Edit tour

Windows Analysis Report
setup.exe

Overview

General Information

Sample name:	setup.exe
Analysis ID:	1465699
MD5:	e671a39ffdad8e262a45ef77d97a14f4
SHA1:	d451ad059bf52c22ff5de8ed7968991bbc169828
SHA256:	d01fe3dbc995e4b5b209631e5ae30b792d88a78676f695127f8a5db9bf59b48c
Tags:	exe
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected RedLine Stealer

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Installs new ROOT certificates

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops certificate files (DER)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

setup.exe (PID: 1668 cmdline: "C:\Users\user\Desktop\setup.exe" MD5: E671A39FFDAD8E262A45EF77D97A14F4)

RegAsm.exe (PID: 5876 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": "185.172.128.33:8970", "Bot Id": "YT&TEAM CLOUD", "Authorization Header": "090b1c9b0516faab03d5a79ff2ee3484"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2131936682.00000000047A2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.2131936682.00000000046BE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000002.00000002.2255836042.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2131936682.000000000470A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.2131936682.0000000004145000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.2131936682.0000000004253000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000002.00000002.2257653819.0000000003233000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: setup.exe PID: 1668	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: setup.exe PID: 1668	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 5876	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 5876	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.setup.exe.475f0d0.7.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.setup.exe.475f0d0.7.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.setup.exe.47ab100.5.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.setup.exe.46c7080.6.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.setup.exe.467b050.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
2.2.RegAsm.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.setup.exe.47ab100.5.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.setup.exe.467b050.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.setup.exe.46c7080.6.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.setup.exe.4518830.3.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.setup.exe.4518830.3.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.setup.exe.43b6000.4.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.setup.exe.43b6000.4.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Click to see the 8 entries

Snort Signatures

ET MALWARE Redline Stealer TCP CnC - Id1Response - Source IP: 185.172.128.33 - Destination IP: 192.168.2.6

Timestamp:	07/02/24-00:21:01.164468
SID:	2043234
Source Port:	8970
Destination Port:	49711
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Redline Stealer TCP CnC Activity - Source IP: 192.168.2.6 - Destination IP: 185.172.128.33

Timestamp:	07/02/24-00:21:11.236244
SID:	2043231
Source Port:	49711
Destination Port:	8970
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.6 - Destination IP: 185.172.128.33

Timestamp:	07/02/24-00:21:00.973788
SID:	2046045
Source Port:	49711
Destination Port:	8970
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) - Source IP: 185.172.128.33 - Destination IP: 192.168.2.6

Timestamp:	07/02/24-00:21:06.414223
SID:	2046056
Source Port:	8970
Destination Port:	49711
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.2131936682.00000000046BE000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: RedLine {"C2 url": "185.172.128.33:8970", "Bot Id": "YT&TEAM CLOUD", "Authorization Header": "090b1c9b0516faab03d5a79ff2ee3484"}

Multi AV Scanner detection for submitted file

Source: setup.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: setup.exe

Joe Sandbox ML: detected

Source: setup.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\setup.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\setup.exe.log

Jump to behavior

Source: setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Template_v123_config.pdbx%2 source: setup.exe
Source:	Binary string: C:\Users\teres\AppData\Local\Temp\Report.A66214F7-6635-4084-8609-050NK772Dll\obj\Debug\APqfKCWP.pdb source: setup.exe, 00000000.00000002.2131936682.0000000004253000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: PE.pdbH] source: setup.exe, 00000000.00000002.2129820477.0000000003141000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2141453610.0000000005710000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: PE.pdb source: setup.exe, 00000000.00000002.2129820477.0000000003141000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2141453610.0000000005710000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: Template_v123_config.pdb source: setup.exe

Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h		0_2_05BCEFF0
Source: C:\Users\user\Desktop\setup.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h		0_2_05BCEFE6

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.6:49711 -> 185.172.128.33:8970
Source: Traffic	Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.6:49711 -> 185.172.128.33:8970
Source: Traffic	Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 185.172.128.33:8970 -> 192.168.2.6:49711
Source: Traffic	Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 185.172.128.33:8970 -> 192.168.2.6:49711

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 185.172.128.33:8970

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.setup.exe.4518830.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.setup.exe.43b6000.4.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.6:49711 -> 185.172.128.33:8970

Source: Joe Sandbox View

IP Address: 185.172.128.33 185.172.128.33

Source: Joe Sandbox View

ASN Name: NADYMSS-ASRU NADYMSS-ASRU

Source: unknown

DNS traffic detected: query: 15.164.165.52.in-addr.arpa replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	TCP traffic detected without corresponding DNS query: 185.172.128.33
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa

Source: setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crt0
Source: setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: setup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: setup.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0N
Source: setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: setup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: setup.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalG3CodeSigningECCSHA3842021CA1.crl0=
Source: setup.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: setup.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: setup.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: setup.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: setup.exe	String found in binary or memory: http://ocsp.digicert.com0W
Source: setup.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: setup.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: setup.exe	String found in binary or memory: http://sharpvectors.codeplex.com/runtime/
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/D
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: RegAsm.exe, 00000002.00000002.2257653819.00000000033BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: RegAsm.exe, 00000002.00000002.2257653819.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2257653819.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: RegAsm.exe, 00000002.00000002.2257653819.00000000033BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2257653819.00000000033BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: RegAsm.exe, 00000002.00000002.2257653819.00000000033BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000003233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: RegAsm.exe, 00000002.00000002.2257653819.00000000033BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: RegAsm.exe, 00000002.00000002.2257653819.00000000033BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: RegAsm.exe, 00000002.00000002.2257653819.00000000033BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: RegAsm.exe, 00000002.00000002.2257653819.00000000033BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: RegAsm.exe, 00000002.00000002.2257653819.00000000033BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: RegAsm.exe, 00000002.00000002.2257653819.00000000033BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: RegAsm.exe, 00000002.00000002.2257653819.00000000033BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: setup.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: setup.exe, 00000000.00000002.2131936682.00000000046BE000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2131936682.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2131936682.0000000004253000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2131936682.000000000470A000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2131936682.0000000004145000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2255836042.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: setup.exe, 00000000.00000002.2131936682.0000000004145000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://az700632.vo.msecnd.net/pub
Source: setup.exe	String found in binary or memory: https://github.com/AzureAD/microsoft-authentication-extensions-for-dotnet
Source: setup.exe	String found in binary or memory: https://login.microsoftonline.com/common
Source: setup.exe	String found in binary or memory: https://sectigo.com/CPS0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp6A20.tmp			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp6A0F.tmp			Jump to dropped file

Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_0302B178	0_2_0302B178
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_0302B188	0_2_0302B188
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_0302E638	0_2_0302E638
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_05B91E88	0_2_05B91E88
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_05B91E78	0_2_05B91E78
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_05BA1350	0_2_05BA1350
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_05BA5DBE	0_2_05BA5DBE
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_05BA4898	0_2_05BA4898
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_05BA0006	0_2_05BA0006
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_05BA0040	0_2_05BA0040
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_05BA2B70	0_2_05BA2B70
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_05BA2B60	0_2_05BA2B60
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_05BA1340	0_2_05BA1340
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_05BC44E0	0_2_05BC44E0
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_05BCA0A0	0_2_05BCA0A0
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_05BC6098	0_2_05BC6098
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_05BCDE60	0_2_05BCDE60
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_05BCCB52	0_2_05BCCB52
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_05BC44D0	0_2_05BC44D0
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_05BCA08F	0_2_05BCA08F
Source: C:\Users\user\Desktop\setup.exe	Code function: 0_2_05BCDE4F	0_2_05BCDE4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0136DC74	2_2_0136DC74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_069667D8	2_2_069667D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0696A3E8	2_2_0696A3E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_06963F50	2_2_06963F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0696A3D8	2_2_0696A3D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_06966FF8	2_2_06966FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_06966FE8	2_2_06966FE8

Source: setup.exe

Static PE information: invalid certificate

Source: setup.exe, 00000000.00000002.2129820477.0000000003141000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePE.dll& vs setup.exe
Source: setup.exe, 00000000.00000002.2131936682.00000000046BE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameThere.exe8 vs setup.exe
Source: setup.exe, 00000000.00000002.2141453610.0000000005710000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamePE.dll& vs setup.exe
Source: setup.exe, 00000000.00000002.2141526814.0000000005A32000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAPqfKCWP.dll0 vs setup.exe
Source: setup.exe, 00000000.00000002.2131936682.00000000047A2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameThere.exe8 vs setup.exe
Source: setup.exe, 00000000.00000002.2129408323.0000000001559000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs setup.exe
Source: setup.exe, 00000000.00000002.2131936682.0000000004253000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAPqfKCWP.dll0 vs setup.exe
Source: setup.exe, 00000000.00000002.2131936682.000000000470A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameThere.exe8 vs setup.exe
Source: setup.exe, 00000000.00000002.2131936682.00000000047EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameThere.exe8 vs setup.exe
Source: setup.exe, 00000000.00000002.2129820477.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclrjit.dllT vs setup.exe
Source: setup.exe, 00000000.00000002.2129820477.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs setup.exe
Source: setup.exe, 00000000.00000002.2129820477.0000000003279000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: q,\\StringFileInfo\\040904B0\\OriginalFilename vs setup.exe
Source: setup.exe, 00000000.00000002.2131936682.000000000480B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameThere.exe8 vs setup.exe
Source: setup.exe, 00000000.00000000.2123213472.0000000000E16000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTemplate_v123_config.exe0 vs setup.exe
Source: setup.exe	Binary or memory string: OriginalFilenameTemplate_v123_config.exe0 vs setup.exe

Source: setup.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: setup.exe, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: setup.exe, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: setup.exe, DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: setup.exe, wmEmS.cs	Cryptographic APIs: 'CreateDecryptor'
Source: setup.exe, wmEmS.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.setup.exe.4518830.3.raw.unpack, zGLiBpty.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.setup.exe.31b4220.1.raw.unpack, fDX9tehJ5EFemhKZwc.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.setup.exe.31b4220.1.raw.unpack, fDX9tehJ5EFemhKZwc.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/6@1/1

Source: C:\Users\user\Desktop\setup.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\setup.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Mutant created: NULL

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Temp\Tmp6A0F.tmp

Jump to behavior

Source: setup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: setup.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000002.00000002.2257653819.000000000344C000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2257653819.0000000003436000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: setup.exe

ReversingLabs: Detection: 52%

Source: unknown	Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"
Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: mscorjit.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: esdsip.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: setup.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: setup.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: setup.exe

Static file information: File size 3360856 > 1048576

Source: setup.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x320600

Source: setup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: setup.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: Template_v123_config.pdbx%2 source: setup.exe
Source:	Binary string: C:\Users\teres\AppData\Local\Temp\Report.A66214F7-6635-4084-8609-050NK772Dll\obj\Debug\APqfKCWP.pdb source: setup.exe, 00000000.00000002.2131936682.0000000004253000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: PE.pdbH] source: setup.exe, 00000000.00000002.2129820477.0000000003141000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2141453610.0000000005710000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: PE.pdb source: setup.exe, 00000000.00000002.2129820477.0000000003141000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2141453610.0000000005710000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: Template_v123_config.pdb source: setup.exe

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: setup.exe, DyyVDbaRvM1YfIq9il.cs	.Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.Ts6ald5q0nxNL(16777454)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.Ts6ald5q0nxNL(16777391)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.Ts6ald5q0nxNL(16777290))})
Source: 0.2.setup.exe.31b4220.1.raw.unpack, fDX9tehJ5EFemhKZwc.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: setup.exe

Static PE information: real checksum: 0x33b128 should be: 0x33eef1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0696E060 push es; ret		2_2_0696E070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0696ECF2 push eax; ret		2_2_0696ED01

Source: setup.exe, LinuxKeyringAccessor.cs	High entropy of concatenated method names: 'CreateForPersistenceValidation', 'Clear', 'Read', 'Write', 'lRnmIsXi4K', 'N0DnYLv6vODbC33irUI', 'KHl8WgvqFw4OnI9iEOn', 'SY4aULvSJYBYm885D5r', 'IugrItvNZiQUT12FQPu', 'C0HKelVzd0CCWkCs2hP'
Source: setup.exe, DpApiEncryptedFileAccessor.cs	High entropy of concatenated method names: 'Clear', 'CreateForPersistenceValidation', 'Read', 'Write', 'L7Rh4AVChsrBTZjHnlJ', 'aHN9oeVr7pGPuRbUbuE', 'BjQSJEV2mAZ42wcbAFZ', 'HRNTZcVIG4WaUL6ykfb', 'Adlb36VEY0jG4e2llaK', 'UkMQ1XVjy1mCymWaXBY'
Source: setup.exe, MsalCacheStorage.cs	High entropy of concatenated method names: '_003C_002Ecctor_003Eb__17_0', 'AxFArmg82Ns4gOsviJN', 'x5xi58gBwo2jRLAFm09', 'U0R8CCgTmYurrcBmFLa', 'lUrCh4g71GY1npfCd3r', 'Ms2vBmgzmqS641Gu6jG', 'Create', 'ReadData', 'WriteData', 'Clear'
Source: setup.exe, MacKeychainAccessor.cs	High entropy of concatenated method names: 'Clear', 'Read', 'Write', 'CreateForPersistenceValidation', 'ToString', 'uG1GpDvRqNtuhtm9UUX', 'CCHiMXvlclJl22B5Gqo', 'I9hB86v1A7UC5kDihD7', 'grXPdwvseR2okgVQ6tk', 'bbPd76vUW3t8YoLPkiM'
Source: setup.exe, SharedUtilities.cs	High entropy of concatenated method names: '_003C_002Ecctor_003Eb__12_0', 'GD4ZR7dNlASOdUwYldZ', 'rNjBkmdKlrKGsNWBOrQ', 'C4bPPHdhcQqpy2eTIjH', 'JJcKE5dafbc1SXUaCMS', 'JvFHj1dL9DSH3LnDArq', 'IsWindowsPlatform', 'IsMacPlatform', 'IsLinuxPlatform', 'IsMonoPlatform'
Source: setup.exe, CrossPlatLock.cs	High entropy of concatenated method names: 'Dispose', 'y8d5dqkCmOMMYo5fJiq', 'JSdlpkkr5Dijbsx8qMa', 'mALXYSk2aoJtwMFeGCR', 'NHnpB5kI4dB53FA38g5', 'Fh4B3JkMZJBoPYpMb1V', 'qMrOrBkVKODVn47sl8V', 'mKkBtLkv2lVx62DSR93', 'P3SJfVkkUa7wgiLCPG5', 'PcJBIckyTa6VtCoWMvB'
Source: setup.exe, FileAccessor.cs	High entropy of concatenated method names: '_003CRead_003Eb__0', 'Lqp8pZyxWTu032WRdnp', 'Aa1oOEyAhKwPOCwiVCZ', 'C1HIOCypuxDmfqw0Nhw', 'CCeH5WyW7xIQqvh6SKn', 'AyCZPCyus5CE3FCwXe8', 'S2aAl7yYGMrvIt6foKJ', 'yPYX6XyDZ5TJqLdJJDU', 'Clear', 'CreateForPersistenceValidation'
Source: setup.exe, MsalCachePersistenceException.cs	High entropy of concatenated method names: 'bS7Vp2khe0bkWkKsVhE', 'zwZlZOkaft6VbqJcCFj', 'wauE1LkNmpj0ADHP32H', 'skerukkKFqYcTi7g1Y7', 'wx8OWYkLsiC45WBVdX9', 'rUR8Kgkbw0t9HqSn34J'
Source: setup.exe, MsalCacheHelper.cs	High entropy of concatenated method names: '_003CGetAccountIdentifiersNoLockAsync_003Eb__0', 'HFHHhmgnfs5buvhbgEm', 'dcePVZgUuIynH1KyaTg', 'HyIjQ4g3NNR5Mnp7BMl', 'DdRTuHg0PXWRIYeFPMY', 'v7s7GVg5RJIYlTADOe0', 'h0KY0OgRLPSuls7yDg9', 'oTMxwfglLJsFpBbBNcT', 'IlRsdVg15Qw5CfoL0vl', 'Slkw2bgsJbTZa8jNRtG'
Source: setup.exe, TraceSourceLogger.cs	High entropy of concatenated method names: 'LogInformation', 'LogError', 'LogWarning', 'LdTC3CjecK', 'FbVlVwyvMpEeqTKIZBe', 'JwdDMIyM1njdGSJme1Y', 'agHTKmyV88cTOR8iv4c', 'YsQNWjyk6RXaKdft0by', 'hw4agHyygc8eCHemFqZ', 'HmMLbQygPOkuuOLYyJ4'
Source: setup.exe, MacOSKeychain.cs	High entropy of concatenated method names: 'Get', 'AddOrUpdate', 'Remove', 'xPVmMNl2b1', 'oLKmZv22Wq', 'QcDmoYqwO2', 'WpXmABhvgc', 'rpmmfbGxR8', 'Ssp08qyqNL0L0QdA5c8', 'KWqP4dy9scuJYbFej23'
Source: setup.exe, FileIOWithRetries.cs	High entropy of concatenated method names: '_003CDeleteCacheFile_003Eb__0', 'it1gwVyT2GAd4s8Sc0W', 'X0oKjyy8estWGRNjuIF', 'ks96x4yQyYyHkV2c6co', 'eNFwSGyBafF5Q5Ta8XB', 'Q5BnYWy7p64V7Jfy8M4', 'lNuv0fyzvU4Fu5gGSbx', 'M6sOdcg9bkMljr8htXr', 'n4hMaOg6wo7kjyCvewR', '_003CWriteDataToFile_003Eb__0'
Source: setup.exe, DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: 'f0FXDHQW7qZ3oDEiQG3', 'eYveyWQxE5Fm0PVauvD', 'vh65wuQpbjnEZ1k3UbD', 'ce4DmfsmSrOT856tDgfrkMb', 'D4r4O0AxSI', 'cEUYZ3QYdK70RedPZW6', 'xMGsIIQD9NXTfgZ7N9R', 'ko0nodQQNbjDJgKlGOO', 'OLTl6mQBgcx8labgqsx', 'x6lU58QTBC3iCqAHlqq'
Source: setup.exe, CDCWSn7SaPjUwoq2Cc.cs	High entropy of concatenated method names: 'I0aald448W5kE', 'KfG3iIQIWL40Td6WdLQ', 'AlZSFLQM5r4GIZM7OC6', 'OTU1CvQVOTHrFbY5FXJ', 'KwjltxQryTIIpaSG85s', 'Jf4ipPQ27LCF3vty06y', 'kOP6MjQvj40nk1lcxZd', 'gKyNL7Qk59hDbsoQXCp', 'c6j9qPQydywyQhSuhAo', 'BJ9AkrQgdPy79OAfSZm'
Source: setup.exe, SvgObject.cs	High entropy of concatenated method names: 'SetName', 'GetName', 'SetId', 'GetId', 'SetClass', 'GetClass', 'SetType', 'GetType', 'SetTitle', 'GetTitle'
Source: setup.exe, SvgAnimationLayer.cs	High entropy of concatenated method names: 'LoadDiagrams', 'UnloadDiagrams', 'HandleMouseMove', 'HandleMouseDown', 'HandleMouseLeave', 'kF7CP0ef54', 'cxRCBL8hd5', 'k80C2HINZa', 'OULCq2g5lh', 'njhCL0rrsS'
Source: setup.exe, EmbeddedBitmapDataConverter.cs	High entropy of concatenated method names: 'CanConvertFrom', 'CanConvertTo', 'ConvertFrom', 'ConvertTo', 'bWynLodXwNfV4vEDv32', 'YjRV1Od3dXiAlPdHkGg', 'Nm3Qw4dG8pcNGyVmnjb', 'GhwdXAdwmRQbpN9Uwub', 'cu4inQd0mut87EgqkBI', 'IE5MotdnX8iZxAoKd7b'
Source: setup.exe, EmbeddedBitmapSource.cs	High entropy of concatenated method names: 'CopyPixels', 'CloneCore', 'CloneCurrentValueCore', 'GetAsFrozenCore', 'GetCurrentValueAsFrozenCore', 'CreateInstanceCore', 'xKpCGybDDp', 'nCpCmnXmva', 'fIhCCKDrTK', 'zROCuM7BeL'
Source: setup.exe, ZoomPanAnimationHelper.cs	High entropy of concatenated method names: '_003CStartAnimation_003Eb__0', 'EwTbM9AaVTeeBTqQxaF', 'YLUnlAALcO6ei3xQHro', 'ySxZ8LAKBQ767BedUof', 'gWBmYAAh8hkc7ttqJbS', 'eVYWMxAbxmLOb5ESqev', 'WKXdoOAflCQAEebKHxt', 'NoaD0FAZkQZ3w5hk8L3', 'eDFZRWAHTBYSDCJXEW7', 'StartAnimation'
Source: setup.exe, SvgAnimator.cs	High entropy of concatenated method names: 'Start', 'Stop', 'qmTs0hor89Ft9vMAdRX', 'Wpoo9Ho2rv0GmAq9kXH', 'ysLyIyoImadMWbtWfyG', 'FSv21loMiA0FGNEsTq0', 'UNjYkUoVODqkHbs6BFM', 'QBMAkjov7GjhMYg92xg', 'VrnReOokN1tX9xeIKQ1', 'EVTBE6oyOUhfsiwgcG0'
Source: setup.exe, ZoomPanControl.cs	High entropy of concatenated method names: '_003CAnimatedZoomTo_003Eb__0', 'PGKrtPAwbZpdq5hMOnM', 'JND1cSAiQnKET9kCWeh', 'w8dF2nAGvOpoWUGvJS0', '_003CAnimatedZoomPointToViewportCenter_003Eb__0', 'NtrwmmA0Tsdq19Jg1HC', 'VugnxUAnn1uVW17VgoN', 'taGZK6AXP1UilQOWH9g', 'vry719A34sYWExchErQ', 'p8jXW1AUTl9brtxKwWj'
Source: setup.exe, SvgDrawingCanvas.cs	High entropy of concatenated method names: 'LoadDiagrams', 'LoadDiagrams', 'UnloadDiagrams', 'RenderDiagrams', 'RenderDiagrams', 'GetVisualChild', 'MeasureOverride', 'OnMouseDown', 'OnMouseMove', 'OnMouseUp'
Source: setup.exe, Forms.cs	High entropy of concatenated method names: 'Dispose', 'vRF6h5r0eA', 'JwQqnFEQd3xXxF6H7vU', 'lx1gMaEBjZxMZLoyykj', 'KsHl2cEYBw7h1Z357CH', 'PjRMaPEDIHaJgN5aQKh', 'Tl1Pq3ETcxZ4iPiI4BK', 'VtQ4VmE8LDt5wRCsTre', 'XBihvjE7npDj5xjg6mr', 'KWyQJ1EzxnRm74NoL5B'
Source: setup.exe, Telemetry.cs	High entropy of concatenated method names: 'QueueOperationEvent', 'QueueOperationEvent', 'QueueOperationEvent', 'TQWGKWAOAq', 'rmsGRujo2W', 'POHGF0v8ny', 'v88sSTIvvVmw5sgB3bQ', 'uJdtCyIkIrdlkBiPyJv', 'F20tGYIyC85qodp1waq', 'YVBcjRIggZ3wbbOb90P'
Source: setup.exe, ExtensionDownloadManager.cs	High entropy of concatenated method names: '_003CDownloadExtensionsAsync_003Eb__0', 'NxDWeKMorMXUgitwkSE', 'U7HcRmMgg7Q6RvNCL9c', 'B7v1eOMdFGghHUnkvPh', 'kZGVhRMpNFcSfqWVkP1', 'vy7g25MW4OwystWDoYT', 'guKWSTMxWh4wr4aSi2J', 'DULpgJMACCZmQJRhktL', 'wvqG8NMurnbI8NlWcuR', 'DownloadExtensionsAsync'
Source: setup.exe, AutoUpdate.cs	High entropy of concatenated method names: '_003CMain_003Eb__0', 'ynnVX6MS1EDw3FYImS2', 'v9ZpFrMN2i7RgEdxURm', 'gcrcdKM6GKCyweaxdi5', 'ofr1aSMqcxsTj9W2fjH', '_003CUpdateExtensions_003Eb__2', 'zje60xMa6vRmJXbWjvN', 'zx5Im3MLFe1KVWmtJEc', 'FtqgvwMKBRpsqT9FnLG', 'bjIkOuMhcpoeUVOXiXX'
Source: setup.exe, Resources.cs	High entropy of concatenated method names: 'vdMk7A2LSyvvNVlKGLR', 'PWEKQ32b6Mg301ygfeN', 'jS2Gmp2fEL5pK8VDFbt', 'Giq3E22hhFCn2wyeovw', 'k4S1um2a6UMeCqGyYoX', 'udSqse2ZIPmti8IJJNJ', 'qORU0U2HKn8tcNyMORf', 'Vauk8y2ihh26Cb54w9r'
Source: setup.exe, Resources.cs	High entropy of concatenated method names: 'fqXa33x7UpTutEKoMWJ', 'KmUVIoxzxSbCARONVRa', 'hj7E2RxTSp4EFE2ICcg', 'ew7QG3x86obEgqB267j', 'w06Qv0A9NCHhDY8Wp3W', 'yqukxxA6yrUOSBuP5dd'
Source: setup.exe, EventListenerMap.cs	High entropy of concatenated method names: 'SUqp9KnKa0', 'AddEventListener', 'RemoveEventListener', 'FireEvent', 'HasEventListenerNs', 'Lock', 'Unlock', 'cvwYWlDOqse9W6xjopZ', 'gEX0pYDtnuTLhYAel3b', 'oPfuQFDsTSsS42U3tma'
Source: setup.exe, EventTarget.cs	High entropy of concatenated method names: 'AddEventListener', 'RemoveEventListener', 'DispatchEvent', 'AddEventListenerNs', 'RemoveEventListenerNs', 'WillTriggerNs', 'HasEventListenerNs', 'FireEvent', 'JbrP3wDgECrc7d08RwU', 'SIDy4BDklQ7DtlGPVMZ'
Source: setup.exe, CDataSection.cs	High entropy of concatenated method names: 'AddEventListener', 'RemoveEventListener', 'DispatchEvent', 'AddEventListenerNs', 'RemoveEventListenerNs', 'WillTriggerNs', 'HasEventListenerNs', 'FireEvent', 'tdZYOIAjvj7XXke1eYD', 'bKmOvDAC9MYgrDP54Q2'
Source: setup.exe, Attribute.cs	High entropy of concatenated method names: 'AddEventListener', 'RemoveEventListener', 'DispatchEvent', 'AddEventListenerNs', 'RemoveEventListenerNs', 'WillTriggerNs', 'HasEventListenerNs', 'FireEvent', 'DZ0IJGAsXUwtF6wUoh5', 'SJ1VAZAlVR8o5k0OYeC'
Source: setup.exe, SignificantWhitespace.cs	High entropy of concatenated method names: 'AddEventListener', 'RemoveEventListener', 'DispatchEvent', 'AddEventListenerNs', 'RemoveEventListenerNs', 'WillTriggerNs', 'HasEventListenerNs', 'FireEvent', 'HVgdliYyVM3lHP2GIif', 'QaDD9WYgA0cXFj9Rv4o'
Source: setup.exe, DocumentType.cs	High entropy of concatenated method names: 'AddEventListener', 'RemoveEventListener', 'DispatchEvent', 'AddEventListenerNs', 'RemoveEventListenerNs', 'WillTriggerNs', 'HasEventListenerNs', 'FireEvent', 'fAkZkiuQjS8mdZsZ0eS', 'effPDAuBjlPxS5TGG8H'
Source: setup.exe, Text.cs	High entropy of concatenated method names: 'AddEventListener', 'RemoveEventListener', 'DispatchEvent', 'AddEventListenerNs', 'RemoveEventListenerNs', 'WillTriggerNs', 'HasEventListenerNs', 'FireEvent', 'wVUdRxYDEO3yUyLrMrJ', 'bBpUgSYQi54CY1dx9JF'
Source: setup.exe, Declaration.cs	High entropy of concatenated method names: 'AddEventListener', 'RemoveEventListener', 'DispatchEvent', 'AddEventListenerNs', 'RemoveEventListenerNs', 'WillTriggerNs', 'HasEventListenerNs', 'FireEvent', 'u5eqHFAzHaTXcwqk7Qk', 'SLRHSDu93hDBx6bVWW2'
Source: setup.exe, Element.cs	High entropy of concatenated method names: 'AddEventListener', 'RemoveEventListener', 'DispatchEvent', 'AddEventListenerNs', 'RemoveEventListenerNs', 'WillTriggerNs', 'HasEventListenerNs', 'FireEvent', 'OVe71vYfDyabg9AmEHN', 'EB6Y4YYZp25iFwLXekV'
Source: setup.exe, Whitespace.cs	High entropy of concatenated method names: 'AddEventListener', 'RemoveEventListener', 'DispatchEvent', 'AddEventListenerNs', 'RemoveEventListenerNs', 'WillTriggerNs', 'HasEventListenerNs', 'FireEvent', 'sET0ECDNkOwQceDNG9J', 'SHrcDmDKPBPdZZ2fnRQ'
Source: setup.exe, MyProject.cs	High entropy of concatenated method names: 'WYixLETnd', 's1wGXwdhM', 'Equals', 'GetHashCode', 'GetType', 'ToString', 'K4BlYTwf1pBH0elSNl', 'KuEhY7Xb85743psetV', 't3QIXR3fUaJR3Ipkh2', 'P48u8g0RMyish8oRfo'
Source: setup.exe, LibSystem.cs	High entropy of concatenated method names: 'dlopen', 'dlsym', 'GetGlobal', 'WAtINgVfM4mFs4eR0gw', 'QQ3EJLVZ8BWL5c1T1wh', 'N97JXcVL6eksuK6QZDj', 'YckiaLVbUOIPKExViax'
Source: setup.exe, KKr6hZkjvwWjdm9A4Z.cs	High entropy of concatenated method names: 'Ts6ald5q0nxNL', 'JiVald5jQMCpQ', 'AeMk7ZBXafmRMrjVHYv', 'LMbRw0B38CpgAiCfnDg', 'LvuirWB0XkomUWR2c1Z', 'MnCbmQBnTvJk2KHnRKJ', 'iuyfSrBURkhmpBiPXYM'
Source: 0.2.setup.exe.31b4220.1.raw.unpack, fDX9tehJ5EFemhKZwc.cs	High entropy of concatenated method names: 'ce4DmfsmSrOT856tDgfrkMb', 'NvQOxwsIFR', 'QsUuklFoHUiQD', 'MCRoDX9te', 'l5EbFemhK', 'uwcnnhQXJ', 'J3PigtLyh', 'PwdNpFGeB', 'XCj67ZIOy', 'w09DYCs5D'
Source: 0.2.setup.exe.31b4220.1.raw.unpack, zcrmeG4DKc05Qj8A7l.cs	High entropy of concatenated method names: 'Ys7O1WDVbX', 'EIxO3RK2jf', 'ov3OzJmFFU', 'KJS0ILfinW', 'Gtt0O5H9rf', 'Gvj00KAYqN', 'hUG0r1tocH', 'PBb0lrpBsM', 'pGy05VOh0y', 'j3M0RfBB5l'

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\setup.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: setup.exe PID: 1668, type: MEMORYSTR

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\setup.exe	Memory allocated: 2F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Memory allocated: 3140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Memory allocated: 2F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 1360000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 4F70000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 808			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 3860			Jump to behavior

Source: C:\Users\user\Desktop\setup.exe TID: 2144	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2820	Thread sleep time: -16602069666338586s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4232	Thread sleep count: 808 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4232	Thread sleep count: 3860 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2544	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\setup.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: RegAsm.exe, 00000002.00000002.2266427907.0000000006358000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllYY
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000003477000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2257653819.0000000003411000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2257653819.00000000030C8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2257653819.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: a+gZHWRMVWxqhmGkwPDYyjKMCw0Og3WVeEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6nrkdzDfsQ7pfwBivJDdeBjyC8ZBrYMHeatMrX4SJ1l2vEDg/GZZwN3qvaQEOk1nsYI0nQhADMY/hZsIxYmq3ilFF3yHgGzY6tEzFmBea/UBzFhAmYb1oqHrA2HYnHoIDc0qDg5jN/iSm+UGwHYbQqqkRJVpdhCsWfEsDQs2YatlmgMvGsygRH9PIZM241n1Wg2QJriGdD15v8AEBGUz5wmlUAhSdeuRka5XGneIZTmGpDHsAMQJpeyqP8xYFGCRUAjTnqs8pnAw7ZfJaRM+v+EFLwrtaPnqkMBbgxavDBYWANPixOUg4B+VzjJUjJYCBsUJclzNAchyM4pexDM02OhsoxyzrVD0C6Arsg91oEjxRVPKLcNQkNKVbxTCUW6soC2egIZoCPA7t4NFXTGOgK4Ztqmq9iAIBoyJ0taxTdWMw6zUbRFVnX0UrMS8+qbjpa49lGwqehC3MjgPLqrkBUFpyDPwpFUfupRlk6QW9NIcWAwPgjCgxdK6okaC1DF0K1ohFZDl5jASmKR3itQzUXpUraHaACX6vQ/9XAsTV4DSBo7dk3QZrlT5uo4dswPOpnsJUzg7nmNYtWoEgESZWcUTH2xOwuFIKgJgfVnHTK+JLmAb/RowJPMKhAsCv3xIKp3A3J0bIrT6Kneikg7dvk+GJmkHFttaJEguSLSv129ueZxPU8u/jjbOh58SbK79gHC6fbyHtiXugGa2piEQXxG+bmG0Cus4t/nq2zXfIR5aooh8B19rBJQYmQ20FEfz4uFqfTRmf/+lM6Ex746uEtS7v0ouFUMm83c8HpZ5PQzRdxuv47EQAZ9PEP/ZL6ecyVbL+8hOSJm6+yF+1A6ySN83i+WdwHy5TP6AGa54yNOQDMt0K/OHXfg+kqThLIfk6QFsLDCjZdpZTGOzjUsCOwZe5C6Gi8Q8TVSedBLpSfsvQj8BDp18kmZ3ex54YP0+Gs0yuOc0oHyahpuklKSN9DNVuBZhWH/uMHS1PAuQ5a2Lju9F/SWeKm7prBc0jVP84iPJxdnHVJ/HDDDbXL54Z89qdU0Vcin6gqmwXrJjGgP4IA8IR19qewIwTnUCQdrTZp1GW0u9j1R6sUgPUrm2c5cvXl9oot3E2Yi+lA6TVxs+wzTv0RyoJlnAb/LVyrQ+JXXkt08JQiqZojt7zmAq6A6TMAI3d99XjZOb1H2Ej05cPkbrRi3jsQ/1cA/+FiEaSdYURoSjyCbui7SR58sFKCEAn3HKH4uwm3eDW6eeqSVnn3vRu5S+ZPUrZgKYs8lgl1/fYieGCfbdnVWn1in27qZ19Yfhv4WKpf3SAPgywfR4sYK3wdc8VGoHmK3TWFL5jmOUHB49Ogy2jYoedRvh3h9D96fGhUBv0WbVKW3Fxq4ViXVL2x9NKNgA+vC8A5zUncE8H2TafulfEOSRqFccYu86ht5uc0nLgpiCrzoulmnAYZLfk4zbvX51WQrYMsc8ORmzRWmqqLFXZVINxxVKaxrpheUhYRfRx54cZnzZZxdMOYT0VhpWbZdIcVFHnb3QBFJEgxwyQpCTte0yQjzn7uCUZsuA+iYIJO4a+Hmq+9ONtmOcMMYl7TbktlwpTMf366yxqm+uPbWY4CHOTnXrwGvPjnt7OfVwg2HHr8jHcJ5uzn/JOx/BvEfztbLR
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: setup.exe, 00000000.00000002.2131936682.0000000004253000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: HEPEJHGFSOFGLEZHSDPMBOIMSQUUBWBWZKJTRKIEROAEJSPLAA
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: RegAsm.exe, 00000002.00000002.2262082665.000000000401E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: RegAsm.exe, 00000002.00000002.2262082665.0000000003FAD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\setup.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\setup.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\setup.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: EEB008	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe	Queries volume information: C:\Users\user\Desktop\setup.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.setup.exe.475f0d0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.setup.exe.475f0d0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.setup.exe.47ab100.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.setup.exe.46c7080.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.setup.exe.467b050.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.setup.exe.47ab100.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.setup.exe.467b050.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.setup.exe.46c7080.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.setup.exe.4518830.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.setup.exe.43b6000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2131936682.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2131936682.00000000046BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2255836042.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2131936682.000000000470A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2131936682.0000000004145000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2131936682.0000000004253000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: setup.exe PID: 1668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5876, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000002.00000002.2257653819.0000000003233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum\walletsLR
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000003233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q4C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: setup.exe, 00000000.00000000.2122849516.0000000000AF2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: VXMRSATZQXXMMNWAEJAXXRBKCAMZDJOTGRLXQJBREOKQEKGTGZQKSY
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000003233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.walletLR
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000003233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum\walletsLR
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000003233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.walletLR
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000003233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: qdC:\Users\user\AppData\Roaming\Binance
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000003233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum\walletsLR
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000003233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q&%localappdata%\Coinomi\Coinomi\walletsLR
Source: RegAsm.exe, 00000002.00000002.2257653819.0000000003233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q8C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*`
Source: setup.exe, 00000000.00000002.2129820477.0000000003141000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Source: Yara match	File source: 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2257653819.0000000003233000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5876, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.setup.exe.475f0d0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.setup.exe.475f0d0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.setup.exe.47ab100.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.setup.exe.46c7080.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.setup.exe.467b050.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.setup.exe.47ab100.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.setup.exe.467b050.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.setup.exe.46c7080.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.setup.exe.4518830.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.setup.exe.43b6000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2131936682.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2131936682.00000000046BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2255836042.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2131936682.000000000470A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2131936682.0000000004145000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2131936682.0000000004253000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: setup.exe PID: 1668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5876, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	1 OS Credential Dumping	221 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	3 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	241 Virtualization/Sandbox Evasion	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Install Root Certificate	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
setup.exe	53%	ReversingLabs	ByteCode-MSIL.Trojan.RedlineStealer
setup.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://tempuri.org/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id23ResponseD	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	0%	Avira URL Cloud	safe
https://github.com/AzureAD/microsoft-authentication-extensions-for-dotnet	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id2Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id12Response	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id14ResponseD	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://schemas.xmlsoap.org/soap/envelope/	0%	URL Reputation	safe
http://tempuri.org/Entity/Id21Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id6ResponseD	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id8	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id9	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id4	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id5	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id7	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id19Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id6	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id13ResponseD	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat	0%	Avira URL Cloud	safe
http://sharpvectors.codeplex.com/runtime/	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id15Response	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/04/sc	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id6Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id1ResponseD	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id9Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id22	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id20	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id21	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id23	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id24	0%	Avira URL Cloud	safe
185.172.128.33:8970	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id24Response	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id1Response	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/04/trust	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id21ResponseD	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id11	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id10ResponseD	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id10	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id12	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id16Response	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id13	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id14	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id15	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id16	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id17	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id5Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id18	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id15ResponseD	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id19	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id10Response	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id11ResponseD	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id8Response	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id17ResponseD	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id8ResponseD	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
15.164.165.52.in-addr.arpa	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
185.172.128.33:8970	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id14ResponseD	RegAsm.exe, 00000002.00000002.2257653819.00000000033BD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/AzureAD/microsoft-authentication-extensions-for-dotnet	setup.exe	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id23ResponseD	RegAsm.exe, 00000002.00000002.2257653819.00000000033BD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id12Response	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id2Response	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id21Response	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id9	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id8	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id6ResponseD	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id5	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id4	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id7	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id6	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id19Response	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id13ResponseD	RegAsm.exe, 00000002.00000002.2257653819.00000000033BD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://sharpvectors.codeplex.com/runtime/	setup.exe	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id15Response	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegAsm.exe, 00000002.00000002.2257653819.0000000002F93000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id6Response	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ip.sb/ip	setup.exe, 00000000.00000002.2131936682.00000000046BE000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2131936682.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2131936682.0000000004253000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2131936682.000000000470A000.00000004.00000800.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2131936682.0000000004145000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2255836042.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/sc	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id1ResponseD	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id9Response	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id20	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id21	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id22	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id23	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id24	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id24Response	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id1Response	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id21ResponseD	RegAsm.exe, 00000002.00000002.2257653819.00000000033BD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id10	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id11	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id10ResponseD	RegAsm.exe, 00000002.00000002.2257653819.00000000033BD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id12	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id16Response	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id13	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2257653819.0000000002F8B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id14	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id15	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id16	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id17	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id18	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id5Response	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id19	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id15ResponseD	RegAsm.exe, 00000002.00000002.2257653819.0000000003233000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id10Response	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id11ResponseD	RegAsm.exe, 00000002.00000002.2257653819.00000000031DD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id8Response	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	setup.exe	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id17ResponseD	RegAsm.exe, 00000002.00000002.2257653819.00000000033BD000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	RegAsm.exe, 00000002.00000002.2257653819.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id8ResponseD	RegAsm.exe, 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.172.128.33	unknown	Russian Federation		50916	NADYMSS-ASRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1465699
Start date and time:	2024-07-02 00:20:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	setup.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/6@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 113 Number of non-executed functions: 25
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: setup.exe

Simulations

Behavior and APIs

Time	Type	Description
18:21:07	API Interceptor	24x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
185.172.128.33	1Vkf7silOj.exe	Get hash	malicious	LummaC, Amadey, Mars Stealer, PureLog Stealer, RedLine, SmokeLoader, Stealc	Browse
	X8ljh02lU9.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse
	file.exe	Get hash	malicious	RedLine	Browse
	setup.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine	Browse
	setup.exe	Get hash	malicious	Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, XWorm, zgRAT	Browse
	4TzzRzv0Hs.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine	Browse
	KmhrN2q5ZO.exe	Get hash	malicious	Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, zgRAT	Browse
	DPqKF5vqpe.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, SystemBC	Browse
	HO3wesohQb.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse
	SecuriteInfo.com.Win32.Evo-gen.26431.15713.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NADYMSS-ASRU	1Vkf7silOj.exe	Get hash	malicious	LummaC, Amadey, Mars Stealer, PureLog Stealer, RedLine, SmokeLoader, Stealc	Browse	185.172.128.33
	X8ljh02lU9.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	185.172.128.33
	file.exe	Get hash	malicious	RedLine	Browse	185.172.128.33
	35WqOa1tGb.exe	Get hash	malicious	GCleaner, Nymaim	Browse	185.172.128.90
	DXe9Ayi7uC.exe	Get hash	malicious	GCleaner, Nymaim	Browse	185.172.128.69
	hsRju5CPK2.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, zgRAT	Browse	185.172.128.116
	mCTacyNuyM.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine	Browse	185.172.128.116
	file.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, SmokeLoader	Browse	185.172.128.116
	setup.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine	Browse	185.172.128.33
	j3KmxDxlLT.exe	Get hash	malicious	Amadey, SmokeLoader	Browse	185.172.128.116

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Thu Oct 5 05:47:20 2023, atime=Wed Sep 27 08:36:54 2023, length=3242272, window=hide
Category:	dropped
Size (bytes):	2104
Entropy (8bit):	3.469522369746748
Encrypted:	false
SSDEEP:	48:8Std5TvGK0lRYrnvPdAKRkdAGdAKRFdAKR6P:8SZbF7
MD5:	EA3FBD383F8B0203568B69944F93457E
SHA1:	4462E364303FDBF50BD028D2BB7241697EAAC81F
SHA-256:	F873A72D0B10B8AB0CB86ECD9E9BCBFDA11B1B50804910F666024B20ADC464B0
SHA-512:	C3F04116686CE771FC02961ABE50B1534D48D524AB30744B47C6B175D533F53E0AEC936748D20BC253C49CDC233700624482B2D56C9B88D69FD4E95CF836B81C
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ......,.......W....X.&&... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....EW.3..PROGRA~1..t......O.IEW.5....B...............J.......j.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VEW@2....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.2..Chrome..>......CW.VEW.2....M.....................7...C.h.r.o.m.e.....`.1.....EW.2..APPLIC~1..H......CW.VEW.2..........................7...A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.L .chrome.exe..F......CW.VEW.5.........................l...c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	5.3318368586986695
Encrypted:	false
SSDEEP:	96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlq0
MD5:	0C1110E9B7BBBCB651A0B7568D796468
SHA1:	7AEE00407EE27655FFF0ADFBC96CF7FAD9610AAA
SHA-256:	112E21404A85963FB5DF8388F97429D6A46E9D4663435CC86267C563C0951FA2
SHA-512:	46E37552764B4E61006AB99F8C542D55B2418668B097D3C6647D306604C3D7CA3FAF34F8B4121D94B0E7168295B2ABEB7C21C3B96F37208943537B887BC81590
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\setup.exe.log

Download File

Process:	C:\Users\user\Desktop\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1362
Entropy (8bit):	5.342650164635672
Encrypted:	false
SSDEEP:	24:MLU84qpE4KlKDE4KhKiKhuE4UofoJE4r4CeylEE4aP6AE4KIRU:Mgv2HKlYHKh3ouHgJHreylEHMHKoU
MD5:	88842857A642F0B316D14FEE1CD1C820
SHA1:	9164100C7DA76EE281ECB4F02E38A98883BED4BA
SHA-256:	7C93C110A021ACE31ECE4BEBD9A8AEF546D6C4D1AFDE64694C5C0E1CCA36DA04
SHA-512:	97C296976ABA8CBFDCA5772861113C938CB075F947E801143437FE4CDE639FAABA829DFF07A1D1832BF26D691E5C9F3E21279A9BBCAEDBCB85CE6637B6F6E66C
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\4d760e3e4675c4a4c66b64205fb0d001\WindowsBase.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\17470ef0c7a174f38bdcadacc3e310ad\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, Publi

C:\Users\user\AppData\Local\Temp\Tmp6A0F.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\Tmp6A20.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	2251
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	0158FE9CEAD91D1B027B795984737614
SHA1:	B41A11F909A7BDF1115088790A5680AC4E23031B
SHA-256:	513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
SHA-512:	C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.619881024854986
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	setup.exe
File size:	3'360'856 bytes
MD5:	e671a39ffdad8e262a45ef77d97a14f4
SHA1:	d451ad059bf52c22ff5de8ed7968991bbc169828
SHA256:	d01fe3dbc995e4b5b209631e5ae30b792d88a78676f695127f8a5db9bf59b48c
SHA512:	1352b04ffd300060e9abcc2880e53c4957a2b128b006603a20a08793a57b766b6579f5c53325b3fccc57db660fb7f14b93b7259e9fd0e1f2a78c53be026f3a20
SSDEEP:	49152:27vtm1geO0RDX0/BxBL6V2nM5PsKGPGatU8H+f7z0VBeNPswBr:27VmdOMeBvLa2nVKG+aZ20BSP3
TLSH:	DEF5BF0738808E91F5A85737D1DA810847BACF5167C3E73BB478765E66263AB3A0D4CE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....~f..................2..........%2.. ...@2...@.. ........................3.....(.3...@................................

File Icon


Icon Hash:	0080987d75787801

Static PE Info

General

Entrypoint:	0x72259e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x667E9108 [Fri Jun 28 10:31:36 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Global G3 Code Signing ECC SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	30/11/2022 01:00:00 08/01/2026 00:59:59
Subject Chain	CN="MobiSystems, Inc.", O="MobiSystems, Inc.", L=San Diego, S=California, C=US, SERIALNUMBER=2286585, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.3=US
Version:	3
Thumbprint MD5:	4F8B72AE4C273A3C4638902142975641
Thumbprint SHA-1:	1DC9E3CC71898F07B7BF27B24B9B2D4D107D73A3
Thumbprint SHA-256:	D8012F271CA2FDC511D4381F7D9A0C412D3511226CA1151F20FBE4B9F784AF1F
Serial:	01C60E11C04CC982258D28B6CE5F304D

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x322550	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x326000	0xfedc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x3326e0	0x2178	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x336000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3224fb	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3205a4	0x320600	80005872f00f60ed81cb084586346f67	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.sdata	0x324000	0x1e8	0x200	4953f0434c71e6ab7ae25231c4f257a2	False	0.861328125	data	6.624018862309492	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x326000	0xfedc	0x10000	d4d7d4818308a11f35288bce6b7842fe	False	0.6804962158203125	data	6.737286911526343	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x336000	0xc	0x200	789b3e2941260625d82021e1013984c1	False	0.044921875	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "2"	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x3261c0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m	0.47162288930581614
RT_ICON	0x327268	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3779 x 3779 px/m	0.3867219917012448
RT_ICON	0x329810	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 3779 x 3779 px/m	0.3226854038734058
RT_ICON	0x32da38	0x7e2e	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	1.0001547891771407
RT_GROUP_ICON	0x335868	0x3e	data	0.8548387096774194
RT_VERSION	0x3358a8	0x448	data	0.43704379562043794
RT_MANIFEST	0x335cf0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/02/24-00:21:01.164468	TCP	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	8970	49711	185.172.128.33	192.168.2.6
07/02/24-00:21:11.236244	TCP	2043231	ET TROJAN Redline Stealer TCP CnC Activity	49711	8970	192.168.2.6	185.172.128.33
07/02/24-00:21:00.973788	TCP	2046045	ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	49711	8970	192.168.2.6	185.172.128.33
07/02/24-00:21:06.414223	TCP	2046056	ET TROJAN Redline Stealer/MetaStealer Family Activity (Response)	8970	49711	185.172.128.33	192.168.2.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 00:21:00.288544893 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:00.295943022 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:00.296017885 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:00.304446936 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:00.311671972 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:00.942466021 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:00.973788023 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:00.978611946 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:01.164468050 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:01.205923080 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:06.209831953 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:06.214632034 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:06.414222956 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:06.414274931 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:06.414345026 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:06.414407969 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:06.414417982 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:06.414434910 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:06.414446115 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:06.414483070 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:06.414506912 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:06.510835886 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:06.565176010 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:06.634291887 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:06.639379978 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:06.826550961 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:06.830811024 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:06.836636066 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:07.022568941 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:07.027542114 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:07.032372952 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:07.218743086 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:07.223021030 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:07.227911949 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:07.414938927 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:07.455781937 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:07.542285919 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:07.549384117 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:07.783307076 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:07.818811893 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:07.825371981 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:08.038096905 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:08.080821037 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:08.095241070 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:08.101828098 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:08.101953030 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:08.101980925 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:08.101989985 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:08.102041960 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:08.103437901 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:08.103449106 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:08.103457928 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:08.103466034 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:08.104423046 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:08.104434013 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:08.104441881 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:08.104449987 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:08.108355045 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:08.108683109 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:08.108692884 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:08.109188080 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:08.386255980 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:08.440179110 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:08.842667103 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:08.851300001 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:09.037045956 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:09.080773115 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:09.155806065 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:09.160649061 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:09.346738100 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:09.377547026 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:09.382311106 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:09.567771912 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:09.571630001 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:09.578788996 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:09.774732113 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:09.776757002 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:09.783108950 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:09.968396902 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:09.970474005 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:09.976449013 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:10.161890030 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:10.163002014 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:10.167841911 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:10.353277922 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:10.358586073 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:10.363401890 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:10.548902035 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:10.552728891 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:10.557609081 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:10.743134975 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:10.748555899 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:10.753458977 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:10.753570080 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:10.753632069 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:11.035903931 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:11.043807983 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:11.049273014 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:11.235296011 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:11.236243963 CEST	49711	8970	192.168.2.6	185.172.128.33
Jul 2, 2024 00:21:11.243554115 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:11.438546896 CEST	8970	49711	185.172.128.33	192.168.2.6
Jul 2, 2024 00:21:11.471925974 CEST	49711	8970	192.168.2.6	185.172.128.33

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 2, 2024 00:21:18.435538054 CEST	53	55467	1.1.1.1	192.168.2.6
Jul 2, 2024 00:21:31.947217941 CEST	53	55891	162.159.36.2	192.168.2.6
Jul 2, 2024 00:21:32.423532009 CEST	62117	53	192.168.2.6	1.1.1.1
Jul 2, 2024 00:21:32.431566954 CEST	53	62117	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 2, 2024 00:21:32.423532009 CEST	192.168.2.6	1.1.1.1	0x2658	Standard query (0)	15.164.165.52.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 2, 2024 00:21:32.431566954 CEST	1.1.1.1	192.168.2.6	0x2658	Name error (3)	15.164.165.52.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	18:20:57
Start date:	01/07/2024
Path:	C:\Users\user\Desktop\setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\setup.exe"
Imagebase:	0xaf0000
File size:	3'360'856 bytes
MD5 hash:	E671A39FFDAD8E262A45EF77D97A14F4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2131936682.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2131936682.00000000046BE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2131936682.000000000470A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2131936682.0000000004145000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2131936682.0000000004253000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:20:58
Start date:	01/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xc40000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.2255836042.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2257653819.0000000002F18000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2257653819.0000000003233000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	14.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	32
Total number of Limit Nodes:	1

Executed Functions

Function 05BA1340 Relevance: 80.9, Strings: 64, Instructions: 852
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[, xrefs: 05BA1CCF
&, xrefs: 05BA16DB
^, xrefs: 05BA1E34
|;zB, xrefs: 05BA1514
*, xrefs: 05BA20BF
M, xrefs: 05BA1EC8
^, xrefs: 05BA1FFC
+, xrefs: 05BA1E7E
E, xrefs: 05BA206D
Z, xrefs: 05BA1FE2
c, xrefs: 05BA1AF3
$, xrefs: 05BA224A
, xrefs: 05BA15CF
`, xrefs: 05BA21A7
T, xrefs: 05BA229A
C, xrefs: 05BA1CF3
;, xrefs: 05BA16E5
, xrefs: 05BA22B0
8, xrefs: 05BA2129
], xrefs: 05BA1E0C
U, xrefs: 05BA1C14
U, xrefs: 05BA1D74
6, xrefs: 05BA192D
?7'B, xrefs: 05BA1DC2
^, xrefs: 05BA1E2A
S, xrefs: 05BA1A3A
G, xrefs: 05BA1F61
GycB, xrefs: 05BA1B0A
S, xrefs: 05BA21D3
6, xrefs: 05BA1A15
A, xrefs: 05BA174F
3, xrefs: 05BA18BE
:, xrefs: 05BA1655
?, xrefs: 05BA15D9
P, xrefs: 05BA16D1
[, xrefs: 05BA169A
a, xrefs: 05BA2260
I, xrefs: 05BA199B
\, xrefs: 05BA17C3
P, xrefs: 05BA1C5F
C, xrefs: 05BA1EE8
#, xrefs: 05BA209F
!, xrefs: 05BA1603
(, xrefs: 05BA22E6
M, xrefs: 05BA190D
O0}B, xrefs: 05BA16B0
+, xrefs: 05BA21C9
K, xrefs: 05BA1E6A
^, xrefs: 05BA1A30
&, xrefs: 05BA1489
+, xrefs: 05BA1F42
+, xrefs: 05BA1681
M, xrefs: 05BA19C7
V, xrefs: 05BA2195
E, xrefs: 05BA15BC
8, xrefs: 05BA1493
?, xrefs: 05BA1724
jWbB, xrefs: 05BA1D90
T, xrefs: 05BA1A1F
C, xrefs: 05BA14CA
1, xrefs: 05BA1BA4
D, xrefs: 05BA19BD
<, xrefs: 05BA16BA
E, xrefs: 05BA182D

Memory Dump Source

Source File: 00000000.00000002.2141764224.0000000005BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ba0000_setup.jbxd

Similarity

API ID:
String ID: $ $!$#$$$&$&$($*$+$+$+$+$1$3$6$6$8$8$:$;$<$?$?$?7'B$A$C$C$C$D$E$E$E$G$GycB$I$K$M$M$M$O0}B$P$P$S$S$T$T$U$U$V$Z$[$[$\$]$^$^$^$^$`$a$c$jWbB$|;zB
API String ID: 0-3036647579
Opcode ID: eda13db208d8ad399fd12e1dadbe65b7d76d14ed218cc10abb7fcf7a973e1b41
Instruction ID: c03a089d5114b8aa40dc88bab967ac35aa2eac315e3b92363bc508add2003178
Opcode Fuzzy Hash: eda13db208d8ad399fd12e1dadbe65b7d76d14ed218cc10abb7fcf7a973e1b41
Instruction Fuzzy Hash: 68B27EB4E0162A8FEB65CF1ACD4479ABAF6FB88305F0481E9D50CA7250DB795EC58F40

Function 05BCA08F Relevance: 80.8, Strings: 64, Instructions: 849
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

K, xrefs: 05BCABE5
`, xrefs: 05BCAF28
U, xrefs: 05BCA98C
(, xrefs: 05BCB061
6, xrefs: 05BCA78D
$, xrefs: 05BCAFC5
C, xrefs: 05BCAC63
^, xrefs: 05BCABA5
+, xrefs: 05BCA3FF
|;zB, xrefs: 05BCA292
C, xrefs: 05BCA248
6, xrefs: 05BCA6B7
&, xrefs: 05BCA45C
*, xrefs: 05BCAE3A
T, xrefs: 05BCA797
I, xrefs: 05BCA71F
<, xrefs: 05BCA438
E, xrefs: 05BCADE8
[, xrefs: 05BCAA47
C, xrefs: 05BCAA6B
a, xrefs: 05BCAFDB
, xrefs: 05BCB02B
[, xrefs: 05BCA418
!, xrefs: 05BCA384
P, xrefs: 05BCA9DA
8, xrefs: 05BCAEAA
M, xrefs: 05BCA74B
O0}B, xrefs: 05BCA42E
Z, xrefs: 05BCAD5A
+, xrefs: 05BCAF47
GycB, xrefs: 05BCA87F
jWbB, xrefs: 05BCAB0E
#, xrefs: 05BCAE1A
^, xrefs: 05BCA7AB
E, xrefs: 05BCA5B1
P, xrefs: 05BCA452
M, xrefs: 05BCAC43
?7'B, xrefs: 05BCAB40
V, xrefs: 05BCAF16
3, xrefs: 05BCA642
M, xrefs: 05BCA69A
+, xrefs: 05BCACBA
c, xrefs: 05BCA865
U, xrefs: 05BCAAF2
^, xrefs: 05BCAD74
], xrefs: 05BCAB87
S, xrefs: 05BCAF51
+, xrefs: 05BCABF9
;, xrefs: 05BCA466
&, xrefs: 05BCA204
8, xrefs: 05BCA20E
E, xrefs: 05BCA33D
^, xrefs: 05BCABAF
, xrefs: 05BCA350
G, xrefs: 05BCACDC
\, xrefs: 05BCA547
:, xrefs: 05BCA3D6
?, xrefs: 05BCA35A
T, xrefs: 05BCB015
S, xrefs: 05BCA7B5
1, xrefs: 05BCA91C
?, xrefs: 05BCA4A5
A, xrefs: 05BCA4D3
D, xrefs: 05BCA741

Memory Dump Source

Source File: 00000000.00000002.2141806127.0000000005BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bc0000_setup.jbxd

Similarity

API ID:
String ID: $ $!$#$$$&$&$($*$+$+$+$+$1$3$6$6$8$8$:$;$<$?$?$?7'B$A$C$C$C$D$E$E$E$G$GycB$I$K$M$M$M$O0}B$P$P$S$S$T$T$U$U$V$Z$[$[$\$]$^$^$^$^$`$a$c$jWbB$|;zB
API String ID: 0-3036647579
Opcode ID: 879f79bd171cd9a4286bc94cdd952c816b91706f648a609764c622d583b119d0
Instruction ID: de56a1f0415ce0e64c96d41a1d15e16ccb0767b5706e6e327cd8758a1b2a2726
Opcode Fuzzy Hash: 879f79bd171cd9a4286bc94cdd952c816b91706f648a609764c622d583b119d0
Instruction Fuzzy Hash: F4B29FB4D016698FEB64CF2ADD84799BBB2FB88305F1481E9950CAB250D77A5EC5CF00

Function 05BA1350 Relevance: 80.8, Strings: 64, Instructions: 847
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[, xrefs: 05BA1CCF
&, xrefs: 05BA16DB
^, xrefs: 05BA1E34
|;zB, xrefs: 05BA1514
*, xrefs: 05BA20BF
M, xrefs: 05BA1EC8
^, xrefs: 05BA1FFC
+, xrefs: 05BA1E7E
E, xrefs: 05BA206D
Z, xrefs: 05BA1FE2
c, xrefs: 05BA1AF3
$, xrefs: 05BA224A
, xrefs: 05BA15CF
`, xrefs: 05BA21A7
T, xrefs: 05BA229A
C, xrefs: 05BA1CF3
;, xrefs: 05BA16E5
, xrefs: 05BA22B0
8, xrefs: 05BA2129
], xrefs: 05BA1E0C
U, xrefs: 05BA1C14
U, xrefs: 05BA1D74
6, xrefs: 05BA192D
?7'B, xrefs: 05BA1DC2
^, xrefs: 05BA1E2A
S, xrefs: 05BA1A3A
G, xrefs: 05BA1F61
GycB, xrefs: 05BA1B0A
S, xrefs: 05BA21D3
6, xrefs: 05BA1A15
A, xrefs: 05BA174F
3, xrefs: 05BA18BE
:, xrefs: 05BA1655
?, xrefs: 05BA15D9
P, xrefs: 05BA16D1
[, xrefs: 05BA169A
a, xrefs: 05BA2260
I, xrefs: 05BA199B
\, xrefs: 05BA17C3
P, xrefs: 05BA1C5F
C, xrefs: 05BA1EE8
#, xrefs: 05BA209F
!, xrefs: 05BA1603
(, xrefs: 05BA22E6
M, xrefs: 05BA190D
O0}B, xrefs: 05BA16B0
+, xrefs: 05BA21C9
K, xrefs: 05BA1E6A
^, xrefs: 05BA1A30
&, xrefs: 05BA1489
+, xrefs: 05BA1F42
+, xrefs: 05BA1681
M, xrefs: 05BA19C7
V, xrefs: 05BA2195
E, xrefs: 05BA15BC
8, xrefs: 05BA1493
?, xrefs: 05BA1724
jWbB, xrefs: 05BA1D90
T, xrefs: 05BA1A1F
C, xrefs: 05BA14CA
1, xrefs: 05BA1BA4
D, xrefs: 05BA19BD
<, xrefs: 05BA16BA
E, xrefs: 05BA182D

Memory Dump Source

Source File: 00000000.00000002.2141764224.0000000005BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ba0000_setup.jbxd

Similarity

API ID:
String ID: $ $!$#$$$&$&$($*$+$+$+$+$1$3$6$6$8$8$:$;$<$?$?$?7'B$A$C$C$C$D$E$E$E$G$GycB$I$K$M$M$M$O0}B$P$P$S$S$T$T$U$U$V$Z$[$[$\$]$^$^$^$^$`$a$c$jWbB$|;zB
API String ID: 0-3036647579
Opcode ID: ca00e9d136462ef326e78e7657fc6666a6e086117995eb7b13e259c5c0b2601d
Instruction ID: ede2ca3d67230e0658e6fc21119cf5776e15619fe967dcc27fe9621be68901a0
Opcode Fuzzy Hash: ca00e9d136462ef326e78e7657fc6666a6e086117995eb7b13e259c5c0b2601d
Instruction Fuzzy Hash: 9BB27EB4E0162A8FEB65CF1ACD4479ABAF6FB88305F0481E9D50CA7250DB795EC58F40

Function 05BCA0A0 Relevance: 80.8, Strings: 64, Instructions: 796
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

K, xrefs: 05BCABE5
`, xrefs: 05BCAF28
U, xrefs: 05BCA98C
(, xrefs: 05BCB061
6, xrefs: 05BCA78D
$, xrefs: 05BCAFC5
C, xrefs: 05BCAC63
^, xrefs: 05BCABA5
+, xrefs: 05BCA3FF
|;zB, xrefs: 05BCA292
C, xrefs: 05BCA248
6, xrefs: 05BCA6B7
&, xrefs: 05BCA45C
*, xrefs: 05BCAE3A
T, xrefs: 05BCA797
I, xrefs: 05BCA71F
<, xrefs: 05BCA438
E, xrefs: 05BCADE8
[, xrefs: 05BCAA47
C, xrefs: 05BCAA6B
a, xrefs: 05BCAFDB
, xrefs: 05BCB02B
[, xrefs: 05BCA418
!, xrefs: 05BCA384
P, xrefs: 05BCA9DA
8, xrefs: 05BCAEAA
M, xrefs: 05BCA74B
O0}B, xrefs: 05BCA42E
Z, xrefs: 05BCAD5A
+, xrefs: 05BCAF47
GycB, xrefs: 05BCA87F
jWbB, xrefs: 05BCAB0E
#, xrefs: 05BCAE1A
^, xrefs: 05BCA7AB
E, xrefs: 05BCA5B1
P, xrefs: 05BCA452
M, xrefs: 05BCAC43
?7'B, xrefs: 05BCAB40
V, xrefs: 05BCAF16
3, xrefs: 05BCA642
M, xrefs: 05BCA69A
+, xrefs: 05BCACBA
c, xrefs: 05BCA865
U, xrefs: 05BCAAF2
^, xrefs: 05BCAD74
], xrefs: 05BCAB87
S, xrefs: 05BCAF51
+, xrefs: 05BCABF9
;, xrefs: 05BCA466
&, xrefs: 05BCA204
8, xrefs: 05BCA20E
E, xrefs: 05BCA33D
^, xrefs: 05BCABAF
, xrefs: 05BCA350
G, xrefs: 05BCACDC
\, xrefs: 05BCA547
:, xrefs: 05BCA3D6
?, xrefs: 05BCA35A
T, xrefs: 05BCB015
S, xrefs: 05BCA7B5
1, xrefs: 05BCA91C
?, xrefs: 05BCA4A5
A, xrefs: 05BCA4D3
D, xrefs: 05BCA741

Memory Dump Source

Source File: 00000000.00000002.2141806127.0000000005BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bc0000_setup.jbxd

Similarity

API ID:
String ID: $ $!$#$$$&$&$($*$+$+$+$+$1$3$6$6$8$8$:$;$<$?$?$?7'B$A$C$C$C$D$E$E$E$G$GycB$I$K$M$M$M$O0}B$P$P$S$S$T$T$U$U$V$Z$[$[$\$]$^$^$^$^$`$a$c$jWbB$|;zB
API String ID: 0-3036647579
Opcode ID: 3f668af4c2db968305dc108d2b3f97008e7098aed7f8c826e67f9b8e17a69541
Instruction ID: 796615176327889adbfc808da6e1c97f4109e57a3360afa9590f5f6c49bb7ca3
Opcode Fuzzy Hash: 3f668af4c2db968305dc108d2b3f97008e7098aed7f8c826e67f9b8e17a69541
Instruction Fuzzy Hash: 2CA28EB4D016298FEB64CF2ADD44799BBF6FB88305F1481E9950CAB250EB795EC58F00

Function 05BCCB52 Relevance: 80.8, Strings: 64, Instructions: 787
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[, xrefs: 05BCCF0C
Z, xrefs: 05BCD85D
\, xrefs: 05BCD038
T, xrefs: 05BCDB18
C, xrefs: 05BCCD42
^, xrefs: 05BCD2A8
&, xrefs: 05BCCF50
U, xrefs: 05BCD48F
?7'B, xrefs: 05BCD640
D, xrefs: 05BCD235
E, xrefs: 05BCD8E8
:, xrefs: 05BCCEC7
?, xrefs: 05BCCF99
K, xrefs: 05BCD6E5
G, xrefs: 05BCD7D9
GycB, xrefs: 05BCD37F
I, xrefs: 05BCD213
1, xrefs: 05BCD41F
, xrefs: 05BCCE41
O0}B, xrefs: 05BCCF22
6, xrefs: 05BCD1A5
C, xrefs: 05BCD75D
(, xrefs: 05BCDB64
?, xrefs: 05BCCE4B
+, xrefs: 05BCDA44
#, xrefs: 05BCD91A
3, xrefs: 05BCD130
+, xrefs: 05BCD7B7
!, xrefs: 05BCCE75
P, xrefs: 05BCCF46
U, xrefs: 05BCD5F2
<, xrefs: 05BCCF2C
, xrefs: 05BCDB2E
S, xrefs: 05BCD2B2
a, xrefs: 05BCDADE
+, xrefs: 05BCD6F9
^, xrefs: 05BCD6AF
S, xrefs: 05BCDA4E
P, xrefs: 05BCD4DA
8, xrefs: 05BCD9A4
^, xrefs: 05BCD877
C, xrefs: 05BCD568
&, xrefs: 05BCCCFE
$, xrefs: 05BCDAC8
M, xrefs: 05BCD740
8, xrefs: 05BCCD08
^, xrefs: 05BCD6A5
jWbB, xrefs: 05BCD60E
E, xrefs: 05BCD09C
c, xrefs: 05BCD365
M, xrefs: 05BCD185
A, xrefs: 05BCCFC4
E, xrefs: 05BCCE2B
6, xrefs: 05BCD28A
+, xrefs: 05BCCEF3
[, xrefs: 05BCD547
*, xrefs: 05BCD937
`, xrefs: 05BCDA22
T, xrefs: 05BCD294
V, xrefs: 05BCDA13
], xrefs: 05BCD687
M, xrefs: 05BCD23F
;, xrefs: 05BCCF5A
|;zB, xrefs: 05BCCD89

Memory Dump Source

Source File: 00000000.00000002.2141806127.0000000005BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bc0000_setup.jbxd

Similarity

API ID:
String ID: $ $!$#$$$&$&$($*$+$+$+$+$1$3$6$6$8$8$:$;$<$?$?$?7'B$A$C$C$C$D$E$E$E$G$GycB$I$K$M$M$M$O0}B$P$P$S$S$T$T$U$U$V$Z$[$[$\$]$^$^$^$^$`$a$c$jWbB$|;zB
API String ID: 0-3036647579
Opcode ID: 0d1188eec7da1dc2e41fdf9334f4324a9a41e085026d6dc8d3316d5be0725021
Instruction ID: cbaf77be89f200036cff8f0d0d9ad4052f40128c814725ccf17a0c0fbe42b3f0
Opcode Fuzzy Hash: 0d1188eec7da1dc2e41fdf9334f4324a9a41e085026d6dc8d3316d5be0725021
Instruction Fuzzy Hash: EBA291B4D01A698FEB64CF1ACD4479ABBF6FB88305F0481E9950CA7250EB794EC58F04

Function 05BCDE4F Relevance: 80.7, Strings: 64, Instructions: 733
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

?, xrefs: 05BCE2FC
^, xrefs: 05BCEA1B
T, xrefs: 05BCE5F4
, xrefs: 05BCE1A7
V, xrefs: 05BCED76
(, xrefs: 05BCEEC1
G, xrefs: 05BCEB39
S, xrefs: 05BCE612
6, xrefs: 05BCE5EA
8, xrefs: 05BCE068
C, xrefs: 05BCE09F
P, xrefs: 05BCE843
[, xrefs: 05BCE8B3
#, xrefs: 05BCEC7A
], xrefs: 05BCE9F3
U, xrefs: 05BCE7F5
O0}B, xrefs: 05BCE28B
|;zB, xrefs: 05BCE0E9
^, xrefs: 05BCEBD7
E, xrefs: 05BCE191
&, xrefs: 05BCE05E
+, xrefs: 05BCEDAA
D, xrefs: 05BCE595
6, xrefs: 05BCE508
+, xrefs: 05BCEB1A
\, xrefs: 05BCE398
GycB, xrefs: 05BCE6E8
+, xrefs: 05BCE259
;, xrefs: 05BCE2C0
P, xrefs: 05BCE2AC
*, xrefs: 05BCEC9A
M, xrefs: 05BCEAA6
K, xrefs: 05BCEA4E
E, xrefs: 05BCEC48
[, xrefs: 05BCE275
M, xrefs: 05BCE59F
:, xrefs: 05BCE22D
U, xrefs: 05BCE95B
1, xrefs: 05BCE788
?, xrefs: 05BCE1B1
3, xrefs: 05BCE493
!, xrefs: 05BCE1DB
M, xrefs: 05BCE4E8
C, xrefs: 05BCEAC3
Z, xrefs: 05BCEBBD
jWbB, xrefs: 05BCE977
I, xrefs: 05BCE573
E, xrefs: 05BCE402
`, xrefs: 05BCED88
&, xrefs: 05BCE2B6
C, xrefs: 05BCE8D7
<, xrefs: 05BCE292
^, xrefs: 05BCE608
T, xrefs: 05BCEE75
c, xrefs: 05BCE6CE
^, xrefs: 05BCEA11
S, xrefs: 05BCEDB4
8, xrefs: 05BCED04
?7'B, xrefs: 05BCE9A9
+, xrefs: 05BCEA62
$, xrefs: 05BCEE28
a, xrefs: 05BCEE3E
A, xrefs: 05BCE327
, xrefs: 05BCEE8B

Memory Dump Source

Source File: 00000000.00000002.2141806127.0000000005BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bc0000_setup.jbxd

Similarity

API ID:
String ID: $ $!$#$$$&$&$($*$+$+$+$+$1$3$6$6$8$8$:$;$<$?$?$?7'B$A$C$C$C$D$E$E$E$G$GycB$I$K$M$M$M$O0}B$P$P$S$S$T$T$U$U$V$Z$[$[$\$]$^$^$^$^$`$a$c$jWbB$|;zB
API String ID: 0-3036647579
Opcode ID: d04dcf402dbce003c11cfed724c41285bea45041eec1a80d968e052b01b3c2ee
Instruction ID: 5498340b8f97c0b1a9d8e33868da0b88b3ee6d2002386bf97a4cc6ec366033a8
Opcode Fuzzy Hash: d04dcf402dbce003c11cfed724c41285bea45041eec1a80d968e052b01b3c2ee
Instruction Fuzzy Hash: 00928EB5D01A698BEB64CF1ACD44799BBF6FB88305F0481EAD50CA7250EB794EC58F04

Function 05BCDE60 Relevance: 80.7, Strings: 64, Instructions: 732
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

?, xrefs: 05BCE2FC
^, xrefs: 05BCEA1B
T, xrefs: 05BCE5F4
, xrefs: 05BCE1A7
V, xrefs: 05BCED76
(, xrefs: 05BCEEC1
G, xrefs: 05BCEB39
S, xrefs: 05BCE612
6, xrefs: 05BCE5EA
8, xrefs: 05BCE068
C, xrefs: 05BCE09F
P, xrefs: 05BCE843
[, xrefs: 05BCE8B3
#, xrefs: 05BCEC7A
], xrefs: 05BCE9F3
U, xrefs: 05BCE7F5
O0}B, xrefs: 05BCE28B
|;zB, xrefs: 05BCE0E9
^, xrefs: 05BCEBD7
E, xrefs: 05BCE191
&, xrefs: 05BCE05E
+, xrefs: 05BCEDAA
D, xrefs: 05BCE595
6, xrefs: 05BCE508
+, xrefs: 05BCEB1A
\, xrefs: 05BCE398
GycB, xrefs: 05BCE6E8
+, xrefs: 05BCE259
;, xrefs: 05BCE2C0
P, xrefs: 05BCE2AC
*, xrefs: 05BCEC9A
M, xrefs: 05BCEAA6
K, xrefs: 05BCEA4E
E, xrefs: 05BCEC48
[, xrefs: 05BCE275
M, xrefs: 05BCE59F
:, xrefs: 05BCE22D
U, xrefs: 05BCE95B
1, xrefs: 05BCE788
?, xrefs: 05BCE1B1
3, xrefs: 05BCE493
!, xrefs: 05BCE1DB
M, xrefs: 05BCE4E8
C, xrefs: 05BCEAC3
Z, xrefs: 05BCEBBD
jWbB, xrefs: 05BCE977
I, xrefs: 05BCE573
E, xrefs: 05BCE402
`, xrefs: 05BCED88
&, xrefs: 05BCE2B6
C, xrefs: 05BCE8D7
<, xrefs: 05BCE292
^, xrefs: 05BCE608
T, xrefs: 05BCEE75
c, xrefs: 05BCE6CE
^, xrefs: 05BCEA11
S, xrefs: 05BCEDB4
8, xrefs: 05BCED04
?7'B, xrefs: 05BCE9A9
+, xrefs: 05BCEA62
$, xrefs: 05BCEE28
a, xrefs: 05BCEE3E
A, xrefs: 05BCE327
, xrefs: 05BCEE8B

Memory Dump Source

Source File: 00000000.00000002.2141806127.0000000005BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bc0000_setup.jbxd

Similarity

API ID:
String ID: $ $!$#$$$&$&$($*$+$+$+$+$1$3$6$6$8$8$:$;$<$?$?$?7'B$A$C$C$C$D$E$E$E$G$GycB$I$K$M$M$M$O0}B$P$P$S$S$T$T$U$U$V$Z$[$[$\$]$^$^$^$^$`$a$c$jWbB$|;zB
API String ID: 0-3036647579
Opcode ID: 9841897fce516a35764aae86bd63fbef4325cb85a2825dc701e89e7e2e7bf340
Instruction ID: fd0f3d9c4965c8b95975c11c50ce1535319f995dc8847778460bd604b9db1758
Opcode Fuzzy Hash: 9841897fce516a35764aae86bd63fbef4325cb85a2825dc701e89e7e2e7bf340
Instruction Fuzzy Hash: F3928DB5D01A698FEB64CF1ACD44799BAF6FB88305F0481EAD50CA7250EB794EC58F04

Function 05B91E88 Relevance: 1.8, Strings: 1, Instructions: 578
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 05B925DC

Memory Dump Source

Source File: 00000000.00000002.2141736317.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b90000_setup.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 927e54b939b559f9bfb2d1e20897c8718d41866bf23932e6473158eaa23cf3d8
Instruction ID: 908f650f276c53b30e20cb9cd6d5a48e8d8fac2b4a9b8c8a1a6a2fcf741a64e2
Opcode Fuzzy Hash: 927e54b939b559f9bfb2d1e20897c8718d41866bf23932e6473158eaa23cf3d8
Instruction Fuzzy Hash: 0352CE74E012299FDB68DF65C954BDDBBB2FB89300F1081EAD409AB291DB346E85CF50

Function 05BC6098 Relevance: 1.7, Strings: 1, Instructions: 438
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

y, xrefs: 05BC66D8

Memory Dump Source

Source File: 00000000.00000002.2141806127.0000000005BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bc0000_setup.jbxd

Similarity

API ID:
String ID: y
API String ID: 0-4225443349
Opcode ID: e4f1f6213095b63294c4ca86f19674df0c7b8601afbd556b9b7ec2c3358fb641
Instruction ID: 4b2bf641e7ed12f4038d4cc5095376a074b52a3d719445a394ca3cd8af9f509e
Opcode Fuzzy Hash: e4f1f6213095b63294c4ca86f19674df0c7b8601afbd556b9b7ec2c3358fb641
Instruction Fuzzy Hash: 5AF12C30A002199FDB14DF69D954EAE7BF6FF88311F1480A9E906A73A1DB34EC41CB95

Function 05BC44E0 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2141806127.0000000005BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bc0000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5948a6297f02d16259ef7986c9ae1e054e02c6f780d86aaddcf5bc25af373543
Instruction ID: 96c8bcc9680498027432d1266f2ad7a2f27bc0660041843b99ab9c35a4579923
Opcode Fuzzy Hash: 5948a6297f02d16259ef7986c9ae1e054e02c6f780d86aaddcf5bc25af373543
Instruction Fuzzy Hash: A9919E74E002199FDB54DFA9C894B9DBBF2FF89300F1080A9E909AB355DB70A985CF50

Function 05BC44D0 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2141806127.0000000005BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bc0000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbbcc327d310da8f1cc56057373b72d2a9503ba9ff83fe440173a58520748773
Instruction ID: 7fd4691fd1ea8999ee24269677010c13d4b0a568566ba3e51becf3fd956ce474
Opcode Fuzzy Hash: dbbcc327d310da8f1cc56057373b72d2a9503ba9ff83fe440173a58520748773
Instruction Fuzzy Hash: 5891B174E002199FDB55DFA9D894A9DBBF2FF89300F1080A9E909AB355DB30A985CF50

Function 03023A89 Relevance: 2.6, Strings: 2, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-, xrefs: 03023B38
J, xrefs: 03023B67

Memory Dump Source

Source File: 00000000.00000002.2129773980.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3020000_setup.jbxd

Similarity

API ID:
String ID: -$J
API String ID: 0-2822063497
Opcode ID: 3b083f4be7308b018269f4ae518da35edfebad0e490caef1d79a3a577bdf299c
Instruction ID: ddee569e844e27f43a4a235586f2c445e7d69537d704c8dc83bb1947d28ec072
Opcode Fuzzy Hash: 3b083f4be7308b018269f4ae518da35edfebad0e490caef1d79a3a577bdf299c
Instruction Fuzzy Hash: E5318AB8D012288FDB20DFA5D9986D8BBF5BB08304F1480EAE44EA7250DB745EC8DF01

Function 05B90D79 Relevance: 2.0, APIs: 1, Instructions: 527
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(?), ref: 05B91186

Memory Dump Source

Source File: 00000000.00000002.2141736317.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b90000_setup.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a3eda0338124183a10c007ceb26da16e442b9ce9380dc7bae2e310f1a689a2c4
Instruction ID: c6a37675a8583ae7ef60c6beef206300447999848ed2087116e063ebf98e159d
Opcode Fuzzy Hash: a3eda0338124183a10c007ceb26da16e442b9ce9380dc7bae2e310f1a689a2c4
Instruction Fuzzy Hash: E831DBB5D05219AFDB14CFA9D880A9EFBB1AF49310F24846AE415B7310D734A801CF98

Function 05B919B4 Relevance: 1.8, APIs: 1, Instructions: 327
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05B91C87

Memory Dump Source

Source File: 00000000.00000002.2141736317.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b90000_setup.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0c4582d5b92b3c6c5307eb66f0e8ce7606c4b90610f79c154547465d66e0f83e
Instruction ID: fa391a2091b56db97da18969664f1db6590666f204d9d8ff77977db791eaa01d
Opcode Fuzzy Hash: 0c4582d5b92b3c6c5307eb66f0e8ce7606c4b90610f79c154547465d66e0f83e
Instruction Fuzzy Hash: 24C12671D0021A8FDF24CFA8C841BEDBBB1BF49300F1095AAD459B7240EB74AA85DF95

Function 05B919C0 Relevance: 1.8, APIs: 1, Instructions: 321
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05B91C87

Memory Dump Source

Source File: 00000000.00000002.2141736317.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b90000_setup.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b3acf8851725efc6573d99fa3074a4b01b86069af646128a43d0d0f16be33d77
Instruction ID: a48ccc0ccb3fed3246c4a4210a8be6a31a9daf09159e0447111f8688bfbd01bf
Opcode Fuzzy Hash: b3acf8851725efc6573d99fa3074a4b01b86069af646128a43d0d0f16be33d77
Instruction Fuzzy Hash: 06C11571D0021A9FDF24CFA8C841BEDBBB1BF49300F1095A9E419B7250DB74AA85DF95

Function 05B91588 Relevance: 1.6, APIs: 1, Instructions: 119
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05B91663

Memory Dump Source

Source File: 00000000.00000002.2141736317.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b90000_setup.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: bc2365e24a12c83620a6b64fec054d93ce067b4b294aa9500e08063fd387840c
Instruction ID: f2887d6597eec2956b528c31dabc091af0fc360402d8462d56a999fe74cac780
Opcode Fuzzy Hash: bc2365e24a12c83620a6b64fec054d93ce067b4b294aa9500e08063fd387840c
Instruction Fuzzy Hash: DA41A9B5D052599FDF04CFA9D984ADEFBF1BB49310F24902AE819B7210D734AA41CF68

Function 05B91590 Relevance: 1.6, APIs: 1, Instructions: 116injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05B91663

Memory Dump Source

Source File: 00000000.00000002.2141736317.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b90000_setup.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 050655505e4631cd4898fe2413d5e535f598c757c79d926e75dc606f90176a94
Instruction ID: 4550354bee12979a1d2b42ad9f76ee8f5a7789f6397aa1c29131094c5a62cf03
Opcode Fuzzy Hash: 050655505e4631cd4898fe2413d5e535f598c757c79d926e75dc606f90176a94
Instruction Fuzzy Hash: E641B9B5D052599FDF04CFA9D984ADEFBF1FB49310F24902AE819B7210D734AA41CB68

Function 05B91430 Relevance: 1.6, APIs: 1, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05B914E2

Memory Dump Source

Source File: 00000000.00000002.2141736317.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b90000_setup.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c0c30a0b1fabcb30eec8565f2999c1b70a2b13de49617f8ad003003b029948c6
Instruction ID: e8ad868d8e2ced65180a11eb32d6aab9883724b70040e4ea8b4d62fd122949f1
Opcode Fuzzy Hash: c0c30a0b1fabcb30eec8565f2999c1b70a2b13de49617f8ad003003b029948c6
Instruction Fuzzy Hash: 494197B9D042599FDF14CFA9D980ADEFBB1BB49310F10942AE815BB310D735A902CF68

Function 05B91438 Relevance: 1.6, APIs: 1, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05B914E2

Memory Dump Source

Source File: 00000000.00000002.2141736317.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b90000_setup.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a25b69c5d7291497803a49073aeed21421d3e9825cf12e11565300af99e06da5
Instruction ID: 783c64592850daabde549949dbe4eb93363458acfe8e5e63e9d165f3ca124aa8
Opcode Fuzzy Hash: a25b69c5d7291497803a49073aeed21421d3e9825cf12e11565300af99e06da5
Instruction Fuzzy Hash: EB3195B9D04259DFCF14CFA9D880A9EFBB1BB49310F20942AE815B7310D735A902CF68

Function 05B91229 Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 05B912DF

Memory Dump Source

Source File: 00000000.00000002.2141736317.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b90000_setup.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: daeaee8ad2cdb4970d28064a2e3424dd861564073cbdfbb190bb60b879142ce7
Instruction ID: 43f17b7a7b219156b066e41c0a69b409a09da5ba29375386de739caf5fa53648
Opcode Fuzzy Hash: daeaee8ad2cdb4970d28064a2e3424dd861564073cbdfbb190bb60b879142ce7
Instruction Fuzzy Hash: 0641BAB5D052599FDB14DFA9D884AEEFBF1BB48310F24802AE419B7240D738A945CF98

Function 05B91230 Relevance: 1.6, APIs: 1, Instructions: 94threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 05B912DF

Memory Dump Source

Source File: 00000000.00000002.2141736317.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b90000_setup.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 11cbadae09c7b64c3a13054ae9bbf852e54f150e052b02c547cb8358747583c5
Instruction ID: cfc61c7968608ad38b2665d8a6c6856d51637377f0e9813e882c37c7d418709f
Opcode Fuzzy Hash: 11cbadae09c7b64c3a13054ae9bbf852e54f150e052b02c547cb8358747583c5
Instruction Fuzzy Hash: C431BAB5D052599FDB14DFA9D884AEEFBF1BB48310F24802AE419B7240D738A945CF58

Function 05BAFD78 Relevance: 1.6, APIs: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 05BAFE1F

Memory Dump Source

Source File: 00000000.00000002.2141764224.0000000005BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ba0000_setup.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 047e12abc573dbc9aa3d12eb4500f133c1b7814a9b9c80bce19f98068cdeb65a
Instruction ID: f102fe4c8bc92c00fd32de5ee62a051ae57b1eb5e627b231448787b138780700
Opcode Fuzzy Hash: 047e12abc573dbc9aa3d12eb4500f133c1b7814a9b9c80bce19f98068cdeb65a
Instruction Fuzzy Hash: 3C3178B9D052589FCB10CFA9D580ADEFBB0BB49310F24A06AE818B7310D735A945CF64

Function 05B91108 Relevance: 1.6, APIs: 1, Instructions: 73threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 05B91186

Memory Dump Source

Source File: 00000000.00000002.2141736317.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b90000_setup.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 94a4e42775ae880e538222f112c414b2b02d311418c0377752e733fbe56ab826
Instruction ID: 08422a80c906dc8260f0b6c6aaa097cb7274e53aaf066f8393d78322399ec6a1
Opcode Fuzzy Hash: 94a4e42775ae880e538222f112c414b2b02d311418c0377752e733fbe56ab826
Instruction Fuzzy Hash: C331CCB5D01219AFDF14CFA9D880A9EFBB5EF48310F24946AE819B7300C734A801CF98

Function 05BCFEA9 Relevance: 1.3, APIs: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 05BCFF51

Memory Dump Source

Source File: 00000000.00000002.2141806127.0000000005BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bc0000_setup.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 113d5d8118de1b00deef872f5142423d2ae0ed71a37bdbd18575f8974b266579
Instruction ID: ded29f671dad3220344c543acd83007dfbd6d98bb1510a218a402d887d6b580c
Opcode Fuzzy Hash: 113d5d8118de1b00deef872f5142423d2ae0ed71a37bdbd18575f8974b266579
Instruction Fuzzy Hash: F33185B9D052589FCB10CFA9D984ADEFBB5FB49310F20906AE818B7310D335A945CF68

Function 030298A3 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

B, xrefs: 030298B5

Memory Dump Source

Source File: 00000000.00000002.2129773980.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3020000_setup.jbxd

Similarity

API ID:
String ID: B
API String ID: 0-1255198513
Opcode ID: 269efd80f1c23ba3cbdd062fe22f2b4dd2f61112210d633fed732daed4d10df0
Instruction ID: 534c248823a4f11a4931af52eca1a86eff76115a76b5d3ef4d86a5354d177c25
Opcode Fuzzy Hash: 269efd80f1c23ba3cbdd062fe22f2b4dd2f61112210d633fed732daed4d10df0
Instruction Fuzzy Hash: EE51DA789012A98FCB25DF65D8845DDBBB2BF48300F1142EAE90AE6350DB354EE4CF41

Function 05BCFEB0 Relevance: 1.3, APIs: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 05BCFF51

Memory Dump Source

Source File: 00000000.00000002.2141806127.0000000005BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bc0000_setup.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5c310b0b32a633fba003edee99647635166ca31ba60684620a89f590ec9bfbd4
Instruction ID: 28f4f818b68dbef20d5a4087bb2ebe5a939ba4e1f27f6d6ab8ad5d8492513527
Opcode Fuzzy Hash: 5c310b0b32a633fba003edee99647635166ca31ba60684620a89f590ec9bfbd4
Instruction Fuzzy Hash: 773184B9D05258DFCB10CFA9D980A9EFBB1FB09310F20906AE818B7310D334A945CF68

Function 0151D01C Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129346982.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151d000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba15aa778f2c698d9451702c8c508b984ddce517ab729b4993a3b5485090d67a
Instruction ID: f558403a5585277286462d2d922c929a3d9b9368cf00405241cdfd1887c637c1
Opcode Fuzzy Hash: ba15aa778f2c698d9451702c8c508b984ddce517ab729b4993a3b5485090d67a
Instruction Fuzzy Hash: A4210375504244DFEB12DF54D9C8B2ABBB5FB84354F20896DD9090F24AD33AD446CBA2

Function 0151D006 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129346982.000000000151D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0151D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_151d000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12db860873e78ebd7b051cc5e30f6cae8af5c71b32c22a869d8eea99f64a40d9
Instruction ID: a92b17490e6422f9a5e6f007ec87cf439ec24d85d73eace96a04641d9d7defde
Opcode Fuzzy Hash: 12db860873e78ebd7b051cc5e30f6cae8af5c71b32c22a869d8eea99f64a40d9
Instruction Fuzzy Hash: 05217F765093808FDB13CF24D994B16BF71FB86314F2985DAD8448F657C33A981ACB62

Function 0302600E Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129773980.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ed67c46c43557ac186c0944d7ddee02a716dd95047179bab367c252c95e1197
Instruction ID: e9d4d33ea93a83b80d2dcaea6d72cdfc5cac88168b4fb989afdcce79d81db972
Opcode Fuzzy Hash: 4ed67c46c43557ac186c0944d7ddee02a716dd95047179bab367c252c95e1197
Instruction Fuzzy Hash: DBF09274D0A2288FDB64DF14EAA16DABBB1BB44300F1002EAD05EA3241CB305EC4CF05

Function 03024222 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129773980.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88c0d56c05ae7fc1844c7bd626027ddf484a4a084204329f94d9eddd3e6d6961
Instruction ID: 1fe6d831fd4eef170a5c12b498f338400fd415298ab3569033b7aa4e03a039dc
Opcode Fuzzy Hash: 88c0d56c05ae7fc1844c7bd626027ddf484a4a084204329f94d9eddd3e6d6961
Instruction Fuzzy Hash: 31E0B678A07228CFCB24DF54D9946D97BB1BB19300F1094D6E459A3680CB745FD4CF16

Non-executed Functions

Function 0302E638 Relevance: 81.3, Strings: 64, Instructions: 1305COMMON

Download Yara Rule

Strings

?, xrefs: 0302EE27
;, xrefs: 0302EF33
M, xrefs: 0302F212
+, xrefs: 0302FA17
M, xrefs: 0302F15B
^, xrefs: 0302F844
c, xrefs: 0302F344
|;zB, xrefs: 0302ED62
+, xrefs: 0302F6D2
S, xrefs: 0302F288
^, xrefs: 0302F688
U, xrefs: 0302F5CB
?, xrefs: 0302EF75
T, xrefs: 0302FAE8
K, xrefs: 0302F6BE
!, xrefs: 0302EE51
6, xrefs: 0302F260
a, xrefs: 0302FAB1
&, xrefs: 0302EF29
(, xrefs: 0302FB31
A, xrefs: 0302EF9D
P, xrefs: 0302EF1F
, xrefs: 0302EE1D
T, xrefs: 0302F26A
\, xrefs: 0302F00B
P, xrefs: 0302F4B6
:, xrefs: 0302EE9D
O0}B, xrefs: 0302EEFB
S, xrefs: 0302FA21
I, xrefs: 0302F1E6
#, xrefs: 0302F8E1
V, xrefs: 0302F9E3
3, xrefs: 0302F103
+, xrefs: 0302F790
], xrefs: 0302F660
D, xrefs: 0302F208
*, xrefs: 0302F901
C, xrefs: 0302ED18
^, xrefs: 0302F67E
[, xrefs: 0302EEE5
Z, xrefs: 0302F82A
^, xrefs: 0302F27E
E, xrefs: 0302EE07
C, xrefs: 0302F547
G, xrefs: 0302F7AF
&, xrefs: 0302ECD7
`, xrefs: 0302F9F5
, xrefs: 0302FAFE
C, xrefs: 0302F739
E, xrefs: 0302F8B2
1, xrefs: 0302F3F8
8, xrefs: 0302ECE1
?7'B, xrefs: 0302F619
$, xrefs: 0302FA9B
U, xrefs: 0302F468
8, xrefs: 0302F971
M, xrefs: 0302F719
GycB, xrefs: 0302F35E
+, xrefs: 0302EEC9
[, xrefs: 0302F523
<, xrefs: 0302EF05
E, xrefs: 0302F072
6, xrefs: 0302F17B
jWbB, xrefs: 0302F5E7

Memory Dump Source

Source File: 00000000.00000002.2129773980.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3020000_setup.jbxd

Similarity

API ID:
String ID: $ $!$#$$$&$&$($*$+$+$+$+$1$3$6$6$8$8$:$;$<$?$?$?7'B$A$C$C$C$D$E$E$E$G$GycB$I$K$M$M$M$O0}B$P$P$S$S$T$T$U$U$V$Z$[$[$\$]$^$^$^$^$`$a$c$jWbB$|;zB
API String ID: 0-3036647579
Opcode ID: 154b6f329e2fae54c3ba1238f3dbb33eb7a690163a6fed2a2a31f6da01a2791c
Instruction ID: ad1ae193e6eaa1cbc867656707315a8d02596b102049b2ba3fc5073ecced147a
Opcode Fuzzy Hash: 154b6f329e2fae54c3ba1238f3dbb33eb7a690163a6fed2a2a31f6da01a2791c
Instruction Fuzzy Hash: 8CE2E3B4A016298FEB65CF2AC94479ABBF2FB88301F1581E9D409A7350DB759EC1CF44

Function 05BA0006 Relevance: 80.8, Strings: 64, Instructions: 829COMMON

Download Yara Rule

Strings

^, xrefs: 05BA0B5D
\, xrefs: 05BA04F3
&, xrefs: 05BA01AD
3, xrefs: 05BA05EE
M, xrefs: 05BA0BF8
M, xrefs: 05BA0646
C, xrefs: 05BA0C18
E, xrefs: 05BA0D97
c, xrefs: 05BA0820, 05BA001F
6, xrefs: 05BA0745
U, xrefs: 05BA0941
O0}B, xrefs: 05BA03DA
jWbB, xrefs: 05BA0AC3
M, xrefs: 05BA06F7
T, xrefs: 05BA074C
?, xrefs: 05BA0303
+, xrefs: 05BA03A8
U, xrefs: 05BA0AAA
V, xrefs: 05BA0EC5
!, xrefs: 05BA032D
|;zB, xrefs: 05BA023B
K, xrefs: 05BA0B9D
*, xrefs: 05BA0DE6
?7'B, xrefs: 05BA0AF5
?, xrefs: 05BA0454
a, xrefs: 05BA0F87
A, xrefs: 05BA047F
+, xrefs: 05BA0BAE
[, xrefs: 05BA03C4
+, xrefs: 05BA0C72
^, xrefs: 05BA0760
#, xrefs: 05BA0DC6
8, xrefs: 05BA01B7
6, xrefs: 05BA0666
1, xrefs: 05BA08D4
, xrefs: 05BA0FD4
P, xrefs: 05BA098F
T, xrefs: 05BA0FBE
Z, xrefs: 05BA0D15
I, xrefs: 05BA06D1
E, xrefs: 05BA055D
:, xrefs: 05BA037C
`, xrefs: 05BA0ED7
D, xrefs: 05BA06ED
^, xrefs: 05BA0B67
S, xrefs: 05BA076A
E, xrefs: 05BA02E3
(, xrefs: 05BA1007
<, xrefs: 05BA03E4
+, xrefs: 05BA0EF9
^, xrefs: 05BA0D2C
G, xrefs: 05BA0C94
8, xrefs: 05BA0E56
[, xrefs: 05BA09FF
], xrefs: 05BA0B3F
P, xrefs: 05BA03FE
$, xrefs: 05BA0F71
, xrefs: 05BA02F9
GycB, xrefs: 05BA0837
C, xrefs: 05BA0A23
C, xrefs: 05BA01F1
S, xrefs: 05BA0F03
&, xrefs: 05BA0408
;, xrefs: 05BA0412

Memory Dump Source

Source File: 00000000.00000002.2141764224.0000000005BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ba0000_setup.jbxd

Similarity

API ID:
String ID: $ $!$#$$$&$&$($*$+$+$+$+$1$3$6$6$8$8$:$;$<$?$?$?7'B$A$C$C$C$D$E$E$E$G$GycB$I$K$M$M$M$O0}B$P$P$S$S$T$T$U$U$V$Z$[$[$\$]$^$^$^$^$`$a$c$jWbB$|;zB
API String ID: 0-3036647579
Opcode ID: 1481092eca58eed19f09e2caaedc7a1b896141957da6a221804e365de0ed7bf7
Instruction ID: 9798f95aed97de613de1f4b5ba952c573c197cd3212a6e5c029b27cfd747fb8e
Opcode Fuzzy Hash: 1481092eca58eed19f09e2caaedc7a1b896141957da6a221804e365de0ed7bf7
Instruction Fuzzy Hash: EDB28FB4D01A698FEB64CF1ACD4479ABAF5FB88305F0581EAD50CA7250DB795EC58F00

Function 05BA0040 Relevance: 80.8, Strings: 64, Instructions: 809COMMON

Download Yara Rule

Strings

^, xrefs: 05BA0B5D
\, xrefs: 05BA04F3
&, xrefs: 05BA01AD
3, xrefs: 05BA05EE
M, xrefs: 05BA0BF8
M, xrefs: 05BA0646
C, xrefs: 05BA0C18
E, xrefs: 05BA0D97
c, xrefs: 05BA0820
6, xrefs: 05BA0745
U, xrefs: 05BA0941
O0}B, xrefs: 05BA03DA
jWbB, xrefs: 05BA0AC3
M, xrefs: 05BA06F7
T, xrefs: 05BA074C
?, xrefs: 05BA0303
+, xrefs: 05BA03A8
U, xrefs: 05BA0AAA
V, xrefs: 05BA0EC5
!, xrefs: 05BA032D
|;zB, xrefs: 05BA023B
K, xrefs: 05BA0B9D
*, xrefs: 05BA0DE6
?7'B, xrefs: 05BA0AF5
?, xrefs: 05BA0454
a, xrefs: 05BA0F87
A, xrefs: 05BA047F
+, xrefs: 05BA0BAE
[, xrefs: 05BA03C4
+, xrefs: 05BA0C72
^, xrefs: 05BA0760
#, xrefs: 05BA0DC6
8, xrefs: 05BA01B7
6, xrefs: 05BA0666
1, xrefs: 05BA08D4
, xrefs: 05BA0FD4
P, xrefs: 05BA098F
T, xrefs: 05BA0FBE
Z, xrefs: 05BA0D15
I, xrefs: 05BA06D1
E, xrefs: 05BA055D
:, xrefs: 05BA037C
`, xrefs: 05BA0ED7
D, xrefs: 05BA06ED
^, xrefs: 05BA0B67
S, xrefs: 05BA076A
E, xrefs: 05BA02E3
(, xrefs: 05BA1007
<, xrefs: 05BA03E4
+, xrefs: 05BA0EF9
^, xrefs: 05BA0D2C
G, xrefs: 05BA0C94
8, xrefs: 05BA0E56
[, xrefs: 05BA09FF
], xrefs: 05BA0B3F
P, xrefs: 05BA03FE
$, xrefs: 05BA0F71
, xrefs: 05BA02F9
GycB, xrefs: 05BA0837
C, xrefs: 05BA0A23
C, xrefs: 05BA01F1
S, xrefs: 05BA0F03
&, xrefs: 05BA0408
;, xrefs: 05BA0412

Memory Dump Source

Source File: 00000000.00000002.2141764224.0000000005BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ba0000_setup.jbxd

Similarity

API ID:
String ID: $ $!$#$$$&$&$($*$+$+$+$+$1$3$6$6$8$8$:$;$<$?$?$?7'B$A$C$C$C$D$E$E$E$G$GycB$I$K$M$M$M$O0}B$P$P$S$S$T$T$U$U$V$Z$[$[$\$]$^$^$^$^$`$a$c$jWbB$|;zB
API String ID: 0-3036647579
Opcode ID: 3d205f27601cd21506975bd722fce44e5629a1c1f9f1c031469ced229fbd23a0
Instruction ID: 6bcdbb8498cbe2160a1ab6bc2d180d19b4b948d28c997d53334f2a849e03a73b
Opcode Fuzzy Hash: 3d205f27601cd21506975bd722fce44e5629a1c1f9f1c031469ced229fbd23a0
Instruction Fuzzy Hash: F1A27FB4D01A698FEB64CF1ACD4479ABAF5FB88305F0481EAD50CA7250EB795EC58F04

Function 05BA4898 Relevance: 1.7, Strings: 1, Instructions: 409COMMON

Download Yara Rule

Strings

i, xrefs: 05BA48E3

Memory Dump Source

Source File: 00000000.00000002.2141764224.0000000005BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ba0000_setup.jbxd

Similarity

API ID:
String ID: i
API String ID: 0-3865851505
Opcode ID: e4586eab57a65559615c76d89f83ca31bd6e133178ae1429cde77ffb6b1012ec
Instruction ID: 8a4466868dc9743ae3c146ba04fb37136b38703c0fb9d7779e476fc9052e4fc0
Opcode Fuzzy Hash: e4586eab57a65559615c76d89f83ca31bd6e133178ae1429cde77ffb6b1012ec
Instruction Fuzzy Hash: 05228178D092698FDB65DF29C985AD9BBB2FB48300F0041E9E40DA7250DB356ED1CF40

Function 05BA5DBE Relevance: 1.6, Strings: 1, Instructions: 369COMMON

Download Yara Rule

Strings

H, xrefs: 05BA5E15

Memory Dump Source

Source File: 00000000.00000002.2141764224.0000000005BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ba0000_setup.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: 20bac059860420b6589178b7986d67b8ffc83ab15249eb11d44b36502eec5b45
Instruction ID: 341918d7d48d3ad64bf509b5427a5aa5eaf4a253dcb526f97c2f39b22613528c
Opcode Fuzzy Hash: 20bac059860420b6589178b7986d67b8ffc83ab15249eb11d44b36502eec5b45
Instruction Fuzzy Hash: A2127278D092298FDB64DF29D985AD9BBB2FB88300F1041E9E50DA7250DB356ED1CF40

Function 05BA2B60 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2141764224.0000000005BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ba0000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e48434df880e868a4b891aa684d4b618488269aaa8500ebb7234096f850e8c94
Instruction ID: 8c906705fcc8a3ad130a9b3afeb0a64e909ae31fc562b390975e42c1f4f2622f
Opcode Fuzzy Hash: e48434df880e868a4b891aa684d4b618488269aaa8500ebb7234096f850e8c94
Instruction Fuzzy Hash: CB514874E1020A8FDB45DFB9E9516AEBBF2FBC8300F108529D0159B254DB746986CF50

Function 0302B188 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129773980.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea41577c4ce7727b4fdb29a1b69701accaad1aaa881041d50aa99db082d8cf4
Instruction ID: ec9490c0180c871b60fc73469e29bd433d58739c309afeeb3334c6413440c26d
Opcode Fuzzy Hash: 7ea41577c4ce7727b4fdb29a1b69701accaad1aaa881041d50aa99db082d8cf4
Instruction Fuzzy Hash: 70512C70A0020A8FDB56DFBAE85079EBFF2FF88300F14C529D4659B259DB74594ADB80

Function 0302B178 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129773980.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3020000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1af2d3dcb13c30a0e1f766f516c6b0d99849d0483152a946660c13e4d55b76b1
Instruction ID: ea7524ef8e8fd56b4d91599b83d1bec48966d62ffa97b3838f78012842e0afe3
Opcode Fuzzy Hash: 1af2d3dcb13c30a0e1f766f516c6b0d99849d0483152a946660c13e4d55b76b1
Instruction Fuzzy Hash: D1512D70A0020A8FDB46DFBAE85069EBFF2FBC8300F14C529D4659B359DB74594ADB80

Function 05BA2B70 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2141764224.0000000005BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5ba0000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a40e3e4d6732b1dcfc3d1b6bdd7c3bf9607f36fc2f197700ca1a6a12f27b4b21
Instruction ID: ea4dd1999b802fdeb67defdf4278ad93762464bdabef8605f1d988fce6650cda
Opcode Fuzzy Hash: a40e3e4d6732b1dcfc3d1b6bdd7c3bf9607f36fc2f197700ca1a6a12f27b4b21
Instruction Fuzzy Hash: 31513774E1020A8FDB45DFBAE85169EBFF2FBC8300F008529D0159B255DB746986CF50

Function 05BCEFE6 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2141806127.0000000005BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bc0000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ce99896ceb54c9e6f0819b59c03b15a42fd72a76d74c29cc92fdaa2128ca9e8
Instruction ID: 6ccfefaac65ccee2c0bc81f83eca43b9063e86189d273bc2bbe6ee25a653928e
Opcode Fuzzy Hash: 3ce99896ceb54c9e6f0819b59c03b15a42fd72a76d74c29cc92fdaa2128ca9e8
Instruction Fuzzy Hash: B641EEB4D04248DFDB14CFA9C984BAEBFF2BB49700F2091AAE415AB250D774A845CF48

Function 05BCEFF0 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2141806127.0000000005BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05BC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5bc0000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2abbfd347826b0ee476c91aa69c981ad38a33e8a4f34c5d90a958a0c31e31c7
Instruction ID: 29045dcfca46e64e748d50615cb5d407bf13c266d242097eb2ff788db2182d32
Opcode Fuzzy Hash: f2abbfd347826b0ee476c91aa69c981ad38a33e8a4f34c5d90a958a0c31e31c7
Instruction Fuzzy Hash: C141D0B4D04248DFDB14CFA9D984AAEFFF2FB49700F2091A9E415AB250D774A845CF49

Function 05B91E78 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2141736317.0000000005B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b90000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bd6c445a4ae6e9078e56e5dd40bd0b34ea657bef68a3e31501137117eb1f694
Instruction ID: 8225bb1e8dd652fb5f896a973e6efcd1de20bc554e224af37ee018cc927b570e
Opcode Fuzzy Hash: 7bd6c445a4ae6e9078e56e5dd40bd0b34ea657bef68a3e31501137117eb1f694
Instruction Fuzzy Hash: 393185B1D056288BEB28CF66C8143DAFAF2AF85304F04C1EAC44C6A254DB750A89DF51

Function 03023C07 Relevance: 5.0, Strings: 4, Instructions: 48COMMON

Download Yara Rule

Strings

ffwB, xrefs: 03023D01
?, xrefs: 03023C67
a, xrefs: 03023C07
, xrefs: 03023C11

Memory Dump Source

Source File: 00000000.00000002.2129773980.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3020000_setup.jbxd

Similarity

API ID:
String ID: $?$a$ffwB
API String ID: 0-1233609132
Opcode ID: 127e08d205b9b27787a76b68ead64c00bf5d746b2d5d4cd060de709aa1e60a24
Instruction ID: f0184b126754a6273d5d6109e2fde074086aded4ba742afffc6f866145bf5dca
Opcode Fuzzy Hash: 127e08d205b9b27787a76b68ead64c00bf5d746b2d5d4cd060de709aa1e60a24
Instruction Fuzzy Hash: A521ABB8D06269CFEB64DF29D9483D8BBF0BB08305F0580EAA45DE6280D7744AD8DF01

Function 0302809F Relevance: 5.0, Strings: 4, Instructions: 39COMMON

Download Yara Rule

Strings

(, xrefs: 030280C3
S, xrefs: 0302815C
-, xrefs: 0302814A
8, xrefs: 03028166

Memory Dump Source

Source File: 00000000.00000002.2129773980.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3020000_setup.jbxd

Similarity

API ID:
String ID: ($-$8$S
API String ID: 0-3270535609
Opcode ID: 7a13b7b7831baa6e92f0a81311716bc8a3ae73a652cf18c4546340f911247427
Instruction ID: dc213a8cd05907dbd4497c81548f6d513a43b182f337b7863364e5888a8d80e4
Opcode Fuzzy Hash: 7a13b7b7831baa6e92f0a81311716bc8a3ae73a652cf18c4546340f911247427
Instruction Fuzzy Hash: 821196B4D453688EEB60CF15C8547D8BAF0FB05305F1585EAD04CA6280DBB94AC4DF41

Function 03029D97 Relevance: 5.0, Strings: 4, Instructions: 22COMMON

Download Yara Rule

Strings

., xrefs: 03029DE2
/, xrefs: 03029DED
[ObB, xrefs: 03029DD8
#, xrefs: 03029DCE

Memory Dump Source

Source File: 00000000.00000002.2129773980.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3020000_setup.jbxd

Similarity

API ID:
String ID: #$.$/$[ObB
API String ID: 0-630930177
Opcode ID: d0786bb275a9fbe2937d27223c64dbc2ee830bb4a360c154e619d9e84ec5b0c9
Instruction ID: 35f2facff88220be2e4751423953a557a6a8a797bdce91cd043b70706ea8b916
Opcode Fuzzy Hash: d0786bb275a9fbe2937d27223c64dbc2ee830bb4a360c154e619d9e84ec5b0c9
Instruction Fuzzy Hash: B7F0F2B4806228CFDB20CF55C9493D8BBB4FB04304F1495EAE09EA2241CBB84AD9CF56

Analysis Process: RegAsm.exePID: 5876, Parent PID: 1668COMMON

Execution Graph

Execution Coverage:	7.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	51
Total number of Limit Nodes:	6

Executed Functions

Function 06963F50 Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bcd50140760d02fff305a36657d2e3be58eb99bb99efff76e9d10f7eb323be9
Instruction ID: 4c8d30422300000c4e28768ad5df841401d3136cd6ee042cff0ab1cb8d0200e0
Opcode Fuzzy Hash: 7bcd50140760d02fff305a36657d2e3be58eb99bb99efff76e9d10f7eb323be9
Instruction Fuzzy Hash: D8128F34F002158FDB54DFA9C454AAEBBF6BF88700B258169E906EB765DB31DC42CB90

Function 069667D8 Relevance: .4, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c6169d9d646ae5b9d6ef38ab22175f24f2c4616203ac02aac8c011a57ab8dc6
Instruction ID: 04e29ca7f4ec55f07d5b97118a7fd2a3dcaac2cf9d11d3c25048656c76c78017
Opcode Fuzzy Hash: 8c6169d9d646ae5b9d6ef38ab22175f24f2c4616203ac02aac8c011a57ab8dc6
Instruction Fuzzy Hash: D7F1CC30A0030A9FDB55DF69D840B9EBBF6EF88304F148569E505EB2A1DB30ED46CB91

Function 0696A3D8 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddc5f5dbbe79e5d1b126252d1c98ddc18c1ef2ba6965df23f00d433ce2e08781
Instruction ID: e479cadba5ad98f9156de78bfe1a760a649593e9b21faebcdce122765de1d890
Opcode Fuzzy Hash: ddc5f5dbbe79e5d1b126252d1c98ddc18c1ef2ba6965df23f00d433ce2e08781
Instruction Fuzzy Hash: FDD1C534D01218CFDB55EFB4D854A9DBBB2FF8A305F1081A9D50AA7294DB325D86CF11

Function 0696A3E8 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6b21650a70686556349444ea2e36513cab481af800571aa473b33fc9a135aa0
Instruction ID: 1fffc0b8d86dfd6f504ba97f2bda41c18af9d320c2fb7f9d1d7f84e3fee17a8e
Opcode Fuzzy Hash: a6b21650a70686556349444ea2e36513cab481af800571aa473b33fc9a135aa0
Instruction Fuzzy Hash: E2D1D434D01218CFCB59EFB4D854A9DBBB2FF8A305F1081A9D50AA7294DB329D86CF11

Function 06940598 Relevance: 1.7, Strings: 1, Instructions: 462
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hlPj, xrefs: 0694059C

Memory Dump Source

Source File: 00000002.00000002.2267307005.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6940000_RegAsm.jbxd

Similarity

API ID:
String ID: hlPj
API String ID: 0-2311579558
Opcode ID: 82b33356e247d28af8dd5b53fdc0e061ad07d6b4edf09331e19b79553c882d4c
Instruction ID: af3c6f1cb10c5aa4bfcc993c46dced4db2250179341e341790d1a4e9d22393d0
Opcode Fuzzy Hash: 82b33356e247d28af8dd5b53fdc0e061ad07d6b4edf09331e19b79553c882d4c
Instruction Fuzzy Hash: 4402AC307012158FEB54AF65C854A6D77B6FF89304F10891EEA039B7A1CFB6ED068B91

Function 0136AE30 Relevance: 1.7, APIs: 1, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0136B086

Memory Dump Source

Source File: 00000002.00000002.2257052306.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1360000_RegAsm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a70f99a106eee79c786ff25f71686435a401040240f8be9ecdd1d2e100622926
Instruction ID: 69862a0a7fed90f913caa857689715142ccf4bd7fe4693e9b08cfb71ef1a18c7
Opcode Fuzzy Hash: a70f99a106eee79c786ff25f71686435a401040240f8be9ecdd1d2e100622926
Instruction Fuzzy Hash: FF816AB0A00B058FD724DF69D44179ABBF5FF88308F00892DD54AEBA44D775E84ACB91

Function 01365935 Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 013659F1

Memory Dump Source

Source File: 00000002.00000002.2257052306.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1360000_RegAsm.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5cc1f3ebd2e316d07d287bdeca60978e0396e7cb87c6bcd1f69e604aaccd44b3
Instruction ID: 5fda48ba1bd0bc8e2679a4b86cda00c499603b62fcacb7d6a4a6e1d5473e911e
Opcode Fuzzy Hash: 5cc1f3ebd2e316d07d287bdeca60978e0396e7cb87c6bcd1f69e604aaccd44b3
Instruction Fuzzy Hash: 8B41C1B4C00719CEEB24CFA9C884BDDBBB5BF45704F20816AD508AB255DB755946CF90

Function 01364248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 013659F1

Memory Dump Source

Source File: 00000002.00000002.2257052306.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1360000_RegAsm.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 99d441a3373ada6ac02077a41d14d5f7e0c45f5b99f74f4d536213b930e6b7f5
Instruction ID: 71887d365ed6cf25d0494a818170d5f315f071934011a166f84b707ceb68248c
Opcode Fuzzy Hash: 99d441a3373ada6ac02077a41d14d5f7e0c45f5b99f74f4d536213b930e6b7f5
Instruction Fuzzy Hash: 4141BF70C0071DCBEB24CFAAC884BDDBBB5BF45714F20816AD508AB255DB756945CF90

Function 0136A858 Relevance: 1.6, APIs: 1, Instructions: 85
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0136B101,00000800,00000000,00000000), ref: 0136B312

Memory Dump Source

Source File: 00000002.00000002.2257052306.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1360000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 13bf084633b6f63d00d79eb513c6a64a9984acd9ea677789cefeab58d1ad7175
Instruction ID: bf4158b0b3270da712d3bc7eee672176acbde86a7bb3b1b74c2123601e422b63
Opcode Fuzzy Hash: 13bf084633b6f63d00d79eb513c6a64a9984acd9ea677789cefeab58d1ad7175
Instruction Fuzzy Hash: 8131AFB6808359CFEB01CF99C4407DABFF8EB55314F04805AD554A7201C3789546CFA1

Function 0136C9A0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0136D2C6,?,?,?,?,?), ref: 0136D387

Memory Dump Source

Source File: 00000002.00000002.2257052306.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1360000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0d04f1fa06604c9474ca0fae586070d56efd64f2749ef26bf3e7d22e9791ca06
Instruction ID: cdd67e9b110daa8b6d113a472d1cd3bf61321d9649a1b62a3a30467686d78ed6
Opcode Fuzzy Hash: 0d04f1fa06604c9474ca0fae586070d56efd64f2749ef26bf3e7d22e9791ca06
Instruction Fuzzy Hash: C121E9B5900249DFDB10CF9AD984ADEBFF8EB48314F14841AE958A7310D374A954CFA4

Function 0136D2F9 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0136D2C6,?,?,?,?,?), ref: 0136D387

Memory Dump Source

Source File: 00000002.00000002.2257052306.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1360000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0eb0e1160c53fc1cec18c0e618d88ba76e604598f045ffc0a17ebdcfc46265bc
Instruction ID: fcd02039338f8d365427e8a6d3c3cf017307c3efcd9d29aa0580e9852ec8fc41
Opcode Fuzzy Hash: 0eb0e1160c53fc1cec18c0e618d88ba76e604598f045ffc0a17ebdcfc46265bc
Instruction Fuzzy Hash: 1221E2B5900259DFDB10CFA9D984ADEBBF4EB48324F24841AE958B7310D378A954CFA4

Function 0136A870 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0136B101,00000800,00000000,00000000), ref: 0136B312

Memory Dump Source

Source File: 00000002.00000002.2257052306.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1360000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f7abebdf2a95bacdc057eb107db2330b45566af8b07b2f034e64111d51e0c716
Instruction ID: fd10b0b9665ff621a3c5784fd70dbfc96b0e45813b162fe90d6f95773831b0cf
Opcode Fuzzy Hash: f7abebdf2a95bacdc057eb107db2330b45566af8b07b2f034e64111d51e0c716
Instruction Fuzzy Hash: 481112B69003498FDB10CF9AC844ADEFBF8EB88724F14842EE919A7200C374A545CFA4

Function 0136B2A0 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0136B101,00000800,00000000,00000000), ref: 0136B312

Memory Dump Source

Source File: 00000002.00000002.2257052306.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1360000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 258e87fddb01103437abc1e84e595819893011974f7e5915663eaef886e0f788
Instruction ID: cd46469a6e63b6f72bbcfbd1df131b4556978e64a5fa8c14ede503d38c75e9b7
Opcode Fuzzy Hash: 258e87fddb01103437abc1e84e595819893011974f7e5915663eaef886e0f788
Instruction Fuzzy Hash: 761126B69042498FDB10CFAAC844ADEFFF4EB48724F14841ED969A7300C375A545CFA4

Function 0136B020 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0136B086

Memory Dump Source

Source File: 00000002.00000002.2257052306.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1360000_RegAsm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4b9eef36106589e120d90fc476d1a284d71385bea4c55c018bc6568868e46d43
Instruction ID: 6a698984ea79651d76c29c63e2831fb8be09d9d32360ee3ae8244e89a2e3c817
Opcode Fuzzy Hash: 4b9eef36106589e120d90fc476d1a284d71385bea4c55c018bc6568868e46d43
Instruction Fuzzy Hash: F31113B5D007498FDB10CF9AC444ADEFBF4AB88724F10841AD968B7214C375A545CFA1

Function 06941BA0 Relevance: 1.4, Instructions: 1446
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2267307005.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6940000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2b2f261c57283307465454284dd5cd9c36e7b6b3efc30d4556ca16af8820b87
Instruction ID: c8859945f6e9fa0c6ab780a696253178650c694a8e1061232fbdb3f0ec49e05f
Opcode Fuzzy Hash: e2b2f261c57283307465454284dd5cd9c36e7b6b3efc30d4556ca16af8820b87
Instruction Fuzzy Hash: C7C22C70A001189FDB54DF64C895EEDBBB6FF89700F10449AE60AAB3A1DB719E81CF51

Function 069400D8 Relevance: .7, Instructions: 676
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2267307005.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6940000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e8f56c9d55c288e12181b22d9efc4051858cd0d076704829aae5d63c230bdd3
Instruction ID: 13d1741747f6e2c423040bcb718825ab31d6f303bf390dc1d6ec220af4b93b84
Opcode Fuzzy Hash: 5e8f56c9d55c288e12181b22d9efc4051858cd0d076704829aae5d63c230bdd3
Instruction Fuzzy Hash: E5428B3070162A8FDB65AF79D450A6EB7F6FBC5204B008A1DD6039B7A0CFB5ED058B91

Function 06943838 Relevance: .6, Instructions: 636
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2267307005.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6940000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67ea439b90e3aa5d537c08a107405be701963a6ef7b508d466e1c690b8ba61ac
Instruction ID: 5bf05a48c08213b9c6dc35e3f86723c0bd2d8bd141f95d35d2a81581300bc73f
Opcode Fuzzy Hash: 67ea439b90e3aa5d537c08a107405be701963a6ef7b508d466e1c690b8ba61ac
Instruction Fuzzy Hash: D4421474B002149FDB44DF69C894EAEBBF6BF89704F14809AE606DB3A1DB71ED418B50

Function 06940D80 Relevance: .6, Instructions: 616
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.2267307005.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6940000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2fdcef43984ba44aea11d61a82f354e31e83a292be57b86bc1a8421e1ede28e
Instruction ID: 1b10f41856675d892152323ffe75d4043dc59d78d63a90de1e83c47f2dd14168
Opcode Fuzzy Hash: e2fdcef43984ba44aea11d61a82f354e31e83a292be57b86bc1a8421e1ede28e
Instruction Fuzzy Hash: F1229130B002059FDB55AB65C854E7EBBF6BF89300B15845AE616CB7A2CF71DC81CB91

Function 069648B8 Relevance: .6, Instructions: 594COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f90020706e004d0388dcc69ef5e5511354a98166698cc6f943b2a5a4f5f27f8
Instruction ID: 52ab8c10f71bcfdd4970d51960df44ad5f4e648a200bda11b244e55d9c76b066
Opcode Fuzzy Hash: 3f90020706e004d0388dcc69ef5e5511354a98166698cc6f943b2a5a4f5f27f8
Instruction Fuzzy Hash: C4325934B007018FDB55DF6AD888A6ABBF6FF89704B2584A9E506CB761DB30EC45CB50

Function 06940610 Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267307005.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6940000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2de0fc56841e64c1dda1e79aec65f605b079c7d3ad75a799be32341d386fef4d
Instruction ID: 80f44c99fb157b9803aefa32be731eba5d3e289c8d0e27465d04e058862c3e41
Opcode Fuzzy Hash: 2de0fc56841e64c1dda1e79aec65f605b079c7d3ad75a799be32341d386fef4d
Instruction Fuzzy Hash: 72028C307102158FEB54AF65C854F6D77B6FB89304F10891AEA029B7A1CFB6ED06CB91

Function 06940688 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267307005.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6940000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d08fade55f639cca8abde1e195972a530d0a4b67764e2a741349061b68d40a4d
Instruction ID: aa90e3dda0a395f7241f568885c82d3fc6bde6a3bb62a7b8acc408088bf5aa47
Opcode Fuzzy Hash: d08fade55f639cca8abde1e195972a530d0a4b67764e2a741349061b68d40a4d
Instruction Fuzzy Hash: 29E19E30B002149FEB54AB65C894F6D77B6FB89304F10895AEA028B7A1CFB5ED45CB91

Function 06940700 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267307005.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6940000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36156be7a4e41405949b3c6763555bb8efc1fc5e97f46a6671a403a7cb1252fe
Instruction ID: c477ab9ae7082ec8541f98cd54432b5ccc5013a459a3d36e8c85ce26bd1f98e8
Opcode Fuzzy Hash: 36156be7a4e41405949b3c6763555bb8efc1fc5e97f46a6671a403a7cb1252fe
Instruction Fuzzy Hash: 40D17130B002149FEB54AF65C898FA977B6FF89704F10845AEA028B7A1CFB5DD45CB91

Function 069400B8 Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267307005.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6940000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75c3b9875902fb47981d336ccab6200f964eaeeed36f7a785c32b4c10407cec2
Instruction ID: 71969a6a96e791da3ea95e4d6cddd66d07fccf1d262cef5bc90fbd6c6452d0e2
Opcode Fuzzy Hash: 75c3b9875902fb47981d336ccab6200f964eaeeed36f7a785c32b4c10407cec2
Instruction Fuzzy Hash: 92C17F30B102049FEB44AB65C858FA97BB6FF89704F14845AEA02CB7A1CFB5DD41CB91

Function 06941582 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267307005.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6940000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c271865e2592fc5b6916603153f676fcd17175cc75dd996d32b349eb5c00b26e
Instruction ID: 751949e2620dcfd87a675bba992611be89abebfefb987ef6e9c74352d973237c
Opcode Fuzzy Hash: c271865e2592fc5b6916603153f676fcd17175cc75dd996d32b349eb5c00b26e
Instruction Fuzzy Hash: 16C1E234B042459FDB94AB65C854F3ABBEAEF85304F10885AE6038B7A2DF71DC85C791

Function 069648A8 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05da1f995286076ab2531d327759c27d5b053629dd91ea54d40534b4215b594a
Instruction ID: 4b32e8d3f84e2c444604098b8d9716a955025c625420a7589d7fcb791a529790
Opcode Fuzzy Hash: 05da1f995286076ab2531d327759c27d5b053629dd91ea54d40534b4215b594a
Instruction Fuzzy Hash: E8B16934B00605CFCB54DF7AD598AAABBF6BF88704B2580A9E546DB761DB30EC05CB50

Function 06967D58 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1508f52d4e307929f91fc2444d40cae77aec5ec9230978e9eb220ad8efab3c0
Instruction ID: a30c721111119a389443d10a5e42e65f8301afebaaa838fccac11c87992f4a01
Opcode Fuzzy Hash: b1508f52d4e307929f91fc2444d40cae77aec5ec9230978e9eb220ad8efab3c0
Instruction Fuzzy Hash: 53512471E003188FDB55CFEAD890BEEBBF5AB88714F248429E419AB654DB749845CB80

Function 069434D8 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267307005.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6940000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d607503d5f587f94d0aaf7b0ef78a7e4c4ee09302eccdb31c386b78cfeac1c4
Instruction ID: 58587c2a43534f231e1a0d3a3885b80bfb15bd6f77c961c00d3222562a5ecff5
Opcode Fuzzy Hash: 4d607503d5f587f94d0aaf7b0ef78a7e4c4ee09302eccdb31c386b78cfeac1c4
Instruction Fuzzy Hash: A4513635B101159FCB44DF69C894DAABBB6EF89310B1180A9E90AEB361DB31EC05CB50

Function 06967D4C Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9827749f720e7ea084dfcc2e8227732cc1ff33c3088af4cecf7550dae993c903
Instruction ID: e1b10ff7f75eb723454c507c427a33d94fb1dcaaade6145c1cc9c7871ed417ec
Opcode Fuzzy Hash: 9827749f720e7ea084dfcc2e8227732cc1ff33c3088af4cecf7550dae993c903
Instruction Fuzzy Hash: D4513670D003599FDB55CFEAD880BEEBBF5AF48708F24842AE415AB650DB749845CF80

Function 069659C8 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd4b7c2b9cecf221f814c5bc1530dfaabf271fe8f0ebdcc7579581231321177
Instruction ID: b3cbdbd6fe1ba3f9a23c8afbf0610953dcb5208f937cd7b38169833137c8155e
Opcode Fuzzy Hash: dfd4b7c2b9cecf221f814c5bc1530dfaabf271fe8f0ebdcc7579581231321177
Instruction Fuzzy Hash: 3C414A34A00606CFCB15CF5AC880D6ABBF2FF89314B26C999E555DB661D730F901CB90

Function 06963DE0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 831368995f79e99f41dc3f302a302a865baac91091c067a51ad95a8f3acc652e
Instruction ID: 640bbecb01010f8c31f78552a64810456593c3d0e7eb9aa9368ab295976ce4b1
Opcode Fuzzy Hash: 831368995f79e99f41dc3f302a302a865baac91091c067a51ad95a8f3acc652e
Instruction Fuzzy Hash: 0B313431B053528FC326A738A4145AE7BE6EFCA21031544AFE94ACB781CE30DC0BC7A5

Function 06965579 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9399e0604360a8fa2a484054e3f7b0b216d47a585c592e2a5c083ade5cdc2dcf
Instruction ID: d21b81e45f9f52c2296e8e61cc335d53cc1795ede189d039d3b4a5fb56673ddf
Opcode Fuzzy Hash: 9399e0604360a8fa2a484054e3f7b0b216d47a585c592e2a5c083ade5cdc2dcf
Instruction Fuzzy Hash: 7A318E35B013119FCB55DF34E84896EBBB6BF89301B158469E905DB365CB30DD45CBA0

Function 069684C8 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25af175294cd195a4e25fcceb68847411fbeca00005e999031162d6b91084036
Instruction ID: 5e28ccf371b50c432752a034d11cc44f8d9a48331296f43be69c5986a1a9aeae
Opcode Fuzzy Hash: 25af175294cd195a4e25fcceb68847411fbeca00005e999031162d6b91084036
Instruction Fuzzy Hash: BB318D31B012168BCB19EF7DE46456E37E3AFC8210724487AD60ACB3C5EE39DC068B95

Function 0696F920 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea429b9ec87a48bd49c4f412bcaffff01b48106351aa2f899b4a7d36c12b34f9
Instruction ID: 5f659275fb7486b7fa49e76ce81dd74e043bb0ff1dfc4ab69b1a2fd9ad234392
Opcode Fuzzy Hash: ea429b9ec87a48bd49c4f412bcaffff01b48106351aa2f899b4a7d36c12b34f9
Instruction Fuzzy Hash: 52313935B053119FC7067BB9A82859E3FBBFBC621531445AAF606CB395DE308C06C7A2

Function 06965588 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db17daadd7a6f60fded2f07ae0ec5789676e65d93bde1a80cefc29a310014ac6
Instruction ID: 0cbdf44d25a75db6c9e585559eeebd38bb403b99acb2fd676deb56d00de5c26b
Opcode Fuzzy Hash: db17daadd7a6f60fded2f07ae0ec5789676e65d93bde1a80cefc29a310014ac6
Instruction Fuzzy Hash: 6B316834B003119FCB55DF39E88896EBBB6BF89300B118469EA05CB365DB31ED41CBA0

Function 069687A0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58e9534ddd035ce1bb99f26dac6167d19b518e05cace936f159f381333fb4eb2
Instruction ID: a81f07f2d1c5c11e5662470856f2b31e7c98e098498de3846ad1449cad2f9b94
Opcode Fuzzy Hash: 58e9534ddd035ce1bb99f26dac6167d19b518e05cace936f159f381333fb4eb2
Instruction Fuzzy Hash: C741E2B1D01248DFDB54CFAAD950ADEBBF5AF88310F24842AE415BB250DB34A945CF90

Function 06968796 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af5aa91f30433bc59a2c2c6dfa37509e70226215b100f2067d214e616691b79
Instruction ID: d553c27674f32afcae40e4667502fc2566143bf3ccf819666227800038407f42
Opcode Fuzzy Hash: 0af5aa91f30433bc59a2c2c6dfa37509e70226215b100f2067d214e616691b79
Instruction Fuzzy Hash: 063115B1D013489FDB14CFAAD950ADEBBF5AF88310F24842AE425BB250DB349945CFA0

Function 06968A98 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62709982ebbfafbdd4b2c333112ca37a3d33a8fd29054fbfd8432da15f9f4ab
Instruction ID: d874a046045cd784e32d3f15f4e7cef294d095d13b0f60d9ff337cc047551f79
Opcode Fuzzy Hash: e62709982ebbfafbdd4b2c333112ca37a3d33a8fd29054fbfd8432da15f9f4ab
Instruction Fuzzy Hash: 573108B1D01358DFDB54CFAAD950BDEBBF9AF48310F24841AE415B7240C775A945CBA0

Function 0130D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2256801002.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_130d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14db41ac824b6c592555559926a6193d69eea863889812f4630cc5451120eaf0
Instruction ID: 45fa9cd0446b8229e69f7aa4ab5ce26a8a069e294cf1f15fd94520b8458783eb
Opcode Fuzzy Hash: 14db41ac824b6c592555559926a6193d69eea863889812f4630cc5451120eaf0
Instruction Fuzzy Hash: F5214571100204DFDB02DF84D9C0B66BFE5FB84328F20C56DE9091B286C736E446CBA2

Function 0131D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2256850111.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_131d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f53540fcf9acd03741db93527cdfce9351587727f412e2ee1ca9d0d80838876
Instruction ID: cfea016bf9b27f5dec105025a15f5f09ba867dbd0c5c605a27f093e662a62f4a
Opcode Fuzzy Hash: 1f53540fcf9acd03741db93527cdfce9351587727f412e2ee1ca9d0d80838876
Instruction Fuzzy Hash: 38213475604204EFDB19DF58D9C8B16BB65FB85318F20C56DD90A4B24AC33AD447CA61

Function 06968F42 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d15e1e16e55dc9b930333b15199a1f842cf81273e4309ba6dd3800bac494335f
Instruction ID: fe3d056c70d8d5021cae668cbc3a648968301485d836f09914214e45ae711366
Opcode Fuzzy Hash: d15e1e16e55dc9b930333b15199a1f842cf81273e4309ba6dd3800bac494335f
Instruction Fuzzy Hash: CC214274D0424ADFCF04CFA9D584AEEBBB4FB09311F2041AAE411A7391C7341A82DBA0

Function 06968A8C Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 573abe9030707d8936ce5bad3768454134b3a5615413e0ab0f778b07b27db8bc
Instruction ID: d2e9f0ed11e68ec1f35233429630f720274913188f576633ecf15dcc2fb4174a
Opcode Fuzzy Hash: 573abe9030707d8936ce5bad3768454134b3a5615413e0ab0f778b07b27db8bc
Instruction Fuzzy Hash: 642124B1D013589FDB14CFAAC994BDEBFF9AF48710F24842AE405BB240CB749845CBA4

Function 06966E72 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aad3d24e8c448343c080d2f5faaa491be8fe0b5076281aa08346a57b80124492
Instruction ID: a75737a0e09d9a871cb779b652d4aee7a8d7ee8f1bc6fa243a9e7951ded96d7e
Opcode Fuzzy Hash: aad3d24e8c448343c080d2f5faaa491be8fe0b5076281aa08346a57b80124492
Instruction Fuzzy Hash: C501B9622092D47FC7234ABA5C24CFB3FADD98B155309418BF9D4D6492C0288A52D7B1

Function 0696BC5F Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bd10716654578fb68ca08ccad670cc4450723806a11a56fd1c5eeb62ffff911
Instruction ID: 5f765da7f45ad002dd395c16900ecb955ab208b1dba954fc866ad1ee002a4c98
Opcode Fuzzy Hash: 8bd10716654578fb68ca08ccad670cc4450723806a11a56fd1c5eeb62ffff911
Instruction Fuzzy Hash: 8911A9312212025FC786B778A87456E7BE7FEC2244744891DE2078B742CE70AD4787A2

Function 0130D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2256801002.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_130d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0975082927a414f3a70faae16f5f7251334da3a266367595ab6f83674f7d4e0c
Instruction ID: 18f827b993f078da7c0220f1349572dbcae7d2299a50c0f30ea14a0eb1630483
Opcode Fuzzy Hash: 0975082927a414f3a70faae16f5f7251334da3a266367595ab6f83674f7d4e0c
Instruction Fuzzy Hash: 06110372404280CFCB02CF84D9C0B56BFB1FB84328F24C6A9D8090B657C33AE456CBA1

Function 0131D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2256850111.000000000131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0131D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_131d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5dafeece261ed5f36609df0c38f61fd31d97a5851a4554c05f514f158599941
Instruction ID: b498663dc48bbfa3b034dcea1c3f7151247d2dbe64705cae980ee90fa8bfbd56
Opcode Fuzzy Hash: e5dafeece261ed5f36609df0c38f61fd31d97a5851a4554c05f514f158599941
Instruction Fuzzy Hash: 2411D075504280CFCB16CF54D9C4B15FF61FB45318F24C6A9D8094B65AC33AD44ACB62

Function 0696C499 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30e8ff78c3b0e41f15bcb506e0313596f1125cdcf3ff3fd403be1d1d0a05a49b
Instruction ID: b766b44b696ff725289b4d5f5fd3fa1b2f676d115c49440ff431861c6a3ea69d
Opcode Fuzzy Hash: 30e8ff78c3b0e41f15bcb506e0313596f1125cdcf3ff3fd403be1d1d0a05a49b
Instruction Fuzzy Hash: BD01A1352042018FD316FBA9E85465A7BE3FFC6315B108B29D14B8B781CF749D0B8B92

Function 06968350 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0130ef29b9b0cc340ca49414d71eacf824c7c3474d2e760b1fb41c024d48821b
Instruction ID: d907b472954b5f63ac85e49cead710bad5cc956df6227a41cf7968cb14744809
Opcode Fuzzy Hash: 0130ef29b9b0cc340ca49414d71eacf824c7c3474d2e760b1fb41c024d48821b
Instruction Fuzzy Hash: 0C018F71B001199FDF10DEAAEC44ABFB7FEFBC8651B14403AE614D3241EB71991587A1

Function 0696ACB8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbc9c4dab6c86fefd31245af69fd54db58058fe3e819976b3a9caee4eee7f740
Instruction ID: 5eced8f0e6f421f8a50e7187436ed07395a0b478fb576bbecdb1221ec9151a56
Opcode Fuzzy Hash: cbc9c4dab6c86fefd31245af69fd54db58058fe3e819976b3a9caee4eee7f740
Instruction Fuzzy Hash: 4FF028367093555FC7636BA96C244EB7FA5D9C6245344409EE283C7652CA648C07C7F1

Function 0696BC70 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36b5372b4263eea3f6dd788dd1836888e0fcf9585bc11377fa5df29c1a18b1c2
Instruction ID: f69b916d662791db330b82e7c1f6c9075b0de5a456aa8c1738fce2813b86a5f9
Opcode Fuzzy Hash: 36b5372b4263eea3f6dd788dd1836888e0fcf9585bc11377fa5df29c1a18b1c2
Instruction Fuzzy Hash: B4015E312211068FC796B7B8A87852E7BE3FEC1254754882CE2078B741DE70BD878796

Function 0696E8B0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0e2ba2bb5725e2ae58ac20c2fd57f26f262738fd03f8a82781d5c32026ce99d
Instruction ID: dafc4500e6ea6ab76f9feab79f176c35eaec608b96424b15aa900c4809e03798
Opcode Fuzzy Hash: c0e2ba2bb5725e2ae58ac20c2fd57f26f262738fd03f8a82781d5c32026ce99d
Instruction Fuzzy Hash: 2801F9346093049FCB01EFB4D81499A7FBAEF8A20071485E9F501CB762DB32DD06C792

Function 0696C4A8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8409e353392ebb2e809e23d85c04f138271c9f86ac95123eae858a2f64595af3
Instruction ID: bb4619159f2c87253519e8d8b84b98144ec8097e7362e232be4da7c6b87b322c
Opcode Fuzzy Hash: 8409e353392ebb2e809e23d85c04f138271c9f86ac95123eae858a2f64595af3
Instruction Fuzzy Hash: CA015E35600206CFD325BFA9D45865A7BE3FBC5319B108A2DD14B87784DF75AC0B8B92

Function 06965508 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e9ce7ed4f5764110a2d99730eb7ff5186ce19cdcddde96e3426790fa0a57e4a
Instruction ID: b1196dffc603da91c4a11329c1cd121de6da7beb0f4e88ef7431df3ea5003a8c
Opcode Fuzzy Hash: 7e9ce7ed4f5764110a2d99730eb7ff5186ce19cdcddde96e3426790fa0a57e4a
Instruction Fuzzy Hash: 2B018130A11702CFD7A99A3AE508527B7EBBF84305725882DE506C6A54EA71E881CB90

Function 0696B358 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69a7584baee8734b3c507cabc79bd9b6fd0af8fc9fd2e60b7a7796af8deff19d
Instruction ID: 7c5990feb30af0a508c50c77a27c2ca5866ec34f1c84ce3fe2797a023972b412
Opcode Fuzzy Hash: 69a7584baee8734b3c507cabc79bd9b6fd0af8fc9fd2e60b7a7796af8deff19d
Instruction Fuzzy Hash: 58018F3490624AEFCB45FBB8E89459CBFB2FF89300B144299E446A7351DB305E47CB92

Function 0696FF51 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f870a8c11f6d3dc96d405f870e90ee75d3430dda75a8909fa1c5c4f48b81f91b
Instruction ID: 091f479279180af4ab9a87a1401b488e35a021d9fca892529e35bbc42f776d06
Opcode Fuzzy Hash: f870a8c11f6d3dc96d405f870e90ee75d3430dda75a8909fa1c5c4f48b81f91b
Instruction Fuzzy Hash: 96016975E042188FDF24CFA9E848AEDBBF5FB8D310F04916AE454B3641CB344845CBA4

Function 0696C170 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d8f18a0ce6ff343dbaac8bd5282fbe5f1430d7b6ec5d924d132b83f826866ec
Instruction ID: dcd050f4b29124d89294994533c994572f4b789f63e24f1a1c08f4cf8acdaa29
Opcode Fuzzy Hash: 3d8f18a0ce6ff343dbaac8bd5282fbe5f1430d7b6ec5d924d132b83f826866ec
Instruction Fuzzy Hash: 5401A235501B409FC311EF66E804592BBF6FF89301700861AE44B82611CB30A90BCFD5

Function 06968F50 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09a81b3874b4bf798a8aef396f15b724354e32b7d6e6a4e6fc98e2bd71cfe575
Instruction ID: 0cf8978f7065ca9746ddf5b6fafc1da8e513c74bbe5d25359b8483e376e1ab6d
Opcode Fuzzy Hash: 09a81b3874b4bf798a8aef396f15b724354e32b7d6e6a4e6fc98e2bd71cfe575
Instruction Fuzzy Hash: 1F01D6B4D0420AEFDB54DFAAD5456EEBBF5BB48301F2085AAE415A3340E7740A41DF90

Function 069654F8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06b3cd8908caf1bb892fde1b8fc3f4bd62ab2914ee0b92fa84fabbcf7e32df55
Instruction ID: a03e47c2b76446625be29038ce83c66041fc4507dfba06ac5ed635e3d877f530
Opcode Fuzzy Hash: 06b3cd8908caf1bb892fde1b8fc3f4bd62ab2914ee0b92fa84fabbcf7e32df55
Instruction Fuzzy Hash: D6F046305093428FC762CB22D804AA3BFBBAF81214F09459DF04182D22C771E884CBA0

Function 06963EC8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deb6e59c86605257c00930eaedc9220ee41b101fb9673bea3411866ccc98bb9c
Instruction ID: ed4c30919f81146cfe4f5181e1ab6b0f1b33746fa322ef6f1ff2353c8f4fef3c
Opcode Fuzzy Hash: deb6e59c86605257c00930eaedc9220ee41b101fb9673bea3411866ccc98bb9c
Instruction Fuzzy Hash: DDF090303002038FC229E729E4649AF77D7EBC9250310892DD20A8B344EF70EC4B87A5

Function 0696FF60 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1b42dab56ffa5cef755fe58205ff916e3b471e657dfb07cb1e2a37e2756214d
Instruction ID: afa3f0067bf626e20a317ac16e84591399a6cbf3babbfc47ab669fe1a0935b5f
Opcode Fuzzy Hash: c1b42dab56ffa5cef755fe58205ff916e3b471e657dfb07cb1e2a37e2756214d
Instruction Fuzzy Hash: C1F04975E002188BCF14DFAAE804AEDBBF9FB8D311F00912AE414B3340CB345844CBA4

Function 0696ADE9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2f9c29f7bdd22500353ac3e47107beaf510b127677f923d61308c5746029093
Instruction ID: a0bc3924dea7da0c0e399de544405530b8591365b595116f493b2f147228a336
Opcode Fuzzy Hash: f2f9c29f7bdd22500353ac3e47107beaf510b127677f923d61308c5746029093
Instruction Fuzzy Hash: 4AF0A7352091416FC321776DAC64BDFBEDAEFCA255F404029F20B87283CB65184587B6

Function 0696C110 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9278eea3116c4e8222812479a517049b53690699e802133650a6b2e451191067
Instruction ID: be40bf3243b7f01b5b99b832ba6f837c0a3dc1326417c2c2266bad41430bb5e0
Opcode Fuzzy Hash: 9278eea3116c4e8222812479a517049b53690699e802133650a6b2e451191067
Instruction Fuzzy Hash: C6F096301067D19FC312A769E81469B7FE6DFC2204B04459EE2868B652CA655D0687E2

Function 06966EA0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ed0e8a5f3130843966df46af8f9bc38da93bbf2c61f143b00d49096bd66224b
Instruction ID: 34907530a00df85a88cec51d0c7065623bbe6bb0aa4536eb3c29ad94e379d96c
Opcode Fuzzy Hash: 0ed0e8a5f3130843966df46af8f9bc38da93bbf2c61f143b00d49096bd66224b
Instruction Fuzzy Hash: C8F012622051E87F8B618E9A5C14CFB7FEDDA8E1617094156FE99D2181C429CD21ABB0

Function 069667C8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8b670a4b65f6ef9a58ce4e8f2243a830b10a9fbd4068df0020d3a26e4a6cd39
Instruction ID: 3b5cde52b505f3145aa494862ce84f86c146d1ada57a9c983fb294d3f4aa5c98
Opcode Fuzzy Hash: d8b670a4b65f6ef9a58ce4e8f2243a830b10a9fbd4068df0020d3a26e4a6cd39
Instruction Fuzzy Hash: 50F0B432B403009FD7208B29EC04F957BEA9B82714F14826AF214CB5F2D2B1D8069780

Function 06968FC0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58728e476a25d63116813612355f7736dc20f6ad212cb05c00e83be79898155d
Instruction ID: d82295eb793d34b90bcfad7fc6afa9309623913fcbbc4b059bd5d42c18f3be62
Opcode Fuzzy Hash: 58728e476a25d63116813612355f7736dc20f6ad212cb05c00e83be79898155d
Instruction Fuzzy Hash: 7EF0CDB5C08249EFDB00CFA1C9551FEBFB0EB5A201F0042CAF406E7B50E6358A41DB90

Function 06968341 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a065aacd27c98b7f9b6090b0283d1a8603a9c50ffe19d788645d08781c98c278
Instruction ID: af87b464208b64365d9b1487fe699bc99778cf5090b7ebc6a63b219146d12d67
Opcode Fuzzy Hash: a065aacd27c98b7f9b6090b0283d1a8603a9c50ffe19d788645d08781c98c278
Instruction Fuzzy Hash: 55F0E572F101155BCF10DAA9AD49AFF7BEEEB84260B1C0127EA14E3101FB34881A83B1

Function 0696B368 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1205475875ae8f7781c95230fb9c14d7808ba75c2303c4b51a1bdbd3090153a6
Instruction ID: 14a13b4312f8e69902c193f671f2ac89684cf12fe68aba62ee6e50b1440b1d67
Opcode Fuzzy Hash: 1205475875ae8f7781c95230fb9c14d7808ba75c2303c4b51a1bdbd3090153a6
Instruction Fuzzy Hash: 27F04F74E0220AEFCB44FFF9E89455CBBB2FB84200B1445A9D506A7350DF305E46DB51

Function 0696ADF8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d909531b34a83ab54a2da4772bf1ef4267e056aa8535e7bc5fdb7dabe816ed2e
Instruction ID: e05c57cf618bd4ca11867013527cb8711f814dc3131301e362d99a6fa5c402b4
Opcode Fuzzy Hash: d909531b34a83ab54a2da4772bf1ef4267e056aa8535e7bc5fdb7dabe816ed2e
Instruction Fuzzy Hash: E9E09235305101AFC3117B9AAC58A9FBADAEBC9355B00802CE20FC3246CB666C0647A5

Function 0696C180 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 975ea582fcb1d1298cabf1789fd0ecc028853383129c0c8f80e5231c0c70c881
Instruction ID: 358647a7a2436e013f68dc9ee893ae8d2103a9c3ec29234f3a6d1577bde376ed
Opcode Fuzzy Hash: 975ea582fcb1d1298cabf1789fd0ecc028853383129c0c8f80e5231c0c70c881
Instruction Fuzzy Hash: A2F06735901B018FD725EFA6E408512BBF6FB88301700C62AE98B82A10DB71A90BCF85

Function 0696CC38 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75edd151de2651030727da263840de7fa39dd6edce0940517c5396f6c544e640
Instruction ID: 0e917e5d7e6fa4ccafc3b6223f94ae5fdf4154fd04ebbabc1597a2d2c85bf008
Opcode Fuzzy Hash: 75edd151de2651030727da263840de7fa39dd6edce0940517c5396f6c544e640
Instruction Fuzzy Hash: BCE04F312167609FCF52FB2EFC10AEA7BA6EB46611B044355F102CB64ACA3409478BE6

Function 0696B500 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e4abe3c7b3d83026957d3d6c98963531c85e52657e4905fbe4f92d58b8c7c9a
Instruction ID: 331b9da0274c8c4f16cd8a39180280a0bd4251a61a79c1229939060d448d89d5
Opcode Fuzzy Hash: 8e4abe3c7b3d83026957d3d6c98963531c85e52657e4905fbe4f92d58b8c7c9a
Instruction Fuzzy Hash: B7F01535D0120CEFCB41EFB4D9489CDBBB9EB44200F1042A6E846E2240EA305B459F92

Function 0696C120 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b84a3c6c2810e10509516f64c887f10056d82333f11ee018f13a93f6a3a632
Instruction ID: c1c40463bc47cc8c50c20e39b12cff284a22d238541ceec585b924261459400c
Opcode Fuzzy Hash: 08b84a3c6c2810e10509516f64c887f10056d82333f11ee018f13a93f6a3a632
Instruction Fuzzy Hash: A0E030302007529FC711B76DE85879EBBE6DBD5219F04052DE24687741CAA1AC068792

Function 0696CE88 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbf06ee2bf928718cad60ec4dfbcccae0a6c5045da5a6ba45458aede76167c51
Instruction ID: 7b64b1ca32c503bfc27dc90083bb39cff3d079ec81c70689cb5a8956c63efbf9
Opcode Fuzzy Hash: cbf06ee2bf928718cad60ec4dfbcccae0a6c5045da5a6ba45458aede76167c51
Instruction Fuzzy Hash: 0AE0D87000B3A1EFDF03F328B8055A93FB5EB026007004295F8418BA45C6304C4387D2

Function 06965698 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 958da2b7e7a19e033159fd6c051d71080ae30db4d503a068f681a5d5bce3a339
Instruction ID: 20e580d1c40a62dd4999d2881b463e3f412d24c39750ad0e2512e054682642d3
Opcode Fuzzy Hash: 958da2b7e7a19e033159fd6c051d71080ae30db4d503a068f681a5d5bce3a339
Instruction Fuzzy Hash: 68E04FB211D3504FD3059625F8099C63B99EB62320F558CAEE140CA096EA7DD443CA56

Function 0696E8F8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 756dd09f26bd979095173817b35df151cf4350f52c5494597ff740acbd9dd48f
Instruction ID: 5f0d655ef364cad021445f7ab84d51ff86085be8561c3b42ef6a787bea06c840
Opcode Fuzzy Hash: 756dd09f26bd979095173817b35df151cf4350f52c5494597ff740acbd9dd48f
Instruction Fuzzy Hash: 59E0EC79115244AFC7429A58D840C967FBABF5A6113444186F5418F173C72199259BA1

Function 0696F910 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5090a43f8706da515db640fc3a8c2083ba9b9a9d6470f06f876a12e3854da41
Instruction ID: 7fff7abac17240b5fce1a5bfe510ddd89768f8ff78feae5d40aea132041fa41d
Opcode Fuzzy Hash: f5090a43f8706da515db640fc3a8c2083ba9b9a9d6470f06f876a12e3854da41
Instruction Fuzzy Hash: 8AE0CD296057155F8705266D58201F77B9BD6C76113158153F101CB106DA254C0B4391

Function 0696E1FF Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2b6eef0a6c4e0d2c51eccb1b5887aa46889ebcdf346cb4a1af2e5f5a1dcfd50
Instruction ID: 1c7c98969bf7657a2e10ec97135ff02f546ff786903a4d8d3e423c4bbf6a814c
Opcode Fuzzy Hash: c2b6eef0a6c4e0d2c51eccb1b5887aa46889ebcdf346cb4a1af2e5f5a1dcfd50
Instruction Fuzzy Hash: 18E0D871909205EFCB01EBA8E80089D7BF1DB4220072046DAD805D3290D5300F128792

Function 0696AC80 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 348091abf7d16030283fe0dfb836ae0659ef58164d3d0c1c53ebd2b714c1f38c
Instruction ID: 9016bc3920bdcdbafa1aebcc46a083d50c16376fc2df469f97433d80539c7583
Opcode Fuzzy Hash: 348091abf7d16030283fe0dfb836ae0659ef58164d3d0c1c53ebd2b714c1f38c
Instruction Fuzzy Hash: FFD05E353101299B8B06776DBC184AFBBABEAC9662300402EE70BC3340CF665D0387E5

Function 0696B510 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb9f9aa2e1188a49ffd4db0e5e55c7748a71bcaf872cd5799f39622b1b39529
Instruction ID: a6d080f63bf40d297282a30cb884a82f58c00413b0a1e2335efaa95ede07780b
Opcode Fuzzy Hash: 1cb9f9aa2e1188a49ffd4db0e5e55c7748a71bcaf872cd5799f39622b1b39529
Instruction Fuzzy Hash: 78E09A75D0020CEFCB40EFE5D9448DDBBB9EB48200F1082A6D905A3200EB315F55DF81

Function 0696E280 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e78b86ca060e1ea5aa43469e00adce9c523136ac1e4f88ad597e43ee53639871
Instruction ID: 4c95fb58e29b727ae3a7b267b44c13ded648333a47c9dd73cf89a4e71dda6aa6
Opcode Fuzzy Hash: e78b86ca060e1ea5aa43469e00adce9c523136ac1e4f88ad597e43ee53639871
Instruction Fuzzy Hash: 87E0CD30504226CFCB56FB15FD0678977A2FB49708F101204D9121B6A8D7B01A578BC5

Function 0696E210 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b55e6a80bf607ed6c3680e8e4beddc8cf547b9e2e087023d6728fac10b9871e
Instruction ID: e316f87ecaa540b7c0a69f9a9dbca256b3e84070b26a8e91593aaf1a29f409a2
Opcode Fuzzy Hash: 4b55e6a80bf607ed6c3680e8e4beddc8cf547b9e2e087023d6728fac10b9871e
Instruction Fuzzy Hash: 96D01771A01209FFCB41EFA8E90095DB7F9EB45204B1085A99609E3300EA316E019B91

Function 0696F8EA Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30f5ce6c68743bb16969d7ebed117575eb53c4581ab1dcae0b9064e3c81bb472
Instruction ID: b2558a2a131a369b6122707048c387256e997e38bb4123ba01616de02a8df80d
Opcode Fuzzy Hash: 30f5ce6c68743bb16969d7ebed117575eb53c4581ab1dcae0b9064e3c81bb472
Instruction Fuzzy Hash: D2C01272B111200F4285B7AC74240AE6AD7E6E92A3399402AE60FC7388CEB08C424382

Function 06963721 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c364d92f29e8bb7c90adfc9da44f69fd3cb5ecc0333e0858975f7fdeff8dffb9
Instruction ID: 678cb9c8360ea26dbc660d86e5c943ce9b60ffbe6ca370ada0a107d50a7b65ac
Opcode Fuzzy Hash: c364d92f29e8bb7c90adfc9da44f69fd3cb5ecc0333e0858975f7fdeff8dffb9
Instruction Fuzzy Hash: 6FC09BD351F3805FD30715105C618F21F2555B715430F42C3F9D1E7553D52846265773

Function 0696DFD1 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd70acf28079aac0fb96fadba7ba764ab74fd19ae2ad5d9e1de790dff9e5e494
Instruction ID: e135ea07b2feb766e787ace1a1c34606f8a32344bf9aa940f96419dcc817ecb1
Opcode Fuzzy Hash: fd70acf28079aac0fb96fadba7ba764ab74fd19ae2ad5d9e1de790dff9e5e494
Instruction Fuzzy Hash: 4DC04C6158B6905ADB0617648C0D5857F16EB5372071540C6E2418A466D61104068AD6

Non-executed Functions

Function 0696E2C7 Relevance: 46.6, Strings: 37, Instructions: 387COMMON

Download Yara Rule

Strings

DFj, xrefs: 0696E6D0
DFj, xrefs: 0696E5BB
DFj, xrefs: 0696E680
DFj, xrefs: 0696E844
DFj, xrefs: 0696E86F
DFj, xrefs: 0696E7C3
DFj, xrefs: 0696E543
DFj, xrefs: 0696E6F8
DFj, xrefs: 0696E431
DFj, xrefs: 0696E630
DFj, xrefs: 0696E39D
DFj, xrefs: 0696E51B
DFj, xrefs: 0696E4A3
DFj, xrefs: 0696E4CB
DFj, xrefs: 0696E819
DFj, xrefs: 0696E32E
DFj, xrefs: 0696E40C
DFj, xrefs: 0696E7EE
DFj, xrefs: 0696E4F3
DFj, xrefs: 0696E798
DFj, xrefs: 0696E3C2
DFj, xrefs: 0696E6A8
DFj, xrefs: 0696E658
DFj, xrefs: 0696E378
DFj, xrefs: 0696E593
DFj, xrefs: 0696E47B
DFj, xrefs: 0696E720
DFj, xrefs: 0696E748
DFj, xrefs: 0696E456
DFj, xrefs: 0696E309
DFj, xrefs: 0696E2E4
DFj, xrefs: 0696E3E7
DFj, xrefs: 0696E608
DFj, xrefs: 0696E353
DFj, xrefs: 0696E770
DFj, xrefs: 0696E56B
DFj, xrefs: 0696E5E3

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID: DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj
API String ID: 0-948655305
Opcode ID: 8cb59ef3be303f55863b15faade5e6419e280791ffb1ceb64e7433d5ed60ed14
Instruction ID: 66d0be5a3aa5386251ae3d7b1bf8d6013cd3780455deef9be79299325826c4dd
Opcode Fuzzy Hash: 8cb59ef3be303f55863b15faade5e6419e280791ffb1ceb64e7433d5ed60ed14
Instruction Fuzzy Hash: D7D19130710712EFD606ABA99C92E6DB2D3BBC6304B40852CD22A0F795DFB1AD1743D6

Function 0696E2D8 Relevance: 46.6, Strings: 37, Instructions: 383COMMON

Download Yara Rule

Strings

DFj, xrefs: 0696E6D0
DFj, xrefs: 0696E5BB
DFj, xrefs: 0696E680
DFj, xrefs: 0696E844
DFj, xrefs: 0696E86F
DFj, xrefs: 0696E7C3
DFj, xrefs: 0696E543
DFj, xrefs: 0696E6F8
DFj, xrefs: 0696E431
DFj, xrefs: 0696E630
DFj, xrefs: 0696E39D
DFj, xrefs: 0696E51B
DFj, xrefs: 0696E4A3
DFj, xrefs: 0696E4CB
DFj, xrefs: 0696E819
DFj, xrefs: 0696E32E
DFj, xrefs: 0696E40C
DFj, xrefs: 0696E7EE
DFj, xrefs: 0696E4F3
DFj, xrefs: 0696E798
DFj, xrefs: 0696E3C2
DFj, xrefs: 0696E6A8
DFj, xrefs: 0696E658
DFj, xrefs: 0696E378
DFj, xrefs: 0696E593
DFj, xrefs: 0696E47B
DFj, xrefs: 0696E720
DFj, xrefs: 0696E748
DFj, xrefs: 0696E456
DFj, xrefs: 0696E309
DFj, xrefs: 0696E2E4
DFj, xrefs: 0696E3E7
DFj, xrefs: 0696E608
DFj, xrefs: 0696E353
DFj, xrefs: 0696E770
DFj, xrefs: 0696E56B
DFj, xrefs: 0696E5E3

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID: DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj
API String ID: 0-948655305
Opcode ID: 2ea790055ed46b6072cef825dfccb71331f9d5d08f883572a5c3cb53c1c08bb3
Instruction ID: ac5a6a9c93b4760d9ef924abdd489925d51534803df3b080c7d097037ee0918c
Opcode Fuzzy Hash: 2ea790055ed46b6072cef825dfccb71331f9d5d08f883572a5c3cb53c1c08bb3
Instruction Fuzzy Hash: 7FD18030710712EFD606ABA99C92E6DB6D3BBC6304B40852CD22A4F795DFB1AC1743D6

Function 0696CC7F Relevance: 16.4, Strings: 13, Instructions: 152COMMON

Download Yara Rule

Strings

DFj, xrefs: 0696CD7A
DFj, xrefs: 0696CC9C
DFj, xrefs: 0696CE33
DFj, xrefs: 0696CD30
DFj, xrefs: 0696CCC1
DFj, xrefs: 0696CD0B
DFj, xrefs: 0696CCE6
DFj, xrefs: 0696CD55
DFj, xrefs: 0696CD9F
DFj, xrefs: 0696CDC4
DFj, xrefs: 0696CE58
DFj, xrefs: 0696CDE9
DFj, xrefs: 0696CE0E

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID: DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj
API String ID: 0-2102174151
Opcode ID: 6e6e50f71c9c796644b42958d11b6995acd525318af8f54acae275fb320926fb
Instruction ID: e659eca8dbd5cb28f388ec415dacf34691ef13005001a1f087a0e565b508c1f3
Opcode Fuzzy Hash: 6e6e50f71c9c796644b42958d11b6995acd525318af8f54acae275fb320926fb
Instruction Fuzzy Hash: 8641C630700712AFD602ABA59C92E6DB693FB86600B40453CD21A4FB96DFB5AD4743D7

Function 0696CC90 Relevance: 16.4, Strings: 13, Instructions: 143COMMON

Download Yara Rule

Strings

DFj, xrefs: 0696CD7A
DFj, xrefs: 0696CC9C
DFj, xrefs: 0696CE33
DFj, xrefs: 0696CD30
DFj, xrefs: 0696CCC1
DFj, xrefs: 0696CD0B
DFj, xrefs: 0696CCE6
DFj, xrefs: 0696CD55
DFj, xrefs: 0696CD9F
DFj, xrefs: 0696CDC4
DFj, xrefs: 0696CE58
DFj, xrefs: 0696CDE9
DFj, xrefs: 0696CE0E

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID: DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj
API String ID: 0-2102174151
Opcode ID: 2d7ad56997d4b94a5570ee4144e3dd41e031f840d126f115e5d7eb96874ae3b9
Instruction ID: 97f00c531d307117f1eff6ffb2fdc6398052350e511b13c10421a4234cfd044b
Opcode Fuzzy Hash: 2d7ad56997d4b94a5570ee4144e3dd41e031f840d126f115e5d7eb96874ae3b9
Instruction Fuzzy Hash: 8541A530700712AFD606AFA59C92E6DB693FBC6700B40893CD21A0FB95DFB5AD074396

Function 0696CED1 Relevance: 10.1, Strings: 8, Instructions: 105COMMON

Download Yara Rule

Strings

DFj, xrefs: 0696CFA5
DFj, xrefs: 0696CF11
DFj, xrefs: 0696CF36
DFj, xrefs: 0696CF80
DFj, xrefs: 0696CF5B
DFj, xrefs: 0696CFEF
DFj, xrefs: 0696CEEC
DFj, xrefs: 0696CFCA

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID: DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj
API String ID: 0-2578666656
Opcode ID: 7019faa7da783b4d209cd319453f6ccff351d461c824a9df6d9d510439c40c9e
Instruction ID: c70fb7574d9dec0a52b808c957f18ee76ceeaed5b1d78cce389a9aca082e66cc
Opcode Fuzzy Hash: 7019faa7da783b4d209cd319453f6ccff351d461c824a9df6d9d510439c40c9e
Instruction Fuzzy Hash: 9131B631700312AFD6026BA59C92E6DB693FB86300B40457CD21A4FB96CFB5AD4643E6

Function 0696CEE0 Relevance: 10.1, Strings: 8, Instructions: 93COMMON

Download Yara Rule

Strings

DFj, xrefs: 0696CFA5
DFj, xrefs: 0696CF11
DFj, xrefs: 0696CF36
DFj, xrefs: 0696CF80
DFj, xrefs: 0696CF5B
DFj, xrefs: 0696CFEF
DFj, xrefs: 0696CEEC
DFj, xrefs: 0696CFCA

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID: DFj$DFj$DFj$DFj$DFj$DFj$DFj$DFj
API String ID: 0-2578666656
Opcode ID: c031fc7862c47801b38775fa8e6236b3865097c78b61686aa11ec35356fd2947
Instruction ID: 48a35a066f20050bbaf0aca0a87fe780cd06d2833d0651ca748247d3f0a24fcd
Opcode Fuzzy Hash: c031fc7862c47801b38775fa8e6236b3865097c78b61686aa11ec35356fd2947
Instruction Fuzzy Hash: CF21A230710312AFD606AFA59C92E6DB693FBC6704B40853CD22A4FB95CFB5AC4643D6

Function 0696C968 Relevance: 8.8, Strings: 7, Instructions: 89COMMON

Download Yara Rule

Strings

DFj, xrefs: 0696C984
DFj, xrefs: 0696CA7A
DFj, xrefs: 0696C9AD
DFj, xrefs: 0696CA28
DFj, xrefs: 0696C9D6
DFj, xrefs: 0696C9FF
DFj, xrefs: 0696CA51

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID: DFj$DFj$DFj$DFj$DFj$DFj$DFj
API String ID: 0-309315082
Opcode ID: efcf3e529b9c93ca62ecaac00c60240bb8a8641d1b9405a17b859803099ed696
Instruction ID: 02475dd9ab19790cf9780e69c89bfde43874e38665c3c86c52570087fdf6d375
Opcode Fuzzy Hash: efcf3e529b9c93ca62ecaac00c60240bb8a8641d1b9405a17b859803099ed696
Instruction Fuzzy Hash: D431A430701253AFD7027BA5DC959AD7B93FB96304700456CE21A9F6E5CEB05D8B8782

Function 0696C978 Relevance: 8.8, Strings: 7, Instructions: 83COMMON

Download Yara Rule

Strings

DFj, xrefs: 0696C984
DFj, xrefs: 0696CA7A
DFj, xrefs: 0696C9AD
DFj, xrefs: 0696CA28
DFj, xrefs: 0696C9D6
DFj, xrefs: 0696C9FF
DFj, xrefs: 0696CA51

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID: DFj$DFj$DFj$DFj$DFj$DFj$DFj
API String ID: 0-309315082
Opcode ID: bb3fc83ef690d385aba31f06af08df4d2cead98cfe7e4530f544ffe5539e01ae
Instruction ID: 712ffdd42baf7dd12c044f58572f9c94664dd0de32da591ce542456c8dc93431
Opcode Fuzzy Hash: bb3fc83ef690d385aba31f06af08df4d2cead98cfe7e4530f544ffe5539e01ae
Instruction Fuzzy Hash: 12218530B00253AFDB057BA5DC9596D7793FB963007004528D21A8F7A4CEB15D8B8786

Function 0696D538 Relevance: 7.6, Strings: 6, Instructions: 83COMMON

Download Yara Rule

Strings

DFj, xrefs: 0696D554
DFj, xrefs: 0696D60D
DFj, xrefs: 0696D579
DFj, xrefs: 0696D5C3
DFj, xrefs: 0696D59E
DFj, xrefs: 0696D5E8

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID: DFj$DFj$DFj$DFj$DFj$DFj
API String ID: 0-3326637079
Opcode ID: 644287147257272d0c59718fdca608ff97ee3dce48466003c4f6b25a6abbd9f6
Instruction ID: cb7fe800d24d3337c2ed25296a8135b69027b9e4ecedfd0f812ebaae581fb3ba
Opcode Fuzzy Hash: 644287147257272d0c59718fdca608ff97ee3dce48466003c4f6b25a6abbd9f6
Instruction Fuzzy Hash: 9721A4317007116FD6026BA59C92EADA693FB86704B40866CD21A4FB96CFB25D1743E2

Function 0696D548 Relevance: 7.6, Strings: 6, Instructions: 73COMMON

Download Yara Rule

Strings

DFj, xrefs: 0696D554
DFj, xrefs: 0696D60D
DFj, xrefs: 0696D579
DFj, xrefs: 0696D5C3
DFj, xrefs: 0696D59E
DFj, xrefs: 0696D5E8

Memory Dump Source

Source File: 00000002.00000002.2267335446.0000000006960000.00000040.00000800.00020000.00000000.sdmp, Offset: 06960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6960000_RegAsm.jbxd

Similarity

API ID:
String ID: DFj$DFj$DFj$DFj$DFj$DFj
API String ID: 0-3326637079
Opcode ID: da73f7460c4d6df83d0e8e95d6bf4a47dea7b123d2c98a10410de9417a0e542b
Instruction ID: f429525dc389b54761c4337922d1f61688ec8eb89b19e8b798631c6db2f92dcf
Opcode Fuzzy Hash: da73f7460c4d6df83d0e8e95d6bf4a47dea7b123d2c98a10410de9417a0e542b
Instruction Fuzzy Hash: 4411A7307002116FD6026BA59C92E6DB693FBC6604B40853CD21A4FB95CFB2AD5643E2

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Desktop\Google Chrome.lnk

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\setup.exe.log

C:\Users\user\AppData\Local\Temp\Tmp6A0F.tmp

C:\Users\user\AppData\Local\Temp\Tmp6A20.tmp

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Windows Analysis Report
setup.exe

Function 05BA1340 Relevance: 80.9, Strings: 64, Instructions: 852
COMMON

Function 05BCA08F Relevance: 80.8, Strings: 64, Instructions: 849
COMMON

Function 05BA1350 Relevance: 80.8, Strings: 64, Instructions: 847
COMMON

Function 05BCA0A0 Relevance: 80.8, Strings: 64, Instructions: 796
COMMON

Function 05BCCB52 Relevance: 80.8, Strings: 64, Instructions: 787
COMMON

Function 05BCDE4F Relevance: 80.7, Strings: 64, Instructions: 733
COMMON

Function 05BCDE60 Relevance: 80.7, Strings: 64, Instructions: 732
COMMON

Function 05B91E88 Relevance: 1.8, Strings: 1, Instructions: 578
COMMON

Function 05BC6098 Relevance: 1.7, Strings: 1, Instructions: 438
COMMON

Function 03023A89 Relevance: 2.6, Strings: 2, Instructions: 56
COMMON

Function 05B90D79 Relevance: 2.0, APIs: 1, Instructions: 527
threadCOMMON

Function 05B919B4 Relevance: 1.8, APIs: 1, Instructions: 327
processCOMMON

Function 05B919C0 Relevance: 1.8, APIs: 1, Instructions: 321
processCOMMON

Function 05B91588 Relevance: 1.6, APIs: 1, Instructions: 119
injectionCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre