Windows Analysis Report
Setup.exe

Overview

General Information

Sample name: Setup.exe
Analysis ID: 1500192
MD5: cd31545772cdb4e84902f25d3363c58d
SHA1: 88ab168cbfc19785caab11109b4682d3cfcfafae
SHA256: 3c80fd894036f549fb831d271595df775ebaba7d98fdeea579bfae3c9d42ec53

Detection

Score: 24
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Installs new ROOT certificates
PE file has a writeable .text section
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Drops files with a non-matching file extension (content does not match file extension)
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Source: Setup.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Setup.exe Static PE information: certificate valid
Source: Binary string: e:\product\pl2303\tool\windows\driver_source\vista_driver\src_ser2pl_3310140\objfre_wlh_x86\i386\ser2pl.pdb@ source: ser2e859.rra.0.dr
Source: Binary string: c:\CodeBases\isdev\redist\Language Independent\x64\ISBEW64.pdb source: ISBEW64.exe, 00000002.00000002.2351878387.0000000000412000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000002.00000000.2036581102.0000000000412000.00000002.00000001.01000000.0000000B.sdmp, ISBE8b26.rra.0.dr
Source: Binary string: e:\product\pl2303\tool\windows\driver_source\vista_driver\src_ser2pl_3310140\objfre_wlh_amd64\amd64\ser2pl64.pdb source: Setup.exe, 00000000.00000003.2341610766.00000000049EB000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2345502028.000000000511E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2289082751.0000024ECB30D000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2296029510.0000024ECB351000.00000004.00000020.00020000.00000000.sdmp, ser2e869.rra.0.dr, SETEE54.tmp.10.dr, SETE963.tmp.0.dr
Source: Binary string: e:\product\pl2303\tool\windows\driver_source\vista_driver\src_ser2pl_3310140\objfre_wlh_x86\i386\ser2pl.pdb source: ser2e859.rra.0.dr
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData Jump to behavior
Source: Setup.exe, _IsR8b64.rra.0.dr, _Setup.dll0.0.dr, _Sete701.rra.0.dr, dotn8b06.rra.0.dr, ISBE8b26.rra.0.dr, isrt8b45.rra.0.dr, _Setup.dll.0.dr String found in binary or memory: http://crl.thawte.com/ThawteCodeSigningCA.crl0
Source: Setup.exe, _IsR8b64.rra.0.dr, _Setup.dll0.0.dr, _Sete701.rra.0.dr, dotn8b06.rra.0.dr, ISBE8b26.rra.0.dr, isrt8b45.rra.0.dr, _Setup.dll.0.dr String found in binary or memory: http://crl.thawte.com/ThawtePremiumServerCA.crl0
Source: datae684.rra.0.dr String found in binary or memory: http://deviis4.installshield.com/NetNirvana/
Source: Setup.exe String found in binary or memory: http://deviis4.installshield.com/NetNirvana/data2.cabDisk1
Source: Setup.exe, _IsR8b64.rra.0.dr, _Setup.dll0.0.dr, _Sete701.rra.0.dr, dotn8b06.rra.0.dr, ISBE8b26.rra.0.dr, isrt8b45.rra.0.dr, _Setup.dll.0.dr String found in binary or memory: http://ocsp.thawte.com0
Source: Setup.exe, 00000000.00000002.2466566861.00000000006A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.installshield.com/isetup/ProErrorC
Source: setup.exe.0.dr, setup.ini0.0.dr String found in binary or memory: http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d
Source: Setup.exe, 00000000.00000002.2466721472.000000000072E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2464974381.000000000072B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.intallshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d
Source: Setup.exe, _IsR8b64.rra.0.dr, _Setup.dll0.0.dr, _Sete701.rra.0.dr, dotn8b06.rra.0.dr, ISBE8b26.rra.0.dr, isrt8b45.rra.0.dr, _Setup.dll.0.dr String found in binary or memory: http://www.macrovision.com0
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{db8292e7-9182-634b-bd0b-24ec6dd32e91}\ser2pl.cat (copy) Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{70b83d36-4fd5-fd40-b014-79cd26fdf766}\ser2pl.cat (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2pl.cat (copy) Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{70b83d36-4fd5-fd40-b014-79cd26fdf766}\SETEEB3.tmp Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{db8292e7-9182-634b-bd0b-24ec6dd32e91}\SETE9B2.tmp Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2e849.rra Jump to dropped file

System Summary

Source: ISSetup.dll.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: isrt8b45.rra.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: _IsR8b64.rra.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ISSee730.rra.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{70b83d36-4fd5-fd40-b014-79cd26fdf766} Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Windows\SysWOW64\SER9e7cc.rra Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Windows\SysWOW64\SERSe7dc.rra Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Windows\inf\SERSe7ec.rra Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Windows\inf\SERWe7ec.rra Jump to behavior
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\FileRepository\ser2pl.inf_amd64_f8875256a6be18aa Jump to behavior
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\drvstore.tmp Jump to behavior
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\inf\oem4.inf Jump to behavior
Source: C:\Windows\System32\drvinst.exe File deleted: C:\Windows\System32\DriverStore\Temp\{70b83d36-4fd5-fd40-b014-79cd26fdf766}\SETEE54.tmp Jump to behavior
Source: _Setup.dll0.0.dr Static PE information: No import functions for PE file found
Source: _Setup.dll.0.dr Static PE information: No import functions for PE file found
Source: _Sete701.rra.0.dr Static PE information: No import functions for PE file found
Source: Setup.exe, 00000000.00000003.2341610766.00000000049EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSER2PL64.SYSh$ vs Setup.exe
Source: Setup.exe, 00000000.00000003.2345502028.000000000511E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSER2PL64.SYSh$ vs Setup.exe
Source: Setup.exe, 00000000.00000003.2035310591.00000000041D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameISRT.dllz+ vs Setup.exe
Source: Setup.exe, 00000000.00000003.2034434785.00000000041DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSetupEx.dllZ vs Setup.exe
Source: Setup.exe, 00000000.00000003.2034750165.00000000041DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedotnetinstaller.exeD vs Setup.exe
Source: Setup.exe, 00000000.00000003.2035056685.00000000041DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameISBEW64.exez+ vs Setup.exe
Source: Setup.exe Binary or memory string: OriginalFilenameiKernel.dllz+ vs Setup.exe
Source: Setup.exe Binary or memory string: OriginalFilename_setup2k.dllz+ vs Setup.exe
Source: ISSetup.dll.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: isrt8b45.rra.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: _IsR8b64.rra.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ISSee730.rra.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: SER9e7cc.rra.0.dr Binary string: \DosDevices\USBCOM-0\Device\SerialPort0U
Source: SETE963.tmp.0.dr Binary string: \Device\ProlificSerial
Source: ser2e859.rra.0.dr Binary string: %ws%d\Device\ProlificSerialWdfDeviceInitAssignWdmIrpPreprocessCallback failed %X
Source: classification engine Classification label: sus24.winEXE@6/91@0/0
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Program Files (x86)\InstallShield Installation Information\ Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Mutant created: \Sessions\1\BaseNamedObjects\ECC3713C-08A4-40E3-95F1-7D0704F1CE5E
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8076:120:WilError_03
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{778FCF74-FE94-4145-9E73-38A3FDF64CF5}\ Jump to behavior
Source: Setup.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Setup.exe File read: C:\Users\user\AppData\Local\Temp\{778FCF74-FE94-4145-9E73-38A3FDF64CF5}\Disk1\setup.ini Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Setup.exe String found in binary or memory: The Side by Side media/install options
Source: Setup.exe String found in binary or memory: The Side by Side media options&The Side by Side media/install options
Source: Setup.exe String found in binary or memory: %s-installationsprogrammet forbereder InstallShield Wizard, som vil f
Source: C:\Users\user\Desktop\Setup.exe File read: C:\Users\user\Desktop\Setup.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{11912180-FEB4-44CD-AFBE-10E73F62322C}
Source: unknown Process created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
Source: C:\Windows\System32\SrTasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{db8292e7-9182-634b-bd0b-24ec6dd32e91}\ser2pl.inf" "9" "4da2256ef" "000000000000015C" "WinSta0\Default" "0000000000000170" "208" "C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\VISTA"
Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{11912180-FEB4-44CD-AFBE-10E73F62322C} Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: lz32.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: riched32.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: srclient.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: spp.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: sxproxy.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: devrtl.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: drvstore.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: spinf.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: srclient.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: spp.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\ISBEW64.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\ISBEW64.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\ISBEW64.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\ISBEW64.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\ISBEW64.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\ISBEW64.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\SrTasks.exe Section loaded: spp.dll Jump to behavior
Source: C:\Windows\System32\SrTasks.exe Section loaded: srclient.dll Jump to behavior
Source: C:\Windows\System32\SrTasks.exe Section loaded: srcore.dll Jump to behavior
Source: C:\Windows\System32\SrTasks.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\SrTasks.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\SrTasks.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\SrTasks.exe Section loaded: ktmw32.dll Jump to behavior
Source: C:\Windows\System32\SrTasks.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\SrTasks.exe Section loaded: wer.dll Jump to behavior
Source: C:\Windows\System32\SrTasks.exe Section loaded: bcd.dll Jump to behavior
Source: C:\Windows\System32\SrTasks.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\System32\SrTasks.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\SrTasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\SrTasks.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\SrTasks.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Windows\System32\SrTasks.exe Section loaded: msxml3.dll Jump to behavior
Source: C:\Windows\System32\SrTasks.exe Section loaded: vss_ps.dll Jump to behavior
Source: C:\Windows\System32\drvinst.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\drvinst.exe Section loaded: devrtl.dll Jump to behavior
Source: C:\Windows\System32\drvinst.exe Section loaded: drvstore.dll Jump to behavior
Source: C:\Windows\System32\drvinst.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\drvinst.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\drvinst.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\drvinst.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\drvinst.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\drvinst.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File written: C:\Users\user\AppData\Local\Temp\{778FCF74-FE94-4145-9E73-38A3FDF64CF5}\Disk1\setup.ini Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Windows\SysWOW64\RICHED32.DLL Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Setup.exe Static file information: File size 3176304 > 1048576
Source: initial sample Static PE information: section where entry point is pointing to: .rsrc
Source: ser2e859.rra.0.dr Static PE information: section name: PAGESER
Source: ser2e859.rra.0.dr Static PE information: section name: PAGESRP0
Source: ser2e869.rra.0.dr Static PE information: section name: PAGESRP0
Source: ser2e869.rra.0.dr Static PE information: section name: PAGESER
Source: SETE963.tmp.0.dr Static PE information: section name: PAGESRP0
Source: SETE963.tmp.0.dr Static PE information: section name: PAGESER
Source: SER9e7cc.rra.0.dr Static PE information: section name: PNP
Source: SETEE54.tmp.10.dr Static PE information: section name: PAGESRP0
Source: SETEE54.tmp.10.dr Static PE information: section name: PAGESER
Source: ISSetup.dll.0.dr Static PE information: section name: .text entropy: 7.978118582994391
Source: isrt8b45.rra.0.dr Static PE information: section name: .text entropy: 7.973511527762974
Source: _IsR8b64.rra.0.dr Static PE information: section name: .text entropy: 7.961342174586094
Source: ISSee730.rra.0.dr Static PE information: section name: .text entropy: 7.978118582994391

Persistence and Installation Behavior

Source: C:\Windows\System32\drvinst.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419 Blob Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Windows\SysWOW64\SER9e7cc.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\setup.exe (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\SetupEx.dll (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2pl.sys (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Windows\Temp\Unine82a.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2e859.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{db8292e7-9182-634b-bd0b-24ec6dd32e91}\SETE963.tmp Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\_IsR8b64.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\ISSee730.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{db8292e7-9182-634b-bd0b-24ec6dd32e91}\ser2pl64.sys (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\dotn8b06.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\ISBE8b26.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\isrt8b45.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{778FCF74-FE94-4145-9E73-38A3FDF64CF5}\Disk1\setup.exe Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\_Sete701.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Windows\Temp\QReme7fb.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\isrt.dll (copy) Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{70b83d36-4fd5-fd40-b014-79cd26fdf766}\ser2pl64.sys (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\setue6d2.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setu8ae7.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2pl.inf (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\ISBEW64.exe (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\dotnetinstaller.exe (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Windows\SysWOW64\SERSPL.VXD (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Windows\Temp\Uninstall.ICO (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{778FCF74-FE94-4145-9E73-38A3FDF64CF5}\Disk1\_Setup.dll Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Windows\SysWOW64\SER9PL.sys (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Windows\SysWOW64\SERSe7dc.rra Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{70b83d36-4fd5-fd40-b014-79cd26fdf766}\SETEE54.tmp Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{778FCF74-FE94-4145-9E73-38A3FDF64CF5}\_Setup.dll Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\_IsRes.dll (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Windows\Temp\PLUninst.exe (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Windows\Temp\DeleteUSB.exe (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\_Setup.dll (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\ISSetup.dll (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Windows\Temp\QRemover.exe (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2pl64.sys (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{778FCF74-FE94-4145-9E73-38A3FDF64CF5}\Disk1\ISSetup.dll Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2e869.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Windows\Temp\Delee81a.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Windows\Temp\Uninstall.exe (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Windows\SysWOW64\SER9e7cc.rra Jump to dropped file
Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{70b83d36-4fd5-fd40-b014-79cd26fdf766}\ser2pl64.sys (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Windows\Temp\Unine82a.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Windows\SysWOW64\SERSPL.VXD (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Windows\Temp\Uninstall.ICO (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Windows\Temp\QReme7fb.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2e859.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setu8ae7.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\dotn8b06.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\ISBE8b26.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\isrt8b45.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\_IsR8b64.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\setue6d2.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\_Sete701.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe File created: C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\ISSee730.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore Jump to behavior
Source: C:\Windows\System32\SrTasks.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\drvinst.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\SER9e7cc.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\setup.exe (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\SetupEx.dll (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2pl.sys (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Windows\Temp\Unine82a.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2e859.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\_IsR8b64.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{db8292e7-9182-634b-bd0b-24ec6dd32e91}\SETE963.tmp Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\ISSee730.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{db8292e7-9182-634b-bd0b-24ec6dd32e91}\ser2pl64.sys (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\dotn8b06.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\isrt8b45.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{778FCF74-FE94-4145-9E73-38A3FDF64CF5}\Disk1\setup.exe Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\_Sete701.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Windows\Temp\QReme7fb.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\isrt.dll (copy) Jump to dropped file
Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{70b83d36-4fd5-fd40-b014-79cd26fdf766}\ser2pl64.sys (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2pl.inf (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\setue6d2.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setu8ae7.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\dotnetinstaller.exe (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\SERSPL.VXD (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Windows\Temp\Uninstall.ICO (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\SER9PL.sys (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{778FCF74-FE94-4145-9E73-38A3FDF64CF5}\Disk1\_Setup.dll Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\SERSe7dc.rra Jump to dropped file
Source: C:\Windows\System32\drvinst.exe Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{70b83d36-4fd5-fd40-b014-79cd26fdf766}\SETEE54.tmp Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{778FCF74-FE94-4145-9E73-38A3FDF64CF5}\_Setup.dll Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Windows\Temp\PLUninst.exe (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\_IsRes.dll (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Windows\Temp\DeleteUSB.exe (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\_Setup.dll (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\ISSetup.dll (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2pl64.sys (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Windows\Temp\QRemover.exe (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Windows\Temp\Uninstall.exe (copy) Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2e869.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Windows\Temp\Delee81a.rra Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{778FCF74-FE94-4145-9E73-38A3FDF64CF5}\Disk1\ISSetup.dll Jump to dropped file
Source: C:\Windows\System32\SrTasks.exe TID: 8064 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File Volume queried: C:\Windows FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe File opened: C:\Users\user\AppData Jump to behavior
Source: setupapi.dev.log.0.dr Binary or memory string: set: BIOS Vendor: VMware, Inc.
Source: setupapi.dev.log.0.dr Binary or memory string: sig: Key = vmci.inf
Source: setupapi.dev.log.0.dr Binary or memory string: dvs: {Driver Setup Import Driver Package: C:\Windows\SoftwareDistribution\Download\Install\vmci.inf} 11:48:39.178
Source: setupapi.dev.log.0.dr Binary or memory string: idb: Activating driver package 'vmci.inf_amd64_68ed49469341f563'.
Source: setupapi.dev.log.0.dr Binary or memory string: cpy: Published 'vmci.inf_amd64_68ed49469341f563\vmci.inf' to 'oem2.inf'.
Source: setupapi.dev.log.0.dr Binary or memory string: inf: {Add Service: vmci}
Source: setupapi.dev.log.0.dr Binary or memory string: inf: Created new service 'vmci'.
Source: setupapi.dev.log.0.dr Binary or memory string: inf: Display Name = VMware VMCI Bus Driver
Source: setupapi.dev.log.0.dr Binary or memory string: set: PCI\VEN_15AD&DEV_0740&SUBSYS_074015AD&REV_10\3&61AAA01&0&3F -> Configured [oem2.inf:PCI\VEN_15AD&DEV_0740&SUBSYS_074015AD,vmci.install.x64.NT] and started (ConfigFlags = 0x00000000).
Source: setupapi.dev.log.0.dr Binary or memory string: inf: Service Name = vmci
Source: setupapi.dev.log.0.dr Binary or memory string: set: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000 -> Configured [disk.inf:GenDisk,disk_install.NT] and started (ConfigFlags = 0x00000000).
Source: SrTasks.exe, 00000007.00000003.2372431710.00000286EF786000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: WORKGROUPar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: setupapi.dev.log.0.dr Binary or memory string: idb: {Publish Driver Package: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf} 11:48:39.707
Source: setupapi.dev.log.0.dr Binary or memory string: idb: Indexed 4 device IDs for 'vmci.inf_amd64_68ed49469341f563'.
Source: setupapi.dev.log.0.dr Binary or memory string: utl: Driver INF - oem2.inf (C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf)
Source: setupapi.dev.log.0.dr Binary or memory string: set: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000 -> Configured [cdrom.inf:GenCdRom,cdrom_install] and started (ConfigFlags = 0x00000000).
Source: setupapi.dev.log.0.dr Binary or memory string: set: System Product Name: VMware20,1
Source: setupapi.dev.log.0.dr Binary or memory string: sto: {Configure Driver Package: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf}
Source: SrTasks.exe, 00000007.00000003.2348991064.00000286EF7D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:88
Source: Setup.exe, 00000000.00000003.2352391615.0000000000772000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: BeID_8VMWar&Prod_VMware_SATA_CD004&22{
Source: setupapi.dev.log.0.dr Binary or memory string: sto: {Stage Driver Package: C:\Windows\SoftwareDistribution\Download\Install\vmci.inf} 11:48:39.634
Source: setupapi.dev.log.0.dr Binary or memory string: sig: Installed catalog 'vmci.cat' as 'oem2.cat'.
Source: setupapi.dev.log.0.dr Binary or memory string: cpy: Target Path = C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563
Source: setupapi.dev.log.0.dr Binary or memory string: flq: Copying 'C:\Windows\SoftwareDistribution\Download\Install\vmci.inf' to 'C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.inf'.
Source: SrTasks.exe, 00000007.00000003.2299050344.00000286EF7D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: setupapi.dev.log.0.dr Binary or memory string: sig: FilePath = C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.inf
Source: setupapi.dev.log.0.dr Binary or memory string: inf: {Configure Driver Configuration: vmci.install.x64.NT}
Source: setupapi.dev.log.0.dr Binary or memory string: idb: Created driver package object 'vmci.inf_amd64_68ed49469341f563' in SYSTEM database node.
Source: setupapi.dev.log.0.dr Binary or memory string: inf: Image Path = System32\drivers\vmci.sys
Source: setupapi.dev.log.0.dr Binary or memory string: flq: Copying 'C:\Windows\SoftwareDistribution\Download\Install\vmci.cat' to 'C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.cat'.
Source: setupapi.dev.log.0.dr Binary or memory string: sig: Catalog = C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.cat
Source: setupapi.dev.log.0.dr Binary or memory string: inf: Section Name = vmci.install.x64.NT
Source: setupapi.dev.log.0.dr Binary or memory string: flq: Copying 'C:\Windows\SoftwareDistribution\Download\Install\vmci.sys' to 'C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.sys'.
Source: setupapi.dev.log.0.dr Binary or memory string: idb: Registered driver package 'vmci.inf_amd64_68ed49469341f563' with 'oem2.inf'.
Source: setupapi.dev.log.0.dr Binary or memory string: inf: Driver package 'vmci.inf' is configurable.
Source: setupapi.dev.log.0.dr Binary or memory string: inf: {Configure Driver: VMware VMCI Bus Device}
Source: SrTasks.exe, 00000007.00000002.2373414188.00000286EF7CA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: setupapi.dev.log.0.dr Binary or memory string: inf: {Query Configurability: C:\Windows\SoftwareDistribution\Download\Install\vmci.inf} 11:48:39.636
Source: setupapi.dev.log.0.dr Binary or memory string: sto: {Core Driver Package Import: vmci.inf_amd64_68ed49469341f563} 11:48:39.704
Source: setupapi.dev.log.0.dr Binary or memory string: idb: {Register Driver Package: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf} 11:48:39.707
Source: setupapi.dev.log.0.dr Binary or memory string: flq: Copying 'C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.sys' to 'C:\Windows\System32\drivers\vmci.sys'.
Source: setupapi.dev.log.0.dr Binary or memory string: set: System Manufacturer: VMware, Inc.
Source: unknown Process created: C:\Windows\System32\drvinst.exe drvinst.exe "4" "0" "c:\users\user\appdata\local\temp\{db8292e7-9182-634b-bd0b-24ec6dd32e91}\ser2pl.inf" "9" "4da2256ef" "000000000000015c" "winsta0\default" "0000000000000170" "208" "c:\users\user\appdata\local\temp\{90526762-4976-408d-b1ee-8dd48247745c}\{ecc3713c-08a4-40e3-95f1-7d0704f1ce5e}\vista"
Source: Setup.exe, ISSetup.dll.0.dr, ISSee730.rra.0.dr Binary or memory string: ?OPTYPE_PROGMAN_FIELDSWWW
Source: 87f9.rra.0.dr Binary or memory string: OPTYPE_PROGMAN
Source: Setup.exe, 00000000.00000002.2466805968.0000000000755000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2465529856.0000000000753000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2465120267.000000000074D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: B2OPTYPE_PROGMANR>901-00105A088FC}F
Source: Setup.exe, 00000000.00000003.2352441868.0000000000777000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2353384940.000000000077C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2352391615.0000000000772000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: BOPTYPE_PROGMAN\
Source: C:\Windows\System32\drvinst.exe Queries volume information: C:\Windows\System32\DriverStore\Temp\{70b83d36-4fd5-fd40-b014-79cd26fdf766}\ser2pl.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\drvinst.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
No contacted IP infos