Edit tour

Windows Analysis Report
ZPMC SCADA Setup v4.0.12737.zip

Overview

General Information

Sample name:	ZPMC SCADA Setup v4.0.12737.zip
Analysis ID:	1544383
MD5:	8cec6cab7e45958bdda97ddc8bd32d9a
SHA1:	dde365ea81f5dbde959633932a406bd57a3fd42d
SHA256:	e4892a88830b8ff7b8ce8f702573ac331c814a1a7f7a9535f63ca83c53afb716
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

.NET source code contains potential unpacker

Modifies existing user documents (likely ransomware behavior)

Checks for available system drives (often done to infect USB drives)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to detect virtual machines (SGDT)

Contains functionality to detect virtual machines (SLDT)

Contains functionality to detect virtual machines (STR)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

PE file contains strange resources

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64_ra

rundll32.exe (PID: 6668 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

7zG.exe (PID: 5504 cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\" -spe -an -ai#7zMap15170:110:7zEvent13957 MD5: 50F289DF0C19484E970849AAC4E6F977)

setup.exe (PID: 3936 cmdline: "C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe" MD5: 675A00CA73BAF388C0EBF90C0644E8E0)

setup.exe (PID: 3684 cmdline: "C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe" MD5: 675A00CA73BAF388C0EBF90C0644E8E0)

setup.exe (PID: 980 cmdline: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe /q"C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}" /IS_temp MD5: 675A00CA73BAF388C0EBF90C0644E8E0)

ISBEW64.exe (PID: 1476 cmdline: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3C556304-8D46-41A1-A183-C63C96FA76B7} MD5: 82E1A9D1E3D0107F7E1253FA92F86B10)

ISBEW64.exe (PID: 6920 cmdline: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C68E9931-1A54-4D29-9A11-E2C1A6140D74} MD5: 82E1A9D1E3D0107F7E1253FA92F86B10)

ISBEW64.exe (PID: 1940 cmdline: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3C967A50-E90B-4AD5-B526-62683195C54F} MD5: 82E1A9D1E3D0107F7E1253FA92F86B10)

ISBEW64.exe (PID: 904 cmdline: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EB53D73A-7D41-467E-AF22-FA743D2E5BD2} MD5: 82E1A9D1E3D0107F7E1253FA92F86B10)

ISBEW64.exe (PID: 5852 cmdline: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0B631758-29DD-4B8E-9A12-949F140ACCEC} MD5: 82E1A9D1E3D0107F7E1253FA92F86B10)

ISBEW64.exe (PID: 1344 cmdline: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{58E35334-6736-4373-BC16-B19DB2B7F3E2} MD5: 82E1A9D1E3D0107F7E1253FA92F86B10)

ISBEW64.exe (PID: 3192 cmdline: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{66BF646F-C6CD-4823-BD3A-BBBE0CE92580} MD5: 82E1A9D1E3D0107F7E1253FA92F86B10)

ISBEW64.exe (PID: 3184 cmdline: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5DB750C9-5B1D-4912-9BBB-735073942453} MD5: 82E1A9D1E3D0107F7E1253FA92F86B10)

ISBEW64.exe (PID: 724 cmdline: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{85F4BC9B-9F30-4363-AD6D-FD00E62E44B7} MD5: 82E1A9D1E3D0107F7E1253FA92F86B10)

ISBEW64.exe (PID: 4956 cmdline: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D823CFD3-3D7A-4194-AD31-CD5AD6A26B55} MD5: 82E1A9D1E3D0107F7E1253FA92F86B10)

msiexec.exe (PID: 6716 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 6480 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 77B4B6CB8D21758EFE216C05F17DCEE1 C MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 6500 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding F52714C42576362BF3928B61AE156682 MD5: 9D09DC1EDA745A5F87553048E57620CF)

SrTasks.exe (PID: 4868 cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1 MD5: 2694D2D28C368B921686FE567BD319EB)

conhost.exe (PID: 876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"

Source: mfc80KOR.dll.10.dr	Static PE information: No import functions for PE file found
Source: mfc80ESP.dll.10.dr	Static PE information: No import functions for PE file found
Source: mfc80ITA.dll.10.dr	Static PE information: No import functions for PE file found
Source: mfc80ENU.dll.10.dr	Static PE information: No import functions for PE file found
Source: mfc80CHT.dll.10.dr	Static PE information: No import functions for PE file found
Source: mfc80JPN.dll.10.dr	Static PE information: No import functions for PE file found
Source: mfc80DEU.dll.10.dr	Static PE information: No import functions for PE file found
Source: mfc80FRA.dll.10.dr	Static PE information: No import functions for PE file found
Source: mfc80CHS.dll.10.dr	Static PE information: No import functions for PE file found

Source: classification engine

Classification label: mal48.rans.evad.winZIP@33/1053@1/0

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe

Code function: 18_2_1003DA79 GetLastError,FormatMessageW,

18_2_1003DA79

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe

Code function: 18_2_1004A51B _memset,lstrcpyW,lstrcatW,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,

18_2_1004A51B

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe

Code function: 18_2_10060283 __EH_prolog3_GS,CreateToolhelp32Snapshot,GetLastError,Process32FirstW,Process32NextW,OpenProcess,

18_2_10060283

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe

Code function: 18_2_1005E1FF __EH_prolog3_GS,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,CoCreateInstance,

18_2_1005E1FF

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe

Code function: 18_2_100452D3 __EH_prolog3,FindResourceW,LoadResource,LockResource,CreateDialogIndirectParamW,CreateDialogIndirectParamW,

18_2_100452D3

Source: C:\Program Files\7-Zip\7zG.exe

File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:876:120:WilError_03

Source: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe

File created: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}

Jump to behavior

Source: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe

File read: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Setup.ini

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\" -spe -an -ai#7zMap15170:110:7zEvent13957
Source: unknown	Process created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe "C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe"
Source: unknown	Process created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe "C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe"
Source: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe /q"C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}" /IS_temp
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 77B4B6CB8D21758EFE216C05F17DCEE1 C
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3C556304-8D46-41A1-A183-C63C96FA76B7}
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C68E9931-1A54-4D29-9A11-E2C1A6140D74}
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3C967A50-E90B-4AD5-B526-62683195C54F}
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EB53D73A-7D41-467E-AF22-FA743D2E5BD2}
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0B631758-29DD-4B8E-9A12-949F140ACCEC}
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{58E35334-6736-4373-BC16-B19DB2B7F3E2}
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{66BF646F-C6CD-4823-BD3A-BBBE0CE92580}
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5DB750C9-5B1D-4912-9BBB-735073942453}
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{85F4BC9B-9F30-4363-AD6D-FD00E62E44B7}
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D823CFD3-3D7A-4194-AD31-CD5AD6A26B55}
Source: unknown	Process created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
Source: C:\Windows\System32\SrTasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F52714C42576362BF3928B61AE156682
Source: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe /q"C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}" /IS_temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3C556304-8D46-41A1-A183-C63C96FA76B7}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C68E9931-1A54-4D29-9A11-E2C1A6140D74}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3C967A50-E90B-4AD5-B526-62683195C54F}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EB53D73A-7D41-467E-AF22-FA743D2E5BD2}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0B631758-29DD-4B8E-9A12-949F140ACCEC}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{58E35334-6736-4373-BC16-B19DB2B7F3E2}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{66BF646F-C6CD-4823-BD3A-BBBE0CE92580}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5DB750C9-5B1D-4912-9BBB-735073942453}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{85F4BC9B-9F30-4363-AD6D-FD00E62E44B7}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D823CFD3-3D7A-4194-AD31-CD5AD6A26B55}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 77B4B6CB8D21758EFE216C05F17DCEE1 C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F52714C42576362BF3928B61AE156682	Jump to behavior

Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: sxproxy.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: spp.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: srclient.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: srcore.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: ktmw32.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: wer.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: msxml3.dll
Source: C:\Windows\System32\SrTasks.exe	Section loaded: vss_ps.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll

Source: C:\Program Files\7-Zip\7zG.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Jump to behavior

Source: C:\Program Files\7-Zip\7zG.exe

File written: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\0x0409.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe

File opened: C:\Windows\SysWOW64\RICHED32.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: ZPMC SCADA Setup v4.0.12737.zip

Static file information: File size 75435301 > 1048576

Source:	Binary string: "ZSNETE~2.PDB\|zsNet.ElementBase.pdb source: setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: l%ZSNETV~2.PDB\|zsNet.ViewClient_WPF.pdb source: setup.exe, 00000012.00000003.2072899743.0000000001497000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: lEFZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/Rcw.SdAPI.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: ZSSERV~1.PDB\|zsServerHost.pdbB source: setup.exe, 00000012.00000003.2073645541.0000000001461000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072971157.000000000145B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZISCAD~1.PDB\|ZiSCADACLR.pdb source: setup.exe, 00000012.00000003.2072899743.0000000001497000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2073363822.000000000149F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RCWSER~1.PDB\|RCW.ServerAPI.pdb\L source: setup.exe, 00000012.00000003.2402174868.000000000688C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: FmtTxt.pdb) source: setup.exe, 00000012.00000003.2073527832.0000000001475000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072971157.000000000146E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: !TCPCOM~1.PDB\|TCPCommunication.pdb source: setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/Language.pdbgoD source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: t.pdb source: 7zG.exe, 0000000A.00000002.1978052133.00000223926C2000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1974975153.00000223926BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZSNETE~1.PDB\|zsNet.Element.pdb source: setup.exe, 00000012.00000003.2407110679.000000000688C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/zsNet.DefStruct.pdbC source: 7zG.exe, 0000000A.00000002.1978052133.00000223926C2000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1974975153.00000223926BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: APPSER~1.PDB\|AppServerBase.pdbTM source: setup.exe, 00000012.00000003.2407110679.000000000688C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: +Pl TCPDAS~1.PDB\|TcpDaSvrWrapper.pdb source: setup.exe, 00000012.00000003.2402174868.000000000688C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\zsEventService.pdbJ+qiCyZvjnbf6NgG2PLaTivvNsVWVtqaQl+5WdtiswQ= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: ZISCAD~3.PDB\|ziSCADAStudio.pdbo source: setup.exe, 00000012.00000002.2462601860.0000000004180000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: APPSER~1.PDB\|AppServerBase.pdb source: setup.exe, 00000012.00000003.2073645541.0000000001461000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072971157.000000000145B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\Formulate.pdbbdNJ9XO409VVoHQY2NaV3Oy48oXLvow8yyNGoUKb/Mw= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/Formulate.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926B6000.00000004.00000020.00020000.00000000.sdmp, ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: l$ZSNETE~4.PDB\|zsNet.EmtProperties.pdb source: setup.exe, 00000012.00000003.2072899743.0000000001497000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: l!ZSNETW~1.PDB\|zsNet.WinFormsUI.pdb source: setup.exe, 00000012.00000003.2072899743.0000000001497000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NTCPMSG.pdb source: setup.exe, 00000012.00000003.2073527832.0000000001475000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2462601860.0000000004180000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072971157.000000000146E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: +Pl ZSNETB~1.PDB\|zsNet.BaseClass.pdb source: setup.exe, 00000012.00000003.2402174868.000000000688C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: FZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/HFacility.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: 6HZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/DataAcsData.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/zsScada.Studio.Net.pdbg source: 7zG.exe, 0000000A.00000002.1978052133.00000223926C2000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1974975153.00000223926BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/zsAlmSvrAcs.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .MZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/OPCDaServWrapper.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: l(ZSNETV~1.PDB\|zsNet.VCMS3ScreenEditor.pdb source: setup.exe, 00000012.00000003.2072899743.0000000001497000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\RunVBA.pdblTuhanUuBisWShxr799s8NkcZIcdTkIipcCxzkr4MmA= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/Extend Dll/ProfiNet/ProfiNetWrapper.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: atl80.i386.pdb source: ATL80.dll1.10.dr, ATL80.dll.10.dr, ATL80.dll0.10.dr
Source:	Binary string: program files\ZPMC\SCADA\Bin\AlarmServerCLR.pdb/Gq5O0+zk9sH+OZtYIpx1x/HLxXWkG9jwmb4MAIL5TA= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: ALARMS~2.PDB\|AlarmServerCLR.pdb\L source: setup.exe, 00000012.00000003.2407110679.000000000688C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZSNETE~1.PDB\|zsNet.Element.pdb M6 source: setup.exe, 00000012.00000003.2402174868.000000000688C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: v4.0.12737/program files/ZPMC/SCADA/Bin/CApi.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CApi.pdb source: setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: l PROFIN~1.PDB\|ProfiNetWrapper.pdb=Ita source: setup.exe, 00000012.00000003.2073645541.0000000001461000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072971157.000000000145B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\UserControlBase.pdbzA4caz228yaAXsMa51+Jut2jqvnePUJQY8OI1mLNVlA= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/zsNet.WinFormsUI.pdb source: 7zG.exe, 0000000A.00000002.1978052133.00000223926C2000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1974975153.00000223926BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZISCAD~2.PDB\|ziSCADAServer.pdb source: setup.exe, 00000012.00000003.2402174868.000000000688C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2407110679.000000000688C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2073645541.0000000001461000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2494402472.000000000688C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072971157.000000000145B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\ZCompEx.pdbYM+r8mUJr7CX9xMpIbOgiyNQ8xznIYL0BpfxMO7Stqg= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: program files\ZPMC\SCADA\Bin\ziSCADAView.pdbYJ/ZWsSsjwcJlA2nR3jUS7OpEyarnnIeZDM0ZeBRW6g= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: DATAAC~2.PDB\|DataAcsData.pdb source: setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RCWSER~1.PDB\|RCW.ServerAPI.pdb source: setup.exe, 00000012.00000002.2462601860.0000000004180000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZISCAD~3.PDB\|ziSCADAStudio.pdb source: setup.exe, 00000012.00000003.2073645541.0000000001461000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072971157.000000000145B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: lPData.pdb source: setup.exe, 00000012.00000003.2073527832.0000000001475000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072971157.000000000146E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZSSERV~1.PDB\|zsServerHost.pdbOM source: setup.exe, 00000012.00000003.2402174868.000000000688C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZSUASV~1.PDB\|zsUASvrAcs.pdb source: setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072899743.0000000001497000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2073363822.000000000149F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HQUERY~1.PDB\|HQueryFacility.pdbTM source: setup.exe, 00000012.00000003.2402174868.000000000688C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/zsNet.BaseClass.pdb source: 7zG.exe, 0000000A.00000003.1974975153.00000223926BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZCompEx.pdb source: setup.exe, 00000012.00000002.2462601860.0000000004180000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\HFacility.pdbpFcaEXMM/XHbFS/YZ5JICdPt42tRLQKTeAOfa1jE7bA= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/PrjMan.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp, ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: ZSALAR~1.PDB\|zsAlarmService.pdb source: setup.exe, 00000012.00000003.2402174868.000000000688C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2407110679.000000000688C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2073645541.0000000001461000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072971157.000000000145B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/ZiSCADACLR.pdb source: 7zG.exe, 0000000A.00000003.1974975153.00000223926BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NTCPMSG.pdbh source: setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/zsNet.WinFormsUI.pdbi source: 7zG.exe, 0000000A.00000002.1978052133.00000223926C2000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1974975153.00000223926BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\ziSCADAServer.pdbgVX6gmJpvf9H2sh93w886ZAXiy6mPON9AYfy7Jz3oHA= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/NTCPMSG.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp, ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: +Pl!TCPCOM~1.PDB\|TCPCommunication.pdbD source: setup.exe, 00000012.00000003.2401667791.000000000691D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/RCW.ServerAPI.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp, ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/OPCDaServWrapper.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp, ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: +Pl(ZSNETV~1.PDB\|zsNet.VCMS3ScreenEditor.pdbJ source: setup.exe, 00000012.00000003.2397425178.00000000059C6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/zsNet.Element.pdb source: 7zG.exe, 0000000A.00000002.1978052133.00000223926C2000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1974975153.00000223926BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/WndMan.pdbdbbo_ source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RUNCSH~1.PDB\|RunCSharp.pdb* source: setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: DZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/NTCPMSG.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/UserControlBase.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp, ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: Windows\winsxs\73t3z6j5.7agmfc80u.dll.pdb source: 7zG.exe, 0000000A.00000003.1972580949.000002239274A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 3GZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/DataAccess.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: MBZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/WData.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: program files\ZPMC\SCADA\Bin\zsNet.EmtProperties.pdb+i4oWQrULpuIq2T4TVcOBvHCmoT4ab4tmMH5jm/YKJA= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: PROFIN~1.PDB\|ProfiNetWrapper.pdb` source: setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/HQueryFacility.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp, ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: program files\ZPMC\SCADA\Bin\ziSCADAStudio.pdbGHAjeWSJJcvSIYR5Vu2jV8LtSX0Yu9ezGS9U7joxKOA= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/RCW.ServerAPI.dllcation.pdb1i source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975880145.00000223926BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: +Pl USERCO~1.PDB\|UserControlBase.pdb source: setup.exe, 00000012.00000003.2402174868.000000000688C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2407110679.000000000688C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2494402472.000000000688C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WndMan.pdb source: setup.exe, 00000012.00000002.2462601860.0000000004180000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CWSDA~1.PDB\|Rcw.SdAPI.pdb-; source: setup.exe, 00000012.00000002.2452182848.0000000001426000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/HFacility.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926B6000.00000004.00000020.00020000.00000000.sdmp, ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: Language.pdb source: setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: +`ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/Extend Dll/ProfiNet/ProfiNetWrapper.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/FmtTxt.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926B6000.00000004.00000020.00020000.00000000.sdmp, ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: ZSNETD~1.PDB\|zsNet.DefHelp.pdb source: setup.exe, 00000012.00000003.2402174868.000000000688C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2407110679.000000000688C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2073645541.0000000001461000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2462601860.0000000004180000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2494402472.000000000688C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072971157.000000000145B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: +CZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/FmtTxt.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: WData.pdb source: setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/Old Dll/TCPCommunication.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975880145.00000223926BB000.00000004.00000020.00020000.00000000.sdmp, ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: !ZSNETE~3.PDB\|zsNet.ElementRes.pdb source: setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\zsNet.Element.pdb3G73e+u5ywYmbKPiw+oatyW4KBQBlrG+zi3J6ZqammA= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/zsNet.ViewClient_WPF.pdb source: 7zG.exe, 0000000A.00000002.1978052133.00000223926C2000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1974975153.00000223926BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZIP.pdb source: setup.exe, 00000012.00000003.2407110679.000000000685B000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072971157.000000000146E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2494402472.000000000685B000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2402174868.000000000685B000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2073645541.000000000146E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \VCMS3.0\SCADA a\Source\Src\API\Rcw.ServerAPI\obj\Release\Rcw.ServerAPI.pdbXDnD `D_CorDllMainmscoree.dll source: Rcw.ServerAPI.dll.10.dr
Source:	Binary string: program files\ZPMC\SCADA\Bin\Old Dll\TCPCommunication.pdb+renYCyyxeBD17JekMQ35RybL1om2tnfvcd5gpBeiWg= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/AlarmServerCLR.pdb source: 7zG.exe, 0000000A.00000003.1975989842.00000223926B1000.00000004.00000020.00020000.00000000.sdmp, ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: program files\ZPMC\SCADA\Bin\zsNet.DefStruct.pdbXPvfZisQncM3jvRcRa2HWDFG795X/F9RD7mOOrJSNVQ= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: +Pl#ZSSCAD~1.PDB\|zsScada.Studio.Net.pdbX source: setup.exe, 00000012.00000003.2401667791.000000000691D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZSNETE~1.PDB\|zsNet.Element.pdb3 source: setup.exe, 00000012.00000002.2462601860.0000000004180000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/zsUASvrAcs.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HFACIL~1.PDB\|HFacility.pdbH source: setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: l#OPCUAD~1.PDB\|OPCUADaServWrapper.pdb source: setup.exe, 00000012.00000003.2073363822.000000000149D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072899743.0000000001497000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\DataAcsData.pdbPTAMqTfcuARhovw8iXOa0w572DtBU5bVNVkYxTqBQ7Q= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/PData.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp, ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: ALARMS~2.PDB\|AlarmServerCLR.pdb source: setup.exe, 00000012.00000003.2402174868.000000000688C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2462601860.0000000004180000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZISCAD~4.PDB\|ziSCADAView.pdb source: setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072899743.0000000001497000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2494402472.0000000006800000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2073363822.000000000149F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: s.pdb source: 7zG.exe, 0000000A.00000002.1978052133.00000223926C2000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1974975153.00000223926BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\zsServerHost.pdbQDq+M91uG67t/KKC1j0QYAD4391dsz5GeH7DDXCH5eA= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: l USERCO~1.PDB\|UserControlBase.pdb source: setup.exe, 00000012.00000003.2073645541.0000000001461000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072971157.000000000145B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZSNETB~1.PDB\|zsNet.BaseClass.pdb source: setup.exe, 00000012.00000002.2462601860.0000000004180000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: +Pl%ZSNETV~2.PDB\|zsNet.ViewClient_WPF.pdbV source: setup.exe, 00000012.00000003.2397425178.00000000059C6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\zsAlarmService.pdbNl3QEY4Zzk7S8xQABFrQJoYNlSjB9kSr5S0Z5gCOtPA= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: +Pl!TCPCOM~1.PDB\|TCPCommunication.pdb source: setup.exe, 00000012.00000003.2403686348.00000000059C7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HQUERY~1.PDB\|HQueryFacility.pdb source: setup.exe, 00000012.00000003.2073645541.0000000001461000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2462601860.0000000004180000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072971157.000000000145B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcr80.i386.pdb source: 7zG.exe, 0000000A.00000003.1961246630.00000223932AA000.00000004.00000020.00020000.00000000.sdmp, msvcr80.dll0.10.dr
Source:	Binary string: ZSEVEN~1.PDB\|zsEventService.pdb source: setup.exe, 00000012.00000003.2073645541.0000000001461000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2462601860.0000000004180000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072971157.000000000145B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RCWSDA~1.PDB\|Rcw.SdAPI.pdb6 source: setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\RCW.ServerAPI.pdbhVIZNbk7BHBi/sOgaWDgtrmJrawqcwMGntCJv1eoADQ= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: +PlZGTag.pdba source: setup.exe, 00000012.00000002.2462601860.0000000004180000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/WData.pdbdll source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/RunCSharp.pdb{o0 source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZISCAD~1.PDB\|ZiSCADACLR.pdb source: setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 2KZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/AlarmServerAPI.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: ZISCAD~3.PDB\|ziSCADAStudio.pdbLr source: setup.exe, 00000012.00000003.2402174868.000000000688C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2407110679.000000000688C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\ft_code\drv_proj\drv_rockey4\src\32\vista\rockey4\objfre_wlh_x86\i386\Rockey4.pdb source: setup.exe, 00000012.00000002.2473155026.0000000006586000.00000002.00000001.00040000.00000013.sdmp
Source:	Binary string: GZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/HDefStruct.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: program files\ZPMC\SCADA\Bin\OPCUADaServWrapper.pdbisgSc9OgGwW5q8YGr8NbplAset5LpDpXNDTb5exyt5Q= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: ALARMS~1.PDB\|AlarmServerAPI.pdb0 source: setup.exe, 00000012.00000003.2073645541.0000000001461000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072971157.000000000145B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ALARMS~1.PDB\|AlarmServerAPI.pdb source: setup.exe, 00000012.00000003.2402174868.000000000688C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2407110679.000000000688C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2462601860.0000000004180000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\OPCUABrowse.pdbEpWKBLLKng8L1Z2hD+sBEA7sXeMuJawBU5s4IdgVEig= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: Windows\winsxs\vxgs54we.kj4\.pdbat source: 7zG.exe, 0000000A.00000003.1972809065.0000022392749000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975193758.0000022392749000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1972651086.0000022392737000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: +Pl!ZSNETW~1.PDB\|zsNet.WinFormsUI.pdb( source: setup.exe, 00000012.00000003.2401667791.000000000691D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/ZiSCADACLR.pdb// source: 7zG.exe, 0000000A.00000003.1974975153.00000223926BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/RunCSharp.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp, ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: RCWSER~1.PDB\|RCW.ServerAPI.pdbaL source: setup.exe, 00000012.00000003.2407110679.000000000688C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: +PlWData.pdb source: setup.exe, 00000012.00000002.2462601860.0000000004180000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/ziSCADAServer.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975880145.00000223926BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: +Pl ZSNETD~2.PDB\|zsNet.DefStruct.pdb source: setup.exe, 00000012.00000003.2407110679.000000000688C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2494402472.000000000688C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: #OPCUAD~1.PDB\|OPCUADaServWrapper.pdb/ source: setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\NTCPMSG.pdb+qbZtaSkqgRcLB6bBZIBDQUJkg6oTeqUkjDmukv0PDQ= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: $ZSNETE~4.PDB\|zsNet.EmtProperties.pdbg source: setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\EventServerAPI.pdbywZs/mcSkSP7IEHxIrHlyyxHFpcP1u1C3q3ONqykC0w= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/DataAcsData.pdbl.dll source: 7zG.exe, 0000000A.00000003.1975989842.00000223926B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: v4.0.12737/program files/ZPMC/SCADA/Bin/Extend Dll/ProfiNet/ProfiNetWrapper.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZSALAR~1.PDB\|zsAlarmService.pdb6 source: setup.exe, 00000012.00000002.2462601860.0000000004180000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/zsNet.DefStruct.pdb source: 7zG.exe, 0000000A.00000002.1978052133.00000223926C2000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1974975153.00000223926BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\ft_code\drv_proj\drv_rockey4\src\32\vista\rockey4usb\objfre_wlh_x86\i386\Rockey4Usb.pdb source: setup.exe, 00000012.00000002.2473155026.0000000006586000.00000002.00000001.00040000.00000013.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/zsServerHost.pdb source: 7zG.exe, 0000000A.00000002.1978052133.00000223926C2000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1974975153.00000223926BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 7BZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/PData.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Data/Lib_D3/Crane.Xt.pdb.pdb source: 7zG.exe, 0000000A.00000002.1978052133.00000223926C2000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1974975153.00000223926BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: +Pl!OPCDAS~1.PDB\|OPCDaServWrapper.pdb source: setup.exe, 00000012.00000003.2401667791.000000000691D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2403686348.00000000059C7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/zsNet.ViewClient_WPF.pdb[ source: 7zG.exe, 0000000A.00000002.1978052133.00000223926C2000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1974975153.00000223926BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZSNETE~1.PDB\|zsNet.Element.pdb{ source: setup.exe, 00000012.00000003.2073645541.0000000001461000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072971157.000000000145B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 5JZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/RCW.ServerAPI.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: RCWSDA~1.PDB\|Rcw.SdAPI.pdb$T source: setup.exe, 00000012.00000002.2494402472.0000000006800000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/OPCUABrowse.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975880145.00000223926BB000.00000004.00000020.00020000.00000000.sdmp, ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: e:\ft_code\drv_proj\drv_rockey4\src\32\rockeynt\objfre_w2k_x86\i386\rockeynt.pdb source: 7zG.exe, 0000000A.00000003.1961246630.00000223935F0000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2473155026.000000000656A000.00000002.00000001.00040000.00000013.sdmp
Source:	Binary string: D:\Rockey4Drv\wdm\enduser\objfre\i386\RockUsb.pdb source: setup.exe, 00000012.00000002.2473155026.0000000006586000.00000002.00000001.00040000.00000013.sdmp
Source:	Binary string: L.OZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/OPCUADaServWrapper.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: program files\ZPMC\SCADA\Bin\Language.pdbpSxGErW/ehL/cJe7dz/PAg7+Rir/s3VlJooESBZ0RMg= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: @EZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/Language.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: program files\ZPMC\SCADA\Bin\zsNet.ViewClient_WPF.pdb5Nc+GNw6xsin/aC2vxRJiG3ueNAszlwk3cV+m6Biyug= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: ZSEVEN~1.PDB\|zsEventService.pdbpr source: setup.exe, 00000012.00000003.2407110679.000000000688C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: +Pl%ZSNETV~2.PDB\|zsNet.ViewClient_WPF.pdb source: setup.exe, 00000012.00000002.2500922986.0000000006997000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2403207427.0000000006997000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/zsNet.ElementRes.pdb source: 7zG.exe, 0000000A.00000002.1978052133.00000223926C2000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1974975153.00000223926BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 7FZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/RunCSharp.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/zsScada.Studio.Net.pdb source: 7zG.exe, 0000000A.00000002.1978052133.00000223926C2000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1974975153.00000223926BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/TcpDaSvrWrapper.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975880145.00000223926BB000.00000004.00000020.00020000.00000000.sdmp, ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: WndMan.pdb1 source: setup.exe, 00000012.00000003.2072971157.000000000145B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/ziSCADAView.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975880145.00000223926BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CoreAPI.pdb3 source: setup.exe, 00000012.00000002.2468744199.00000000059F9000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2403686348.00000000059FA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: EVENTS~1.PDB\|EventServerAPI.pdb source: setup.exe, 00000012.00000003.2402174868.000000000688C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2407110679.000000000688C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2462601860.0000000004180000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\ZGTag.pdb1nDOpP2UNJGYCH45/5DEe6GucGydAu1rBU2he5a6YoA= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: L3FZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/Formulate.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: RunVBA.pdb source: setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ,0CZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/RunVBA.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: -UZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/Old Dll/TCPCommunication.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: CoreAPI.pdb/ source: setup.exe, 00000012.00000003.2397425178.00000000059FA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\Extend Dll\ProfiNet\ProfiNetWrapper.pdbSGqcu7bNm+yWW7wP0eLfvsjEREPP6odqYTcaWtwnNtQ= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: \VCMS3.0\SCADA a\Source\Src\API\Rcw.ServerAPI\obj\Release\Rcw.ServerAPI.pdb source: Rcw.ServerAPI.dll.10.dr
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/RunVBA.pdbvoK source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\CodeBases\isdev\Redist\Language Independent\i386\ISSetup.pdb source: setup.exe, 00000012.00000002.2510020399.000000006CA06000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\zsAlmSvrAcs.pdb2awxTeEDHVYlsXpLWyKiz2mzq4nZm1MoWw9W7FMbyEA= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: program files\ZPMC\SCADA\Bin\zsTrendAcs.pdbI+G7FfrUnOluYmYpbrbEnb4qiqR4WrNepkpF6Ev4JzQ= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: TCPDAS~1.PDB\|TcpDaSvrWrapper.pdbl source: setup.exe, 00000012.00000002.2462601860.0000000004180000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: l1CZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/DaAPIU.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/FuncAPI.pdbl>j' source: 7zG.exe, 0000000A.00000003.1975108571.00000223926B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\CoreAPI.pdbZsrngPsrAYw3dnALGcwBhnneFAw7yX3hZPIBa0BAF1w= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: program files\ZPMC\SCADA\Bin\HDefStruct.pdbCzX7CmJo3nndAcSKDd6IiwVm52t3gaZEeLL/fmDtX1w= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: %ZSNETV~2.PDB\|zsNet.ViewClient_WPF.pdb source: setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: l TCPDAS~1.PDB\|TcpDaSvrWrapper.pdbd source: setup.exe, 00000012.00000003.2073645541.0000000001461000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072971157.000000000145B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/UserControlBase.pdbll source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: PrjMan.pdbS source: setup.exe, 00000012.00000002.2462601860.0000000004180000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: +AZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/CApi.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: ZSTREN~1.PDB\|zsTrendAcs.pdb4m source: setup.exe, 00000012.00000003.2072899743.0000000001497000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2073363822.000000000149F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: h:\nt.obj.x86fre\base\wcp\tools\msmcustomaction\objfre\i386\msmcustomaction.pdb source: setup.exe, 00000012.00000002.2473155026.0000000006210000.00000002.00000001.00040000.00000013.sdmp
Source:	Binary string: CApi.pdb% source: setup.exe, 00000012.00000003.2072971157.000000000146E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2073645541.000000000146E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/zsNet.DefHelp.pdb source: 7zG.exe, 0000000A.00000002.1978052133.00000223926C2000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1974975153.00000223926BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/zsAlarmService.pdbn.batll source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: lWData.pdb source: setup.exe, 00000012.00000003.2072971157.000000000145B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/zsNet.VCMS3ScreenEditor.pdb source: 7zG.exe, 0000000A.00000002.1978052133.00000223926C2000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1974975153.00000223926BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\PrjMan.pdbrDOLbU8cc1ml83UeTt0+XikyAvG2OQD0cGh0VGQIpCw= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/Language.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp, ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: 2DZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/CoreAPI.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: PrjMan.pdb source: setup.exe, 00000012.00000003.2073527832.0000000001475000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072971157.000000000146E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RunVBA.pdbO source: setup.exe, 00000012.00000003.2072971157.000000000145B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cation.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975880145.00000223926BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\PData.pdbA4Wy9NlEX/Q+rrpRP1jkZFKRsinnbvbcZReHO5xRnmA= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/CoreAPI.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: program files\ZPMC\SCADA\Bin\zsUASvrAcs.pdb+214c6Z/f1zI9gpI5wZUr2M2qiKtaS8ks4HHBwKvF8Q= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/EventServerAPI.pdb source: 7zG.exe, 0000000A.00000003.1975989842.00000223926B1000.00000004.00000020.00020000.00000000.sdmp, ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: +Pl"ZSNETE~2.PDB\|zsNet.ElementBase.pdb source: setup.exe, 00000012.00000003.2401667791.000000000691D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2403686348.00000000059C7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/zsEventService.pdb source: 7zG.exe, 0000000A.00000003.1975989842.00000223926B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :LZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/UserControlBase.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/OPCUADaServWrapper.pdbQi source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975880145.00000223926BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/HDefStruct.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926B6000.00000004.00000020.00020000.00000000.sdmp, ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/ZIP.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\DaAPIU.pdbm9rDqcA/83dViPdjMzeA6APZcL5pr7/EW4+Zs8bMbOg= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: PrjMan.pdbP source: setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/zsEventService.pdb/=a} source: 7zG.exe, 0000000A.00000003.1975989842.00000223926B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Rockey4Drv\wdm\enduser\objfre\i386\RockUsb.pdbMZ source: setup.exe, 00000012.00000002.2473155026.0000000006586000.00000002.00000001.00040000.00000013.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/TcpDaSvrWrapper.pdbI.dll source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975880145.00000223926BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: !OPCDAS~1.PDB\|OPCDaServWrapper.pdb source: setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: FuncAPI.pdb source: setup.exe, 00000012.00000002.2462601860.0000000004180000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: +Pl(ZSNETV~1.PDB\|zsNet.VCMS3ScreenEditor.pdb source: setup.exe, 00000012.00000002.2500922986.0000000006997000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2403207427.0000000006997000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RunVBA.pdb- source: setup.exe, 00000012.00000002.2462601860.0000000004180000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ALARMS~2.PDB\|AlarmServerCLR.pdbJ source: setup.exe, 00000012.00000003.2073645541.0000000001461000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072971157.000000000145B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZSSERV~1.PDB\|zsServerHost.pdb M6 source: setup.exe, 00000012.00000003.2407110679.000000000688C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2494402472.000000000688C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\myprogram\CVSProj\ePassSvr\rock_usb\rocknt\objfre\i386\Rockey4.pdb source: 7zG.exe, 0000000A.00000003.1961246630.00000223935F0000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2473155026.000000000656A000.00000002.00000001.00040000.00000013.sdmp
Source:	Binary string: USERCO~1.PDB\|UserControlBase.pdb source: setup.exe, 00000012.00000002.2462601860.0000000004180000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: FmtTxt.pdb source: setup.exe, 00000012.00000002.2468744199.00000000059F9000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2403686348.00000000059FA000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2397425178.00000000059FA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\myprogram\CVSProj\ePassSvr\rock_usb\RockeyCoinstall\objfre\i386\Ry4CoInst.pdbU source: setup.exe, 00000012.00000002.2473155026.0000000006586000.00000002.00000001.00040000.00000013.sdmp
