Edit tour

Windows Analysis Report
SaasAntTransactions-Setup (1).exe

Overview

General Information

Sample name:	SaasAntTransactions-Setup (1).exe
Analysis ID:	1367779
MD5:	b11f2737286c7d5def40591018967a9e
SHA1:	0ae122f676125dec27ca1b2e2ce353e825439686
SHA256:	c4f68fa1668adb315ab6e7d88a3644273d811dd2cc786c8206aef159753c9b7c
Infos:

Detection

RedLine

Score:	46
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	34
Range:	0 - 100

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

May use the Tor software to hide its network traffic

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Yara detected Generic Downloader

Checks for available system drives (often done to infect USB drives)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains long sleeps (>= 3 min)

Creates files inside the system directory

DLL planting / hijacking vulnerabilities found

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries keyboard layouts

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64_ra

SaasAntTransactions-Setup (1).exe (PID: 5364 cmdline: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe MD5: B11F2737286C7D5DEF40591018967A9E)

SaasAntTransactions-Setup.exe (PID: 4220 cmdline: .\SaasAntTransactions-Setup.exe /m="C:\Users\user\Desktop\SAASAN~1.EXE" /k="" MD5: 41C67C2E7C85536894C9E348DA79EC9F)

SaasAntTransactions.exe (PID: 2452 cmdline: "C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe" MD5: 0F6452633C2790B06B482D15C47B5D0A)

msiexec.exe (PID: 1080 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 6652 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 65C17165B9D6E452AFEA89C327EA4A92 MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/ https://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactionsConsole.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactionsConsole.exe	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 23 88 44 24 2B 88 44 24 2F B0 03 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
C:\ProgramData\miaB83E.tmp\data\OFFLINE\67A3EB0F\A9118E7B\SaasAntTransactionsConsole.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\ProgramData\miaB83E.tmp\data\OFFLINE\67A3EB0F\A9118E7B\SaasAntTransactionsConsole.exe	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 23 88 44 24 2B 88 44 24 2F B0 03 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
C:\ProgramData\miaB83E.tmp\data\OFFLINE\1B03632E\F3574DDF\Telerik.Windows.Controls.dll	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.dll	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\ProgramData\{C8F3C76B-9135-4D81-AF4D-D3B6D839248C}\SaasAntTransactions-Setup.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000000.1798730636.0000000000401000.00000020.00000001.01000000.00000005.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.3.SaasAntTransactions-Setup (1).exe.76fb132.15.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.3.SaasAntTransactions-Setup (1).exe.76fb132.15.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1a8ec:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x225e0c:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x232cb8:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x6e8:$s3: 83 EC 38 53 B0 23 88 44 24 2B 88 44 24 2F B0 03 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1c5c6:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1c20c:$s5: delete[] 0x1b6c4:$s6: constructor or from DllMain.
11.2.SaasAntTransactions.exe.1ef20000.10.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.0.SaasAntTransactions-Setup.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: 44212c.rbf (copy)

Virustotal: Detection: 11%

Perma Link

Multi AV Scanner detection for submitted file

Source: SaasAntTransactions-Setup (1).exe

Virustotal: Detection: 13%

Perma Link

Privilege Escalation

DLL planting / hijacking vulnerabilities found

Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	DLL: profapi.dll	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	DLL: C:\Users\user\AppData\Local\IIIQF\7z.dll	Jump to behavior
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	DLL: Wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	DLL: TextShaping.dll	Jump to behavior

Compliance

DLL planting / hijacking vulnerabilities found

Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	DLL: profapi.dll	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	DLL: C:\Users\user\AppData\Local\IIIQF\7z.dll	Jump to behavior
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	DLL: Wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	DLL: TextShaping.dll	Jump to behavior

Uses 32bit PE files

Source: SaasAntTransactions-Setup (1).exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Found installer window with terms and condition text

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe

Window detected: I &accept the license agreementEND USER LICENSE AGREEMENTTHIS END USER LICENSE AGREEMENT (LICENSE AGREEMENT) is a legal document that binds registered users ("User" or "Users") to certain obligations contained herein. You should read this Agreement carefully before accepting its terms. You understand and agree that the software application services described below are provided to Users exclusive under this Agreement by SaasAnt Infotech Pvt Ltd (referred to hereunder as "SaasAnt" "we" or "us"). By clicking the "Agree" check-box you are acknowledging and agreeing that you are eighteen (18) years or older that you have read and understand this Agreement that you agree to be bound by the terms of this Agreement currently in effect and as updated by SaasAnt from time to time.THE AGREEMENTBy downloading installing using or copying the Software you accept and agree to be bound by the terms of this EULA. If you do not agree to all of the terms of this EULA you may not download install use or copy the Software.THE LICENSEThis EULA entitles you to install as many copies of the Software as you want and use the Software for any lawful purpose consistent with this EULA. Your license to use the Software is expressly conditioned upon your agreement to all of the terms of this EULA. This software is licensed not sold. SaasAnt reserves all other rights not granted by this EULA.SOFTWARE UPDATESFrom time to time SaasAnt may provide updates upgrades patches bug fixes and other modifications to improve the Software and related services (Patches). You acknowledge that you may be required to install Patches to continue to access and use the Product and the Product Software. You agree and consent to critical Patches being automatically installed without receiving any additional notice or providing any additional consent.INSTALLATION REPORT You agree and consent to send anonymous installation report automatically after the successful installation. - No personal information is collected.- The data are not sold nor used/given/shared with 3rd parties.- The platform of Google Analytics is used for the data collection and reporting. The privacy and personal data policies of Google's Measurement Protocol are also respected.The data collected are completely anonymous and consist of parameters like the operating system the version of the software the screen resolution the country any errors occurred during the running of the program etc. The same type of data are commonly collected every time you visit anonymously a website.The data are collected for the sole purpose of monitoring the good running of the program and identifying areas for improvement discover incompatibilities with specific operating systems estimate the size of the user base plan and respond to increases in demand estimate the usefulness of the various features of the program etc. Data are transferred directly from the program to the secure platform of Google Analytics. Google Analytics is used as the rep

Creates license or readme file

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe

File created: C:\Users\user\AppData\Local\Temp\mia1\license.rtf

Jump to behavior

PE / OLE file has a valid certificate

Source: SaasAntTransactions-Setup (1).exe

Static PE information: certificate valid

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 45.76.164.236:443 -> 192.168.2.16:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.76.164.236:443 -> 192.168.2.16:49728 version: TLS 1.2

Binary contains paths to debug symbols

Source:	Binary string: msiexec.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000006B10000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\DeveloperTooling_Agent8\_work\89\s\Controls\Input\obj\Release.NoXaml\Telerik.Windows.Controls.Input.pdb source: SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3088836623.000000001EDC2000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: regsip.pdbU source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000006723000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\DeveloperTooling_Agent8\_work\89\s\Controls\GridView\GridView\obj\Release.NoXaml\Telerik.Windows.Controls.GridView.pdb source: SaasAntTransactions.exe, 0000000B.00000002.3111007097.000000001F642000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: MsiInst.pdbU source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000006B10000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: GameuxInstallHelper.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FFC6B000.00000004.00001000.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000000.1801971771.000000000080F000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: gacutil.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FFC6B000.00000004.00001000.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000000.1801971771.000000000080F000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: +;!msiregmv.pdbV source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000006723000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\DeveloperTooling_Agent8\_work\89\s\Controls\ConversationalUI\ConversationalUI\obj\Release.NoXaml\Telerik.Windows.Controls.ConversationalUI.pdb source: SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3081929725.000000001EB82000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: C:\Users\Josh\Projects\CsvHelper\src\CsvHelper\bin\release\net40\CsvHelper.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\projects\exceldatareader\src\ExcelDataReader\obj\Release\net20\ExcelDataReader.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\_oss\common-logging\src\Common.Logging\obj\Release\Common.Logging.pdbt source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\_oss\common-logging\src\Common.Logging.Core\obj\Release\Common.Logging.Core.pdbl< source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\projects\exceldatareader\src\ExcelDataReader.DataSet\obj\Release\net20\ExcelDataReader.DataSet.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msiregmv.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000006723000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\projects\excelnumberformat\src\ExcelNumberFormat\obj\Release\net20\ExcelNumberFormat.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msi.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007F9D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\DeveloperTooling_Agent8\_work\89\s\Controls\GridView\GridView\obj\Release.NoXaml\Telerik.Windows.Controls.GridView.pdbL2 source: SaasAntTransactions.exe, 0000000B.00000002.3111007097.000000001F642000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: c:\_oss\common-logging\src\Common.Logging.Core\obj\Release\Common.Logging.Core.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\GalaSoft\mydotnet\MVVMLight\source\GalaSoft.MvvmLight\GalaSoft.MvvmLight (NET4)\obj\Release\GalaSoft.MvvmLight.pdbh source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3087570744.000000001ED22000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: C:\projects\exceldatareader\src\ExcelDataReader\obj\Release\net20\ExcelDataReader.pdbr; source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\DeveloperTooling_Agent8\_work\89\s\Controls\Data\obj\Release.NoXaml\Telerik.Windows.Controls.Data.pdb source: SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3082925578.000000001EBC2000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: c:\DeveloperTooling_Agent8\_work\89\s\Controls\VirtualGrid\VirtualGrid\obj\Release.NoXaml\Telerik.Windows.Controls.VirtualGrid.pdbl source: SaasAntTransactions.exe, 0000000B.00000002.3090943671.000000001EE62000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: msiregmv.pdbV source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000006723000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: imagehlp.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007A27000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\DeveloperTooling_Agent8\_work\89\s\Core\Controls\obj\Release.NoXaml\Telerik.Windows.Controls.pdb source: SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: c:\DeveloperTooling_Agent8\_work\89\s\Core\Controls\obj\Release.NoXaml\Telerik.Windows.Controls.pdb` source: SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: c:\DeveloperTooling_Agent8\_work\89\s\Controls\ConversationalUI\ConversationalUI\obj\Release.NoXaml\Telerik.Windows.Controls.ConversationalUI.pdbT source: SaasAntTransactions.exe, 0000000B.00000002.3081929725.000000001EB82000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: D:\GalaSoft\mydotnet\MVVMLight\source\GalaSoft.MvvmLight\GalaSoft.MvvmLight.Extras (NET4)\obj\Release\GalaSoft.MvvmLight.Extras.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3087908547.000000001ED42000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: gacutil.pdb(0 source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FFC6B000.00000004.00001000.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000000.1801971771.000000000080F000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: c:\DeveloperTooling_Agent8\_work\89\s\Controls\VirtualGrid\VirtualGrid\obj\Release.NoXaml\Telerik.Windows.Controls.VirtualGrid.pdb source: SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3090943671.000000001EE62000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: c:\DeveloperTooling_Agent8\_work\89\s\Core\Data\obj\Release.NoXaml\Telerik.Windows.Data.pdb@5 source: SaasAntTransactions.exe, 0000000B.00000002.3086206375.000000001ECA2000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007A27000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3057520372.000000001BEF2000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Git\LiteDB\LiteDB\obj\Release\net40\LiteDB.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007A27000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3302804112.0000000029C02000.00000002.00000001.01000000.00000025.sdmp
Source:	Binary string: c:\DeveloperTooling_Agent8\_work\89\s\Controls\Input\obj\Release.NoXaml\Telerik.Windows.Controls.Input.pdbtg source: SaasAntTransactions.exe, 0000000B.00000002.3088836623.000000001EDC2000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\DeveloperTooling_Agent8\_work\89\s\Core\Data\obj\Release.NoXaml\Telerik.Windows.Data.pdb source: SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3086206375.000000001ECA2000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: C:\Users\Josh\Projects\CsvHelper\src\CsvHelper\bin\release\net40\CsvHelper.pdb\I source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: regsip.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000006723000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\DeveloperTooling_Agent8\_work\89\s\Controls\Navigation\obj\Release.NoXaml\Telerik.Windows.Controls.Navigation.pdb source: SaasAntTransactions.exe, 0000000B.00000002.3120537686.000000001F962000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: c:\b\4741\2098\src\intermediate\System.Net.Http.2.0.csproj_f5d23ea6\Release\System.Net.Http.pdb source: SaasAntTransactions.exe, 0000000B.00000002.3305370011.0000000029E02000.00000002.00000001.01000000.00000027.sdmp
Source:	Binary string: gacutil.pdb, AH/@ source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FFC6B000.00000004.00001000.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000000.1801971771.000000000080F000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: D:\GalaSoft\mydotnet\MVVMLight\source\GalaSoft.MvvmLight\GalaSoft.MvvmLight (NET4)\obj\Release\GalaSoft.MvvmLight.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3087570744.000000001ED22000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: msi_l.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\_oss\common-logging\src\Common.Logging\obj\Release\Common.Logging.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\Projects\CommonServiceLocator\main\Microsoft.Practices.ServiceLocation.PortableClassLibrary\obj\Release\Microsoft.Practices.ServiceLocation.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3087769472.000000001ED32000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: imagehlp.pdbMZ source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007A27000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msi.pdbh source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007F9D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Windows.Shell.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3127083082.0000000020482000.00000002.00000001.01000000.00000026.sdmp
Source:	Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007A27000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3057520372.000000001BEF2000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: SaasAntTransactions.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000000.2145737898.00000000008E6000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: MsiInst.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000006B10000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\GalaSoft\mydotnet\MVVMLight\source\GalaSoft.MvvmLight\GalaSoft.MvvmLight.Extras (NET4)\obj\Release\GalaSoft.MvvmLight.Extras.pdbpj source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3087908547.000000001ED42000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: gacutlrc.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FFC6B000.00000004.00001000.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000000.1801971771.000000000080F000.00000002.00000001.01000000.00000005.sdmp

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_6D282A30 _memset,FindFirstFileW,LoadLibraryW,FindClose,FindResourceW,LoadLibraryW,		2_2_6D282A30
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_6D272470 FindClose,FindFirstFileW,FindFirstFileW,		2_2_6D272470

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	File opened: C:\Users\user\AppData	Jump to behavior

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 11.2.SaasAntTransactions.exe.1ef20000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\ProgramData\miaB83E.tmp\data\OFFLINE\1B03632E\F3574DDF\Telerik.Windows.Controls.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.dll, type: DROPPED

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: POST /dt-service/installation/installed HTTP/1.1Accept: application/jsonContent-Type: application/json; charset=utf-8Host: saasant.comContent-Length: 366Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /dt-service/installation/updateInfo?app=1&version=3.1.3.0&out=JSON HTTP/1.1Accept: application/jsonHost: desktop.saasant.comConnection: Keep-Alive

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /dt-service/installation/updateInfo?app=1&version=3.1.3.0&out=JSON HTTP/1.1Accept: application/jsonHost: desktop.saasant.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: saasant.com

Source: unknown

HTTP traffic detected: POST /dt-service/installation/installed HTTP/1.1Accept: application/jsonContent-Type: application/json; charset=utf-8Host: saasant.comContent-Length: 366Expect: 100-continueConnection: Keep-Alive

Source: SaasAntTransactions-Setup.exe, 00000002.00000003.2157723436.000000000338B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: HTTP://WWW.MYWEBSITE.COM/DEFAULT.7ZIPA$;
Source: SaasAntTransactions-Setup.exe, 00000002.00000003.2159937356.00000000028A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: HTTPS://SAASANT.COM/DT-SERVICE/INSTALLATION/UPDATEINFO?APP=1&DESC=$TITLE$&VERSION=$VERSION$&OUT=MIA
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: SaasAntTransactions.exe, 0000000B.00000002.2973722160.0000000003B47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/SaasAntTransactions;component/controls/onboardingcontrol.xamll
Source: SaasAntTransactions.exe, 0000000B.00000002.2973722160.0000000003B47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/controls/onboardingcontrol.baml
Source: SaasAntTransactions.exe, 0000000B.00000002.2973722160.0000000003B47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/controls/onboardingcontrol.bamll
Source: SaasAntTransactions.exe, 0000000B.00000002.2973722160.0000000003B47000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/controls/onboardingcontrol.xaml
Source: SaasAntTransactions.exe	String found in binary or memory: http://logging.apache.org/log4ne
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007A27000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3057520372.000000001BEF2000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://netcommon.sourceforge.net/
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://netcommon.sourceforge.net/B
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://saasant.com/
Source: SaasAntTransactions-Setup.exe, 00000002.00000003.2159937356.0000000002982000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://saasant.com/az
Source: SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.2973722160.0000000003060000.00000004.00000800.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3120537686.000000001F962000.00000002.00000001.01000000.0000001D.sdmp, SaasAntTransactions.exe, 0000000B.00000002.2973722160.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3073876070.000000001E7E2000.00000002.00000001.01000000.00000015.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3103729702.000000001F2E2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://schemas.telerik.com/2008/xaml/compile
Source: SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3103729702.000000001F2E2000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://schemas.telerik.com/2008/xaml/presentation
Source: SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: http://schemas.telerik.com/2008/xaml/presentation#Telerik.Windows.Controls.Primitives
Source: SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: http://schemas.telerik.com/2008/xaml/presentation#Telerik.Windows.Controls.PrimitivesV
Source: SaasAntTransactions.exe, 0000000B.00000002.3120537686.000000001F962000.00000002.00000001.01000000.0000001D.sdmp	String found in binary or memory: http://schemas.telerik.com/2008/xaml/presentation#Telerik.Windows.Controls.RadialMenu
Source: SaasAntTransactions.exe, 0000000B.00000002.3120537686.000000001F962000.00000002.00000001.01000000.0000001D.sdmp	String found in binary or memory: http://schemas.telerik.com/2008/xaml/presentation#Telerik.Windows.Controls.RadialMenuV
Source: SaasAntTransactions.exe, 0000000B.00000002.3111007097.000000001F642000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://schemas.telerik.com/2008/xaml/presentation%Telerik.Windows.Controls.TreeListView
Source: SaasAntTransactions.exe, 0000000B.00000002.3120537686.000000001F962000.00000002.00000001.01000000.0000001D.sdmp	String found in binary or memory: http://schemas.telerik.com/2008/xaml/presentation&Telerik.Windows.Controls.LayoutControl
Source: SaasAntTransactions.exe, 0000000B.00000002.3018293075.0000000006CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: SaasAntTransactions.exe, 0000000B.00000002.3046273465.000000000ECD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: SaasAntTransactions.exe, 0000000B.00000002.3037588109.000000000AE79000.00000004.00000800.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3037588109.000000000AD6E000.00000004.00000800.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3018293075.00000000074D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sha256timestamp.ws.symantec.com/sha256/timestamp
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000006E97000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000000.1798730636.0000000000418000.00000020.00000001.01000000.00000005.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://standards.iso.org/iso/19770/-2/2008/schema.xsd
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2159937356.0000000002982000.00000004.00001000.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://support.saasant.com/
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2159937356.00000000028A9000.00000004.00001000.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://timestamp.globalsign.com/tsa/r6advanced1
Source: SaasAntTransactions.exe	String found in binary or memory: http://www.apache.or
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007A27000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3057520372.000000001BEF2000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://www.apache.org/).
Source: SaasAntTransactions.exe	String found in binary or memory: http://www.apache.org/l
Source: SaasAntTransactions.exe	String found in binary or memory: http://www.apache.org/licen
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007A27000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3057520372.000000001BEF2000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: http://www.apache.org/licenses/
Source: SaasAntTransactions.exe	String found in binary or memory: http://www.apache.org/licenses/LICEN
Source: SaasAntTransactions.exe	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.
Source: SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SaasAntTransactions.exe	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htm
Source: SaasAntTransactions.exe, 0000000B.00000002.3124251402.000000001FBA2000.00000004.00000800.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlhttp://www.apache.org/licenses/LICENSE-2.0.htmlVersio
Source: SaasAntTransactions.exe, 0000000B.00000002.3067183260.000000001C84F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.011k
Source: SaasAntTransactions.exe	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0Robo
Source: SaasAntTransactions.exe	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0Robot
Source: SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0RobotoLight
Source: SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0RobotoMedium
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.codeplex.com/DotNetZip
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3087908547.000000001ED42000.00000002.00000001.01000000.00000021.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3087570744.000000001ED22000.00000002.00000001.01000000.0000001F.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3088007794.000000001ED48000.00000002.00000001.01000000.00000021.sdmp	String found in binary or memory: http://www.galasoft.ch
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3087908547.000000001ED42000.00000002.00000001.01000000.00000021.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3018293075.0000000006CD1000.00000004.00000800.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.2973722160.0000000003046000.00000004.00000800.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000000.2145737898.00000000008E6000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: http://www.galasoft.ch/mvvmlight
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3087570744.000000001ED22000.00000002.00000001.01000000.0000001F.sdmp	String found in binary or memory: http://www.galasoft.ch/s/dialogmessage.
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3087908547.000000001ED42000.00000002.00000001.01000000.00000021.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3087570744.000000001ED22000.00000002.00000001.01000000.0000001F.sdmp	String found in binary or memory: http://www.galasoft.ch4
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3087703824.000000001ED2A000.00000002.00000001.01000000.0000001F.sdmp	String found in binary or memory: http://www.galasoft.chN
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000006E97000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000000.1798730636.000000000078C000.00000020.00000001.01000000.00000005.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FFC6B000.00000004.00001000.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000000.1798730636.0000000000418000.00000020.00000001.01000000.00000005.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.installaware.com/
Source: SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.installaware.com/InstallAware
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000000.1798730636.000000000078C000.00000020.00000001.01000000.00000005.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FFC6B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.installaware.com/buydirect.aspopen
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000000.1798730636.000000000078C000.00000020.00000001.01000000.00000005.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FFC6B000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.installaware.com/x2/
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000000.1722063412.0000000000445000.00000002.00000001.01000000.00000003.sdmp, SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FFC6B000.00000004.00001000.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000000.1801971771.000000000080F000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.installaware.comz
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2159937356.00000000028EE000.00000004.00001000.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2155131713.00000000035DB000.00000004.00001000.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.mywebsite.com/Default.7zip
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.mywebsite.com/Microsoft
Source: SaasAntTransactions.exe	String found in binary or memory: http://www.telerik.co
Source: SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.telerik.com
Source: SaasAntTransactions.exe, 0000000B.00000002.3124251402.000000001FBA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.telerik.com-TelerikWebUI
Source: SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.telerik.com/purchase.aspx?utm_source=trial&utm_medium=dsk&utm_campaign=WPF
Source: SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.telerik.comhttp://www.telerik.comApache
Source: SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: http://www.telerik.comhttp://www.telerik.comTelerikWebUI
Source: SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: https://demos.telerik.com/xaml-sdkbrowser/SDKSamplesBrowser.application
Source: SaasAntTransactions.exe, 0000000B.00000002.2973722160.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://demos.telerik.com/xaml-sdkbrowser/SDKSamplesBrowser.application5
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000000.2145737898.00000000008E6000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://desktop.apps.com/apps/232752#
Source: SaasAntTransactions.exe, 0000000B.00000002.3018293075.0000000006D7E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://desktop.saasant.com
Source: SaasAntTransactions.exe, 0000000B.00000002.3049581161.0000000014CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://desktop.saasant.com/dt-service/conversion/conversion&File
Source: SaasAntTransactions.exe, 0000000B.00000002.3018293075.0000000006CD1000.00000004.00000800.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3049581161.0000000014CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://desktop.saasant.com/dt-service/installation/crashReport
Source: SaasAntTransactions.exe, 0000000B.00000002.3049581161.0000000014CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://desktop.saasant.com/dt-service/installation/releaseNotes?app=APP_ID&version=VERSION&out=JSON
Source: SaasAntTransactions.exe, 0000000B.00000002.3018293075.0000000006D8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://desktop.saasant.com/dt-service/installation/updateInfo?app=1&version=3.1.3.0&out=JSON
Source: SaasAntTransactions.exe, 0000000B.00000002.3049581161.0000000014CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://desktop.saasant.com/dt-service/installation/updateInfo?app=APP_ID&version=VERSION&out=JSON
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000000.2145737898.00000000008E6000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://desktop.saasant.com/quickbooks-desktop-login/login.html
Source: SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: https://dle.telerik.com/metrics/v1/events/callhome
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000000.2145737898.00000000008E6000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://go.mikogo.com/
Source: SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: https://identity.telerik.com/v2/oauth/telerik/token
Source: SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: https://identity.telerik.com/v2/oauth/telerik/token&uri:client.licenser
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.2973722160.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000000.2145737898.00000000008E6000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://portal.saasant.com
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.2973722160.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000000.2145737898.00000000008E6000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://portal.saasant.com/blog/privacy-policy/
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.2973722160.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000000.2145737898.00000000008E6000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://portal.saasant.com/blog/security-policy/
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.2973722160.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000000.2145737898.00000000008E6000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://portal.saasant.com/blog/terms-and-conditions/
Source: SaasAntTransactions.exe, 0000000B.00000002.3037588109.000000000ACD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://saasant.com
Source: SaasAntTransactions.exe, 0000000B.00000002.3046273465.000000000ECD1000.00000004.00000800.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3049581161.0000000014CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://saasant.com/dt-service/installation/installed
Source: SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://saasant.com/dt-service/installation/updateInfo?app=1&desc=$TITLE$&version=$VERSION$&out=MIA
Source: SaasAntTransactions.exe, 0000000B.00000002.3049581161.0000000014CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://saasant.com/dt-service/license/register
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.2973722160.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000000.2145737898.00000000008E6000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://support.saasant.com/support/solutions/14000073957
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000000.2145737898.00000000008E6000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://support.saasant.com/support/solutions/articles/14000096467-how-to-use-lookup-in-saasant-tran
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007A27000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3057520372.000000001BEF2000.00000002.00000001.01000000.00000013.sdmp	String found in binary or memory: https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: SaasAntTransactions.exe, 0000000B.00000000.2145737898.00000000008E6000.00000002.00000001.01000000.00000011.sdmp, SaasAntTransactions.exe, 0000000B.00000002.2973722160.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3049581161.0000000014CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.saasant.com
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000000.2145737898.00000000008E6000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://www.saasant.com/app-saasant-transactions-quickbooks-desktop.html#planList
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.2973722160.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000000.2145737898.00000000008E6000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://www.saasant.com/chat.html
Source: SaasAntTransactions.exe, 0000000B.00000002.2973722160.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3046273465.000000000ECD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.saasant.com/chat.html?ServicePack=No
Source: SaasAntTransactions.exe, 0000000B.00000002.3049581161.0000000014CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.saasant.com/report-issue.html?File=
Source: SaasAntTransactions.exe, 0000000B.00000002.3049581161.0000000014CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.saasant.com/request-demo.html

Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726

Uses secure TLS version for HTTPS connections

Source: unknown	HTTPS traffic detected: 45.76.164.236:443 -> 192.168.2.16:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.76.164.236:443 -> 192.168.2.16:49728 version: TLS 1.2

E-Banking Fraud

Drops certificate files (DER)

Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe

File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\msi.cat

Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.3.SaasAntTransactions-Setup (1).exe.76fb132.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactionsConsole.exe, type: DROPPED	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: C:\ProgramData\miaB83E.tmp\data\OFFLINE\67A3EB0F\A9118E7B\SaasAntTransactionsConsole.exe, type: DROPPED	Matched rule: Detects RedLine infostealer Author: ditekSHen

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\442129.msi

Jump to behavior

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI2233.tmp

Jump to behavior

Detected potential crypto function

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_10001000	2_2_10001000
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_10009028	2_2_10009028
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_10017330	2_2_10017330
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_100153E0	2_2_100153E0
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_1000D450	2_2_1000D450
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_1001E5C3	2_2_1001E5C3
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_10017710	2_2_10017710
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_1001E751	2_2_1001E751
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_1000E770	2_2_1000E770
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_100127E0	2_2_100127E0
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_1001E82B	2_2_1001E82B
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_100178D0	2_2_100178D0
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_1000C8E0	2_2_1000C8E0
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_10014A40	2_2_10014A40
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_1000EB10	2_2_1000EB10
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_1000CCA0	2_2_1000CCA0
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_1001AD1A	2_2_1001AD1A
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_10016D80	2_2_10016D80
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_10017DC0	2_2_10017DC0
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_10012F00	2_2_10012F00
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_10016F80	2_2_10016F80
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_6D274C00	2_2_6D274C00
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_6D26AE70	2_2_6D26AE70
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_6D268AB0	2_2_6D268AB0
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_6D2735F0	2_2_6D2735F0
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_6D266460	2_2_6D266460
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_6D288E1B	2_2_6D288E1B
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_6D27FEE0	2_2_6D27FEE0
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_6D27E950	2_2_6D27E950
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_6D27B9C0	2_2_6D27B9C0
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_6D26B447	2_2_6D26B447
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_6D28E78B	2_2_6D28E78B
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_6D26E670	2_2_6D26E670
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_6D28E6B0	2_2_6D28E6B0
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_6D26D1B0	2_2_6D26D1B0
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Code function: 11_2_1E7E4D7D	11_2_1E7E4D7D
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Code function: 11_2_1EB8AAC2	11_2_1EB8AAC2
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Code function: 11_2_1EBC4F58	11_2_1EBC4F58
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Code function: 11_2_1ECA598C	11_2_1ECA598C
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Code function: 11_2_1ECA5D94	11_2_1ECA5D94
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Code function: 11_2_1ECAF0A0	11_2_1ECAF0A0
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Code function: 11_2_1ECA5369	11_2_1ECA5369
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Code function: 11_2_1ECB0924	11_2_1ECB0924
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Code function: 11_2_1ECAD137	11_2_1ECAD137
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Code function: 11_2_1ED25845	11_2_1ED25845
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Code function: 11_2_1ED439DF	11_2_1ED439DF
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Code function: 11_2_1EDC43AF	11_2_1EDC43AF
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Code function: 11_2_1EDC43A4	11_2_1EDC43A4
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Code function: 11_2_1EE64A7C	11_2_1EE64A7C
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Code function: 11_2_1EE6589D	11_2_1EE6589D
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Code function: 11_2_1EF28B14	11_2_1EF28B14
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Code function: 11_2_1EDC90BE	11_2_1EDC90BE
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Code function: 11_2_1EBC4D54	11_2_1EBC4D54
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Code function: 11_2_1ECA46C6	11_2_1ECA46C6
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Code function: 11_2_1ECA24FC	11_2_1ECA24FC
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Code function: 11_2_1ECA843F	11_2_1ECA843F

Found potential string decryption / allocating functions

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: String function: 6D287AA4 appears 37 times
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: String function: 6D264C80 appears 39 times
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: String function: 10018EB0 appears 95 times

Sample file is different than original file name gathered from version info

Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSaasAntTransactions.exeH vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSaasAntTransactionsConsole.exeV vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecabinet.dll~/ vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCommon.Logging.Core.dllT vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCommon.Logging.dllT vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCsvHelper.dll4 vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDotNetZip.dll@ vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExcelDataReader.DataSet.dllP vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExcelDataReader.dll@ vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameExcelNumberFormat.dllD vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGalaSoft.MvvmLight.dllF vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGalaSoft.MvvmLight.Extras.dllT vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameICSharpCode.SharpZipLib.dll8 vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000006B10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsiexec.exeX vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000006B10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsiexec.exeD vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000006B10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsiinst.exej% vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000006B10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsiinst.exeD vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000006723000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsiregmv.exeX vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000006723000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameregsip.dllD vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000006723000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameregsip.dllX vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007A27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameimagehlp.dllz- vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007A27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameInterop.QBXMLRP2Lib.dll vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007A27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLiteDB.dll. vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007A27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamelog4net.dll0 vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameahadmin_wrapper.dll4 vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameahadmin_.dll4 vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGameuxInstallHelper.DLLb! vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameManagedVCL.Utils.dll8 vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamegacutil.exeT vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamegacutlrc.dllT vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamez vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Practices.ServiceLocation.dllh$ vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Windows.Shell.dllT vs SaasAntTransactions-Setup (1).exe
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007EFC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsi.dllX vs SaasAntTransactions-Setup (1).exe

Tries to load missing DLLs

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior

Uses 32bit PE files

Source: SaasAntTransactions-Setup (1).exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Yara signature match

Source: 0.3.SaasAntTransactions-Setup (1).exe.76fb132.15.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactionsConsole.exe, type: DROPPED	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\ProgramData\miaB83E.tmp\data\OFFLINE\67A3EB0F\A9118E7B\SaasAntTransactionsConsole.exe, type: DROPPED	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073

Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007A27000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3302804112.0000000029C02000.00000002.00000001.01000000.00000025.sdmp	Binary or memory string: .sln
Source: SaasAntTransactions.exe, 0000000B.00000002.3305370011.0000000029E02000.00000002.00000001.01000000.00000027.sdmp	Binary or memory string: c:\b\4741\2098\src\intermediate\System.Net.Http.2.0.csproj_f5d23ea6\Release\System.Net.Http.pdb
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007A27000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3302804112.0000000029C02000.00000002.00000001.01000000.00000025.sdmp	Binary or memory string: .csproj.css
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007A27000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3302804112.0000000029C02000.00000002.00000001.01000000.00000025.sdmp	Binary or memory string: .vbproj.vbs

Source: classification engine

Classification label: mal46.troj.evad.winEXE@7/1366@2/1

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe

Code function: 2_2_6D282980 LoadResource,SizeofResource,LockResource,CreateFileW,WriteFile,FindCloseChangeNotification,DeleteFileW,

2_2_6D282980

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe

File created: C:\Program Files (x86)\SaasAnt Transactions\setup.location

Jump to behavior

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe

File created: C:\Users\user\AppData\Local\IIIQF

Jump to behavior

Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Mutant created: \Sessions\1\BaseNamedObjects\SaasAnt Transactions
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_SaasAntTransactions_saasant.log

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe

File created: C:\Users\user\AppData\Local\Temp\mia1

Jump to behavior

Source: Yara match	File source: 2.0.SaasAntTransactions-Setup.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.1798730636.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\{C8F3C76B-9135-4D81-AF4D-D3B6D839248C}\SaasAntTransactions-Setup.exe, type: DROPPED

Source: SaasAntTransactions-Setup (1).exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\faf93f57aa8c4c5dddd9cd0de441d5a1\mscorlib.ni.dll

Jump to behavior

Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: SaasAntTransactions-Setup.exe, 00000002.00000003.1981553875.0000000006257000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO `Property` ( `Property` , `Value` ) VALUES ( 'P2639F99_1' , 'C:\Program Files (x86)\SaasAnt Transactions' )\|;2
Source: SaasAntTransactions-Setup.exe, 00000002.00000003.1983623125.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1985756838.0000000000C31000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1987328635.0000000000C30000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1981753352.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO `Property` ( `Property` , `Value` ) VALUES ( 'PF89064B2_1' , 'C:\Program Files (x86)\SaasAnt Transactions\Images' );

Source: SaasAntTransactions-Setup (1).exe

Virustotal: Detection: 13%

Source: SaasAntTransactions.exe

String found in binary or memory: {0}<html> <body>

Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe

File read: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Process created: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe .\SaasAntTransactions-Setup.exe /m="C:\Users\user\Desktop\SAASAN~1.EXE" /k=""
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 65C17165B9D6E452AFEA89C327EA4A92
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Process created: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe "C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe"
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Process created: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe .\SaasAntTransactions-Setup.exe /m="C:\Users\user\Desktop\SAASAN~1.EXE" /k=""	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 65C17165B9D6E452AFEA89C327EA4A92	Jump to behavior

Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Jump to behavior

Reads the Windows registered owner settings

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Executable creates window controls seldom found in malware

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe

Window found: window name: TButton

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Found installer window with terms and condition text

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe

Uses Microsoft Silverlight

Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

PE / OLE file has a valid certificate

Source: SaasAntTransactions-Setup (1).exe

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: SaasAntTransactions-Setup (1).exe

Static file information: File size 15152616 > 1048576

Binary contains paths to debug symbols

Source:	Binary string: msiexec.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000006B10000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\DeveloperTooling_Agent8\_work\89\s\Controls\Input\obj\Release.NoXaml\Telerik.Windows.Controls.Input.pdb source: SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3088836623.000000001EDC2000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: regsip.pdbU source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000006723000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\DeveloperTooling_Agent8\_work\89\s\Controls\GridView\GridView\obj\Release.NoXaml\Telerik.Windows.Controls.GridView.pdb source: SaasAntTransactions.exe, 0000000B.00000002.3111007097.000000001F642000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: MsiInst.pdbU source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000006B10000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: GameuxInstallHelper.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FFC6B000.00000004.00001000.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000000.1801971771.000000000080F000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: gacutil.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FFC6B000.00000004.00001000.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000000.1801971771.000000000080F000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: +;!msiregmv.pdbV source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000006723000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\DeveloperTooling_Agent8\_work\89\s\Controls\ConversationalUI\ConversationalUI\obj\Release.NoXaml\Telerik.Windows.Controls.ConversationalUI.pdb source: SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3081929725.000000001EB82000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: C:\Users\Josh\Projects\CsvHelper\src\CsvHelper\bin\release\net40\CsvHelper.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\projects\exceldatareader\src\ExcelDataReader\obj\Release\net20\ExcelDataReader.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\_oss\common-logging\src\Common.Logging\obj\Release\Common.Logging.pdbt source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\_oss\common-logging\src\Common.Logging.Core\obj\Release\Common.Logging.Core.pdbl< source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\projects\exceldatareader\src\ExcelDataReader.DataSet\obj\Release\net20\ExcelDataReader.DataSet.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msiregmv.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000006723000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\projects\excelnumberformat\src\ExcelNumberFormat\obj\Release\net20\ExcelNumberFormat.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msi.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007F9D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\DeveloperTooling_Agent8\_work\89\s\Controls\GridView\GridView\obj\Release.NoXaml\Telerik.Windows.Controls.GridView.pdbL2 source: SaasAntTransactions.exe, 0000000B.00000002.3111007097.000000001F642000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: c:\_oss\common-logging\src\Common.Logging.Core\obj\Release\Common.Logging.Core.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\GalaSoft\mydotnet\MVVMLight\source\GalaSoft.MvvmLight\GalaSoft.MvvmLight (NET4)\obj\Release\GalaSoft.MvvmLight.pdbh source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3087570744.000000001ED22000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: C:\projects\exceldatareader\src\ExcelDataReader\obj\Release\net20\ExcelDataReader.pdbr; source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\DeveloperTooling_Agent8\_work\89\s\Controls\Data\obj\Release.NoXaml\Telerik.Windows.Controls.Data.pdb source: SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3082925578.000000001EBC2000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: c:\DeveloperTooling_Agent8\_work\89\s\Controls\VirtualGrid\VirtualGrid\obj\Release.NoXaml\Telerik.Windows.Controls.VirtualGrid.pdbl source: SaasAntTransactions.exe, 0000000B.00000002.3090943671.000000001EE62000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: msiregmv.pdbV source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000006723000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: imagehlp.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007A27000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\DeveloperTooling_Agent8\_work\89\s\Core\Controls\obj\Release.NoXaml\Telerik.Windows.Controls.pdb source: SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: c:\DeveloperTooling_Agent8\_work\89\s\Core\Controls\obj\Release.NoXaml\Telerik.Windows.Controls.pdb` source: SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: c:\DeveloperTooling_Agent8\_work\89\s\Controls\ConversationalUI\ConversationalUI\obj\Release.NoXaml\Telerik.Windows.Controls.ConversationalUI.pdbT source: SaasAntTransactions.exe, 0000000B.00000002.3081929725.000000001EB82000.00000002.00000001.01000000.0000001B.sdmp
Source:	Binary string: D:\GalaSoft\mydotnet\MVVMLight\source\GalaSoft.MvvmLight\GalaSoft.MvvmLight.Extras (NET4)\obj\Release\GalaSoft.MvvmLight.Extras.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3087908547.000000001ED42000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: gacutil.pdb(0 source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FFC6B000.00000004.00001000.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000000.1801971771.000000000080F000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: c:\DeveloperTooling_Agent8\_work\89\s\Controls\VirtualGrid\VirtualGrid\obj\Release.NoXaml\Telerik.Windows.Controls.VirtualGrid.pdb source: SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3090943671.000000001EE62000.00000002.00000001.01000000.0000001E.sdmp
Source:	Binary string: c:\DeveloperTooling_Agent8\_work\89\s\Core\Data\obj\Release.NoXaml\Telerik.Windows.Data.pdb@5 source: SaasAntTransactions.exe, 0000000B.00000002.3086206375.000000001ECA2000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007A27000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3057520372.000000001BEF2000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: C:\Git\LiteDB\LiteDB\obj\Release\net40\LiteDB.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007A27000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3302804112.0000000029C02000.00000002.00000001.01000000.00000025.sdmp
Source:	Binary string: c:\DeveloperTooling_Agent8\_work\89\s\Controls\Input\obj\Release.NoXaml\Telerik.Windows.Controls.Input.pdbtg source: SaasAntTransactions.exe, 0000000B.00000002.3088836623.000000001EDC2000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\DeveloperTooling_Agent8\_work\89\s\Core\Data\obj\Release.NoXaml\Telerik.Windows.Data.pdb source: SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3086206375.000000001ECA2000.00000002.00000001.01000000.00000019.sdmp
Source:	Binary string: C:\Users\Josh\Projects\CsvHelper\src\CsvHelper\bin\release\net40\CsvHelper.pdb\I source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: regsip.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000006723000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\DeveloperTooling_Agent8\_work\89\s\Controls\Navigation\obj\Release.NoXaml\Telerik.Windows.Controls.Navigation.pdb source: SaasAntTransactions.exe, 0000000B.00000002.3120537686.000000001F962000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: c:\b\4741\2098\src\intermediate\System.Net.Http.2.0.csproj_f5d23ea6\Release\System.Net.Http.pdb source: SaasAntTransactions.exe, 0000000B.00000002.3305370011.0000000029E02000.00000002.00000001.01000000.00000027.sdmp
Source:	Binary string: gacutil.pdb, AH/@ source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FFC6B000.00000004.00001000.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000000.1801971771.000000000080F000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: D:\GalaSoft\mydotnet\MVVMLight\source\GalaSoft.MvvmLight\GalaSoft.MvvmLight (NET4)\obj\Release\GalaSoft.MvvmLight.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3087570744.000000001ED22000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: msi_l.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007C9E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\_oss\common-logging\src\Common.Logging\obj\Release\Common.Logging.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\Projects\CommonServiceLocator\main\Microsoft.Practices.ServiceLocation.PortableClassLibrary\obj\Release\Microsoft.Practices.ServiceLocation.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3087769472.000000001ED32000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: imagehlp.pdbMZ source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007A27000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msi.pdbh source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007F9D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Microsoft.Windows.Shell.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3127083082.0000000020482000.00000002.00000001.01000000.00000026.sdmp
Source:	Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007A27000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3057520372.000000001BEF2000.00000002.00000001.01000000.00000013.sdmp
Source:	Binary string: SaasAntTransactions.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000000.2145737898.00000000008E6000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: MsiInst.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000006B10000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\GalaSoft\mydotnet\MVVMLight\source\GalaSoft.MvvmLight\GalaSoft.MvvmLight.Extras (NET4)\obj\Release\GalaSoft.MvvmLight.Extras.pdbpj source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3087908547.000000001ED42000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: gacutlrc.pdb source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FFC6B000.00000004.00001000.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000000.1801971771.000000000080F000.00000002.00000001.01000000.00000005.sdmp

Data Obfuscation

Contains functionality to dynamically determine API calls

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe

Code function: 2_2_1001D844 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_1001D844

Uses code obfuscation techniques (call, push, ret)

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_10013130 push ecx; mov dword ptr [esp], ecx	2_2_10013131
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_1001D2C0 push eax; ret	2_2_1001D2EE
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_10018EB0 push eax; ret	2_2_10018ECE
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_6D287AE9 push ecx; ret	2_2_6D287AFC
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Code function: 11_2_1E7E20C4 push ebp; iretd	11_2_1E7E20C5
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Code function: 11_2_1EB83BE0 push es; retn 0000h	11_2_1EB83BEB
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Code function: 11_2_1ED46933 push ebx; retf	11_2_1ED46936
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Code function: 11_2_1EF290F9 push es; iretd	11_2_1EF2946B
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Code function: 11_2_1EF2946C push es; iretd	11_2_1EF2946B
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Code function: 11_2_1EF2946C push es; retf 0002h	11_2_1EF294A5
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Code function: 11_2_1EF294A8 push es; retf 0002h	11_2_1EF294A5

Persistence and Installation Behavior

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\GalaSoft.MvvmLight.Extras.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\6A38D2E8\F3574DDF\Telerik.Windows.Documents.Spreadsheet.FormatProviders.Pdf.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\C8694C4A\F3574DDF\Telerik.Windows.Zip.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\NPOI.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\riched20.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\D0DC5192\F3574DDF\Microsoft.Windows.Shell.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\AA301B57\F3574DDF\Telerik.Windows.Controls.VirtualGrid.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\79EF4496\F3574DDF\GalaSoft.MvvmLight.Extras.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\661E908A\F3574DDF\System.Windows.Interactivity.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\80CC9BA\88DA6A7B\SaasAntTransactions.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\System.Net.Http.Primitives.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\ExcelNumberFormat.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactionsConsole.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Themes.Windows7.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\CC802F8F\F3574DDF\DotNetZip.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\riched20.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\Renci.SshNet.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\2639F99\F3574DDF\Telerik.Windows.Controls.Charting.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Documents.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\Interop.QBXMLRP2Lib.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\mspatcha.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\C9CFA174\F3574DDF\System.Net.Http.Primitives.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\901C7C89\F3574DDF\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\GalaSoft.MvvmLight.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.Data.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\imagehlp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\usp10.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\4625E0D0\F3574DDF\SgmlReaderDll.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\sdbapi.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.Chart.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\4AD6D99\F3574DDF\Telerik.Windows.Controls.Chart.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\cabinet.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\System.Net.Http.WebRequest.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\905D63D6\F3574DDF\Telerik.Windows.Documents.Spreadsheet.FormatProviders.OpenXml.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\msimsg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\905D6215\F3574DDF\Telerik.Windows.Controls.Navigation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\System.Runtime.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\ExcelDataReader.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.Charting.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\cabinet.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\Quartz.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\shfolder.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.ConversationalUI.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\msiexec.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\sdbapiU.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\usp10.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\imagehlp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\D3571AAB\F3574DDF\Telerik.Windows.Themes.Windows7.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\FCC6B9D7\F3574DDF\System.Threading.Tasks.dll	Jump to dropped file
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	File created: C:\Users\user\AppData\Local\Temp\mia1\mMSIExec.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\System.Windows.Interactivity.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\msi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\mspatcha.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\msimsg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\A04D6C1D\F3574DDF\log4net.dll	Jump to dropped file
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	File created: C:\Users\user\AppData\Local\Temp\mia1\mDownExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\52098B21\F3574DDF\CsvHelper.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\System.IO.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\1A97511A\F3574DDF\System.Net.Http.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.DataServices.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\msiexec.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.VirtualGrid.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Zip.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\CB29EF87\F3574DDF\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\msisip.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\log4net.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\59E0FAE8\F3574DDF\ExcelDataReader.DataSet.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\D5A26372\F3574DDF\Telerik.Windows.Controls.GridView.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\6A99F5AE\F3574DDF\NLog.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\7703EBBF\F3574DDF\Common.Logging.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\SgmlReaderDll.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\41283706\F3574DDF\Telerik.Windows.Documents.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\System.Net.Http.Extensions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\32755537\F3574DDF\Telerik.Windows.Controls.DataServices.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.Input.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\92A72B5F\F3574DDF\Telerik.Windows.Data.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\msiinst.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\F6E1FDBA\F3574DDF\Microsoft.Practices.ServiceLocation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Documents.Spreadsheet.FormatProviders.Pdf.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\1A3ADFB4\F3574DDF\NPOI.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\3D4D0848\F3574DDF\Telerik.Windows.Documents.Spreadsheet.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI22D0.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\BE04B6CA\F3574DDF\System.Net.Http.Extensions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\EB13BCBE\F3574DDF\System.IO.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\msls31.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\AAB28644\F3574DDF\Telerik.Windows.Controls.Data.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\Common.Logging.Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\E832CDA\A31F71D2\Interop.QBXMLRP2Lib.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\85CA11D2\F3574DDF\System.Runtime.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\7AA45FEF\F3574DDF\Common.Logging.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\B788C7C3\F3574DDF\ExcelDataReader.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\LiteDB.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\67A3EB0F\A9118E7B\SaasAntTransactionsConsole.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\B35D72DF\F3574DDF\Telerik.Windows.Controls.Input.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\msihnd.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mDown.dll\mDownExec.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\System.Threading.Tasks.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.GridView.dll	Jump to dropped file
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	File created: C:\Users\user\AppData\Local\Temp\mia1\mWinRunExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\msls31.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\NLog.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\msihnd.dll	Jump to dropped file
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	File created: C:\ProgramData\{C8F3C76B-9135-4D81-AF4D-D3B6D839248C}\mia.lib	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 44212c.rbf (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\msiinst.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\1B03632E\F3574DDF\Telerik.Windows.Controls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI237E.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\DA156853\F3574DDF\OFXSharp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\System.Net.Http.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\shfolder.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Documents.Spreadsheet.FormatProviders.OpenXml.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\DotNetZip.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI234E.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\6A02C8CD\F3574DDF\Telerik.Windows.Controls.GridView.Export.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2233.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\msi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\msisip.dll	Jump to dropped file
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	File created: C:\ProgramData\{C8F3C76B-9135-4D81-AF4D-D3B6D839248C}\SaasAntTransactions-Setup.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\Common.Logging.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\OFXSharp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Data.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\C86575FB\F3574DDF\Renci.SshNet.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Documents.Spreadsheet.dll	Jump to dropped file
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	File created: C:\Users\user\AppData\Local\IIIQF\7z.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.Navigation.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\EDD15B9F\F3574DDF\Telerik.Windows.Controls.ConversationalUI.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\EEE19DB2\F3574DDF\LiteDB.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\mWinRunExec.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\mia.lib	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\F8ED8800\F3574DDF\Quartz.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\5A32B2FE\F3574DDF\ExcelNumberFormat.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\AA35C740\F3574DDF\System.Net.Http.WebRequest.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\63ADD426\F3574DDF\GalaSoft.MvvmLight.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.GridView.Export.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\Microsoft.Windows.Shell.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\CsvHelper.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\Microsoft.Practices.ServiceLocation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\SaasAnt Transactions\ExcelDataReader.DataSet.dll	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\32755537\F3574DDF\Telerik.Windows.Controls.DataServices.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\92A72B5F\F3574DDF\Telerik.Windows.Data.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\msiinst.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\6A38D2E8\F3574DDF\Telerik.Windows.Documents.Spreadsheet.FormatProviders.Pdf.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\C8694C4A\F3574DDF\Telerik.Windows.Zip.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\F6E1FDBA\F3574DDF\Microsoft.Practices.ServiceLocation.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\riched20.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\1A3ADFB4\F3574DDF\NPOI.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\D0DC5192\F3574DDF\Microsoft.Windows.Shell.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\3D4D0848\F3574DDF\Telerik.Windows.Documents.Spreadsheet.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\AA301B57\F3574DDF\Telerik.Windows.Controls.VirtualGrid.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\79EF4496\F3574DDF\GalaSoft.MvvmLight.Extras.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\EB13BCBE\F3574DDF\System.IO.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\BE04B6CA\F3574DDF\System.Net.Http.Extensions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\661E908A\F3574DDF\System.Windows.Interactivity.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\msls31.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\80CC9BA\88DA6A7B\SaasAntTransactions.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\AAB28644\F3574DDF\Telerik.Windows.Controls.Data.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\E832CDA\A31F71D2\Interop.QBXMLRP2Lib.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\CC802F8F\F3574DDF\DotNetZip.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\riched20.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\7AA45FEF\F3574DDF\Common.Logging.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\85CA11D2\F3574DDF\System.Runtime.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\2639F99\F3574DDF\Telerik.Windows.Controls.Charting.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\B788C7C3\F3574DDF\ExcelDataReader.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\mspatcha.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\C9CFA174\F3574DDF\System.Net.Http.Primitives.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\67A3EB0F\A9118E7B\SaasAntTransactionsConsole.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\901C7C89\F3574DDF\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\imagehlp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mDown.dll\mDownExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\msihnd.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\B35D72DF\F3574DDF\Telerik.Windows.Controls.Input.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\usp10.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\msls31.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\4625E0D0\F3574DDF\SgmlReaderDll.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\sdbapi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\msihnd.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\4AD6D99\F3574DDF\Telerik.Windows.Controls.Chart.dll	Jump to dropped file
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	File created: C:\ProgramData\{C8F3C76B-9135-4D81-AF4D-D3B6D839248C}\mia.lib	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\msiinst.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\1B03632E\F3574DDF\Telerik.Windows.Controls.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\cabinet.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\DA156853\F3574DDF\OFXSharp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\905D63D6\F3574DDF\Telerik.Windows.Documents.Spreadsheet.FormatProviders.OpenXml.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\shfolder.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\msimsg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\905D6215\F3574DDF\Telerik.Windows.Controls.Navigation.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\6A02C8CD\F3574DDF\Telerik.Windows.Controls.GridView.Export.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\msi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\cabinet.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\msisip.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\shfolder.dll	Jump to dropped file
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	File created: C:\ProgramData\{C8F3C76B-9135-4D81-AF4D-D3B6D839248C}\SaasAntTransactions-Setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\msiexec.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\sdbapiU.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\usp10.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\imagehlp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\C86575FB\F3574DDF\Renci.SshNet.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\D3571AAB\F3574DDF\Telerik.Windows.Themes.Windows7.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\FCC6B9D7\F3574DDF\System.Threading.Tasks.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\msi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\mspatcha.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\msimsg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\EDD15B9F\F3574DDF\Telerik.Windows.Controls.ConversationalUI.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\EEE19DB2\F3574DDF\LiteDB.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\A04D6C1D\F3574DDF\log4net.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\52098B21\F3574DDF\CsvHelper.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\mWinRunExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\1A97511A\F3574DDF\System.Net.Http.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\mia.lib	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\msiexec.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\CB29EF87\F3574DDF\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\msisip.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\F8ED8800\F3574DDF\Quartz.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\5A32B2FE\F3574DDF\ExcelNumberFormat.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\59E0FAE8\F3574DDF\ExcelDataReader.DataSet.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\D5A26372\F3574DDF\Telerik.Windows.Controls.GridView.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\6A99F5AE\F3574DDF\NLog.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\AA35C740\F3574DDF\System.Net.Http.WebRequest.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\63ADD426\F3574DDF\GalaSoft.MvvmLight.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\7703EBBF\F3574DDF\Common.Logging.Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\data\OFFLINE\41283706\F3574DDF\Telerik.Windows.Documents.Core.dll	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2233.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI22D0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI237E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI234E.tmp	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	File created: C:\ProgramData\miaB83E.tmp\mia.lib			Jump to dropped file
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	File created: C:\ProgramData\{C8F3C76B-9135-4D81-AF4D-D3B6D839248C}\mia.lib			Jump to dropped file

Creates license or readme file

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe

File created: C:\Users\user\AppData\Local\Temp\mia1\license.rtf

Jump to behavior

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe

Window found: window name: Progman

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Windows\System32\msiexec.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SaasAnt Transactions

Jump to behavior

Hooking and other Techniques for Hiding and Protection

May use the Tor software to hide its network traffic

Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: torConnect

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe

Code function: 11_2_1ED2489D rdtsc

11_2_1ED2489D

Contains long sleeps (>= 3 min)

Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Window / User API: threadDelayed 1131	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Window / User API: threadDelayed 7815	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Window / User API: windowPlacementGot 471	Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\GalaSoft.MvvmLight.Extras.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\6A38D2E8\F3574DDF\Telerik.Windows.Documents.Spreadsheet.FormatProviders.Pdf.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\C8694C4A\F3574DDF\Telerik.Windows.Zip.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\NPOI.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\D0DC5192\F3574DDF\Microsoft.Windows.Shell.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\AA301B57\F3574DDF\Telerik.Windows.Controls.VirtualGrid.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\79EF4496\F3574DDF\GalaSoft.MvvmLight.Extras.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\661E908A\F3574DDF\System.Windows.Interactivity.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\System.Net.Http.Primitives.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\ExcelNumberFormat.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Themes.Windows7.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\Renci.SshNet.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\CC802F8F\F3574DDF\DotNetZip.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\2639F99\F3574DDF\Telerik.Windows.Controls.Charting.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Documents.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\Interop.QBXMLRP2Lib.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\mspatcha.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\C9CFA174\F3574DDF\System.Net.Http.Primitives.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\901C7C89\F3574DDF\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.Data.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\GalaSoft.MvvmLight.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\imagehlp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\4625E0D0\F3574DDF\SgmlReaderDll.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\sdbapi.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.Chart.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\4AD6D99\F3574DDF\Telerik.Windows.Controls.Chart.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\cabinet.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\System.Net.Http.WebRequest.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\905D63D6\F3574DDF\Telerik.Windows.Documents.Spreadsheet.FormatProviders.OpenXml.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\905D6215\F3574DDF\Telerik.Windows.Controls.Navigation.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\msimsg.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\System.Runtime.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\ExcelDataReader.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.Charting.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\Quartz.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\cabinet.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\shfolder.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.ConversationalUI.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\msiexec.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\sdbapiU.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\imagehlp.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\D3571AAB\F3574DDF\Telerik.Windows.Themes.Windows7.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\FCC6B9D7\F3574DDF\System.Threading.Tasks.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\System.Windows.Interactivity.dll	Jump to dropped file
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia1\mMSIExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\mspatcha.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\msimsg.dll	Jump to dropped file
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia1\mDownExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\A04D6C1D\F3574DDF\log4net.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\System.IO.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\52098B21\F3574DDF\CsvHelper.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\1A97511A\F3574DDF\System.Net.Http.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.DataServices.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\msiexec.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.VirtualGrid.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Zip.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\CB29EF87\F3574DDF\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\msisip.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\log4net.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\59E0FAE8\F3574DDF\ExcelDataReader.DataSet.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\D5A26372\F3574DDF\Telerik.Windows.Controls.GridView.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\6A99F5AE\F3574DDF\NLog.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\SgmlReaderDll.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\7703EBBF\F3574DDF\Common.Logging.Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\41283706\F3574DDF\Telerik.Windows.Documents.Core.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\System.Net.Http.Extensions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\32755537\F3574DDF\Telerik.Windows.Controls.DataServices.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.Input.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\92A72B5F\F3574DDF\Telerik.Windows.Data.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\msiinst.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\F6E1FDBA\F3574DDF\Microsoft.Practices.ServiceLocation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Documents.Spreadsheet.FormatProviders.Pdf.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\1A3ADFB4\F3574DDF\NPOI.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\3D4D0848\F3574DDF\Telerik.Windows.Documents.Spreadsheet.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\BE04B6CA\F3574DDF\System.Net.Http.Extensions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\EB13BCBE\F3574DDF\System.IO.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\Common.Logging.Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\AAB28644\F3574DDF\Telerik.Windows.Controls.Data.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\E832CDA\A31F71D2\Interop.QBXMLRP2Lib.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\85CA11D2\F3574DDF\System.Runtime.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\7AA45FEF\F3574DDF\Common.Logging.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\B788C7C3\F3574DDF\ExcelDataReader.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\LiteDB.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mDown.dll\mDownExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\B35D72DF\F3574DDF\Telerik.Windows.Controls.Input.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\msihnd.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.GridView.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\System.Threading.Tasks.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\NLog.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\msihnd.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 44212c.rbf (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\1B03632E\F3574DDF\Telerik.Windows.Controls.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\unicode\msiinst.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI237E.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\DA156853\F3574DDF\OFXSharp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\System.Net.Http.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\shfolder.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Documents.Spreadsheet.FormatProviders.OpenXml.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\DotNetZip.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\6A02C8CD\F3574DDF\Telerik.Windows.Controls.GridView.Export.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\mWinRun.dll\ansi\msisip.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\Common.Logging.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\OFXSharp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Data.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\C86575FB\F3574DDF\Renci.SshNet.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Documents.Spreadsheet.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.Navigation.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\EDD15B9F\F3574DDF\Telerik.Windows.Controls.ConversationalUI.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\EEE19DB2\F3574DDF\LiteDB.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\F8ED8800\F3574DDF\Quartz.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\5A32B2FE\F3574DDF\ExcelNumberFormat.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\AA35C740\F3574DDF\System.Net.Http.WebRequest.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe	Dropped PE file which has not been started: C:\ProgramData\miaB83E.tmp\data\OFFLINE\63ADD426\F3574DDF\GalaSoft.MvvmLight.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.GridView.Export.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\Microsoft.Windows.Shell.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\CsvHelper.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\Microsoft.Practices.ServiceLocation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\SaasAnt Transactions\ExcelDataReader.DataSet.dll	Jump to dropped file

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_2-37285

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe TID: 3480	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe TID: 3480	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe TID: 3480	Thread sleep time: -59847s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe TID: 3480	Thread sleep time: -59724s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe TID: 3480	Thread sleep time: -59601s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe TID: 3480	Thread sleep time: -59486s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe TID: 3480	Thread sleep time: -59362s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe TID: 3480	Thread sleep time: -59235s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe TID: 3480	Thread sleep time: -59124s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe TID: 3480	Thread sleep time: -59012s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe TID: 3480	Thread sleep time: -58898s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe TID: 3480	Thread sleep time: -58788s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe TID: 3480	Thread sleep time: -58674s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe TID: 3480	Thread sleep time: -58549s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe TID: 3480	Thread sleep time: -58422s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe TID: 3480	Thread sleep time: -58312s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe TID: 3480	Thread sleep time: -58202s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe TID: 3480	Thread sleep time: -58100s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe TID: 3480	Thread sleep time: -57978s >= -30000s	Jump to behavior

Queries keyboard layouts

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809			Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809			Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_6D282A30 _memset,FindFirstFileW,LoadLibraryW,FindClose,FindResourceW,LoadLibraryW,		2_2_6D282A30
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_6D272470 FindClose,FindFirstFileW,FindFirstFileW,		2_2_6D272470

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe

Code function: 2_2_10001B41 GetSystemInfo,

2_2_10001B41

Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Thread delayed: delay time: 59847	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Thread delayed: delay time: 59724	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Thread delayed: delay time: 59601	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Thread delayed: delay time: 59486	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Thread delayed: delay time: 59362	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Thread delayed: delay time: 59235	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Thread delayed: delay time: 59124	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Thread delayed: delay time: 59012	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Thread delayed: delay time: 58898	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Thread delayed: delay time: 58788	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Thread delayed: delay time: 58674	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Thread delayed: delay time: 58549	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Thread delayed: delay time: 58422	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Thread delayed: delay time: 58312	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Thread delayed: delay time: 58202	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Thread delayed: delay time: 58100	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Thread delayed: delay time: 57978	Jump to behavior

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	File opened: C:\Users\user\AppData	Jump to behavior

Source: SaasAntTransactions.exe, 0000000B.00000002.3308387851.0000000029F11000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe

API call chain: ExitProcess graph end node

graph_2-37070

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe

Code function: 11_2_1ED2489D rdtsc

11_2_1ED2489D

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe

Code function: 2_2_6D285A8A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

2_2_6D285A8A

Contains functionality to dynamically determine API calls

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe

Code function: 2_2_1001D844 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_1001D844

Enables debug privileges

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_1001B723 SetUnhandledExceptionFilter,	2_2_1001B723
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_1001B735 SetUnhandledExceptionFilter,	2_2_1001B735
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_6D286CD8 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6D286CD8
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_6D285A8A _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6D285A8A
Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe	Code function: 2_2_6D2851C7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6D2851C7

Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: SaasAntTransactions-Setup.exe, 00000002.00000003.2154651438.0000000005E30000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager WindowaIconWindowClass.0C:\Program Files (x86)\SaasAnt Transactions\Data
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000006E97000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000000.1798730636.0000000000418000.00000020.00000001.01000000.00000005.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Progmanadvapi32.dllCreateProcessWithTokenW
Source: SaasAntTransactions-Setup.exe, 00000002.00000003.2154651438.0000000005E30000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Progman UIClassionAreaIconWindowClass.0
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000006E97000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000000.1798730636.0000000000418000.00000020.00000001.01000000.00000005.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ProgmanU
Source: SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000006E97000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000000.1798730636.0000000000418000.00000020.00000001.01000000.00000005.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndU

Language, Device and Operating System Detection

Contains functionality to query locales information (e.g. system language)

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe

Code function: GetLocaleInfoA,

2_2_6D28DEDB

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Program Files (x86)\SaasAnt Transactions\log4net.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Themes.Windows7.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.Chart.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.Data.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Data.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.Input.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.ConversationalUI.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.GridView.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.Navigation.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.VirtualGrid.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Program Files (x86)\SaasAnt Transactions\GalaSoft.MvvmLight.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Program Files (x86)\SaasAnt Transactions\Microsoft.Practices.ServiceLocation.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Program Files (x86)\SaasAnt Transactions\GalaSoft.MvvmLight.Extras.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Program Files (x86)\SaasAnt Transactions\LiteDB.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Program Files (x86)\SaasAnt Transactions\Microsoft.Windows.Shell.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Program Files (x86)\SaasAnt Transactions\System.Net.Http.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Program Files (x86)\SaasAnt Transactions\Newtonsoft.Json.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemData\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemData.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXmlLinq\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXmlLinq.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe

Code function: 2_2_6D27B9C0 GetLastError,__CxxThrowException@8,GetSystemTime,SystemTimeToFileTime,GetLastError,GetLastError,LoadLibraryW,GetProcAddress,GetLastError,FreeLibrary,GetLastError,SetCurrentDirectoryW,FreeLibrary,GetLastError,FreeLibrary,

2_2_6D27B9C0

Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe

Code function: 2_2_10019EFC GetVersion,GetCommandLineA,

2_2_10019EFC

Source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 0.3.SaasAntTransactions-Setup (1).exe.76fb132.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactionsConsole.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\miaB83E.tmp\data\OFFLINE\67A3EB0F\A9118E7B\SaasAntTransactionsConsole.exe, type: DROPPED

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 0.3.SaasAntTransactions-Setup (1).exe.76fb132.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactionsConsole.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\miaB83E.tmp\data\OFFLINE\67A3EB0F\A9118E7B\SaasAntTransactionsConsole.exe, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
1 Replication Through Removable Media	231 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	1 Replication Through Removable Media	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	2 Native API	1 DLL Search Order Hijacking	1 DLL Search Order Hijacking	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Encrypted Channel	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	2 Process Injection	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Multi-hop Proxy			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	57 System Information Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	3 Non-Application Layer Protocol			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Search Order Hijacking	LSA Secrets	1 Query Registry	SSH	Keylogging	Scheduled Transfer	4 Application Layer Protocol			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	441 Security Software Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	1 Proxy			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	32 Masquerading	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS
Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	241 Virtualization/Sandbox Evasion	Proc Filesystem	241 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Exfiltration Over Alternative Protocol	Application Layer Protocol			Defacement	Serverless	Network Trust Dependencies
Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Web Protocols			Internal Defacement	Malvertising	Network Topology
Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	2 System Owner/User Discovery	Shared Webroot	Local Data Staging	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	File Transfer Protocols			External Defacement	Compromise Infrastructure	IP Addresses

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SaasAntTransactions-Setup (1).exe	14%	Virustotal		Browse
SaasAntTransactions-Setup (1).exe	9%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Link
44212c.rbf (copy)	9%	ReversingLabs
44212c.rbf (copy)	11%	Virustotal	Browse
C:\Program Files (x86)\SaasAnt Transactions\Common.Logging.Core.dll	0%	ReversingLabs
C:\Program Files (x86)\SaasAnt Transactions\Common.Logging.Core.dll	0%	Virustotal	Browse
C:\Program Files (x86)\SaasAnt Transactions\Common.Logging.dll	0%	ReversingLabs
C:\Program Files (x86)\SaasAnt Transactions\Common.Logging.dll	0%	Virustotal	Browse
C:\Program Files (x86)\SaasAnt Transactions\CsvHelper.dll	0%	ReversingLabs
C:\Program Files (x86)\SaasAnt Transactions\CsvHelper.dll	0%	Virustotal	Browse
C:\Program Files (x86)\SaasAnt Transactions\DotNetZip.dll	0%	ReversingLabs
C:\Program Files (x86)\SaasAnt Transactions\DotNetZip.dll	0%	Virustotal	Browse
C:\Program Files (x86)\SaasAnt Transactions\ExcelDataReader.DataSet.dll	0%	ReversingLabs
C:\Program Files (x86)\SaasAnt Transactions\ExcelDataReader.DataSet.dll	0%	Virustotal	Browse
C:\Program Files (x86)\SaasAnt Transactions\ExcelDataReader.dll	0%	ReversingLabs
C:\Program Files (x86)\SaasAnt Transactions\ExcelDataReader.dll	0%	Virustotal	Browse
C:\Program Files (x86)\SaasAnt Transactions\ExcelNumberFormat.dll	0%	ReversingLabs
C:\Program Files (x86)\SaasAnt Transactions\ExcelNumberFormat.dll	0%	Virustotal	Browse
C:\Program Files (x86)\SaasAnt Transactions\GalaSoft.MvvmLight.Extras.dll	0%	ReversingLabs
C:\Program Files (x86)\SaasAnt Transactions\GalaSoft.MvvmLight.Extras.dll	0%	Virustotal	Browse
C:\Program Files (x86)\SaasAnt Transactions\GalaSoft.MvvmLight.dll	0%	ReversingLabs
C:\Program Files (x86)\SaasAnt Transactions\GalaSoft.MvvmLight.dll	0%	Virustotal	Browse
C:\Program Files (x86)\SaasAnt Transactions\ICSharpCode.SharpZipLib.dll	0%	ReversingLabs
C:\Program Files (x86)\SaasAnt Transactions\ICSharpCode.SharpZipLib.dll	0%	Virustotal	Browse
C:\Program Files (x86)\SaasAnt Transactions\Interop.QBXMLRP2Lib.dll	0%	ReversingLabs
C:\Program Files (x86)\SaasAnt Transactions\Interop.QBXMLRP2Lib.dll	0%	Virustotal	Browse
C:\Program Files (x86)\SaasAnt Transactions\LiteDB.dll	0%	ReversingLabs
C:\Program Files (x86)\SaasAnt Transactions\LiteDB.dll	0%	Virustotal	Browse
C:\Program Files (x86)\SaasAnt Transactions\Microsoft.Practices.ServiceLocation.dll	0%	ReversingLabs
C:\Program Files (x86)\SaasAnt Transactions\Microsoft.Practices.ServiceLocation.dll	0%	Virustotal	Browse
C:\Program Files (x86)\SaasAnt Transactions\Microsoft.Windows.Shell.dll	0%	ReversingLabs
C:\Program Files (x86)\SaasAnt Transactions\Microsoft.Windows.Shell.dll	0%	Virustotal	Browse
C:\Program Files (x86)\SaasAnt Transactions\NLog.dll	0%	ReversingLabs
C:\Program Files (x86)\SaasAnt Transactions\NLog.dll	0%	Virustotal	Browse
C:\Program Files (x86)\SaasAnt Transactions\NPOI.dll	0%	ReversingLabs
C:\Program Files (x86)\SaasAnt Transactions\NPOI.dll	0%	Virustotal	Browse
C:\Program Files (x86)\SaasAnt Transactions\Newtonsoft.Json.dll	0%	ReversingLabs
C:\Program Files (x86)\SaasAnt Transactions\Newtonsoft.Json.dll	0%	Virustotal	Browse
C:\Program Files (x86)\SaasAnt Transactions\OFXSharp.dll	0%	ReversingLabs
C:\Program Files (x86)\SaasAnt Transactions\Quartz.dll	0%	ReversingLabs
C:\Program Files (x86)\SaasAnt Transactions\Renci.SshNet.dll	0%	ReversingLabs
C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe	0%	ReversingLabs
C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactionsConsole.exe	9%	ReversingLabs
C:\Program Files (x86)\SaasAnt Transactions\SgmlReaderDll.dll	0%	ReversingLabs
C:\Program Files (x86)\SaasAnt Transactions\System.IO.dll	0%	ReversingLabs
C:\Program Files (x86)\SaasAnt Transactions\System.Net.Http.Extensions.dll	0%	ReversingLabs
C:\Program Files (x86)\SaasAnt Transactions\System.Net.Http.Primitives.dll	0%	ReversingLabs
C:\Program Files (x86)\SaasAnt Transactions\System.Net.Http.WebRequest.dll	0%	ReversingLabs
C:\Program Files (x86)\SaasAnt Transactions\System.Net.Http.dll	0%	ReversingLabs
C:\Program Files (x86)\SaasAnt Transactions\System.Runtime.dll	0%	ReversingLabs
C:\Program Files (x86)\SaasAnt Transactions\System.Threading.Tasks.dll	0%	ReversingLabs
C:\Program Files (x86)\SaasAnt Transactions\System.Windows.Interactivity.dll	0%	ReversingLabs
C:\Program Files (x86)\SaasAnt Transactions\Telerik.Windows.Controls.Chart.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://foo/bar/controls/onboardingcontrol.bamll	0%	Avira URL Cloud	safe
http://defaultcontainer/SaasAntTransactions;component/controls/onboardingcontrol.xamll	0%	Avira URL Cloud	safe
http://www.telerik.com-TelerikWebUI	0%	Avira URL Cloud	safe
http://www.telerik.co	0%	Avira URL Cloud	safe
http://www.installaware.comz	0%	Avira URL Cloud	safe
http://www.installaware.com/InstallAware	0%	Avira URL Cloud	safe
HTTP://WWW.MYWEBSITE.COM/DEFAULT.7ZIPA$;	0%	Avira URL Cloud	safe
http://www.galasoft.ch/s/dialogmessage.	0%	Avira URL Cloud	safe
http://www.telerik.co	0%	Virustotal		Browse
http://www.galasoft.ch/mvvmlight	0%	Avira URL Cloud	safe
http://www.mywebsite.com/Microsoft	0%	Avira URL Cloud	safe
http://www.installaware.com/	0%	Avira URL Cloud	safe
http://www.installaware.com/InstallAware	1%	Virustotal		Browse
http://www.telerik.comhttp://www.telerik.comTelerikWebUI	0%	Avira URL Cloud	safe
http://foo/controls/onboardingcontrol.xaml	0%	Avira URL Cloud	safe
http://www.galasoft.ch/mvvmlight	0%	Virustotal		Browse
http://www.mywebsite.com/Default.7zip	0%	Avira URL Cloud	safe
http://www.galasoft.ch4	0%	Avira URL Cloud	safe
http://www.installaware.com/buydirect.aspopen	0%	Avira URL Cloud	safe
http://www.telerik.comhttp://www.telerik.comApache	0%	Avira URL Cloud	safe
http://www.apache.or	0%	Avira URL Cloud	safe
http://www.mywebsite.com/Default.7zip	0%	Virustotal		Browse
http://www.galasoft.ch	0%	Avira URL Cloud	safe
http://www.galasoft.chN	0%	Avira URL Cloud	safe
http://www.galasoft.ch/s/dialogmessage.	0%	Virustotal		Browse
http://www.installaware.com/	0%	Virustotal		Browse
http://www.installaware.com/buydirect.aspopen	1%	Virustotal		Browse
http://www.installaware.com/x2/	0%	Avira URL Cloud	safe
http://foo/bar/controls/onboardingcontrol.baml	0%	Avira URL Cloud	safe
http://www.mywebsite.com/Microsoft	0%	Virustotal		Browse
http://www.galasoft.ch	0%	Virustotal		Browse
http://www.installaware.com/x2/	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
saasant.com	45.76.164.236	true	false		high
desktop.saasant.com	45.76.164.236	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://desktop.saasant.com/dt-service/installation/updateInfo?app=1&version=3.1.3.0&out=JSON	false		high
https://saasant.com/dt-service/installation/installed	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://saasant.com/	SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1	SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007A27000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3057520372.000000001BEF2000.00000002.00000001.01000000.00000013.sdmp	false		high
https://www.saasant.com/request-demo.html	SaasAntTransactions.exe, 0000000B.00000002.3049581161.0000000014CD1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.	SaasAntTransactions.exe	false		high
https://portal.saasant.com/blog/privacy-policy/	SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.2973722160.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000000.2145737898.00000000008E6000.00000002.00000001.01000000.00000011.sdmp	false		high
http://www.apache.org/licenses/LICEN	SaasAntTransactions.exe	false		high
http://www.apache.org/licenses/LICENSE-2.0.htm	SaasAntTransactions.exe	false		high
http://defaultcontainer/SaasAntTransactions;component/controls/onboardingcontrol.xamll	SaasAntTransactions.exe, 0000000B.00000002.2973722160.0000000003B47000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://desktop.saasant.com/quickbooks-desktop-login/login.html	SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000000.2145737898.00000000008E6000.00000002.00000001.01000000.00000011.sdmp	false		high
https://www.saasant.com/chat.html	SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.2973722160.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000000.2145737898.00000000008E6000.00000002.00000001.01000000.00000011.sdmp	false		high
http://www.installaware.comz	SaasAntTransactions-Setup (1).exe, 00000000.00000000.1722063412.0000000000445000.00000002.00000001.01000000.00000003.sdmp, SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FFC6B000.00000004.00001000.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000000.1801971771.000000000080F000.00000002.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: safe	unknown
http://logging.apache.org/log4net/release/faq.html#trouble-EventLog	SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007A27000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3057520372.000000001BEF2000.00000002.00000001.01000000.00000013.sdmp	false		high
http://schemas.telerik.com/2008/xaml/presentation#Telerik.Windows.Controls.RadialMenu	SaasAntTransactions.exe, 0000000B.00000002.3120537686.000000001F962000.00000002.00000001.01000000.0000001D.sdmp	false		high
https://www.saasant.com	SaasAntTransactions.exe, 0000000B.00000000.2145737898.00000000008E6000.00000002.00000001.01000000.00000011.sdmp, SaasAntTransactions.exe, 0000000B.00000002.2973722160.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3049581161.0000000014CD1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.telerik.com/2008/xaml/presentation&Telerik.Windows.Controls.LayoutControl	SaasAntTransactions.exe, 0000000B.00000002.3120537686.000000001F962000.00000002.00000001.01000000.0000001D.sdmp	false		high
https://go.mikogo.com/	SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000000.2145737898.00000000008E6000.00000002.00000001.01000000.00000011.sdmp	false		high
http://schemas.telerik.com/2008/xaml/presentation#Telerik.Windows.Controls.RadialMenuV	SaasAntTransactions.exe, 0000000B.00000002.3120537686.000000001F962000.00000002.00000001.01000000.0000001D.sdmp	false		high
http://schemas.telerik.com/2008/xaml/compile	SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.2973722160.0000000003060000.00000004.00000800.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3120537686.000000001F962000.00000002.00000001.01000000.0000001D.sdmp, SaasAntTransactions.exe, 0000000B.00000002.2973722160.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3073876070.000000001E7E2000.00000002.00000001.01000000.00000015.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3103729702.000000001F2E2000.00000002.00000001.01000000.00000017.sdmp	false		high
http://schemas.telerik.com/2008/xaml/presentation	SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3103729702.000000001F2E2000.00000002.00000001.01000000.00000017.sdmp	false		high
https://demos.telerik.com/xaml-sdkbrowser/SDKSamplesBrowser.application5	SaasAntTransactions.exe, 0000000B.00000002.2973722160.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/).	SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007A27000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3057520372.000000001BEF2000.00000002.00000001.01000000.00000013.sdmp	false		high
http://netcommon.sourceforge.net/	SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://saasant.com/dt-service/installation/updateInfo?app=1&desc=$TITLE$&version=$VERSION$&out=MIA	SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://support.saasant.com/support/solutions/articles/14000096467-how-to-use-lookup-in-saasant-tran	SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000000.2145737898.00000000008E6000.00000002.00000001.01000000.00000011.sdmp	false		high
http://foo/bar/controls/onboardingcontrol.bamll	SaasAntTransactions.exe, 0000000B.00000002.2973722160.0000000003B47000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.telerik.com-TelerikWebUI	SaasAntTransactions.exe, 0000000B.00000002.3124251402.000000001FBA2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://netcommon.sourceforge.net/B	SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.telerik.co	SaasAntTransactions.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.installaware.com/InstallAware	SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.apache.org/licen	SaasAntTransactions.exe	false		high
http://www.apache.org/licenses/LICENSE-2.0.htmlhttp://www.apache.org/licenses/LICENSE-2.0.htmlVersio	SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp	false		high
https://demos.telerik.com/xaml-sdkbrowser/SDKSamplesBrowser.application	SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp	false		high
https://portal.saasant.com/blog/terms-and-conditions/	SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.2973722160.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000000.2145737898.00000000008E6000.00000002.00000001.01000000.00000011.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	SaasAntTransactions.exe, 0000000B.00000002.3046273465.000000000ECD1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://logging.apache.org/log4ne	SaasAntTransactions.exe	false		high
https://desktop.saasant.com/dt-service/installation/crashReport	SaasAntTransactions.exe, 0000000B.00000002.3018293075.0000000006CD1000.00000004.00000800.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3049581161.0000000014CD1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://support.saasant.com/	SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2159937356.0000000002982000.00000004.00001000.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0RobotoLight	SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp	false		high
https://identity.telerik.com/v2/oauth/telerik/token&uri:client.licenser	SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp	false		high
http://schemas.telerik.com/2008/xaml/presentation%Telerik.Windows.Controls.TreeListView	SaasAntTransactions.exe, 0000000B.00000002.3111007097.000000001F642000.00000002.00000001.01000000.0000001C.sdmp	false		high
http://saasant.com/az	SaasAntTransactions-Setup.exe, 00000002.00000003.2159937356.0000000002982000.00000004.00001000.00020000.00000000.sdmp	false		high
HTTP://WWW.MYWEBSITE.COM/DEFAULT.7ZIPA$;	SaasAntTransactions-Setup.exe, 00000002.00000003.2157723436.000000000338B000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp	false		high
http://www.galasoft.ch/s/dialogmessage.	SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3087570744.000000001ED22000.00000002.00000001.01000000.0000001F.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.telerik.com/2008/xaml/presentation#Telerik.Windows.Controls.Primitives	SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp	false		high
http://www.galasoft.ch/mvvmlight	SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3087908547.000000001ED42000.00000002.00000001.01000000.00000021.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3018293075.0000000006CD1000.00000004.00000800.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.2973722160.0000000003046000.00000004.00000800.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000000.2145737898.00000000008E6000.00000002.00000001.01000000.00000011.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/encoding/	SaasAntTransactions.exe, 0000000B.00000002.3018293075.0000000006CD1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/	SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000007A27000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3057520372.000000001BEF2000.00000002.00000001.01000000.00000013.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	SaasAntTransactions.exe, 0000000B.00000002.3124251402.000000001FBA2000.00000004.00000800.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp	false		high
http://www.mywebsite.com/Microsoft	SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://saasant.com/dt-service/license/register	SaasAntTransactions.exe, 0000000B.00000002.3049581161.0000000014CD1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://portal.saasant.com/blog/security-policy/	SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.2973722160.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000000.2145737898.00000000008E6000.00000002.00000001.01000000.00000011.sdmp	false		high
http://www.apache.org/l	SaasAntTransactions.exe	false		high
http://standards.iso.org/iso/19770/-2/2008/schema.xsd	SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000006E97000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000000.1798730636.0000000000418000.00000020.00000001.01000000.00000005.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://desktop.apps.com/apps/232752#	SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000000.2145737898.00000000008E6000.00000002.00000001.01000000.00000011.sdmp	false		high
http://www.telerik.com/purchase.aspx?utm_source=trial&utm_medium=dsk&utm_campaign=WPF	SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp	false		high
https://support.saasant.com/support/solutions/14000073957	SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.2973722160.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000000.2145737898.00000000008E6000.00000002.00000001.01000000.00000011.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.011k	SaasAntTransactions.exe, 0000000B.00000002.3067183260.000000001C84F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://desktop.saasant.com	SaasAntTransactions.exe, 0000000B.00000002.3018293075.0000000006D7E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://desktop.saasant.com/dt-service/installation/updateInfo?app=APP_ID&version=VERSION&out=JSON	SaasAntTransactions.exe, 0000000B.00000002.3049581161.0000000014CD1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.installaware.com/	SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.0000000006E97000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000000.1798730636.000000000078C000.00000020.00000001.01000000.00000005.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FFC6B000.00000004.00001000.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000000.1798730636.0000000000418000.00000020.00000001.01000000.00000005.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.saasant.com/app-saasant-transactions-quickbooks-desktop.html#planList	SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000000.2145737898.00000000008E6000.00000002.00000001.01000000.00000011.sdmp	false		high
http://schemas.telerik.com/2008/xaml/presentation#Telerik.Windows.Controls.PrimitivesV	SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp	false		high
http://www.telerik.comhttp://www.telerik.comTelerikWebUI	SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
https://www.saasant.com/chat.html?ServicePack=No	SaasAntTransactions.exe, 0000000B.00000002.2973722160.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3046273465.000000000ECD1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0RobotoMedium	SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp	false		high
http://foo/controls/onboardingcontrol.xaml	SaasAntTransactions.exe, 0000000B.00000002.2973722160.0000000003B47000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.telerik.com	SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp	false		high
http://www.mywebsite.com/Default.7zip	SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2159937356.00000000028EE000.00000004.00001000.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2075522871.000000000665E000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.2155131713.00000000035DB000.00000004.00001000.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FF8E0000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.galasoft.ch4	SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3087908547.000000001ED42000.00000002.00000001.01000000.00000021.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3087570744.000000001ED22000.00000002.00000001.01000000.0000001F.sdmp	false	Avira URL Cloud: safe	unknown
https://saasant.com	SaasAntTransactions.exe, 0000000B.00000002.3037588109.000000000ACD1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.installaware.com/buydirect.aspopen	SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000000.1798730636.000000000078C000.00000020.00000001.01000000.00000005.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FFC6B000.00000004.00001000.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0Robo	SaasAntTransactions.exe	false		high
https://dle.telerik.com/metrics/v1/events/callhome	SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp	false		high
http://www.codeplex.com/DotNetZip	SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://identity.telerik.com/v2/oauth/telerik/token	SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp	false		high
https://www.saasant.com/report-issue.html?File=	SaasAntTransactions.exe, 0000000B.00000002.3049581161.0000000014CD1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://portal.saasant.com	SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.2973722160.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000000.2145737898.00000000008E6000.00000002.00000001.01000000.00000011.sdmp	false		high
http://www.telerik.comhttp://www.telerik.comApache	SaasAntTransactions.exe, 0000000B.00000002.3092093524.000000001EF22000.00000002.00000001.01000000.00000016.sdmp	false	Avira URL Cloud: safe	unknown
HTTPS://SAASANT.COM/DT-SERVICE/INSTALLATION/UPDATEINFO?APP=1&DESC=$TITLE$&VERSION=$VERSION$&OUT=MIA	SaasAntTransactions-Setup.exe, 00000002.00000003.2159937356.00000000028A0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.apache.or	SaasAntTransactions.exe	false	Avira URL Cloud: safe	unknown
http://www.galasoft.ch	SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, SaasAntTransactions.exe, 0000000B.00000002.3087908547.000000001ED42000.00000002.00000001.01000000.00000021.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3087570744.000000001ED22000.00000002.00000001.01000000.0000001F.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3088007794.000000001ED48000.00000002.00000001.01000000.00000021.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://desktop.saasant.com/dt-service/installation/releaseNotes?app=APP_ID&version=VERSION&out=JSON	SaasAntTransactions.exe, 0000000B.00000002.3049581161.0000000014CD1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galasoft.chN	SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions.exe, 0000000B.00000002.3087703824.000000001ED2A000.00000002.00000001.01000000.0000001F.sdmp	false	Avira URL Cloud: safe	unknown
https://desktop.saasant.com/dt-service/conversion/conversion&File	SaasAntTransactions.exe, 0000000B.00000002.3049581161.0000000014CD1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0Robot	SaasAntTransactions.exe	false		high
http://www.installaware.com/x2/	SaasAntTransactions-Setup (1).exe, 00000000.00000003.1784923265.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000000.1798730636.000000000078C000.00000020.00000001.01000000.00000005.sdmp, SaasAntTransactions-Setup.exe, 00000002.00000003.1805485220.00000000FFC6B000.00000004.00001000.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://foo/bar/controls/onboardingcontrol.baml	SaasAntTransactions.exe, 0000000B.00000002.2973722160.0000000003B47000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.76.164.236	saasant.com	United States		20473	AS-CHOOPAUS	false

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1367779
Start date and time:	2023-12-28 19:53:52 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SaasAntTransactions-Setup (1).exe
Detection:	MAL
Classification:	mal46.troj.evad.winEXE@7/1366@2/1
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 69 Number of non-executed functions: 92
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SaasAntTransactions-Setup (1).exe, PID 5364 because there are no executed function
Execution Graph export aborted for target SaasAntTransactions.exe, PID 2452 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtSetValueKey calls found.
Report size getting too big, too many NtWriteFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:55:01	API Interceptor	10x Sleep call for process: SaasAntTransactions-Setup.exe modified
19:55:05	API Interceptor	1234277x Sleep call for process: SaasAntTransactions.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-CHOOPAUS	887OOdJ3rV.elf	Get hash	malicious	Mirai	Browse	45.77.227.106
	$RVQLQNQ.crdownload	Get hash	malicious	Unknown	Browse	45.63.109.237
	gdbhUbyHV7.elf	Get hash	malicious	Mirai	Browse	8.6.8.220
	y6RDe2Qj7S.exe	Get hash	malicious	Unknown	Browse	66.42.108.166
	java.exe	Get hash	malicious	Tinba	Browse	45.77.249.79
	https://jspen.co/#JTNDJTczJTYzJTcyJTY5JTcwJTc0JTIwJTczJTcyJTYzJTNEJTIyJTY4JTc0JTc0JTcwJTczJTNBJTJGJTJGJTYxJTcwJTcwJTczJTY1JTZFJTY0JTY3JTcyJTY5JTY0JTM5JTMzJTM4JTM3JTJFJTYxJTdBJTc1JTcyJTY1JTY2JTY0JTJFJTZFJTY1JTc0JTJGJTc1JTcwJTY0JTYxJTc0JTY1JTczJTJFJTZBJTczJTIyJTNFJTIwJTNDJTJGJTczJTYzJTcyJTY5JTcwJTc0JTNF	Get hash	malicious	Unknown	Browse	66.42.84.244
	file.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	155.138.149.238
	cum.z.dll	Get hash	malicious	PikaBot	Browse	107.191.56.230
	TransferiXX103XXDMT231151342.docx.doc	Get hash	malicious	Unknown	Browse	149.28.109.84
	TransferiXX103XXDMT231151342.docx.doc	Get hash	malicious	Unknown	Browse	149.28.109.84
	Y3b5c7qTOT.exe	Get hash	malicious	Gurcu Stealer	Browse	104.238.189.120
	https://storage.googleapis.com/fedexfr/hreflj.html#?Z289MSZzMT0xNzYyOTM4JnMyPTM3NjI4MTYzOSZzMz1HTEI=	Get hash	malicious	Phisher	Browse	66.42.117.113
	XEXPJu3n0v.exe	Get hash	malicious	BazaLoader	Browse	216.128.135.246
	XEXPJu3n0v.exe	Get hash	malicious	BazaLoader	Browse	216.128.135.246
	Qzb.js	Get hash	malicious	Unknown	Browse	45.77.85.150
	Qzb.js	Get hash	malicious	Unknown	Browse	45.77.85.150
	https://freelancerden.com/zinv3z/?74937581	Get hash	malicious	Unknown	Browse	45.77.85.150
	Notevu.js	Get hash	malicious	Unknown	Browse	45.77.85.150
	Notevu.js	Get hash	malicious	Unknown	Browse	45.77.85.150
	Oom.js	Get hash	malicious	Unknown	Browse	45.77.85.150

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	file.exe	Get hash	malicious	RisePro Stealer, SmokeLoader, Vidar	Browse	45.76.164.236
	AlteryxDownload_Test.exe	Get hash	malicious	Unknown	Browse	45.76.164.236
	AlteryxDownload_Test.exe	Get hash	malicious	Unknown	Browse	45.76.164.236
	prenuptial agreement cheating clause 88020.js	Get hash	malicious	Unknown	Browse	45.76.164.236
	SecuriteInfo.com.Win32.RansomX-gen.29384.16358.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	45.76.164.236
	C7e8AncaYu.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Stealc, zgRAT	Browse	45.76.164.236
	IMG-662466100.vbs	Get hash	malicious	XWorm	Browse	45.76.164.236
	confirmation.vbs	Get hash	malicious	Redline Clipper	Browse	45.76.164.236
	IMG5527735001.vbs	Get hash	malicious	XWorm	Browse	45.76.164.236
	Gbm1OTFacv.exe	Get hash	malicious	RisePro Stealer, SmokeLoader, Vidar	Browse	45.76.164.236
	wl4ESZQ0ZH.exe	Get hash	malicious	RisePro Stealer, SmokeLoader, Vidar	Browse	45.76.164.236
	https://ppt.cc/fNWanx	Get hash	malicious	Phisher	Browse	45.76.164.236
	algo.hta	Get hash	malicious	Remcos	Browse	45.76.164.236
	support.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse	45.76.164.236
	support.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse	45.76.164.236
	uVQLD8YVk6.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Petite Virus, RHADAMANTHYS, RedLine, SmokeLoader	Browse	45.76.164.236
	W73PCbSH71.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Petite Virus, RHADAMANTHYS, RedLine, SmokeLoader	Browse	45.76.164.236
	b7ThScyoHi.exe	Get hash	malicious	RisePro Stealer, SmokeLoader, Vidar	Browse	45.76.164.236
	PEeR32pvuF.exe	Get hash	malicious	RisePro Stealer, SmokeLoader, Vidar	Browse	45.76.164.236
	support.client.exe	Get hash	malicious	ScreenConnect Tool	Browse	45.76.164.236

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\SaasAnt Transactions\DotNetZip.dll	T5Kc39s36e.bin	Get hash	malicious	Unknown	Browse
	SyncroInstaller.msi	Get hash	malicious	Unknown	Browse
	SyncroSetup-next_gi-42605.exe	Get hash	malicious	Unknown	Browse
	http://www.edi-texteditor.com/EdiSetup.exe	Get hash	malicious	Unknown	Browse
C:\Program Files (x86)\SaasAnt Transactions\Common.Logging.dll	ShareGate.18.0.2.msi	Get hash	malicious	Unknown	Browse
C:\Program Files (x86)\SaasAnt Transactions\Common.Logging.Core.dll	ShareGate.18.0.2.msi	Get hash	malicious	Unknown	Browse

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2212856
Entropy (8bit):	7.984882716563244
Encrypted:	false
SSDEEP:	49152:xkQTAfvy2l5gF8yChTk90rxraCvj2yzo96yvDii8wma/tMrUzXlpeAPjsm3rG:xafvpjgFQTZxjgiilKrmHeQso
MD5:	D4D3CC4AE87C1D4CC794AD864B211E3B
SHA1:	0FDD5672DBF1533C537F76844B2756DAA1BA9FAE
SHA-256:	A02B86F93D6CF2277723C1B78FDA5F119D40D156CA672CB272A1E9C3F6B573AF
SHA-512:	C3D064B98CE3F375755A3B54ED2062CD445B0E6DB37E6A22F99ECA86B1AF7FA5270A4230616F8863149DC0813CCC4BE1676D138E9DBDECE8B2E8F215983D0DA8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 9% Antivirus: Virustotal, Detection: 11%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h..-,q.~,q.~,q.~2#.~?q.~...~+q.~,q.~\q.~2#n~.q.~2#i~.q.~2#{~-q.~Rich,q.~..................ue....PE..L...t..P..........#................./.............@...........................!.......!.........................................P....`...q............!..1..............................................@............................................text............................... ..`.rdata...m.......n..................@..@.data....0... ......................@....rsrc....q...`...r... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5605720
Entropy (8bit):	6.462629310060085
Encrypted:	false
SSDEEP:	98304:+F/bhwf+r5KT19iMvK1fucWXbBJ2Z3H2L7K13icjqsNTUOJ:+nwf+rMoMS1furLWHNFF
MD5:	41C67C2E7C85536894C9E348DA79EC9F
SHA1:	E9D198342373D581166DC97A28329448052FD637
SHA-256:	E4D21DA4A6E9A9BC18E51E949814E9ED19EF9057BAD161A6DF90B2608EE8452F
SHA-512:	20C0D57385D58D9ADA3AAB2F43FB4E9120DB1293FF90A61F3953F9E20C0FCFCDC0DB1E1A5EC50195DD3ABF8D2DAFCB8BC934A3DFD9EEFBB2CDB819F612CAA9FE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe, Author: Joe Security
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...%.R[.................\|9..&.......E9.......9...@...........................W.....o.U..........@........................... <..U....@.(...........`WU..1....<...............................<....................../<.......<......................text.....8.......8................. ..`.itext........8.......8............. ..`.data...0.....9.......9.............@....bss....$.....:......r:..................idata...U... <..V...r:.............@....didata.......<.......:.............@....tls....P.....<.......:..................rdata........<.......:.............@..@.reloc...1....<.......:.............@..B.rsrc...(.....@.......:.............@..@.............@V......VT.............@..@........................................................

Entrypoint:	0x422a48
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x5ACD1957 [Tue Apr 10 20:06:47 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	b48671fed9d5ca4906417d42fcdb066b

Signature Valid:	true
Signature Issuer:	CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	06/10/2021 17:40:37 02/01/2025 13:18:14
Subject Chain	CN=SAASANT INFOTECH PRIVATE LIMITED, O=SAASANT INFOTECH PRIVATE LIMITED, STREET="1111/5, Noble Centre, Avinashi Road P.N. Palayam", L=Coimbatore, S=Tamil Nadu, C=IN, OID.1.3.6.1.4.1.311.60.2.1.2=Tamil Nadu, OID.1.3.6.1.4.1.311.60.2.1.3=IN, SERIALNUMBER=U72900TZ2015PTC034415, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	E48967BD99E17FF67FD86BEE34C3E0FE
Thumbprint SHA-1:	5C8FDB0874827DCA171FA3C5CA537375C8CC1A32
Thumbprint SHA-256:	1D2AABC902C8DABC74FEEAA1B060E550A0FD19BDABE4647F5A5683C2CDE3AF39
Serial:	16EAABC48ADF8C6A34A23D96

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3a538	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x45000	0x32dec	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xe703f0	0x31f8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x351a0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x32000	0x284	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3008d	0x30200	False	0.5151582792207792	data	6.495190538344969	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x32000	0x9348	0x9400	False	0.34438344594594594	data	4.653884166908034	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3c000	0x8400	0x2400	False	0.2585720486111111	data	4.213670913347177	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x45000	0x32dec	0x32e00	False	0.1877351428132678	data	4.201251641961609	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x45d14	0x53a2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9979915927136852
RT_ICON	0x4b0b8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m	English	United States	0.10349875783745416
RT_ICON	0x5b8e0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m	English	United States	0.16568256967406708
RT_ICON	0x5fb08	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m	English	United States	0.20446058091286307
RT_ICON	0x620b0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m	English	United States	0.25609756097560976
RT_ICON	0x63158	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m	English	United States	0.3829787234042553
RT_DIALOG	0x635c0	0x1d8	data			0.5720338983050848
RT_DIALOG	0x63798	0x1be	data			0.5605381165919282
RT_DIALOG	0x63958	0x54	data			0.7619047619047619
RT_STRING	0x639ac	0x4a4	data	Arabic	Saudi Arabia	0.28703703703703703
RT_STRING	0x63e50	0x4a4	data	Catalan	Spain	0.28703703703703703
RT_STRING	0x642f4	0x4a4	data	Chinese	Taiwan	0.28703703703703703
RT_STRING	0x64798	0x4a4	data	Czech	Czech Republic	0.28703703703703703
RT_STRING	0x64c3c	0x4a4	data	Danish	Denmark	0.28703703703703703
RT_STRING	0x650e0	0x4a4	data	German	Germany	0.28703703703703703
RT_STRING	0x65584	0x4a4	data	Greek	Greece	0.28703703703703703
RT_STRING	0x65a28	0x4a4	data	English	United States	0.28703703703703703
RT_STRING	0x65ecc	0x4a4	data	Finnish	Finland	0.28703703703703703
RT_STRING	0x66370	0x4a4	data	French	France	0.28703703703703703
RT_STRING	0x66814	0x4a4	data	Hebrew	Israel	0.28703703703703703
RT_STRING	0x66cb8	0x4a4	data	Hungarian	Hungary	0.28703703703703703
RT_STRING	0x6715c	0x4a4	data	Italian	Italy	0.28703703703703703
RT_STRING	0x67600	0x4a4	data	Japanese	Japan	0.28703703703703703
RT_STRING	0x67aa4	0x4a4	data	Korean	North Korea	0.28703703703703703
RT_STRING	0x67aa4	0x4a4	data	Korean	South Korea	0.28703703703703703
RT_STRING	0x67f48	0x4a4	data	Dutch	Netherlands	0.28703703703703703
RT_STRING	0x683ec	0x4a4	data	Norwegian	Norway	0.28703703703703703
RT_STRING	0x68890	0x4a4	data	Polish	Poland	0.28703703703703703
RT_STRING	0x68d34	0x4a4	data	Portuguese	Brazil	0.28703703703703703
RT_STRING	0x691d8	0x4a4	data	Romanian	Romania	0.28703703703703703
RT_STRING	0x6967c	0x4a4	data	Russian	Russia	0.28703703703703703
RT_STRING	0x69b20	0x4a4	data	Croatian	Croatia	0.28703703703703703
RT_STRING	0x69fc4	0x4a4	data	Slovak	Slovakia	0.28703703703703703
RT_STRING	0x6a468	0x4a4	data	Swedish	Sweden	0.28703703703703703
RT_STRING	0x6a90c	0x4a4	data	Thai	Thailand	0.28703703703703703
RT_STRING	0x6adb0	0x4a4	data	Turkish	Turkey	0.28703703703703703
RT_STRING	0x6b254	0x4a4	data	Slovenian	Slovenia	0.28703703703703703
RT_STRING	0x6b6f8	0x4a4	data	Estonian	Estonia	0.28703703703703703
RT_STRING	0x6bb9c	0x4a4	data	Latvian	Lativa	0.28703703703703703
RT_STRING	0x6c040	0x4a4	data	Lithuanian	Lithuania	0.28703703703703703
RT_STRING	0x6c4e4	0x4a4	data	Vietnamese	Vietnam	0.28703703703703703
RT_STRING	0x6c988	0x4a4	data	Basque	France	0.28703703703703703
RT_STRING	0x6c988	0x4a4	data	Basque	Spain	0.28703703703703703
RT_STRING	0x6ce2c	0x4a4	data	Chinese	China	0.28703703703703703
RT_STRING	0x6d2d0	0x4a4	data	Portuguese	Portugal	0.28703703703703703
RT_STRING	0x6d774	0x4a4	data			0.28703703703703703
RT_STRING	0x6dc18	0x2f2	data	Arabic	Saudi Arabia	0.42572944297082227
RT_STRING	0x6df0c	0x2f2	data	Catalan	Spain	0.42572944297082227
RT_STRING	0x6e200	0x2f2	data	Chinese	Taiwan	0.42572944297082227
RT_STRING	0x6e4f4	0x2f2	data	Czech	Czech Republic	0.42572944297082227
RT_STRING	0x6e7e8	0x2f2	data	Danish	Denmark	0.42572944297082227
RT_STRING	0x6eadc	0x2f2	data	German	Germany	0.42572944297082227
RT_STRING	0x6edd0	0x2f2	data	Greek	Greece	0.42572944297082227
RT_STRING	0x6f0c4	0x2f2	data	English	United States	0.42572944297082227
RT_STRING	0x6f3b8	0x2f2	data	Finnish	Finland	0.42572944297082227
RT_STRING	0x6f6ac	0x2f2	data	French	France	0.42572944297082227
RT_STRING	0x6f9a0	0x2f2	data	Hebrew	Israel	0.42572944297082227
RT_STRING	0x6fc94	0x2f2	data	Hungarian	Hungary	0.42572944297082227
RT_STRING	0x6ff88	0x2f2	data	Italian	Italy	0.42572944297082227
RT_STRING	0x7027c	0x2f2	data	Japanese	Japan	0.42572944297082227
RT_STRING	0x70570	0x2f2	data	Korean	North Korea	0.42572944297082227
RT_STRING	0x70570	0x2f2	data	Korean	South Korea	0.42572944297082227
RT_STRING	0x70864	0x2f2	data	Dutch	Netherlands	0.42572944297082227
RT_STRING	0x70b58	0x2f2	data	Norwegian	Norway	0.42572944297082227
RT_STRING	0x70e4c	0x2f2	data	Polish	Poland	0.42572944297082227
RT_STRING	0x71140	0x2f2	data	Portuguese	Brazil	0.42572944297082227
RT_STRING	0x71434	0x2f2	data	Romanian	Romania	0.42572944297082227
RT_STRING	0x71728	0x2f2	data	Russian	Russia	0.42572944297082227
RT_STRING	0x71a1c	0x2f2	data	Croatian	Croatia	0.42572944297082227
RT_STRING	0x71d10	0x2f2	data	Slovak	Slovakia	0.42572944297082227
RT_STRING	0x72004	0x2f2	data	Swedish	Sweden	0.42572944297082227
RT_STRING	0x722f8	0x2f2	data	Thai	Thailand	0.42572944297082227
RT_STRING	0x725ec	0x2f2	data	Turkish	Turkey	0.42572944297082227
RT_STRING	0x728e0	0x2f2	data	Slovenian	Slovenia	0.42572944297082227
RT_STRING	0x72bd4	0x2f2	data	Estonian	Estonia	0.42572944297082227
RT_STRING	0x72ec8	0x2f2	data	Latvian	Lativa	0.42572944297082227
RT_STRING	0x731bc	0x2f2	data	Lithuanian	Lithuania	0.42572944297082227
RT_STRING	0x734b0	0x2f2	data	Vietnamese	Vietnam	0.42572944297082227
RT_STRING	0x737a4	0x2f2	data	Basque	France	0.42572944297082227
RT_STRING	0x737a4	0x2f2	data	Basque	Spain	0.42572944297082227
RT_STRING	0x73a98	0x2f2	data	Chinese	China	0.42572944297082227
RT_STRING	0x73d8c	0x2f2	data	Portuguese	Portugal	0.42572944297082227
RT_STRING	0x74080	0x2f2	data			0.42572944297082227
RT_STRING	0x74374	0x106	data	Arabic	Saudi Arabia	0.5076335877862596
RT_STRING	0x7447c	0x106	data	Catalan	Spain	0.5076335877862596
RT_STRING	0x74584	0x106	data	Chinese	Taiwan	0.5076335877862596
RT_STRING	0x7468c	0x106	data	Czech	Czech Republic	0.5076335877862596
RT_STRING	0x74794	0x106	data	Danish	Denmark	0.5076335877862596
RT_STRING	0x7489c	0x106	data	German	Germany	0.5076335877862596
RT_STRING	0x749a4	0x106	data	Greek	Greece	0.5076335877862596
RT_STRING	0x74aac	0x106	data	English	United States	0.5076335877862596
RT_STRING	0x74bb4	0x106	data	Finnish	Finland	0.5076335877862596
RT_STRING	0x74cbc	0x106	data	French	France	0.5076335877862596
RT_STRING	0x74dc4	0x106	data	Hebrew	Israel	0.5076335877862596
RT_STRING	0x74ecc	0x106	data	Hungarian	Hungary	0.5076335877862596
RT_STRING	0x74fd4	0x106	data	Italian	Italy	0.5076335877862596
RT_STRING	0x750dc	0x106	data	Japanese	Japan	0.5076335877862596
RT_STRING	0x751e4	0x106	data	Korean	North Korea	0.5076335877862596
RT_STRING	0x751e4	0x106	data	Korean	South Korea	0.5076335877862596
RT_STRING	0x752ec	0x106	data	Dutch	Netherlands	0.5076335877862596
RT_STRING	0x753f4	0x106	data	Norwegian	Norway	0.5076335877862596
RT_STRING	0x754fc	0x106	data	Polish	Poland	0.5076335877862596
RT_STRING	0x75604	0x106	data	Portuguese	Brazil	0.5076335877862596
RT_STRING	0x7570c	0x106	data	Romanian	Romania	0.5076335877862596
RT_STRING	0x75814	0x106	data	Russian	Russia	0.5076335877862596
RT_STRING	0x7591c	0x106	data	Croatian	Croatia	0.5076335877862596
RT_STRING	0x75a24	0x106	data	Slovak	Slovakia	0.5076335877862596
RT_STRING	0x75b2c	0x106	data	Swedish	Sweden	0.5076335877862596
RT_STRING	0x75c34	0x106	data	Thai	Thailand	0.5076335877862596
RT_STRING	0x75d3c	0x106	data	Turkish	Turkey	0.5076335877862596
RT_STRING	0x75e44	0x106	data	Slovenian	Slovenia	0.5076335877862596
RT_STRING	0x75f4c	0x106	data	Estonian	Estonia	0.5076335877862596
RT_STRING	0x76054	0x106	data	Latvian	Lativa	0.5076335877862596
RT_STRING	0x7615c	0x106	data	Lithuanian	Lithuania	0.5076335877862596
RT_STRING	0x76264	0x106	data	Vietnamese	Vietnam	0.5076335877862596
RT_STRING	0x7636c	0x106	data	Basque	France	0.5076335877862596
RT_STRING	0x7636c	0x106	data	Basque	Spain	0.5076335877862596
RT_STRING	0x76474	0x106	data	Chinese	China	0.5076335877862596
RT_STRING	0x7657c	0x106	data	Portuguese	Portugal	0.5076335877862596
RT_STRING	0x76684	0x106	data			0.5076335877862596
RT_GROUP_ICON	0x7678c	0x5a	data	English	United States	0.7666666666666667
RT_VERSION	0x767e8	0x1084	data	English	United States	0.09981078524124881
RT_MANIFEST	0x7786c	0x57d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4462633451957295

DLL	Import
KERNEL32.dll	GetLastError, ResetEvent, CreateEventW, CloseHandle, MultiByteToWideChar, WideCharToMultiByte, FreeLibrary, LoadLibraryW, GetModuleFileNameW, FormatMessageW, LocalFree, GetWindowsDirectoryW, CreateFileW, SetFileTime, SetFileAttributesW, RemoveDirectoryW, CreateDirectoryW, GetFileInformationByHandle, DeleteFileW, GetShortPathNameW, GetFullPathNameW, lstrlenW, GetCurrentDirectoryW, GetTempFileNameW, FindClose, FindFirstFileW, FindNextFileW, GetFileSize, SetFilePointer, ReadFile, WriteFile, SetEndOfFile, DeleteCriticalSection, GetStdHandle, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetCurrentProcessId, InitializeCriticalSection, QueryPerformanceCounter, GetTickCount, Sleep, LocalAlloc, GetProcAddress, SetCurrentDirectoryW, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, SetThreadUILanguage, SetThreadLocale, GetVersion, GetCommandLineW, CreateProcessW, GetExitCodeProcess, FlushFileBuffers, CreateFileA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, LCMapStringW, LCMapStringA, GetStringTypeW, GetStringTypeA, GetConsoleMode, GetConsoleCP, GetLocaleInfoA, IsValidCodePage, GetOEMCP, RaiseException, GetACP, GetCPInfo, LoadLibraryA, RtlUnwind, InitializeCriticalSectionAndSpinCount, GetSystemTimeAsFileTime, WaitForSingleObject, SetEvent, GetVersionExW, VirtualAlloc, GetCurrentThreadId, VirtualFree, GetFileType, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, HeapSize, InterlockedDecrement, SetLastError, InterlockedIncrement, TlsFree, TlsSetValue, TlsAlloc, HeapFree, HeapAlloc, ExitThread, CreateThread, HeapReAlloc, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapCreate, GetModuleHandleW, ExitProcess, GetModuleFileNameA, TlsGetValue
USER32.dll	SetForegroundWindow, CharUpperW, GetWindowRect, DestroyWindow, RegisterWindowMessageW, AdjustWindowRect, LoadImageW, LoadIconW, KillTimer, SetTimer, EndDialog, IsDlgButtonChecked, SetDlgItemTextW, GetDlgItem, SetWindowTextW, GetWindowTextW, GetWindowTextLengthW, LoadStringW, DialogBoxParamW, CreateDialogParamW, SystemParametersInfoW, PeekMessageW, GetDesktopWindow, MessageBoxW, SendMessageW, GetWindowLongW, SetWindowLongW, ShowWindow, MoveWindow, PostMessageW
GDI32.dll	GetObjectW
ADVAPI32.dll	RegSetValueExW, RegCreateKeyExW, RegCloseKey
SHELL32.dll	SHGetFolderPathW, ShellExecuteExW
ole32.dll	CoInitializeEx, CoInitialize, CoCreateInstance
OLEAUT32.dll	SysAllocStringLen, SysFreeString, VariantClear, SysAllocString

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2023 19:55:10.111198902 CET	49726	443	192.168.2.16	45.76.164.236
Dec 28, 2023 19:55:10.111233950 CET	443	49726	45.76.164.236	192.168.2.16
Dec 28, 2023 19:55:10.111309052 CET	49726	443	192.168.2.16	45.76.164.236
Dec 28, 2023 19:55:10.123948097 CET	49726	443	192.168.2.16	45.76.164.236
Dec 28, 2023 19:55:10.123964071 CET	443	49726	45.76.164.236	192.168.2.16
Dec 28, 2023 19:55:10.628417015 CET	443	49726	45.76.164.236	192.168.2.16
Dec 28, 2023 19:55:10.628509045 CET	49726	443	192.168.2.16	45.76.164.236
Dec 28, 2023 19:55:10.633738041 CET	49726	443	192.168.2.16	45.76.164.236
Dec 28, 2023 19:55:10.633752108 CET	443	49726	45.76.164.236	192.168.2.16
Dec 28, 2023 19:55:10.634414911 CET	443	49726	45.76.164.236	192.168.2.16
Dec 28, 2023 19:55:10.679889917 CET	49726	443	192.168.2.16	45.76.164.236
Dec 28, 2023 19:55:10.736951113 CET	49726	443	192.168.2.16	45.76.164.236
Dec 28, 2023 19:55:10.780750036 CET	443	49726	45.76.164.236	192.168.2.16
Dec 28, 2023 19:55:10.901155949 CET	443	49726	45.76.164.236	192.168.2.16
Dec 28, 2023 19:55:10.906445026 CET	49726	443	192.168.2.16	45.76.164.236
Dec 28, 2023 19:55:10.906483889 CET	443	49726	45.76.164.236	192.168.2.16
Dec 28, 2023 19:55:11.110486984 CET	443	49726	45.76.164.236	192.168.2.16
Dec 28, 2023 19:55:11.110558033 CET	443	49726	45.76.164.236	192.168.2.16
Dec 28, 2023 19:55:11.110626936 CET	49726	443	192.168.2.16	45.76.164.236
Dec 28, 2023 19:55:11.129242897 CET	49726	443	192.168.2.16	45.76.164.236
Dec 28, 2023 19:55:39.862035990 CET	49728	443	192.168.2.16	45.76.164.236
Dec 28, 2023 19:55:39.862078905 CET	443	49728	45.76.164.236	192.168.2.16
Dec 28, 2023 19:55:39.862155914 CET	49728	443	192.168.2.16	45.76.164.236
Dec 28, 2023 19:55:39.862999916 CET	49728	443	192.168.2.16	45.76.164.236
Dec 28, 2023 19:55:39.863010883 CET	443	49728	45.76.164.236	192.168.2.16
Dec 28, 2023 19:55:40.361516953 CET	443	49728	45.76.164.236	192.168.2.16
Dec 28, 2023 19:55:40.361762047 CET	49728	443	192.168.2.16	45.76.164.236
Dec 28, 2023 19:55:40.363512039 CET	49728	443	192.168.2.16	45.76.164.236
Dec 28, 2023 19:55:40.363521099 CET	443	49728	45.76.164.236	192.168.2.16
Dec 28, 2023 19:55:40.363768101 CET	443	49728	45.76.164.236	192.168.2.16
Dec 28, 2023 19:55:40.365326881 CET	49728	443	192.168.2.16	45.76.164.236
Dec 28, 2023 19:55:40.412736893 CET	443	49728	45.76.164.236	192.168.2.16
Dec 28, 2023 19:55:40.535749912 CET	443	49728	45.76.164.236	192.168.2.16
Dec 28, 2023 19:55:40.535809040 CET	443	49728	45.76.164.236	192.168.2.16
Dec 28, 2023 19:55:40.535850048 CET	49728	443	192.168.2.16	45.76.164.236
Dec 28, 2023 19:55:40.536811113 CET	49728	443	192.168.2.16	45.76.164.236

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 28, 2023 19:55:09.921627045 CET	64673	53	192.168.2.16	1.1.1.1
Dec 28, 2023 19:55:10.100653887 CET	53	64673	1.1.1.1	192.168.2.16
Dec 28, 2023 19:55:39.684801102 CET	60076	53	192.168.2.16	1.1.1.1
Dec 28, 2023 19:55:39.861040115 CET	53	60076	1.1.1.1	192.168.2.16

Timestamp	Bytes transferred	Direction	Data
2023-12-28 18:55:10 UTC	211	OUT	POST /dt-service/installation/installed HTTP/1.1 Accept: application/json Content-Type: application/json; charset=utf-8 Host: saasant.com Content-Length: 366 Expect: 100-continue Connection: Keep-Alive
2023-12-28 18:55:10 UTC	25	IN	HTTP/1.1 100 Continue
2023-12-28 18:55:10 UTC	366	OUT	Data Raw: 7b 22 63 6f 6d 70 75 74 65 72 49 64 22 3a 22 35 41 35 33 2d 39 45 46 37 2d 31 34 45 35 2d 45 39 30 30 2d 30 33 41 45 22 2c 22 68 61 72 64 77 61 72 65 49 64 22 3a 22 35 41 35 33 2d 39 45 46 37 2d 31 34 45 35 2d 45 39 30 30 2d 30 33 41 45 22 2c 22 65 78 70 69 72 65 64 41 74 22 3a 6e 75 6c 6c 2c 22 65 64 69 74 69 6f 6e 22 3a 22 33 2e 31 2e 33 2e 30 22 2c 22 61 70 70 22 3a 22 31 22 2c 22 6f 73 22 3a 22 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 2d 31 30 2e 30 2e 31 39 30 34 35 22 2c 22 70 72 6f 63 65 73 73 6f 72 22 3a 22 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 22 2c 22 6e 65 74 76 65 72 73 69 6f 6e 22 3a 22 34 2e 36 2e 32 20 6f 72 20 6c 61 74 65 72 22 2c 22 Data Ascii: {"computerId":"5A53-9EF7-14E5-E900-03AE","hardwareId":"5A53-9EF7-14E5-E900-03AE","expiredAt":null,"edition":"3.1.3.0","app":"1","os":"Microsoft Windows 10 Pro-10.0.19045","processor":"Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz","netversion":"4.6.2 or later","
2023-12-28 18:55:11 UTC	772	IN	HTTP/1.1 200 OK Date: Thu, 28 Dec 2023 18:55:11 GMT Content-Type: application/json; charset=utf-8 Content-Length: 15 Connection: close Vary: X-HTTP-Method-Override, Accept-Encoding Access-Control-Allow-Origin: Access-Control-Allow-Credentials: Access-Control-Allow-Methods: Access-Control-Allow-Headers: Access-Control-Expose-Headers: ETag: W/"f-KOwe7l9ASePE8hNQacHSyA" set-cookie: saasant.did=s%3AoP-jlmxgBqm4HyZO-r-JSo1yZi2XN8QM.UQt2%2FNoEot0VfVEzY9tvOrhBpAzdsUed%2BujNxYGJ7ik; Domain=.saasant.com; Path=/; Expires=Fri, 29 Dec 2023 18:55:10 GMT; HttpOnly; Secure Server: 1.2.3 Strict-Transport-Security: max-age=31536000; includeSubDomains X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, no-transform {"status":true}

Timestamp	Bytes transferred	Direction	Data
2023-12-28 18:55:40 UTC	160	OUT	GET /dt-service/installation/updateInfo?app=1&version=3.1.3.0&out=JSON HTTP/1.1 Accept: application/json Host: desktop.saasant.com Connection: Keep-Alive
2023-12-28 18:55:40 UTC	635	IN	HTTP/1.1 200 OK Date: Thu, 28 Dec 2023 18:55:40 GMT Transfer-Encoding: chunked Connection: close Access-Control-Allow-Origin: Access-Control-Allow-Credentials: Access-Control-Allow-Methods: Access-Control-Allow-Headers: Access-Control-Expose-Headers: set-cookie: saasant.did=s%3A1HxihlsngC_N_JNs1_FPIt5YM1bOeHm8.jlb%2FjGpsjWu3a%2F00zCCCoEzPZgrjqcSn13C8idGZDGA; Domain=.saasant.com; Path=/; Expires=Fri, 29 Dec 2023 18:55:40 GMT; HttpOnly; Secure Server: 1.2.3 Strict-Transport-Security: max-age=31536000; includeSubDomains X-Content-Type-Options: nosniff Cache-Control: no-cache, no-store, max-age=0, no-transform
2023-12-28 18:55:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	19:54:21
Start date:	28/12/2023
Path:	C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\SaasAntTransactions-Setup (1).exe
Imagebase:	0x400000
File size:	15'152'616 bytes
MD5 hash:	B11F2737286C7D5DEF40591018967A9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.1784923265.00000000076C3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	19:54:29
Start date:	28/12/2023
Path:	C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe
Wow64 process (32bit):	true
Commandline:	.\SaasAntTransactions-Setup.exe /m="C:\Users\user\Desktop\SAASAN~1.EXE" /k=""
Imagebase:	0x400000
File size:	5'605'720 bytes
MD5 hash:	41C67C2E7C85536894C9E348DA79EC9F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000002.00000000.1798730636.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\ProgramData\miaB83E.tmp\SaasAntTransactions-Setup.exe, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	6
Start time:	19:54:48
Start date:	28/12/2023
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff7d91f0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	7
Start time:	19:54:49
Start date:	28/12/2023
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 65C17165B9D6E452AFEA89C327EA4A92
Imagebase:	0xb90000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	11
Start time:	19:55:04
Start date:	28/12/2023
Path:	C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\SaasAnt Transactions\SaasAntTransactions.exe"
Imagebase:	0x580000
File size:	3'788'792 bytes
MD5 hash:	0F6452633C2790B06B482D15C47B5D0A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Execution Coverage:	8.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	13.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	28

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SaasAntTransactions-Setup (1).exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Privilege Escalation

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

44212c.rbf (copy)

C:\Config.Msi\44212b.rbs

C:\Program Files (x86)\SaasAnt Transactions\Common.Logging.Core.dll

C:\Program Files (x86)\SaasAnt Transactions\Common.Logging.dll

C:\Program Files (x86)\SaasAnt Transactions\CsvHelper.dll

C:\Program Files (x86)\SaasAnt Transactions\Data\DepententMandatory\Credit Memo.properties

C:\Program Files (x86)\SaasAnt Transactions\Data\DepententMandatory\Estimate.properties

C:\Program Files (x86)\SaasAnt Transactions\Data\DepententMandatory\Invoice.properties

C:\Program Files (x86)\SaasAnt Transactions\Data\DepententMandatory\Sales Order.properties

C:\Program Files (x86)\SaasAnt Transactions\Data\DepententMandatory\Sales Receipt.properties

C:\Program Files (x86)\SaasAnt Transactions\Data\importantfields.properties

C:\Program Files (x86)\SaasAnt Transactions\Data\mandatoryfields.properties

Windows Analysis Report
SaasAntTransactions-Setup (1).exe

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre