Edit tour

Windows Analysis Report
Resa Launcher Install.exe

Overview

General Information

Sample name:	Resa Launcher Install.exe
Analysis ID:	1449101
MD5:	0f675d8a82d7e2d9198d1308bcfc2918
SHA1:	c284c27bcee5f0b8b978451f7db76f61ca6748eb
SHA256:	d78698c0ca1ed1aaae2c7fe878cc3d88133f0b7fa2a2430254a9ce44c3ba1949
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	48
Range:	0 - 100

Signatures

Modifies the windows firewall

Sigma detected: Files With System Process Name In Unsuspected Locations

Uses netsh to modify the Windows network and firewall settings

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

Modifies existing windows services

Queries keyboard layouts

Queries the volume information (name, serial number etc) of a device

Sigma detected: Suspicious Msiexec Execute Arbitrary DLL

Sigma detected: Use NTFS Short Name in Command Line

Uses 32bit PE files

Classification

Process Tree

System is w10x64_ra

Resa Launcher Install.exe (PID: 5160 cmdline: "C:\Users\user\Desktop\Resa Launcher Install.exe" MD5: 0F675D8A82D7E2D9198D1308BCFC2918)

resa launcher install.exe (PID: 2992 cmdline: ".\resa launcher install.exe" /m="C:\Users\user\Desktop\RESALA~1.EXE" /k="" MD5: E0F092BC83227D52E442F13BB3CDE076)

Crystal 8.5 for W11.exe (PID: 5632 cmdline: "C:\Users\user\AppData\Local\Temp\mia1\fb0\Crystal 8.5 for W11.exe" MD5: 5FF1538ECAA93249B16928FC93717B5F)

crystal 8.5 for w11.exe (PID: 6940 cmdline: ".\crystal 8.5 for w11.exe" /m="C:\Users\user\AppData\Local\Temp\mia1\fb0\Crystal 8.5 for W11.exe" /k="" MD5: A67A337BC7C5734284BC8362A9E98D96)

netsh.exe (PID: 5896 cmdline: netsh.exe advfirewall firewall delete rule name="RESA SMART - Resa Launcher" dir=in program="C:\ResaApps\ResaLauncher.exe" profile=domain,private,public remoteip=206.57.134.17 MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 3056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 6464 cmdline: netsh.exe advfirewall firewall add rule name="RESA SMART - Resa Launcher" dir=in action=allow program="C:\ResaApps\ResaLauncher.exe" profile=domain,private,public remoteip=206.57.134.17 MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 6440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 640 cmdline: netsh.exe advfirewall firewall delete rule name="RESA SMART - Pay Item" dir=in program="C:\ResaApps\Business_Services\PSmartEDM2016.exe" profile=domain,private,public remoteip=206.57.134.17 MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 3972 cmdline: netsh.exe advfirewall firewall add rule name="RESA SMART - Pay Item" dir=in action=allow program="C:\ResaApps\Business_Services\PSmartEDM2016.exe" profile=domain,private,public remoteip=206.57.134.17 MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 5152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 6348 cmdline: netsh.exe advfirewall firewall delete rule name="RESA SMART - Pay Execute" dir=in program="C:\ResaApps\Business_Services\PSmartPayExecute.exe" profile=domain,private,public remoteip=206.57.134.17 MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 3412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 1960 cmdline: netsh.exe advfirewall firewall add rule name="RESA SMART - Pay Execute" dir=in action=allow program="C:\ResaApps\Business_Services\PSmartPayExecute.exe" profile=domain,private,public remoteip=206.57.134.17 MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 3316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 2496 cmdline: netsh.exe advfirewall firewall delete rule name="RESA SMART - Portal Security" dir=in program="C:\ResaApps\Security\PPortalSecurity.exe" profile=domain,private,public remoteip=206.57.134.17 MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 2300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 2568 cmdline: netsh.exe advfirewall firewall add rule name="RESA SMART - Portal Security" dir=in action=allow program="C:\ResaApps\Security\PPortalSecurity.exe" profile=domain,private,public remoteip=206.57.134.17 MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 3592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 880 cmdline: netsh.exe advfirewall firewall delete rule name="RESA SMART - GL Dist" dir=in program="C:\ResaApps\Business_Services\PSmartGLDist.exe" profile=domain,private,public remoteip=206.57.134.17 MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 1668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 3660 cmdline: netsh.exe advfirewall firewall add rule name="RESA SMART - GL Dist" dir=in action=allow program="C:\ResaApps\Business_Services\PSmartGLDist.exe" profile=domain,private,public remoteip=206.57.134.17 MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 3740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 7136 cmdline: netsh.exe advfirewall firewall delete rule name="RESA SMART - Polyplot" dir=in program="C:\ResaApps\PolySQL2012\PolySQL2012.exe" profile=domain,private,public remoteip=206.57.134.17 MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

netsh.exe (PID: 2840 cmdline: netsh.exe advfirewall firewall add rule name="RESA SMART - Polyplot" dir=in action=allow program="C:\ResaApps\PolySQL2012\PolySQL2012.exe" profile=domain,private,public remoteip=206.57.134.17 MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 3544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MpCmdRun.exe (PID: 2496 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 2436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ResaLauncher.exe (PID: 880 cmdline: "C:\ResaApps\ResaLauncher.exe" MD5: 2C9822A0EA14B7168C3C452D5A63D8B2)

msiexec.exe (PID: 7000 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7060 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding E2E9E6F1A4A811C9F8F15AD92AE1CD0D MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 740 cmdline: C:\Windows\System32\MsiExec.exe -Embedding C18FBB39C7C886C04DDEAA7AB7F510F7 MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 3132 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding F207125D6A77848B38F0009DC23DCA58 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 1252 cmdline: C:\Windows\System32\MsiExec.exe -Embedding 8D29AC948328D58A797351E205CB6026 E Global\MSI0000 MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7128 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D3B57FF48BB51AE555ECBEB4FBA10E6E MD5: 9D09DC1EDA745A5F87553048E57620CF)

msiexec.exe (PID: 7136 cmdline: "C:\Windows\syswow64\MsiExec.exe" /Y "C:\ResaApps\Business_Services\TaxControls\TaxControls.dll" MD5: 9D09DC1EDA745A5F87553048E57620CF)

conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ResaLauncher.exe (PID: 3964 cmdline: "C:\ResaApps\ResaLauncher.exe" MD5: 2C9822A0EA14B7168C3C452D5A63D8B2)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\ProgramData\mia533A.tmp\data\OFFLINE\F82E73DF\548C85B\ResaReportView.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\ProgramData\mia533A.tmp\data\OFFLINE\851024AE\356DA8CB\ResaScannerHelper.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\ProgramData\mia533A.tmp\resa launcher install.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\ProgramData\mia533A.tmp\data\OFFLINE\F82E73DF\548C85B\ResaReportView.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\ProgramData\mia533A.tmp\data\OFFLINE\851024AE\356DA8CB\ResaScannerHelper.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\ProgramData\{34298CBE-CEDC-4FE1-85C1-841B00345C2F}\crystal 8.5 for w11.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\ProgramData\mia533A.tmp\resa launcher install.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\ProgramData\mia533A.tmp\data\OFFLINE\F82E73DF\548C85B\ResaReportView.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\ProgramData\mia533A.tmp\data\OFFLINE\851024AE\356DA8CB\ResaScannerHelper.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\ProgramData\{34298CBE-CEDC-4FE1-85C1-841B00345C2F}\crystal 8.5 for w11.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\ProgramData\mia533A.tmp\resa launcher install.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 6 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000000.1192269828.0000000000401000.00000020.00000001.01000000.00000005.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\Resa Launcher Install.exe, ProcessId: 5160, TargetFilename: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\msiexec.exe

Sigma detected: Suspicious Msiexec Execute Arbitrary DLL

Source: Process started

Author: frack113: Data: Command: "C:\Windows\syswow64\MsiExec.exe" /Y "C:\ResaApps\Business_Services\TaxControls\TaxControls.dll", CommandLine: "C:\Windows\syswow64\MsiExec.exe" /Y "C:\ResaApps\Business_Services\TaxControls\TaxControls.dll", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msiexec.exe, NewProcessName: C:\Windows\SysWOW64\msiexec.exe, OriginalFileName: C:\Windows\SysWOW64\msiexec.exe, ParentCommandLine: C:\Windows\system32\msiexec.exe /V, ParentImage: C:\Windows\System32\msiexec.exe, ParentProcessId: 7000, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\syswow64\MsiExec.exe" /Y "C:\ResaApps\Business_Services\TaxControls\TaxControls.dll", ProcessId: 7136, ProcessName: msiexec.exe

Sigma detected: Use NTFS Short Name in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: Command: ".\resa launcher install.exe" /m="C:\Users\user\Desktop\RESALA~1.EXE" /k="", CommandLine: ".\resa launcher install.exe" /m="C:\Users\user\Desktop\RESALA~1.EXE" /k="", CommandLine|base64offset|contains: r, Image: C:\ProgramData\mia533A.tmp\resa launcher install.exe, NewProcessName: C:\ProgramData\mia533A.tmp\resa launcher install.exe, OriginalFileName: C:\ProgramData\mia533A.tmp\resa launcher install.exe, ParentCommandLine: "C:\Users\user\Desktop\Resa Launcher Install.exe", ParentImage: C:\Users\user\Desktop\Resa Launcher Install.exe, ParentProcessId: 5160, ParentProcessName: Resa Launcher Install.exe, ProcessCommandLine: ".\resa launcher install.exe" /m="C:\Users\user\Desktop\RESALA~1.EXE" /k="", ProcessId: 2992, ProcessName: resa launcher install.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Compliance

