So, I first started with good, old VirusTotal.
By pasting in the last URL I got, the one which actually downloaded the file from freestockyard..
..I first got a result that showed that 2 / 58 engines considered the site itself to be a "Malware site"
..then, when clicking the URL for downloaded file analysis

..I first got a confirmation of the theory that the .exe file is indeed auto-generated whenever a new download is requested,
seeing how the same URL gave VirusTotal a different "FlvPlayerSetup.exe" with a different SHA-256 hash:
f573eaa6755779582f3d1f94198f0ab1d418314fa76a627d3a6419b8e4bd021a - the SHA-256 hash that my "FlvPlayerSetup.exe" file had
615caceecfbe52e41216279fcc5cc762a9a22d793eeecb7ab3e3f16404419851 - the SHA-256 hash that VirusTotal's "FlvPlayerSetup.exe" file had
Then, it is apparent that several of the scanner engines agree that this is an "InstallCore" installer,
which Wikipedia says is a product of the company ironSource, located in Tel-Aviv, IL
- which seems to be very true, given the "Bestop-app" code signing certificate and all.
So, not Inno Setup, but an "Inno Setup-like" installer, then.
I uploaded the actual .exe file that I downloaded to an analysis site that runs such files in a VM environment and gives very detailed reports.
However, for this particular file, the site was not able to run it properly; it had stopped after a while, coming up with the error message
"The setup files are corrupted. Please obtain a new copy of the program."
Maybe the reason for this was that this .exe file was auto-generated by using some cookie or other ID that is unique for my PC,
so that it will only run properly on my PC.
Unfortunately, that site does not have an option to enter a URL and have a file downloaded.
So - apart from disassembling it - which I find too time-consuming for this thing, this is as far as I can get unless I actually run the file myself.
And I am not that curious - all indications so far tell me that this is software that I would not like to use.
To summarize - I wonder, is this software really so good that it is worthy of the tag "We Recommend:" from the revered NoScript developers..?
My guess is that the "Please, do NOT download this:" or a similar tag might generate at least as many clicks, if not more,
and then you wouldn't have to ..twist the truth so much?
