Windows Analysis Report
Setup.exe

Overview

General Information

Sample name:	Setup.exe
Analysis ID:	1500187
MD5:	cd31545772cdb4e84902f25d3363c58d
SHA1:	88ab168cbfc19785caab11109b4682d3cfcfafae
SHA256:	3c80fd894036f549fb831d271595df775ebaba7d98fdeea579bfae3c9d42ec53
Infos:

Detection

Score:	13
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Installs new ROOT certificates

Creates files inside the driver directory

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Signatures

Uses 32bit PE files

Source: Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore SRInitDone

Source: Setup.exe

Static PE information: certificate valid

Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Drops certificate files (DER)

Source: C:\Windows\System32\drvinst.exe

File created: C:\Windows\System32\DriverStore\Temp\{8c53135d-4d2b-fe49-94ed-d03bab0b35f4}\SETBE72.tmp

Jump to dropped file

Creates files inside the driver directory

Source: C:\Windows\System32\drvinst.exe

File created: C:\Windows\System32\DriverStore\Temp\{8c53135d-4d2b-fe49-94ed-d03bab0b35f4}

Creates files inside the system directory

Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\SysWOW64\SER9ab95.rra
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\SysWOW64\SERSaba5.rra
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\inf\SERSabb4.rra
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\inf\SERWabb4.rra
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\FileRepository\ser2pl.inf_amd64_f8875256a6be18aa
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\drvstore.tmp
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\inf\oem4.inf

Deletes files inside the Windows folder

Source: C:\Windows\System32\drvinst.exe

File deleted: C:\Windows\System32\DriverStore\Temp\{8c53135d-4d2b-fe49-94ed-d03bab0b35f4}\SETBD77.tmp

Uses 32bit PE files

Source: Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: clean13.winEXE@6/36@0/0

Source: C:\Users\user\Desktop\Setup.exe

File created: C:\Program Files (x86)\InstallShield Installation Information\

Source: C:\Users\user\Desktop\Setup.exe	Mutant created: \Sessions\1\BaseNamedObjects\ECC3713C-08A4-40E3-95F1-7D0704F1CE5E
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6372:120:WilError_03

Source: C:\Users\user\Desktop\Setup.exe

File created: C:\Users\user\AppData\Local\Temp\{1FEFAA11-8F3D-4F80-A5E1-443AA44B1895}\

Source: Setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\user\AppData\Local\Temp\{1FEFAA11-8F3D-4F80-A5E1-443AA44B1895}\Disk1\setup.ini

Source: C:\Users\user\Desktop\Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\user\Desktop\Setup.exe

Source: unknown	Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{361795EF-EBB0-40A6-AE64-94AAA21D87EF}
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{361795EF-EBB0-40A6-AE64-94AAA21D87EF}
Source: unknown	Process created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
Source: C:\Windows\System32\SrTasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{254b0c33-77a9-5a4b-be66-7d93eedacb69}\ser2pl.inf" "9" "4b334f3bf" "0000000000000160" "WinSta0\Default" "0000000000000184" "208" "C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\VISTA"

Source: C:\Users\user\Desktop\Setup.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: samcli.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: lz32.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: riched32.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\ISBEW64.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\ISBEW64.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\ISBEW64.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\ISBEW64.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\ISBEW64.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\ISBEW64.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sfc.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: srclient.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: spp.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: vssapi.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: vsstrace.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sxproxy.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: devrtl.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: drvstore.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: spinf.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: spp.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: srclient.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: srcore.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: wer.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: msxml3.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vss_ps.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: drvstore.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sfc.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: srclient.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: spp.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: vssapi.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: vsstrace.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: umpdc.dll

Source: C:\Users\user\Desktop\Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Users\user\Desktop\Setup.exe

File written: C:\Users\user\AppData\Local\Temp\{1FEFAA11-8F3D-4F80-A5E1-443AA44B1895}\setup.ini

Source: C:\Users\user\Desktop\Setup.exe

File opened: C:\Windows\SysWOW64\RICHED32.DLL

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Setup.exe

Static PE information: certificate valid

Source: Setup.exe

Static file information: File size 3176304 > 1048576

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\System32\drvinst.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419 Blob
Source: C:\Windows\System32\drvinst.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419 Blob

Drops PE files

Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{1FEFAA11-8F3D-4F80-A5E1-443AA44B1895}\_Setup.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{8c53135d-4d2b-fe49-94ed-d03bab0b35f4}\SETBD77.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2ac03.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\Temp\QRemabb4.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\ISBE59db.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\Temp\Uninabe3.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\_IsR5a1a.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{1FEFAA11-8F3D-4F80-A5E1-443AA44B1895}\Disk1\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setu598d.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\SysWOW64\SER9ab95.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\Temp\Deleabd4.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\dotn599d.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{1FEFAA11-8F3D-4F80-A5E1-443AA44B1895}\Disk1\ISSetup.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\isrt59eb.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\SysWOW64\SERSaba5.rra	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{8c53135d-4d2b-fe49-94ed-d03bab0b35f4}\SETBD77.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\Temp\QRemabb4.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\Temp\Uninabe3.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\SysWOW64\SER9ab95.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\Temp\Deleabd4.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\SysWOW64\SERSaba5.rra	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\_IsR5a1a.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setu598d.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\dotn599d.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\ISBE59db.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\isrt59eb.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\SysWOW64\SERSaba5.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\Temp\QRemabb4.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\Temp\Deleabd4.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\Temp\Uninabe3.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2ac03.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\SysWOW64\SER9ab95.rra	Jump to dropped file

Creates or modifies windows services

Source: C:\Users\user\Desktop\Setup.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore

Modifies existing windows services

Source: C:\Windows\System32\SrTasks.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP

Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{1FEFAA11-8F3D-4F80-A5E1-443AA44B1895}\_Setup.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{8c53135d-4d2b-fe49-94ed-d03bab0b35f4}\SETBD77.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2ac03.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\QRemabb4.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\Uninabe3.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\_IsR5a1a.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{1FEFAA11-8F3D-4F80-A5E1-443AA44B1895}\Disk1\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setu598d.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\SER9ab95.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\Deleabd4.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\dotn599d.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\isrt59eb.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{1FEFAA11-8F3D-4F80-A5E1-443AA44B1895}\Disk1\ISSetup.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\SERSaba5.rra	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\SrTasks.exe TID: 6360

Thread sleep time: -300000s >= -30000s

Source: C:\Users\user\Desktop\Setup.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Setup.exe	File Volume queried: C:\Windows FullSizeInformation

Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown

Process created: C:\Windows\System32\drvinst.exe drvinst.exe "4" "0" "c:\users\user\appdata\local\temp\{254b0c33-77a9-5a4b-be66-7d93eedacb69}\ser2pl.inf" "9" "4b334f3bf" "0000000000000160" "winsta0\default" "0000000000000184" "208" "c:\users\user\appdata\local\temp\{5d8075f0-4ded-4b0c-b9eb-df1dcd69c020}\{ecc3713c-08a4-40e3-95f1-7d0704f1ce5e}\vista"

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\drvinst.exe

Queries volume information: C:\Windows\System32\DriverStore\Temp\{8c53135d-4d2b-fe49-94ed-d03bab0b35f4}\ser2pl.cat VolumeInformation

Source: C:\Windows\System32\drvinst.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Screenshots

Network Map

⊘No contacted IP infos

Uses 32bit PE files

Source: Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore SRInitDone

Source: Setup.exe

Static PE information: certificate valid

Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Drops certificate files (DER)

Source: C:\Windows\System32\drvinst.exe

File created: C:\Windows\System32\DriverStore\Temp\{8c53135d-4d2b-fe49-94ed-d03bab0b35f4}\SETBE72.tmp

Jump to dropped file

Creates files inside the driver directory

Source: C:\Windows\System32\drvinst.exe

File created: C:\Windows\System32\DriverStore\Temp\{8c53135d-4d2b-fe49-94ed-d03bab0b35f4}

Creates files inside the system directory

Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\SysWOW64\SER9ab95.rra
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\SysWOW64\SERSaba5.rra
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\inf\SERSabb4.rra
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\inf\SERWabb4.rra
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\FileRepository\ser2pl.inf_amd64_f8875256a6be18aa
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\drvstore.tmp
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\inf\oem4.inf

Deletes files inside the Windows folder

Source: C:\Windows\System32\drvinst.exe

File deleted: C:\Windows\System32\DriverStore\Temp\{8c53135d-4d2b-fe49-94ed-d03bab0b35f4}\SETBD77.tmp

Uses 32bit PE files

Source: Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: clean13.winEXE@6/36@0/0

Source: C:\Users\user\Desktop\Setup.exe

File created: C:\Program Files (x86)\InstallShield Installation Information\

Source: C:\Users\user\Desktop\Setup.exe	Mutant created: \Sessions\1\BaseNamedObjects\ECC3713C-08A4-40E3-95F1-7D0704F1CE5E
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6372:120:WilError_03

Source: C:\Users\user\Desktop\Setup.exe

File created: C:\Users\user\AppData\Local\Temp\{1FEFAA11-8F3D-4F80-A5E1-443AA44B1895}\

Source: Setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\user\AppData\Local\Temp\{1FEFAA11-8F3D-4F80-A5E1-443AA44B1895}\Disk1\setup.ini

Source: C:\Users\user\Desktop\Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\user\Desktop\Setup.exe

Source: unknown	Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{361795EF-EBB0-40A6-AE64-94AAA21D87EF}
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{361795EF-EBB0-40A6-AE64-94AAA21D87EF}
Source: unknown	Process created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
Source: C:\Windows\System32\SrTasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{254b0c33-77a9-5a4b-be66-7d93eedacb69}\ser2pl.inf" "9" "4b334f3bf" "0000000000000160" "WinSta0\Default" "0000000000000184" "208" "C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\VISTA"

Source: C:\Users\user\Desktop\Setup.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: samcli.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: lz32.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: riched32.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\ISBEW64.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\ISBEW64.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\ISBEW64.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\ISBEW64.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\ISBEW64.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\ISBEW64.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sfc.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: srclient.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: spp.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: vssapi.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: vsstrace.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sxproxy.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: devrtl.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: drvstore.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: spinf.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: spp.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: srclient.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: srcore.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: wer.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: msxml3.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vss_ps.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: drvstore.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\drvinst.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sfc.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: srclient.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: spp.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: vssapi.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: vsstrace.dll
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: umpdc.dll

Source: C:\Users\user\Desktop\Setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Users\user\Desktop\Setup.exe

File written: C:\Users\user\AppData\Local\Temp\{1FEFAA11-8F3D-4F80-A5E1-443AA44B1895}\setup.ini

Source: C:\Users\user\Desktop\Setup.exe

File opened: C:\Windows\SysWOW64\RICHED32.DLL

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Setup.exe

Static PE information: certificate valid

Source: Setup.exe

Static file information: File size 3176304 > 1048576

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\System32\drvinst.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419 Blob
Source: C:\Windows\System32\drvinst.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419 Blob

Drops PE files

Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{1FEFAA11-8F3D-4F80-A5E1-443AA44B1895}\_Setup.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{8c53135d-4d2b-fe49-94ed-d03bab0b35f4}\SETBD77.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2ac03.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\Temp\QRemabb4.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\ISBE59db.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\Temp\Uninabe3.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\_IsR5a1a.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{1FEFAA11-8F3D-4F80-A5E1-443AA44B1895}\Disk1\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setu598d.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\SysWOW64\SER9ab95.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\Temp\Deleabd4.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\dotn599d.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{1FEFAA11-8F3D-4F80-A5E1-443AA44B1895}\Disk1\ISSetup.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\isrt59eb.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\SysWOW64\SERSaba5.rra	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{8c53135d-4d2b-fe49-94ed-d03bab0b35f4}\SETBD77.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\Temp\QRemabb4.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\Temp\Uninabe3.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\SysWOW64\SER9ab95.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\Temp\Deleabd4.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\SysWOW64\SERSaba5.rra	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\_IsR5a1a.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setu598d.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\dotn599d.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\ISBE59db.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\isrt59eb.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\SysWOW64\SERSaba5.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\Temp\QRemabb4.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\Temp\Deleabd4.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\Temp\Uninabe3.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2ac03.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\SysWOW64\SER9ab95.rra	Jump to dropped file

Creates or modifies windows services

Source: C:\Users\user\Desktop\Setup.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore

Modifies existing windows services

Source: C:\Windows\System32\SrTasks.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP

Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{1FEFAA11-8F3D-4F80-A5E1-443AA44B1895}\_Setup.dll	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{8c53135d-4d2b-fe49-94ed-d03bab0b35f4}\SETBD77.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2ac03.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\QRemabb4.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\Uninabe3.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\_IsR5a1a.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{1FEFAA11-8F3D-4F80-A5E1-443AA44B1895}\Disk1\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setu598d.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\SER9ab95.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\Deleabd4.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\dotn599d.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\isrt59eb.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{1FEFAA11-8F3D-4F80-A5E1-443AA44B1895}\Disk1\ISSetup.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\SERSaba5.rra	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\SrTasks.exe TID: 6360

Thread sleep time: -300000s >= -30000s

Source: C:\Users\user\Desktop\Setup.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Setup.exe	File Volume queried: C:\Windows FullSizeInformation

Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\drvinst.exe

Queries volume information: C:\Windows\System32\DriverStore\Temp\{8c53135d-4d2b-fe49-94ed-d03bab0b35f4}\ser2pl.cat VolumeInformation

Source: C:\Windows\System32\drvinst.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

ID:	1500187
Product:	CloudBasic
Start time:	00:51:37
Start date:	28.08.2024
Sample:	Setup.exe
Cookbook:	defaultwindowsinteractivecookbook.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	cd31545772cdb4e84902f25d3363c58d
SHA1:	88ab168cbfc19785caab11109b4682d3cfcfafae
SHA256:	3c80fd894036f549fb831d271595df775ebaba7d98fdeea579bfae3c9d42ec53
Filetype:	Win32 Executable (generic) a (10002005/4) 95.43%

Name	Type	MD5	SHA1	SHA256
C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\setup.ilg (copy)	Composite Document File V2 Document, Cannot read section info	B0271F22A1434F4C79C8365041529DB4	9570E35DA2CCB102F658937638D97DC5D8ECFE45	429BEA95B855923BD7ECC141EB82E921F8739721B71C00967202CFFBB80B41D0
C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\setup.ini	Generic INItialization configuration [Languages]	BB20D4D87666A94C38ADA9333FF02514	491D7BCCD84367A2C92505EE436C0D5CE1123F18	46A8B4DE883750D4C1E90528EB28EFEEEDE7AF03EE64312BD316607FB4D2AA35
C:\Users\user\AppData\Local\Temp\58f1.rra	Composite Document File V2 Document, Cannot read section info	B0271F22A1434F4C79C8365041529DB4	9570E35DA2CCB102F658937638D97DC5D8ECFE45	429BEA95B855923BD7ECC141EB82E921F8739721B71C00967202CFFBB80B41D0
C:\Users\user\AppData\Local\Temp\{1FEFAA11-8F3D-4F80-A5E1-443AA44B1895}\Disk1\ISSetup.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed	6C48E05107EB494620AB0DC96D3C5B80	E6CED277DE082BD8E2CCBFAD7A1D5CD1E9DB85AB	13223E7FBEB3DAC968DE77E6BE974A36F86DC07884CC0E80EABF8B817CCB4A04
C:\Users\user\AppData\Local\Temp\{1FEFAA11-8F3D-4F80-A5E1-443AA44B1895}\Disk1\data1.cab	InstallShield CAB	59D4BC046AB7A8FA42BEF3AA5E53CB76	5610A400BDBF199F34852321AD0D561E4C2817D1	841CA3AB6ADA891C7510306B8E39DC3247E3AA6F6F4EEFA5C3D615298157F5C8
C:\Users\user\AppData\Local\Temp\{1FEFAA11-8F3D-4F80-A5E1-443AA44B1895}\Disk1\data1.hdr	InstallShield CAB	692062BA1D4DD41C603C4CD60B4DB7A7	742457E7FAB073DCC7F7D862588C33C491F6D7CE	B60781848AFF7279A090175B37F7422B0636EDCB07F0733184C4732EAC29A57B
C:\Users\user\AppData\Local\Temp\{1FEFAA11-8F3D-4F80-A5E1-443AA44B1895}\Disk1\layout.bin	data	7AA2AC4BDE4140892FF86EB0E515B366	51B623CC5F464D8EFB9FB443757FDAF7D4AE2812	F0BE2BCD56A4C9801E1C7D13C8310C1AF1BFE9403CF0468C7E5AFA468653AA0E
C:\Users\user\AppData\Local\Temp\{1FEFAA11-8F3D-4F80-A5E1-443AA44B1895}\Disk1\setup.exe	PE32 executable (GUI) Intel 80386, for MS Windows	6F58A1D8E7B031C6F2A60BA04D1A0B7D	64CED7781DE492D15F0D443FAFFD2D0244B43E56	B7A82904D92B096CB6AB537365F9C7F24B1ECEFAA6EA7974C24E8102B1746F4B
C:\Users\user\AppData\Local\Temp\{1FEFAA11-8F3D-4F80-A5E1-443AA44B1895}\Disk1\setup.ini	Generic INItialization configuration [Languages]	7DB4553B27967AFF463EB36B8EBE76F1	5716E6FD94EEA119CECEB9E74C63B4823B7E65E8	43D30EE20D75E8EF29D7138568540EE23F996D0644EAF6BF4F687B6EED5D3B94
C:\Users\user\AppData\Local\Temp\{1FEFAA11-8F3D-4F80-A5E1-443AA44B1895}\Disk1\setup.inx	data	61017604754AE480DC87F55FFB46C172	13FA83DB2CC7F4EFE058B7F59CBA02D3B4D70956	498467D7110539A60C2B7046CC7DC6670075AFF3C7B45DE2EA7F8ECA74A0BC0C
C:\Users\user\AppData\Local\Temp\{1FEFAA11-8F3D-4F80-A5E1-443AA44B1895}\Disk1\setup.iss	Generic INItialization configuration [File Transfer]	3135E1182A65D6F35F2C8816B9632FE1	DDFDD0934CA14FDCA8620ED3FC88AD53FF215756	D5B137357A90B0A9DA23E8F435C05A39F41EFBEDFA975C55AB27042FCE7EBD6C
C:\Users\user\AppData\Local\Temp\{1FEFAA11-8F3D-4F80-A5E1-443AA44B1895}\_Setup.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	200BEDE8248E5B0B238B8D2C89B92AAF	916A9D3BBF46A808DEC38E66B059E21EDD9F8FB5	0F5F4E003F4666DDC29A6CDD640A7D3B59687DE1CCC54AD0DD30F1B701D7EB6A
C:\Users\user\AppData\Local\Temp\{254b0c33-77a9-5a4b-be66-7d93eedacb69}\SETB5E8.tmp	Windows setup INFormation	0D966D1B1CDDAB3E8C57BD0349EE560F	F5F7A48AB5127A0D989EAC135210B86FB8C3C2AD	C4C1488C9B9F43041E44D252C7CA0F05944C8E321140C92F98685AFFA4F0A718
C:\Users\user\AppData\Local\Temp\{254b0c33-77a9-5a4b-be66-7d93eedacb69}\ser2pl.inf (copy)	Windows setup INFormation	0D966D1B1CDDAB3E8C57BD0349EE560F	F5F7A48AB5127A0D989EAC135210B86FB8C3C2AD	C4C1488C9B9F43041E44D252C7CA0F05944C8E321140C92F98685AFFA4F0A718
C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\ISBE59db.rra	PE32+ executable (GUI) x86-64, for MS Windows	8407FC98EE367CCB196894F7CD218792	6F280CF374FBA172426B8912170B5CBAFE3D88CD	E1890E4EF7FE9C2242E1FA65DA8162687C893D1A025FEF254B827940D03A0D5A
C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\ISBEW64.exe (copy)	PE32+ executable (GUI) x86-64, for MS Windows	8407FC98EE367CCB196894F7CD218792	6F280CF374FBA172426B8912170B5CBAFE3D88CD	E1890E4EF7FE9C2242E1FA65DA8162687C893D1A025FEF254B827940D03A0D5A
C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\core599d.rra	ASCII text, with CRLF line terminators	09D38CECA6A012F4CE5B54F03DB9B21A	01FCB72F22205E406FF9A48C5B98D7B7457D7D98	F6D7BC8CA6550662166F34407968C7D3669613E50E98A4E40BEC1589E74FF5D1
C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\corecomp.ini (copy)	ASCII text, with CRLF line terminators	09D38CECA6A012F4CE5B54F03DB9B21A	01FCB72F22205E406FF9A48C5B98D7B7457D7D98	F6D7BC8CA6550662166F34407968C7D3669613E50E98A4E40BEC1589E74FF5D1
C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\dotn599d.rra	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows	69348C7C4260E37C1C72EDF236995BE1	4665917E3BC0099D410C49496CB9D7DCE08D13F7	F62BE21A12B87BA1A4C45112E05954B1D3F3E69F590A9BF96A91AF62548140E9
C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\dotnetinstaller.exe (copy)	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows	69348C7C4260E37C1C72EDF236995BE1	4665917E3BC0099D410C49496CB9D7DCE08D13F7	F62BE21A12B87BA1A4C45112E05954B1D3F3E69F590A9BF96A91AF62548140E9
C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\DIFx59cc.rra	ASCII text, with CRLF line terminators	10BAA5B67536F4433F37534B9C8BB828	82E5C34B1279AFDA223B639B49078D03C52875F5	1B9FD5C1F18357BD459BE20BFCBF47EE18FA0C5D5CC42F6AED2705D5868B65F4
C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\DIFxData.ini (copy)	ASCII text, with CRLF line terminators	10BAA5B67536F4433F37534B9C8BB828	82E5C34B1279AFDA223B639B49078D03C52875F5	1B9FD5C1F18357BD459BE20BFCBF47EE18FA0C5D5CC42F6AED2705D5868B65F4
C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Font59bc.rra	ASCII text, with CRLF line terminators	00F313E3E007599349A0C4D81C7807C4	F0171F15AAB836A1979D3833E46B5E59E4EA32E0	766EE687D90B0217EB41CB85ACA04375BDC24DB986A33536631F864B7CE1A08A
C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\FontData.ini (copy)	ASCII text, with CRLF line terminators	00F313E3E007599349A0C4D81C7807C4	F0171F15AAB836A1979D3833E46B5E59E4EA32E0	766EE687D90B0217EB41CB85ACA04375BDC24DB986A33536631F864B7CE1A08A
C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Lice597e.rra	ASCII text, with very long lines (943), with CRLF line terminators	1260A753F9166476CBF01DC37323C5CA	6E847542E872C1E6845F85636CEF81F8B989E6AD	E42BC259D9E53697F78B12161DEF93EDABD7A428730191F74BCEBE83D1FF2B17
C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\License.txt (copy)	ASCII text, with very long lines (943), with CRLF line terminators	1260A753F9166476CBF01DC37323C5CA	6E847542E872C1E6845F85636CEF81F8B989E6AD	E42BC259D9E53697F78B12161DEF93EDABD7A428730191F74BCEBE83D1FF2B17
C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setu598d.rra	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	B193567F9C305C820385781BBB18F999	121FC7D94E36D864E8C4F7165344FD1176B795E5	F198F5F84BF93406C31D7B1765BD7D47EF8E44933F946211311E658D4E2A08B7
C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\SetupEx.dll (copy)	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	B193567F9C305C820385781BBB18F999	121FC7D94E36D864E8C4F7165344FD1176B795E5	F198F5F84BF93406C31D7B1765BD7D47EF8E44933F946211311E658D4E2A08B7
C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Stri59eb.rra	ASCII text, with CRLF line terminators	336114FC6AA5D6313F9BD2DE981D5F9E	051D636243226A5E1FEAF06CA3B8E396A14B6576	C2D2139E96BDD9742B2FE1616D56EE3EB7CC397B8BEA58164CAFF68A4A28CC33
C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\StringTable-0009-English.ips (copy)	ASCII text, with CRLF line terminators	336114FC6AA5D6313F9BD2DE981D5F9E	051D636243226A5E1FEAF06CA3B8E396A14B6576	C2D2139E96BDD9742B2FE1616D56EE3EB7CC397B8BEA58164CAFF68A4A28CC33
C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2ac03.rra	PE32 executable (native) Intel 80386, for MS Windows	8B80A722CCE8E16F495FCAEB43D863D1	69D60D569A73A414E896BF724828F1AC45C3D796	37C3AE191E76E5DE4EB789A4ED1C7837F9BD13FABD370B6E403D89664DE87F85
C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2pl.inf (copy)	PE32 executable (native) Intel 80386, for MS Windows	8B80A722CCE8E16F495FCAEB43D863D1	69D60D569A73A414E896BF724828F1AC45C3D796	37C3AE191E76E5DE4EB789A4ED1C7837F9BD13FABD370B6E403D89664DE87F85
C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2pl.sys (copy)	PE32 executable (native) Intel 80386, for MS Windows	8B80A722CCE8E16F495FCAEB43D863D1	69D60D569A73A414E896BF724828F1AC45C3D796	37C3AE191E76E5DE4EB789A4ED1C7837F9BD13FABD370B6E403D89664DE87F85
C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\_IsR5a1a.rra	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed	898515A4AE2FB9D74AE2A905CF82B074	ED751342F4BBD131DE393975E08019EA56355107	ED38584275B7248CE51254BC34FBE247AF641C416660342689D19E6559623B13
C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\_IsRes.dll (copy)	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed	898515A4AE2FB9D74AE2A905CF82B074	ED751342F4BBD131DE393975E08019EA56355107	ED38584275B7248CE51254BC34FBE247AF641C416660342689D19E6559623B13
C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\defa5a0a.rra	RIFF (little-endian) data, palette, 1168 bytes, data size 1028, 256 entries, extra bytes 0x6f66666c	0ABAFE3F69D053494405061DE2629C82	E414B6F1E9EB416B9895012D24110B844F9F56D1	8075162DB275EB52F5D691B15FC0D970CB007F5BECE33CE5DB509EDF51C1F020
C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\default.pal (copy)	RIFF (little-endian) data, palette, 1168 bytes, data size 1028, 256 entries, extra bytes 0x6f66666c	0ABAFE3F69D053494405061DE2629C82	E414B6F1E9EB416B9895012D24110B844F9F56D1	8075162DB275EB52F5D691B15FC0D970CB007F5BECE33CE5DB509EDF51C1F020
C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\isrt.dll (copy)	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed	77A3125A2059F39A9BEF961953A8DB8D	2FFB52F60C570D1D73CAAB095F3784DC8454E5E6	D6CD68FA4468878D8BC045EA518235F7C6CBEBBD525486DDCEC7D1069D83F119
C:\Users\user\AppData\Local\Temp\{5D8075F0-4DED-4B0C-B9EB-DF1DCD69C020}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\isrt59eb.rra	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed	77A3125A2059F39A9BEF961953A8DB8D	2FFB52F60C570D1D73CAAB095F3784DC8454E5E6	D6CD68FA4468878D8BC045EA518235F7C6CBEBBD525486DDCEC7D1069D83F119
C:\Windows\INF\SERSabb4.rra	Windows setup INFormation	575FD26D1590EB326B4686643746F678	B3258A331BC56975C9799F550D056DDF60B5E248	A9FAEBB2C80FC7F8D402F2D39D8660B15E25ED93D0105AB1616F1F2C86640536
C:\Windows\INF\SERWabb4.rra	Generic INItialization configuration [Pro]	B144B2211FE17055EC007B90223CDAD0	20641EE39C6F25198CC27564EB5F02C8D8B52310	826D4E111B9E8608A032061F88718DE63EFCC7BDF5835016F85699E112FB8FFC
C:\Windows\INF\setupapi.dev.log	Generic INItialization configuration [BeginLog]	77C31CC107E0E78E3B5225B27BC1B561	F0D8A00B0D5BAB63B01911FDD2DBCD50B0FC31EC	92D8AE2BD80C48723042045B1718EF3B759F6480CAC72153983E6E8D777207A3
C:\Windows\SysWOW64\SER9PL.sys (copy)	PE32 executable (native) Intel 80386, for MS Windows	A16FB34E56C781DC56BE7492315655B9	E64D883A1437BFF02AB16FEB9D73B9EA44629365	FB5EAF100CD4A82237216D15BFDFD7159F08C537756750B5579E3638839928A0
C:\Windows\SysWOW64\SER9ab95.rra	PE32 executable (native) Intel 80386, for MS Windows	A16FB34E56C781DC56BE7492315655B9	E64D883A1437BFF02AB16FEB9D73B9EA44629365	FB5EAF100CD4A82237216D15BFDFD7159F08C537756750B5579E3638839928A0
C:\Windows\SysWOW64\SERSPL.VXD (copy)	MS-DOS executable, LE executable for MS Windows (VxD)	FBD8C98379A3017D5E0708A816C72A6D	80A0DF1F991281BDEDF54F1ECAFE64FBA3895C17	0FD5E04C73702EF2995A13802BC78EE0EE63BB5E186F9E2EBCCB7832B7E19CD4
C:\Windows\SysWOW64\SERSaba5.rra	MS-DOS executable, LE executable for MS Windows (VxD)	FBD8C98379A3017D5E0708A816C72A6D	80A0DF1F991281BDEDF54F1ECAFE64FBA3895C17	0FD5E04C73702EF2995A13802BC78EE0EE63BB5E186F9E2EBCCB7832B7E19CD4
C:\Windows\System32\DriverStore\Temp\{8c53135d-4d2b-fe49-94ed-d03bab0b35f4}\SETBD77.tmp	PE32+ executable (native) x86-64, for MS Windows	172600C07C64B6C989AEE451994AC18D	53A0160300C3CAF6BF18E976DC9BAD6CB1915770	A21BE5D125F575627197A8729FDC1D582BF7E468A914297D04BB14616C16F41A
C:\Windows\System32\DriverStore\Temp\{8c53135d-4d2b-fe49-94ed-d03bab0b35f4}\SETBE72.tmp	data	93DFE1A6B10DDF5ED0590C61A664EF83	E43351D5B361C72A110C04C1DAAFF8CC954F0739	D294D77424BE49A8ECAA926E35BF428D6B5B85A053192B12C1237D4F80634784
C:\Windows\System32\DriverStore\Temp\{8c53135d-4d2b-fe49-94ed-d03bab0b35f4}\ser2pl.cat (copy)	data	93DFE1A6B10DDF5ED0590C61A664EF83	E43351D5B361C72A110C04C1DAAFF8CC954F0739	D294D77424BE49A8ECAA926E35BF428D6B5B85A053192B12C1237D4F80634784
C:\Windows\System32\DriverStore\Temp\{8c53135d-4d2b-fe49-94ed-d03bab0b35f4}\ser2pl64.sys (copy)	PE32+ executable (native) x86-64, for MS Windows	172600C07C64B6C989AEE451994AC18D	53A0160300C3CAF6BF18E976DC9BAD6CB1915770	A21BE5D125F575627197A8729FDC1D582BF7E468A914297D04BB14616C16F41A
C:\Windows\System32\catroot2\dberr.txt	ASCII text, with CRLF line terminators	CE74EB5A9C4C508A6426B6FEEE5CD00C	234595F2F375287667A17E752F1C8D3087B33AD1	746BCC623BD4AD92BBB103BC31A12FDF4BA29E943CA8C670C5FBF4697F10BA42
C:\Windows\Temp\Deleabd4.rra	PE32 executable (GUI) Intel 80386, for MS Windows	80D740259E177515BB336C8896AD88DC	4F0D9F3BC3DFDEEA7E3C955E194EA91BEBC7C63E	0942A384431F51EB4DA914C79FC312272E427AC3C0ABF8295DB772B09B3C3E77
C:\Windows\Temp\DeleteUSB.exe (copy)	PE32 executable (GUI) Intel 80386, for MS Windows	80D740259E177515BB336C8896AD88DC	4F0D9F3BC3DFDEEA7E3C955E194EA91BEBC7C63E	0942A384431F51EB4DA914C79FC312272E427AC3C0ABF8295DB772B09B3C3E77
C:\Windows\Temp\PLUninst.exe (copy)	PE32 executable (GUI) Intel 80386, for MS Windows	5E4D5AD7D6B97325158F9B208ED6B98B	5EC313FDDDE095811992E9F8E53D8EA1C30FF39E	352F2738D424BAFBC05EBABAFDA9569E65566D70E7789BEC5ADA9453F2EC46C9
C:\Windows\Temp\QRemabb4.rra	PE32 executable (GUI) Intel 80386, for MS Windows	004FA62F61DF14EA8623B474E49921AF	172E6DC513BAC6601F5138048A5C98D3E55A20FF	B382FA026CEE6B59F187B83F1CC846491AE01556B603F4E91803DCF4B9D059AC
C:\Windows\Temp\QRemover.exe (copy)	PE32 executable (GUI) Intel 80386, for MS Windows	004FA62F61DF14EA8623B474E49921AF	172E6DC513BAC6601F5138048A5C98D3E55A20FF	B382FA026CEE6B59F187B83F1CC846491AE01556B603F4E91803DCF4B9D059AC
C:\Windows\Temp\Uninabe3.rra	PE32 executable (GUI) Intel 80386, for MS Windows	5E4D5AD7D6B97325158F9B208ED6B98B	5EC313FDDDE095811992E9F8E53D8EA1C30FF39E	352F2738D424BAFBC05EBABAFDA9569E65566D70E7789BEC5ADA9453F2EC46C9
C:\Windows\Temp\Uninstall.ICO (copy)	PE32 executable (GUI) Intel 80386, for MS Windows	5E4D5AD7D6B97325158F9B208ED6B98B	5EC313FDDDE095811992E9F8E53D8EA1C30FF39E	352F2738D424BAFBC05EBABAFDA9569E65566D70E7789BEC5ADA9453F2EC46C9
C:\Windows\Temp\Uninstall.exe (copy)	PE32 executable (GUI) Intel 80386, for MS Windows	5E4D5AD7D6B97325158F9B208ED6B98B	5EC313FDDDE095811992E9F8E53D8EA1C30FF39E	352F2738D424BAFBC05EBABAFDA9569E65566D70E7789BEC5ADA9453F2EC46C9
C:\Windows\inf\SERSPL.INF (copy)	Windows setup INFormation	575FD26D1590EB326B4686643746F678	B3258A331BC56975C9799F550D056DDF60B5E248	A9FAEBB2C80FC7F8D402F2D39D8660B15E25ED93D0105AB1616F1F2C86640536
C:\Windows\inf\SERWPL.INF (copy)	Generic INItialization configuration [Pro]	B144B2211FE17055EC007B90223CDAD0	20641EE39C6F25198CC27564EB5F02C8D8B52310	826D4E111B9E8608A032061F88718DE63EFCC7BDF5835016F85699E112FB8FFC

Windows Analysis Report
Setup.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Spreading

E-Banking Fraud

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Network Map

Windows Analysis Report Setup.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Spreading

E-Banking Fraud

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Network Map

Windows Analysis Report
Setup.exe