Windows Analysis Report
setup.exe

Overview

General Information

Sample name: setup.exe
Analysis ID: 1465699
MD5: e671a39ffdad8e262a45ef77d97a14f4
SHA1: d451ad059bf52c22ff5de8ed7968991bbc169828
SHA256: d01fe3dbc995e4b5b209631e5ae30b792d88a78676f695127f8a5db9bf59b48c
Tags: exe
Infos:

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected RedLine Stealer
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection
barindex
Found malware configuration
Source: 00000000.00000002.2131936682.00000000046BE000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: RedLine {"C2 url": "185.172.128.33:8970", "Bot Id": "YT&TEAM CLOUD", "Authorization Header": "090b1c9b0516faab03d5a79ff2ee3484"}
Multi AV Scanner detection for submitted file
Source: setup.exe ReversingLabs: Detection: 52%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: setup.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: setup.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\setup.exe.log Jump to behavior
Source: setup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Template_v123_config.pdbx%2 source: setup.exe
Source: Binary string: C:\Users\teres\AppData\Local\Temp\Report.A66214F7-6635-4084-8609-050NK772Dll\obj\Debug\APqfKCWP.pdb source: setup.exe, 00000000.00000002.2131936682.0000000004253000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: PE.pdbH] source: setup.exe, 00000000.00000002.2129820477.0000000003141000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2141453610.0000000005710000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: PE.pdb source: setup.exe, 00000000.00000002.2129820477.0000000003141000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2141453610.0000000005710000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: Template_v123_config.pdb source: setup.exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_05BCEFF0
Source: C:\Users\user\Desktop\setup.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_05BCEFE6

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.6:49711 -> 185.172.128.33:8970
Source: Traffic Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.6:49711 -> 185.172.128.33:8970
Source: Traffic Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 185.172.128.33:8970 -> 192.168.2.6:49711
Source: Traffic Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 185.172.128.33:8970 -> 192.168.2.6:49711
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 185.172.128.33:8970
Yara detected Generic Downloader
Source: Yara match File source: 0.2.setup.exe.4518830.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.43b6000.4.raw.unpack, type: UNPACKEDPE
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49711 -> 185.172.128.33:8970
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.172.128.33 185.172.128.33
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: NADYMSS-ASRU NADYMSS-ASRU
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown DNS traffic detected: query: 15.164.165.52.in-addr.arpa replaycode: Name error (3)
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: setup.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: setup.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crt0
Source: setup.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: setup.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: setup.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: setup.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: setup.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: setup.exe String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0N
Source: setup.exe String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: setup.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: setup.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: setup.exe String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0=
Source: setup.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: setup.exe String found in binary or memory: http://ocsp.digicert.com0
Source: setup.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: setup.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: setup.exe String found in binary or memory: http://ocsp.digicert.com0W
Source: setup.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: setup.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: setup.exe String found in binary or memory: http://sharpvectors.codeplex.com/runtime/
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/D
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: RegAsm.exe, 00000002.00000002.2257653819.00000000033BD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: RegAsm.exe, 00000002.00000002.2257653819.00000000031DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2257653819.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: RegAsm.exe, 00000002.00000002.2257653819.00000000033BD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2257653819.00000000033BD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: RegAsm.exe, 00000002.00000002.2257653819.00000000033BD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000003233000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: RegAsm.exe, 00000002.00000002.2257653819.00000000033BD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: RegAsm.exe, 00000002.00000002.2257653819.00000000033BD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: RegAsm.exe, 00000002.00000002.2257653819.00000000033BD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: RegAsm.exe, 00000002.00000002.2257653819.00000000033BD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: RegAsm.exe, 00000002.00000002.2257653819.00000000033BD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: RegAsm.exe, 00000002.00000002.2257653819.00000000033BD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: RegAsm.exe, 00000002.00000002.2257653819.00000000033BD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: setup.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: setup.exe, 00000000.00000002.2131936682.00000000046BE000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2131936682.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2131936682.0000000004253000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2131936682.000000000470A000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2131936682.0000000004145000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2255836042.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: setup.exe, 00000000.00000002.2131936682.0000000004145000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://az700632.vo.msecnd.net/pub
Source: setup.exe String found in binary or memory: https://github.com/AzureAD/microsoft-authentication-extensions-for-dotnet
Source: setup.exe String found in binary or memory: https://login.microsoftonline.com/common
Source: setup.exe String found in binary or memory: https://sectigo.com/CPS0
Drops certificate files (DER)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\Tmp6A20.tmp Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\Tmp6A0F.tmp Jump to dropped file
Detected potential crypto function
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0302B178 0_2_0302B178
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0302B188 0_2_0302B188
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_0302E638 0_2_0302E638
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_05B91E88 0_2_05B91E88
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_05B91E78 0_2_05B91E78
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_05BA1350 0_2_05BA1350
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_05BA5DBE 0_2_05BA5DBE
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_05BA4898 0_2_05BA4898
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_05BA0006 0_2_05BA0006
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_05BA0040 0_2_05BA0040
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_05BA2B70 0_2_05BA2B70
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_05BA2B60 0_2_05BA2B60
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_05BA1340 0_2_05BA1340
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_05BC44E0 0_2_05BC44E0
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_05BCA0A0 0_2_05BCA0A0
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_05BC6098 0_2_05BC6098
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_05BCDE60 0_2_05BCDE60
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_05BCCB52 0_2_05BCCB52
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_05BC44D0 0_2_05BC44D0
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_05BCA08F 0_2_05BCA08F
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_05BCDE4F 0_2_05BCDE4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0136DC74 2_2_0136DC74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_069667D8 2_2_069667D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0696A3E8 2_2_0696A3E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_06963F50 2_2_06963F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0696A3D8 2_2_0696A3D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_06966FF8 2_2_06966FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_06966FE8 2_2_06966FE8
PE / OLE file has an invalid certificate
Source: setup.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: setup.exe, 00000000.00000002.2129820477.0000000003141000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePE.dll& vs setup.exe
Source: setup.exe, 00000000.00000002.2131936682.00000000046BE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameThere.exe8 vs setup.exe
Source: setup.exe, 00000000.00000002.2141453610.0000000005710000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamePE.dll& vs setup.exe
Source: setup.exe, 00000000.00000002.2141526814.0000000005A32000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameAPqfKCWP.dll0 vs setup.exe
Source: setup.exe, 00000000.00000002.2131936682.00000000047A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameThere.exe8 vs setup.exe
Source: setup.exe, 00000000.00000002.2129408323.0000000001559000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs setup.exe
Source: setup.exe, 00000000.00000002.2131936682.0000000004253000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAPqfKCWP.dll0 vs setup.exe
Source: setup.exe, 00000000.00000002.2131936682.000000000470A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameThere.exe8 vs setup.exe
Source: setup.exe, 00000000.00000002.2131936682.00000000047EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameThere.exe8 vs setup.exe
Source: setup.exe, 00000000.00000002.2129820477.0000000003279000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclrjit.dllT vs setup.exe
Source: setup.exe, 00000000.00000002.2129820477.0000000003279000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs setup.exe
Source: setup.exe, 00000000.00000002.2129820477.0000000003279000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs setup.exe
Source: setup.exe, 00000000.00000002.2131936682.000000000480B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameThere.exe8 vs setup.exe
Source: setup.exe, 00000000.00000000.2123213472.0000000000E16000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameTemplate_v123_config.exe0 vs setup.exe
Source: setup.exe Binary or memory string: OriginalFilenameTemplate_v123_config.exe0 vs setup.exe
Uses 32bit PE files
Source: setup.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: setup.exe, DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: setup.exe, DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: setup.exe, DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: setup.exe, wmEmS.cs Cryptographic APIs: 'CreateDecryptor'
Source: setup.exe, wmEmS.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.setup.exe.4518830.3.raw.unpack, zGLiBpty.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.setup.exe.31b4220.1.raw.unpack, fDX9tehJ5EFemhKZwc.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.setup.exe.31b4220.1.raw.unpack, fDX9tehJ5EFemhKZwc.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/6@1/1
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\setup.exe.log Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\Tmp6A0F.tmp Jump to behavior
Source: setup.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: setup.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Program Files (x86)\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: RegAsm.exe, 00000002.00000002.2257653819.000000000344C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2257653819.0000000003436000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: setup.exe ReversingLabs: Detection: 52%
Source: unknown Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"
Source: C:\Users\user\Desktop\setup.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\setup.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: mscorjit.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: esdsip.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: setup.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: setup.exe Static file information: File size 3360856 > 1048576
Source: setup.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x320600
Source: setup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Template_v123_config.pdbx%2 source: setup.exe
Source: Binary string: C:\Users\teres\AppData\Local\Temp\Report.A66214F7-6635-4084-8609-050NK772Dll\obj\Debug\APqfKCWP.pdb source: setup.exe, 00000000.00000002.2131936682.0000000004253000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: PE.pdbH] source: setup.exe, 00000000.00000002.2129820477.0000000003141000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2141453610.0000000005710000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: PE.pdb source: setup.exe, 00000000.00000002.2129820477.0000000003141000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2141453610.0000000005710000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: Template_v123_config.pdb source: setup.exe

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: setup.exe, DyyVDbaRvM1YfIq9il.cs .Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.Ts6ald5q0nxNL(16777454)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.Ts6ald5q0nxNL(16777391)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.Ts6ald5q0nxNL(16777290))})
Source: 0.2.setup.exe.31b4220.1.raw.unpack, fDX9tehJ5EFemhKZwc.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
PE file contains an invalid checksum
Source: setup.exe Static PE information: real checksum: 0x33b128 should be: 0x33eef1
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0696E060 push es; ret 2_2_0696E070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0696ECF2 push eax; ret 2_2_0696ED01
Source: setup.exe, LinuxKeyringAccessor.cs High entropy of concatenated method names: 'CreateForPersistenceValidation', 'Clear', 'Read', 'Write', 'lRnmIsXi4K', 'N0DnYLv6vODbC33irUI', 'KHl8WgvqFw4OnI9iEOn', 'SY4aULvSJYBYm885D5r', 'IugrItvNZiQUT12FQPu', 'C0HKelVzd0CCWkCs2hP'
Source: setup.exe, DpApiEncryptedFileAccessor.cs High entropy of concatenated method names: 'Clear', 'CreateForPersistenceValidation', 'Read', 'Write', 'L7Rh4AVChsrBTZjHnlJ', 'aHN9oeVr7pGPuRbUbuE', 'BjQSJEV2mAZ42wcbAFZ', 'HRNTZcVIG4WaUL6ykfb', 'Adlb36VEY0jG4e2llaK', 'UkMQ1XVjy1mCymWaXBY'
Source: setup.exe, MsalCacheStorage.cs High entropy of concatenated method names: '_003C_002Ecctor_003Eb__17_0', 'AxFArmg82Ns4gOsviJN', 'x5xi58gBwo2jRLAFm09', 'U0R8CCgTmYurrcBmFLa', 'lUrCh4g71GY1npfCd3r', 'Ms2vBmgzmqS641Gu6jG', 'Create', 'ReadData', 'WriteData', 'Clear'
Source: setup.exe, MacKeychainAccessor.cs High entropy of concatenated method names: 'Clear', 'Read', 'Write', 'CreateForPersistenceValidation', 'ToString', 'uG1GpDvRqNtuhtm9UUX', 'CCHiMXvlclJl22B5Gqo', 'I9hB86v1A7UC5kDihD7', 'grXPdwvseR2okgVQ6tk', 'bbPd76vUW3t8YoLPkiM'
Source: setup.exe, SharedUtilities.cs High entropy of concatenated method names: '_003C_002Ecctor_003Eb__12_0', 'GD4ZR7dNlASOdUwYldZ', 'rNjBkmdKlrKGsNWBOrQ', 'C4bPPHdhcQqpy2eTIjH', 'JJcKE5dafbc1SXUaCMS', 'JvFHj1dL9DSH3LnDArq', 'IsWindowsPlatform', 'IsMacPlatform', 'IsLinuxPlatform', 'IsMonoPlatform'
Source: setup.exe, CrossPlatLock.cs High entropy of concatenated method names: 'Dispose', 'y8d5dqkCmOMMYo5fJiq', 'JSdlpkkr5Dijbsx8qMa', 'mALXYSk2aoJtwMFeGCR', 'NHnpB5kI4dB53FA38g5', 'Fh4B3JkMZJBoPYpMb1V', 'qMrOrBkVKODVn47sl8V', 'mKkBtLkv2lVx62DSR93', 'P3SJfVkkUa7wgiLCPG5', 'PcJBIckyTa6VtCoWMvB'
Source: setup.exe, FileAccessor.cs High entropy of concatenated method names: '_003CRead_003Eb__0', 'Lqp8pZyxWTu032WRdnp', 'Aa1oOEyAhKwPOCwiVCZ', 'C1HIOCypuxDmfqw0Nhw', 'CCeH5WyW7xIQqvh6SKn', 'AyCZPCyus5CE3FCwXe8', 'S2aAl7yYGMrvIt6foKJ', 'yPYX6XyDZ5TJqLdJJDU', 'Clear', 'CreateForPersistenceValidation'
Source: setup.exe, MsalCachePersistenceException.cs High entropy of concatenated method names: 'bS7Vp2khe0bkWkKsVhE', 'zwZlZOkaft6VbqJcCFj', 'wauE1LkNmpj0ADHP32H', 'skerukkKFqYcTi7g1Y7', 'wx8OWYkLsiC45WBVdX9', 'rUR8Kgkbw0t9HqSn34J'
Source: setup.exe, MsalCacheHelper.cs High entropy of concatenated method names: '_003CGetAccountIdentifiersNoLockAsync_003Eb__0', 'HFHHhmgnfs5buvhbgEm', 'dcePVZgUuIynH1KyaTg', 'HyIjQ4g3NNR5Mnp7BMl', 'DdRTuHg0PXWRIYeFPMY', 'v7s7GVg5RJIYlTADOe0', 'h0KY0OgRLPSuls7yDg9', 'oTMxwfglLJsFpBbBNcT', 'IlRsdVg15Qw5CfoL0vl', 'Slkw2bgsJbTZa8jNRtG'
Source: setup.exe, TraceSourceLogger.cs High entropy of concatenated method names: 'LogInformation', 'LogError', 'LogWarning', 'LdTC3CjecK', 'FbVlVwyvMpEeqTKIZBe', 'JwdDMIyM1njdGSJme1Y', 'agHTKmyV88cTOR8iv4c', 'YsQNWjyk6RXaKdft0by', 'hw4agHyygc8eCHemFqZ', 'HmMLbQygPOkuuOLYyJ4'
Source: setup.exe, MacOSKeychain.cs High entropy of concatenated method names: 'Get', 'AddOrUpdate', 'Remove', 'xPVmMNl2b1', 'oLKmZv22Wq', 'QcDmoYqwO2', 'WpXmABhvgc', 'rpmmfbGxR8', 'Ssp08qyqNL0L0QdA5c8', 'KWqP4dy9scuJYbFej23'
Source: setup.exe, FileIOWithRetries.cs High entropy of concatenated method names: '_003CDeleteCacheFile_003Eb__0', 'it1gwVyT2GAd4s8Sc0W', 'X0oKjyy8estWGRNjuIF', 'ks96x4yQyYyHkV2c6co', 'eNFwSGyBafF5Q5Ta8XB', 'Q5BnYWy7p64V7Jfy8M4', 'lNuv0fyzvU4Fu5gGSbx', 'M6sOdcg9bkMljr8htXr', 'n4hMaOg6wo7kjyCvewR', '_003CWriteDataToFile_003Eb__0'
Source: setup.exe, DyyVDbaRvM1YfIq9il.cs High entropy of concatenated method names: 'f0FXDHQW7qZ3oDEiQG3', 'eYveyWQxE5Fm0PVauvD', 'vh65wuQpbjnEZ1k3UbD', 'ce4DmfsmSrOT856tDgfrkMb', 'D4r4O0AxSI', 'cEUYZ3QYdK70RedPZW6', 'xMGsIIQD9NXTfgZ7N9R', 'ko0nodQQNbjDJgKlGOO', 'OLTl6mQBgcx8labgqsx', 'x6lU58QTBC3iCqAHlqq'
Source: setup.exe, CDCWSn7SaPjUwoq2Cc.cs High entropy of concatenated method names: 'I0aald448W5kE', 'KfG3iIQIWL40Td6WdLQ', 'AlZSFLQM5r4GIZM7OC6', 'OTU1CvQVOTHrFbY5FXJ', 'KwjltxQryTIIpaSG85s', 'Jf4ipPQ27LCF3vty06y', 'kOP6MjQvj40nk1lcxZd', 'gKyNL7Qk59hDbsoQXCp', 'c6j9qPQydywyQhSuhAo', 'BJ9AkrQgdPy79OAfSZm'
Source: setup.exe, SvgObject.cs High entropy of concatenated method names: 'SetName', 'GetName', 'SetId', 'GetId', 'SetClass', 'GetClass', 'SetType', 'GetType', 'SetTitle', 'GetTitle'
Source: setup.exe, SvgAnimationLayer.cs High entropy of concatenated method names: 'LoadDiagrams', 'UnloadDiagrams', 'HandleMouseMove', 'HandleMouseDown', 'HandleMouseLeave', 'kF7CP0ef54', 'cxRCBL8hd5', 'k80C2HINZa', 'OULCq2g5lh', 'njhCL0rrsS'
Source: setup.exe, EmbeddedBitmapDataConverter.cs High entropy of concatenated method names: 'CanConvertFrom', 'CanConvertTo', 'ConvertFrom', 'ConvertTo', 'bWynLodXwNfV4vEDv32', 'YjRV1Od3dXiAlPdHkGg', 'Nm3Qw4dG8pcNGyVmnjb', 'GhwdXAdwmRQbpN9Uwub', 'cu4inQd0mut87EgqkBI', 'IE5MotdnX8iZxAoKd7b'
Source: setup.exe, EmbeddedBitmapSource.cs High entropy of concatenated method names: 'CopyPixels', 'CloneCore', 'CloneCurrentValueCore', 'GetAsFrozenCore', 'GetCurrentValueAsFrozenCore', 'CreateInstanceCore', 'xKpCGybDDp', 'nCpCmnXmva', 'fIhCCKDrTK', 'zROCuM7BeL'
Source: setup.exe, ZoomPanAnimationHelper.cs High entropy of concatenated method names: '_003CStartAnimation_003Eb__0', 'EwTbM9AaVTeeBTqQxaF', 'YLUnlAALcO6ei3xQHro', 'ySxZ8LAKBQ767BedUof', 'gWBmYAAh8hkc7ttqJbS', 'eVYWMxAbxmLOb5ESqev', 'WKXdoOAflCQAEebKHxt', 'NoaD0FAZkQZ3w5hk8L3', 'eDFZRWAHTBYSDCJXEW7', 'StartAnimation'
Source: setup.exe, SvgAnimator.cs High entropy of concatenated method names: 'Start', 'Stop', 'qmTs0hor89Ft9vMAdRX', 'Wpoo9Ho2rv0GmAq9kXH', 'ysLyIyoImadMWbtWfyG', 'FSv21loMiA0FGNEsTq0', 'UNjYkUoVODqkHbs6BFM', 'QBMAkjov7GjhMYg92xg', 'VrnReOokN1tX9xeIKQ1', 'EVTBE6oyOUhfsiwgcG0'
Source: setup.exe, ZoomPanControl.cs High entropy of concatenated method names: '_003CAnimatedZoomTo_003Eb__0', 'PGKrtPAwbZpdq5hMOnM', 'JND1cSAiQnKET9kCWeh', 'w8dF2nAGvOpoWUGvJS0', '_003CAnimatedZoomPointToViewportCenter_003Eb__0', 'NtrwmmA0Tsdq19Jg1HC', 'VugnxUAnn1uVW17VgoN', 'taGZK6AXP1UilQOWH9g', 'vry719A34sYWExchErQ', 'p8jXW1AUTl9brtxKwWj'
Source: setup.exe, SvgDrawingCanvas.cs High entropy of concatenated method names: 'LoadDiagrams', 'LoadDiagrams', 'UnloadDiagrams', 'RenderDiagrams', 'RenderDiagrams', 'GetVisualChild', 'MeasureOverride', 'OnMouseDown', 'OnMouseMove', 'OnMouseUp'
Source: setup.exe, Forms.cs High entropy of concatenated method names: 'Dispose', 'vRF6h5r0eA', 'JwQqnFEQd3xXxF6H7vU', 'lx1gMaEBjZxMZLoyykj', 'KsHl2cEYBw7h1Z357CH', 'PjRMaPEDIHaJgN5aQKh', 'Tl1Pq3ETcxZ4iPiI4BK', 'VtQ4VmE8LDt5wRCsTre', 'XBihvjE7npDj5xjg6mr', 'KWyQJ1EzxnRm74NoL5B'
Source: setup.exe, Telemetry.cs High entropy of concatenated method names: 'QueueOperationEvent', 'QueueOperationEvent', 'QueueOperationEvent', 'TQWGKWAOAq', 'rmsGRujo2W', 'POHGF0v8ny', 'v88sSTIvvVmw5sgB3bQ', 'uJdtCyIkIrdlkBiPyJv', 'F20tGYIyC85qodp1waq', 'YVBcjRIggZ3wbbOb90P'
Source: setup.exe, ExtensionDownloadManager.cs High entropy of concatenated method names: '_003CDownloadExtensionsAsync_003Eb__0', 'NxDWeKMorMXUgitwkSE', 'U7HcRmMgg7Q6RvNCL9c', 'B7v1eOMdFGghHUnkvPh', 'kZGVhRMpNFcSfqWVkP1', 'vy7g25MW4OwystWDoYT', 'guKWSTMxWh4wr4aSi2J', 'DULpgJMACCZmQJRhktL', 'wvqG8NMurnbI8NlWcuR', 'DownloadExtensionsAsync'
Source: setup.exe, AutoUpdate.cs High entropy of concatenated method names: '_003CMain_003Eb__0', 'ynnVX6MS1EDw3FYImS2', 'v9ZpFrMN2i7RgEdxURm', 'gcrcdKM6GKCyweaxdi5', 'ofr1aSMqcxsTj9W2fjH', '_003CUpdateExtensions_003Eb__2', 'zje60xMa6vRmJXbWjvN', 'zx5Im3MLFe1KVWmtJEc', 'FtqgvwMKBRpsqT9FnLG', 'bjIkOuMhcpoeUVOXiXX'
Source: setup.exe, Resources.cs High entropy of concatenated method names: 'vdMk7A2LSyvvNVlKGLR', 'PWEKQ32b6Mg301ygfeN', 'jS2Gmp2fEL5pK8VDFbt', 'Giq3E22hhFCn2wyeovw', 'k4S1um2a6UMeCqGyYoX', 'udSqse2ZIPmti8IJJNJ', 'qORU0U2HKn8tcNyMORf', 'Vauk8y2ihh26Cb54w9r'
Source: setup.exe, Resources.cs High entropy of concatenated method names: 'fqXa33x7UpTutEKoMWJ', 'KmUVIoxzxSbCARONVRa', 'hj7E2RxTSp4EFE2ICcg', 'ew7QG3x86obEgqB267j', 'w06Qv0A9NCHhDY8Wp3W', 'yqukxxA6yrUOSBuP5dd'
Source: setup.exe, EventListenerMap.cs High entropy of concatenated method names: 'SUqp9KnKa0', 'AddEventListener', 'RemoveEventListener', 'FireEvent', 'HasEventListenerNs', 'Lock', 'Unlock', 'cvwYWlDOqse9W6xjopZ', 'gEX0pYDtnuTLhYAel3b', 'oPfuQFDsTSsS42U3tma'
Source: setup.exe, EventTarget.cs High entropy of concatenated method names: 'AddEventListener', 'RemoveEventListener', 'DispatchEvent', 'AddEventListenerNs', 'RemoveEventListenerNs', 'WillTriggerNs', 'HasEventListenerNs', 'FireEvent', 'JbrP3wDgECrc7d08RwU', 'SIDy4BDklQ7DtlGPVMZ'
Source: setup.exe, CDataSection.cs High entropy of concatenated method names: 'AddEventListener', 'RemoveEventListener', 'DispatchEvent', 'AddEventListenerNs', 'RemoveEventListenerNs', 'WillTriggerNs', 'HasEventListenerNs', 'FireEvent', 'tdZYOIAjvj7XXke1eYD', 'bKmOvDAC9MYgrDP54Q2'
Source: setup.exe, Attribute.cs High entropy of concatenated method names: 'AddEventListener', 'RemoveEventListener', 'DispatchEvent', 'AddEventListenerNs', 'RemoveEventListenerNs', 'WillTriggerNs', 'HasEventListenerNs', 'FireEvent', 'DZ0IJGAsXUwtF6wUoh5', 'SJ1VAZAlVR8o5k0OYeC'
Source: setup.exe, SignificantWhitespace.cs High entropy of concatenated method names: 'AddEventListener', 'RemoveEventListener', 'DispatchEvent', 'AddEventListenerNs', 'RemoveEventListenerNs', 'WillTriggerNs', 'HasEventListenerNs', 'FireEvent', 'HVgdliYyVM3lHP2GIif', 'QaDD9WYgA0cXFj9Rv4o'
Source: setup.exe, DocumentType.cs High entropy of concatenated method names: 'AddEventListener', 'RemoveEventListener', 'DispatchEvent', 'AddEventListenerNs', 'RemoveEventListenerNs', 'WillTriggerNs', 'HasEventListenerNs', 'FireEvent', 'fAkZkiuQjS8mdZsZ0eS', 'effPDAuBjlPxS5TGG8H'
Source: setup.exe, Text.cs High entropy of concatenated method names: 'AddEventListener', 'RemoveEventListener', 'DispatchEvent', 'AddEventListenerNs', 'RemoveEventListenerNs', 'WillTriggerNs', 'HasEventListenerNs', 'FireEvent', 'wVUdRxYDEO3yUyLrMrJ', 'bBpUgSYQi54CY1dx9JF'
Source: setup.exe, Declaration.cs High entropy of concatenated method names: 'AddEventListener', 'RemoveEventListener', 'DispatchEvent', 'AddEventListenerNs', 'RemoveEventListenerNs', 'WillTriggerNs', 'HasEventListenerNs', 'FireEvent', 'u5eqHFAzHaTXcwqk7Qk', 'SLRHSDu93hDBx6bVWW2'
Source: setup.exe, Element.cs High entropy of concatenated method names: 'AddEventListener', 'RemoveEventListener', 'DispatchEvent', 'AddEventListenerNs', 'RemoveEventListenerNs', 'WillTriggerNs', 'HasEventListenerNs', 'FireEvent', 'OVe71vYfDyabg9AmEHN', 'EB6Y4YYZp25iFwLXekV'
Source: setup.exe, Whitespace.cs High entropy of concatenated method names: 'AddEventListener', 'RemoveEventListener', 'DispatchEvent', 'AddEventListenerNs', 'RemoveEventListenerNs', 'WillTriggerNs', 'HasEventListenerNs', 'FireEvent', 'sET0ECDNkOwQceDNG9J', 'SHrcDmDKPBPdZZ2fnRQ'
Source: setup.exe, MyProject.cs High entropy of concatenated method names: 'WYixLETnd', 's1wGXwdhM', 'Equals', 'GetHashCode', 'GetType', 'ToString', 'K4BlYTwf1pBH0elSNl', 'KuEhY7Xb85743psetV', 't3QIXR3fUaJR3Ipkh2', 'P48u8g0RMyish8oRfo'
Source: setup.exe, LibSystem.cs High entropy of concatenated method names: 'dlopen', 'dlsym', 'GetGlobal', 'WAtINgVfM4mFs4eR0gw', 'QQ3EJLVZ8BWL5c1T1wh', 'N97JXcVL6eksuK6QZDj', 'YckiaLVbUOIPKExViax'
Source: setup.exe, KKr6hZkjvwWjdm9A4Z.cs High entropy of concatenated method names: 'Ts6ald5q0nxNL', 'JiVald5jQMCpQ', 'AeMk7ZBXafmRMrjVHYv', 'LMbRw0B38CpgAiCfnDg', 'LvuirWB0XkomUWR2c1Z', 'MnCbmQBnTvJk2KHnRKJ', 'iuyfSrBURkhmpBiPXYM'
Source: 0.2.setup.exe.31b4220.1.raw.unpack, fDX9tehJ5EFemhKZwc.cs High entropy of concatenated method names: 'ce4DmfsmSrOT856tDgfrkMb', 'NvQOxwsIFR', 'QsUuklFoHUiQD', 'MCRoDX9te', 'l5EbFemhK', 'uwcnnhQXJ', 'J3PigtLyh', 'PwdNpFGeB', 'XCj67ZIOy', 'w09DYCs5D'
Source: 0.2.setup.exe.31b4220.1.raw.unpack, zcrmeG4DKc05Qj8A7l.cs High entropy of concatenated method names: 'Ys7O1WDVbX', 'EIxO3RK2jf', 'ov3OzJmFFU', 'KJS0ILfinW', 'Gtt0O5H9rf', 'Gvj00KAYqN', 'hUG0r1tocH', 'PBb0lrpBsM', 'pGy05VOh0y', 'j3M0RfBB5l'

Persistence and Installation Behavior
barindex
Installs new ROOT certificates
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob Jump to behavior
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\setup.exe.log Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: setup.exe PID: 1668, type: MEMORYSTR
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\setup.exe Memory allocated: 2F50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Memory allocated: 3140000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Memory allocated: 2F50000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 1360000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2E70000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 4F70000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\setup.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 808 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 3860 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\setup.exe TID: 2144 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2820 Thread sleep time: -16602069666338586s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4232 Thread sleep count: 808 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4232 Thread sleep count: 3860 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2544 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\setup.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
Source: RegAsm.exe, 00000002.00000002.2266427907.0000000006358000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllYY
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000003477000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2257653819.0000000003411000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2257653819.00000000030C8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2257653819.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: a+gZHWRMVWxqhmGkwPDYyjKMCw0Og3WVeEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6nrkdzDfsQ7pfwBivJDdeBjyC8ZBrYMHeatMrX4SJ1l2vEDg/GZZwN3qvaQEOk1nsYI0nQhADMY/hZsIxYmq3ilFF3yHgGzY6tEzFmBea/UBzFhAmYb1oqHrA2HYnHoIDc0qDg5jN/iSm+UGwHYbQqqkRJVpdhCsWfEsDQs2YatlmgMvGsygRH9PIZM241n1Wg2QJriGdD15v8AEBGUz5wmlUAhSdeuRka5XGneIZTmGpDHsAMQJpeyqP8xYFGCRUAjTnqs8pnAw7ZfJaRM+v+EFLwrtaPnqkMBbgxavDBYWANPixOUg4B+VzjJUjJYCBsUJclzNAchyM4pexDM02OhsoxyzrVD0C6Arsg91oEjxRVPKLcNQkNKVbxTCUW6soC2egIZoCPA7t4NFXTGOgK4Ztqmq9iAIBoyJ0taxTdWMw6zUbRFVnX0UrMS8+qbjpa49lGwqehC3MjgPLqrkBUFpyDPwpFUfupRlk6QW9NIcWAwPgjCgxdK6okaC1DF0K1ohFZDl5jASmKR3itQzUXpUraHaACX6vQ/9XAsTV4DSBo7dk3QZrlT5uo4dswPOpnsJUzg7nmNYtWoEgESZWcUTH2xOwuFIKgJgfVnHTK+JLmAb/RowJPMKhAsCv3xIKp3A3J0bIrT6Kneikg7dvk+GJmkHFttaJEguSLSv129ueZxPU8u/jjbOh58SbK79gHC6fbyHtiXugGa2piEQXxG+bmG0Cus4t/nq2zXfIR5aooh8B19rBJQYmQ20FEfz4uFqfTRmf/+lM6Ex746uEtS7v0ouFUMm83c8HpZ5PQzRdxuv47EQAZ9PEP/ZL6ecyVbL+8hOSJm6+yF+1A6ySN83i+WdwHy5TP6AGa54yNOQDMt0K/OHXfg+kqThLIfk6QFsLDCjZdpZTGOzjUsCOwZe5C6Gi8Q8TVSedBLpSfsvQj8BDp18kmZ3ex54YP0+Gs0yuOc0oHyahpuklKSN9DNVuBZhWH/uMHS1PAuQ5a2Lju9F/SWeKm7prBc0jVP84iPJxdnHVJ/HDDDbXL54Z89qdU0Vcin6gqmwXrJjGgP4IA8IR19qewIwTnUCQdrTZp1GW0u9j1R6sUgPUrm2c5cvXl9oot3E2Yi+lA6TVxs+wzTv0RyoJlnAb/LVyrQ+JXXkt08JQiqZojt7zmAq6A6TMAI3d99XjZOb1H2Ej05cPkbrRi3jsQ/1cA/+FiEaSdYURoSjyCbui7SR58sFKCEAn3HKH4uwm3eDW6eeqSVnn3vRu5S+ZPUrZgKYs8lgl1/fYieGCfbdnVWn1in27qZ19Yfhv4WKpf3SAPgywfR4sYK3wdc8VGoHmK3TWFL5jmOUHB49Ogy2jYoedRvh3h9D96fGhUBv0WbVKW3Fxq4ViXVL2x9NKNgA+vC8A5zUncE8H2TafulfEOSRqFccYu86ht5uc0nLgpiCrzoulmnAYZLfk4zbvX51WQrYMsc8ORmzRWmqqLFXZVINxxVKaxrpheUhYRfRx54cZnzZZxdMOYT0VhpWbZdIcVFHnb3QBFJEgxwyQpCTte0yQjzn7uCUZsuA+iYIJO4a+Hmq+9ONtmOcMMYl7TbktlwpTMf366yxqm+uPbWY4CHOTnXrwGvPjnt7OfVwg2HHr8jHcJ5uzn/JOx/BvEfztbLR
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: setup.exe, 00000000.00000002.2131936682.0000000004253000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: HEPEJHGFSOFGLEZHSDPMBOIMSQUUBWBWZKJTRKIEROAEJSPLAA
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\setup.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\setup.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\setup.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\setup.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000 Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000 Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: EEB008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\setup.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Users\user\Desktop\setup.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information
barindex
Yara detected RedLine Stealer
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.setup.exe.475f0d0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.475f0d0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.47ab100.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.46c7080.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.467b050.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.47ab100.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.467b050.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.46c7080.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.4518830.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.43b6000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2131936682.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2131936682.00000000046BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2255836042.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2131936682.000000000470A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2131936682.0000000004145000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2131936682.0000000004253000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: setup.exe PID: 1668, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5876, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000003233000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Electrum\walletsLR
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000003233000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q4C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: setup.exe, 00000000.00000000.2122849516.0000000000AF2000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: VXMRSATZQXXMMNWAEJAXXRBKCAMZDJOTGRLXQJBREOKQEKGTGZQKSY
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000003233000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.walletLR
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000003233000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum\walletsLR
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000003233000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.walletLR
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000003233000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: qdC:\Users\user\AppData\Roaming\Binance
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000003233000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum\walletsLR
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000003233000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q&%localappdata%\Coinomi\Coinomi\walletsLR
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000003233000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: q8C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*`
Source: setup.exe, 00000000.00000002.2129820477.0000000003141000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: set_UseMachineKeyStore
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\ Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2257653819.0000000003233000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5876, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected RedLine Stealer
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.setup.exe.475f0d0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.475f0d0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.47ab100.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.46c7080.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.467b050.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.47ab100.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.467b050.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.46c7080.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.4518830.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.setup.exe.43b6000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2131936682.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2131936682.00000000046BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2255836042.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2131936682.000000000470A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2131936682.0000000004145000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2131936682.0000000004253000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: setup.exe PID: 1668, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5876, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1465699 Sample: setup.exe Startdate: 02/07/2024 Architecture: WINDOWS Score: 100 17 15.164.165.52.in-addr.arpa 2->17 21 Snort IDS alert for network traffic 2->21 23 Found malware configuration 2->23 25 Multi AV Scanner detection for submitted file 2->25 27 7 other signatures 2->27 7 setup.exe 3 2->7         started        signatures3 process4 file5 15 C:\Users\user\AppData\Local\...\setup.exe.log, ASCII 7->15 dropped 29 Found many strings related to Crypto-Wallets (likely being stolen) 7->29 31 Writes to foreign memory regions 7->31 33 Allocates memory in foreign processes 7->33 35 Injects a PE file into a foreign processes 7->35 11 RegAsm.exe 6 24 7->11         started        signatures6 process7 dnsIp8 19 185.172.128.33, 49711, 8970 NADYMSS-ASRU Russian Federation 11->19 37 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 11->37 39 Installs new ROOT certificates 11->39 41 Found many strings related to Crypto-Wallets (likely being stolen) 11->41 43 3 other signatures 11->43 signatures9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.172.128.33
 unknown Russian Federation
50916 NADYMSS-ASRU true

Contacted Domains

Name IP Active
15.164.165.52.in-addr.arpa unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
185.172.128.33:8970 true
  • Avira URL Cloud: safe
 unknown