Source:	Binary string: lZGTag.pdb] source: setup.exe, 00000012.00000003.2072971157.000000000145B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: +Pl!ZSNETE~3.PDB\|zsNet.ElementRes.pdb source: setup.exe, 00000012.00000003.2403686348.00000000059C7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/WData.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp, ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: CoreAPI.pdb source: setup.exe, 00000012.00000003.2073527832.0000000001475000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072971157.000000000146E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: +Pl!ZSNETW~1.PDB\|zsNet.WinFormsUI.pdb{ source: setup.exe, 00000012.00000003.2403686348.00000000059C7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: +Pl ZSNETB~1.PDB\|zsNet.BaseClass.pdbfr source: setup.exe, 00000012.00000003.2407110679.000000000688C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/zsTrendAcs.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZSEVEN~1.PDB\|zsEventService.pdb:M source: setup.exe, 00000012.00000003.2402174868.000000000688C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\RunCSharp.pdb/kBWtLYIdGFyw1TN8IvgppV+xPiyfiTKA37Fhqx8swA= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: CApi.pdbc source: setup.exe, 00000012.00000003.2407110679.000000000685B000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2494402472.000000000685B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: OPCUAB~1.PDB\|OPCUABrowse.pdbL source: setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: l ZSNETD~2.PDB\|zsNet.DefStruct.pdb source: setup.exe, 00000012.00000003.2073645541.0000000001461000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072971157.000000000145B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: CApi.pdbW source: setup.exe, 00000012.00000003.2402174868.000000000685B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb source: ISBEW64.exe, 00000015.00000000.2082773856.00007FF79E177000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: v4.0.12737/program files/ZPMC/SCADA/Bin/CoreAPI.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: PData.pdbZ source: setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: DaAPIU.pdb source: setup.exe, 00000012.00000002.2468744199.00000000059F9000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2073527832.0000000001475000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2403686348.00000000059FA000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072971157.000000000146E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2397425178.00000000059FA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 1CZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/PrjMan.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: l!OPCDAS~1.PDB\|OPCDaServWrapper.pdb source: setup.exe, 00000012.00000003.2072899743.0000000001497000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\WndMan.pdbHt0juaJkP9RWSyjP6ddh2NCwzQ51QPDN153JGmQlw1w= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/zsAlarmService.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/HDefStruct.pdbtjy source: 7zG.exe, 0000000A.00000003.1975108571.00000223926B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: +Pl$ZSNETE~4.PDB\|zsNet.EmtProperties.pdb source: setup.exe, 00000012.00000003.2401667791.000000000691D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2403686348.00000000059C7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 7CZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/WndMan.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: D:\myprogram\CVSProj\ePassSvr\rock_usb\enduser\objfre\i386\Rockey4Usb.pdb source: 7zG.exe, 0000000A.00000003.1961246630.00000223935F0000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2473155026.000000000656A000.00000002.00000001.00040000.00000013.sdmp
Source:	Binary string: l ZSNETB~1.PDB\|zsNet.BaseClass.pdb~ source: setup.exe, 00000012.00000003.2073645541.0000000001461000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072971157.000000000145B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\WData.pdbfw7DAyLwrZOpHKBugMNsn9PnzzKhy04OeGteCxLwodQ= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/DataAccess.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926B6000.00000004.00000020.00020000.00000000.sdmp, ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: D:\myprogram\CVSProj\ePassSvr\rock_usb\RockeyCoinstall\objfre\i386\Ry4CoInst.pdb source: setup.exe, 00000012.00000002.2473155026.0000000006586000.00000002.00000001.00040000.00000013.sdmp
Source:	Binary string: \UCDemo\obj\Release\UCDemo.pdb source: UCDemo.dll.10.dr
Source:	Binary string: program files\ZPMC\SCADA\Bin\zsNet.VCMS3ScreenEditor.pdbXOGvZYk0vlYeKtgbpFxATqKl5hRdaVEcyNu4VWZabpg= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: e:\ft_code\drv_proj\drv_rockey4\src\32\vista\coinstall\objfre_wlh_x86\i386\Ry4CoInst.pdb source: setup.exe, 00000012.00000002.2473155026.0000000006586000.00000002.00000001.00040000.00000013.sdmp
Source:	Binary string: MFC80.i386.pdb source: mfc80.dll0.10.dr
Source:	Binary string: EVENTS~1.PDB\|EventServerAPI.pdb& source: setup.exe, 00000012.00000003.2073645541.0000000001461000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072971157.000000000145B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: +Pl ZSNETD~2.PDB\|zsNet.DefStruct.pdb-r3 source: setup.exe, 00000012.00000003.2402174868.000000000688C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\FmtTxt.pdbV8acwzpmdLhyzCZzHlY1SdBfnAX2m51uBTX08ZaJIkw= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: RCWSER~1.PDB\|RCW.ServerAPI.pdbi source: setup.exe, 00000012.00000003.2073645541.0000000001461000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072971157.000000000145B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/PrjMan.pdb$o source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/ziSCADAView.pdbResource/ii source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975880145.00000223926BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/zsNet.ElementBase.pdb source: 7zG.exe, 0000000A.00000003.1974975153.00000223926BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\zsNet.BaseClass.pdbSN7sf2B4S8hse3qg8x6TmaL+Bf/eSHmJZ5tJcuQ5j1Q= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/Rcw.SdAPI.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp, ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: ,2KZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/EventServerAPI.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: program files\ZPMC\SCADA\Bin\Rcw.SdAPI.pdb40zK1l5r1IVdcrGQDHJ4iN46l4k8fYOzRIhRxxxnwzQ= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/ZGTag.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/DataAcsData.pdb source: 7zG.exe, 0000000A.00000003.1975989842.00000223926B1000.00000004.00000020.00020000.00000000.sdmp, ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: ,;JZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/AppServerBase.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: l!ZSNETE~3.PDB\|zsNet.ElementRes.pdbsn source: setup.exe, 00000012.00000003.2072899743.0000000001497000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: L0DZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/FuncAPI.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: program files\ZPMC\SCADA\Bin\FuncAPI.pdbWKZYnfZAIEWhGXdVyaiaSokHV5E7E7ZlmV6HYJegBtg= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: ,<KZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/AlarmServerCLR.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: ZCompEx.pdbu source: setup.exe, 00000012.00000003.2072971157.000000000145B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZSTREN~1.PDB\|zsTrendAcs.pdbRT source: setup.exe, 00000012.00000002.2494402472.0000000006800000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/ziSCADAStudio.pdbb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975880145.00000223926BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: l0KZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/HQueryFacility.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: e:\ft_code\drv_proj\drv_rockey4\src\32\vista\rockey4usb\objfre_wlh_x86\i386\Rockey4Usb.pdbN source: setup.exe, 00000012.00000002.2473155026.0000000006586000.00000002.00000001.00040000.00000013.sdmp
Source:	Binary string: (ZSNETV~1.PDB\|zsNet.VCMS3ScreenEditor.pdb source: setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZSSERV~1.PDB\|zsServerHost.pdb source: setup.exe, 00000012.00000002.2462601860.0000000004180000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: atl80.i386.pdbP source: ATL80.dll1.10.dr, ATL80.dll.10.dr
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/ziSCADAStudio.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975880145.00000223926BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\zsNet.ElementBase.pdbNiyjdKyX7a8HEC+YmrHhkuFzW3XVbkzXmkXmVaVVgJA= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/AlarmServerCLR.pdb# source: 7zG.exe, 0000000A.00000003.1975989842.00000223926B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: !ZSNETW~1.PDB\|zsNet.WinFormsUI.pdbS source: setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\zsNet.DefHelp.pdb0eWCDbSHO7JEy7YoXIT9P99O8c0y+5or4PYNh74/e7w= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: program files\ZPMC\SCADA\Bin\ZiSCADACLR.pdbEmspR26nVl/p6CjI+Ca88ZYZx98nCs2x/urO4shrWkQ= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: APPSER~1.PDB\|AppServerBase.pdb8 source: setup.exe, 00000012.00000002.2462601860.0000000004180000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/zsNet.EmtProperties.pdb source: 7zG.exe, 0000000A.00000002.1978052133.00000223926C2000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1974975153.00000223926BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZGTag.pdb& source: setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/AlarmServerAPI.pdb source: 7zG.exe, 0000000A.00000003.1975989842.00000223926B1000.00000004.00000020.00020000.00000000.sdmp, ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: HDEFST~1.PDB\|HDefStruct.pdb source: setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\ZIP.pdbq5sfofa+Y2MFs2iOa00t1HaHzOIN98Ot9vwlDkRrk7Q= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: program files\ZPMC\SCADA\Bin\TcpDaSvrWrapper.pdbCnburEURX1XwTB0aPCr0gFXIZmgod04xa4BG75GQF1A= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: Windows\winsxs\7z1v718o.6n8\mfc80.dllLib_Net/ImageList/Image_Symbol/history alarm.png.pdb source: 7zG.exe, 0000000A.00000003.1972906042.000002239270E000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975694409.0000022392729000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZISCAD~1.PDB\|ZiSCADACLR.pdbXT source: setup.exe, 00000012.00000002.2494402472.0000000006800000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RUNCSH~1.PDB\|RunCSharp.pdbnT source: setup.exe, 00000012.00000002.2494402472.0000000006800000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\zsNet.WinFormsUI.pdbZECxiRrmzu/5vdGi8uDFbC67nQJlgOV3eE2ny/2AE/A= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: program files\ZPMC\SCADA\Bin\CApi.pdbQp09apawCVncuo0Qwrqgb5Ol7evl+PVgV1vW4z5WqOQ= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/WndMan.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp, ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/ZCompEx.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: +Pl#ZSSCAD~1.PDB\|zsScada.Studio.Net.pdb source: setup.exe, 00000012.00000003.2403686348.00000000059C7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\OPCDaServWrapper.pdbazo9K73ePJp5eaivAnbp6GfrzLa2jQv24ElpUYRYvQw= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: ZISCAD~2.PDB\|ziSCADAServer.pdby source: setup.exe, 00000012.00000002.2462601860.0000000004180000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: +PlPData.pdby source: setup.exe, 00000012.00000002.2462601860.0000000004180000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: APPSER~1.PDB\|AppServerBase.pdb{L source: setup.exe, 00000012.00000003.2402174868.000000000688C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Language.pdbg source: setup.exe, 00000012.00000002.2462601860.0000000004180000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/DaAPIU.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926B6000.00000004.00000020.00020000.00000000.sdmp, ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: program files\ZPMC\SCADA\Bin\AlarmServerAPI.pdb64kiymeQEXcIpRLov4R83UyJhdJQA+RO7a0jZkkoUxw= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/OPCUABrowse.pdb;i source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975880145.00000223926BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: FORMUL~1.PDB\|Formulate.pdb source: setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: l#ZSSCAD~1.PDB\|zsScada.Studio.Net.pdbko source: setup.exe, 00000012.00000003.2072899743.0000000001497000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /HZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/OPCUABrowse.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/ziSCADAServer.pdbb#i source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975880145.00000223926BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZSTREN~1.PDB\|zsTrendAcs.pdb source: setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/ZGTag.pdb@oy source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\AppServerBase.pdbEvzWewnot2TPzs3oa7FUOhJptwLqpR1fenknJjugE4Q= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/RunVBA.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp, ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/AppServerBase.pdb source: 7zG.exe, 0000000A.00000003.1975989842.00000223926B1000.00000004.00000020.00020000.00000000.sdmp, ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: +Pl#OPCUAD~1.PDB\|OPCUADaServWrapper.pdb source: setup.exe, 00000012.00000003.2401667791.000000000691D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2403686348.00000000059C7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/CApi.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: ZSNETD~2.PDB\|zsNet.DefStruct.pdb source: setup.exe, 00000012.00000002.2462601860.0000000004180000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\setup.pdb source: setup.exe, 0000000E.00000000.2048637934.00000000000D5000.00000002.00000001.01000000.00000008.sdmp, setup.exe, 00000012.00000000.2057291118.0000000000435000.00000002.00000001.01000000.00000009.sdmp, setup.exe.10.dr, setup.exe.18.dr
Source:	Binary string: FuncAPI.pdb3 source: setup.exe, 00000012.00000003.2073527832.0000000001475000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072971157.000000000146E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: +Pl PROFIN~1.PDB\|ProfiNetWrapper.pdb source: setup.exe, 00000012.00000003.2402174868.000000000688C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2407110679.000000000688C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2494402472.000000000688C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: OPCUAB~1.PDB\|OPCUABrowse.pdb source: setup.exe, 00000012.00000002.2494402472.0000000006800000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: l!TCPCOM~1.PDB\|TCPCommunication.pdbon source: setup.exe, 00000012.00000003.2072899743.0000000001497000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/FuncAPI.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926B6000.00000004.00000020.00020000.00000000.sdmp, ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Data/Lib_D3/Chassis.Xs.pdb source: 7zG.exe, 0000000A.00000002.1978052133.00000223926C2000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1974975153.00000223926BE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: DATAAC~1.PDB\|DataAccess.pdb$ source: setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZSALMS~1.PDB\|zsAlmSvrAcs.pdb source: setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072899743.0000000001497000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2494402472.0000000006800000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2073363822.000000000149F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\zsNet.ElementRes.pdb1X1+ibGSHroQM719tjh9nJh4Vp/tCeNtFrEy0BKyPRQ= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/Old Dll/TCPCommunication.pdb]i source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975880145.00000223926BB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\DataAccess.pdbdIs9skEwDKWdooU/1ppvkiPmZwuv1nifzUBksCo/Axw= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: program files\ZPMC\SCADA\Bin\HQueryFacility.pdbvCGtZRJsYo5tHe26INmz+mZvUFXFxWORVGbcsdk6TqQ= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: +Pl!ZSNETE~3.PDB\|zsNet.ElementRes.pdbp source: setup.exe, 00000012.00000003.2401667791.000000000691D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: +Pl TCPDAS~1.PDB\|TcpDaSvrWrapper.pdbOM source: setup.exe, 00000012.00000003.2407110679.000000000688C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2494402472.000000000688C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: #ZSSCAD~1.PDB\|zsScada.Studio.Net.pdb source: setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/OPCUADaServWrapper.pdb source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975880145.00000223926BB000.00000004.00000020.00020000.00000000.sdmp, ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: /LZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/TcpDaSvrWrapper.pdb source: ZPMC SCADA Setup v4.0.12737.zip
Source:	Binary string: rp.pdb source: 7zG.exe, 0000000A.00000003.1972809065.0000022392749000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975193758.0000022392749000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1972651086.0000022392737000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: v4.0.12737/program files/ZPMC/SCADA/Bin/Extend Dll/ProfiNet/ProfiNetWrapper.pdb_k source: 7zG.exe, 0000000A.00000003.1975108571.00000223926B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ZSUASV~1.PDB\|zsUASvrAcs.pdbLT source: setup.exe, 00000012.00000002.2494402472.0000000006800000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: l"ZSNETE~2.PDB\|zsNet.ElementBase.pdb source: setup.exe, 00000012.00000003.2073363822.000000000149D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072899743.0000000001497000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Language.pdb% source: setup.exe, 00000012.00000003.2073527832.0000000001475000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072971157.000000000146E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: program files\ZPMC\SCADA\Bin\zsScada.Studio.Net.pdb3B5Byrv6F2DG8fm0vnIpBJ1G7CmgtAdoWL9GaUK5NhQ= source: SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}.19.dr
Source:	Binary string: ZPMC SCADA Setup v4.0.12737/program files/ZPMC/SCADA/Bin/zsUASvrAcs.pdb#o source: 7zG.exe, 0000000A.00000003.1975108571.00000223926BA000.00000004.00000020.00020000.00000000.sdmp, 7zG.exe, 0000000A.00000003.1975061029.00000223926B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HQUERY~1.PDB\|HQueryFacility.pdb{L source: setup.exe, 00000012.00000003.2407110679.000000000688C000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: CSAssemblyLoader.dll.10.dr, AssReflector.cs

.Net Code: Load System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe

Code function: 18_2_070AA750 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

18_2_070AA750

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: 18_2_070AA720 push eax; ret	18_2_070AA74E
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: 18_2_10091A45 push ecx; ret	18_2_10091A58
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: 18_2_1008BE65 push ecx; ret	18_2_1008BE78

Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\msvcm80.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\_isres_0x0409.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISRT.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\program files\ZPMC\SCADA\User\DemoDotNet\Screen\Program\Rcw.ServerAPI.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\7z1v718o.6n8\mfcm80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\Ansi\ATL80.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBD6.tmp	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80ENU.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\pefn04mk.ve6\mfc80ESP.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\pefn04mk.ve6\mfc80KOR.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfcm80u.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\program files\ZPMC\SCADA\User\Demo\Server\AlarmServer\Program\CSProgram.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\_isuser_0x0409.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80FRA.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80JPN.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\5z1v718o.6n8\mfc80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80ITA.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\b2rg91xw.1p4\msvcr80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\53t3z6j5.7ag\ATL80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\pefn04mk.ve6\mfc80CHS.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\ISSetup.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\92rg91xw.1p4\msvcr80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\pefn04mk.ve6\mfc80CHT.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\refn04mk.ve6\mfc80FRA.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\7z1v718o.6n8\mfcm80u.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\program files\ZPMC\SCADA\User\DemoDotNet\Screen\Program\CSAssemblyLoader.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\refn04mk.ve6\mfc80ESP.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\msvcp80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfcm80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\program files\ZPMC\SCADA\User\Demo\UC\UCDemo.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80DEU.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\pefn04mk.ve6\mfc80ENU.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\msvcr80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\refn04mk.ve6\mfc80CHS.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\refn04mk.ve6\mfc80CHT.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\refn04mk.ve6\mfc80DEU.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80ESP.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\pefn04mk.ve6\mfc80FRA.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\refn04mk.ve6\mfc80ITA.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\73t3z6j5.7ag\ATL80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\program files\ZPMC\SCADA\User\DemoDotNet\Screen\Program\CSProgram.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\7z1v718o.6n8\mfc80.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\5z1v718o.6n8\mfcm80.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC44.tmp	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\7z1v718o.6n8\mfc80u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\MSI8A92.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\MSI8A62.tmp	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\refn04mk.ve6\mfc80ENU.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\MSI89B5.tmp	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\b2rg91xw.1p4\msvcm80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\5z1v718o.6n8\mfcm80u.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\ATL80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\92rg91xw.1p4\msvcm80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\refn04mk.ve6\mfc80JPN.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80KOR.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\pefn04mk.ve6\mfc80ITA.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\pefn04mk.ve6\mfc80DEU.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\refn04mk.ve6\mfc80KOR.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1221.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\instdll.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\pefn04mk.ve6\mfc80JPN.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80u.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\5z1v718o.6n8\mfc80u.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\92rg91xw.1p4\msvcp80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80CHT.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80CHS.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\program files\ZPMC\SCADA\User\Demo\Screen\Program\CSProgram.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\b2rg91xw.1p4\msvcp80.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\setup.exe	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBD6.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1221.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC44.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore

Jump to behavior

Source: C:\Windows\System32\SrTasks.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe

Code function: 18_2_10041768 __EH_prolog3,LoadLibraryExW,IsIconic,ShowWindow,

18_2_10041768

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe

Code function: 18_2_10045D87 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

18_2_10045D87

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe

Code function: 18_2_100B53B0 sgdt fword ptr [ebp-08h]

18_2_100B53B0

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe

Code function: 18_2_100B53D0 sldt word ptr [ebp-08h]

18_2_100B53D0

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe

Code function: 18_2_100B5400 str word ptr [ebp-04h]

18_2_100B5400

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\_isres_0x0409.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\msvcm80.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISRT.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\7z1v718o.6n8\mfcm80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\program files\ZPMC\SCADA\User\DemoDotNet\Screen\Program\Rcw.ServerAPI.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\Ansi\ATL80.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIBD6.tmp	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\pefn04mk.ve6\mfc80ESP.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80ENU.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\pefn04mk.ve6\mfc80KOR.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\program files\ZPMC\SCADA\User\Demo\Server\AlarmServer\Program\CSProgram.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfcm80u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\_isuser_0x0409.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80FRA.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80JPN.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\5z1v718o.6n8\mfc80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80ITA.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\b2rg91xw.1p4\msvcr80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\53t3z6j5.7ag\ATL80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\pefn04mk.ve6\mfc80CHS.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\ISSetup.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\pefn04mk.ve6\mfc80CHT.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\refn04mk.ve6\mfc80FRA.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\92rg91xw.1p4\msvcr80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\7z1v718o.6n8\mfcm80u.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\program files\ZPMC\SCADA\User\DemoDotNet\Screen\Program\CSAssemblyLoader.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\refn04mk.ve6\mfc80ESP.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\msvcp80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfcm80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\program files\ZPMC\SCADA\User\Demo\UC\UCDemo.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80DEU.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\pefn04mk.ve6\mfc80ENU.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\msvcr80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\refn04mk.ve6\mfc80CHS.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\refn04mk.ve6\mfc80CHT.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\refn04mk.ve6\mfc80DEU.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80ESP.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\refn04mk.ve6\mfc80ITA.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\pefn04mk.ve6\mfc80FRA.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\73t3z6j5.7ag\ATL80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\program files\ZPMC\SCADA\User\DemoDotNet\Screen\Program\CSProgram.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\7z1v718o.6n8\mfc80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\5z1v718o.6n8\mfcm80.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC44.tmp	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\7z1v718o.6n8\mfc80u.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI8A92.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI8A62.tmp	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\refn04mk.ve6\mfc80ENU.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI89B5.tmp	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\b2rg91xw.1p4\msvcm80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\5z1v718o.6n8\mfcm80u.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\ATL80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\92rg91xw.1p4\msvcm80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\refn04mk.ve6\mfc80JPN.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80KOR.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\pefn04mk.ve6\mfc80ITA.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\pefn04mk.ve6\mfc80DEU.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\refn04mk.ve6\mfc80KOR.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\instdll.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1221.tmp	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\pefn04mk.ve6\mfc80JPN.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\5z1v718o.6n8\mfc80u.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80u.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\92rg91xw.1p4\msvcp80.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80CHT.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80CHS.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\program files\ZPMC\SCADA\User\Demo\Screen\Program\CSProgram.dll	Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\b2rg91xw.1p4\msvcp80.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe

API coverage: 4.9 %

Source: C:\Windows\System32\SrTasks.exe TID: 5076

Thread sleep time: -110000s >= -30000s

Source: C:\Windows\System32\SrTasks.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	File Volume queried: C:\Windows FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: 18_2_1003C60E __EH_prolog3_GS,FindFirstFileW,		18_2_1003C60E
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: 18_2_100B86D3 __EH_prolog3_GS,FindFirstFileW,lstrcmpW,lstrcmpW,FindNextFileW,RemoveDirectoryW,__CxxThrowException@8,DeleteFileW,		18_2_100B86D3

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe

Code function: 18_2_10064701 GetModuleHandleW,GetProcAddress,GetSystemInfo,GetNativeSystemInfo,

18_2_10064701

Source: C:\Program Files\7-Zip\7zG.exe	File opened: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\program files\ZPMC\SCADA\Bin\Extend Dll\ProfiNet	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	File opened: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\program files\ZPMC\SCADA	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	File opened: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\program files\ZPMC\SCADA\Bin	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	File opened: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\program files\ZPMC	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	File opened: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\program files\ZPMC\SCADA\Bin\Extend Dll\View Resource	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	File opened: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\program files\ZPMC\SCADA\Bin\Extend Dll	Jump to behavior

Source: SrTasks.exe, 00000022.00000003.2442781701.000002463890A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963
Source: setup.exe, setup.exe, 00000012.00000002.2505511701.0000000010101000.00000040.00000001.01000000.0000000E.sdmp	Binary or memory string: _GetVirtualMachineType
Source: setup.exe, 00000012.00000003.2391093452.0000000005A36000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0_GetVirtualMachineType
Source: SrTasks.exe, 00000022.00000003.2409334323.0000024638907000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:w
Source: setup.exe, 00000012.00000003.2390078724.0000000004234000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2399754573.0000000004234000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0bIsVirtualMachineWindowPowerI*
Source: setup.exe, setup.exe, 00000012.00000002.2505511701.0000000010101000.00000040.00000001.01000000.0000000E.sdmp, setup.exe, 00000012.00000002.2494402472.0000000006800000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _IsVirtualMachine
Source: setup.exe, 00000012.00000003.2391093452.0000000005A36000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0bIsVirtualMachine=%ldSu
Source: setup.exe, 00000012.00000002.2505511701.0000000010101000.00000040.00000001.01000000.0000000E.sdmp	Binary or memory string: AddIconCallDLLFnComponentViewCreateWindowComponentViewDestroyComponentViewRefreshComponentViewSelectAllComponentViewSetInfoComponentViewSetInfoExCreateFolderDeleteFolderDeleteIconEnableHourGlassEnumFoldersItemsGetCPUTypeGetFontSubGetHandleGetPortsGetSelectedItemStateIsEmptyIsNTAdminIsOSTypeNTIsObjectIsPowerUserLangLoadStringMessageBeepPPathCompactPathPixelPathCrackUrlPathGetDirPathGetDrivePathGetFilePathGetFileExtPathGetFileNamePathGetLongFromShortPathGetPathPathIsValidSyntaxQueryIconReadArrayPropertyReadBoolPropertyReadNumberPropertyReplaceIconShowFolderTextSubSubstituteVerGetFileVersionWriteArrayPropertyWriteBoolPropertyWriteNumberPropertyWriteStringProperty_AppSearch_BrowseForFolder_CCPSearch_CHARArrayToWCHARArray_CalculateAndAddFileCost_CleanupInet_CloseFile_CmdGetHwndDlg_CmdGetMsg_CmdGetParam1_CmdGetParam2_CoGetObject_CompareDWORD_ComponentAddItem_ComponentCompareSizeRequired_ComponentError_ComponentErrorInfo_ComponentFileEnum_ComponentFileInfo_ComponentFilterLanguage_ComponentFilterOS_ComponentGetCost_ComponentGetCostEx_ComponentGetData_ComponentGetItemSize_ComponentGetTotalCost_ComponentGetTotalCostEx_ComponentInitialize_ComponentIsItemSelected_ComponentListItems_ComponentLoadTarget_ComponentMoveData_ComponentPatch_ComponentReinstall_ComponentRemoveAll_ComponentRemoveAllInLogOnly_ComponentSaveTarget_ComponentSelectItem_ComponentSelectNew_ComponentSetData_ComponentSetupTypeEnum_ComponentSetupTypeGetData_ComponentSetupTypeSet_ComponentTotalSize_ComponentTransferData_ComponentUpdate_ComponentValidate_ComponentViewCreate_ComponentViewQueryInfo_CopyBytes_CreateDir_CreateObject_CreateRegistrySet_CreateShellObjects_CtrlGetNotificationCode_CtrlGetParentWindowHelper_CtrlGetSubCommand_CtrlGetUrlForLinkClicked_CtrlSetHtmlContent_CtrlSetMLERichText_DIFxDriverPackageGetPath_DIFxDriverPackageInstall_DIFxDriverPackagePreinstall_DIFxDriverPackageUninstall_DefineDialog_DeleteCHARArray_DialogSetFont_DisableBranding_DisableStatus_Divide_DoInstall_DoSprintf_DotNetCoCreateObject_DotNetUnloadAppDomain_EnableDialogCache_EnablePrevDialog_EnableSkins_EnableStatus_EnableWow64FsRedirection_EndDialog_ExistsDir_ExistsDisk_ExistsFile_ExitInstall_FeatureAddCost_FeatureAddUninstallCost_FeatureGetCost_FeatureInitialize_FeatureSpendCost_FeatureSpendUninstallCost_FileCopy_FloatingPointOperation_GenerateFileMD5SignatureHex_GetByte_GetCurrentDialogName_GetDiskInfo_GetDiskSpaceEx_GetDiskSpaceExEx_GetFont_GetGlobalFlags_GetGlobalMemorySize_GetInetFileSize_GetInetFileTime_GetLine_GetLineSize_GetObject_GetObjectByIndex_GetObjectCount_GetProcessorInfo_GetRunningChildProcess_GetRunningChildProcessEx_GetRunningChildProcessEx2_GetSelectedTreeComponent_GetStandardLangId_GetSupportDir_GetSystemDpi_GetTrueTypeFontFileInfo_GetVirtualMachineType_InetEndofTransfer_InetGetLastError_InetGetNextDisk_InitInstall_IsFontTypefaceNameAvailable_IsInAdminGroup_IsLangSupported_IsSkinLoaded_IsVirtualMachine_IsWindowsME_IsWow64_KillProcesses_ListAddItem_ListAddString_ListCount_ListCreate_ListCurrentIte
Source: setup.exe, 00000012.00000003.2391093452.0000000005A36000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2390078724.0000000004234000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2399754573.0000000004234000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0bIsVirtualMachine
Source: setup.exe, 00000012.00000003.2391093452.0000000005A36000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0_IsVirtualMachineu

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe

API call chain: ExitProcess graph end node

graph_18-57818

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe

Code function: 18_2_100959E2 _memset,IsDebuggerPresent,

18_2_100959E2

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe

Code function: 18_2_100A2FF8 RtlEncodePointer,RtlEncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

18_2_100A2FF8

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe

Code function: 18_2_070AA750 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

18_2_070AA750

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe

Code function: 18_2_100522A9 mov esi, dword ptr fs:[00000030h]

18_2_100522A9

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe

Code function: 18_2_100521D0 GetProcessHeap,RtlAllocateHeap,RtlInterlockedPopEntrySList,RtlInterlockedPopEntrySList,VirtualAlloc,RaiseException,RtlInterlockedPopEntrySList,VirtualFree,RtlInterlockedPushEntrySList,

18_2_100521D0

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe

Code function: 18_2_10092707 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

18_2_10092707

Source: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe

Process created: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe /q"C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}" /IS_temp

Jump to behavior

Source: setup.exe, 00000012.00000000.2057291118.0000000000425000.00000002.00000001.01000000.00000009.sdmp	Binary or memory string: <Shell_TrayWnd0x0409
Source: setup.exe, 00000012.00000002.2511374840.000000006CA73000.00000002.00000001.01000000.0000000B.sdmp, setup.exe, 00000012.00000002.2491949919.0000000006630000.00000002.00000001.00040000.0000000B.sdmp	Binary or memory string: ?OPTYPE_PROGMAN_FIELDSWWW
Source: setup.exe, 00000012.00000002.2472742914.0000000005D10000.00000004.00000800.00040000.00000012.sdmp	Binary or memory string: OPTYPE_PROGMAN
Source: setup.exe, 00000012.00000003.2391093452.00000000059C0000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2468744199.00000000059EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OPTYPE_PROGMANaa>t>U
Source: setup.exe, 00000012.00000002.2468744199.00000000059E8000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2391093452.00000000059C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OPTYPE_PROGMANt.
Source: setup.exe, 0000000E.00000000.2048637934.00000000000D5000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: Shell_TrayWnd0x0409
Source: setup.exe, 00000012.00000003.2397425178.00000000059EA000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2468744199.00000000059E8000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2391093452.00000000059C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OPTYPE_PROGMAN
Source: setup.exe, 00000012.00000002.2510020399.000000006CA06000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: lISLOG_VERSION_INFO..\..\..\Shared\LogServices2\LogDB.cppOPTYPE_PROGMANISLOGDB_USER_PROPERTIEST
Source: setup.exe.10.dr, setup.exe.18.dr	Binary or memory string: AShell_TrayWnd0x0409

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe

Code function: 18_2_100B5450 cpuid

18_2_100B5450

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: GetLocaleInfoA,IsValidCodePage,IsValidLocale,	18_2_070B0380
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: EnumSystemLocalesA,	18_2_070B0BA0
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: EnumSystemLocalesA,	18_2_070B0A00
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: EnumSystemLocalesA,	18_2_070B0610
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,WideCharToMultiByte,	18_2_070B3E50
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: GetLocaleInfoA,	18_2_070B0EA0
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,MultiByteToWideChar,	18_2_070B3CB0
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,GetLocaleInfoW,	18_2_100A1A52
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: EnumSystemLocalesEx,EnumSystemLocalesW,	18_2_100A2787
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: GetLocaleInfoEx,GetLocaleInfoW,	18_2_100A280D
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: GetLocaleInfoW,	18_2_100A1C14
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: EnumSystemLocalesW,	18_2_100A1CC2
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	18_2_100A1D1E
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	18_2_100A1D9B
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,	18_2_100A1E1E
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: GetLocaleInfoW,	18_2_100A2011
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	18_2_100A2139
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	18_2_100A21E6
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: _memset,_TranslateName,_TranslateName,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	18_2_100A22BA

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe

Code function: 18_2_070B33D0 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,__malloc_dbg,

18_2_070B33D0

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe

Code function: 18_2_070A1040 GetVersion,GetCommandLineA,

18_2_070A1040

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Replication Through Removable Media	1 Native API	2 Windows Service	2 Windows Service	21 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	12 Process Injection	4 Virtualization/Sandbox Evasion	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	12 Process Injection	Security Account Manager	4 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Rundll32	Cached Domain Credentials	11 Peripheral Device Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	4 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	35 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 File Deletion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\MSI89B5.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI8A62.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSI8A92.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\ISSetup.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISRT.dll	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\_isres_0x0409.dll	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\instdll.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\setup.exe	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\ATL80.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\Ansi\ATL80.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80CHS.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80CHT.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80DEU.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80ENU.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80ESP.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80FRA.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80ITA.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80JPN.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80KOR.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfc80u.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfcm80.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\mfcm80u.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\msvcm80.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\msvcp80.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\system32\msvcr80.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\53t3z6j5.7ag\ATL80.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\5z1v718o.6n8\mfc80.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\5z1v718o.6n8\mfc80u.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\5z1v718o.6n8\mfcm80.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\5z1v718o.6n8\mfcm80u.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\73t3z6j5.7ag\ATL80.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\7z1v718o.6n8\mfc80.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\7z1v718o.6n8\mfc80u.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\7z1v718o.6n8\mfcm80.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\7z1v718o.6n8\mfcm80u.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\92rg91xw.1p4\msvcm80.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\92rg91xw.1p4\msvcp80.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\92rg91xw.1p4\msvcr80.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\b2rg91xw.1p4\msvcm80.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\b2rg91xw.1p4\msvcp80.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\b2rg91xw.1p4\msvcr80.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\pefn04mk.ve6\mfc80CHS.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\pefn04mk.ve6\mfc80CHT.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\pefn04mk.ve6\mfc80DEU.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\pefn04mk.ve6\mfc80ENU.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\pefn04mk.ve6\mfc80ESP.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\pefn04mk.ve6\mfc80FRA.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\pefn04mk.ve6\mfc80ITA.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\pefn04mk.ve6\mfc80JPN.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\pefn04mk.ve6\mfc80KOR.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\refn04mk.ve6\mfc80CHS.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\refn04mk.ve6\mfc80CHT.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\refn04mk.ve6\mfc80DEU.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\refn04mk.ve6\mfc80ENU.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\refn04mk.ve6\mfc80ESP.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\refn04mk.ve6\mfc80FRA.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\refn04mk.ve6\mfc80ITA.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\refn04mk.ve6\mfc80JPN.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Windows\winsxs\refn04mk.ve6\mfc80KOR.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\program files\ZPMC\SCADA\User\DemoDotNet\Screen\Program\CSAssemblyLoader.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\program files\ZPMC\SCADA\User\DemoDotNet\Screen\Program\Rcw.ServerAPI.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\program files\ZPMC\SCADA\User\Demo\UC\UCDemo.dll	0%	ReversingLabs
C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe	0%	ReversingLabs
C:\Windows\Installer\MSI1221.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIBD6.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIC44.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://www.symauth.com/cps0(	0%	URL Reputation	safe
http://www.symauth.com/rpa00	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
206.23.85.13.in-addr.arpa	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.zpmc.comVERSON	setup.exe, 00000012.00000003.2402174868.00000000068A1000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2407110679.00000000068A2000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2395352507.0000000006877000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2494402472.00000000068A1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.thawte.com/Tha	setup.exe, 00000012.00000003.2390078724.0000000004234000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.zpmc.com	setup.exe, 00000012.00000002.2452182848.00000000013FB000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2073527832.0000000001475000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2402174868.00000000068C1000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2402174868.00000000068A1000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072971157.000000000146E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2407110679.00000000068A2000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2403394781.0000000006954000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2407110679.00000000068C1000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2401094319.0000000006950000.00000004.00000020.00020000.00000000.sdmp, String1033.txt.18.dr	false		unknown
http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d	setup.exe, 0000000E.00000000.2048637934.00000000000D5000.00000002.00000001.01000000.00000008.sdmp, setup.exe, 00000011.00000002.2073364727.00000000000D5000.00000002.00000001.01000000.00000008.sdmp, setup.exe, 00000012.00000002.2446987044.0000000000425000.00000002.00000001.01000000.00000009.sdmp, setup.exe, 00000012.00000000.2057291118.0000000000425000.00000002.00000001.01000000.00000009.sdmp, setup.exe.10.dr, setup.exe.18.dr	false		unknown
ftp://http://HTTP/1.0	mfc80.dll0.10.dr	false		unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	setup.exe, 00000012.00000002.2473155026.00000000062E0000.00000002.00000001.00040000.00000013.sdmp, setup.exe, 00000012.00000002.2473155026.00000000062B6000.00000002.00000001.00040000.00000013.sdmp, MSIC44.tmp.19.dr, MSI8A62.tmp.18.dr	false	URL Reputation: safe	unknown
http://www.flexerasoftware.com0	setup.exe, 00000012.00000002.2473155026.00000000062E0000.00000002.00000001.00040000.00000013.sdmp, setup.exe, 00000012.00000002.2473155026.00000000062B6000.00000002.00000001.00040000.00000013.sdmp, MSIC44.tmp.19.dr, MSI8A62.tmp.18.dr	false		unknown
http://www.symauth.com/cps0(	setup.exe, 00000012.00000002.2473155026.00000000062E0000.00000002.00000001.00040000.00000013.sdmp, setup.exe, 00000012.00000002.2473155026.00000000062B6000.00000002.00000001.00040000.00000013.sdmp, MSIC44.tmp.19.dr, MSI8A62.tmp.18.dr	false	URL Reputation: safe	unknown
http://www.symauth.com/rpa00	setup.exe, 00000012.00000002.2473155026.00000000062E0000.00000002.00000001.00040000.00000013.sdmp, setup.exe, 00000012.00000002.2473155026.00000000062B6000.00000002.00000001.00040000.00000013.sdmp, MSIC44.tmp.19.dr, MSI8A62.tmp.18.dr	false	URL Reputation: safe	unknown
http://ocsp.thawte.com0	setup.exe, 00000012.00000002.2473155026.00000000062E0000.00000002.00000001.00040000.00000013.sdmp, setup.exe, 00000012.00000002.2473155026.00000000062B6000.00000002.00000001.00040000.00000013.sdmp, MSIC44.tmp.19.dr, MSI8A62.tmp.18.dr	false	URL Reputation: safe	unknown
http://www.zpmc.comall	setup.exe, 00000012.00000003.2395352507.0000000006877000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544383
Start date and time:	2024-10-29 10:53:25 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ZPMC SCADA Setup v4.0.12737.zip
Detection:	MAL
Classification:	mal48.rans.evad.winZIP@33/1053@1/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 70% Number of executed functions: 39 Number of non-executed functions: 294
Cookbook Comments:	Found application associated with file extension: .zip

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, VSSVC.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Reached maximum number of file to list during submission archive extraction
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: ZPMC SCADA Setup v4.0.12737.zip

Simulations

Behavior and APIs

Time	Type	Description
05:55:56	API Interceptor	11x Sleep call for process: SrTasks.exe modified

Process:	C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	2.472588577829592
Encrypted:	false
SSDEEP:	192:JBeBls+7BFlZjzhRsZwnx6233A4wVRsZwXM+6kYKLR49B9g6EJD95yewR+x62338:YBnyMRKLR49LWDT4URKLR49LWD
MD5:	15A17F29E26E12A306E1615DCF4C70D6
SHA1:	91E25D400C504B7963CB33135A5BF3ECD87C7E4B
SHA-256:	65A61D9857453B56625A8E9D250249169CBAF3C47ABBE562BF892B04B3734A89
SHA-512:	6736413FB91B9518E6F014470D4A48809C5B2FCFE0C195761E7B1A84220D25ACADB713BF01CBFE59FDF2F872CC26470A4E5926319F9B9E05F7ADA25FF19FC721
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: 7zG.exe, 0000000A.00000003.1975989842.00000223926B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ZPMC SCADA Setup v4.0.12737/Autorun.inf
Source: 7zG.exe, 0000000A.00000003.1975989842.00000223926B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ZPMC SCADA Setup v4.0.12737/Autorun.infOal
Source: ZPMC SCADA Setup v4.0.12737.zip	Binary or memory string: ZPMC SCADA Setup v4.0.12737/Autorun.inf[autorun]
Source: ZPMC SCADA Setup v4.0.12737.zip	Binary or memory string: ZPMC SCADA Setup v4.0.12737/Autorun.inf[autorun]
Source: ZPMC SCADA Setup v4.0.12737.zip	Binary or memory string: 'ZPMC SCADA Setup v4.0.12737/Autorun.inf[autorun]
Source: ZPMC SCADA Setup v4.0.12737.zip	Binary or memory string: 'ZPMC SCADA Setup v4.0.12737/Autorun.inf[autorun]

Source: mfc80.dll0.10.dr	String found in binary or memory: ftp://http://HTTP/1.0
Source: setup.exe, 00000012.00000003.2390078724.0000000004234000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.thawte.com/Tha
Source: setup.exe, 00000012.00000002.2473155026.00000000062E0000.00000002.00000001.00040000.00000013.sdmp, setup.exe, 00000012.00000002.2473155026.00000000062B6000.00000002.00000001.00040000.00000013.sdmp, MSIC44.tmp.19.dr, MSI8A62.tmp.18.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: setup.exe, 00000012.00000002.2473155026.00000000062E0000.00000002.00000001.00040000.00000013.sdmp, setup.exe, 00000012.00000002.2473155026.00000000062B6000.00000002.00000001.00040000.00000013.sdmp, MSIC44.tmp.19.dr, MSI8A62.tmp.18.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: setup.exe, 00000012.00000002.2473155026.00000000062E0000.00000002.00000001.00040000.00000013.sdmp, setup.exe, 00000012.00000002.2473155026.00000000062B6000.00000002.00000001.00040000.00000013.sdmp, MSIC44.tmp.19.dr, MSI8A62.tmp.18.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: setup.exe, 00000012.00000002.2473155026.00000000062E0000.00000002.00000001.00040000.00000013.sdmp, setup.exe, 00000012.00000002.2473155026.00000000062B6000.00000002.00000001.00040000.00000013.sdmp, MSIC44.tmp.19.dr, MSI8A62.tmp.18.dr	String found in binary or memory: http://s2.symcb.com0
Source: setup.exe, 00000012.00000002.2473155026.00000000062E0000.00000002.00000001.00040000.00000013.sdmp, setup.exe, 00000012.00000002.2473155026.00000000062B6000.00000002.00000001.00040000.00000013.sdmp, MSIC44.tmp.19.dr, MSI8A62.tmp.18.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: setup.exe, 00000012.00000002.2473155026.00000000062E0000.00000002.00000001.00040000.00000013.sdmp, setup.exe, 00000012.00000002.2473155026.00000000062B6000.00000002.00000001.00040000.00000013.sdmp, MSIC44.tmp.19.dr, MSI8A62.tmp.18.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: setup.exe, 00000012.00000002.2473155026.00000000062E0000.00000002.00000001.00040000.00000013.sdmp, setup.exe, 00000012.00000002.2473155026.00000000062B6000.00000002.00000001.00040000.00000013.sdmp, MSIC44.tmp.19.dr, MSI8A62.tmp.18.dr	String found in binary or memory: http://sv.symcd.com0&
Source: setup.exe, 00000012.00000002.2473155026.00000000062E0000.00000002.00000001.00040000.00000013.sdmp, setup.exe, 00000012.00000002.2473155026.00000000062B6000.00000002.00000001.00040000.00000013.sdmp, MSIC44.tmp.19.dr, MSI8A62.tmp.18.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: setup.exe, 00000012.00000002.2473155026.00000000062E0000.00000002.00000001.00040000.00000013.sdmp, setup.exe, 00000012.00000002.2473155026.00000000062B6000.00000002.00000001.00040000.00000013.sdmp, MSIC44.tmp.19.dr, MSI8A62.tmp.18.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: setup.exe, 00000012.00000002.2473155026.00000000062E0000.00000002.00000001.00040000.00000013.sdmp, setup.exe, 00000012.00000002.2473155026.00000000062B6000.00000002.00000001.00040000.00000013.sdmp, MSIC44.tmp.19.dr, MSI8A62.tmp.18.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: setup.exe, 00000012.00000002.2473155026.00000000062E0000.00000002.00000001.00040000.00000013.sdmp, setup.exe, 00000012.00000002.2473155026.00000000062B6000.00000002.00000001.00040000.00000013.sdmp, MSIC44.tmp.19.dr, MSI8A62.tmp.18.dr	String found in binary or memory: http://www.flexerasoftware.com0
Source: setup.exe, 0000000E.00000000.2048637934.00000000000D5000.00000002.00000001.01000000.00000008.sdmp, setup.exe, 00000011.00000002.2073364727.00000000000D5000.00000002.00000001.01000000.00000008.sdmp, setup.exe, 00000012.00000002.2446987044.0000000000425000.00000002.00000001.01000000.00000009.sdmp, setup.exe, 00000012.00000000.2057291118.0000000000425000.00000002.00000001.01000000.00000009.sdmp, setup.exe.10.dr, setup.exe.18.dr	String found in binary or memory: http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d
Source: setup.exe, 00000012.00000002.2473155026.00000000062E0000.00000002.00000001.00040000.00000013.sdmp, setup.exe, 00000012.00000002.2473155026.00000000062B6000.00000002.00000001.00040000.00000013.sdmp, MSIC44.tmp.19.dr, MSI8A62.tmp.18.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: setup.exe, 00000012.00000002.2473155026.00000000062E0000.00000002.00000001.00040000.00000013.sdmp, setup.exe, 00000012.00000002.2473155026.00000000062B6000.00000002.00000001.00040000.00000013.sdmp, MSIC44.tmp.19.dr, MSI8A62.tmp.18.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: setup.exe, 00000012.00000002.2452182848.00000000013FB000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2073527832.0000000001475000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2402174868.00000000068C1000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2452182848.0000000001480000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2402174868.00000000068A1000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2072971157.000000000146E000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2407110679.00000000068A2000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2403394781.0000000006954000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2407110679.00000000068C1000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2401094319.0000000006950000.00000004.00000020.00020000.00000000.sdmp, String1033.txt.18.dr	String found in binary or memory: http://www.zpmc.com
Source: setup.exe, 00000012.00000003.2402174868.00000000068A1000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2407110679.00000000068A2000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000003.2395352507.0000000006877000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000012.00000002.2494402472.00000000068A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zpmc.comVERSON
Source: setup.exe, 00000012.00000003.2395352507.0000000006877000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.zpmc.comall
Source: setup.exe, 00000012.00000002.2473155026.00000000062E0000.00000002.00000001.00040000.00000013.sdmp, setup.exe, 00000012.00000002.2473155026.00000000062B6000.00000002.00000001.00040000.00000013.sdmp, MSIC44.tmp.19.dr, MSI8A62.tmp.18.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: setup.exe, 00000012.00000002.2473155026.00000000062E0000.00000002.00000001.00040000.00000013.sdmp, setup.exe, 00000012.00000002.2473155026.00000000062B6000.00000002.00000001.00040000.00000013.sdmp, MSIC44.tmp.19.dr, MSI8A62.tmp.18.dr	String found in binary or memory: https://d.symcb.com/rpa0

Source: C:\Program Files\7-Zip\7zG.exe	File deleted: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\program files\ZPMC\SCADA\Data\Lib_D3\SkyboxTop.jpg	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	File deleted: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\program files\ZPMC\SCADA\Data\Lib_Net\ImageList\ImageList_1\pump1.jpg	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	File deleted: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\program files\ZPMC\SCADA\Data\Lib_Net\ImageList\ImageList_1\naozhong2.jpg	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	File deleted: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\program files\ZPMC\SCADA\Data\Lib_Net\ImageList\ImageList_1\truck2.jpg	Jump to behavior
Source: C:\Program Files\7-Zip\7zG.exe	File deleted: C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\program files\ZPMC\SCADA\Data\Lib_Net\ImageList\ImageList_1\monitor.jpg	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: 18_2_100234D7 GetPropW,NtdllDefWindowProc_W,	18_2_100234D7
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: 18_2_1001C1DF NtdllDefWindowProc_W,	18_2_1001C1DF
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: 18_2_1001C207 NtdllDefWindowProc_W,GetSysColor,	18_2_1001C207
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: 18_2_1007C220 GetPropW,NtdllDefWindowProc_W,BeginPaint,BitBlt,EndPaint,CallWindowProcW,DeleteObject,DeleteDC,RemovePropW,SetWindowLongW,_memset,GetClassNameW,lstrcmpiW,GetWindowLongW,_memset,GetClassNameW,lstrcmpiW,SetBkMode,SetTextColor,lstrcmpiW,SetBkMode,SetTextColor,_memset,GetClassNameW,lstrcmpiW,SetBkMode,SetTextColor,GetStockObject,	18_2_1007C220
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: 18_2_1001C2D0 NtdllDefWindowProc_W,	18_2_1001C2D0
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: 18_2_100222F6 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,	18_2_100222F6

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\420a40.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBD6.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC44.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{DFC48024-1A7F-4AF4-A9BD-19E1C9DE7F55}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1221.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1520.tmp	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: 18_2_070A7730	18_2_070A7730
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: 18_2_070B37B0	18_2_070B37B0
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: 18_2_070A6910	18_2_070A6910
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: 18_2_1008D033	18_2_1008D033
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: 18_2_100B1124	18_2_100B1124
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: 18_2_100A535C	18_2_100A535C
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: 18_2_10045996	18_2_10045996
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: 18_2_100819A0	18_2_100819A0
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: 18_2_100A5E68	18_2_100A5E68
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: 18_2_100A40CE	18_2_100A40CE
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: 18_2_1004C3B7	18_2_1004C3B7
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: 18_2_1009C407	18_2_1009C407
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: 18_2_10084490	18_2_10084490
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: 18_2_10064A20	18_2_10064A20

Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: String function: 070A56E0 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: String function: 1008BF00 appears 55 times
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: String function: 1008ABD5 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: String function: 1008BECA appears 195 times
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: String function: 1008A218 appears 80 times
Source: C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe	Code function: String function: 1008BE97 appears 174 times

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	PC bitmap, Windows 3.x format, 499 x 58 x 24, image size 87002, resolution 5904 x 5904 px/m, cbSize 87056, bits offset 54
Category:	dropped
Size (bytes):	87056
Entropy (8bit):	1.771348664195735
Encrypted:	false
SSDEEP:	192:nSpR+hh3ODQJtOdpKQyLYrNXviuFIShoH20vISmtMzk:S30h3/Qfm8Xv7RhC22I
MD5:	7CDD0F55A4F0076CE8B4F86EF0DC3147
SHA1:	D7964942569E9D62C36A4F1C9CE43465E6E46E75
SHA-256:	1B9B8CF8BC110E6C0E70233C526457FD0832EFD5A2CEF5127DE13B71EA54E749
SHA-512:	CCBF3561527AA7C20FD37EF3040B9C36B8464AAD2079493FBE32261E7ADB6C44D8B50CB9A17AF00517EC46C61E61470BBC3E2BDA73DE09587511C867F8E00E34
Malicious:	false
Preview:	BM.T......6...(.......:............S....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (308), with CRLF line terminators
Category:	dropped
Size (bytes):	22480
Entropy (8bit):	3.4851320007899904
Encrypted:	false
SSDEEP:	384:CTmyuV//BiTbh/YgAwC2WrP2DBWa/Oa0Mhs+XVgv:CT6V//BiXh/t/lWr0aa0Mhs+XVgv
MD5:	A108F0030A2CDA00405281014F897241
SHA1:	D112325FA45664272B08EF5E8FF8C85382EBB991
SHA-256:	8B76DF0FFC9A226B532B60936765B852B89780C6E475C152F7C320E085E43948
SHA-512:	D83894B039316C38915A789920758664257680DCB549A9B740CF5361ADDBEE4D4A96A3FF2999B5D8ACFB1D9336DA055EC20012D29A9F83EE5459F103FBEEC298
Malicious:	false
Preview:	..[.0.x.0.4.0.9.].....1.1.0.0.=.S.e.t.u.p. .I.n.i.t.i.a.l.i.z.a.t.i.o.n. .E.r.r.o.r.....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. .S.e.t.u.p. .i.s. .p.r.e.p.a.r.i.n.g. .t.h.e. .%.2.,. .w.h.i.c.h. .w.i.l.l. .g.u.i.d.e. .y.o.u. .t.h.r.o.u.g.h. .t.h.e. .p.r.o.g.r.a.m. .s.e.t.u.p. .p.r.o.c.e.s.s... . .P.l.e.a.s.e. .w.a.i.t.......1.1.0.3.=.C.h.e.c.k.i.n.g. .O.p.e.r.a.t.i.n.g. .S.y.s.t.e.m. .V.e.r.s.i.o.n.....1.1.0.4.=.C.h.e.c.k.i.n.g. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r. .V.e.r.s.i.o.n.....1.1.0.5.=.C.o.n.f.i.g.u.r.i.n.g. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.....1.1.0.6.=.C.o.n.f.i.g.u.r.i.n.g. .%.s.....1.1.0.7.=.S.e.t.u.p. .h.a.s. .c.o.m.p.l.e.t.e.d. .c.o.n.f.i.g.u.r.i.n.g. .t.h.e. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .o.n. .y.o.u.r. .s.y.s.t.e.m... .T.h.e. .s.y.s.t.e.m. .n.e.e.d.s. .t.o. .b.e. .r.e.s.t.a.r.t.e.d. .i.n. .o.r.d.e.r. .t.o. .c.o.n.t.i.n.u.e. .w.i.t.h. .t.h.e. .i.n.s.t.a.l.l.a.t.i.o.n... .P.l.e.a.s.e. .c.l.i.c.k. .R.e.s.t.a.r.t. .t.o. .r.e.b.o.o.t. .t.h.e. .s.y.s.t.e.m.......1.1.0.8.

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Number of Characters: 0, Last Saved By: InstallShield, Number of Words: 0, Title: Installation Database, Comments: Contact: Your local administrator, Keywords: Installer,MSI,Database, Subject: Blank Project Template, Author: Shanghai ZPMC Electric Co.Ltd, Security: 1, Number of Pages: 200, Name of Creating Application: InstallShield 2018 - Professional Edition 24, Last Saved Time/Date: Wed Jun 5 02:57:46 2019, Create Time/Date: Wed Jun 5 02:57:46 2019, Last Printed: Wed Jun 5 02:57:46 2019, Revision Number: {66DF9F58-4C89-4E3E-AF81-ABF197C1156B}, Code page: 1252, Template: Intel;1033
Category:	dropped
Size (bytes):	3905024
Entropy (8bit):	6.133000677779072
Encrypted:	false
SSDEEP:	98304:x6a1SmKbjgRzVW8iy9zpplkVW8iy9zpGa4Yi:x2IzVW8iy9zppKVW8iy9zpGDYi
MD5:	32F1FFD5853059FE0D14CA8897DA9BE5
SHA1:	AD6B641D75F4596C2B7A1812CE78A315A65EA8AB
SHA-256:	F39C1E9DA463FB7B7791B3DC9C0FBD0FD4528E51BA59212113C1B36994B74762
SHA-512:	56457F8F049A46A8455A2636BF35746D046B2D38C398F7038F7A15027064456E9E65D142C3422710BB273F0FB346D5A07271E0C0BABEE4C250C61C2833D9535C
Malicious:	false
Preview:	......................>...................<...............8...................................Q.......................................................................................................................................................................................................................................................................................................................................................................................................................................;.......................?.......)................................................................................... ......."...#...$...%...&...'...(.......*...+...,...-......./...0...1...2...3...4...5...6...7...>...M...:...<.......=.......A...@...T...B...C...D...E...F...G...H...I...J...K...L...N...>...O...P...Q...R...S...V...U...d...W...X...Y...Z...[...\...]...^..._...`...a...b...c...f...e...t...g...h...i...j...k...l...m...n...o...p...q...r...s...v...u.......w...x...y...z...

File type:	Zip archive data, at least v2.0 to extract, compression method=store
Entropy (8bit):	7.9995921704577455
TrID:	ZIP compressed archive (8000/1) 99.91% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.09%
File name:	ZPMC SCADA Setup v4.0.12737.zip
File size:	75'435'301 bytes
MD5:	8cec6cab7e45958bdda97ddc8bd32d9a
SHA1:	dde365ea81f5dbde959633932a406bd57a3fd42d
SHA256:	e4892a88830b8ff7b8ce8f702573ac331c814a1a7f7a9535f63ca83c53afb716
SHA512:	b569a8ffb6132aad82de1b02bdc04e1ad55d74a6ff3d08390f55e226a63d928bb3a46855d4005128a7cdacbe739dcbfebc447404806a8cdcf17eca0838217cb2
SSDEEP:	1572864:pskSG69VcbHl9IzmxI+SZJuBQaKjeyxNTyRgd9nrvnMxLo4xe:2EzymKYQ5j9xN2R+vnAs
TLSH:	FCF73370DD5A5054F4CC06B426AF8A5AAE55B204F629A6039F7C07FBAD10BDDCBA03D3
File Content Preview:	PK.........Z\Y................ZPMC SCADA Setup v4.0.12737/PK..?...... uH.5I......W..&...ZPMC SCADA Setup v4.0.12737/0x0409.ini....]..........s....z...x.`<.u.N`...K...(.;........!...'...O<.a!...Jg;....:......'qvZ...z...0.B)...MoSI.........<...gf~P..#...L,.

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 10:54:22.605248928 CET	53	65454	162.159.36.2	192.168.2.16
Oct 29, 2024 10:54:23.272658110 CET	63513	53	192.168.2.16	1.1.1.1
Oct 29, 2024 10:54:23.280791998 CET	53	63513	1.1.1.1	192.168.2.16

Target ID:	2
Start time:	05:53:56
Start date:	29/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Imagebase:	0x7ff742980000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	10
Start time:	05:54:51
Start date:	29/10/2024
Path:	C:\Program Files\7-Zip\7zG.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\" -spe -an -ai#7zMap15170:110:7zEvent13957
Imagebase:	0x7a0000
File size:	700'416 bytes
MD5 hash:	50F289DF0C19484E970849AAC4E6F977
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	14
Start time:	05:55:21
Start date:	29/10/2024
Path:	C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe"
Imagebase:	0x60000
File size:	1'070'080 bytes
MD5 hash:	675A00CA73BAF388C0EBF90C0644E8E0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	18
Start time:	05:55:22
Start date:	29/10/2024
Path:	C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe /q"C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\setup.exe" /tempdisk1folder"C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}" /IS_temp
Imagebase:	0x7ff6d4dc0000
File size:	1'070'080 bytes
MD5 hash:	675A00CA73BAF388C0EBF90C0644E8E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Target ID:	19
Start time:	05:55:24
Start date:	29/10/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff7dbd90000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	26
Start time:	05:55:25
Start date:	29/10/2024
Path:	C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{58E35334-6736-4373-BC16-B19DB2B7F3E2}
Imagebase:	0x7ff79e160000
File size:	181'960 bytes
MD5 hash:	82E1A9D1E3D0107F7E1253FA92F86B10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	34
Start time:	05:55:55
Start date:	29/10/2024
Path:	C:\Windows\System32\SrTasks.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
Imagebase:	0x7ff7c4b10000
File size:	59'392 bytes
MD5 hash:	2694D2D28C368B921686FE567BD319EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ZPMC SCADA Setup v4.0.12737.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\8C29.tmp

C:\Users\user\AppData\Local\Temp\MSI89B5.tmp

C:\Users\user\AppData\Local\Temp\MSI8A62.tmp

C:\Users\user\AppData\Local\Temp\MSI8A92.tmp

C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\0x0409.ini

C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\ISSetup.dll

C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\Setup.INI

C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\_ISMSIDEL.INI

C:\Users\user\AppData\Local\Temp\{550D56F5-BA13-447E-836D-F7C9187A59A9}\setup.exe

C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISBEW64.exe

C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\ISRT.dll

C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\String1033.txt

C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\_isres_0x0409.dll

C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\_isuser_0x0409.dll

C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\banner.bmp

C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\instdll.dll

C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\setup.exe

C:\Users\user\AppData\Local\Temp\{E696D1CF-59A2-4CC2-896D-A4083751C8A0}\setup.inx

C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\0x0409.ini

C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Autorun.inf

C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\SCADA 4.0.12.737.msi

C:\Users\user\Desktop\ZPMC SCADA Setup v4.0.12737\Setup.ini

Windows Analysis Report
ZPMC SCADA Setup v4.0.12737.zip

Target ID:	36
Start time:	05:55:57
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding F52714C42576362BF3928B61AE156682
Imagebase:	0x6a0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	8.6%
Signature Coverage:	7%
Total number of Nodes:	2000
Total number of Limit Nodes:	54

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre