Edit tour

Windows Analysis Report
Setup.exe

Overview

General Information

Sample name:	Setup.exe
Analysis ID:	1500192
MD5:	cd31545772cdb4e84902f25d3363c58d
SHA1:	88ab168cbfc19785caab11109b4682d3cfcfafae
SHA256:	3c80fd894036f549fb831d271595df775ebaba7d98fdeea579bfae3c9d42ec53
Infos:

Detection

Score:	24
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

Installs new ROOT certificates

PE file has a writeable .text section

Creates files inside the driver directory

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Drops files with a non-matching file extension (content does not match file extension)

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

Setup.exe (PID: 7320 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: CD31545772CDB4E84902F25D3363C58D)

ISBEW64.exe (PID: 7428 cmdline: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{11912180-FEB4-44CD-AFBE-10E73F62322C} MD5: 8407FC98EE367CCB196894F7CD218792)

SrTasks.exe (PID: 8060 cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1 MD5: 2694D2D28C368B921686FE567BD319EB)

conhost.exe (PID: 8076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

drvinst.exe (PID: 8180 cmdline: DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{db8292e7-9182-634b-bd0b-24ec6dd32e91}\ser2pl.inf" "9" "4da2256ef" "000000000000015C" "WinSta0\Default" "0000000000000170" "208" "C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\VISTA" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)

cleanup

Process created: C:\Windows\System32\drvinst.exe drvinst.exe "4" "0" "c:\users\user\appdata\local\temp\{db8292e7-9182-634b-bd0b-24ec6dd32e91}\ser2pl.inf" "9" "4da2256ef" "000000000000015c" "winsta0\default" "0000000000000170" "208" "c:\users\user\appdata\local\temp\{90526762-4976-408d-b1ee-8dd48247745c}\{ecc3713c-08a4-40e3-95f1-7d0704f1ce5e}\vista"

Source: Setup.exe, ISSetup.dll.0.dr, ISSee730.rra.0.dr	Binary or memory string: ?OPTYPE_PROGMAN_FIELDSWWW
Source: 87f9.rra.0.dr	Binary or memory string: OPTYPE_PROGMAN
Source: Setup.exe, 00000000.00000002.2466805968.0000000000755000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2465529856.0000000000753000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2465120267.000000000074D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: B2OPTYPE_PROGMANR>901-00105A088FC}F
Source: Setup.exe, 00000000.00000003.2352441868.0000000000777000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2353384940.000000000077C000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2352391615.0000000000772000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: BOPTYPE_PROGMAN\

Source: C:\Windows\System32\drvinst.exe

Queries volume information: C:\Windows\System32\DriverStore\Temp\{70b83d36-4fd5-fd40-b014-79cd26fdf766}\ser2pl.cat VolumeInformation

Jump to behavior

Source: C:\Windows\System32\drvinst.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Command and Scripting Interpreter	2 Windows Service	2 Windows Service	41 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	2 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	2 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Install Root Certificate	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Setup.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\ISSee730.rra	0%	ReversingLabs
C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\ISSetup.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\_Sete701.rra	0%	ReversingLabs
C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\_Setup.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\setue6d2.rra	0%	ReversingLabs
C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\setup.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{778FCF74-FE94-4145-9E73-38A3FDF64CF5}\Disk1\ISSetup.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{778FCF74-FE94-4145-9E73-38A3FDF64CF5}\Disk1\_Setup.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{778FCF74-FE94-4145-9E73-38A3FDF64CF5}\Disk1\setup.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{778FCF74-FE94-4145-9E73-38A3FDF64CF5}\_Setup.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\ISBE8b26.rra	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\ISBEW64.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\dotn8b06.rra	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\dotnetinstaller.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setu8ae7.rra	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\SetupEx.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2e859.rra	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2e869.rra	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2pl.inf (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2pl.sys (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2pl64.sys (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\_IsR8b64.rra	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\_IsRes.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\isrt.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\isrt8b45.rra	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{db8292e7-9182-634b-bd0b-24ec6dd32e91}\SETE963.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{db8292e7-9182-634b-bd0b-24ec6dd32e91}\ser2pl64.sys (copy)	0%	ReversingLabs
C:\Windows\SysWOW64\SER9PL.sys (copy)	0%	ReversingLabs
C:\Windows\SysWOW64\SER9e7cc.rra	0%	ReversingLabs
C:\Windows\SysWOW64\SERSPL.VXD (copy)	0%	ReversingLabs
C:\Windows\SysWOW64\SERSe7dc.rra	0%	ReversingLabs
C:\Windows\System32\DriverStore\Temp\{70b83d36-4fd5-fd40-b014-79cd26fdf766}\SETEE54.tmp	0%	ReversingLabs
C:\Windows\System32\DriverStore\Temp\{70b83d36-4fd5-fd40-b014-79cd26fdf766}\ser2pl64.sys (copy)	0%	ReversingLabs
C:\Windows\Temp\Delee81a.rra	0%	ReversingLabs
C:\Windows\Temp\DeleteUSB.exe (copy)	0%	ReversingLabs
C:\Windows\Temp\PLUninst.exe (copy)	2%	ReversingLabs
C:\Windows\Temp\QReme7fb.rra	2%	ReversingLabs
C:\Windows\Temp\QRemover.exe (copy)	2%	ReversingLabs
C:\Windows\Temp\Unine82a.rra	2%	ReversingLabs
C:\Windows\Temp\Uninstall.ICO (copy)	2%	ReversingLabs
C:\Windows\Temp\Uninstall.exe (copy)	2%	ReversingLabs

Source	Detection	Scanner	Label
http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://deviis4.installshield.com/NetNirvana/	0%	Avira URL Cloud	safe
http://deviis4.installshield.com/NetNirvana/data2.cabDisk1	0%	Avira URL Cloud	safe
http://www.installshield.com/isetup/ProErrorC	0%	Avira URL Cloud	safe
http://crl.thawte.com/ThawtePremiumServerCA.crl0	0%	Avira URL Cloud	safe
http://www.intallshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d	0%	Avira URL Cloud	safe
http://www.macrovision.com0	0%	Avira URL Cloud	safe
http://crl.thawte.com/ThawteCodeSigningCA.crl0	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://deviis4.installshield.com/NetNirvana/	datae684.rra.0.dr	false	Avira URL Cloud: safe	unknown
http://deviis4.installshield.com/NetNirvana/data2.cabDisk1	Setup.exe	false	Avira URL Cloud: safe	unknown
http://www.macrovision.com0	Setup.exe, _IsR8b64.rra.0.dr, _Setup.dll0.0.dr, _Sete701.rra.0.dr, dotn8b06.rra.0.dr, ISBE8b26.rra.0.dr, isrt8b45.rra.0.dr, _Setup.dll.0.dr	false	Avira URL Cloud: safe	unknown
http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d	setup.exe.0.dr, setup.ini0.0.dr	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawtePremiumServerCA.crl0	Setup.exe, _IsR8b64.rra.0.dr, _Setup.dll0.0.dr, _Sete701.rra.0.dr, dotn8b06.rra.0.dr, ISBE8b26.rra.0.dr, isrt8b45.rra.0.dr, _Setup.dll.0.dr	false	Avira URL Cloud: safe	unknown
http://www.installshield.com/isetup/ProErrorC	Setup.exe, 00000000.00000002.2466566861.00000000006A0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	Setup.exe, _IsR8b64.rra.0.dr, _Setup.dll0.0.dr, _Sete701.rra.0.dr, dotn8b06.rra.0.dr, ISBE8b26.rra.0.dr, isrt8b45.rra.0.dr, _Setup.dll.0.dr	false	URL Reputation: safe	unknown
http://www.intallshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d	Setup.exe, 00000000.00000002.2466721472.000000000072E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2464974381.000000000072B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteCodeSigningCA.crl0	Setup.exe, _IsR8b64.rra.0.dr, _Setup.dll0.0.dr, _Sete701.rra.0.dr, dotn8b06.rra.0.dr, ISBE8b26.rra.0.dr, isrt8b45.rra.0.dr, _Setup.dll.0.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1500192
Start date and time:	2024-08-28 00:55:43 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Setup.exe
Detection:	SUS
Classification:	sus24.winEXE@6/91@0/0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, VSSVC.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, crl.verisign.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Setup.exe

Simulations

Behavior and APIs

Time	Type	Description
18:56:57	API Interceptor	30x Sleep call for process: SrTasks.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\ISSee730.rra	https://static.tp-link.com/2021/202104/20210402/Archer%20T4U%20Plus(CA)_V1_Win10_210325.zip	Get hash	malicious	GuLoader	Browse
C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\ISSetup.dll (copy)	https://static.tp-link.com/2021/202104/20210402/Archer%20T4U%20Plus(CA)_V1_Win10_210325.zip	Get hash	malicious	GuLoader	Browse

Source:	Binary string: e:\product\pl2303\tool\windows\driver_source\vista_driver\src_ser2pl_3310140\objfre_wlh_x86\i386\ser2pl.pdb@ source: ser2e859.rra.0.dr
Source:	Binary string: c:\CodeBases\isdev\redist\Language Independent\x64\ISBEW64.pdb source: ISBEW64.exe, 00000002.00000002.2351878387.0000000000412000.00000002.00000001.01000000.0000000B.sdmp, ISBEW64.exe, 00000002.00000000.2036581102.0000000000412000.00000002.00000001.01000000.0000000B.sdmp, ISBE8b26.rra.0.dr
Source:	Binary string: e:\product\pl2303\tool\windows\driver_source\vista_driver\src_ser2pl_3310140\objfre_wlh_amd64\amd64\ser2pl64.pdb source: Setup.exe, 00000000.00000003.2341610766.00000000049EB000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2345502028.000000000511E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2289082751.0000024ECB30D000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000A.00000003.2296029510.0000024ECB351000.00000004.00000020.00020000.00000000.sdmp, ser2e869.rra.0.dr, SETEE54.tmp.10.dr, SETE963.tmp.0.dr
Source:	Binary string: e:\product\pl2303\tool\windows\driver_source\vista_driver\src_ser2pl_3310140\objfre_wlh_x86\i386\ser2pl.pdb source: ser2e859.rra.0.dr

Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: Setup.exe, _IsR8b64.rra.0.dr, _Setup.dll0.0.dr, _Sete701.rra.0.dr, dotn8b06.rra.0.dr, ISBE8b26.rra.0.dr, isrt8b45.rra.0.dr, _Setup.dll.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteCodeSigningCA.crl0
Source: Setup.exe, _IsR8b64.rra.0.dr, _Setup.dll0.0.dr, _Sete701.rra.0.dr, dotn8b06.rra.0.dr, ISBE8b26.rra.0.dr, isrt8b45.rra.0.dr, _Setup.dll.0.dr	String found in binary or memory: http://crl.thawte.com/ThawtePremiumServerCA.crl0
Source: datae684.rra.0.dr	String found in binary or memory: http://deviis4.installshield.com/NetNirvana/
Source: Setup.exe	String found in binary or memory: http://deviis4.installshield.com/NetNirvana/data2.cabDisk1
Source: Setup.exe, _IsR8b64.rra.0.dr, _Setup.dll0.0.dr, _Sete701.rra.0.dr, dotn8b06.rra.0.dr, ISBE8b26.rra.0.dr, isrt8b45.rra.0.dr, _Setup.dll.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: Setup.exe, 00000000.00000002.2466566861.00000000006A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.installshield.com/isetup/ProErrorC
Source: setup.exe.0.dr, setup.ini0.0.dr	String found in binary or memory: http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d
Source: Setup.exe, 00000000.00000002.2466721472.000000000072E000.00000004.00000020.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2464974381.000000000072B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.intallshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d
Source: Setup.exe, _IsR8b64.rra.0.dr, _Setup.dll0.0.dr, _Sete701.rra.0.dr, dotn8b06.rra.0.dr, ISBE8b26.rra.0.dr, isrt8b45.rra.0.dr, _Setup.dll.0.dr	String found in binary or memory: http://www.macrovision.com0

Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{db8292e7-9182-634b-bd0b-24ec6dd32e91}\ser2pl.cat (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{70b83d36-4fd5-fd40-b014-79cd26fdf766}\ser2pl.cat (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2pl.cat (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\Temp\{70b83d36-4fd5-fd40-b014-79cd26fdf766}\SETEEB3.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{db8292e7-9182-634b-bd0b-24ec6dd32e91}\SETE9B2.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2e849.rra	Jump to dropped file

Source: ISSetup.dll.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: isrt8b45.rra.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: _IsR8b64.rra.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ISSee730.rra.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\SysWOW64\SER9e7cc.rra	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\SysWOW64\SERSe7dc.rra	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\inf\SERSe7ec.rra	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\inf\SERWe7ec.rra	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\FileRepository\ser2pl.inf_amd64_f8875256a6be18aa	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\System32\DriverStore\drvstore.tmp	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	File created: C:\Windows\inf\oem4.inf	Jump to behavior

Source: _Setup.dll0.0.dr	Static PE information: No import functions for PE file found
Source: _Setup.dll.0.dr	Static PE information: No import functions for PE file found
Source: _Sete701.rra.0.dr	Static PE information: No import functions for PE file found

Source: Setup.exe, 00000000.00000003.2341610766.00000000049EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSER2PL64.SYSh$ vs Setup.exe
Source: Setup.exe, 00000000.00000003.2345502028.000000000511E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSER2PL64.SYSh$ vs Setup.exe
Source: Setup.exe, 00000000.00000003.2035310591.00000000041D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameISRT.dllz+ vs Setup.exe
Source: Setup.exe, 00000000.00000003.2034434785.00000000041DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetupEx.dllZ vs Setup.exe
Source: Setup.exe, 00000000.00000003.2034750165.00000000041DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedotnetinstaller.exeD vs Setup.exe
Source: Setup.exe, 00000000.00000003.2035056685.00000000041DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameISBEW64.exez+ vs Setup.exe
Source: Setup.exe	Binary or memory string: OriginalFilenameiKernel.dllz+ vs Setup.exe
Source: Setup.exe	Binary or memory string: OriginalFilename_setup2k.dllz+ vs Setup.exe

Source: ISSetup.dll.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: isrt8b45.rra.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: _IsR8b64.rra.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: ISSee730.rra.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: SER9e7cc.rra.0.dr	Binary string: \DosDevices\USBCOM-0\Device\SerialPort0U
Source: SETE963.tmp.0.dr	Binary string: \Device\ProlificSerial
Source: ser2e859.rra.0.dr	Binary string: %ws%d\Device\ProlificSerialWdfDeviceInitAssignWdmIrpPreprocessCallback failed %X

Source: C:\Users\user\Desktop\Setup.exe	Mutant created: \Sessions\1\BaseNamedObjects\ECC3713C-08A4-40E3-95F1-7D0704F1CE5E
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8076:120:WilError_03

Source: Setup.exe	String found in binary or memory: The Side by Side media/install options
Source: Setup.exe	String found in binary or memory: The Side by Side media options&The Side by Side media/install options
Source: Setup.exe	String found in binary or memory: %s-installationsprogrammet forbereder InstallShield Wizard, som vil f

Source: unknown	Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{11912180-FEB4-44CD-AFBE-10E73F62322C}
Source: unknown	Process created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
Source: C:\Windows\System32\SrTasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{db8292e7-9182-634b-bd0b-24ec6dd32e91}\ser2pl.inf" "9" "4da2256ef" "000000000000015C" "WinSta0\Default" "0000000000000170" "208" "C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\VISTA"
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{11912180-FEB4-44CD-AFBE-10E73F62322C}	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: lz32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sxproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: drvstore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: spinf.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\ISBEW64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\ISBEW64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\ISBEW64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: srcore.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: bcd.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vss_ps.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: drvstore.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Section loaded: gpapi.dll	Jump to behavior

Source: ser2e859.rra.0.dr	Static PE information: section name: PAGESER
Source: ser2e859.rra.0.dr	Static PE information: section name: PAGESRP0
Source: ser2e869.rra.0.dr	Static PE information: section name: PAGESRP0
Source: ser2e869.rra.0.dr	Static PE information: section name: PAGESER
Source: SETE963.tmp.0.dr	Static PE information: section name: PAGESRP0
Source: SETE963.tmp.0.dr	Static PE information: section name: PAGESER
Source: SER9e7cc.rra.0.dr	Static PE information: section name: PNP
Source: SETEE54.tmp.10.dr	Static PE information: section name: PAGESRP0
Source: SETEE54.tmp.10.dr	Static PE information: section name: PAGESER

Source: ISSetup.dll.0.dr	Static PE information: section name: .text entropy: 7.978118582994391
Source: isrt8b45.rra.0.dr	Static PE information: section name: .text entropy: 7.973511527762974
Source: _IsR8b64.rra.0.dr	Static PE information: section name: .text entropy: 7.961342174586094
Source: ISSee730.rra.0.dr	Static PE information: section name: .text entropy: 7.978118582994391

Source: C:\Windows\System32\drvinst.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419 Blob			Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419 Blob			Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\Temp\QReme7fb.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\Temp\Delee81a.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\Temp\Unine82a.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2e859.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2e869.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setu8ae7.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\dotn8b06.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\ISBE8b26.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\isrt8b45.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\_IsR8b64.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\setue6d2.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\_Sete701.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\ISSee730.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\SysWOW64\SER9e7cc.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Windows\SysWOW64\SERSe7dc.rra	Jump to dropped file

Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\drvinst.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\SER9e7cc.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\setup.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\SetupEx.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2pl.sys (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\Unine82a.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2e859.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\_IsR8b64.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{db8292e7-9182-634b-bd0b-24ec6dd32e91}\SETE963.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\ISSee730.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{db8292e7-9182-634b-bd0b-24ec6dd32e91}\ser2pl64.sys (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\dotn8b06.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\isrt8b45.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{778FCF74-FE94-4145-9E73-38A3FDF64CF5}\Disk1\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\_Sete701.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\QReme7fb.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\isrt.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{70b83d36-4fd5-fd40-b014-79cd26fdf766}\ser2pl64.sys (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2pl.inf (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\setue6d2.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Setu8ae7.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\dotnetinstaller.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\SERSPL.VXD (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\Uninstall.ICO (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\SER9PL.sys (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{778FCF74-FE94-4145-9E73-38A3FDF64CF5}\Disk1\_Setup.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\SERSe7dc.rra	Jump to dropped file
Source: C:\Windows\System32\drvinst.exe	Dropped PE file which has not been started: C:\Windows\System32\DriverStore\Temp\{70b83d36-4fd5-fd40-b014-79cd26fdf766}\SETEE54.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{778FCF74-FE94-4145-9E73-38A3FDF64CF5}\_Setup.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\PLUninst.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\_IsRes.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\DeleteUSB.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\_Setup.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\ISSetup.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2pl64.sys (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\QRemover.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\Uninstall.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{90526762-4976-408D-B1EE-8DD48247745C}\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\Vista\ser2e869.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Windows\Temp\Delee81a.rra	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{778FCF74-FE94-4145-9E73-38A3FDF64CF5}\Disk1\ISSetup.dll	Jump to dropped file

Source: C:\Users\user\Desktop\Setup.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	File Volume queried: C:\Windows FullSizeInformation			Jump to behavior

Source: setupapi.dev.log.0.dr	Binary or memory string: set: BIOS Vendor: VMware, Inc.
Source: setupapi.dev.log.0.dr	Binary or memory string: sig: Key = vmci.inf
Source: setupapi.dev.log.0.dr	Binary or memory string: dvs: {Driver Setup Import Driver Package: C:\Windows\SoftwareDistribution\Download\Install\vmci.inf} 11:48:39.178
Source: setupapi.dev.log.0.dr	Binary or memory string: idb: Activating driver package 'vmci.inf_amd64_68ed49469341f563'.
Source: setupapi.dev.log.0.dr	Binary or memory string: cpy: Published 'vmci.inf_amd64_68ed49469341f563\vmci.inf' to 'oem2.inf'.
Source: setupapi.dev.log.0.dr	Binary or memory string: inf: {Add Service: vmci}
Source: setupapi.dev.log.0.dr	Binary or memory string: inf: Created new service 'vmci'.
Source: setupapi.dev.log.0.dr	Binary or memory string: inf: Display Name = VMware VMCI Bus Driver
Source: setupapi.dev.log.0.dr	Binary or memory string: set: PCI\VEN_15AD&DEV_0740&SUBSYS_074015AD&REV_10\3&61AAA01&0&3F -> Configured [oem2.inf:PCI\VEN_15AD&DEV_0740&SUBSYS_074015AD,vmci.install.x64.NT] and started (ConfigFlags = 0x00000000).
Source: setupapi.dev.log.0.dr	Binary or memory string: inf: Service Name = vmci
Source: setupapi.dev.log.0.dr	Binary or memory string: set: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000 -> Configured [disk.inf:GenDisk,disk_install.NT] and started (ConfigFlags = 0x00000000).
Source: SrTasks.exe, 00000007.00000003.2372431710.00000286EF786000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WORKGROUPar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: setupapi.dev.log.0.dr	Binary or memory string: idb: {Publish Driver Package: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf} 11:48:39.707
Source: setupapi.dev.log.0.dr	Binary or memory string: idb: Indexed 4 device IDs for 'vmci.inf_amd64_68ed49469341f563'.
Source: setupapi.dev.log.0.dr	Binary or memory string: utl: Driver INF - oem2.inf (C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf)
Source: setupapi.dev.log.0.dr	Binary or memory string: set: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000 -> Configured [cdrom.inf:GenCdRom,cdrom_install] and started (ConfigFlags = 0x00000000).
Source: setupapi.dev.log.0.dr	Binary or memory string: set: System Product Name: VMware20,1
Source: setupapi.dev.log.0.dr	Binary or memory string: sto: {Configure Driver Package: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf}
Source: SrTasks.exe, 00000007.00000003.2348991064.00000286EF7D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:88
Source: Setup.exe, 00000000.00000003.2352391615.0000000000772000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: BeID_8VMWar&Prod_VMware_SATA_CD004&22{
Source: setupapi.dev.log.0.dr	Binary or memory string: sto: {Stage Driver Package: C:\Windows\SoftwareDistribution\Download\Install\vmci.inf} 11:48:39.634
Source: setupapi.dev.log.0.dr	Binary or memory string: sig: Installed catalog 'vmci.cat' as 'oem2.cat'.
Source: setupapi.dev.log.0.dr	Binary or memory string: cpy: Target Path = C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563
Source: setupapi.dev.log.0.dr	Binary or memory string: flq: Copying 'C:\Windows\SoftwareDistribution\Download\Install\vmci.inf' to 'C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.inf'.
Source: SrTasks.exe, 00000007.00000003.2299050344.00000286EF7D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: setupapi.dev.log.0.dr	Binary or memory string: sig: FilePath = C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.inf
Source: setupapi.dev.log.0.dr	Binary or memory string: inf: {Configure Driver Configuration: vmci.install.x64.NT}
Source: setupapi.dev.log.0.dr	Binary or memory string: idb: Created driver package object 'vmci.inf_amd64_68ed49469341f563' in SYSTEM database node.
Source: setupapi.dev.log.0.dr	Binary or memory string: inf: Image Path = System32\drivers\vmci.sys
Source: setupapi.dev.log.0.dr	Binary or memory string: flq: Copying 'C:\Windows\SoftwareDistribution\Download\Install\vmci.cat' to 'C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.cat'.
Source: setupapi.dev.log.0.dr	Binary or memory string: sig: Catalog = C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.cat
Source: setupapi.dev.log.0.dr	Binary or memory string: inf: Section Name = vmci.install.x64.NT
Source: setupapi.dev.log.0.dr	Binary or memory string: flq: Copying 'C:\Windows\SoftwareDistribution\Download\Install\vmci.sys' to 'C:\Windows\System32\DriverStore\Temp\{5a5b2f36-11ff-5a4a-b3b1-6fc00ed67f26}\vmci.sys'.
Source: setupapi.dev.log.0.dr	Binary or memory string: idb: Registered driver package 'vmci.inf_amd64_68ed49469341f563' with 'oem2.inf'.
Source: setupapi.dev.log.0.dr	Binary or memory string: inf: Driver package 'vmci.inf' is configurable.
Source: setupapi.dev.log.0.dr	Binary or memory string: inf: {Configure Driver: VMware VMCI Bus Device}
Source: SrTasks.exe, 00000007.00000002.2373414188.00000286EF7CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: setupapi.dev.log.0.dr	Binary or memory string: inf: {Query Configurability: C:\Windows\SoftwareDistribution\Download\Install\vmci.inf} 11:48:39.636
Source: setupapi.dev.log.0.dr	Binary or memory string: sto: {Core Driver Package Import: vmci.inf_amd64_68ed49469341f563} 11:48:39.704
Source: setupapi.dev.log.0.dr	Binary or memory string: idb: {Register Driver Package: C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.inf} 11:48:39.707
Source: setupapi.dev.log.0.dr	Binary or memory string: flq: Copying 'C:\Windows\System32\DriverStore\FileRepository\vmci.inf_amd64_68ed49469341f563\vmci.sys' to 'C:\Windows\System32\drivers\vmci.sys'.
Source: setupapi.dev.log.0.dr	Binary or memory string: set: System Manufacturer: VMware, Inc.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\ISSee730.rra

C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\ISSetup.dll (copy)

C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\_Sete701.rra

C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\_Setup.dll (copy)

C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\data1.cab (copy)

C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\data1.hdr (copy)

C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\datae684.rra

C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\datae6a3.rra

C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\layoe675.rra

C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\layout.bin (copy)

C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\setue6d2.rra

C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\setue75f.rra

C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\setue79d.rra

C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\setup.exe (copy)

C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\setup.ilg (copy)

C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\setup.ini

C:\Program Files (x86)\InstallShield Installation Information\{ECC3713C-08A4-40E3-95F1-7D0704F1CE5E}\setup.inx (copy)

C:\Users\user\AppData\Local\Temp\87f9.rra

C:\Users\user\AppData\Local\Temp\{778FCF74-FE94-4145-9E73-38A3FDF64CF5}\Disk1\ISSetup.dll

C:\Users\user\AppData\Local\Temp\{778FCF74-FE94-4145-9E73-38A3FDF64CF5}\Disk1\_Setup.dll

C:\Users\user\AppData\Local\Temp\{778FCF74-FE94-4145-9E73-38A3FDF64CF5}\Disk1\data1.cab

C:\Users\user\AppData\Local\Temp\{778FCF74-FE94-4145-9E73-38A3FDF64CF5}\Disk1\data1.hdr

C:\Users\user\AppData\Local\Temp\{778FCF74-FE94-4145-9E73-38A3FDF64CF5}\Disk1\layout.bin

C:\Users\user\AppData\Local\Temp\{778FCF74-FE94-4145-9E73-38A3FDF64CF5}\Disk1\setup.exe

Windows Analysis Report
Setup.exe

Process:	C:\Users\user\Desktop\Setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
Category:	dropped
Size (bytes):	535552
Entropy (8bit):	7.6019064631901445
Encrypted:	false
SSDEEP:	12288:JyF3SrUVaX7zyCyHHjDLLhSuZhqVSNlw8XkMgrNG:JyF3Sr0aiC4vhSOhGSvbxgrA
MD5:	6C48E05107EB494620AB0DC96D3C5B80
SHA1:	E6CED277DE082BD8E2CCBFAD7A1D5CD1E9DB85AB
SHA-256:	13223E7FBEB3DAC968DE77E6BE974A36F86DC07884CC0E80EABF8B817CCB4A04
SHA-512:	983E3D3012114AF3DA009C5D46CE467C7A9C6023766B54AFE58137654BB5A1C1EDA2FD1FF4B1902102E8315B80557EFA58DBCF01641DDE07924285BD015A196A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: , Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s.0...c...c...c...c...cc..c...c...cd..c...c...c.0.c...c.0.c...c:1.c...c.1.c...c...cL..c.1.c...c.1.c...c'..c...c.2.c...cRich...c........................PE..L.....&F...........!.........P......................................................................................p...................h............................................................................................................text...................PEC2.O......`....rsrc............................... ....reloc...............*..............@...................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\System32\drvinst.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	2850
Entropy (8bit):	5.322995161668334
Encrypted:	false
SSDEEP:	48:lYE88Bt4Y4XAcT98jMgsduoU334uqgQle87yL334qRo5RfRo5kRv5kcKa1TeN:g84wGmjMgs/UH4uqgQb2H4cgR5geBXRY
MD5:	0D966D1B1CDDAB3E8C57BD0349EE560F
SHA1:	F5F7A48AB5127A0D989EAC135210B86FB8C3C2AD
SHA-256:	C4C1488C9B9F43041E44D252C7CA0F05944C8E321140C92F98685AFFA4F0A718
SHA-512:	683FB68F0CE19D0DA7FD775D1A8B57256076E5FDD7C15C4ECB18395D3D962AD9220B8725395406CF49C4F0F7E5E5602730C52A5E4F76FE3C1A16CD842354F040
Malicious:	false
Preview:	;..; SER2PL.INF (for Windows Vista)..;..; Copyright (c) 2007, Prolific Technology Inc.......[version]..signature="$CHICAGO$"..Class=Ports..ClassGuid={4D36E978-E325-11CE-BFC1-08002BE10318}..Provider=%PRO%..DriverVer=11/19/2009,3.3.10.140..CatalogFile=ser2pl.cat......; ================= Device Install section =====================....[ControlFlags]..ExcludeFromSelect=....[Manufacturer]..%PRO%=PRO,NT,NTAMD64....[SourceDisksFiles]..ser2pl.sys=1..ser2pl64.sys=1....[SourceDisksNames]..1=%DISK_NAME%,....[DestinationDirs]..DefaultDestDir = 12....[PRO.NT]..%DeviceDesc% = ComPort, USB\VID_067B&PID_2303....[PRO.NTAMD64]..%DeviceDesc% = ComPort, USB\VID_067B&PID_2303......[ComPort.NT]..CopyFiles=ComPort.NT.Copy..AddReg=ComPort.NT.AddReg....[ComPort.NT.HW]..AddReg=ComPort.HW.AddReg....[ComPort.NT.Services]..AddService = Ser2pl, 0x00000002, Serial_Service_Inst.NT..AddService = Serenum,,Serenum_Service_Inst....[ComPort.NT.Copy]..ser2pl.sys....[ComPort.NT.AddReg]..HKR,,DevLoader,,ntkern..HKR,,N

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.55363635880913
TrID:	Win32 Executable (generic) a (10002005/4) 95.43% DirectShow filter (201580/2) 1.92% Windows ActiveX control (116523/4) 1.11% Win32 EXE PECompact compressed (v2.x) (59071/9) 0.56% InstallShield setup (43055/19) 0.41%
File name:	Setup.exe
File size:	3'176'304 bytes
MD5:	cd31545772cdb4e84902f25d3363c58d
SHA1:	88ab168cbfc19785caab11109b4682d3cfcfafae
SHA256:	3c80fd894036f549fb831d271595df775ebaba7d98fdeea579bfae3c9d42ec53
SHA512:	482be992b98efe56ed1a4cb5716d12321c5e28d144b985ad40b9d152cde47d467b052946e82ee2c3d63f7668705c6318f1d61f34eb0533b5ea358467af096d75
SSDEEP:	49152:S5XjOui0/5LKqLhtbx/p/noQUhtm683Df7klWYBiCKhSOoSvbJp5+5q:ShjOp0hKqLhbpPoThM68377vBKepA4
TLSH:	56E5E002BBEA816EF2B74A70E97B07B15BB5BC969E31811F7390B91C1C306A1D531B17
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......bF+N&'E.&'E.&'E.];I.%'E..;K.9'E.I8O..'E.I8N.)'E...Y.%'E...`.$'E. .O.$'E.&'D.v&E...\.3'E. .N..'E..!C.''E.Rich&'E................

Entrypoint:	0x422094
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4626B2F4 [Thu Apr 19 00:08:20 2007 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	8f244019e52c417786599750d44c515a

Signature Valid:	true
Signature Issuer:	CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	28/04/2009 20:00:00 07/05/2010 19:59:59
Subject Chain	CN=Prolific Technology Inc., OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Prolific Technology Inc., S=Taipei, C=TW
Version:	3
Thumbprint MD5:	D9C5BCF4847D5A65869181BDF6276D3E
Thumbprint SHA-1:	64C43A116EBC08102A85FC1D7031389511D0DC70
Thumbprint SHA-256:	F9CBD2C71A4657F390A12AF3257D1268ECDB4E74B6A10D8C0DD834E6D4E00D2F
Serial:	06899F9218FFE732899BEF8B6B686465

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x510c8	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5b000	0x232c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x306038	0x1738
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x49000	0x4cc	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x47a42	0x48000	246bc04c9934d94ae3e5085c0fbab939	False	0.5119594997829862	data	6.582164078038985	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x49000	0x9a70	0xa000	16f2af57c4910be773837ffdb7fbde59	False	0.3839599609375	data	4.563700076946339	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x53000	0x742c	0x6000	ed1e754e7b6303e212e660e942089261	False	0.2513834635416667	data	3.274968751787648	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5b000	0x232c	0x3000	bc771372afbdf9ddce017fcb10690eac	False	0.4298502604166667	data	5.902552822833265	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x5b208	0x928	Device independent bitmap graphic, 22 x 64 x 24, image size 2176	0.36177474402730375
RT_ICON	0x5bb30	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	0.8424855491329479
RT_ICON	0x5c098	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	0.5013440860215054
RT_ICON	0x5c380	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	0.8068592057761733
RT_DIALOG	0x5cc28	0x42	data	0.8333333333333334
RT_GROUP_ICON	0x5cc6c	0x14	data	1.15
RT_VERSION	0x5cc80	0x32c	data	0.4605911330049261
RT_MANIFEST	0x5cfac	0x37f	XML 1.0 document, ASCII text, with CRLF line terminators	0.47150837988826816

DLL	Import
COMCTL32.dll
VERSION.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
KERNEL32.dll	LoadLibraryExA, QueryPerformanceFrequency, CreateEventA, ReadFile, CompareStringA, CompareStringW, GlobalSize, SizeofResource, FreeResource, SearchPathA, FindNextFileA, GetTempFileNameA, GetExitCodeProcess, TerminateProcess, OpenProcess, GetLocalTime, InitializeCriticalSection, GetCurrentProcessId, GetVersion, LeaveCriticalSection, EnterCriticalSection, GetCurrentThread, VirtualQuery, VirtualProtect, UnmapViewOfFile, GetShortPathNameA, MapViewOfFile, CreateFileMappingA, SetEvent, ResetEvent, QueryPerformanceCounter, SystemTimeToFileTime, lstrcmpA, MoveFileExA, GetDiskFreeSpaceA, GetSystemDirectoryA, GetSystemInfo, IsBadReadPtr, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, lstrcpyA, lstrlenA, Sleep, CloseHandle, CreateProcessA, lstrlenW, WideCharToMultiByte, MultiByteToWideChar, RemoveDirectoryA, DeleteFileA, ResumeThread, SetThreadContext, MulDiv, GetPrivateProfileStringA, GetPrivateProfileSectionNamesA, SetEndOfFile, FlushFileBuffers, SetStdHandle, IsBadCodePtr, GetFileType, GetStdHandle, SetHandleCount, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, GetStringTypeW, GetStringTypeA, SetUnhandledExceptionFilter, HeapSize, IsBadWritePtr, HeapReAlloc, VirtualAlloc, VirtualFree, HeapCreate, HeapDestroy, GetEnvironmentVariableA, LCMapStringW, LCMapStringA, GetOEMCP, GetACP, GetCPInfo, TlsGetValue, TlsAlloc, CreateDirectoryA, FindFirstFileA, FindClose, lstrcmpiA, lstrcpynA, WriteFile, GetDriveTypeA, SetFilePointer, GetFileAttributesA, ReleaseMutex, GetPrivateProfileIntA, lstrcatA, LoadLibraryA, GetSystemDefaultLangID, CreateMutexA, FreeLibrary, SetErrorMode, GetTickCount, FindResourceExA, FindResourceA, LoadResource, LockResource, GetWindowsDirectoryA, InterlockedDecrement, LocalFree, InterlockedIncrement, FormatMessageA, GetTempPathA, GetVersionExA, CreateFileA, GlobalFree, GlobalAlloc, GlobalLock, GlobalUnlock, GetLastError, SetLastError, WaitForSingleObject, ExitProcess, GetCurrentProcess, DuplicateHandle, GetThreadContext, VirtualProtectEx, WriteProcessMemory, FlushInstructionCache, TlsSetValue, GetCurrentThreadId, GetCommandLineA, GetStartupInfoA, RaiseException, HeapAlloc, HeapFree, RtlUnwind, DeleteCriticalSection, InterlockedExchange, GetFileSize
USER32.dll	SetWindowLongA, SetWindowTextA, SendMessageA, GetDlgItem, wsprintfA, WaitForInputIdle, CharUpperA, MessageBoxA, DialogBoxIndirectParamA, SetDlgItemTextA, MsgWaitForMultipleObjects, CharLowerBuffA, SetFocus, BeginPaint, EndPaint, LoadStringA, FillRect, ScreenToClient, GetWindowTextLengthA, GetWindowTextA, GetWindowPlacement, SendDlgItemMessageA, GetMessageA, DefWindowProcA, GetParent, GetWindow, SystemParametersInfoA, MapWindowPoints, SetWindowPos, GetPropA, EnableMenuItem, SetPropA, RemovePropA, ShowWindow, IsWindow, GetSysColor, LoadImageA, CreateDialogParamA, GetDC, ReleaseDC, SetActiveWindow, PeekMessageA, IsDialogMessageA, TranslateMessage, DispatchMessageA, DestroyWindow, CreateDialogIndirectParamA, SetForegroundWindow, GetDesktopWindow, GetClientRect, EnableWindow, IsWindowEnabled, GetWindowDC, UpdateWindow, InvalidateRect, DrawIcon, MapDialogRect, GetClassNameA, CallWindowProcA, DrawFocusRect, InflateRect, DrawTextA, CopyRect, EnumChildWindows, CreateWindowExA, RegisterClassExA, IntersectRect, GetDlgItemTextA, GetWindowLongA, GetWindowRect, MoveWindow, EndDialog, LoadIconA
GDI32.dll	CreateCompatibleBitmap, CreateDCA, GetStockObject, GetTextExtentPoint32A, CreatePatternBrush, DeleteMetaFile, SetMetaFileBitsEx, SetStretchBltMode, SelectClipRgn, SetPixel, PatBlt, PlayMetaFile, StretchBlt, CreateBitmap, SetViewportExtEx, SetViewportOrgEx, SetWindowExtEx, SetWindowOrgEx, CreateDIBitmap, SaveDC, SetBkMode, SetTextColor, TextOutA, RestoreDC, GetTextExtentPointA, CreateFontIndirectA, SetBkColor, CreateRectRgn, DeleteObject, CreateSolidBrush, GetDIBColorTable, GetSystemPaletteEntries, CreatePalette, CreateHalftonePalette, GetDeviceCaps, GetObjectA, CreateCompatibleDC, UnrealizeObject, SelectPalette, RealizePalette, SelectObject, BitBlt, DeleteDC, SetMapMode
ADVAPI32.dll	RegCloseKey, RegQueryValueA, RegQueryValueExA, RegOpenKeyExA, RegDeleteKeyA, RegEnumKeyExA, RegEnumKeyA, RegOpenKeyA, FreeSid, EqualSid, AllocateAndInitializeSid, GetTokenInformation, OpenProcessToken, OpenThreadToken
SHELL32.dll	SHGetPathFromIDListA, SHGetMalloc, ShellExecuteExA, SHGetSpecialFolderLocation
ole32.dll	CoInitialize, CoUninitialize
OLEAUT32.dll	SysFreeString, SysAllocString, SysAllocStringLen, SysReAllocStringLen, SysStringLen, GetErrorInfo, VariantClear, VariantChangeType
LZ32.dll	LZOpenFileA, LZCopy, LZClose
RPCRT4.dll	RpcStringFreeA, UuidCreate, UuidToStringA

Target ID:	0
Start time:	18:56:30
Start date:	27/08/2024
Path:	C:\Users\user\Desktop\Setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Setup.exe"
Imagebase:	0x400000
File size:	3'176'304 bytes
MD5 hash:	CD31545772CDB4E84902F25D3363C58D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true