
Windows Analysis Report
setup.exe

Overview

General Information

Sample name: setup.exe
Analysis ID: 1465684
MD5: 1b898df684811054d405e9c31fddd80a
SHA1: 9a322fd8e07427ce716f0dd9210ff563091e32de
SHA256: 7386925178799b6b5a78e550ab756eedb61bb62adc8db66623f4a60dff30fe92
Tags: exe, RedLineStealer

Detection

RedLine
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
.NET source code contains very large strings
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • setup.exe (PID: 6868 cmdline: "C:\Users\user\Desktop\setup.exe" MD5: 1B898DF684811054D405E9C31FDDD80A)
    • conhost.exe (PID: 6900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Malware configuration (RedLine): {"C2 url": "141.94.188.138:46419", "Bot Id": "pon"}
Source | Rule | Description | Author | Strings
00000000.00000002.2899290245.00000000053B0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
    00000000.00000002.2899290245.00000000053B0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
      00000000.00000002.2899290245.00000000053B0000.00000004.08000000.00040000.00000000.sdmp | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown
      • 0xdd0:$a3: Software\Valve\SteamLogin Data
      • 0x16874:$a4: get_ScannedWallets
      • 0x153ce:$a5: get_ScanTelegram
      • 0x163f4:$a6: get_ScanGeckoBrowsersPaths
      • 0x13fcc:$a7: <Processes>k__BackingField
      • 0x11c52:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
      • 0x13906:$a9: <ScanFTP>k__BackingField
      00000000.00000002.2899290245.00000000053B0000.00000004.08000000.00040000.00000000.sdmp | Windows_Trojan_RedLineStealer_3d9371fd | unknown | unknown
      • 0x16f90:$a1: get_encrypted_key
      • 0x1635f:$a2: get_PassedPaths
      • 0x14913:$a3: ChromeGetLocalName
      • 0x167ad:$a4: GetBrowsers
      • 0xdd0:$a5: Software\Valve\SteamLogin Data
      • 0x510:$a6: %appdata%\
      • 0x15e59:$a7: ScanPasswords
      00000000.00000002.2899290245.00000000053B0000.00000004.08000000.00040000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
      • 0x1331c:$u7: RunPE
      • 0x16e59:$u8: DownloadAndEx
      • 0x12e0:$pat14: , CommandLine:
      • 0x161f4:$v2_1: ListOfProcesses
      • 0x13578:$v2_2: get_ScanVPN
      • 0x13655:$v2_2: get_ScanFTP
      • 0x143b2:$v2_2: get_ScanDiscord
      • 0x153b2:$v2_2: get_ScanSteam
      • 0x153ce:$v2_2: get_ScanTelegram
      • 0x1547f:$v2_2: get_ScanScreen
      • 0x163bc:$v2_2: get_ScanChromeBrowsersPaths
      • 0x163f4:$v2_2: get_ScanGeckoBrowsersPaths
      • 0x1678b:$v2_2: get_ScanBrowsers
      • 0x16874:$v2_2: get_ScannedWallets
      • 0x168c8:$v2_2: get_ScanWallets
      • 0x168e8:$v2_3: GetArguments
      • 0x14c3b:$v2_4: VerifyUpdate
      • 0x16cce:$v2_5: VerifyScanRequest
      • 0x1626a:$v2_6: GetUpdates
      • 0x1985d:$v2_6: GetUpdates
      • 0x15de0:$v4_3: base64str
      Source | Rule | Description | Author | Strings
      0.2.setup.exe.3dc6ae0.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
        0.2.setup.exe.3dc6ae0.1.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown
        • 0x14a74:$a4: get_ScannedWallets
        • 0x135ce:$a5: get_ScanTelegram
        • 0x145f4:$a6: get_ScanGeckoBrowsersPaths
        • 0x121cc:$a7: <Processes>k__BackingField
        • 0xfe52:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
        • 0x11b06:$a9: <ScanFTP>k__BackingField
        0.2.setup.exe.3dc6ae0.1.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
        • 0x1151c:$u7: RunPE
        • 0x15059:$u8: DownloadAndEx
        • 0x143f4:$v2_1: ListOfProcesses
        • 0x11778:$v2_2: get_ScanVPN
        • 0x11855:$v2_2: get_ScanFTP
        • 0x125b2:$v2_2: get_ScanDiscord
        • 0x135b2:$v2_2: get_ScanSteam
        • 0x135ce:$v2_2: get_ScanTelegram
        • 0x1367f:$v2_2: get_ScanScreen
        • 0x145bc:$v2_2: get_ScanChromeBrowsersPaths
        • 0x145f4:$v2_2: get_ScanGeckoBrowsersPaths
        • 0x1498b:$v2_2: get_ScanBrowsers
        • 0x14a74:$v2_2: get_ScannedWallets
        • 0x14ac8:$v2_2: get_ScanWallets
        • 0x14ae8:$v2_3: GetArguments
        • 0x12e3b:$v2_4: VerifyUpdate
        • 0x14ece:$v2_5: VerifyScanRequest
        • 0x1446a:$v2_6: GetUpdates
        • 0x17a5d:$v2_6: GetUpdates
        • 0x13fe0:$v4_3: base64str
        • 0x1513d:$v4_4: stringKey
        0.2.setup.exe.53b0000.3.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
          0.2.setup.exe.53b0000.3.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown
          • 0x14a74:$a4: get_ScannedWallets
          • 0x135ce:$a5: get_ScanTelegram
          • 0x145f4:$a6: get_ScanGeckoBrowsersPaths
          • 0x121cc:$a7: <Processes>k__BackingField
          • 0xfe52:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
          • 0x11b06:$a9: <ScanFTP>k__BackingField
          No Sigma rule has matched
          No Snort rule has matched

          AV Detection

          Source: setup.exe | Avira: detected
          Source: 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "141.94.188.138:46419", "Bot Id": "pon"}
          Source: setup.exe | ReversingLabs: Detection: 60%
          Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
          Source: setup.exe | Joe Sandbox ML: detected
          Source: setup.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: setup.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb9 | source: setup.exe, 00000000.00000002.2897450427.0000000000F05000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb | source: setup.exe, 00000000.00000002.2897450427.0000000000F05000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.ServiceModel.pdb | source: setup.exe, 00000000.00000002.2897450427.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2899543825.00000000055FF000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdbd | source: setup.exe, 00000000.00000002.2897450427.0000000000F05000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb | source: setup.exe, 00000000.00000002.2897450427.0000000000F05000.00000004.00000020.00020000.00000000.sdmp

          Networking

          Source: Malware configuration extractor | URLs: 141.94.188.138:46419
          Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 141.94.188.138:46419
          Source: Joe Sandbox View | IP Address: 141.94.188.138
          Source: Joe Sandbox View | ASN Name: DFNVereinzurFoerderungeinesDeutschenForschungsnetzese
          Source: unknown | TCP traffic detected without corresponding DNS query: 141.94.188.138 (this entry is repeated 23 times in the report)
          Source: setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
          • http://docs.oasis-open.org/ws-rx/wsrm/200702
          • http://docs.oasis-open.org/ws-rx/wsrm/200702/AckRequested
          • http://docs.oasis-open.org/ws-rx/wsrm/200702/CloseSequence
          • http://docs.oasis-open.org/ws-rx/wsrm/200702/CloseSequenceResponse
          • http://docs.oasis-open.org/ws-rx/wsrm/200702/CreateSequence
          • http://docs.oasis-open.org/ws-rx/wsrm/200702/CreateSequenceResponse
          • http://docs.oasis-open.org/ws-rx/wsrm/200702/SequenceAcknowledgement
          • http://docs.oasis-open.org/ws-rx/wsrm/200702/TerminateSequence
          • http://docs.oasis-open.org/ws-rx/wsrm/200702/TerminateSequenceResponse
          • http://docs.oasis-open.org/ws-rx/wsrm/200702/fault
          • http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512
          • http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk
          • http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk/p_sha1
          • http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct
          • http://docs.oasis-open.org/ws-sx/ws-trust/200512
          • http://docs.oasis-open.org/ws-sx/ws-trust/200512#BinarySecret
          • http://docs.oasis-open.org/ws-sx/ws-trust/200512/AsymmetricKey
          • http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
          • http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1
          • http://docs.oasis-open.org/ws-sx/ws-trust/200512/Cancel
          • http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
          • http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce
          • http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey
          • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel
          • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue
          • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew
          • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT
          • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT/Cancel
          • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT/Renew
          • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Cancel
          • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/CancelFinal
          • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Issueh
          • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Renew
          • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/RenewFinal
          • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/SCT
          • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/SCT/Cancel
          • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/SCT/Renew
          • http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal
          • http://docs.oasis-open.org/ws-sx/ws-trust/200512/Renew
          • http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey
          • http://docs.oasis-open.org/ws-tx/wsat/2006/06
          • http://docs.oasis-open.org/ws-tx/wsat/2006/06/Aborted
          • http://docs.oasis-open.org/ws-tx/wsat/2006/06/Commit
          • http://docs.oasis-open.org/ws-tx/wsat/2006/06/Committed
          • http://docs.oasis-open.org/ws-tx/wsat/2006/06/Completion
          • http://docs.oasis-open.org/ws-tx/wsat/2006/06/Durable2PC
          • http://docs.oasis-open.org/ws-tx/wsat/2006/06/Prepare
          • http://docs.oasis-open.org/ws-tx/wsat/2006/06/Prepared
          • http://docs.oasis-open.org/ws-tx/wsat/2006/06/ReadOnly
          • http://docs.oasis-open.org/ws-tx/wsat/2006/06/Replay
          • http://docs.oasis-open.org/ws-tx/wsat/2006/06/Rollback
          • http://docs.oasis-open.org/ws-tx/wsat/2006/06/Volatile2PC
          • http://docs.oasis-open.org/ws-tx/wsat/2006/06/fault
          • http://docs.oasis-open.org/ws-tx/wscoor/2006/06
          • http://docs.oasis-open.org/ws-tx/wscoor/2006/06/CreateCoordinationContext
          • http://docs.oasis-open.org/ws-tx/wscoor/2006/06/CreateCoordinationContextResponse
          • http://docs.oasis-open.org/ws-tx/wscoor/2006/06/Register
          • http://docs.oasis-open.org/ws-tx/wscoor/2006/06/RegisterResponse
          • http://docs.oasis-open.org/ws-tx/wscoor/2006/06/fault
          • http://schemas.datacontract.org/2004/07/
          • http://schemas.xmlsoap.org/soap/actor/next
          • http://schemas.xmlsoap.org/soap/envelope/
          • http://schemas.xmlsoap.org/ws/2004/08/addressing
          • http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
          • http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
          • http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
          • http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
          • http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
          • http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
          • http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
          • http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
          • http://schemas.xmlsoap.org/ws/2005/02/rmd
          • http://schemas.xmlsoap.org/ws/2005/02/trust
          • http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
          • http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
          • http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
          • http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
          • http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
          • http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyD
          • http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
          • http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
          • http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
          • http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
          • http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
          • http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
          • http://schemas.xmlsoap.org/ws/2005/05/identity
          • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
          • http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
          • http://tempuri.org/8
          Source: setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory:
          • http://tempuri.org/Endpoint/
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp | Strings found in binary or memory:
          • http://tempuri.org/Endpoint/CheckConnectLR
          • http://tempuri.org/Endpoint/CheckConnectResponseX
          • http://tempuri.org/Endpoint/ConfirmLR
          • http://tempuri.org/Endpoint/ConfirmResponseX
          • http://tempuri.org/Endpoint/EnvironmentSettingsLR
          • http://tempuri.org/Endpoint/EnvironmentSettingsResponseX
          • http://tempuri.org/Endpoint/GetUpdatesLR
          • http://tempuri.org/Endpoint/GetUpdatesResponseX
          • http://tempuri.org/Endpoint/InitDisplayLR
          • http://tempuri.org/Endpoint/InitDisplayResponseX
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/InitLR
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/InitResponseX
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartBrowsersLR
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartBrowsersResponseX
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartColdWalletsLR
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartColdWalletsResponseX
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartDefendersLR
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartDefendersResponseX
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartDiscordLR
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartDiscordResponseX
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartFtpConnectionsLR
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartFtpConnectionsResponseX
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartHardwaresLR
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartHardwaresResponseX
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartInstalledBrowsersLR
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartInstalledBrowsersResponseX
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartInstalledSoftwaresLR
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartInstalledSoftwaresResponseX
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartLanguagesLR
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartLanguagesResponseX
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartNordVPNLR
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartNordVPNResponseX
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartOpenVPNLR
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartOpenVPNResponseX
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartProcessesLR
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartProcessesResponseX
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartProtonVPNLR
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartProtonVPNResponseX
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartScannedFilesLR
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartScannedFilesResponseX
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartSteamFilesLR
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartSteamFilesResponseX
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartTelegramFilesLR
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/PartTelegramFilesResponseX
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentLR
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponseX
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateLR
          Source: setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponseX
          Source: setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Endpoint/h
          Source: setup.exe, 00000000.00000002.2898610137.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2899290245.00000000053B0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%

          System Summary

          Source: 0.2.setup.exe.3dc6ae0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
          Source: 0.2.setup.exe.3dc6ae0.1.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
          Source: 0.2.setup.exe.53b0000.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
          Source: 0.2.setup.exe.53b0000.3.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
          Source: 0.2.setup.exe.3daaec0.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
          Source: 0.2.setup.exe.3daaec0.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
          Source: 0.2.setup.exe.3daaec0.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
          Source: 0.2.setup.exe.3dc6ae0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
          Source: 0.2.setup.exe.3dc6ae0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
          Source: 0.2.setup.exe.3dc6ae0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
          Source: 0.2.setup.exe.53b0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
          Source: 0.2.setup.exe.53b0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
          Source: 0.2.setup.exe.53b0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
          Source: 0.2.setup.exe.3d8f290.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
          Source: 0.2.setup.exe.3d8f290.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
          Source: 0.2.setup.exe.3d8f290.2.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
          Source: 0.2.setup.exe.3daaec0.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
          Source: 0.2.setup.exe.3daaec0.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
          Source: 0.2.setup.exe.3daaec0.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
          Source: 0.2.setup.exe.3d8f290.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
          Source: 0.2.setup.exe.3d8f290.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
          Source: 0.2.setup.exe.3d8f290.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
          Source: 00000000.00000002.2899290245.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
          Source: 00000000.00000002.2899290245.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
          Source: 00000000.00000002.2899290245.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
          Source: 00000000.00000002.2898610137.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
          Source: 00000000.00000002.2898610137.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_3d9371fd Author: unknown
          Source: Process Memory Space: setup.exe PID: 6868, type: MEMORYSTRMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
          Source: setup.exe, Option.csLong String: Length: 151576
          Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_05263F30
          Source: C:\Users\user\Desktop\setup.exeCode function: 0_2_05263F20
          Source: setup.exe, 00000000.00000002.2898610137.0000000003C91000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOverpaints.exe4 vs setup.exe
          Source: setup.exe, 00000000.00000002.2899290245.00000000053B0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameOverpaints.exe4 vs setup.exe
          Source: setup.exe, 00000000.00000002.2897450427.0000000000E9A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs setup.exe
          Source: setup.exe, 00000000.00000000.1642969891.0000000000918000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameRegAsm.exeT vs setup.exe
          Source: setup.exeBinary or memory string: OriginalFilenameRegAsm.exeT vs setup.exe
          Source: setup.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara rules matched (rule metadata is listed once; each source below names the rules it matched):
- Windows_Trojan_RedLineStealer_f54632eb: reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
- Windows_Trojan_RedLineStealer_3d9371fd: reference_sample = 0ec522dfd9307772bf8b600a8b91fd6facd0bf4090c2b386afd20e955b25206a, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 2d7ff7894b267ba37a2d376b022bae45c4948ef3a70b1af986e7492949b5ae23, id = 3d9371fd-c094-40fc-baf8-f0e9e9a54ff9, last_modified = 2022-04-12
- MALWARE_Win_RedLine: snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.setup.exe.3dc6ae0.1.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_RedLineStealer_f54632eb, MALWARE_Win_RedLine
Source: 0.2.setup.exe.53b0000.3.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_RedLineStealer_f54632eb, MALWARE_Win_RedLine
Source: 0.2.setup.exe.3daaec0.0.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_RedLineStealer_f54632eb, Windows_Trojan_RedLineStealer_3d9371fd, MALWARE_Win_RedLine
Source: 0.2.setup.exe.3dc6ae0.1.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_RedLineStealer_f54632eb, Windows_Trojan_RedLineStealer_3d9371fd, MALWARE_Win_RedLine
Source: 0.2.setup.exe.53b0000.3.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_RedLineStealer_f54632eb, Windows_Trojan_RedLineStealer_3d9371fd, MALWARE_Win_RedLine
Source: 0.2.setup.exe.3d8f290.2.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_RedLineStealer_f54632eb, Windows_Trojan_RedLineStealer_3d9371fd, MALWARE_Win_RedLine
Source: 0.2.setup.exe.3daaec0.0.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_RedLineStealer_f54632eb, Windows_Trojan_RedLineStealer_3d9371fd, MALWARE_Win_RedLine
Source: 0.2.setup.exe.3d8f290.2.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_RedLineStealer_f54632eb, Windows_Trojan_RedLineStealer_3d9371fd, MALWARE_Win_RedLine
Source: 00000000.00000002.2899290245.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_RedLineStealer_f54632eb, Windows_Trojan_RedLineStealer_3d9371fd, MALWARE_Win_RedLine
Source: 00000000.00000002.2898610137.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_RedLineStealer_f54632eb, Windows_Trojan_RedLineStealer_3d9371fd
Source: Process Memory Space: setup.exe PID: 6868, type: MEMORYSTR | Matched rules: Windows_Trojan_RedLineStealer_f54632eb
Source: 0.2.setup.exe.3d8f290.2.raw.unpack, BrEx.cs | Base64 encoded string: (long encoded string omitted)
Source: 0.2.setup.exe.53b0000.3.raw.unpack, BrEx.cs | Base64 encoded string: (long encoded string omitted)
Source: 0.2.setup.exe.3daaec0.0.raw.unpack, BrEx.cs | Base64 encoded string: (long encoded string omitted)
Source: 0.2.setup.exe.3dc6ae0.1.raw.unpack, BrEx.cs | Base64 encoded string: (long encoded string omitted)
Source: classification engine | Classification label: mal96.troj.winEXE@2/0@0/1
Source: C:\Users\user\Desktop\setup.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6900:120:WilError_03
Source: setup.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: setup.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\setup.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: setup.exe | ReversingLabs: Detection: 60%
Source: unknown | Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"
Source: C:\Users\user\Desktop\setup.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\setup.exe | Sections loaded (in order): mscoree.dll, apphelp.dll, acgenral.dll, uxtheme.dll, winmm.dll, samcli.dll, msacm32.dll, version.dll, userenv.dll, dwmapi.dll, urlmon.dll, mpr.dll, sspicli.dll, winmmbase.dll, winmmbase.dll, iertutil.dll, srvcli.dll, netutils.dll, kernel.appcore.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, msasn1.dll, gpapi.dll, mswsock.dll
Source: C:\Users\user\Desktop\setup.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: setup.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: setup.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb9 | source: setup.exe, 00000000.00000002.2897450427.0000000000F05000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb | source: setup.exe, 00000000.00000002.2897450427.0000000000F05000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb | source: setup.exe, 00000000.00000002.2897450427.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2899543825.00000000055FF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdbd | source: setup.exe, 00000000.00000002.2897450427.0000000000F05000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb | source: setup.exe, 00000000.00000002.2897450427.0000000000F05000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\setup.exe | Process information set: NOOPENFILEERRORBOX (40 identical occurrences)
Source: C:\Users\user\Desktop\setup.exe | Memory allocated: 1070000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\setup.exe | Memory allocated: 2C90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\setup.exe | Memory allocated: 4C90000 memory reserve | memory write watch
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: setup.exe, 00000000.00000002.2897450427.0000000000F05000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllWWa
Source: C:\Users\user\Desktop\setup.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\setup.exe | Queries volume information: C:\Users\user\Desktop\setup.exe VolumeInformation
Source: C:\Users\user\Desktop\setup.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\setup.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\setup.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\setup.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\setup.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\setup.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

Source: Yara match | File source: 0.2.setup.exe.3dc6ae0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.setup.exe.53b0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.setup.exe.3daaec0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.setup.exe.3dc6ae0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.setup.exe.53b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.setup.exe.3d8f290.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.setup.exe.3daaec0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.setup.exe.3d8f290.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2899290245.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2898610137.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: setup.exe PID: 6868, type: MEMORYSTR
Source: Yara match | File source: 0.2.setup.exe.3daaec0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.setup.exe.3dc6ae0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.setup.exe.53b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.setup.exe.3d8f290.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.setup.exe.3daaec0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.setup.exe.3d8f290.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2899290245.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2898610137.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: setup.exe PID: 6868, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match | File source: 0.2.setup.exe.3dc6ae0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.setup.exe.53b0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.setup.exe.3daaec0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.setup.exe.3dc6ae0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.setup.exe.53b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.setup.exe.3d8f290.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.setup.exe.3daaec0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.setup.exe.3d8f290.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2899290245.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2898610137.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: setup.exe PID: 6868, type: MEMORYSTR
MITRE ATT&CK matrix (one column per tactic; a leading number in a cell is the count of matched signatures mapped to that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | 12 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Antivirus detection for the submitted sample:

Source | Detection | Scanner | Label | Link
setup.exe | 61% | ReversingLabs | ByteCode-MSIL.Trojan.RelineStealer |
setup.exe | 100% | Avira | HEUR/AGEN.1310137 |
setup.exe | 100% | Joe Sandbox ML | |
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label
http://schemas.xmlsoap.org/ws/2004/08/addressing | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust | 0% | URL Reputation | safe
http://docs.oasis-open.org/ws-rx/wsrm/200702/TerminateSequenceResponse | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-tx/wscoor/2006/06/fault | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/05/identity | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/CheckConnectResponseX | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-rx/wsrm/200702/CreateSequenceResponse | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/ConfirmResponseX | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/PartInstalledBrowsersLR | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/PartDiscordLR | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-rx/wsrm/200702/CloseSequenceResponse | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/SCT | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-tx/wscoor/2006/06 | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/SetEnvironmentResponseX | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/GetUpdatesResponseX | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/PartLanguagesLR | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/PartInstalledSoftwaresResponseX | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/SCT/Cancel | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/PartLanguagesResponseX | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Cancel | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/GetUpdatesLR | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/PartColdWalletsLR | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/CancelFinal | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-tx/wsat/2006/06/fault | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-sx/ws-trust/200512/AsymmetricKey | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-rx/wsrm/200702/SequenceAcknowledgement | 0% | Avira URL Cloud | safe
http://schemas.datacontract.org/2004/07/ | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1 | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-tx/wsat/2006/06/Replay | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/h | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-tx/wsat/2006/06/Aborted | 0% | Avira URL Cloud | safe
https://api.ip.sb/geoip%USERPEnvironmentROFILE% | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Cancel | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-tx/wscoor/2006/06/CreateCoordinationContext | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/InitDisplayLR | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-tx/wscoor/2006/06/CreateCoordinationContextResponse | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-tx/wsat/2006/06/Volatile2PC | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-tx/wsat/2006/06/Prepared | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/PartScannedFilesResponseX | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/PartDefendersResponseX | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/PartHardwaresLR | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/PartScannedFilesLR | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/PartHardwaresResponseX | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/PartProtonVPNLR | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/PartTelegramFilesLR | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/PartNordVPNLR | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/InitDisplayResponseX | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/PartTelegramFilesResponseX | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/PartProcessesResponseX | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-rx/wsrm/200702/CreateSequence | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/PartInstalledSoftwaresLR | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-tx/wsat/2006/06/Durable2PC | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-tx/wsat/2006/06/ReadOnly | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/CheckConnectLR | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/PartInstalledBrowsersResponseX | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/PartOpenVPNResponseX | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-rx/wsrm/200702/fault | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT/Cancel | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-rx/wsrm/200702/TerminateSequence | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512 | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/PartProcessesLR | 0% | Avira URL Cloud | safe
http://tempuri.org/8 | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-rx/wsrm/200702/AckRequested | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/EnvironmentSettingsLR | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/PartColdWalletsResponseX | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-tx/wscoor/2006/06/RegisterResponse | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/PartProtonVPNResponseX | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-tx/wsat/2006/06/Completion | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/PartSteamFilesLR | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-tx/wscoor/2006/06/Register | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/InitLR | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/PartSteamFilesResponseX | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-tx/wsat/2006/06/Commit | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/SCT/Renew | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/VerifyUpdateLR | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey | 0% | Avira URL Cloud | safe
http://tempuri.org/Endpoint/PartFtpConnectionsLR | 0% | Avira URL Cloud | safe
          No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/ws-rx/wsrm/200702/TerminateSequenceResponse | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-tx/wscoor/2006/06/fault | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/CheckConnectResponseX | setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-rx/wsrm/200702/CreateSequenceResponse | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-rx/wsrm/200702/CloseSequenceResponse | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/PartInstalledBrowsersLR | setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/ConfirmResponseX | setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/PartDiscordLR | setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/SCT | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/SetEnvironmentResponseX | setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-tx/wscoor/2006/06 | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/GetUpdatesResponseX | setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/PartLanguagesResponseX | setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/PartLanguagesLR | setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/PartInstalledSoftwaresResponseX | setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/SCT/Cancel | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Cancel | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/GetUpdatesLR | setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/CancelFinal | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/PartColdWalletsLR | setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-tx/wsat/2006/06/fault | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-sx/ws-trust/200512/AsymmetricKey | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-rx/wsrm/200702/SequenceAcknowledgement | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.datacontract.org/2004/07/ | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1 | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-tx/wsat/2006/06/Replay | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-tx/wsat/2006/06/Aborted | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/h | setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ip.sb/geoip%USERPEnvironmentROFILE% | setup.exe, 00000000.00000002.2898610137.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2899290245.00000000053B0000.00000004.08000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Cancel | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-tx/wscoor/2006/06/CreateCoordinationContext | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/InitDisplayLR | setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-tx/wscoor/2006/06/CreateCoordinationContextResponse | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/dk | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-tx/wsat/2006/06/Prepared | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-tx/wsat/2006/06/Volatile2PC | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Endpoint/PartScannedFilesResponseX | setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/PartDefendersResponseX | setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/PartHardwaresLR | setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/PartScannedFilesLR | setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/PartHardwaresResponseX | setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/PartTelegramFilesLR | setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/PartProtonVPNLR | setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/PartNordVPNLR | setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/InitDisplayResponseX | setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/PartProcessesResponseX | setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/PartTelegramFilesResponseX | setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-rx/wsrm/200702/CreateSequence | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/PartInstalledSoftwaresLR | setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-tx/wsat/2006/06/Durable2PC | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/ws-tx/wsat/2006/06/ReadOnly | setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/CheckConnectLR | setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/PartInstalledBrowsersResponseX | setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/PartOpenVPNResponseX | setup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmp | false
          • Avira URL Cloud: safe
          unknown
          http://docs.oasis-open.org/ws-rx/wsrm/200702/faultsetup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT/Cancelsetup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://tempuri.org/8setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://docs.oasis-open.org/ws-rx/wsrm/200702/TerminateSequencesetup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://tempuri.org/Endpoint/PartProcessesLRsetup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://schemas.xmlsoap.org/soap/envelope/setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          unknown
          http://docs.oasis-open.org/ws-rx/wsrm/200702/AckRequestedsetup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://schemas.xmlsoap.org/ws/2005/02/trustsetup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          unknown
          http://tempuri.org/Endpoint/EnvironmentSettingsLRsetup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://tempuri.org/Endpoint/PartColdWalletsResponseXsetup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://tempuri.org/Endpoint/PartProtonVPNResponseXsetup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://docs.oasis-open.org/ws-tx/wscoor/2006/06/RegisterResponsesetup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://docs.oasis-open.org/ws-tx/wscoor/2006/06/Registersetup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://tempuri.org/Endpoint/InitLRsetup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://docs.oasis-open.org/ws-tx/wsat/2006/06/Completionsetup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://tempuri.org/Endpoint/PartSteamFilesLRsetup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issuesetup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponsesetup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://tempuri.org/Endpoint/PartSteamFilesResponseXsetup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKeysetup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://docs.oasis-open.org/ws-tx/wsat/2006/06/Commitsetup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://schemas.xmlsoap.org/ws/2004/08/addressing/faultsetup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://tempuri.org/Endpoint/PartFtpConnectionsLRsetup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://tempuri.org/Endpoint/VerifyUpdateLRsetup.exe, 00000000.00000002.2898257234.0000000002DE1000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E97000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2898257234.0000000002E42000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKeysetup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/SCT/Renewsetup.exe, 00000000.00000002.2898257234.0000000002C91000.00000004.00000800.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
IP:141.94.188.138
Domain:unknown
Country:Germany
ASN:680
ASN Name:DFNVereinzurFoerderungeinesDeutschenForschungsnetzese
Malicious:true
          Joe Sandbox version:40.0.0 Tourmaline
          Analysis ID:1465684
          Start date and time:2024-07-02 00:10:08 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 4m 59s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:setup.exe
          Detection:MAL
          Classification:mal96.troj.winEXE@2/0@0/1
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 61
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
          • Report size getting too big, too many NtQueryValueKey calls found.
          • VT rate limit hit for: setup.exe
          No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
141.94.188.138 | P4ci8kzzCS.exe | Get hash | malicious | Unknown | Browse |
 | dMP72tpVfm.exe | Get hash | malicious | RedLine | Browse |
 | 2pk95s5cp8.exe | Get hash | malicious | RedLine | Browse |
 | PvDxVI8pnQ.exe | Get hash | malicious | RedLine | Browse |
 | 5b0d0BO1GN.exe | Get hash | malicious | RedLine | Browse |
 | 569vj51Zrs.exe | Get hash | malicious | RedLine | Browse |
 | Loader.exe | Get hash | malicious | RedLine Xmrig | Browse |
 | rWdOgpdk5S.exe | Get hash | malicious | BitCoin Miner RedLine | Browse |
 | kqlzJ6RHp3.exe | Get hash | malicious | Phoenix Miner RedLine | Browse |
 | SecuriteInfo.com.Variant.Razy.934040.7155.exe | Get hash | malicious | BitCoin Miner RedLine | Browse |
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | 16bfcGvz5N.elf | Get hash | malicious | Unknown | Browse | 141.36.163.13
 | NiAsQEhh9p.elf | Get hash | malicious | Mirai | Browse | 130.149.161.102
 | BNd5XPrLzR.elf | Get hash | malicious | Mirai, Moobot | Browse | 141.74.62.234
 | QewpDKdeRJ.elf | Get hash | malicious | Mirai, Moobot | Browse | 141.57.210.92
 | BviOG97ArX.elf | Get hash | malicious | Mirai, Moobot | Browse | 139.6.26.156
 | DCwYFBy6z7.elf | Get hash | malicious | Mirai, Moobot | Browse | 141.46.56.218
 | owONvNMYXu.elf | Get hash | malicious | Mirai | Browse | 193.175.239.107
 | NgAzrOQSgK.elf | Get hash | malicious | Mirai | Browse | 141.94.8.194
 | botx.mips.elf | Get hash | malicious | Mirai | Browse | 130.149.196.41
 | botx.arm6.elf | Get hash | malicious | Mirai | Browse | 141.41.112.213
No context
No context
                              No created / dropped files found
                              File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):4.4333444163827895
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                              • Win32 Executable (generic) a (10002005/4) 49.78%
                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              • DOS Executable Generic (2002/1) 0.01%
                              File name:setup.exe
                              File size:420'864 bytes
                              MD5:1b898df684811054d405e9c31fddd80a
                              SHA1:9a322fd8e07427ce716f0dd9210ff563091e32de
                              SHA256:7386925178799b6b5a78e550ab756eedb61bb62adc8db66623f4a60dff30fe92
                              SHA512:c154faa686a30957718af46ab2150b1241d783025505b53adac9667af7e9d45ed4f08f22ffc6c45d0c9c47f070f427c5467600839aa94a3718719b7ec80e9be5
                              SSDEEP:6144:ir2uImjz71CmoNwemgkFfsQzGtvSiFsbHTYTS2wvp8GIUnl2:+Wmf7poNweTkFkQzkvSrDWS2wvp8enk
                              TLSH:77943A242AEA5019F1F3AF755AE47C96892FBE232A02945D10913F4B3633E80DDD15FE
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..T..........^r... ........@.. ....................................`................................
                              Icon Hash:1862606d71614638
                              Entrypoint:0x45725e
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows cui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                              Time Stamp:0x5DDA3CC8 [Sun Nov 24 08:18:16 2019 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                              Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated for the rest of the listing: the bytes after the .NET entry stub are zero padding, which disassembles as this instruction)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x57210 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x58000 | 0x11210 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x55264 | 0x55400 | 10a0f0b862ca7658f5c9902ef43bfac0 | False | 0.47189447397360706 | data | 4.334177045687271 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x58000 | 0x11210 | 0x11400 | 9d59e5121f47b10bbbbe9da069aa3a30 | False | 0.04787986865942029 | data | 2.434935814406297 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x6a000 | 0xc | 0x200 | 53c8b9f8ba43f37d8f4671ea00c69661 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x58140 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m | | | 0.03247367798414764
RT_GROUP_ICON | 0x68968 | 0x14 | data | | | 1.15
RT_VERSION | 0x6897c | 0x400 | data | English | United States | 0.4521484375
RT_MANIFEST | 0x68d7c | 0x494 | exported SGML document, ASCII text | English | United States | 0.39334470989761094
DLL | Import
mscoree.dll | _CorExeMain
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 2, 2024 00:10:57.726102114 CEST | 49730 | 46419 | 192.168.2.4 | 141.94.188.138
Jul 2, 2024 00:10:57.734750986 CEST | 46419 | 49730 | 141.94.188.138 | 192.168.2.4
Jul 2, 2024 00:10:57.734946966 CEST | 49730 | 46419 | 192.168.2.4 | 141.94.188.138
Jul 2, 2024 00:10:57.748236895 CEST | 49730 | 46419 | 192.168.2.4 | 141.94.188.138
Jul 2, 2024 00:10:57.753906012 CEST | 46419 | 49730 | 141.94.188.138 | 192.168.2.4
Jul 2, 2024 00:11:19.137522936 CEST | 46419 | 49730 | 141.94.188.138 | 192.168.2.4
Jul 2, 2024 00:11:19.137595892 CEST | 49730 | 46419 | 192.168.2.4 | 141.94.188.138
Jul 2, 2024 00:11:19.332036972 CEST | 49730 | 46419 | 192.168.2.4 | 141.94.188.138
Jul 2, 2024 00:11:24.428381920 CEST | 49737 | 46419 | 192.168.2.4 | 141.94.188.138
Jul 2, 2024 00:11:24.433247089 CEST | 46419 | 49737 | 141.94.188.138 | 192.168.2.4
Jul 2, 2024 00:11:24.435444117 CEST | 49737 | 46419 | 192.168.2.4 | 141.94.188.138
Jul 2, 2024 00:11:24.435740948 CEST | 49737 | 46419 | 192.168.2.4 | 141.94.188.138
Jul 2, 2024 00:11:24.440557957 CEST | 46419 | 49737 | 141.94.188.138 | 192.168.2.4
Jul 2, 2024 00:11:45.825390100 CEST | 46419 | 49737 | 141.94.188.138 | 192.168.2.4
Jul 2, 2024 00:11:45.825541019 CEST | 49737 | 46419 | 192.168.2.4 | 141.94.188.138
Jul 2, 2024 00:11:45.825870991 CEST | 49737 | 46419 | 192.168.2.4 | 141.94.188.138
Jul 2, 2024 00:11:50.833225965 CEST | 49738 | 46419 | 192.168.2.4 | 141.94.188.138
Jul 2, 2024 00:11:50.838202000 CEST | 46419 | 49738 | 141.94.188.138 | 192.168.2.4
Jul 2, 2024 00:11:50.838295937 CEST | 49738 | 46419 | 192.168.2.4 | 141.94.188.138
Jul 2, 2024 00:11:50.838628054 CEST | 49738 | 46419 | 192.168.2.4 | 141.94.188.138
Jul 2, 2024 00:11:50.843353033 CEST | 46419 | 49738 | 141.94.188.138 | 192.168.2.4
Jul 2, 2024 00:12:12.214536905 CEST | 46419 | 49738 | 141.94.188.138 | 192.168.2.4
Jul 2, 2024 00:12:12.214721918 CEST | 49738 | 46419 | 192.168.2.4 | 141.94.188.138
Jul 2, 2024 00:12:12.214876890 CEST | 49738 | 46419 | 192.168.2.4 | 141.94.188.138
Jul 2, 2024 00:12:17.224348068 CEST | 49740 | 46419 | 192.168.2.4 | 141.94.188.138
Jul 2, 2024 00:12:17.231038094 CEST | 46419 | 49740 | 141.94.188.138 | 192.168.2.4
Jul 2, 2024 00:12:17.231144905 CEST | 49740 | 46419 | 192.168.2.4 | 141.94.188.138
Jul 2, 2024 00:12:17.234318018 CEST | 49740 | 46419 | 192.168.2.4 | 141.94.188.138
Jul 2, 2024 00:12:17.241029978 CEST | 46419 | 49740 | 141.94.188.138 | 192.168.2.4
Jul 2, 2024 00:12:38.620222092 CEST | 46419 | 49740 | 141.94.188.138 | 192.168.2.4
Jul 2, 2024 00:12:38.620346069 CEST | 49740 | 46419 | 192.168.2.4 | 141.94.188.138
Jul 2, 2024 00:12:38.620582104 CEST | 49740 | 46419 | 192.168.2.4 | 141.94.188.138
Jul 2, 2024 00:12:43.630600929 CEST | 49741 | 46419 | 192.168.2.4 | 141.94.188.138
Jul 2, 2024 00:12:43.640567064 CEST | 46419 | 49741 | 141.94.188.138 | 192.168.2.4
Jul 2, 2024 00:12:43.640835047 CEST | 49741 | 46419 | 192.168.2.4 | 141.94.188.138
Jul 2, 2024 00:12:43.641325951 CEST | 49741 | 46419 | 192.168.2.4 | 141.94.188.138
Jul 2, 2024 00:12:43.648879051 CEST | 46419 | 49741 | 141.94.188.138 | 192.168.2.4

                              Target ID:0
                              Start time:18:10:56
                              Start date:01/07/2024
                              Path:C:\Users\user\Desktop\setup.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\setup.exe"
                              Imagebase:0x8b0000
                              File size:420'864 bytes
                              MD5 hash:1B898DF684811054D405E9C31FDDD80A
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2899290245.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2899290245.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.2899290245.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                              • Rule: Windows_Trojan_RedLineStealer_3d9371fd, Description: unknown, Source: 00000000.00000002.2899290245.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                              • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.2899290245.00000000053B0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2898610137.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2898610137.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.2898610137.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              • Rule: Windows_Trojan_RedLineStealer_3d9371fd, Description: unknown, Source: 00000000.00000002.2898610137.0000000003C91000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              Reputation:low
                              Has exited:false

                              Target ID:1
                              Start time:18:10:56
                              Start date:01/07/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:false


                                Execution Graph

                                Execution Coverage:20.3%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:16
                                Total number of Limit Nodes:0
                                execution_graph 24711 1071178 24715 10711d8 24711->24715 24720 10711e8 24711->24720 24712 1071191 24716 107120a 24715->24716 24725 10715f0 24716->24725 24729 10715f8 24716->24729 24717 107124e 24717->24712 24721 107120a 24720->24721 24723 10715f0 GetConsoleWindow 24721->24723 24724 10715f8 GetConsoleWindow 24721->24724 24722 107124e 24722->24712 24723->24722 24724->24722 24726 1071636 GetConsoleWindow 24725->24726 24728 1071666 24726->24728 24728->24717 24730 1071636 GetConsoleWindow 24729->24730 24732 1071666 24730->24732 24732->24717
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2899233841.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5260000_setup.jbxd
                                Similarity
                                • API ID:
                                • String ID: 45_q
                                • API String ID: 0-1720489888
                                • Opcode ID: 5e675b6861d3a738efad15f40f25a6a208ead22306994d03baec08db6f61444e
                                • Instruction ID: e7c7eb2c44df832773cfe55705176436d46155dcc2697fa62cee995f0fa46c30
                                • Opcode Fuzzy Hash: 5e675b6861d3a738efad15f40f25a6a208ead22306994d03baec08db6f61444e
                                • Instruction Fuzzy Hash: D2A31D31E90B1B95EB209B60CC91BD5F371AF99700F60C746B6587A5C4EBB0BAC5CB84
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2899233841.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5260000_setup.jbxd
                                Similarity
                                • API ID:
                                • String ID: 45_q
                                • API String ID: 0-1720489888
                                • Opcode ID: 0b20501476d93923e7be4e0113445e6a4821389db48e4a49c02100b88ffaa6ab
                                • Instruction ID: b75ee30994006993446bb4e2163b39854504ab75d3754083396b02b31c01670e
                                • Opcode Fuzzy Hash: 0b20501476d93923e7be4e0113445e6a4821389db48e4a49c02100b88ffaa6ab
                                • Instruction Fuzzy Hash: 95A31D31E90B1B95EB209B60CC91BD5F371AF99700F60C746B6587A5C4EBB0BAC5CB84

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 2426 10715f0-1071664 GetConsoleWindow 2429 1071666-107166c 2426->2429 2430 107166d-1071692 2426->2430 2429->2430
                                APIs
                                • GetConsoleWindow.KERNELBASE ref: 01071657
                                Memory Dump Source
                                • Source File: 00000000.00000002.2897833944.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1070000_setup.jbxd
                                Similarity
                                • API ID: ConsoleWindow
                                • String ID:
                                • API String ID: 2863861424-0
                                • Opcode ID: 5b5535fdf88e5b73014f8040a1b8e79784eae914053b2f1b3d080ea2472bb960
                                • Instruction ID: 01ed4b181084badcb693bb687c46fc7e9b414907fe972bb31c80d1468477a807
                                • Opcode Fuzzy Hash: 5b5535fdf88e5b73014f8040a1b8e79784eae914053b2f1b3d080ea2472bb960
                                • Instruction Fuzzy Hash: E51166B0D003098FCB20DFAAC4457DEFBF4EF88324F20881AC059A7280D734A944CB94

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 2434 10715f8-1071664 GetConsoleWindow 2437 1071666-107166c 2434->2437 2438 107166d-1071692 2434->2438 2437->2438
                                APIs
                                • GetConsoleWindow.KERNELBASE ref: 01071657
                                Memory Dump Source
                                • Source File: 00000000.00000002.2897833944.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1070000_setup.jbxd
                                Similarity
                                • API ID: ConsoleWindow
                                • String ID:
                                • API String ID: 2863861424-0
                                • Opcode ID: 504f4bc2572c679e8b11dcd20e35d1d5d94dc400991b29ff4c1623396766d25b
                                • Instruction ID: 75867ba749eae07a685e0a5f2a85a5a0448504eea413e64e9a284ea9443ef9a8
                                • Opcode Fuzzy Hash: 504f4bc2572c679e8b11dcd20e35d1d5d94dc400991b29ff4c1623396766d25b
                                • Instruction Fuzzy Hash: 131136B1D003098FCB14DFAAC4457DEFBF4EB88324F24841AC559A7240CB34A544CB94

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 2442 526a0b8-526a0ff 2447 526a104-526a11a 2442->2447 2449 526a126-526a128 2447->2449 2450 526a11c 2447->2450 2453 526a12f-526a135 2449->2453 2451 526a11e-526a124 2450->2451 2452 526a12a 2450->2452 2451->2449 2451->2452 2452->2453 2454 526a137 2453->2454 2455 526a13e-526a143 call 526a298 2453->2455 2454->2455 2456 526a149-526a16b 2455->2456 2458 526a19c-526a1d0 2456->2458 2459 526a16d-526a186 2456->2459 2468 526a1f2-526a1f9 2458->2468 2469 526a1d2 2458->2469 2460 526a18e-526a190 2459->2460 2461 526a188 2459->2461 2460->2447 2463 526a195-526a197 2461->2463 2464 526a18a-526a18c 2461->2464 2463->2447 2464->2460 2464->2463 2470 526a1d5-526a1db 2469->2470 2471 526a1fc-526a228 2470->2471 2472 526a1dd-526a1e7 2470->2472 2475 526a261-526a296 2471->2475 2476 526a22a-526a260 2471->2476 2472->2471 2473 526a1e9-526a1f0 2472->2473 2473->2468 2473->2470
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2899233841.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5260000_setup.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4'^q
                                • API String ID: 0-1614139903
                                • Opcode ID: 19a322d661d90c251eeeabc5bd82ce6777da48a8641497de1f3312e7ab299c18
                                • Instruction ID: 9e1746a2bf4729a690e89ff7f76fccb860b5df08ee529be7e10baac9ba71e4de
                                • Opcode Fuzzy Hash: 19a322d661d90c251eeeabc5bd82ce6777da48a8641497de1f3312e7ab299c18
                                • Instruction Fuzzy Hash: 9E519031B106169FC714DF69C88096EFBF5FF84320B55866AE41DEB391DB70AC818B94

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 2486 526a0aa-526a0ff 2492 526a104-526a11a 2486->2492 2494 526a126-526a128 2492->2494 2495 526a11c 2492->2495 2498 526a12f-526a135 2494->2498 2496 526a11e-526a124 2495->2496 2497 526a12a 2495->2497 2496->2494 2496->2497 2497->2498 2499 526a137 2498->2499 2500 526a13e-526a143 call 526a298 2498->2500 2499->2500 2501 526a149-526a16b 2500->2501 2503 526a19c-526a1d0 2501->2503 2504 526a16d-526a186 2501->2504 2513 526a1f2-526a1f9 2503->2513 2514 526a1d2 2503->2514 2505 526a18e-526a190 2504->2505 2506 526a188 2504->2506 2505->2492 2508 526a195-526a197 2506->2508 2509 526a18a-526a18c 2506->2509 2508->2492 2509->2505 2509->2508 2515 526a1d5-526a1db 2514->2515 2516 526a1fc-526a228 2515->2516 2517 526a1dd-526a1e7 2515->2517 2520 526a261-526a296 2516->2520 2521 526a22a-526a260 2516->2521 2517->2516 2518 526a1e9-526a1f0 2517->2518 2518->2513 2518->2515
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2899233841.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5260000_setup.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4'^q
                                • API String ID: 0-1614139903
                                • Opcode ID: 8082937559aa04701330a42eb2391acdc75b79592b9cc6de01c50750a8e899d4
                                • Instruction ID: 7c251ca2eb63e5b1bce5c59a6b627ef387d1b20c4e49976176466fba8364348c
                                • Opcode Fuzzy Hash: 8082937559aa04701330a42eb2391acdc75b79592b9cc6de01c50750a8e899d4
                                • Instruction Fuzzy Hash: DD217170A10616DFCB08DF68C48096EFBB5FF48310F508669E469EB381DB70A985CBD0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2899233841.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5260000_setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 040293baeb9fbe3403667552cb34674ec40cd8bc63e4cc90be9f9869947e00db
                                • Instruction ID: dd8bb1a26e3b2e323e1c232b4d8db34b7056e04ca4586f76774d83d4f2fd555a
                                • Opcode Fuzzy Hash: 040293baeb9fbe3403667552cb34674ec40cd8bc63e4cc90be9f9869947e00db
                                • Instruction Fuzzy Hash: B6D11775A002199FCF14DFA9D8849AEBBF6FF8C350F148569E909A7314EA30DD52CB90
                                Memory Dump Source
                                • Source File: 00000000.00000002.2899233841.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5260000_setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 09eab5b234ce006936a64ea287caf9e7298743231e2699d41a2a9d1bea016a2d
                                • Instruction ID: 2b76610c972b2b7151ddf12717cae04f5fafebd5f5aa9580028f3a95e006e2f5
                                • Opcode Fuzzy Hash: 09eab5b234ce006936a64ea287caf9e7298743231e2699d41a2a9d1bea016a2d
                                • Instruction Fuzzy Hash: 66A18338B10219CFCB05DF68D894AAEB7B6FF89300B158159E909AF365DB31ED45CB81
                                Memory Dump Source
                                • Source File: 00000000.00000002.2899233841.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5260000_setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 11fc4a074a0c45164ed0a2f69c2c5e6f4c90234b4182394dbfc4470f9bf4d56e
                                • Instruction ID: bb564fbb758ceff54bf51013a3bc96bb105ba49ca69ef65f57185ee1c19a9e12
                                • Opcode Fuzzy Hash: 11fc4a074a0c45164ed0a2f69c2c5e6f4c90234b4182394dbfc4470f9bf4d56e
                                • Instruction Fuzzy Hash: CF914B75B102159FCB44DF68D885AAE7BF2FF88310B148569E81ADB392DB34EC42DB50
                                Memory Dump Source
                                • Source File: 00000000.00000002.2899233841.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5260000_setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d557499795a17fa68c63a5344d28714c2b94370938d13f416f38896de31007ea
                                • Instruction ID: 3e6fbae90f67981d7005f55ae20a98077085e0c9911666d0ab9f723afd75168a
                                • Opcode Fuzzy Hash: d557499795a17fa68c63a5344d28714c2b94370938d13f416f38896de31007ea
                                • Instruction Fuzzy Hash: BD51AF74B102059FDB14DB78D898A6EBBF6EF88310B148429E94AD7345EF30EC42DB91
                                Memory Dump Source
                                • Source File: 00000000.00000002.2899233841.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5260000_setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 60fdcf50f6f1404a53a005100556a0b87c8d3a359202dc6ffaebec87b1a12a33
                                • Instruction ID: dd54246b6a838c4065e81c60935e0ca80ecbf2c5c666bd70d37f6286e0430f59
                                • Opcode Fuzzy Hash: 60fdcf50f6f1404a53a005100556a0b87c8d3a359202dc6ffaebec87b1a12a33
                                • Instruction Fuzzy Hash: B04106357102056BC704ABB9A81567EBBE6EFC8750F14842AE909DB381DE35CC45D7A1
                                Memory Dump Source
                                • Source File: 00000000.00000002.2899233841.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5260000_setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3468d29eccb865d85808f3fab9e877cce2017899fd20aa519a99fe8ccd939324
                                • Instruction ID: 8ab08c2015c791f9e1fb8f3848d840bded5d346a2b1be751c052d956d4ef30f2
                                • Opcode Fuzzy Hash: 3468d29eccb865d85808f3fab9e877cce2017899fd20aa519a99fe8ccd939324
                                • Instruction Fuzzy Hash: FD513A75A10215EFCB14DF68C584AADBBB6BF88314F558069D80ABB351DB70EC82CF90
                                Memory Dump Source
                                • Source File: 00000000.00000002.2899233841.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5260000_setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f0f8d87cd62698d41e79b1813958b91d20b5a2c6bc550d6aa7bc30849a6cb8e7
                                • Instruction ID: 1e955b4601af44536b8391de87083816d2544a904a59c7ba3a248ea46a1b85d5
                                • Opcode Fuzzy Hash: f0f8d87cd62698d41e79b1813958b91d20b5a2c6bc550d6aa7bc30849a6cb8e7
                                • Instruction Fuzzy Hash: E141A0743003559FCB15DF28D884A9E7BE6EF98311B008929F549CB365DF70EC458B90
                                Memory Dump Source
                                • Source File: 00000000.00000002.2899233841.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5260000_setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2d341e8de2d17ea67c3bc5441eee8f9d76ad734ec32c1ab4e4e871f00efb4c75
                                • Instruction ID: 5135cb3ee139667030d15a326fe46d5afd9d20a3ce1c7d1d93b565f9a2c3ccfe
                                • Opcode Fuzzy Hash: 2d341e8de2d17ea67c3bc5441eee8f9d76ad734ec32c1ab4e4e871f00efb4c75
                                • Instruction Fuzzy Hash: 1041AD38620219CFCB14DF58C584EAABBF6FF89300B158298E909AF365D731ED85CB41
                                Memory Dump Source
                                • Source File: 00000000.00000002.2899233841.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5260000_setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8b9b1d356258175864a3b26e7a71151346dd8e781bca15bd2a60ed400d13bba8
                                • Instruction ID: dc640504c353794f40323f9a8139f5ed79211e5b6ad9ab63e21e9af5a3ee6b56
                                • Opcode Fuzzy Hash: 8b9b1d356258175864a3b26e7a71151346dd8e781bca15bd2a60ed400d13bba8
                                • Instruction Fuzzy Hash: D9416035B102558BCB18AB69D4586AEBBF2AF8C310F554179E445EB390DF35DC81CB90
                                Memory Dump Source
                                • Source File: 00000000.00000002.2899233841.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5260000_setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4198897145f50731e49495bb3edb6aef1a59bffb3409c00cec138185432c0e02
                                • Instruction ID: 5494d24b14c20ff5229a0cae613cb7f1076a9a6122dd00fa2e393fdc6fd83b9e
                                • Opcode Fuzzy Hash: 4198897145f50731e49495bb3edb6aef1a59bffb3409c00cec138185432c0e02
                                • Instruction Fuzzy Hash: 6D31C4313103129FC715EF29D8946AABBE2FF85715B144469E886CB351DF70EC86C790
                                Memory Dump Source
                                • Source File: 00000000.00000002.2899233841.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5260000_setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e13f3e595cd44847d9ca369ff467461fa008a43ca3ba74732b89903d18e70cb7
                                • Instruction ID: 9f5fa1bf05329dc83c70bab12d088d18667d84658fc09cd57115b0c90aa3c1bd
                                • Opcode Fuzzy Hash: e13f3e595cd44847d9ca369ff467461fa008a43ca3ba74732b89903d18e70cb7
                                • Instruction Fuzzy Hash: 6731F4757102118FCB05AB7CD855B6E7BE7EFC9750B150129F40AEB381DF288C0287A2
                                Memory Dump Source
                                • Source File: 00000000.00000002.2899233841.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5260000_setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5d8a15e82b6a543cfd700923a45f5e567a843d6d621a717e69675ef28b9c4f3e
                                • Instruction ID: d35b9872b12f9bc31de68c4bd29ca5fe615f2c4e520a1ef2df0084a211e76aa8
                                • Opcode Fuzzy Hash: 5d8a15e82b6a543cfd700923a45f5e567a843d6d621a717e69675ef28b9c4f3e
                                • Instruction Fuzzy Hash: 2A3139765142905FC701EB7CE8A1AEA7FF4EF89321F08006AEAD9CB312D525D846C794
                                Memory Dump Source
                                • Source File: 00000000.00000002.2899233841.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5260000_setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c7ab11d5dc2e86e56f37efb130c4e88e9f5825e885f0180d57216c1b25a12544
                                • Instruction ID: 422a97c57d002191fcaf569d5ee17a441e9061dc573f24b1fdd3861c8ef4e917
                                • Opcode Fuzzy Hash: c7ab11d5dc2e86e56f37efb130c4e88e9f5825e885f0180d57216c1b25a12544
                                • Instruction Fuzzy Hash: E93182353107129FC718EF29D488A2AB7E6FFC86517148929E846D7354DF70EC82CB90
                                Memory Dump Source
                                • Source File: 00000000.00000002.2899233841.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5260000_setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c3d0a72d7b52a71b11c119cb2f213369374444a7ff0b69c14228722a64accbd4
                                • Instruction ID: e8576741184425486e3eb13016958f4adb3a3429bbe6c47c273566d0f60a00ce
                                • Opcode Fuzzy Hash: c3d0a72d7b52a71b11c119cb2f213369374444a7ff0b69c14228722a64accbd4
                                • Instruction Fuzzy Hash: F73182353247128FC718EF69D48866AB7E6FF882117148929E887D7354DF70EC82CB50
                                Memory Dump Source
                                • Source File: 00000000.00000002.2899233841.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5260000_setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: dc0612a5de45cc0ae036fd19113ac3f8c79bf361eb37f5a22ff640820f88c889
                                • Instruction ID: f2f626deb8d1064dd76d2034d2abc662723dc73dc288c56a871fb7b33cb9ba94
                                • Opcode Fuzzy Hash: dc0612a5de45cc0ae036fd19113ac3f8c79bf361eb37f5a22ff640820f88c889
                                • Instruction Fuzzy Hash: F8317A75A142098FDB14DFA8D584AEEBBF2EF48310F144065E415AB3A5CB74AD85CBA0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2899233841.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5260000_setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 084e8f728f5c3a5ac719132bfb16b79725f288f30c6454677c9a1b016a08a65d
                                • Instruction ID: 44ec77d580726053c38b9cc1d51f8f6f5d11293fc68b54d2f512065014ea317f
                                • Opcode Fuzzy Hash: 084e8f728f5c3a5ac719132bfb16b79725f288f30c6454677c9a1b016a08a65d
                                • Instruction Fuzzy Hash: DB316E746002159FCB04DF69D8849DDBBF6FF89315B248199E809AB366DB35ED02CBA0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2899233841.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5260000_setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3bfe7c5338554d0dbf2f20eff1b7313b50b707ce5596bb99589b34d5ac4e1267
                                • Instruction ID: c80827b18d4fcb78d8266102651c9a0d87efebc7b17a5e091fb39ea9196c8ca3
                                • Opcode Fuzzy Hash: 3bfe7c5338554d0dbf2f20eff1b7313b50b707ce5596bb99589b34d5ac4e1267
                                • Instruction Fuzzy Hash: BD31683471020BCFCB15EB69D948A6E7BA6FF88205B404529E40A9B395EB70ED81CB91
                                Memory Dump Source
                                • Source File: 00000000.00000002.2899233841.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5260000_setup.jbxd
                                Memory Dump Source
                                • Source File: 00000000.00000002.2899233841.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5260000_setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9232ef2f4a96cba94a7406212d898b3a02780def3e6863741a3a25fada7c37ed
                                • Instruction ID: 5d07585b552f594a8c0331239c96d092ff6f62ce45c905d30fdde37425684982
                                • Opcode Fuzzy Hash: 9232ef2f4a96cba94a7406212d898b3a02780def3e6863741a3a25fada7c37ed
                                • Instruction Fuzzy Hash: 8DC0123141070C8EC740BB68D4448987B78AB15201B405119D4451A110EF20A5D9DB91
                                Memory Dump Source
                                • Source File: 00000000.00000002.2899233841.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5260000_setup.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 366736735fdb8115c9f9f4d1f08f265fa2164d01878d4cf323c6a0ad0503cba4
                                • Instruction ID: 4d2c1acb5fd402ecf758e8c4e2250d29883ae8eb60f6b834190c63321b880297
                                • Opcode Fuzzy Hash: 366736735fdb8115c9f9f4d1f08f265fa2164d01878d4cf323c6a0ad0503cba4
                                • Instruction Fuzzy Hash: FCC0123141070CCEC700BBA8E844899BFB8BB15301F00822AE4496A110FF20A1A9DB91