Windows Analysis Report Setup.exe

Found inlined nop instructions (likely shell or obfuscated code)

Source: Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source:

Binary string: f:\mydev\inno-download-plugin\unicode\idp.pdb source: Setup.tmp, 00000001.00000002.3285496717.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000001.00000002.3284805123.00000000032CD000.00000002.00000001.01000000.00000006.sdmp, idp.dll.1.dr

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032A3A90 FtpSetCurrentDirectoryW,FtpFindFirstFileW,InternetFindNextFileW,InternetFindNextFileW,InternetCloseHandle,		1_2_032A3A90
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032E6D24 FindFirstFileA,		1_2_032E6D24

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Code function: 4x nop then cmp dword ptr [ebp-08h], 00000000h

1_2_03343D38

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.5:50969

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Code function: 1_2_032A2A20 GetTickCount,GetTickCount,GetTickCount,InternetReadFile,_fwrite,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,

1_2_032A2A20

Source: Setup.tmp, 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmp, Setup.tmp, 00000001.00000002.3283452223.000000000018F000.00000004.00000010.00020000.00000000.sdmp, Setup.tmp, 00000001.00000002.3285496717.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, idp.dll.1.dr	String found in binary or memory: http://bitbucket.org/mitrich_k/inno-download-plugin
Source: Setup.tmp, 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmp, Setup.tmp, 00000001.00000002.3283452223.000000000018F000.00000004.00000010.00020000.00000000.sdmp, Setup.tmp, 00000001.00000002.3285496717.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, idp.dll.1.dr	String found in binary or memory: http://mitrichsoftware.wordpress.comB
Source: Setup.exe, 00000000.00000003.2021421161.0000000002480000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2021667783.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000001.00000000.2022390819.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup.tmp.0.dr	String found in binary or memory: http://restools.hanzify.org/
Source: Setup.exe, 00000000.00000002.3283746507.00000000022B3000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2020688693.0000000002480000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000001.00000003.2023643872.0000000003260000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000001.00000002.3283987069.00000000022A6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dk-soft.org/
Source: Setup.exe, 00000000.00000003.2021421161.0000000002480000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2021667783.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000001.00000000.2022390819.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup.tmp.0.dr	String found in binary or memory: http://www.innosetup.com/
Source: Setup.exe, 00000000.00000003.2021421161.0000000002480000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2021667783.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000001.00000000.2022390819.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: Setup.tmp, 00000001.00000002.3285167977.00000000034E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/vs/16/release/vc_redist.x64.exe

Contains functionality to call native functions

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032E6570 SetWindowLongA,GetWindowLongA,NtdllDefWindowProc_A,	1_2_032E6570
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032E95BC CallWindowProcA,NtdllDefWindowProc_A,	1_2_032E95BC
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F197C NtQueryInformationFile,WideCharToMultiByte,RtlExitUserThread,	1_2_032F197C
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F197A NtQueryInformationFile,WideCharToMultiByte,RtlExitUserThread,	1_2_032F197A
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F1944 NtQuerySystemInformation,	1_2_032F1944

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032C8B05	1_2_032C8B05
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032C227D	1_2_032C227D
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032C2AA9	1_2_032C2AA9
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032BD927	1_2_032BD927
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032C91C9	1_2_032C91C9
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032C19D6	1_2_032C19D6
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032C8081	1_2_032C8081
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032BB0D0	1_2_032BB0D0
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032C1EA9	1_2_032C1EA9
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032C2689	1_2_032C2689
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032C9EC2	1_2_032C9EC2
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032C85C3	1_2_032C85C3
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032BBCE7	1_2_032BBCE7
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0330C360	1_2_0330C360
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_03341220	1_2_03341220
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332E2D8	1_2_0332E2D8
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0330E1F0	1_2_0330E1F0
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_033360E4	1_2_033360E4
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0330C720	1_2_0330C720
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_03340798	1_2_03340798
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332D5B5	1_2_0332D5B5
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0330E590	1_2_0330E590
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0331A46A	1_2_0331A46A
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_03342B49	1_2_03342B49
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332FB98	1_2_0332FB98
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_03308AFA	1_2_03308AFA
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_03341918	1_2_03341918
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332B808	1_2_0332B808
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_03343FC8	1_2_03343FC8
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332BE28	1_2_0332BE28
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0330CED0	1_2_0330CED0
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_03342DE8	1_2_03342DE8
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_03340CDC	1_2_03340CDC

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: String function: 032BB074 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: String function: 033366AC appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: String function: 032EEC74 appears 49 times

PE file contains executable resources (Code or Archives)

Source: Setup.exe	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: Setup.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Setup.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Sample file is different than original file name gathered from version info

Source: Setup.exe, 00000000.00000003.2021421161.0000000002606000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs Setup.exe
Source: Setup.exe, 00000000.00000003.2021667783.000000007FE42000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs Setup.exe

Source: Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: clean9.winEXE@3/9@0/0

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Code function: 1_2_034410C4 EnumWindows,CoCreateInstance,

1_2_034410C4

Source: C:\Users\user\Desktop\Setup.exe

File created: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp

Source: C:\Users\user\Desktop\Setup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\user\Desktop\Setup.exe

Source: unknown	Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp "C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp" /SL5="$2046C,4323117,283648,C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp "C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp" /SL5="$2046C,4323117,283648,C:\Users\user\Desktop\Setup.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: explorerframe.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Window found: window name: TSelectLanguageForm

Contains functionality to dynamically determine API calls

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Setup.exe

Static file information: File size 4938818 > 1048576

Source:

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Code function: 1_2_032C6912 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032BB0B9 push ecx; ret	1_2_032BB0CC
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032B7775 push ecx; ret	1_2_032B7788
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032E9364 push dword ptr [eax+7Fh]; ret	1_2_032E9398
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332B378 push esi; mov dword ptr [esp], ecx	1_2_0332B379
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032E9360 push dword ptr [eax+7Fh]; ret	1_2_032E9363
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032EB340 push 032EB36Ch; ret	1_2_032EB364
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F8354 push 032F83ACh; ret	1_2_032F83A4
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332B398 push eax; mov dword ptr [esp], edi	1_2_0332B57A
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332F388 push eax; mov dword ptr [esp], ecx	1_2_0332FAAB
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032E5390 push 032E53E1h; ret	1_2_032E53D9
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F4204 push 032F4230h; ret	1_2_032F4228
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F4264 push 032F4290h; ret	1_2_032F4288
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F4262 push 032F4290h; ret	1_2_032F4288
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F411C push 032F4148h; ret	1_2_032F4140
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F415C push 032F4188h; ret	1_2_032F4180
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F415A push 032F4188h; ret	1_2_032F4180
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F0158 push 032F0184h; ret	1_2_032F017C
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F4194 push 032F41C0h; ret	1_2_032F41B8
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F41CC push 032F41F8h; ret	1_2_032F41F0
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332F028 push eax; mov dword ptr [esp], esi	1_2_0332F1BF
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F5064 push 032F5090h; ret	1_2_032F5088
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F509C push 032F50C8h; ret	1_2_032F50C0
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F4098 push 032F40C4h; ret	1_2_032F40BC
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032FF098 push 032FF0C4h; ret	1_2_032FF0BC
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F40E4 push 032F4110h; ret	1_2_032F4108
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F50D4 push 032F5100h; ret	1_2_032F50F8
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032EA764 push 032EA7BAh; ret	1_2_032EA7B2
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332E778 push eax; mov dword ptr [esp], edi	1_2_0332ECE6
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332E778 push eax; mov dword ptr [esp], ecx	1_2_0332EF07
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032EA7BC push 032EA7E9h; ret	1_2_032EA7E1
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032E564C push 032E5678h; ret	1_2_032E5670

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\ISDone.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\idp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\WinTB.dll	Jump to dropped file

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Code function: 1_2_032EA7EC GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_032EA7EC

Source: C:\Users\user\Desktop\Setup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\ISDone.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\idp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\WinTB.dll	Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

API coverage: 2.2 %

Queries keyboard layouts

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032A3A90 FtpSetCurrentDirectoryW,FtpFindFirstFileW,InternetFindNextFileW,InternetFindNextFileW,InternetCloseHandle,		1_2_032A3A90
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032E6D24 FindFirstFileA,		1_2_032E6D24

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	API call chain: ExitProcess graph end node

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Code function: 1_2_032B610F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

1_2_032B610F

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Code function: 1_2_032BAB50 GetProcessHeap,

1_2_032BAB50

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032B610F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_032B610F
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032B5D38 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_032B5D38
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032B9C57 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_032B9C57
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032BF4AF __decode_pointer,SetUnhandledExceptionFilter,	1_2_032BF4AF
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032BF48D SetUnhandledExceptionFilter,__encode_pointer,	1_2_032BF48D

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Code function: 1_2_032C68A5 cpuid

1_2_032C68A5

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: GetLocaleInfoA,	1_2_032C12D9
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,	1_2_032C17F3
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: _LcidFromHexString,GetLocaleInfoA,	1_2_032C13BB
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoW_stat,	1_2_032C63ED
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,	1_2_032C0BF4
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,__alloca_probe_16,_malloc,GetLocaleInfoA,MultiByteToWideChar,__freea,	1_2_032C62B2
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: GetLocaleInfoA,	1_2_032C3160
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	1_2_032B7808
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	1_2_032C6709
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	1_2_032C1752
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	1_2_032C17B7
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: GetLocaleInfoA,_xtoa_s@20,	1_2_032B8FF8
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,	1_2_032C0E45
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	1_2_032C1693
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	1_2_032C6565
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	1_2_032C0598
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,	1_2_032C6428
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoA,	1_2_032C0434
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	1_2_032C1451
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: _LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	1_2_032C14C3
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: GetLocaleInfoA,	1_2_032E531C

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Code function: 1_2_032BF38D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

1_2_032BF38D

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Code function: 1_2_032B6F7F GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,GetCurrentThreadId,__freeptd,

1_2_032B6F7F

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Found inlined nop instructions (likely shell or obfuscated code)

Source: Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source:

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032A3A90 FtpSetCurrentDirectoryW,FtpFindFirstFileW,InternetFindNextFileW,InternetFindNextFileW,InternetCloseHandle,		1_2_032A3A90
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032E6D24 FindFirstFileA,		1_2_032E6D24

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Code function: 4x nop then cmp dword ptr [ebp-08h], 00000000h

1_2_03343D38

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.5:50969

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Code function: 1_2_032A2A20 GetTickCount,GetTickCount,GetTickCount,InternetReadFile,_fwrite,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,

1_2_032A2A20

Source: Setup.tmp, 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmp, Setup.tmp, 00000001.00000002.3283452223.000000000018F000.00000004.00000010.00020000.00000000.sdmp, Setup.tmp, 00000001.00000002.3285496717.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, idp.dll.1.dr	String found in binary or memory: http://bitbucket.org/mitrich_k/inno-download-plugin
Source: Setup.tmp, 00000001.00000002.3284842277.00000000032D8000.00000002.00000001.01000000.00000006.sdmp, Setup.tmp, 00000001.00000002.3283452223.000000000018F000.00000004.00000010.00020000.00000000.sdmp, Setup.tmp, 00000001.00000002.3285496717.00000000035A0000.00000004.00001000.00020000.00000000.sdmp, idp.dll.1.dr	String found in binary or memory: http://mitrichsoftware.wordpress.comB
Source: Setup.exe, 00000000.00000003.2021421161.0000000002480000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2021667783.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000001.00000000.2022390819.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup.tmp.0.dr	String found in binary or memory: http://restools.hanzify.org/
Source: Setup.exe, 00000000.00000002.3283746507.00000000022B3000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2020688693.0000000002480000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000001.00000003.2023643872.0000000003260000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000001.00000002.3283987069.00000000022A6000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.dk-soft.org/
Source: Setup.exe, 00000000.00000003.2021421161.0000000002480000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2021667783.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000001.00000000.2022390819.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup.tmp.0.dr	String found in binary or memory: http://www.innosetup.com/
Source: Setup.exe, 00000000.00000003.2021421161.0000000002480000.00000004.00001000.00020000.00000000.sdmp, Setup.exe, 00000000.00000003.2021667783.000000007FCC0000.00000004.00001000.00020000.00000000.sdmp, Setup.tmp, 00000001.00000000.2022390819.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Setup.tmp.0.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: Setup.tmp, 00000001.00000002.3285167977.00000000034E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/vs/16/release/vc_redist.x64.exe

Contains functionality to call native functions

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032E6570 SetWindowLongA,GetWindowLongA,NtdllDefWindowProc_A,	1_2_032E6570
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032E95BC CallWindowProcA,NtdllDefWindowProc_A,	1_2_032E95BC
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F197C NtQueryInformationFile,WideCharToMultiByte,RtlExitUserThread,	1_2_032F197C
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F197A NtQueryInformationFile,WideCharToMultiByte,RtlExitUserThread,	1_2_032F197A
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F1944 NtQuerySystemInformation,	1_2_032F1944

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032C8B05	1_2_032C8B05
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032C227D	1_2_032C227D
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032C2AA9	1_2_032C2AA9
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032BD927	1_2_032BD927
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032C91C9	1_2_032C91C9
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032C19D6	1_2_032C19D6
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032C8081	1_2_032C8081
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032BB0D0	1_2_032BB0D0
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032C1EA9	1_2_032C1EA9
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032C2689	1_2_032C2689
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032C9EC2	1_2_032C9EC2
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032C85C3	1_2_032C85C3
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032BBCE7	1_2_032BBCE7
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0330C360	1_2_0330C360
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_03341220	1_2_03341220
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332E2D8	1_2_0332E2D8
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0330E1F0	1_2_0330E1F0
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_033360E4	1_2_033360E4
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0330C720	1_2_0330C720
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_03340798	1_2_03340798
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332D5B5	1_2_0332D5B5
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0330E590	1_2_0330E590
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0331A46A	1_2_0331A46A
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_03342B49	1_2_03342B49
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332FB98	1_2_0332FB98
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_03308AFA	1_2_03308AFA
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_03341918	1_2_03341918
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332B808	1_2_0332B808
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_03343FC8	1_2_03343FC8
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332BE28	1_2_0332BE28
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0330CED0	1_2_0330CED0
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_03342DE8	1_2_03342DE8
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_03340CDC	1_2_03340CDC

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: String function: 032BB074 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: String function: 033366AC appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: String function: 032EEC74 appears 49 times

PE file contains executable resources (Code or Archives)

Source: Setup.exe	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: Setup.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Setup.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Sample file is different than original file name gathered from version info

Source: Setup.exe, 00000000.00000003.2021421161.0000000002606000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs Setup.exe
Source: Setup.exe, 00000000.00000003.2021667783.000000007FE42000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs Setup.exe

Source: Setup.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: clean9.winEXE@3/9@0/0

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Code function: 1_2_034410C4 EnumWindows,CoCreateInstance,

1_2_034410C4

Source: C:\Users\user\Desktop\Setup.exe

File created: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp

Source: C:\Users\user\Desktop\Setup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: C:\Users\user\Desktop\Setup.exe

File read: C:\Users\user\Desktop\Setup.exe

Source: unknown	Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp "C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp" /SL5="$2046C,4323117,283648,C:\Users\user\Desktop\Setup.exe"
Source: C:\Users\user\Desktop\Setup.exe	Process created: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp "C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp" /SL5="$2046C,4323117,283648,C:\Users\user\Desktop\Setup.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Section loaded: explorerframe.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Window found: window name: TSelectLanguageForm

Contains functionality to dynamically determine API calls

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Setup.exe

Static file information: File size 4938818 > 1048576

Source:

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032BB0B9 push ecx; ret	1_2_032BB0CC
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032B7775 push ecx; ret	1_2_032B7788
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032E9364 push dword ptr [eax+7Fh]; ret	1_2_032E9398
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332B378 push esi; mov dword ptr [esp], ecx	1_2_0332B379
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032E9360 push dword ptr [eax+7Fh]; ret	1_2_032E9363
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032EB340 push 032EB36Ch; ret	1_2_032EB364
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F8354 push 032F83ACh; ret	1_2_032F83A4
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332B398 push eax; mov dword ptr [esp], edi	1_2_0332B57A
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332F388 push eax; mov dword ptr [esp], ecx	1_2_0332FAAB
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032E5390 push 032E53E1h; ret	1_2_032E53D9
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F4204 push 032F4230h; ret	1_2_032F4228
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F4264 push 032F4290h; ret	1_2_032F4288
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F4262 push 032F4290h; ret	1_2_032F4288
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F411C push 032F4148h; ret	1_2_032F4140
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F415C push 032F4188h; ret	1_2_032F4180
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F415A push 032F4188h; ret	1_2_032F4180
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F0158 push 032F0184h; ret	1_2_032F017C
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F4194 push 032F41C0h; ret	1_2_032F41B8
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F41CC push 032F41F8h; ret	1_2_032F41F0
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332F028 push eax; mov dword ptr [esp], esi	1_2_0332F1BF
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F5064 push 032F5090h; ret	1_2_032F5088
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F509C push 032F50C8h; ret	1_2_032F50C0
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F4098 push 032F40C4h; ret	1_2_032F40BC
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032FF098 push 032FF0C4h; ret	1_2_032FF0BC
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F40E4 push 032F4110h; ret	1_2_032F4108
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032F50D4 push 032F5100h; ret	1_2_032F50F8
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032EA764 push 032EA7BAh; ret	1_2_032EA7B2
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332E778 push eax; mov dword ptr [esp], edi	1_2_0332ECE6
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_0332E778 push eax; mov dword ptr [esp], ecx	1_2_0332EF07
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032EA7BC push 032EA7E9h; ret	1_2_032EA7E1
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032E564C push 032E5678h; ret	1_2_032E5670

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\ISDone.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\idp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Setup.exe	File created: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	File created: C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\WinTB.dll	Jump to dropped file

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

1_2_032EA7EC

Source: C:\Users\user\Desktop\Setup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\ISDone.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\idp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-L4NFS.tmp\WinTB.dll	Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

API coverage: 2.2 %

Queries keyboard layouts

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032A3A90 FtpSetCurrentDirectoryW,FtpFindFirstFileW,InternetFindNextFileW,InternetFindNextFileW,InternetCloseHandle,		1_2_032A3A90
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	Code function: 1_2_032E6D24 FindFirstFileA,		1_2_032E6D24

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp	API call chain: ExitProcess graph end node

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp

Code function: 1_2_032B610F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

1_2_032B610F

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\is-U98SO.tmp\Setup.tmp