.SDK.Server.pdb: source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 5{app}\Plugins\Plugins\ADSync\dnaWeb.Plugin.ADSync.pdb( source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 0{app}\Tools\Diagnostics\DNAFusionDiagnostics.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 0{app}\Tools\Diagnostics\DNAFusionDiagnostics.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: '{app}\Plugins\Shared\RemObjects.SDK.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /{app}\Plugins\Plugins\FlexV1\RemObjects.SDK.pdb( source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\Plugins\dnaFusion.Plugins.SDK.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: &{app}\Tools\Diagnostics\DNADiagGui.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: '{app}\UpdateService\dnaFusionUpdate.pdb source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 3{app}\Plugins\FlexV1\FlexV1.Plugin.Transactions.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Tools\ZeroConf\SSPZeroConf.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: ({app}\Tools\ZeroConf\HtmlAgilityPack.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: '{app}\UpdateService\dnaFusionUpdate.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /{app}\UpdateService\RemObjects.InternetPack.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Plugins\Shared\RemObjects.SDK.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /{app}\Plugins\Plugins\dnaFusion.Plugins.SDK.pdb( source: Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: #{app}\Tools\Diagnostics\DNADiag.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: &{app}\Tools\Diagnostics\DNADiagGui.pdb" source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\Tools\ZeroConf\HtmlAgilityPack.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: {app}\UpdateService\RemObjects.SDK.ZLib.pdb source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000003.1319106166.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 3{app}\Plugins\Plugins\FlexV1\OpenOptions.Common.pdb:h source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: /{app}\Plugins\Plugins\FlexV1\RemObjects.SDK.pdb: source: Setup.tmp, 00000003.00000003.1319216440.00000000021BC000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000003.00000002.2582501086.00000000021B7000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

Code function: 3_2_00450A28 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Setup.exe	Code function: 1_2_00406A50 push 00406A8Dh; ret	1_2_00406A85
Source: C:\Users\user\Desktop\Setup.exe	Code function: 1_2_004040B5 push eax; ret	1_2_004040F1
Source: C:\Users\user\Desktop\Setup.exe	Code function: 1_2_00404185 push 00404391h; ret	1_2_00404389
Source: C:\Users\user\Desktop\Setup.exe	Code function: 1_2_00404206 push 00404391h; ret	1_2_00404389
Source: C:\Users\user\Desktop\Setup.exe	Code function: 1_2_004042E8 push 00404391h; ret	1_2_00404389
Source: C:\Users\user\Desktop\Setup.exe	Code function: 1_2_00404283 push 00404391h; ret	1_2_00404389
Source: C:\Users\user\Desktop\Setup.exe	Code function: 1_2_004093EC push 0040941Fh; ret	1_2_00409417
Source: C:\Users\user\Desktop\Setup.exe	Code function: 1_2_004085B8 push ecx; mov dword ptr [esp], eax	1_2_004085BD
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00409DDC push 00409E19h; ret	3_2_00409E11
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0041A0B8 push ecx; mov dword ptr [esp], ecx	3_2_0041A0BD
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00452194 push ecx; mov dword ptr [esp], eax	3_2_00452199
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_004062CC push ecx; mov dword ptr [esp], eax	3_2_004062CD
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0040A2DF push ds; ret	3_2_0040A2E0
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_004605AC push ecx; mov dword ptr [esp], ecx	3_2_004605B0
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00458848 push 00458880h; ret	3_2_00458878
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00410970 push ecx; mov dword ptr [esp], edx	3_2_00410975
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00412DB8 push 00412E1Bh; ret	3_2_00412E13
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0040D2C8 push ecx; mov dword ptr [esp], edx	3_2_0040D2CA
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0040546D push eax; ret	3_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0040553D push 00405749h; ret	3_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_004055BE push 00405749h; ret	3_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0040563B push 00405749h; ret	3_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_004056A0 push 00405749h; ret	3_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0040F828 push ecx; mov dword ptr [esp], edx	3_2_0040F82A
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00443930 push ecx; mov dword ptr [esp], ecx	3_2_00443934
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00487AF0 push ecx; mov dword ptr [esp], ecx	3_2_00487AF5
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00459B60 push 00459BA4h; ret	3_2_00459B9C
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00497B18 push ecx; mov dword ptr [esp], ecx	3_2_00497B1D
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00479C7C push ecx; mov dword ptr [esp], edx	3_2_00479C7D
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00451FD0 push 00452003h; ret	3_2_00451FFB

Drops PE files

Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-8Q1AL.tmp\_isetup\_setup64.tmp			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

File created: C:\Users\user~1\AppData\Local\Temp\Setup Log 2024-10-30 #001.txt

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0042409C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	3_2_0042409C
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0042409C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	3_2_0042409C
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00422CEC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	3_2_00422CEC
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0042F75C IsIconic,GetWindowLongA,GetWindowLongA,GetActiveWindow,MessageBoxA,SetActiveWindow,GetActiveWindow,MessageBoxA,SetActiveWindow,	3_2_0042F75C
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0041815E IsIconic,SetWindowPos,	3_2_0041815E
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00418160 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	3_2_00418160
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0042466C IsIconic,SetActiveWindow,SetFocus,	3_2_0042466C
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00424624 IsIconic,SetActiveWindow,	3_2_00424624
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00418814 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	3_2_00418814
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00417A28 IsIconic,GetCapture,	3_2_00417A28
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00485CFC IsIconic,GetWindowLongA,ShowWindow,ShowWindow,	3_2_00485CFC

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

3_2_0041F5A8

Source: C:\Users\user\Desktop\Setup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-8Q1AL.tmp\_isetup\_setup64.tmp

Jump to dropped file

Found evasive API chain (date check)

Source: C:\Users\user\Desktop\Setup.exe

Evasive API call chain: GetSystemTime,DecisionNodes

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00476F44 FindFirstFileA,FindNextFileA,FindClose,	3_2_00476F44
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0049AF28 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	3_2_0049AF28
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_004650D0 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	3_2_004650D0
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00453238 FindFirstFileA,GetLastError,	3_2_00453238
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_0046554C SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	3_2_0046554C
Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp	Code function: 3_2_00463B44 FindFirstFileA,FindNextFileA,FindClose,	3_2_00463B44

Source: C:\Users\user\Desktop\Setup.exe

Code function: 1_2_0040A050 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

1_2_0040A050

Source: C:\Users\user\Desktop\Setup.exe

API call chain: ExitProcess graph end node

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\is-0EH0G.tmp\Setup.tmp

Code function: 3_2_00450A28 GetVersion,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,