Uses 32bit PE files

Source: Resa Launcher Install.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Creates a directory in C:\Program Files

Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Microsoft SQL Server
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Microsoft SQL Server\110
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Microsoft SQL Server\110\SDK
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Microsoft SQL Server\110\SDK\Include
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Microsoft SQL Server\110\SDK\Include\sqlncli.h
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Microsoft SQL Server\110\SDK\Lib
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Microsoft SQL Server\110\SDK\Lib\x64
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Microsoft SQL Server\110\SDK\Lib\x64\sqlncli11.lib
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Microsoft SQL Server\110\SDK\Lib\x86
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Microsoft SQL Server\110\SDK\Lib\x86\sqlncli11.lib
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Microsoft SQL Server\110\License Terms
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Microsoft SQL Server\110\License Terms\License_SQLNCLI_ENU.txt
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Microsoft SQL Server\110\KeyFile
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Microsoft SQL Server\110\KeyFile\1033
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Microsoft SQL Server\110\KeyFile\1033\sqlncli_keyfile.dll

Creates license or readme file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Microsoft SQL Server\110\License Terms\License_SQLNCLI_ENU.txt
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Microsoft SQL Server\110\License Terms\License_SQLNCLI_ENU.txt

PE / OLE file has a valid certificate

Source: Resa Launcher Install.exe

Static PE information: certificate valid

Uses new MSVCR Dlls

Source: C:\Windows\System32\msiexec.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Spreading

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Windows\System32\msiexec.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

Networking

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.17:49720 -> 206.57.141.42:1433

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: portal.resa.net

System Summary

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\649c0a.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9D24.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9DA2.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{D19A7273-0D14-44C3-95A2-2FBB862BA70E}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9E20.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9E50.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9EBE.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\crpe32.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\exlate32.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\barcode.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\crxf_pdf.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\CRXF_RTF.DLL
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\Crxlat32.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2bact.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2bact3.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2bbde.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2bbtrv.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2bxbse.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2ctbtrv.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2iract.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2iract3.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2ixbse.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\P2ldb2.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\P2LIFMX.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2lodbc.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2lora7.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\P2lsql.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\P2lsyb10.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2molap.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2sacl.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2sdb2.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2sexsr.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2sfs.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2sifmx.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2smapi.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2smcube.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2smsiis.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2sNote.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2solap.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2soledb.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2sora7.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2soutlk.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2srepl.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2ssql.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2ssyb10.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2strack.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2swblg.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\U2DAPP.DLL
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\U2DDISK.DLL
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\U2DMAPI.DLL
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2dnotes.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2dpost.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2dvim.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\U2FCR.DLL
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2fdif.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\U2FHTML.DLL
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2fodbc.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2frdef.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2frec.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\U2FRTF.DLL
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\U2FSEPV.DLL
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\U2FTEXT.DLL
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2fwks.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\U2FWORDW.DLL
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\U2FXLS.DLL
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2fxml.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2l2000.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2lbcode.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2lcom.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2ldts.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2lexch.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2lfinra.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2lsamp1.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u25dts.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u252000.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\649c0d.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\649c0d.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\649c0e.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBB9E.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBBFC.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBC1D.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{49D665A2-4C2A-476E-9AB8-FCC425F526FC}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBC8B.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBCDA.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBD39.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\1033
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\1033\s11ch_sqlncli.chm
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\system32\1033
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\system32\1033\s11ch_sqlncli.chm
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\sqlncli11.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\system32\sqlncli11.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\1033\sqlnclir11.rll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\system32\1033\sqlnclir11.rll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\system32\msvcr100.dll
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\2A566D94A2C4E674A98BCF4C525F62CF
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\2A566D94A2C4E674A98BCF4C525F62CF\11.0.2100
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\2A566D94A2C4E674A98BCF4C525F62CF\11.0.2100\F_CENTRAL_msvcp100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\2A566D94A2C4E674A98BCF4C525F62CF\11.0.2100\F_CENTRAL_msvcr100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\649c11.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\649c11.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{49D665A2-4C2A-476E-9AB8-FCC425F526FC}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{49D665A2-4C2A-476E-9AB8-FCC425F526FC}\ARPIco
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC0F3.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC142.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\649c12.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC598.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC5E8.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{7F9E06BB-5B40-4E0F-91B1-6A37A71A3390}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC617.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC638.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC658.tmp
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\649c15.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\649c15.msi

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI9D24.tmp

Uses 32bit PE files

Source: Resa Launcher Install.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal52.evad.winEXE@60/217@1/4

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\Microsoft SQL Server

Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe

File created: C:\Users\user\AppData\Local\IIIQF

Source: C:\Windows\System32\conhost.exe

Mutant created: \BaseNamedObjects\Local\SM0:2436:120:WilError_03

Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe

File created: C:\Users\user\AppData\Local\Temp\mia1

Source: Yara match	File source: 00000002.00000000.1192269828.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: C:\ProgramData\mia533A.tmp\data\OFFLINE\F82E73DF\548C85B\ResaReportView.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\mia533A.tmp\data\OFFLINE\851024AE\356DA8CB\ResaScannerHelper.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\mia533A.tmp\resa launcher install.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\mia533A.tmp\data\OFFLINE\F82E73DF\548C85B\ResaReportView.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\mia533A.tmp\data\OFFLINE\851024AE\356DA8CB\ResaScannerHelper.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\{34298CBE-CEDC-4FE1-85C1-841B00345C2F}\crystal 8.5 for w11.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\mia533A.tmp\resa launcher install.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\mia533A.tmp\data\OFFLINE\F82E73DF\548C85B\ResaReportView.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\mia533A.tmp\data\OFFLINE\851024AE\356DA8CB\ResaScannerHelper.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\{34298CBE-CEDC-4FE1-85C1-841B00345C2F}\crystal 8.5 for w11.exe, type: DROPPED
Source: Yara match	File source: C:\ProgramData\mia533A.tmp\resa launcher install.exe, type: DROPPED

Source: Resa Launcher Install.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ResaApps\ResaLauncher.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ResaApps\ResaLauncher.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ResaApps\ResaLauncher.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ResaApps\ResaLauncher.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\Resa Launcher Install.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: C:\Users\user\Desktop\Resa Launcher Install.exe

File read: C:\Users\user\Desktop\Resa Launcher Install.exe

Source: unknown	Process created: C:\Users\user\Desktop\Resa Launcher Install.exe "C:\Users\user\Desktop\Resa Launcher Install.exe"
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Process created: C:\ProgramData\mia533A.tmp\resa launcher install.exe ".\resa launcher install.exe" /m="C:\Users\user\Desktop\RESALA~1.EXE" /k=""
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process created: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe "C:\Users\user\AppData\Local\Temp\mia1\fb0\Crystal 8.5 for W11.exe"
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Process created: C:\ProgramData\mia533A.tmp\resa launcher install.exe ".\resa launcher install.exe" /m="C:\Users\user\Desktop\RESALA~1.EXE" /k=""
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Process created: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe ".\crystal 8.5 for w11.exe" /m="C:\Users\user\AppData\Local\Temp\mia1\fb0\Crystal 8.5 for W11.exe" /k=""
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process created: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe "C:\Users\user\AppData\Local\Temp\mia1\fb0\Crystal 8.5 for W11.exe"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E2E9E6F1A4A811C9F8F15AD92AE1CD0D
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding C18FBB39C7C886C04DDEAA7AB7F510F7
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F207125D6A77848B38F0009DC23DCA58 E Global\MSI0000
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 8D29AC948328D58A797351E205CB6026 E Global\MSI0000
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D3B57FF48BB51AE555ECBEB4FBA10E6E
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\MsiExec.exe" /Y "C:\ResaApps\Business_Services\TaxControls\TaxControls.dll"
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall delete rule name="RESA SMART - Resa Launcher" dir=in program="C:\ResaApps\ResaLauncher.exe" profile=domain,private,public remoteip=206.57.134.17
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall add rule name="RESA SMART - Resa Launcher" dir=in action=allow program="C:\ResaApps\ResaLauncher.exe" profile=domain,private,public remoteip=206.57.134.17
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall delete rule name="RESA SMART - Pay Item" dir=in program="C:\ResaApps\Business_Services\PSmartEDM2016.exe" profile=domain,private,public remoteip=206.57.134.17
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall add rule name="RESA SMART - Pay Item" dir=in action=allow program="C:\ResaApps\Business_Services\PSmartEDM2016.exe" profile=domain,private,public remoteip=206.57.134.17
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall delete rule name="RESA SMART - Pay Execute" dir=in program="C:\ResaApps\Business_Services\PSmartPayExecute.exe" profile=domain,private,public remoteip=206.57.134.17
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall add rule name="RESA SMART - Pay Execute" dir=in action=allow program="C:\ResaApps\Business_Services\PSmartPayExecute.exe" profile=domain,private,public remoteip=206.57.134.17
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall delete rule name="RESA SMART - Portal Security" dir=in program="C:\ResaApps\Security\PPortalSecurity.exe" profile=domain,private,public remoteip=206.57.134.17
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall add rule name="RESA SMART - Portal Security" dir=in action=allow program="C:\ResaApps\Security\PPortalSecurity.exe" profile=domain,private,public remoteip=206.57.134.17
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall delete rule name="RESA SMART - GL Dist" dir=in program="C:\ResaApps\Business_Services\PSmartGLDist.exe" profile=domain,private,public remoteip=206.57.134.17
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall add rule name="RESA SMART - GL Dist" dir=in action=allow program="C:\ResaApps\Business_Services\PSmartGLDist.exe" profile=domain,private,public remoteip=206.57.134.17
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall delete rule name="RESA SMART - Polyplot" dir=in program="C:\ResaApps\PolySQL2012\PolySQL2012.exe" profile=domain,private,public remoteip=206.57.134.17
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall add rule name="RESA SMART - Polyplot" dir=in action=allow program="C:\ResaApps\PolySQL2012\PolySQL2012.exe" profile=domain,private,public remoteip=206.57.134.17
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall delete rule name="RESA SMART - Resa Launcher" dir=in program="C:\ResaApps\ResaLauncher.exe" profile=domain,private,public remoteip=206.57.134.17
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall add rule name="RESA SMART - Resa Launcher" dir=in action=allow program="C:\ResaApps\ResaLauncher.exe" profile=domain,private,public remoteip=206.57.134.17
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall delete rule name="RESA SMART - Pay Item" dir=in program="C:\ResaApps\Business_Services\PSmartEDM2016.exe" profile=domain,private,public remoteip=206.57.134.17
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall add rule name="RESA SMART - Pay Item" dir=in action=allow program="C:\ResaApps\Business_Services\PSmartEDM2016.exe" profile=domain,private,public remoteip=206.57.134.17
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall delete rule name="RESA SMART - Pay Execute" dir=in program="C:\ResaApps\Business_Services\PSmartPayExecute.exe" profile=domain,private,public remoteip=206.57.134.17
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall add rule name="RESA SMART - Pay Execute" dir=in action=allow program="C:\ResaApps\Business_Services\PSmartPayExecute.exe" profile=domain,private,public remoteip=206.57.134.17
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall delete rule name="RESA SMART - Portal Security" dir=in program="C:\ResaApps\Security\PPortalSecurity.exe" profile=domain,private,public remoteip=206.57.134.17
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall add rule name="RESA SMART - Portal Security" dir=in action=allow program="C:\ResaApps\Security\PPortalSecurity.exe" profile=domain,private,public remoteip=206.57.134.17
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall delete rule name="RESA SMART - GL Dist" dir=in program="C:\ResaApps\Business_Services\PSmartGLDist.exe" profile=domain,private,public remoteip=206.57.134.17
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall add rule name="RESA SMART - GL Dist" dir=in action=allow program="C:\ResaApps\Business_Services\PSmartGLDist.exe" profile=domain,private,public remoteip=206.57.134.17
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\MsiExec.exe" /Y "C:\ResaApps\Business_Services\TaxControls\TaxControls.dll"
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall add rule name="RESA SMART - Polyplot" dir=in action=allow program="C:\ResaApps\PolySQL2012\PolySQL2012.exe" profile=domain,private,public remoteip=206.57.134.17
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Process created: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe ".\crystal 8.5 for w11.exe" /m="C:\Users\user\AppData\Local\Temp\mia1\fb0\Crystal 8.5 for W11.exe" /k=""
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding E2E9E6F1A4A811C9F8F15AD92AE1CD0D
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding C18FBB39C7C886C04DDEAA7AB7F510F7
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F207125D6A77848B38F0009DC23DCA58 E Global\MSI0000
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding 8D29AC948328D58A797351E205CB6026 E Global\MSI0000
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D3B57FF48BB51AE555ECBEB4FBA10E6E
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\MsiExec.exe" /Y "C:\ResaApps\Business_Services\TaxControls\TaxControls.dll"
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process created: C:\ResaApps\ResaLauncher.exe "C:\ResaApps\ResaLauncher.exe"
Source: unknown	Process created: C:\ResaApps\ResaLauncher.exe "C:\ResaApps\ResaLauncher.exe"

Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Section loaded: sfc.dll
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Section loaded: textshaping.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: aclayers.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: mpr.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: sfc.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: sfc_os.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: msimg32.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: version.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: winmm.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: wtsapi32.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: winsta.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: olepro32.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: wldp.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: propsys.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: profapi.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: dwmapi.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: srclient.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: spp.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: powrprof.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: vssapi.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: vsstrace.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: umpdc.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: textshaping.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: textinputframework.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: coreuicomponents.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: coremessaging.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: ntmarta.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: msi.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: edputil.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: netutils.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: appresolver.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: bcp47langs.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: slc.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: userenv.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: sppc.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Section loaded: aclayers.dll
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Section loaded: mpr.dll
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Section loaded: sfc.dll
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Section loaded: sfc_os.dll
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Section loaded: explorerframe.dll
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Section loaded: wldp.dll
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Section loaded: profapi.dll
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Section loaded: textinputframework.dll
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Section loaded: coreuicomponents.dll
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Section loaded: coremessaging.dll
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Section loaded: ntmarta.dll
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: srpapi.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: tsappcmp.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: netapi32.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: wkscli.dll
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Section loaded: explorerframe.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: aclayers.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: mpr.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: sfc.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: sfc_os.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: msimg32.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: version.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: winmm.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: wtsapi32.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: winsta.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: olepro32.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: wldp.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: propsys.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: profapi.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: dwmapi.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: mscoree.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: srclient.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: spp.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: powrprof.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: vssapi.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: vsstrace.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: umpdc.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: textshaping.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: textinputframework.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: coreuicomponents.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: coremessaging.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: ntmarta.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: coremessaging.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: msi.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: explorerframe.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: srpapi.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: tsappcmp.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: netapi32.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: wkscli.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: netutils.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: linkinfo.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntshrui.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: cscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: apphelp.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: aclayers.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: mpr.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: sfc.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: sfc_os.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: winmm.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: oleacc.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: version.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: oledlg.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: wsock32.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: uxtheme.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: kernel.appcore.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: wtsapi32.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: winsta.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: riched20.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: usp10.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: msls31.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: msdart.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: textshaping.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: textinputframework.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: coreuicomponents.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: coremessaging.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: ntmarta.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: wintypes.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: wintypes.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: wintypes.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: dpapi.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: comsvcs.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: sqlncli11.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: msvcr100.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: netapi32.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: netbios.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: cryptbase.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: secur32.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: sspicli.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: kerberos.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: msasn1.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: msv1_0.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: ntlmshared.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: cryptdll.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: ntdsapi.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: dsparse.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: logoncli.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: netutils.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: clusapi.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: dnsapi.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: iphlpapi.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: resutils.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: security.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: schannel.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: mswsock.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: rasadhlp.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: fwpuclnt.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: duser.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: xmllite.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: atlthunk.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: apphelp.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: aclayers.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: mpr.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: sfc.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: sfc_os.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: winmm.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: oleacc.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: version.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: oledlg.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: wsock32.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: uxtheme.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: kernel.appcore.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: wtsapi32.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: winsta.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: riched20.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: usp10.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: msls31.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: msdart.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: textshaping.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: textinputframework.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: coreuicomponents.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: coremessaging.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: ntmarta.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: wintypes.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: wintypes.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: wintypes.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: dpapi.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: comsvcs.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: sqlncli11.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: msvcr100.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: netapi32.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: netbios.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: cryptbase.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: secur32.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: sspicli.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: kerberos.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: msasn1.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: msv1_0.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: ntlmshared.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: cryptdll.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: ntdsapi.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: dsparse.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: logoncli.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: netutils.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: clusapi.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: dnsapi.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: iphlpapi.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: resutils.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: security.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: schannel.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: mswsock.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: rasadhlp.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: fwpuclnt.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: duser.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: xmllite.dll
Source: C:\ResaApps\ResaLauncher.exe	Section loaded: atlthunk.dll

Source: C:\Users\user\Desktop\Resa Launcher Install.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Source: C:\ResaApps\ResaLauncher.exe

File written: C:\ResaApps\ResaLauncher.INI

Reads the Windows registered owner settings

Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Executable creates window controls seldom found in malware

Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe

Window found: window name: TButton

Creates a directory in C:\Program Files

Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Microsoft SQL Server
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Microsoft SQL Server\110
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Microsoft SQL Server\110\SDK
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Microsoft SQL Server\110\SDK\Include
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Microsoft SQL Server\110\SDK\Include\sqlncli.h
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Microsoft SQL Server\110\SDK\Lib
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Microsoft SQL Server\110\SDK\Lib\x64
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Microsoft SQL Server\110\SDK\Lib\x64\sqlncli11.lib
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Microsoft SQL Server\110\SDK\Lib\x86
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Microsoft SQL Server\110\SDK\Lib\x86\sqlncli11.lib
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Microsoft SQL Server\110\License Terms
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Microsoft SQL Server\110\License Terms\License_SQLNCLI_ENU.txt
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Microsoft SQL Server\110\KeyFile
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Microsoft SQL Server\110\KeyFile\1033
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\Microsoft SQL Server\110\KeyFile\1033\sqlncli_keyfile.dll

PE / OLE file has a valid certificate

Source: Resa Launcher Install.exe

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: Resa Launcher Install.exe

Static file information: File size 19256760 > 1048576

Uses new MSVCR Dlls

Source: C:\Windows\System32\msiexec.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Persistence and Installation Behavior

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\ResaApps\CrystalFiles\U2FTEXT.DLL	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\2C228EC0\DF9D80D2\p2iract.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\mia.lib	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2sexsr.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\7BFE20FE\DF9D80D2\U2FHTML.DLL	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\2750471D\DF9D80D2\p2smapi.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\D98EF2E2\DF9D80D2\u2frec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\msi.dll	Jump to dropped file
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	File created: C:\Users\user\AppData\Local\Temp\mia2\mMSIExec.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ResaApps\CrystalFiles\p2soledb.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\5D8AC0F0\91B5C31C\TaxControls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBC1D.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\msiinst.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\1033\sqlnclir11.rll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ResaApps\CrystalFiles\u2dnotes.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ResaApps\CrystalFiles\P2lsyb10.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\OFFLINE\883718\F91E300C\exlate32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ResaApps\CrystalFiles\p2solap.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\78AE16CB\DF9D80D2\u2fdif.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\469BDAEB\DF9D80D2\U2FRTF.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\mWinRunExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\851024AE\356DA8CB\ResaScannerHelper.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2soutlk.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\msiexec.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\imagehlp.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\1033\sqlnclir11.rll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mFileBagIDE.dll\mFileBagEXE.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\AdvFirewallIDEPlugIn.dll\AdvFirewallEXEPlugIn.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\usp10.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\A601C89B\DF9D80D2\p2bbtrv.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Microsoft SQL Server\110\KeyFile\1033\sqlncli_keyfile.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC142.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2srepl.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ResaApps\CrystalFiles\u252000.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\msimsg.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\14DD1572\DF9D80D2\p2ssyb10.dll	Jump to dropped file
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	File created: C:\Users\user\AppData\Local\Temp\mia1\mMSIExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\msisip.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ResaApps\CrystalFiles\p2sNote.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ResaApps\CrystalFiles\u2lsamp1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\Crxlat32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2ssql.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC638.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2sora7.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\riched20.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\A6F269F2\DF9D80D2\u2ldts.dll	Jump to dropped file
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	File created: C:\Users\user\AppData\Local\Temp\mia1\AdvFirewallEXEPlugIn.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\9182ED79\DF9D80D2\u2dvim.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\704854D2\DF9D80D2\p2bact3.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9D24.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\2A566D94A2C4E674A98BCF4C525F62CF\11.0.2100\F_CENTRAL_msvcr100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2sifmx.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ResaApps\CrystalFiles\CRXF_RTF.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\unicode\update.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\sqlncli11.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\msihnd.dll	Jump to dropped file
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	File created: C:\Users\user\AppData\Local\IIIQF\7z.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\CC4A9AB7\DF9D80D2\p2sfs.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ResaApps\CrystalFiles\P2ldb2.dll	Jump to dropped file
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	File created: C:\Users\user\AppData\Local\Temp\mia1\mWinRunExec.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\58D51985\DF9D80D2\u25dts.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\msls31.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\4042563B\DF9D80D2\U2FWORDW.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\mspatcha.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ResaApps\CrystalFiles\p2ixbse.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\E0F6211\DF9D80D2\p2molap.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\U2DAPP.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2lcom.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2iract3.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\FBE04383\DF9D80D2\p2lodbc.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ResaApps\CrystalFiles\u2lexch.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBBFC.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBB9E.tmp	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\B3D6BDF9\DF9D80D2\barcode.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2lora7.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ResaApps\CrystalFiles\u2lfinra.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\2A566D94A2C4E674A98BCF4C525F62CF\11.0.2100\F_CENTRAL_msvcp100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\OFFLINE\8B01F5B2\F91E300C\crpe32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ResaApps\CrystalFiles\P2LIFMX.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\F82E73DF\548C85B\ResaReportView.exe	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\A3E37DC2\DF9D80D2\p2smsiis.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\40A7F605\DF9D80D2\U2FXLS.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\crxf_pdf.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\9FBC96CE\DF9D80D2\U2DDISK.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ResaApps\CrystalFiles\p2bxbse.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\shfolder.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\cabinet.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\E8FB99B2\DF9D80D2\u2fxml.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\1041948F\DF9D80D2\p2sacl.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC0F3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2fodbc.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ResaApps\CrystalFiles\p2swblg.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\31097DAF\DF9D80D2\u2fwks.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\ResaApps\CrystalFiles\u2lbcode.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2bbde.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2ctbtrv.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2dpost.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\sdbapi.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\70A680E\DF9D80D2\U2FSEPV.DLL	Jump to dropped file
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	File created: C:\ProgramData\{34298CBE-CEDC-4FE1-85C1-841B00345C2F}\crystal 8.5 for w11.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2l2000.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\E64120EF\DF9D80D2\U2FCR.DLL	Jump to dropped file
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	File created: C:\Users\user\AppData\Local\Temp\mia1\mFileBagEXE.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\8E3B9392\DF9D80D2\P2lsql.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\64572BA6\DF9D80D2\p2bact.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2sdb2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2frdef.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\13BF4A53\DF9D80D2\U2DMAPI.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\sqlncli11.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\607A9F5C\988B0B4D\ResaLauncher.exe	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\598D777F\DF9D80D2\p2smcube.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\D7C8AF63\DF9D80D2\p2strack.dll	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\msihnd.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\CC4A9AB7\DF9D80D2\p2sfs.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\2C228EC0\DF9D80D2\p2iract.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\mia.lib	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\58D51985\DF9D80D2\u25dts.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\7BFE20FE\DF9D80D2\U2FHTML.DLL	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\2750471D\DF9D80D2\p2smapi.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\D98EF2E2\DF9D80D2\u2frec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\msi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\msls31.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\4042563B\DF9D80D2\U2FWORDW.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\mspatcha.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\5D8AC0F0\91B5C31C\TaxControls.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\E0F6211\DF9D80D2\p2molap.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\msiinst.exe	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\FBE04383\DF9D80D2\p2lodbc.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\OFFLINE\883718\F91E300C\exlate32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\78AE16CB\DF9D80D2\u2fdif.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\B3D6BDF9\DF9D80D2\barcode.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\469BDAEB\DF9D80D2\U2FRTF.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\mWinRunExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\851024AE\356DA8CB\ResaScannerHelper.exe	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\OFFLINE\8B01F5B2\F91E300C\crpe32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\msiexec.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\F82E73DF\548C85B\ResaReportView.exe	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\A3E37DC2\DF9D80D2\p2smsiis.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\imagehlp.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mFileBagIDE.dll\mFileBagEXE.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\AdvFirewallIDEPlugIn.dll\AdvFirewallEXEPlugIn.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\usp10.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\40A7F605\DF9D80D2\U2FXLS.DLL	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\A601C89B\DF9D80D2\p2bbtrv.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\9FBC96CE\DF9D80D2\U2DDISK.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\msimsg.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\shfolder.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\14DD1572\DF9D80D2\p2ssyb10.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\cabinet.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\msisip.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\E8FB99B2\DF9D80D2\u2fxml.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\1041948F\DF9D80D2\p2sacl.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\31097DAF\DF9D80D2\u2fwks.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\riched20.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\A6F269F2\DF9D80D2\u2ldts.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\sdbapi.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\70A680E\DF9D80D2\U2FSEPV.DLL	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\9182ED79\DF9D80D2\u2dvim.dll	Jump to dropped file
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	File created: C:\ProgramData\{34298CBE-CEDC-4FE1-85C1-841B00345C2F}\crystal 8.5 for w11.exe	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\E64120EF\DF9D80D2\U2FCR.DLL	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\704854D2\DF9D80D2\p2bact3.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\8E3B9392\DF9D80D2\P2lsql.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\64572BA6\DF9D80D2\p2bact.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\unicode\update.exe	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\13BF4A53\DF9D80D2\U2DMAPI.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\data\OFFLINE\607A9F5C\988B0B4D\ResaLauncher.exe	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\598D777F\DF9D80D2\p2smcube.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	File created: C:\ProgramData\mia7875.tmp\data\Default\D7C8AF63\DF9D80D2\p2strack.dll	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\crxf_pdf.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2sexsr.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC142.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2srepl.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBC1D.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\1033\sqlnclir11.rll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\U2DAPP.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2lcom.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2iract3.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\Crxlat32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC0F3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2fodbc.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2ssql.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC638.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2sora7.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2bbde.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2ctbtrv.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2dpost.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2l2000.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBBFC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI9D24.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIBB9E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2lora7.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\2A566D94A2C4E674A98BCF4C525F62CF\11.0.2100\F_CENTRAL_msvcr100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\2A566D94A2C4E674A98BCF4C525F62CF\11.0.2100\F_CENTRAL_msvcp100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2sifmx.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2soutlk.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\p2sdb2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Crystal\u2frdef.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\1033\sqlnclir11.rll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\sqlncli11.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\sqlncli11.dll	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\Desktop\Resa Launcher Install.exe	File created: C:\ProgramData\mia533A.tmp\mia.lib	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\SysWOW64\1033\sqlnclir11.rll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\System32\1033\sqlnclir11.rll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\2A566D94A2C4E674A98BCF4C525F62CF\11.0.2100\F_CENTRAL_msvcp100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\$PatchCache$\Managed\2A566D94A2C4E674A98BCF4C525F62CF\11.0.2100\F_CENTRAL_msvcr100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D	Jump to dropped file

Creates license or readme file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Microsoft SQL Server\110\License Terms\License_SQLNCLI_ENU.txt
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\Microsoft SQL Server\110\License Terms\License_SQLNCLI_ENU.txt

Boot Survival

Modifies existing windows services

Source: C:\Windows\System32\msiexec.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\SQLNCLI11.1

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ResaApps\ResaLauncher.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\ResaApps\ResaLauncher.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\ResaApps\ResaLauncher.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\ResaApps\ResaLauncher.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ResaApps\CrystalFiles\U2FTEXT.DLL	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\Default\2C228EC0\DF9D80D2\p2iract.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\p2sexsr.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\Default\7BFE20FE\DF9D80D2\U2FHTML.DLL	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\Default\2750471D\DF9D80D2\p2smapi.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\Default\D98EF2E2\DF9D80D2\u2frec.dll	Jump to dropped file
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia2\mMSIExec.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ResaApps\CrystalFiles\p2soledb.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Dropped PE file which has not been started: C:\ProgramData\mia533A.tmp\data\OFFLINE\5D8AC0F0\91B5C31C\TaxControls.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIBC1D.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Dropped PE file which has not been started: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\msiinst.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\System32\1033\sqlnclir11.rll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ResaApps\CrystalFiles\u2dnotes.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ResaApps\CrystalFiles\P2lsyb10.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\OFFLINE\883718\F91E300C\exlate32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ResaApps\CrystalFiles\p2solap.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\Default\78AE16CB\DF9D80D2\u2fdif.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\Default\469BDAEB\DF9D80D2\U2FRTF.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Dropped PE file which has not been started: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\mWinRunExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Dropped PE file which has not been started: C:\ProgramData\mia533A.tmp\data\OFFLINE\851024AE\356DA8CB\ResaScannerHelper.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\p2soutlk.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Dropped PE file which has not been started: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\msiexec.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\1033\sqlnclir11.rll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Dropped PE file which has not been started: C:\ProgramData\mia533A.tmp\data\OFFLINE\mFileBagIDE.dll\mFileBagEXE.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Dropped PE file which has not been started: C:\ProgramData\mia533A.tmp\data\OFFLINE\AdvFirewallIDEPlugIn.dll\AdvFirewallEXEPlugIn.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Dropped PE file which has not been started: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\usp10.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\Default\A601C89B\DF9D80D2\p2bbtrv.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\Microsoft SQL Server\110\KeyFile\1033\sqlncli_keyfile.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC142.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\p2srepl.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ResaApps\CrystalFiles\u252000.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Dropped PE file which has not been started: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\msimsg.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\Default\14DD1572\DF9D80D2\p2ssyb10.dll	Jump to dropped file
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia1\mMSIExec.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Dropped PE file which has not been started: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\msisip.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ResaApps\CrystalFiles\p2sNote.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ResaApps\CrystalFiles\u2lsamp1.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\Crxlat32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\p2ssql.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC638.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\p2sora7.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Dropped PE file which has not been started: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\riched20.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\Default\A6F269F2\DF9D80D2\u2ldts.dll	Jump to dropped file
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia1\AdvFirewallEXEPlugIn.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\Default\9182ED79\DF9D80D2\u2dvim.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\Default\704854D2\DF9D80D2\p2bact3.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI9D24.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\2A566D94A2C4E674A98BCF4C525F62CF\11.0.2100\F_CENTRAL_msvcr100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ResaApps\CrystalFiles\CRXF_RTF.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\p2sifmx.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Dropped PE file which has not been started: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\unicode\update.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\sqlncli11.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Dropped PE file which has not been started: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\msihnd.dll	Jump to dropped file
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\IIIQF\7z.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\Default\CC4A9AB7\DF9D80D2\p2sfs.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ResaApps\CrystalFiles\P2ldb2.dll	Jump to dropped file
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia1\mWinRunExec.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\Default\58D51985\DF9D80D2\u25dts.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Dropped PE file which has not been started: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\msls31.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\Default\4042563B\DF9D80D2\U2FWORDW.DLL	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Dropped PE file which has not been started: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\mspatcha.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ResaApps\CrystalFiles\p2ixbse.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\Default\E0F6211\DF9D80D2\p2molap.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\System32\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\U2DAPP.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\u2lcom.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\p2iract3.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\Default\FBE04383\DF9D80D2\p2lodbc.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ResaApps\CrystalFiles\u2lexch.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIBBFC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIBB9E.tmp	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\Default\B3D6BDF9\DF9D80D2\barcode.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\p2lora7.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ResaApps\CrystalFiles\u2lfinra.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\$PatchCache$\Managed\2A566D94A2C4E674A98BCF4C525F62CF\11.0.2100\F_CENTRAL_msvcp100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\OFFLINE\8B01F5B2\F91E300C\crpe32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ResaApps\CrystalFiles\P2LIFMX.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Dropped PE file which has not been started: C:\ProgramData\mia533A.tmp\data\OFFLINE\F82E73DF\548C85B\ResaReportView.exe	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\Default\A3E37DC2\DF9D80D2\p2smsiis.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\Default\40A7F605\DF9D80D2\U2FXLS.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\crxf_pdf.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\Default\9FBC96CE\DF9D80D2\U2DDISK.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ResaApps\CrystalFiles\p2bxbse.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Dropped PE file which has not been started: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\shfolder.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Dropped PE file which has not been started: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\cabinet.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\Default\E8FB99B2\DF9D80D2\u2fxml.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\Default\1041948F\DF9D80D2\p2sacl.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC0F3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\u2fodbc.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ResaApps\CrystalFiles\p2swblg.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\Default\31097DAF\DF9D80D2\u2fwks.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\ResaApps\CrystalFiles\u2lbcode.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\p2bbde.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\p2ctbtrv.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\u2dpost.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Dropped PE file which has not been started: C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\sdbapi.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\Default\70A680E\DF9D80D2\U2FSEPV.DLL	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\u2l2000.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\Default\E64120EF\DF9D80D2\U2FCR.DLL	Jump to dropped file
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mia1\mFileBagEXE.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\Default\8E3B9392\DF9D80D2\P2lsql.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\Default\64572BA6\DF9D80D2\p2bact.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Dropped PE file which has not been started: C:\ProgramData\mia533A.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\u2frdef.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Crystal\p2sdb2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\System32\sqlncli11.dll	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\Default\13BF4A53\DF9D80D2\U2DMAPI.DLL	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\Default\598D777F\DF9D80D2\p2smcube.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Resa Launcher Install.exe	Dropped PE file which has not been started: C:\ProgramData\mia533A.tmp\data\OFFLINE\607A9F5C\988B0B4D\ResaLauncher.exe	Jump to dropped file
Source: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe	Dropped PE file which has not been started: C:\ProgramData\mia7875.tmp\data\Default\D7C8AF63\DF9D80D2\p2strack.dll	Jump to dropped file

Queries keyboard layouts

Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion

Creates a process in suspended mode (likely to inject code)

Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe	Process created: C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe "C:\Users\user\AppData\Local\Temp\mia1\fb0\Crystal 8.5 for W11.exe"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\syswow64\MsiExec.exe" /Y "C:\ResaApps\Business_Services\TaxControls\TaxControls.dll"

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh.exe advfirewall firewall delete rule name="RESA SMART - Resa Launcher" dir=in program="C:\ResaApps\ResaLauncher.exe" profile=domain,private,public remoteip=206.57.134.17

Uses netsh to modify the Windows network and firewall settings

Source: C:\ProgramData\mia533A.tmp\resa launcher install.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Windows Management Instrumentation	1 Windows Service	1 Windows Service	33 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	2 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	11 Peripheral Device Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	2 System Owner/User Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	22 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Source	Detection	Scanner
C:\ProgramData\mia533A.tmp\mia.lib	0%	ReversingLabs
C:\Users\user\AppData\Local\IIIQF\7z.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\mia1\AdvFirewallEXEPlugIn.dll	6%	ReversingLabs
C:\Users\user\AppData\Local\Temp\mia1\mFileBagEXE.dll	0%	ReversingLabs
C:\Program Files\Microsoft SQL Server\110\KeyFile\1033\sqlncli_keyfile.dll	0%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
portal.resa.net	206.57.141.42	true	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
206.57.141.42	portal.resa.net	United States		393581	WAYNENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1449101
Start date and time:	2024-05-29 18:29:33 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	58
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	Resa Launcher Install.exe
Detection:	MAL
Classification:	mal52.evad.winEXE@60/217@1/4
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtSetValueKey calls found.
Timeout during stream target processing, analysis might miss dynamic analysis data
VT rate limit hit for: Resa Launcher Install.exe

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	142198
Entropy (8bit):	4.8636486681530595
Encrypted:	false
SSDEEP:
MD5:	0A641594A73B9B91228863C5B57FDE4E
SHA1:	DE9C9436D3399B88DFDCDAAD32A40B94347903B5
SHA-256:	80466A9E6BD1C71464FF12A91DF2E747B066FEB613105CCA5B25FBF313A7A005
SHA-512:	29B49CBB5790C27A3A8BA1D12E77A9E4C80F946D6DE8D7D6855B6E3019F41AB7D31821C66DE81870F8396A2D2EBE56B1F17B1476B80D09ECC2591241A3C0A71C
Malicious:	false
Reputation:	unknown
Preview:	...@IXOS.@.....@.c.X.@.....@.....@.....@.....@.....@......&.{D19A7273-0D14-44C3-95A2-2FBB862BA70E}..Crystal 8.5 for W11..crystal 8.5 for w11.msi.@.....@.....@.....@........\PROGRA~3\mia7875.tmp\&.{34298CBE-CEDC-4FE1-85C1-841B00345C2F}.....@.....@.....@.....@.......@.....@.....@.......@......Crystal 8.5 for W11......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{3ADD4FAA-1C8F-4DA8-BBBB-26CA4343830B}&.{D19A7273-0D14-44C3-95A2-2FBB862BA70E}.@......&.{FC238125-ED70-4322-B4B7-719B36409CE9}&.{D19A7273-0D14-44C3-95A2-2FBB862BA70E}.@......&.{2CFC096A-175E-45AD-99AC-D32E7946A853}&.{D19A7273-0D14-44C3-95A2-2FBB862BA70E}.@......&.{B4FAA560-15A4-4DE3-B326-1E5EEED915C4}&.{D19A7273-0D14-44C3-95A2-2FBB862BA70E}.@......&.{426DB683-838A-4493-BCE9-796514F8751D}&.{D19A7273-0D14-44C3-95A2-2FBB862BA70E}.@......&.{61218C32-63B7-44CC-9531-0DE156E43C49}&.{D19A7273-0D14-44C3-95A2-2FBB862BA70E}.@......&.{8770B2C3-5

Process:	C:\Users\user\Desktop\Resa Launcher Install.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	342096
Entropy (8bit):	6.531489968907709
Encrypted:	false
SSDEEP:
MD5:	4930A47E0762174D96B47249F8913261
SHA1:	4FF9A34E738D9F74EA5EAAB09E38BA3F7759120F
SHA-256:	B3E5A5F4F0DEC5AFF7B8BDB824AD47F9204DAABC875BCF4E7344538243D474EA
SHA-512:	575FC7A72EB33E6319FA77031A19720AA372F5A9E8CCB167D8CABB9B4B7BFA5BFD94940E2C5664E566EAD01A3ECE3AE03BDAEE9BB646592453AB80A008C05483
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........f...5...5...5...5...5...5...5l..5...5...5...5..5...5...59..5..5...5l..5...5<..5...5l..5...5Rich...5........................PE..L......V...........!.....0..........Os.......@....V..........................0......................................0...................p...............P(......t7...................................................@..(............................text....(.......0.................. ..`.rdata...O...@...P...@..............@..@.data....a.......P..................@....rsrc...p...........................@..@.reloc...C.......P..................@..B........................................................................................................................................................................................................................................................................................................

Process:	C:\ProgramData\{FF44E8D3-41BA-4ACE-9A65-4CDAFDBA82FC}\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	165968
Entropy (8bit):	6.174405424812059
Encrypted:	false
SSDEEP:
MD5:	7D8C2F20B3342CC2452230EFBFE8F982
SHA1:	7144C8A06FC1154BDC92DF2770487FF1788D1223
SHA-256:	AB45F9BC0BB75DC27769D71F96F9C42A1F83E4DA8C12E424CB83C5EDB243FDC2
SHA-512:	5613500A86F290FC26689ECE4E756C24B412CBE36FB08FF3BF32820E1D0F3CAC8C9B8A3C363547DE264B17E8066A94F8CF7F49D769D0C093D56C51C5086729BA
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........u_A...A...A.......D.......J..............W...A...B...#...H...A...2.......n.......@.......@...RichA...........PE..L.....{:...........!................:..............@............................................................................x.... ..h?...........`..P(...`..8....................................................................................text...%}.......................... ..`.rdata...$.......0..................@..@.data....X.......@..................@....rsrc...h?... ...@..................@..@.reloc..z....`... ...@..............@..BP .:8...P .:E...P .:O.....};Z...P .:g...P .:q...........KERNEL32.dll.NTDLL.DLL.USER32.dll.COMCTL32.dll.GDI32.dll.ADVAPI32.dll...........................................................................................................................................................................................

Process:	C:\ProgramData\mia7875.tmp\crystal 8.5 for w11.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	240
Entropy (8bit):	5.170379201408242
Encrypted:	false
SSDEEP:
MD5:	D36D6E3A6AA5C5CEE2DADEED6BA7AE9A
SHA1:	AE7E343DEE2A5F939A3F588244A2E2EF6568FCC6
SHA-256:	FFE1B7019C080224003F1E36F72DEC496677486DF4B8444B251E9F348197BA0D
SHA-512:	FDB596DC5B3B347EF8A31DF9A1F6F97F68B76D9A6B7096EB592B33F834F8566B742F15C78059A03142BB14CA17887B56D0E82E65584C52B46045A0EBA3A7C26C
Malicious:	false
Reputation:	unknown
Preview:	MYAH-PREDEF-COMPONENT..$..TRUE..$..$..$..$..MYAH-PREDEF-COMPONENT..23318464..$..C:\ResaApps ..TRUE..Crystal 8.5 for W11..C:\PROGRA~3\mia7875.tmp\data\..MYAH64WOW..Win32..OVERRIDECACHE....NATIVE_ENGINE..FALSE..ANAPPLYINSTALLWASCALLED..TRUE..

Process:	C:\ResaApps\ResaLauncher.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	27
Entropy (8bit):	3.7225059102772766
Encrypted:	false
SSDEEP:
MD5:	F6266207953D0C31150114602E557F8C
SHA1:	47FEC6C4D4A5E9C6E94C7E8C95541042D008E438
SHA-256:	08D55B66CA64D642F01FAD2A3F822A3470B8344E71B55C728E5A1D43F9DE58C3
SHA-512:	5982AABD449C33DE70BF6810EFF4887BC3B64F0BDF65C822257405E04BC00F5AA2C409DF7800F385352003491032FF23B2A2347FF53A7BCBF3C8CF389BE62FEA
Malicious:	false
Reputation:	unknown
Preview:	..[AppOptions]..LEA=?????..

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	2464
Entropy (8bit):	3.246703230844766
Encrypted:	false
SSDEEP:
MD5:	4B36006AE20DB6ADBFEDBA36D035E048
SHA1:	8B4582C81960115BF10752222F43CB6B5AF61190
SHA-256:	AD46C261AC1F56387496C5EC681329959A4AC18696CC78C84CBCD0D38CA4580E
SHA-512:	8815A4FB808A929595F3A3F41D4C1C3F0293C2C9465401F9D263E64F4C50B0CA0940EDB584284C4297C960C18B5B8E6C29DBF3A8587245DB2594AD23BE3D6D65
Malicious:	false
Reputation:	unknown
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. W.e.d. .. M.a.y. .. 2.9. .. 2.0.2.4. .1.2.:.3.1.:.2.4.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e........................................ .W.S.C. .S.t.a.t.e. .I.n.f.o. ................................................................. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. ..............................d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	44
Entropy (8bit):	4.073210744553412
Encrypted:	false
SSDEEP:
MD5:	656D246C6CE9A47F07EC793B6BB27F07
SHA1:	0C098838274F64DBB02500A68B855E6703DDDAF1
SHA-256:	77429FFF9C65F96BC190C4C14916423F0196A2A570970A095285364743172AF4
SHA-512:	9E47C89948CF63770F5E59B793B8625364C9F9B679B80B9CD821ABC9866C0BC23608AEEE9794AC45E547FF11BBD47DA7BDA640D72218507EE2FA9382A9419476
Malicious:	false
Reputation:	unknown
Preview:	..No rules match the specified criteria.....

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.995416882704876
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Resa Launcher Install.exe
File size:	19'256'760 bytes
MD5:	0f675d8a82d7e2d9198d1308bcfc2918
SHA1:	c284c27bcee5f0b8b978451f7db76f61ca6748eb
SHA256:	d78698c0ca1ed1aaae2c7fe878cc3d88133f0b7fa2a2430254a9ce44c3ba1949
SHA512:	4cb352e11d8f4ee9ffdaeb75e8f377c39cd7ce82d781f38a01c86b5ec8a96f9cb19b79a606637e2f7a2833af84bea3bd21a7e1daddaddf8f2495b336c4b0894f
SSDEEP:	393216:H2hvuGZfr8bwN3SLav40ml7i5IbYjvlZsZ5teX4:Wv5LN5ms55NZ34
TLSH:	22173390A3FA80A4F8B73BB12E795669063FBD615B75D4DB8308051E8E727D0AC74327
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ew..............\|.......\|.......\|........t.......b..............\|.......V.......\|......Rich............................PE..L..

Entrypoint:	0x422c58
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x62E46D6B [Fri Jul 29 23:29:47 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	b48671fed9d5ca4906417d42fcdb066b

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	24/01/2024 01:00:00 24/01/2025 00:59:59
Subject Chain	CN=Wayne Regional Educational Service Agency, O=Wayne Regional Educational Service Agency, L=Wayne, S=Michigan, C=US
Version:	3
Thumbprint MD5:	36F748804F5A743F035FE4B1AA23A49B
Thumbprint SHA-1:	3BAE0DE2F7B626409FE864AB57AD522E0C6A1C3B
Thumbprint SHA-256:	0E3176DBE92C6E19AF318705C307B8A0E01690549EC1BE5B72DB1DB873F027F5
Serial:	01B58B4815DB021609F43354AB97BA78

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3a5d8	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x45000	0x1aba0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x125ad68	0x2850
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x35200	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x32000	0x284	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x302ed	0x30400	2038b7d87842b64c67b899ba5e78dc0d	False	0.5152303270725389	data	6.494109860999288	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x32000	0x93e8	0x9400	9065fae2bc62d08ab84e542ac170dd32	False	0.34588788006756754	data	4.655429443140589	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3c000	0x8400	0x2400	3b1c2c3bd274b21289a8012d58d091b2	False	0.2587890625	data	4.215578104820278	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x45000	0x1aba0	0x1ac00	bf1e463adbdd2c91a8e4ae558e65e78f	False	0.09867844626168225	data	3.8678528068197666	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x45d14	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.35261194029850745
RT_ICON	0x46bbc	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.36236462093862815
RT_ICON	0x47464	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.3302023121387283
RT_ICON	0x479cc	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.27842323651452283
RT_ICON	0x49f74	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.3557692307692308
RT_ICON	0x4b01c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.4512411347517731
RT_DIALOG	0x4b484	0x1d8	data			0.5720338983050848
RT_DIALOG	0x4b65c	0x1be	data			0.5605381165919282
RT_DIALOG	0x4b81c	0x54	data			0.7619047619047619
RT_STRING	0x4b870	0x4a4	data	Arabic	Saudi Arabia	0.28703703703703703
RT_STRING	0x4bd14	0x4a4	data	Catalan	Spain	0.28703703703703703
RT_STRING	0x4c1b8	0x4a4	data	Chinese	Taiwan	0.28703703703703703
RT_STRING	0x4c65c	0x4a4	data	Czech	Czech Republic	0.28703703703703703
RT_STRING	0x4cb00	0x4a4	data	Danish	Denmark	0.28703703703703703
RT_STRING	0x4cfa4	0x4a4	data	German	Germany	0.28703703703703703
RT_STRING	0x4d448	0x4a4	data	Greek	Greece	0.28703703703703703
RT_STRING	0x4d8ec	0x4a4	data	English	United States	0.28703703703703703
RT_STRING	0x4dd90	0x4a4	data	Finnish	Finland	0.28703703703703703
RT_STRING	0x4e234	0x4a4	data	French	France	0.28703703703703703
RT_STRING	0x4e6d8	0x4a4	data	Hebrew	Israel	0.28703703703703703
RT_STRING	0x4eb7c	0x4a4	data	Hungarian	Hungary	0.28703703703703703
RT_STRING	0x4f020	0x4a4	data	Italian	Italy	0.28703703703703703
RT_STRING	0x4f4c4	0x4a4	data	Japanese	Japan	0.28703703703703703
RT_STRING	0x4f968	0x4a4	data	Korean	North Korea	0.28703703703703703
RT_STRING	0x4f968	0x4a4	data	Korean	South Korea	0.28703703703703703
RT_STRING	0x4fe0c	0x4a4	data	Dutch	Netherlands	0.28703703703703703
RT_STRING	0x502b0	0x4a4	data	Norwegian	Norway	0.28703703703703703
RT_STRING	0x50754	0x4a4	data	Polish	Poland	0.28703703703703703
RT_STRING	0x50bf8	0x4a4	data	Portuguese	Brazil	0.28703703703703703
RT_STRING	0x5109c	0x4a4	data	Romanian	Romania	0.28703703703703703
RT_STRING	0x51540	0x4a4	data	Russian	Russia	0.28703703703703703
RT_STRING	0x519e4	0x4a4	data	Croatian	Croatia	0.28703703703703703
RT_STRING	0x51e88	0x4a4	data	Slovak	Slovakia	0.28703703703703703
RT_STRING	0x5232c	0x4a4	data	Swedish	Sweden	0.28703703703703703
RT_STRING	0x527d0	0x4a4	data	Thai	Thailand	0.28703703703703703
RT_STRING	0x52c74	0x4a4	data	Turkish	Turkey	0.28703703703703703
RT_STRING	0x53118	0x4a4	data	Slovenian	Slovenia	0.28703703703703703
RT_STRING	0x535bc	0x4a4	data	Estonian	Estonia	0.28703703703703703
RT_STRING	0x53a60	0x4a4	data	Latvian	Lativa	0.28703703703703703
RT_STRING	0x53f04	0x4a4	data	Lithuanian	Lithuania	0.28703703703703703
RT_STRING	0x543a8	0x4a4	data	Vietnamese	Vietnam	0.28703703703703703
RT_STRING	0x5484c	0x4a4	data	Basque	France	0.28703703703703703
RT_STRING	0x5484c	0x4a4	data	Basque	Spain	0.28703703703703703
RT_STRING	0x54cf0	0x4a4	data	Chinese	China	0.28703703703703703
RT_STRING	0x55194	0x4a4	data	Portuguese	Portugal	0.28703703703703703
RT_STRING	0x55638	0x4a4	data			0.28703703703703703
RT_STRING	0x55adc	0x2f2	data	Arabic	Saudi Arabia	0.42572944297082227
RT_STRING	0x55dd0	0x2f2	data	Catalan	Spain	0.42572944297082227
RT_STRING	0x560c4	0x2f2	data	Chinese	Taiwan	0.42572944297082227
RT_STRING	0x563b8	0x2f2	data	Czech	Czech Republic	0.42572944297082227
RT_STRING	0x566ac	0x2f2	data	Danish	Denmark	0.42572944297082227
RT_STRING	0x569a0	0x2f2	data	German	Germany	0.42572944297082227
RT_STRING	0x56c94	0x2f2	data	Greek	Greece	0.42572944297082227
RT_STRING	0x56f88	0x2f2	data	English	United States	0.42572944297082227
RT_STRING	0x5727c	0x2f2	data	Finnish	Finland	0.42572944297082227
RT_STRING	0x57570	0x2f2	data	French	France	0.42572944297082227
RT_STRING	0x57864	0x2f2	data	Hebrew	Israel	0.42572944297082227
RT_STRING	0x57b58	0x2f2	data	Hungarian	Hungary	0.42572944297082227
RT_STRING	0x57e4c	0x2f2	data	Italian	Italy	0.42572944297082227
RT_STRING	0x58140	0x2f2	data	Japanese	Japan	0.42572944297082227
RT_STRING	0x58434	0x2f2	data	Korean	North Korea	0.42572944297082227
RT_STRING	0x58434	0x2f2	data	Korean	South Korea	0.42572944297082227
RT_STRING	0x58728	0x2f2	data	Dutch	Netherlands	0.42572944297082227
RT_STRING	0x58a1c	0x2f2	data	Norwegian	Norway	0.42572944297082227
RT_STRING	0x58d10	0x2f2	data	Polish	Poland	0.42572944297082227
RT_STRING	0x59004	0x2f2	data	Portuguese	Brazil	0.42572944297082227
RT_STRING	0x592f8	0x2f2	data	Romanian	Romania	0.42572944297082227
RT_STRING	0x595ec	0x2f2	data	Russian	Russia	0.42572944297082227
RT_STRING	0x598e0	0x2f2	data	Croatian	Croatia	0.42572944297082227
RT_STRING	0x59bd4	0x2f2	data	Slovak	Slovakia	0.42572944297082227
RT_STRING	0x59ec8	0x2f2	data	Swedish	Sweden	0.42572944297082227
RT_STRING	0x5a1bc	0x2f2	data	Thai	Thailand	0.42572944297082227
RT_STRING	0x5a4b0	0x2f2	data	Turkish	Turkey	0.42572944297082227
RT_STRING	0x5a7a4	0x2f2	data	Slovenian	Slovenia	0.42572944297082227
RT_STRING	0x5aa98	0x2f2	data	Estonian	Estonia	0.42572944297082227
RT_STRING	0x5ad8c	0x2f2	data	Latvian	Lativa	0.42572944297082227
RT_STRING	0x5b080	0x2f2	data	Lithuanian	Lithuania	0.42572944297082227
RT_STRING	0x5b374	0x2f2	data	Vietnamese	Vietnam	0.42572944297082227
RT_STRING	0x5b668	0x2f2	data	Basque	France	0.42572944297082227
RT_STRING	0x5b668	0x2f2	data	Basque	Spain	0.42572944297082227
RT_STRING	0x5b95c	0x2f2	data	Chinese	China	0.42572944297082227
RT_STRING	0x5bc50	0x2f2	data	Portuguese	Portugal	0.42572944297082227
RT_STRING	0x5bf44	0x2f2	data			0.42572944297082227
RT_STRING	0x5c238	0x106	data	Arabic	Saudi Arabia	0.5076335877862596
RT_STRING	0x5c340	0x106	data	Catalan	Spain	0.5076335877862596
RT_STRING	0x5c448	0x106	data	Chinese	Taiwan	0.5076335877862596
RT_STRING	0x5c550	0x106	data	Czech	Czech Republic	0.5076335877862596
RT_STRING	0x5c658	0x106	data	Danish	Denmark	0.5076335877862596
RT_STRING	0x5c760	0x106	data	German	Germany	0.5076335877862596
RT_STRING	0x5c868	0x106	data	Greek	Greece	0.5076335877862596
RT_STRING	0x5c970	0x106	data	English	United States	0.5076335877862596
RT_STRING	0x5ca78	0x106	data	Finnish	Finland	0.5076335877862596
RT_STRING	0x5cb80	0x106	data	French	France	0.5076335877862596
RT_STRING	0x5cc88	0x106	data	Hebrew	Israel	0.5076335877862596
RT_STRING	0x5cd90	0x106	data	Hungarian	Hungary	0.5076335877862596
RT_STRING	0x5ce98	0x106	data	Italian	Italy	0.5076335877862596
RT_STRING	0x5cfa0	0x106	data	Japanese	Japan	0.5076335877862596
RT_STRING	0x5d0a8	0x106	data	Korean	North Korea	0.5076335877862596
RT_STRING	0x5d0a8	0x106	data	Korean	South Korea	0.5076335877862596
RT_STRING	0x5d1b0	0x106	data	Dutch	Netherlands	0.5076335877862596
RT_STRING	0x5d2b8	0x106	data	Norwegian	Norway	0.5076335877862596
RT_STRING	0x5d3c0	0x106	data	Polish	Poland	0.5076335877862596
RT_STRING	0x5d4c8	0x106	data	Portuguese	Brazil	0.5076335877862596
RT_STRING	0x5d5d0	0x106	data	Romanian	Romania	0.5076335877862596
RT_STRING	0x5d6d8	0x106	data	Russian	Russia	0.5076335877862596
RT_STRING	0x5d7e0	0x106	data	Croatian	Croatia	0.5076335877862596
RT_STRING	0x5d8e8	0x106	data	Slovak	Slovakia	0.5076335877862596
RT_STRING	0x5d9f0	0x106	data	Swedish	Sweden	0.5076335877862596
RT_STRING	0x5daf8	0x106	data	Thai	Thailand	0.5076335877862596
RT_STRING	0x5dc00	0x106	data	Turkish	Turkey	0.5076335877862596
RT_STRING	0x5dd08	0x106	data	Slovenian	Slovenia	0.5076335877862596
RT_STRING	0x5de10	0x106	data	Estonian	Estonia	0.5076335877862596
RT_STRING	0x5df18	0x106	data	Latvian	Lativa	0.5076335877862596
RT_STRING	0x5e020	0x106	data	Lithuanian	Lithuania	0.5076335877862596
RT_STRING	0x5e128	0x106	data	Vietnamese	Vietnam	0.5076335877862596
RT_STRING	0x5e230	0x106	data	Basque	France	0.5076335877862596
RT_STRING	0x5e230	0x106	data	Basque	Spain	0.5076335877862596
RT_STRING	0x5e338	0x106	data	Chinese	China	0.5076335877862596
RT_STRING	0x5e440	0x106	data	Portuguese	Portugal	0.5076335877862596
RT_STRING	0x5e548	0x106	data			0.5076335877862596
RT_GROUP_ICON	0x5e650	0x5a	data	English	United States	0.7
RT_VERSION	0x5e6ac	0x1084	data	English	United States	0.1000473036896878
RT_MANIFEST	0x5f730	0x470	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4507042253521127

DLL	Import
KERNEL32.dll	GetLastError, ResetEvent, CreateEventW, CloseHandle, MultiByteToWideChar, WideCharToMultiByte, FreeLibrary, LoadLibraryW, GetModuleFileNameW, FormatMessageW, LocalFree, GetWindowsDirectoryW, CreateFileW, SetFileTime, SetFileAttributesW, RemoveDirectoryW, CreateDirectoryW, GetFileInformationByHandle, DeleteFileW, GetShortPathNameW, GetFullPathNameW, lstrlenW, GetCurrentDirectoryW, GetTempFileNameW, FindClose, FindFirstFileW, FindNextFileW, GetFileSize, SetFilePointer, ReadFile, WriteFile, SetEndOfFile, DeleteCriticalSection, GetStdHandle, EnterCriticalSection, LeaveCriticalSection, WaitForMultipleObjects, GetCurrentProcessId, InitializeCriticalSection, QueryPerformanceCounter, GetTickCount, Sleep, LocalAlloc, GetProcAddress, SetCurrentDirectoryW, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, SetThreadUILanguage, SetThreadLocale, GetVersion, GetCommandLineW, CreateProcessW, GetExitCodeProcess, FlushFileBuffers, CreateFileA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, LCMapStringW, LCMapStringA, GetStringTypeW, GetStringTypeA, GetConsoleMode, GetConsoleCP, GetLocaleInfoA, IsValidCodePage, GetOEMCP, RaiseException, GetACP, GetCPInfo, LoadLibraryA, RtlUnwind, InitializeCriticalSectionAndSpinCount, GetSystemTimeAsFileTime, WaitForSingleObject, SetEvent, GetVersionExW, VirtualAlloc, GetCurrentThreadId, VirtualFree, GetFileType, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, HeapSize, InterlockedDecrement, SetLastError, InterlockedIncrement, TlsFree, TlsSetValue, TlsAlloc, HeapFree, HeapAlloc, ExitThread, CreateThread, HeapReAlloc, GetCommandLineA, GetStartupInfoA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapCreate, GetModuleHandleW, ExitProcess, GetModuleFileNameA, TlsGetValue
USER32.dll	SetForegroundWindow, CharUpperW, GetWindowRect, DestroyWindow, RegisterWindowMessageW, AdjustWindowRect, LoadImageW, LoadIconW, KillTimer, SetTimer, EndDialog, IsDlgButtonChecked, SetDlgItemTextW, GetDlgItem, SetWindowTextW, GetWindowTextW, GetWindowTextLengthW, LoadStringW, DialogBoxParamW, CreateDialogParamW, SystemParametersInfoW, PeekMessageW, GetDesktopWindow, MessageBoxW, SendMessageW, GetWindowLongW, SetWindowLongW, ShowWindow, MoveWindow, PostMessageW
GDI32.dll	GetObjectW
ADVAPI32.dll	RegSetValueExW, RegCreateKeyExW, RegCloseKey
SHELL32.dll	SHGetFolderPathW, ShellExecuteExW
ole32.dll	CoInitializeEx, CoInitialize, CoCreateInstance
OLEAUT32.dll	SysAllocStringLen, SysFreeString, VariantClear, SysAllocString

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Resa Launcher Install.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Created / dropped Files

C:\Config.Msi\649c0c.rbs

C:\Config.Msi\649c10.rbs

C:\Config.Msi\649c14.rbs

C:\Program Files (x86)\Microsoft SQL Server\110\License Terms\License_SQLNCLI_ENU.txt

C:\Program Files\Microsoft SQL Server\110\KeyFile\1033\sqlncli_keyfile.dll

C:\Program Files\Microsoft SQL Server\110\SDK\Include\sqlncli.h

C:\Program Files\Microsoft SQL Server\110\SDK\Lib\x64\sqlncli11.lib

C:\Program Files\Microsoft SQL Server\110\SDK\Lib\x86\sqlncli11.lib

C:\ProgramData\mia533A.tmp\data\OFFLINE\5D8AC0F0\91B5C31C\TaxControls.dll

C:\ProgramData\mia533A.tmp\data\OFFLINE\607A9F5C\988B0B4D\ResaLauncher.exe

C:\ProgramData\mia533A.tmp\data\OFFLINE\851024AE\356DA8CB\ResaScannerHelper.exe

C:\ProgramData\mia533A.tmp\data\OFFLINE\AdvFirewallIDEPlugIn.dll\AdvFirewallEXEPlugIn.dll

C:\ProgramData\mia533A.tmp\data\OFFLINE\F82E73DF\548C85B\ResaReportView.exe

C:\ProgramData\mia533A.tmp\data\OFFLINE\mFileBagIDE.dll\485E7F52\Crystal 8.5 for W11.exe

C:\ProgramData\mia533A.tmp\data\OFFLINE\mFileBagIDE.dll\AB71956E\sqlncli.msi

C:\ProgramData\mia533A.tmp\data\OFFLINE\mFileBagIDE.dll\mFileBagEXE.dll

C:\ProgramData\mia533A.tmp\data\OFFLINE\mMSI.dll\mMSIExec.dll

C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\cabinet.dll

C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\imagehlp.dll

C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\instmsi.msi

C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\msi.dll

C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\msiexec.exe

C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\msihnd.dll

C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\msiinst.exe

C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\msimain.sdb

C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\msimsg.dll

C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\msisip.dll

C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\msls31.dll

C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\mspatcha.dll

C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\riched20.dll

C:\ProgramData\mia533A.tmp\data\OFFLINE\mWinRun.dll\ansi\sdbapi.dll

Windows Analysis Report
Resa Launcher Install.exe

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre