Edit tour

Windows Analysis Report
RDM_Root_Cert_Update_Windows.exe

Overview

General Information

Sample name:	RDM_Root_Cert_Update_Windows.exe
Analysis ID:	1500639
MD5:	d4b2995d38da119e5b0db2cb90778224
SHA1:	2570198aafaf5d6f394ffd6e7e741c2316510ee0
SHA256:	05a6215fbf82c755b73dcfa297f229bf5b88c879b4a7a2edf680ebd97a4580ad
Infos:

Detection

Score:	26
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

Installs new ROOT certificates

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Creates a process in suspended mode (likely to inject code)

Dropped file seen in connection with other malware

Drops PE files

Drops certificate files (DER)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses net.exe to stop services

Classification

Process Tree

System is w10x64

RDM_Root_Cert_Update_Windows.exe (PID: 5844 cmdline: "C:\Users\user\Desktop\RDM_Root_Cert_Update_Windows.exe" MD5: D4B2995D38DA119E5B0DB2CB90778224)

RDM_Root_Cert_Update_Windows.tmp (PID: 5900 cmdline: "C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp" /SL5="$10476,2990719,887296,C:\Users\user\Desktop\RDM_Root_Cert_Update_Windows.exe" MD5: A5388235BBD3513D95A2A5C172A55680)

RDM_ROOTCERTIFICATE.exe (PID: 6204 cmdline: "C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\RDM_ROOTCERTIFICATE.exe" /VERYSILENT MD5: 5DAEC5D62A1B06418E5EAE25B7857748)

RDM_ROOTCERTIFICATE.tmp (PID: 6400 cmdline: "C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp" /SL5="$2047A,1902883,887296,C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\RDM_ROOTCERTIFICATE.exe" /VERYSILENT MD5: 05CB53C8116FA798AB00B737F7B94015)

cmd.exe (PID: 6164 cmdline: "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp/RdmCert/certremoval.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7056 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo 1 " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

certmgr.exe (PID: 2820 cmdline: CertMgr.exe -del -c -n "RDM Device Root" -s -r localMachine Root MD5: 5D077A0CDD077C014EEDB768FEB249BA)

certmgr.exe (PID: 5632 cmdline: CertMgr.exe -del -c -n "RDM Device Root" -s -r localMachine Root MD5: 5D077A0CDD077C014EEDB768FEB249BA)

certmgr.exe (PID: 5344 cmdline: "C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp/RdmCert/CertMgr.exe" -add -c RDM_RootCA.pem -s -r localmachine Root MD5: 5D077A0CDD077C014EEDB768FEB249BA)

conhost.exe (PID: 6056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 320 cmdline: "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp/RdmCert/AddCert.bat" "C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\RDM_RootCA.pem"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1784 cmdline: C:\Windows\system32\cmd.exe /c dir /B "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

certutil.exe (PID: 3116 cmdline: certutil.exe -A -n "RDM_Device" -t "TCu,TCu,TCu" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\." -i "C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\RDM_RootCA.pem" MD5: 0DDA4F16AE041578B4E250AE12E06EB1)

certutil.exe (PID: 6392 cmdline: "C:\Windows\system32/certutil.exe" f p rdm736 importpfx "C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\rdm.pfx" MD5: 0DDA4F16AE041578B4E250AE12E06EB1)

conhost.exe (PID: 4720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net.exe (PID: 3784 cmdline: "C:\Windows\system32\net.exe" stop "RDMAppweb" MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 5712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 7064 cmdline: C:\Windows\system32\net1 stop "RDMAppweb" MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 7056 cmdline: "C:\Windows\system32\net.exe" stop "Embedthis Rdmappweb" MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 3608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 5604 cmdline: C:\Windows\system32\net1 stop "Embedthis Rdmappweb" MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 6392 cmdline: "C:\Windows\system32\net.exe" start "RDMAppweb" MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 3504 cmdline: C:\Windows\system32\net1 start "RDMAppweb" MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

net.exe (PID: 6720 cmdline: "C:\Windows\system32\net.exe" start "Embedthis Rdmappweb" MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 7064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 3292 cmdline: C:\Windows\system32\net1 start "Embedthis Rdmappweb" MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

cleanup

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp/RdmCert/certremoval.bat"", CommandLine: "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp/RdmCert/certremoval.bat"", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp" /SL5="$2047A,1902883,887296,C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\RDM_ROOTCERTIFICATE.exe" /VERYSILENT, ParentImage: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp, ParentProcessId: 6400, ParentProcessName: RDM_ROOTCERTIFICATE.tmp, ProcessCommandLine: "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp/RdmCert/certremoval.bat"", ProcessId: 6164, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Local Accounts Discovery

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: C:\Windows\system32\cmd.exe /c dir /B "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*", CommandLine: C:\Windows\system32\cmd.exe /c dir /B "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp/RdmCert/AddCert.bat" "C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\RDM_RootCA.pem"", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 320, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c dir /B "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*", ProcessId: 1784, ProcessName: cmd.exe

Sigma detected: Net.exe Execution

Source: Process started

Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: "C:\Windows\system32\net.exe" stop "RDMAppweb", CommandLine: "C:\Windows\system32\net.exe" stop "RDMAppweb", CommandLine|base64offset|contains: ), Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp" /SL5="$10476,2990719,887296,C:\Users\user\Desktop\RDM_Root_Cert_Update_Windows.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp, ParentProcessId: 5900, ParentProcessName: RDM_Root_Cert_Update_Windows.tmp, ProcessCommandLine: "C:\Windows\system32\net.exe" stop "RDMAppweb", ProcessId: 3784, ProcessName: net.exe

Sigma detected: Start Windows Service Via Net.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: "C:\Windows\system32\net.exe" start "RDMAppweb", CommandLine: "C:\Windows\system32\net.exe" start "RDMAppweb", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp" /SL5="$10476,2990719,887296,C:\Users\user\Desktop\RDM_Root_Cert_Update_Windows.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp, ParentProcessId: 5900, ParentProcessName: RDM_Root_Cert_Update_Windows.tmp, ProcessCommandLine: "C:\Windows\system32\net.exe" start "RDMAppweb", ProcessId: 6392, ProcessName: net.exe

Sigma detected: Stop Windows Service Via Net.EXE

Source: Process started

Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\system32\net.exe" stop "RDMAppweb", CommandLine: "C:\Windows\system32\net.exe" stop "RDMAppweb", CommandLine|base64offset|contains: ), Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp" /SL5="$10476,2990719,887296,C:\Users\user\Desktop\RDM_Root_Cert_Update_Windows.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp, ParentProcessId: 5900, ParentProcessName: RDM_Root_Cert_Update_Windows.tmp, ProcessCommandLine: "C:\Windows\system32\net.exe" stop "RDMAppweb", ProcessId: 3784, ProcessName: net.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe	Code function: 8_2_0100197F CryptMsgClose,CertCloseStore,	8_2_0100197F
Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe	Code function: 8_2_01001AD0 GetModuleHandleA,CryptInitOIDFunctionSet,CryptInstallOIDFunctionAddress,CryptRegisterOIDInfo,	8_2_01001AD0
Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe	Code function: 8_2_01006F21 CryptDecodeObject,printf,	8_2_01006F21
Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe	Code function: 8_2_0100812A CryptFindOIDInfo,	8_2_0100812A
Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe	Code function: 8_2_01007E5A CryptFindOIDInfo,	8_2_01007E5A
Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe	Code function: 8_2_01001965 CryptMsgClose,CertCloseStore,	8_2_01001965
Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe	Code function: 8_2_01008168 CryptFindOIDInfo,	8_2_01008168
Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe	Code function: 8_2_0100826B CryptDecodeObject,CryptDecodeObject,CryptDecodeObject,	8_2_0100826B
Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe	Code function: 8_2_01008186 CryptMsgGetParam,CryptMsgGetParam,CryptMsgGetParam,	8_2_01008186
Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe	Code function: 8_2_010052A5 CertOpenStore,CryptSIPRetrieveSubjectGuid,CryptSIPLoad,CertOpenStore,CryptMsgOpenToDecode,CertCloseStore,CryptMsgUpdate,CertCloseStore,CryptMsgClose,	8_2_010052A5
Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe	Code function: 8_2_01006FB3 CryptDecodeObject,printf,	8_2_01006FB3
Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe	Code function: 8_2_010018CB CryptMsgClose,CertCloseStore,	8_2_010018CB
Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe	Code function: 8_2_010050E8 CryptMsgGetAndVerifySigner,CertFreeCTLContext,	8_2_010050E8
Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe	Code function: 8_2_010076EB CryptDecodeObject,printf,printf,printf,	8_2_010076EB
Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe	Code function: 8_2_010037EC strtok,strtok,CryptEncodeObject,CryptEncodeObject,CryptEncodeObject,CertEnumCertificatesInStore,CertEnumCertificatesInStore,CertSetCertificateContextProperty,CertSetCertificateContextProperty,CertSetCertificateContextProperty,CertEnumCertificatesInStore,CertFreeCTLContext,	8_2_010037EC
Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe	Code function: 8_2_01007FF1 CryptGetOIDFunctionAddress,wprintf,CryptFreeOIDFunctionAddress,	8_2_01007FF1
Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe	Code function: 8_2_010045F3 CryptHashPublicKeyInfo,CryptReleaseContext,CertGetCertificateContextProperty,printf,printf,printf,CertGetPublicKeyLength,printf,printf,printf,	8_2_010045F3

Source: RDM_Root_Cert_Update_Windows.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Directory created: C:\Program Files\Mozilla Firefox\defaults\pref\is-PMF5D.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Directory created: C:\Program Files\Mozilla Firefox\defaults\pref\is-K76D6.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Directory created: C:\Program Files\Mozilla Firefox\is-PGH5D.tmp	Jump to behavior

Source: RDM_Root_Cert_Update_Windows.exe

Static PE information: certificate valid

Source: RDM_Root_Cert_Update_Windows.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\	Jump to behavior

Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://acedicom.edicomgroup.com/doc0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://crl.comodoca.com/SecureCertificateServices.crl09
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://crl.comodoca.com/TrustedCertificateServices.crl0:
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://crl.geotrust.com/crls/globalca1.crl0
Source: RDM_Root_Cert_Update_Windows.exe, is-N0SQK.tmp.1.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: RDM_Root_Cert_Update_Windows.exe, is-N0SQK.tmp.1.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0V
Source: RDM_Root_Cert_Update_Windows.exe, is-N0SQK.tmp.1.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl0
Source: RDM_Root_Cert_Update_Windows.exe, is-N0SQK.tmp.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: RDM_Root_Cert_Update_Windows.exe, is-N0SQK.tmp.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://crl.oces.certifikat.dk/oces.crl0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://ocsp.comodoca.com0%
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://ocsp.comodoca.com0-
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://ocsp.comodoca.com0/
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://ocsp.comodoca.com05
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://ocsp.entrust.net03
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://ocsp.entrust.net0D
Source: RDM_Root_Cert_Update_Windows.exe, is-N0SQK.tmp.1.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: RDM_Root_Cert_Update_Windows.exe, is-N0SQK.tmp.1.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: RDM_Root_Cert_Update_Windows.exe, is-N0SQK.tmp.1.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
Source: RDM_Root_Cert_Update_Windows.exe, is-N0SQK.tmp.1.dr	String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://ocsp.pki.gva.es0
Source: RDM_Root_Cert_Update_Windows.exe, is-N0SQK.tmp.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: RDM_Root_Cert_Update_Windows.exe, is-N0SQK.tmp.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://policy.camerfirma.com0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://repository.swisssign.com/0
Source: RDM_Root_Cert_Update_Windows.exe, is-N0SQK.tmp.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: RDM_Root_Cert_Update_Windows.exe, is-N0SQK.tmp.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
Source: RDM_Root_Cert_Update_Windows.exe, is-N0SQK.tmp.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: RDM_Root_Cert_Update_Windows.exe, is-N0SQK.tmp.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://www.certifikat.dk/repository0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: is-SJL0P.tmp.4.dr	String found in binary or memory: http://www.chambersign.org1
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://www.disig.sk/ca0f
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: is-SJL0P.tmp.4.dr	String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://www.entrust.net/CRL/net1.crl0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://www.firmaprofesional.com0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-8I24T.tmp.4.dr, is-MK9CH.tmp.4.dr, is-U7N00.tmp.4.dr	String found in binary or memory: http://www.mozilla.org/MPL/
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-8I24T.tmp.4.dr, is-MK9CH.tmp.4.dr, is-U7N00.tmp.4.dr	String found in binary or memory: http://www.mozilla.org/MPL/Copyright
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://www.phreedom.org/md5)
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://www.phreedom.org/md5)0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://www.phreedom.org/md5)MD5
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://www.pki.gva.es/cps0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://www.pki.gva.es/cps0%
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://www.quovadis.bm0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2123504985.0000000003490000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2145776607.0000000000D33000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.rdmcorp.com
Source: RDM_Root_Cert_Update_Windows.exe, 00000000.00000003.2174784142.0000000002343000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOTCERTIFICATE.exe, 00000003.00000003.2148199999.0000000002343000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.rdmcorp.comQ64
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://www.sk.ee/cps/0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://www.valicert.com/1
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: http://www.wellsfargo.com/certpolicy0
Source: RDM_Root_Cert_Update_Windows.exe, is-N0SQK.tmp.1.dr	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: https://secure.comodo.com/CPS0
Source: is-SJL0P.tmp.4.dr	String found in binary or memory: https://www.catcert.net/verarrel
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	String found in binary or memory: https://www.catcert.net/verarrel05
Source: RDM_Root_Cert_Update_Windows.exe, is-N0SQK.tmp.1.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: RDM_Root_Cert_Update_Windows.exe, 00000000.00000003.2066414940.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, RDM_Root_Cert_Update_Windows.exe, 00000000.00000003.2066792410.000000007FB30000.00000004.00001000.00020000.00000000.sdmp, RDM_Root_Cert_Update_Windows.tmp, 00000001.00000000.2068157919.0000000000401000.00000020.00000001.01000000.00000004.sdmp, RDM_ROOTCERTIFICATE.tmp.3.dr, RDM_Root_Cert_Update_Windows.tmp.0.dr	String found in binary or memory: https://www.innosetup.com/
Source: is-SJL0P.tmp.4.dr	String found in binary or memory: https://www.netlock.hu/docs/
Source: is-SJL0P.tmp.4.dr	String found in binary or memory: https://www.netlock.net/docs
Source: RDM_Root_Cert_Update_Windows.exe, 00000000.00000003.2066414940.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, RDM_Root_Cert_Update_Windows.exe, 00000000.00000003.2066792410.000000007FB30000.00000004.00001000.00020000.00000000.sdmp, RDM_Root_Cert_Update_Windows.tmp, 00000001.00000000.2068157919.0000000000401000.00000020.00000001.01000000.00000004.sdmp, RDM_ROOTCERTIFICATE.tmp.3.dr, RDM_Root_Cert_Update_Windows.tmp.0.dr	String found in binary or memory: https://www.remobjects.com/ps

Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\rdm.pfx (copy)			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-1QMJT.tmp			Jump to dropped file

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe (copy) 8A830C48C4D78159DD80F4DAD81C0BEBBF9314710026B1A2EF0FFDDDCB24B83D

Source: RDM_Root_Cert_Update_Windows.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: RDM_ROOTCERTIFICATE.tmp.3.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: RDM_Root_Cert_Update_Windows.exe, 00000000.00000003.2066792410.000000007FE30000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs RDM_Root_Cert_Update_Windows.exe
Source: RDM_Root_Cert_Update_Windows.exe, 00000000.00000003.2066414940.00000000026A4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs RDM_Root_Cert_Update_Windows.exe
Source: RDM_Root_Cert_Update_Windows.exe, 00000000.00000000.2064795778.00000000004DF000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs RDM_Root_Cert_Update_Windows.exe
Source: RDM_Root_Cert_Update_Windows.exe	Binary or memory string: OriginalFileName vs RDM_Root_Cert_Update_Windows.exe

Source: RDM_Root_Cert_Update_Windows.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: sus26.winEXE@49/59@0/0

Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp

File created: C:\Program Files (x86)\RDM Corporation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp

File created: C:\Users\user\AppData\Local\Programs

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6056:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5712:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6348:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6160:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4720:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_03

Source: C:\Users\user\Desktop\RDM_Root_Cert_Update_Windows.exe

File created: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp/RdmCert/certremoval.bat""

Source: C:\Users\user\Desktop\RDM_Root_Cert_Update_Windows.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\RDM_Root_Cert_Update_Windows.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\RDM_ROOTCERTIFICATE.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\RDM_ROOTCERTIFICATE.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Desktop\RDM_Root_Cert_Update_Windows.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000005142000.00000004.00001000.00020000.00000000.sdmp, is-M356P.tmp.4.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000005142000.00000004.00001000.00020000.00000000.sdmp, is-LTALL.tmp.4.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000005142000.00000004.00001000.00020000.00000000.sdmp, is-M356P.tmp.4.dr	Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000005142000.00000004.00001000.00020000.00000000.sdmp, is-LTALL.tmp.4.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000005142000.00000004.00001000.00020000.00000000.sdmp, is-LTALL.tmp.4.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000005142000.00000004.00001000.00020000.00000000.sdmp, is-M356P.tmp.4.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000005142000.00000004.00001000.00020000.00000000.sdmp, is-LTALL.tmp.4.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000005142000.00000004.00001000.00020000.00000000.sdmp, is-M356P.tmp.4.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000005142000.00000004.00001000.00020000.00000000.sdmp, is-M356P.tmp.4.dr	Binary or memory string: SELECT ALL * FROM %s WHERE %s;
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000005142000.00000004.00001000.00020000.00000000.sdmp, is-M356P.tmp.4.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000005142000.00000004.00001000.00020000.00000000.sdmp, is-LTALL.tmp.4.dr	Binary or memory string: UPDATE sqlite_master SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000005142000.00000004.00001000.00020000.00000000.sdmp, is-M356P.tmp.4.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000005142000.00000004.00001000.00020000.00000000.sdmp, is-M356P.tmp.4.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000005142000.00000004.00001000.00020000.00000000.sdmp, is-LTALL.tmp.4.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000005142000.00000004.00001000.00020000.00000000.sdmp, is-M356P.tmp.4.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000005142000.00000004.00001000.00020000.00000000.sdmp, is-M356P.tmp.4.dr	Binary or memory string: SELECT ALL * FROM %s;
Source: RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000005142000.00000004.00001000.00020000.00000000.sdmp, is-LTALL.tmp.4.dr	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: RDM_Root_Cert_Update_Windows.exe

String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\RDM_Root_Cert_Update_Windows.exe

File read: C:\Users\user\Desktop\RDM_Root_Cert_Update_Windows.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\RDM_Root_Cert_Update_Windows.exe "C:\Users\user\Desktop\RDM_Root_Cert_Update_Windows.exe"
Source: C:\Users\user\Desktop\RDM_Root_Cert_Update_Windows.exe	Process created: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp "C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp" /SL5="$10476,2990719,887296,C:\Users\user\Desktop\RDM_Root_Cert_Update_Windows.exe"
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\RDM_ROOTCERTIFICATE.exe "C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\RDM_ROOTCERTIFICATE.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\RDM_ROOTCERTIFICATE.exe	Process created: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp "C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp" /SL5="$2047A,1902883,887296,C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\RDM_ROOTCERTIFICATE.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp/RdmCert/certremoval.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo 1 "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe CertMgr.exe -del -c -n "RDM Device Root" -s -r localMachine Root
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe CertMgr.exe -del -c -n "RDM Device Root" -s -r localMachine Root
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe "C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp/RdmCert/CertMgr.exe" -add -c RDM_RootCA.pem -s -r localmachine Root
Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp/RdmCert/AddCert.bat" "C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\RDM_RootCA.pem""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c dir /B "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\.default"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\certutil.exe certutil.exe -A -n "RDM_Device" -t "TCu,TCu,TCu" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\." -i "C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\RDM_RootCA.pem"
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Process created: C:\Windows\SysWOW64\certutil.exe "C:\Windows\system32/certutil.exe" f p rdm736 importpfx "C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\rdm.pfx"
Source: C:\Windows\SysWOW64\certutil.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" stop "RDMAppweb"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "RDMAppweb"
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" stop "Embedthis Rdmappweb"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Embedthis Rdmappweb"
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" start "RDMAppweb"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start "RDMAppweb"
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" start "Embedthis Rdmappweb"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start "Embedthis Rdmappweb"
Source: C:\Users\user\Desktop\RDM_Root_Cert_Update_Windows.exe	Process created: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp "C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp" /SL5="$10476,2990719,887296,C:\Users\user\Desktop\RDM_Root_Cert_Update_Windows.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\RDM_ROOTCERTIFICATE.exe "C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\RDM_ROOTCERTIFICATE.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" stop "RDMAppweb"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo 1 "	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Process created: C:\Windows\SysWOW64\certutil.exe "C:\Windows\system32/certutil.exe" f p rdm736 importpfx "C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\rdm.pfx"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" start "Embedthis Rdmappweb"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\RDM_ROOTCERTIFICATE.exe	Process created: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp "C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp" /SL5="$2047A,1902883,887296,C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\RDM_ROOTCERTIFICATE.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp/RdmCert/certremoval.bat""	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe "C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp/RdmCert/CertMgr.exe" -add -c RDM_RootCA.pem -s -r localmachine Root	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp/RdmCert/AddCert.bat" "C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\RDM_RootCA.pem""	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Process created: C:\Windows\SysWOW64\certutil.exe "C:\Windows\system32/certutil.exe" f p rdm736 importpfx "C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\rdm.pfx"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo 1 "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe CertMgr.exe -del -c -n "RDM Device Root" -s -r localMachine Root	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe CertMgr.exe -del -c -n "RDM Device Root" -s -r localMachine Root	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c dir /B "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\.default"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\certutil.exe certutil.exe -A -n "RDM_Device" -t "TCu,TCu,TCu" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\." -i "C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\RDM_RootCA.pem"	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "RDMAppweb"	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Embedthis Rdmappweb"	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start "RDMAppweb"	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start "Embedthis Rdmappweb"	Jump to behavior

Source: C:\Users\user\Desktop\RDM_Root_Cert_Update_Windows.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RDM_Root_Cert_Update_Windows.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\RDM_Root_Cert_Update_Windows.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\RDM_Root_Cert_Update_Windows.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RDM_Root_Cert_Update_Windows.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\RDM_ROOTCERTIFICATE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\RDM_ROOTCERTIFICATE.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\RDM_ROOTCERTIFICATE.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\RDM_ROOTCERTIFICATE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\RDM_ROOTCERTIFICATE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: certenroll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: dsparse.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: webservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp

Window found: window name: TMainForm

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Automated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Automated click: Next

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Directory created: C:\Program Files\Mozilla Firefox\defaults\pref\is-PMF5D.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Directory created: C:\Program Files\Mozilla Firefox\defaults\pref\is-K76D6.tmp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Directory created: C:\Program Files\Mozilla Firefox\is-PGH5D.tmp	Jump to behavior

Source: RDM_Root_Cert_Update_Windows.exe

Static PE information: certificate valid

Source: RDM_Root_Cert_Update_Windows.exe

Static file information: File size 3838992 > 1048576

Source: RDM_Root_Cert_Update_Windows.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: RDM_Root_Cert_Update_Windows.exe	Static PE information: section name: .didata
Source: RDM_Root_Cert_Update_Windows.tmp.0.dr	Static PE information: section name: .didata
Source: is-N0SQK.tmp.1.dr	Static PE information: section name: .didata
Source: RDM_ROOTCERTIFICATE.tmp.3.dr	Static PE information: section name: .didata

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CAFAC3A697F2F0A9D66F8F1DC86BEE6AD15E425C Blob	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CAFAC3A697F2F0A9D66F8F1DC86BEE6AD15E425C Blob	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CAFAC3A697F2F0A9D66F8F1DC86BEE6AD15E425C Blob	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CAFAC3A697F2F0A9D66F8F1DC86BEE6AD15E425C Blob	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CAFAC3A697F2F0A9D66F8F1DC86BEE6AD15E425C Blob	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CAFAC3A697F2F0A9D66F8F1DC86BEE6AD15E425C Blob	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CAFAC3A697F2F0A9D66F8F1DC86BEE6AD15E425C Blob	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CAFAC3A697F2F0A9D66F8F1DC86BEE6AD15E425C Blob	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\nssckbi.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-SJL0P.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-AUFQA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-U7N00.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\libnspr4.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\RDM_ROOTCERTIFICATE.exe	File created: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-T2GKH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-QG9HH.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\RDM_Root_Cert_Update_Windows.exe	File created: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\nss3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\nssdbm3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\libplds4.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-8C4S6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-K24N6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\softokn3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\libplc4.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\nssutil3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-MK9CH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	File created: C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\is-N0SQK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	File created: C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\RDM_ROOTCERTIFICATE.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-8I24T.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-3KPG9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\freebl3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-LTALL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-PBG95.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\smime3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\ssl3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	File created: C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-M356P.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp

Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" stop "RDMAppweb"

Source: C:\Users\user\Desktop\RDM_Root_Cert_Update_Windows.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\RDM_ROOTCERTIFICATE.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\nssckbi.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-SJL0P.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-AUFQA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-U7N00.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\libnspr4.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-T2GKH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-QG9HH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\nss3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\nssdbm3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\libplds4.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-8C4S6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-K24N6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\softokn3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\nssutil3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\libplc4.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-MK9CH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-8I24T.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\freebl3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-3KPG9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-LTALL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\smime3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\ssl3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-M356P.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe

API coverage: 8.5 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\	Jump to behavior

Source: RDM_Root_Cert_Update_Windows.exe

Binary or memory string: QeMU5

Source: C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo 1 "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe CertMgr.exe -del -c -n "RDM Device Root" -s -r localMachine Root	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe CertMgr.exe -del -c -n "RDM Device Root" -s -r localMachine Root	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c dir /B "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\.default"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\certutil.exe certutil.exe -A -n "RDM_Device" -t "TCu,TCu,TCu" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\." -i "C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\RDM_RootCA.pem"	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "RDMAppweb"	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Embedthis Rdmappweb"	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start "RDMAppweb"	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start "Embedthis Rdmappweb"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe

Code function: 8_2_010082F1 GetSystemTime,SystemTimeToFileTime,CompareFileTime,

8_2_010082F1

Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe

Code function: 8_2_0100877A GetVersionExA,

8_2_0100877A

Source: C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	2 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	3 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Service Execution	1 Scripting	11 Process Injection	11 Process Injection	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	1 Install Root Certificate	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	2 System Owner/User Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	4 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RDM_Root_Cert_Update_Windows.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\freebl3.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-3KPG9.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-8C4S6.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-8I24T.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-AUFQA.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-K24N6.tmp	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-LTALL.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-M356P.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-MK9CH.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-PBG95.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-QG9HH.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-SJL0P.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-T2GKH.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-U7N00.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\libnspr4.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\libplc4.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\libplds4.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\nss3.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\nssckbi.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\nssdbm3.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\nssutil3.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\smime3.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\softokn3.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\sqlite3.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\ssl3.dll (copy)	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\RDM_ROOTCERTIFICATE.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\is-N0SQK.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://cps.chambersign.org/cps/chambersroot.html0	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://www.firmaprofesional.com/cps0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://repository.swisssign.com/0	0%	URL Reputation	safe
http://crl.securetrust.com/SGCA.crl0	0%	URL Reputation	safe
http://crl.securetrust.com/STCA.crl0	0%	URL Reputation	safe
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	0%	Avira URL Cloud	safe
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	Avira URL Cloud	safe
http://crl.chambersign.org/chambersroot.crl0	0%	Avira URL Cloud	safe
http://fedir.comsign.co.il/crl/ComSignCA.crl0	0%	Avira URL Cloud	safe
http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0	0%	Avira URL Cloud	safe
http://www.certplus.com/CRL/class2.crl0	0%	URL Reputation	safe
http://www.rdmcorp.comQ64	0%	Avira URL Cloud	safe
http://www.quovadisglobal.com/cps0	0%	URL Reputation	safe
http://www.certifikat.dk/repository0	0%	Avira URL Cloud	safe
https://www.remobjects.com/ps	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	Avira URL Cloud	safe
https://www.innosetup.com/	0%	URL Reputation	safe
http://www.phreedom.org/md5)MD5	0%	Avira URL Cloud	safe
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	Avira URL Cloud	safe
http://www.pkioverheid.nl/policies/root-policy0	0%	Avira URL Cloud	safe
http://www.e-szigno.hu/RootCA.crt0	0%	Avira URL Cloud	safe
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	0%	Avira URL Cloud	safe
http://www.disig.sk/ca/crl/ca_disig.crl0	0%	Avira URL Cloud	safe
https://ocsp.quovadisoffshore.com0	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://policy.camerfirma.com0	0%	URL Reputation	safe
http://crl.entrust.net/server1.crl0	0%	URL Reputation	safe
https://www.catcert.net/verarrel	0%	URL Reputation	safe
https://www.catcert.net/verarrel05	0%	URL Reputation	safe
http://www.quovadis.bm0	0%	URL Reputation	safe
http://www.e-szigno.hu/SZSZ/0	0%	Avira URL Cloud	safe
http://www.sk.ee/cps/0	0%	Avira URL Cloud	safe
https://secure.comodo.com/CPS0	0%	URL Reputation	safe
http://www.valicert.com/1	0%	Avira URL Cloud	safe
http://cps.chambersign.org/cps/chambersignroot.html0	0%	Avira URL Cloud	safe
http://www.phreedom.org/md5)	0%	Avira URL Cloud	safe
http://ocsp.pki.gva.es0	0%	Avira URL Cloud	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe
http://www.rdmcorp.com	0%	Avira URL Cloud	safe
http://crl.oces.certifikat.dk/oces.crl0	0%	Avira URL Cloud	safe
http://crl.pki.wellsfargo.com/wsprca.crl0	0%	Avira URL Cloud	safe
http://www.certicamara.com/dpc/0Z	0%	Avira URL Cloud	safe
https://rca.e-szigno.hu/ocsp0-	0%	Avira URL Cloud	safe
https://www.netlock.hu/docs/	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	Avira URL Cloud	safe
http://acedicom.edicomgroup.com/doc0	0%	Avira URL Cloud	safe
http://www.entrust.net/CRL/net1.crl0	0%	Avira URL Cloud	safe
http://www.disig.sk/ca0f	0%	Avira URL Cloud	safe
http://crl.chambersign.org/chambersignroot.crl0	0%	Avira URL Cloud	safe
http://www.sk.ee/juur/crl/0	0%	Avira URL Cloud	safe
http://www.e-szigno.hu/RootCA.crl	0%	Avira URL Cloud	safe
http://crl.xrampsecurity.com/XGCA.crl0	0%	Avira URL Cloud	safe
http://www.pki.gva.es/cps0	0%	Avira URL Cloud	safe
http://www.firmaprofesional.com0	0%	Avira URL Cloud	safe
http://www.trustdst.com/certificates/policy/ACES-index.html0	0%	Avira URL Cloud	safe
http://www.pki.gva.es/cps0%	0%	Avira URL Cloud	safe
http://www.wellsfargo.com/certpolicy0	0%	Avira URL Cloud	safe
http://www.pkioverheid.nl/policies/root-policy-G20	0%	Avira URL Cloud	safe
http://www.phreedom.org/md5)0	0%	Avira URL Cloud	safe
https://www.netlock.net/docs	0%	Avira URL Cloud	safe
http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	RDM_Root_Cert_Update_Windows.exe, is-N0SQK.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://fedir.comsign.co.il/crl/ComSignCA.crl0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://crl.chambersign.org/chambersroot.crl0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net03	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	URL Reputation: safe	unknown
http://cps.chambersign.org/cps/chambersroot.html0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	URL Reputation: safe	unknown
http://www.rdmcorp.comQ64	RDM_Root_Cert_Update_Windows.exe, 00000000.00000003.2174784142.0000000002343000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOTCERTIFICATE.exe, 00000003.00000003.2148199999.0000000002343000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.certifikat.dk/repository0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://www.chambersign.org1	is-SJL0P.tmp.4.dr	false	URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://www.firmaprofesional.com/cps0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	URL Reputation: safe	unknown
http://www.pkioverheid.nl/policies/root-policy0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://repository.swisssign.com/0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	URL Reputation: safe	unknown
http://crl.securetrust.com/SGCA.crl0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	URL Reputation: safe	unknown
http://www.phreedom.org/md5)MD5	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://crl.securetrust.com/STCA.crl0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	URL Reputation: safe	unknown
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://ca.disig.sk/ca/crl/ca_disig.crl0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://www.certplus.com/CRL/class2.crl0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	URL Reputation: safe	unknown
http://www.disig.sk/ca/crl/ca_disig.crl0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://www.e-szigno.hu/RootCA.crt0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://www.quovadisglobal.com/cps0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	URL Reputation: safe	unknown
https://www.remobjects.com/ps	RDM_Root_Cert_Update_Windows.exe, 00000000.00000003.2066414940.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, RDM_Root_Cert_Update_Windows.exe, 00000000.00000003.2066792410.000000007FB30000.00000004.00001000.00020000.00000000.sdmp, RDM_Root_Cert_Update_Windows.tmp, 00000001.00000000.2068157919.0000000000401000.00000020.00000001.01000000.00000004.sdmp, RDM_ROOTCERTIFICATE.tmp.3.dr, RDM_Root_Cert_Update_Windows.tmp.0.dr	false	URL Reputation: safe	unknown
https://www.innosetup.com/	RDM_Root_Cert_Update_Windows.exe, 00000000.00000003.2066414940.00000000025A0000.00000004.00001000.00020000.00000000.sdmp, RDM_Root_Cert_Update_Windows.exe, 00000000.00000003.2066792410.000000007FB30000.00000004.00001000.00020000.00000000.sdmp, RDM_Root_Cert_Update_Windows.tmp, 00000001.00000000.2068157919.0000000000401000.00000020.00000001.01000000.00000004.sdmp, RDM_ROOTCERTIFICATE.tmp.3.dr, RDM_Root_Cert_Update_Windows.tmp.0.dr	false	URL Reputation: safe	unknown
http://www.sk.ee/cps/0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://www.valicert.com/1	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://www.e-szigno.hu/SZSZ/0	is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
https://ocsp.quovadisoffshore.com0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	URL Reputation: safe	unknown
http://ocsp.entrust.net0D	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	URL Reputation: safe	unknown
http://cps.chambersign.org/cps/chambersignroot.html0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://policy.camerfirma.com0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	URL Reputation: safe	unknown
http://ocsp.pki.gva.es0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://www.phreedom.org/md5)	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://www.rdmcorp.com	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2123504985.0000000003490000.00000004.00001000.00020000.00000000.sdmp, RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2145776607.0000000000D33000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.oces.certifikat.dk/oces.crl0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/server1.crl0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	URL Reputation: safe	unknown
http://www.certicamara.com/dpc/0Z	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://crl.pki.wellsfargo.com/wsprca.crl0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
https://rca.e-szigno.hu/ocsp0-	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
https://www.netlock.hu/docs/	is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://acedicom.edicomgroup.com/doc0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://www.entrust.net/CRL/net1.crl0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
https://www.catcert.net/verarrel	is-SJL0P.tmp.4.dr	false	URL Reputation: safe	unknown
http://www.disig.sk/ca0f	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://www.e-szigno.hu/RootCA.crl	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://www.sk.ee/juur/crl/0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://crl.chambersign.org/chambersignroot.crl0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://crl.xrampsecurity.com/XGCA.crl0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
https://www.catcert.net/verarrel05	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	URL Reputation: safe	unknown
http://www.quovadis.bm0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	URL Reputation: safe	unknown
http://www.trustdst.com/certificates/policy/ACES-index.html0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://www.firmaprofesional.com0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://www.pki.gva.es/cps0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://www.pki.gva.es/cps0%	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://www.pkioverheid.nl/policies/root-policy-G20	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://www.wellsfargo.com/certpolicy0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
https://secure.comodo.com/CPS0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	URL Reputation: safe	unknown
https://www.netlock.net/docs	is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://www.phreedom.org/md5)0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/2048ca.crl0	RDM_ROOTCERTIFICATE.tmp, 00000004.00000003.2144186096.0000000004F60000.00000004.00001000.00020000.00000000.sdmp, is-SJL0P.tmp.4.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1500639
Start date and time:	2024-08-28 18:57:25 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RDM_Root_Cert_Update_Windows.exe
Detection:	SUS
Classification:	sus26.winEXE@49/59@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 83% Number of executed functions: 10 Number of non-executed functions: 55
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 40.68.123.157
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: RDM_Root_Cert_Update_Windows.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\freebl3.dll (copy)	TouchEn_nxKey_32bit.exe	Get hash	malicious	Unknown	Browse
	TZCRangerRemote_v2.2.2.3_Installer_x64.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.Siggen21.30206.14092.30541.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.Siggen21.30206.14092.30541.exe	Get hash	malicious	Unknown	Browse
	TouchEn_nxKey_Installer_32bit.exe	Get hash	malicious	Unknown	Browse
	TouchEn_nxKey_Installer_32bit.exe	Get hash	malicious	Unknown	Browse
	TouchEn_nxKey_Installer_32bit.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Malware.KillAV.6KOMSE@gen.22946.22832.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Malware.KillAV.6KOMSE@gen.22946.22832.exe	Get hash	malicious	Unknown	Browse
	SCWSConSetup_1.0.1.65_ver.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe (copy)	I3GSvcManager.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.BScope.Trojan.Downloader.22056.5372.exe	Get hash	malicious	Unknown	Browse
	I3GSvcManager.exe	Get hash	malicious	Unknown	Browse
	I3GSvcManager.exe	Get hash	malicious	Unknown	Browse
	Kit_Carteurope_1.7.0.exe	Get hash	malicious	Unknown	Browse
	I3GSvcManager.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Program Files\Mozilla Firefox\defaults\pref\firefox-windows-truststore.js (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	103
Entropy (8bit):	4.493835447768373
Encrypted:	false
SSDEEP:	3:URZqeeLfCXdQFiFyy6HAe+WA6nWZmrXpn:Ui5LKuFiFr6HAe+WfWErZn
MD5:	9556062A739F56D168C1581A11192A17
SHA1:	81EE37E3990A004B9F50CBE99D512A5A5247AA90
SHA-256:	D151A50870503A2D394E3FFD65E2C0DAED043AE1E54C974E80AF811C7A60C78E
SHA-512:	57AB815C4F4F4F7C96D05A714F6CFEBD3DF47EC5C5E8363E07C3180E05BBECB03A472690EDE29BB8690B2E2C0570B5512338B13710E031DE8622D68667031D92
Malicious:	false
Preview:	/* Enable experimental Windows trust store support */..pref("security.enterprise_roots.enabled", true);

C:\Program Files\Mozilla Firefox\defaults\pref\is-K76D6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.4385634049235
Encrypted:	false
SSDEEP:	3:iDVDuE8Lxm0wf9sDuE8LzLpFw6XFn:iDVDopDoNjXF
MD5:	30573ACFC9586271A3F800A10C284479
SHA1:	9CC1A1329258379698A04C33DC5D62E9CE8E06FD
SHA-256:	30B9CF8F9760BCD38617A3878D43FC19E981C6DD13D6400C2A19D2ECAB746CB5
SHA-512:	4A6DF4E50D8C04AD9E65A9D183D4C8B723FCB50E1E786018010A33CEE2B4F73296045864FFFB526D887579BEC8EC5C4CA5353127FB07E632B18C5B4684719015
Malicious:	false
Preview:	pref("general.config.obscure_value", 0);..pref("general.config.filename", "umbrella.cfg");

C:\Program Files\Mozilla Firefox\defaults\pref\is-PMF5D.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	103
Entropy (8bit):	4.493835447768373
Encrypted:	false
SSDEEP:	3:URZqeeLfCXdQFiFyy6HAe+WA6nWZmrXpn:Ui5LKuFiFr6HAe+WfWErZn
MD5:	9556062A739F56D168C1581A11192A17
SHA1:	81EE37E3990A004B9F50CBE99D512A5A5247AA90
SHA-256:	D151A50870503A2D394E3FFD65E2C0DAED043AE1E54C974E80AF811C7A60C78E
SHA-512:	57AB815C4F4F4F7C96D05A714F6CFEBD3DF47EC5C5E8363E07C3180E05BBECB03A472690EDE29BB8690B2E2C0570B5512338B13710E031DE8622D68667031D92
Malicious:	false
Preview:	/* Enable experimental Windows trust store support */..pref("security.enterprise_roots.enabled", true);

C:\Program Files\Mozilla Firefox\defaults\pref\local-settings.js (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.4385634049235
Encrypted:	false
SSDEEP:	3:iDVDuE8Lxm0wf9sDuE8LzLpFw6XFn:iDVDopDoNjXF
MD5:	30573ACFC9586271A3F800A10C284479
SHA1:	9CC1A1329258379698A04C33DC5D62E9CE8E06FD
SHA-256:	30B9CF8F9760BCD38617A3878D43FC19E981C6DD13D6400C2A19D2ECAB746CB5
SHA-512:	4A6DF4E50D8C04AD9E65A9D183D4C8B723FCB50E1E786018010A33CEE2B4F73296045864FFFB526D887579BEC8EC5C4CA5353127FB07E632B18C5B4684719015
Malicious:	false
Preview:	pref("general.config.obscure_value", 0);..pref("general.config.filename", "umbrella.cfg");

C:\Program Files\Mozilla Firefox\is-PGH5D.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	56
Entropy (8bit):	4.503434386188784
Encrypted:	false
SSDEEP:	3:RBkAe+WA6nWZmrXpn:rkAe+WfWErZn
MD5:	E40A3D559E4B85251943E071CD036D90
SHA1:	10FC58DF075108C912589F7954244A807776A0FB
SHA-256:	E179CA82C741D7D4842E42BC339C0E2C9BEFA1A5EFFE33D69D6821B3121FECCA
SHA-512:	07CC337D7EB364FC78B0B36ACBE9F89B85D932B3D616B8EDFB5F12214ECD17853ECAC4725CAE929CCE8A803D868FC3F5A5AD4D394554BB4783B0CCAFEA981959
Malicious:	false
Preview:	//..lockPref("security.enterprise_roots.enabled", true);

C:\Program Files\Mozilla Firefox\umbrella.cfg (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	56
Entropy (8bit):	4.503434386188784
Encrypted:	false
SSDEEP:	3:RBkAe+WA6nWZmrXpn:rkAe+WfWErZn
MD5:	E40A3D559E4B85251943E071CD036D90
SHA1:	10FC58DF075108C912589F7954244A807776A0FB
SHA-256:	E179CA82C741D7D4842E42BC339C0E2C9BEFA1A5EFFE33D69D6821B3121FECCA
SHA-512:	07CC337D7EB364FC78B0B36ACBE9F89B85D932B3D616B8EDFB5F12214ECD17853ECAC4725CAE929CCE8A803D868FC3F5A5AD4D394554BB4783B0CCAFEA981959
Malicious:	false
Preview:	//..lockPref("security.enterprise_roots.enabled", true);

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\901deee3b5b74cb155b513ccd57a4a2e_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\SysWOW64\certutil.exe
File Type:	data
Category:	dropped
Size (bytes):	2251
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	0158FE9CEAD91D1B027B795984737614
SHA1:	B41A11F909A7BDF1115088790A5680AC4E23031B
SHA-256:	513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
SHA-512:	C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f624068db13c5397a4560b17ec912efa_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\SysWOW64\certutil.exe
File Type:	data
Category:	dropped
Size (bytes):	2271
Entropy (8bit):	7.644791740204127
Encrypted:	false
SSDEEP:	48:dSwTdnQwCBU8mrX0kb443ShIlxnz1DcOUQA7/WWp8Ad:dSsdnJCBnmrXE4iWF5cJNnj
MD5:	10D9BB0149661E5ABBFCC8C9C26D502A
SHA1:	F29DE4021C931CFFAD341E86F9AEFDDF40992E08
SHA-256:	0F782079588B990762BF4535D8D4693D50963FE99A8577486E49BDF70A873A06
SHA-512:	B0EF51E08E444BC08A18186F0A0A2C3EF92699C57EE8A4312B3D1170D7EE9A15B0A95D16CF1193F8FFACD4DD9E8519226244A9AC7668983C505C093792645413
Malicious:	false
Preview:	........;...............P...............RDM Localhost Service-aab96529-14af-4a48-8def-dfb9a374fcd8.....................RSA1................M...r....m....(.q..F\|........o.@A..1.@hD..y.e...).w..^......#.5X;.$.G....%f.^t^...f...7.H..6 ..0 ........]............P...V.....>.3W..l.s.X..=(.....0.....0.F4..6.....yC...\|...&]j.<.,X....I< K.l%uC......).r..4.....H..M^.!.nU.....Ge..V.........................z..O.......t..@..O.!..."}P....,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... ...&.G!..*..v=......n.c..n.....j............. ...'.\.&...r.f...}.e.].....R$..m.P...v^i.j.RW...p..]....0kh.;...... .Z.g.......hU.+1........0.]0i6...f:u a.m._...H.F..;-<..%0..a.:....c.?bRZ......j..j..u.#W...Y.x..0...O..F[.F.b...9...mA~...F.:&.%.8..F...2...'......b.u.I1.OL........\|9..!["r...7.6 ..u..\........y....}].K.S9...+...S2P.#....'...A4s......$...S0$.....0......./BL;/.}EY...<.T.i..@@.%....w....)M;.xO.D%Dj.>.H.KF.:.O...)y.t..t.+...r.;ru....0`.P$.....8..P.\|...

C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp

Download File

Process:	C:\Users\user\Desktop\RDM_Root_Cert_Update_Windows.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3218944
Entropy (8bit):	6.344016161695555
Encrypted:	false
SSDEEP:	49152:6EA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTV63338F:K92bz2Eb6pd7B6bAGx7M333K
MD5:	A5388235BBD3513D95A2A5C172A55680
SHA1:	E9BEB5AE74748344085EFC937D8B5ACFCF194E7B
SHA-256:	109DFA3633727AEE046973A9D59DFD493C4F4EDFA50BCBCC37999C4BF020550F
SHA-512:	68E6111FFEB231668914C66D2A09BC21F5FC616767284AF699919AE98B09082C0F89D567CF6CB33B087C5F0C59B4CE813836CD12EEC62E54AA10A584EC4FD970
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...(..`.................:,.........`F,......P,...@...........................2...........@......@....................-......p-.29....-.L.....................................................-......................y-.......-......................text.....,.......,................. ..`.itext...(... ,..*....,............. ..`.data........P,......>,.............@....bss.....y....,..........................idata..29...p-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc...L.....-.......-.............@..@..............1.......0.............@..@........................................................

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\AddCert.bat (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	236
Entropy (8bit):	5.232996410780511
Encrypted:	false
SSDEEP:	6:rFHGxQ61kH7HE9bwe9hc1axKsyGpeJ/nleB/H7HE9bkgjqY1axKs5v:r026ebH279hc14KsyNJ/nAB/bH2714Ks
MD5:	0A7F6C64EEF31DDB78A7EA184A1E526C
SHA1:	222BB7F9444AE8124EAE1F243DCEA4436A32D3AD
SHA-256:	FDCDD7E21E9CCEDACB8BFC166FD945F2CB08979682BD15E70A88BBAAC48714EA
SHA-512:	A9C38DE565354EAF5ADBB714A409056DAF73E7B2F1CCFE4D26D91C687351CE29A8DEA34DA73FC829F0852A5A5E0839A7E4D4AA68802607AA55974F538A5EA5E4
Malicious:	false
Preview:	FOR /F "tokens=" %%A IN ('dir /B "%APPDATA%\Mozilla\Firefox\Profiles\.default*"') DO set FIREFOX_PROFILE_DIR=%%A..certutil.exe -A -n "RDM_Device" -t "TCu,TCu,TCu" -d "%APPDATA%\Mozilla\Firefox\Profiles\%FIREFOX_PROFILE_DIR%\." -i %1..

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\RDM.ico (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	MS Windows icon resource - 5 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	99678
Entropy (8bit):	2.399880160860077
Encrypted:	false
SSDEEP:	384:ckeXhftI9DRRRQwXF6jI2PmdFUMUaaS8FPm0AjaP:ZexftsDRRRPSP
MD5:	C6B1F4998CA0242B1EB448C9694EFF20
SHA1:	D002E4878B16AFD33885553F3507BA2BC23E2179
SHA-256:	15C5C4D9FC4E4FCD10D130A558D4F89931340B40EB6FAECB0BCE1FB5CCCC1CAB
SHA-512:	902117AA14D95A3493D4DB341CE1DCBCF07D8ADA9DF8E4B29100C5FC7D8E732245D9512AE378C9BF2EAA2AEA9B371F089D0BCDD66B71B1EEF84D931874E8528A
Malicious:	false
Preview:	............ .h...V... .... .........00.... ..%..f...@@.... .(B...;........ .(...6}..(....... ..... .....@...................................................................................................................................................................................................................................................................................................................................................uW....Y....wY..y[..uW..uW..wZ....n....uW.....}`........Y..f..uW....Y...x.uW....p.uW....H...=.uW....I.uW.....uW....O...Y..f..uW..}a..x[...f.....uW.........vX..wY..uW...._..k..}a....R..f..uW....C....y\..{^..uW.........vX..x[..uW...i......}a...i...f..uW...n$...\.vX...i..uW...u...m".vY....[.uW..uW........M.uW...f...w1..w1..w1...N.....w1..w1...@........w1..z6.........w1...D...........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\RDM_RootCA.pem (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	PEM certificate
Category:	dropped
Size (bytes):	1452
Entropy (8bit):	5.903783238657704
Encrypted:	false
SSDEEP:	24:LrcM4PB8jfzTKpfU7Kjp9oBePz72nNk7Kj/Xno0fOIJLc/3j2KQo60xHBeBGNbSh:LrcXPCjfzmpfU7MoBePz72nNk7Ao0rLt
MD5:	5236FC957397FB2700DC025C29543CB5
SHA1:	18B222ED28C757645D6986E92E2317839A7A6C6D
SHA-256:	60DB73E7D89E86F33E26E735CD9D37BFC6A097790200E9A32A4AFE7B80CF3F4A
SHA-512:	F3A6DA5BA7130984EDCAF323A42BF3D5B99A6BFED01F4893F215918210F4573B287E2E3F26FA384D013BC2EE7C993592541B99614A0F733DC3FCEF3D1F5C10E7
Malicious:	false
Preview:	-----BEGIN CERTIFICATE-----.MIIEAzCCAusCFGsVDWHO9qoFY2Z2rm9tvBPBsr+yMA0GCSqGSIb3DQEBCwUAMIG8.MQswCQYDVQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzERMA8GA1UEBwwIV2F0ZXJs.b28xGDAWBgNVBAoMD1JETSBDb3Jwb3JhdGlvbjEwMC4GA1UECwwnRGV2aWNlIC0g.Zm9yIEludGVybmFsIEludHJhbmV0IHVzZSBPbmx5MRgwFgYDVQQDDA9SRE0gRGV2.aWNlIFJvb3QxIjAgBgkqhkiG9w0BCQEWE3N1cHBvcnRAcmRtY29ycC5jb20wIBcN.MjExMTI2MDEyNjE4WhgPMjA1NjExMTcwMTI2MThaMIG8MQswCQYDVQQGEwJDQTEQ.MA4GA1UECAwHT250YXJpbzERMA8GA1UEBwwIV2F0ZXJsb28xGDAWBgNVBAoMD1JE.TSBDb3Jwb3JhdGlvbjEwMC4GA1UECwwnRGV2aWNlIC0gZm9yIEludGVybmFsIElu.dHJhbmV0IHVzZSBPbmx5MRgwFgYDVQQDDA9SRE0gRGV2aWNlIFJvb3QxIjAgBgkq.hkiG9w0BCQEWE3N1cHBvcnRAcmRtY29ycC5jb20wggEiMA0GCSqGSIb3DQEBAQUA.A4IBDwAwggEKAoIBAQDnTUJ19cJ2FQi1jQkDljQwn9Mr84flRNWJxaf4qfKLQZEY.0MiHk310N6jlfbVvAAIdm0elbAyIvY9wf6FHR3DYWZ/rMNAFgoZ4bLrBTsvRvtLx.NvKK8Zb4qz2lLgtFCgqfNjp4X1sjEWFtpQGBur8olbFAibgQ5cxJ6OaCaT8qiH37.s/yNVv2SnVL0BpUPPjmPpv/NOTPNHgQ/4ZVWjNYxk3jCEOYTYSmvHNwKTGvUZjSY.R8fEKMuraKWsX0zPoKvW8vX0a7UfExt0AlIzWogDEAblduX2gA/MxQfDN1ekvO

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	59664
Entropy (8bit):	5.552981290836808
Encrypted:	false
SSDEEP:	1536:/RQvLjWiALqLkHbp7m8GYT3WXs39i4zv:/Vz2Lk71m8Ge3WXs1
MD5:	5D077A0CDD077C014EEDB768FEB249BA
SHA1:	EA2C62D69A1F6B9D643FE16319EC7632C9533B3F
SHA-256:	8A830C48C4D78159DD80F4DAD81C0BEBBF9314710026B1A2EF0FFDDDCB24B83D
SHA-512:	71BF48DCB6916A810F63710968894B431357AA694AA169067F567CC82B8E4EE732F581AFB85B256E5C5A9D15A8B7B5746FA6A8B4127B273FEB5B0E03E91B607A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: I3GSvcManager.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.BScope.Trojan.Downloader.22056.5372.exe, Detection: malicious, Browse Filename: I3GSvcManager.exe, Detection: malicious, Browse Filename: I3GSvcManager.exe, Detection: malicious, Browse Filename: Kit_Carteurope_1.7.0.exe, Detection: malicious, Browse Filename: I3GSvcManager.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;.}h.}h.}hh.nh.}h.\|h..}h...h.}h.{h.}h.}h..}hRich.}h................PE..L....B.5.....................l............................................... ..........................................................0W..................................................................@........................................text............................... ..`.data...............................@....rsrc...0W.......X..................@..@.0248...c,.5C....[.5P....[.5]......5i...b,.5u...........MSVCRT.dll.ADVAPI32.dll.KERNEL32.dll.CRYPT32.dll.CRYPTUI.dll.USER32.dll.........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certremoval.bat (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	143
Entropy (8bit):	4.304898083502664
Encrypted:	false
SSDEEP:	3:jWrxTAoV6VGa/IhgZGZNRRo/XOxTAoV6VGa/IhgZGZNRRoa:iRA3sa/0hA+A3sa/0hn
MD5:	E8C0E44371C4EDCC8908173BB91CA75C
SHA1:	5479F75580E366CBB2BB03B15C1518CEBDFC5CB0
SHA-256:	30AA7A6E165232DCA4B1B3ADF8C74BEA54A29686F8802C6DE92075EF53B5C1AA
SHA-512:	3AD2442EA854B2C7B1620A6E679ED36110A0F30023CF12552DE28C70E3E883F859C114D5A14CEC4280564AD280204FA549F7F5680CEFAFFF8A2857E16AC36B7D
Malicious:	false
Preview:	echo 1 \| CertMgr.exe -del -c -n "RDM Device Root" -s -r localMachine Root..CertMgr.exe -del -c -n "RDM Device Root" -s -r localMachine Root....

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\firefox-windows-truststore.js (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	103
Entropy (8bit):	4.493835447768373
Encrypted:	false
SSDEEP:	3:URZqeeLfCXdQFiFyy6HAe+WA6nWZmrXpn:Ui5LKuFiFr6HAe+WfWErZn
MD5:	9556062A739F56D168C1581A11192A17
SHA1:	81EE37E3990A004B9F50CBE99D512A5A5247AA90
SHA-256:	D151A50870503A2D394E3FFD65E2C0DAED043AE1E54C974E80AF811C7A60C78E
SHA-512:	57AB815C4F4F4F7C96D05A714F6CFEBD3DF47EC5C5E8363E07C3180E05BBECB03A472690EDE29BB8690B2E2C0570B5512338B13710E031DE8622D68667031D92
Malicious:	false
Preview:	/* Enable experimental Windows trust store support */..pref("security.enterprise_roots.enabled", true);

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\freebl3.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	222208
Entropy (8bit):	6.697487951906348
Encrypted:	false
SSDEEP:	6144:ScTE2XtnPcWNo4eT4hs8LP71DRIUqqDL67PXGHrIrH:lTE2XtNrLP71Dyxqn6jI
MD5:	269BEB631B580C6D54DB45B5573B1DE5
SHA1:	64050C1159C2BCFC0E75DA407EF0098AD2DE17C8
SHA-256:	FFC7558A61A4E6546CF095BDEABEA19F05247A0DAA02DCA20EA3605E7FC62C77
SHA-512:	649CD40F3E02C2F2711F56AA21F39CCBDA9108143D4766A9728C9AD98F329D5F64F77090DF769C55B66AB48FB9AA4A380944EBE54F2C450F96CF76E5A6ADD31E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: TouchEn_nxKey_32bit.exe, Detection: malicious, Browse Filename: TZCRangerRemote_v2.2.2.3_Installer_x64.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Siggen21.30206.14092.30541.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Siggen21.30206.14092.30541.exe, Detection: malicious, Browse Filename: TouchEn_nxKey_Installer_32bit.exe, Detection: malicious, Browse Filename: TouchEn_nxKey_Installer_32bit.exe, Detection: malicious, Browse Filename: TouchEn_nxKey_Installer_32bit.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware.KillAV.6KOMSE@gen.22946.22832.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware.KillAV.6KOMSE@gen.22946.22832.exe, Detection: malicious, Browse Filename: SCWSConSetup_1.0.1.65_ver.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........[x.5+.5+.5+..+.5+..+.5+..+.5+..+.5+.4+..5+..+.5+..+.5+..+.5+..+.5+Rich.5+................PE..L....A.O...........!.....\...J.......f.......p............................................@..........................U..O...,M..x...............................,...................................hL..@............p..x............................text....[.......\.................. ..`.rdata.......p.......`..............@..@.data....F...`.......F..............@....rsrc................H..............@..@.reloc..x............L..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-1QMJT.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	data
Category:	dropped
Size (bytes):	2685
Entropy (8bit):	7.881499470740637
Encrypted:	false
SSDEEP:	48:R5t7MR3RzOzFv1Zbiyp8wST7kLxC7XPYgT7a0FSpczbVn0q+dBzl:N7MzCpjiyp8wNczPYSe8SuR0/BJ
MD5:	CB24F524AB36239CDA47EBEB8CBD6EDB
SHA1:	4CDC6226288F2D5868C48457F124569ECB91608F
SHA-256:	7EE7F861AF655E38B08FC3112E0B19C518673251478B2DD44C2580659FE402F0
SHA-512:	C1BA2485C5900BBE5B0A7AEEA8856EE77DE8D1544F2F71EFFCA80F3E8DD49B01C309AD3163740263F027AB66ECBDB679B8609AC601D33F98670E406C4C6604B0
Malicious:	false
Preview:	0..y...0..?...H.........0...,0..(0......H..........0......0......H......0....H.......0...=......[..........R^b...o...VY..<...".NR.FTS[Fd.W.8..= rY.......p./.^..1..0U/...i....[Q.@.KLPg.....<...m.....:/Z.....O7}....y5.Y..\..).W.E.G.....#.$._.O.......,.t..+:.....wX.....G!RYM.1i..........G!.S.uX.].S30.M.......Y.d..':......{Z.^W....&..n....A.4.>...F.:A ...ah..m.I..b....s:.........6.y.xH3t!0.dT.N)...nE.......~r..!......=..YQ..n..nlr.z[..0.P.\E_...4...U..y:.._56O\C..4.5&.J...+.... /..............^..l3..+_:....#.<,........f,.L/".'...QA...1J'9>...........xM..Gz...Ih.4F.R.q...%.J.......oTS.W6C..L#...K\.r7...de.B..)Go...I..w...5..B.Z.s1KmU...Y.x).......2gp@..uI..#......3.Hv.5.?..-X.a.........W....=B>...]:..H..c...B.......czdNc.v..?..xP..R...I.(T...CpI.<.H>.a.....R..}R.._v..w....L...X..4=....nX.xn....mn.yfG...lV....xE.$...._.-.....P..Xq3Y)=..yvD........7..2.3...O...N.55h..f.."y.h.`.~M...E..B....l~~.S\|... 4.h...3..G.o.G.;.`.Tr..M..8.B.....+u.#C.....

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-3KPG9.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	97792
Entropy (8bit):	6.240650542976671
Encrypted:	false
SSDEEP:	1536:xtTRGG7+CF7k9QTPHkis9rGDE9tJ7kdsolb5XpIKz1TpNs6IRcgAGEFDGSs1f8b6:xGG6CF7k9QbHkCE9tJ7kdsW5Xh5s6IRV
MD5:	A5C670EDF4411BF7F132F4280026137B
SHA1:	C0E3CBDDE7D3CEBF41A193EECA96A11CE2B6DA58
SHA-256:	ABA2732C7A016730E94E645DD04E8FAFCC173FC2E5E2AAC01A1C0C66EAD1983E
SHA-512:	ACFCDE89A968D81363AE1CD599A6A362B047AE207722FEA8541577AC609BC5FEFB2231ED946E13F0B4B3BCD56B947C13837C1B9E360D521EC7D580BEFCBB0F46
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6.k.6.k.6.k.?...4.k.Y...7.k.Y...4.k.Y...;.k.6.j..k.Y.....k.Y..7.k.Y..7.k.Y...7.k.Rich6.k.........................PE..L....A.O...........!.........j...............0............................................@.........................Pj..v...\N.......................................................................M..@............0...............................text............................... ..`.rdata...S...0...T..................@..@.data...h............l..............@....rsrc................n..............@..@.reloc...............r..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-514DN.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.4385634049235
Encrypted:	false
SSDEEP:	3:iDVDuE8Lxm0wf9sDuE8LzLpFw6XFn:iDVDopDoNjXF
MD5:	30573ACFC9586271A3F800A10C284479
SHA1:	9CC1A1329258379698A04C33DC5D62E9CE8E06FD
SHA-256:	30B9CF8F9760BCD38617A3878D43FC19E981C6DD13D6400C2A19D2ECAB746CB5
SHA-512:	4A6DF4E50D8C04AD9E65A9D183D4C8B723FCB50E1E786018010A33CEE2B4F73296045864FFFB526D887579BEC8EC5C4CA5353127FB07E632B18C5B4684719015
Malicious:	false
Preview:	pref("general.config.obscure_value", 0);..pref("general.config.filename", "umbrella.cfg");

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-7LAUR.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	236
Entropy (8bit):	5.232996410780511
Encrypted:	false
SSDEEP:	6:rFHGxQ61kH7HE9bwe9hc1axKsyGpeJ/nleB/H7HE9bkgjqY1axKs5v:r026ebH279hc14KsyNJ/nAB/bH2714Ks
MD5:	0A7F6C64EEF31DDB78A7EA184A1E526C
SHA1:	222BB7F9444AE8124EAE1F243DCEA4436A32D3AD
SHA-256:	FDCDD7E21E9CCEDACB8BFC166FD945F2CB08979682BD15E70A88BBAAC48714EA
SHA-512:	A9C38DE565354EAF5ADBB714A409056DAF73E7B2F1CCFE4D26D91C687351CE29A8DEA34DA73FC829F0852A5A5E0839A7E4D4AA68802607AA55974F538A5EA5E4
Malicious:	false
Preview:	FOR /F "tokens=" %%A IN ('dir /B "%APPDATA%\Mozilla\Firefox\Profiles\.default*"') DO set FIREFOX_PROFILE_DIR=%%A..certutil.exe -A -n "RDM_Device" -t "TCu,TCu,TCu" -d "%APPDATA%\Mozilla\Firefox\Profiles\%FIREFOX_PROFILE_DIR%\." -i %1..

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-8C4S6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	93696
Entropy (8bit):	6.44977499578729
Encrypted:	false
SSDEEP:	1536:W3Hq5zbjpPQ4Y0epuuwCbDz5xAFKL8kycL7:gHQxPQfGuz5uFKL8kyu7
MD5:	C26E940B474728E728CAFE5912BA418A
SHA1:	7256E378A419F8D87DE71835E6AD12FAADAAAF73
SHA-256:	1AF1AC51A92B36DE8D85D1F572369815404912908C3A489A6CD7CA2350C2A93D
SHA-512:	BD8673FACD416C8F2EB9A45C4DEEF50E53D0BC41E6B3941FC20CDA8E2D88267205526DADB44BD89869BD333BF7D6F8DB589C95997E1F3322F7A66A09D562B1DF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................`....C.k.....m.....X.....o...........Y.....h.....i.....n....Rich...........PE..L....A.O...........!................p.....................................................@..........................O.......F..x...................................................................0F..@...............l............................text...~........................... ..`.rdata..............................@..@.data........p.......Z..............@....rsrc................\..............@..@.reloc...............`..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-8I24T.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.794541181301596
Encrypted:	false
SSDEEP:	192:y39iNAtUyE7ioVwAFzuh+pOWo1v26wJMnnnLIQBIc3X7PVlD6QHS6CV+:mRUyZoVwAFzusie6wcZxrPVlpHS6c+
MD5:	1FAE68B740F18290B98B2F9E23313CC2
SHA1:	FA3545DC8DB38B3B27F1009E1D61DC2949DF3878
SHA-256:	751C2156DC00525668DD990D99F7F61C257951C3FAD01C0EE6359FCDFF69F933
SHA-512:	5386AAD83C76C625E2D64439B2B25BDA8D0F8B1EB9344B58306883B66675D1F1E98E3189C1BC29CD4B2C98A9D4A594761488AAE04D3748BBA5775A51425B11EC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......vx..2...2...2...;aS.0...]o^.3...]ok.0...]o\.7...2.......]oj.(...]o[.3...]oZ.3...]o].3...Rich2...................PE..L...oA.O...........!.................'.......0...............................p............@......................... 8.......3..P....P.......................`.......................................3..@............0...............................text...T........................... ..`.rdata.......0......."..............@..@.data........@......................@....rsrc........P.......0..............@..@.reloc.......`.......4..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-AUFQA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	108544
Entropy (8bit):	6.45689405407938
Encrypted:	false
SSDEEP:	3072:ES2ipxnUGhrFxZHkZvmYHG+iI2iV6nu+ZfX6AKVqzzF+:ES2ipxUSwv/m+1rAKVqz5
MD5:	051652BA7CA426846E936BC5AA3F39F3
SHA1:	0012007876DDE3A2D764249AD86BC428300FE91E
SHA-256:	8ECA993570FA55E8FE8F417143EEA8128A58472E23074CBD2E6AF4D3BB0F0D9A
SHA-512:	005B22BD5A4CCA9930C5ECA95AF01FC034BB496F4E599CAC3F20B0B9CE0957B4DB685B8E47977E5B289DC5CF1C8A81F4DD7434D0347E41D008E2C8F7F12006F0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........D[...[...[...R...Y.......S...4...Z...4...Y...4...P...[......4./.z...4...Z...4...Z...4...Z...Rich[...........................PE..L....A.O...........!.....n...:.......w....................................................@............................................................................................................@...............D............................text....l.......n.................. ..`.rdata...............r..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-G38J5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	56
Entropy (8bit):	4.503434386188784
Encrypted:	false
SSDEEP:	3:RBkAe+WA6nWZmrXpn:rkAe+WfWErZn
MD5:	E40A3D559E4B85251943E071CD036D90
SHA1:	10FC58DF075108C912589F7954244A807776A0FB
SHA-256:	E179CA82C741D7D4842E42BC339C0E2C9BEFA1A5EFFE33D69D6821B3121FECCA
SHA-512:	07CC337D7EB364FC78B0B36ACBE9F89B85D932B3D616B8EDFB5F12214ECD17853ECAC4725CAE929CCE8A803D868FC3F5A5AD4D394554BB4783B0CCAFEA981959
Malicious:	false
Preview:	//..lockPref("security.enterprise_roots.enabled", true);

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-GIC48.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	PEM certificate
Category:	dropped
Size (bytes):	1452
Entropy (8bit):	5.903783238657704
Encrypted:	false
SSDEEP:	24:LrcM4PB8jfzTKpfU7Kjp9oBePz72nNk7Kj/Xno0fOIJLc/3j2KQo60xHBeBGNbSh:LrcXPCjfzmpfU7MoBePz72nNk7Ao0rLt
MD5:	5236FC957397FB2700DC025C29543CB5
SHA1:	18B222ED28C757645D6986E92E2317839A7A6C6D
SHA-256:	60DB73E7D89E86F33E26E735CD9D37BFC6A097790200E9A32A4AFE7B80CF3F4A
SHA-512:	F3A6DA5BA7130984EDCAF323A42BF3D5B99A6BFED01F4893F215918210F4573B287E2E3F26FA384D013BC2EE7C993592541B99614A0F733DC3FCEF3D1F5C10E7
Malicious:	false
Preview:	-----BEGIN CERTIFICATE-----.MIIEAzCCAusCFGsVDWHO9qoFY2Z2rm9tvBPBsr+yMA0GCSqGSIb3DQEBCwUAMIG8.MQswCQYDVQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzERMA8GA1UEBwwIV2F0ZXJs.b28xGDAWBgNVBAoMD1JETSBDb3Jwb3JhdGlvbjEwMC4GA1UECwwnRGV2aWNlIC0g.Zm9yIEludGVybmFsIEludHJhbmV0IHVzZSBPbmx5MRgwFgYDVQQDDA9SRE0gRGV2.aWNlIFJvb3QxIjAgBgkqhkiG9w0BCQEWE3N1cHBvcnRAcmRtY29ycC5jb20wIBcN.MjExMTI2MDEyNjE4WhgPMjA1NjExMTcwMTI2MThaMIG8MQswCQYDVQQGEwJDQTEQ.MA4GA1UECAwHT250YXJpbzERMA8GA1UEBwwIV2F0ZXJsb28xGDAWBgNVBAoMD1JE.TSBDb3Jwb3JhdGlvbjEwMC4GA1UECwwnRGV2aWNlIC0gZm9yIEludGVybmFsIElu.dHJhbmV0IHVzZSBPbmx5MRgwFgYDVQQDDA9SRE0gRGV2aWNlIFJvb3QxIjAgBgkq.hkiG9w0BCQEWE3N1cHBvcnRAcmRtY29ycC5jb20wggEiMA0GCSqGSIb3DQEBAQUA.A4IBDwAwggEKAoIBAQDnTUJ19cJ2FQi1jQkDljQwn9Mr84flRNWJxaf4qfKLQZEY.0MiHk310N6jlfbVvAAIdm0elbAyIvY9wf6FHR3DYWZ/rMNAFgoZ4bLrBTsvRvtLx.NvKK8Zb4qz2lLgtFCgqfNjp4X1sjEWFtpQGBur8olbFAibgQ5cxJ6OaCaT8qiH37.s/yNVv2SnVL0BpUPPjmPpv/NOTPNHgQ/4ZVWjNYxk3jCEOYTYSmvHNwKTGvUZjSY.R8fEKMuraKWsX0zPoKvW8vX0a7UfExt0AlIzWogDEAblduX2gA/MxQfDN1ekvO

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-K24N6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	190976
Entropy (8bit):	6.662915165682162
Encrypted:	false
SSDEEP:	3072:82ya/vPWqodwFYAjkiV6vnjBr/WPUShgk04YZEnhacoAX8+FeHbnGmgjZzpTBfRP:j7JoiVGj+hIWNmKFpTBJ8B
MD5:	717DBDF0E1F616EA8A038259E273C530
SHA1:	926CE8EC8F79B62202ED487C5FB0C3E1A18F5F70
SHA-256:	E3227EA4C39F5B44F685EEA13D9F6663945E46B12CABE5D29DAEF28B6EEF1A9B
SHA-512:	C09BF38AC93C350DFD0638BEEDD40FBCC9435A06B0013D214F57B181C1B4292E4B8A8310DB2DB48200BCFED872BC656EA92A207ACB6F7B344E3F134226C2AB3F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Af......................jq......jq=.....jq..............jq<.5...jq......jq......jq......Rich............................PE..L....A.O...........!.................".......0............................... ............@.........................p...j.......................................l......................................@............0...............................text............................... ..`.rdata......0......................@..@.data...<...........................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-LTALL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	423936
Entropy (8bit):	6.751461394308889
Encrypted:	false
SSDEEP:	6144:Cf41DoFqNI3Cm39XWYJkW07RlqHYOE1o2exosU8iZEJKvncrghAvLWDKnADA3/AF:DD76rrQ7ngYLo2MliPSghmLYk3/n
MD5:	B58848A28A1EFB85677E344DB1FD67E6
SHA1:	DAD48E2B2B3B936EFC15AC2C5F9099B7A1749976
SHA-256:	00DB98AB4D50E9B26ECD193BFAD6569E1DD395DB14246F8C233FEBBA93965F7A
SHA-512:	762B3BD7F1F1A5C3ACCDE8C36406B9BEADD4270C570EB95A05935C1F7731513938AE5E99950C648B1EACDD2A85F002319B78B7E4EA9577C72335A2FA54796B13
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,J..h+.Yh+.Yh+.YaS0Yj+.Y.]?Yk+.Yh+.Y&+.Y.]=Yd+.Y.].Yj+.Y.].Yf+.Y.]8Yi+.Y.]>Yi+.YRichh+.Y........................PE..L....A.O...........!......................................................................@..........................J.......C..<...............................@&..................................@B..@...............@............................text............................... ..`.rdata..............................@..@.data........`.......D..............@....reloc..Z(.......*...N..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-M356P.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	172544
Entropy (8bit):	6.496240878001019
Encrypted:	false
SSDEEP:	3072:KfHTwBGo4uYvGG3byHhQNP4IP/zsu9zvKwMNJ+Z/9tRpK:KsGTudG3GHhMz3SNY9R
MD5:	2AB31C9401870ADB4E9D88B5A6837ABF
SHA1:	4F0FDD699E63F614D79ED6E47EF61938117D3B7A
SHA-256:	22ECECE561510F77B100CFF8109E5ED492C34707B7B14E0774AAA9CA813DE4AD
SHA-512:	BC58C4DA15E902351F1F161E9D8C1EE4D10ACEB5EDA7DEF4B4454CADF4CD9F437118BA9D63F25F4F0A5694E9D34A4DEF33D40AD51EFB1CDEBB6F02A81C481871
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.e./.6./.6./.6.W.6./.6;a.6./.6.Y.6./.6.Y36./.6.Y.6./.6./.61/.6.Y26./.6.Y.6./.6.Y.6./.6.Y.6./.6Rich./.6................PE..L....A.O...........!........x.......3.......@............................................@.................................<...................................\|...................................x...@............@...............................text....(......................... ..`.rdata...O...@...P..................@..@.data................~..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-MK9CH.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	199680
Entropy (8bit):	6.678065290017203
Encrypted:	false
SSDEEP:	3072:/zcwXcVnDhH5YI6KkEK7207EmrRelzafK+AnF4xH6dVHwpXpE92jDBSRYO6s0eEw:TUDF5YTyBJuF6DHwpXpfSRYO6Z
MD5:	6E84AF2875700285309DD29294365C6A
SHA1:	FC3CB3B2A704250FC36010E2AB495CDC5E7378A9
SHA-256:	1C158E680749E642E55F721F60A71314E26E03E785CD92E560BF650B83C4C3C8
SHA-512:	0ADD9479B2FD631BAFC617C787BCA331E915EDC6A29DD72269B6A24490EC1C85E677698E07944F5FF3BD8D849D3D20ACE61A194A044C697FEFCF992C6F05E747
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Wp.6...6...6..-x...6...@...6...@...6...@...6...N...6...6..m6...@...6...@...6...@...6...@...6..Rich.6..........PE..L...lA.O...........!.....^...........h.......p...............................p............@..............................+..<...x....0.......................@..."..................................X...@............p..`............................text....].......^.................. ..`.rdata...s...p...t...b..............@..@.data...P(..........................@....tls......... ......................@....rsrc........0......................@..@.reloc...&...@...(..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-NCL0U.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	143
Entropy (8bit):	4.304898083502664
Encrypted:	false
SSDEEP:	3:jWrxTAoV6VGa/IhgZGZNRRo/XOxTAoV6VGa/IhgZGZNRRoa:iRA3sa/0hA+A3sa/0hn
MD5:	E8C0E44371C4EDCC8908173BB91CA75C
SHA1:	5479F75580E366CBB2BB03B15C1518CEBDFC5CB0
SHA-256:	30AA7A6E165232DCA4B1B3ADF8C74BEA54A29686F8802C6DE92075EF53B5C1AA
SHA-512:	3AD2442EA854B2C7B1620A6E679ED36110A0F30023CF12552DE28C70E3E883F859C114D5A14CEC4280564AD280204FA549F7F5680CEFAFFF8A2857E16AC36B7D
Malicious:	false
Preview:	echo 1 \| CertMgr.exe -del -c -n "RDM Device Root" -s -r localMachine Root..CertMgr.exe -del -c -n "RDM Device Root" -s -r localMachine Root....

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-PBG95.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	59664
Entropy (8bit):	5.552981290836808
Encrypted:	false
SSDEEP:	1536:/RQvLjWiALqLkHbp7m8GYT3WXs39i4zv:/Vz2Lk71m8Ge3WXs1
MD5:	5D077A0CDD077C014EEDB768FEB249BA
SHA1:	EA2C62D69A1F6B9D643FE16319EC7632C9533B3F
SHA-256:	8A830C48C4D78159DD80F4DAD81C0BEBBF9314710026B1A2EF0FFDDDCB24B83D
SHA-512:	71BF48DCB6916A810F63710968894B431357AA694AA169067F567CC82B8E4EE732F581AFB85B256E5C5A9D15A8B7B5746FA6A8B4127B273FEB5B0E03E91B607A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;.}h.}h.}hh.nh.}h.\|h..}h...h.}h.{h.}h.}h..}hRich.}h................PE..L....B.5.....................l............................................... ..........................................................0W..................................................................@........................................text............................... ..`.data...............................@....rsrc...0W.......X..................@..@.0248...c,.5C....[.5P....[.5]......5i...b,.5u...........MSVCRT.dll.ADVAPI32.dll.KERNEL32.dll.CRYPT32.dll.CRYPTUI.dll.USER32.dll.........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-QG9HH.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	798720
Entropy (8bit):	6.523188898405281
Encrypted:	false
SSDEEP:	24576:uN/cDx/LcwkjTGAq8f54Y6ifuGJk3c8IXRvg/W68IALE/ZcaFL4FzS17BAw:6ci+m9LEazS1
MD5:	A1C4628D184B6AB25550B1CE74F44792
SHA1:	C2C447FD2FDA68C0EC44B3529A2550D2E2A8C3BC
SHA-256:	3F997D3F1674DE9FD119F275638861BC229352F12C70536D8C83A70FCC370847
SHA-512:	07737AC24C91645D9B4D376327B84CB0B470CECBAD60920D7EE0E9B11EF4EEB8EE68FB38BF74B5D1F8817D104CECC65E461950242D940E8FF9CA64CE9D3FFBB7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........^..............T.......Y......l.......[..............m.T.....\.......].......Z.....Rich............PE..L....A.O...........!.....2..........V;.......P...............................p............@..........................z..zb...Z..................................TS..................................0Z..@............P...............................text...^0.......2.................. ..`.rdata.......P.......6..............@..@.data...............................@....rsrc...............................@..@.reloc...\.......^..................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-RQ7D5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	103
Entropy (8bit):	4.493835447768373
Encrypted:	false
SSDEEP:	3:URZqeeLfCXdQFiFyy6HAe+WA6nWZmrXpn:Ui5LKuFiFr6HAe+WfWErZn
MD5:	9556062A739F56D168C1581A11192A17
SHA1:	81EE37E3990A004B9F50CBE99D512A5A5247AA90
SHA-256:	D151A50870503A2D394E3FFD65E2C0DAED043AE1E54C974E80AF811C7A60C78E
SHA-512:	57AB815C4F4F4F7C96D05A714F6CFEBD3DF47EC5C5E8363E07C3180E05BBECB03A472690EDE29BB8690B2E2C0570B5512338B13710E031DE8622D68667031D92
Malicious:	false
Preview:	/* Enable experimental Windows trust store support */..pref("security.enterprise_roots.enabled", true);

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-SJL0P.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	370176
Entropy (8bit):	6.863300763286356
Encrypted:	false
SSDEEP:	6144:eeP90QTcdMTWfpUwFygo5zUM38ME/Hs3nXHkUX:eA/TcWTWfpf0gmzY03nXHkUX
MD5:	D1243817A1B22B855DE0852CF5B53BF5
SHA1:	C64F4851A2FCFE8D1E4A5B5743498870B676755E
SHA-256:	93E99CFBA00348BE3A102DC9F41ACD39BBA91D7F4E0149A9EA6C53FCC50ADAEE
SHA-512:	59ABD87F8DA58F0F4D8D3919A84B2E4FA853AA0E76DBFEA3BC011E21267909ED7C3BB42A714F030773767329A8D3DA0810E789AB5A061BC0E4452159849C4CC2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......??fs{^. {^. {^. r&. y^. .(. z^. .(. y^. .(. r^. {^. C^. .(. R^. .(. z^. .(. z^. .(. z^. Rich{^. ................PE..L....A.O...........!......................................................................@..........................6..P...L1..x...............................t,...................................0..@............................................text............................... ..`.rdata..07.......8..................@..@.data....T...@...R... ..............@....rsrc................r..............@..@.reloc.../.......0...v..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-T2GKH.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	222208
Entropy (8bit):	6.697487951906348
Encrypted:	false
SSDEEP:	6144:ScTE2XtnPcWNo4eT4hs8LP71DRIUqqDL67PXGHrIrH:lTE2XtNrLP71Dyxqn6jI
MD5:	269BEB631B580C6D54DB45B5573B1DE5
SHA1:	64050C1159C2BCFC0E75DA407EF0098AD2DE17C8
SHA-256:	FFC7558A61A4E6546CF095BDEABEA19F05247A0DAA02DCA20EA3605E7FC62C77
SHA-512:	649CD40F3E02C2F2711F56AA21F39CCBDA9108143D4766A9728C9AD98F329D5F64F77090DF769C55B66AB48FB9AA4A380944EBE54F2C450F96CF76E5A6ADD31E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........[x.5+.5+.5+..+.5+..+.5+..+.5+..+.5+.4+..5+..+.5+..+.5+..+.5+..+.5+Rich.5+................PE..L....A.O...........!.....\...J.......f.......p............................................@..........................U..O...,M..x...............................,...................................hL..@............p..x............................text....[.......\.................. ..`.rdata.......p.......`..............@..@.data....F...`.......F..............@....rsrc................H..............@..@.reloc..x............L..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-TG1GQ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	MS Windows icon resource - 5 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	99678
Entropy (8bit):	2.399880160860077
Encrypted:	false
SSDEEP:	384:ckeXhftI9DRRRQwXF6jI2PmdFUMUaaS8FPm0AjaP:ZexftsDRRRPSP
MD5:	C6B1F4998CA0242B1EB448C9694EFF20
SHA1:	D002E4878B16AFD33885553F3507BA2BC23E2179
SHA-256:	15C5C4D9FC4E4FCD10D130A558D4F89931340B40EB6FAECB0BCE1FB5CCCC1CAB
SHA-512:	902117AA14D95A3493D4DB341CE1DCBCF07D8ADA9DF8E4B29100C5FC7D8E732245D9512AE378C9BF2EAA2AEA9B371F089D0BCDD66B71B1EEF84D931874E8528A
Malicious:	false
Preview:	............ .h...V... .... .........00.... ..%..f...@@.... .(B...;........ .(...6}..(....... ..... .....@...................................................................................................................................................................................................................................................................................................................................................uW....Y....wY..y[..uW..uW..wZ....n....uW.....}`........Y..f..uW....Y...x.uW....p.uW....H...=.uW....I.uW.....uW....O...Y..f..uW..}a..x[...f.....uW.........vX..wY..uW...._..k..}a....R..f..uW....C....y\..{^..uW.........vX..x[..uW...i......}a...i...f..uW...n$...\.vX...i..uW...u...m".vY....[.uW..uW........M.uW...f...w1..w1..w1...N.....w1..w1...@........w1..z6.........w1...D...........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-U7N00.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.576295270591411
Encrypted:	false
SSDEEP:	192:y8/u6mEWZYr/YDmJrFirLPAxHU413X7PVlD63YlFfP:1/uHE6Yr/Y+h0AlU4prPVlZlFfP
MD5:	9AE76DB13972553A5DE5BDD07B1B654D
SHA1:	0C4508EB6F13B9B178237CCC4DA759BFF10AF658
SHA-256:	38A906373419501966DAF6EC19CA2F8DB7B29609128AE5CB424D2AA511652C29
SHA-512:	DB6FD98A2B27DD7622F10491BBA08793D26AB59016D6862168AAD278644F737DDDBD312A690DED5091D5E999DC3C3518FD95B200124BE8349829E5CE6685CF4B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................g......j......_......h............^......o......n......i....Rich............................PE..L...mA.O...........!.................".......0...............................p............@.........................P6......l2..P....P.......................`.......................................1..@............0...............................text............................... ..`.rdata..R....0......................@..@.data........@.......&..............@....rsrc........P.......(..............@..@.reloc..(....`.......,..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\libnspr4.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	199680
Entropy (8bit):	6.678065290017203
Encrypted:	false
SSDEEP:	3072:/zcwXcVnDhH5YI6KkEK7207EmrRelzafK+AnF4xH6dVHwpXpE92jDBSRYO6s0eEw:TUDF5YTyBJuF6DHwpXpfSRYO6Z
MD5:	6E84AF2875700285309DD29294365C6A
SHA1:	FC3CB3B2A704250FC36010E2AB495CDC5E7378A9
SHA-256:	1C158E680749E642E55F721F60A71314E26E03E785CD92E560BF650B83C4C3C8
SHA-512:	0ADD9479B2FD631BAFC617C787BCA331E915EDC6A29DD72269B6A24490EC1C85E677698E07944F5FF3BD8D849D3D20ACE61A194A044C697FEFCF992C6F05E747
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Wp.6...6...6..-x...6...@...6...@...6...@...6...N...6...6..m6...@...6...@...6...@...6...@...6..Rich.6..........PE..L...lA.O...........!.....^...........h.......p...............................p............@..............................+..<...x....0.......................@..."..................................X...@............p..`............................text....].......^.................. ..`.rdata...s...p...t...b..............@..@.data...P(..........................@....tls......... ......................@....rsrc........0......................@..@.reloc...&...@...(..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\libplc4.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	5.794541181301596
Encrypted:	false
SSDEEP:	192:y39iNAtUyE7ioVwAFzuh+pOWo1v26wJMnnnLIQBIc3X7PVlD6QHS6CV+:mRUyZoVwAFzusie6wcZxrPVlpHS6c+
MD5:	1FAE68B740F18290B98B2F9E23313CC2
SHA1:	FA3545DC8DB38B3B27F1009E1D61DC2949DF3878
SHA-256:	751C2156DC00525668DD990D99F7F61C257951C3FAD01C0EE6359FCDFF69F933
SHA-512:	5386AAD83C76C625E2D64439B2B25BDA8D0F8B1EB9344B58306883B66675D1F1E98E3189C1BC29CD4B2C98A9D4A594761488AAE04D3748BBA5775A51425B11EC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......vx..2...2...2...;aS.0...]o^.3...]ok.0...]o\.7...2.......]oj.(...]o[.3...]oZ.3...]o].3...Rich2...................PE..L...oA.O...........!.................'.......0...............................p............@......................... 8.......3..P....P.......................`.......................................3..@............0...............................text...T........................... ..`.rdata.......0......."..............@..@.data........@......................@....rsrc........P.......0..............@..@.reloc.......`.......4..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\libplds4.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.576295270591411
Encrypted:	false
SSDEEP:	192:y8/u6mEWZYr/YDmJrFirLPAxHU413X7PVlD63YlFfP:1/uHE6Yr/Y+h0AlU4prPVlZlFfP
MD5:	9AE76DB13972553A5DE5BDD07B1B654D
SHA1:	0C4508EB6F13B9B178237CCC4DA759BFF10AF658
SHA-256:	38A906373419501966DAF6EC19CA2F8DB7B29609128AE5CB424D2AA511652C29
SHA-512:	DB6FD98A2B27DD7622F10491BBA08793D26AB59016D6862168AAD278644F737DDDBD312A690DED5091D5E999DC3C3518FD95B200124BE8349829E5CE6685CF4B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................g......j......_......h............^......o......n......i....Rich............................PE..L...mA.O...........!.................".......0...............................p............@.........................P6......l2..P....P.......................`.......................................1..@............0...............................text............................... ..`.rdata..R....0......................@..@.data........@.......&..............@....rsrc........P.......(..............@..@.reloc..(....`.......,..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\local-settings.js (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.4385634049235
Encrypted:	false
SSDEEP:	3:iDVDuE8Lxm0wf9sDuE8LzLpFw6XFn:iDVDopDoNjXF
MD5:	30573ACFC9586271A3F800A10C284479
SHA1:	9CC1A1329258379698A04C33DC5D62E9CE8E06FD
SHA-256:	30B9CF8F9760BCD38617A3878D43FC19E981C6DD13D6400C2A19D2ECAB746CB5
SHA-512:	4A6DF4E50D8C04AD9E65A9D183D4C8B723FCB50E1E786018010A33CEE2B4F73296045864FFFB526D887579BEC8EC5C4CA5353127FB07E632B18C5B4684719015
Malicious:	false
Preview:	pref("general.config.obscure_value", 0);..pref("general.config.filename", "umbrella.cfg");

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\nss3.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	798720
Entropy (8bit):	6.523188898405281
Encrypted:	false
SSDEEP:	24576:uN/cDx/LcwkjTGAq8f54Y6ifuGJk3c8IXRvg/W68IALE/ZcaFL4FzS17BAw:6ci+m9LEazS1
MD5:	A1C4628D184B6AB25550B1CE74F44792
SHA1:	C2C447FD2FDA68C0EC44B3529A2550D2E2A8C3BC
SHA-256:	3F997D3F1674DE9FD119F275638861BC229352F12C70536D8C83A70FCC370847
SHA-512:	07737AC24C91645D9B4D376327B84CB0B470CECBAD60920D7EE0E9B11EF4EEB8EE68FB38BF74B5D1F8817D104CECC65E461950242D940E8FF9CA64CE9D3FFBB7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........^..............T.......Y......l.......[..............m.T.....\.......].......Z.....Rich............PE..L....A.O...........!.....2..........V;.......P...............................p............@..........................z..zb...Z..................................TS..................................0Z..@............P...............................text...^0.......2.................. ..`.rdata.......P.......6..............@..@.data...............................@....rsrc...............................@..@.reloc...\.......^..................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\nssckbi.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	370176
Entropy (8bit):	6.863300763286356
Encrypted:	false
SSDEEP:	6144:eeP90QTcdMTWfpUwFygo5zUM38ME/Hs3nXHkUX:eA/TcWTWfpf0gmzY03nXHkUX
MD5:	D1243817A1B22B855DE0852CF5B53BF5
SHA1:	C64F4851A2FCFE8D1E4A5B5743498870B676755E
SHA-256:	93E99CFBA00348BE3A102DC9F41ACD39BBA91D7F4E0149A9EA6C53FCC50ADAEE
SHA-512:	59ABD87F8DA58F0F4D8D3919A84B2E4FA853AA0E76DBFEA3BC011E21267909ED7C3BB42A714F030773767329A8D3DA0810E789AB5A061BC0E4452159849C4CC2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......??fs{^. {^. {^. r&. y^. .(. z^. .(. y^. .(. r^. {^. C^. .(. R^. .(. z^. .(. z^. .(. z^. Rich{^. ................PE..L....A.O...........!......................................................................@..........................6..P...L1..x...............................t,...................................0..@............................................text............................... ..`.rdata..07.......8..................@..@.data....T...@...R... ..............@....rsrc................r..............@..@.reloc.../.......0...v..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\nssdbm3.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	108544
Entropy (8bit):	6.45689405407938
Encrypted:	false
SSDEEP:	3072:ES2ipxnUGhrFxZHkZvmYHG+iI2iV6nu+ZfX6AKVqzzF+:ES2ipxUSwv/m+1rAKVqz5
MD5:	051652BA7CA426846E936BC5AA3F39F3
SHA1:	0012007876DDE3A2D764249AD86BC428300FE91E
SHA-256:	8ECA993570FA55E8FE8F417143EEA8128A58472E23074CBD2E6AF4D3BB0F0D9A
SHA-512:	005B22BD5A4CCA9930C5ECA95AF01FC034BB496F4E599CAC3F20B0B9CE0957B4DB685B8E47977E5B289DC5CF1C8A81F4DD7434D0347E41D008E2C8F7F12006F0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........D[...[...[...R...Y.......S...4...Z...4...Y...4...P...[......4./.z...4...Z...4...Z...4...Z...Rich[...........................PE..L....A.O...........!.....n...:.......w....................................................@............................................................................................................@...............D............................text....l.......n.................. ..`.rdata...............r..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\nssutil3.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	93696
Entropy (8bit):	6.44977499578729
Encrypted:	false
SSDEEP:	1536:W3Hq5zbjpPQ4Y0epuuwCbDz5xAFKL8kycL7:gHQxPQfGuz5uFKL8kyu7
MD5:	C26E940B474728E728CAFE5912BA418A
SHA1:	7256E378A419F8D87DE71835E6AD12FAADAAAF73
SHA-256:	1AF1AC51A92B36DE8D85D1F572369815404912908C3A489A6CD7CA2350C2A93D
SHA-512:	BD8673FACD416C8F2EB9A45C4DEEF50E53D0BC41E6B3941FC20CDA8E2D88267205526DADB44BD89869BD333BF7D6F8DB589C95997E1F3322F7A66A09D562B1DF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................`....C.k.....m.....X.....o...........Y.....h.....i.....n....Rich...........PE..L....A.O...........!................p.....................................................@..........................O.......F..x...................................................................0F..@...............l............................text...~........................... ..`.rdata..............................@..@.data........p.......Z..............@....rsrc................\..............@..@.reloc...............`..............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\rdm.pfx (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	data
Category:	dropped
Size (bytes):	2685
Entropy (8bit):	7.881499470740637
Encrypted:	false
SSDEEP:	48:R5t7MR3RzOzFv1Zbiyp8wST7kLxC7XPYgT7a0FSpczbVn0q+dBzl:N7MzCpjiyp8wNczPYSe8SuR0/BJ
MD5:	CB24F524AB36239CDA47EBEB8CBD6EDB
SHA1:	4CDC6226288F2D5868C48457F124569ECB91608F
SHA-256:	7EE7F861AF655E38B08FC3112E0B19C518673251478B2DD44C2580659FE402F0
SHA-512:	C1BA2485C5900BBE5B0A7AEEA8856EE77DE8D1544F2F71EFFCA80F3E8DD49B01C309AD3163740263F027AB66ECBDB679B8609AC601D33F98670E406C4C6604B0
Malicious:	false
Preview:	0..y...0..?...H.........0...,0..(0......H..........0......0......H......0....H.......0...=......[..........R^b...o...VY..<...".NR.FTS[Fd.W.8..= rY.......p./.^..1..0U/...i....[Q.@.KLPg.....<...m.....:/Z.....O7}....y5.Y..\..).W.E.G.....#.$._.O.......,.t..+:.....wX.....G!RYM.1i..........G!.S.uX.].S30.M.......Y.d..':......{Z.^W....&..n....A.4.>...F.:A ...ah..m.I..b....s:.........6.y.xH3t!0.dT.N)...nE.......~r..!......=..YQ..n..nlr.z[..0.P.\E_...4...U..y:.._56O\C..4.5&.J...+.... /..............^..l3..+_:....#.<,........f,.L/".'...QA...1J'9>...........xM..Gz...Ih.4F.R.q...%.J.......oTS.W6C..L#...K\.r7...de.B..)Go...I..w...5..B.Z.s1KmU...Y.x).......2gp@..uI..#......3.Hv.5.?..-X.a.........W....=B>...]:..H..c...B.......czdNc.v..?..xP..R...I.(T...CpI.<.H>.a.....R..}R.._v..w....L...X..4=....nX.xn....mn.yfG...lV....xE.$...._.-.....P..Xq3Y)=..yvD........7..2.3...O...N.55h..f.."y.h.`.~M...E..B....l~~.S\|... 4.h...3..G.o.G.;.`.Tr..M..8.B.....+u.#C.....

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\smime3.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	97792
Entropy (8bit):	6.240650542976671
Encrypted:	false
SSDEEP:	1536:xtTRGG7+CF7k9QTPHkis9rGDE9tJ7kdsolb5XpIKz1TpNs6IRcgAGEFDGSs1f8b6:xGG6CF7k9QbHkCE9tJ7kdsW5Xh5s6IRV
MD5:	A5C670EDF4411BF7F132F4280026137B
SHA1:	C0E3CBDDE7D3CEBF41A193EECA96A11CE2B6DA58
SHA-256:	ABA2732C7A016730E94E645DD04E8FAFCC173FC2E5E2AAC01A1C0C66EAD1983E
SHA-512:	ACFCDE89A968D81363AE1CD599A6A362B047AE207722FEA8541577AC609BC5FEFB2231ED946E13F0B4B3BCD56B947C13837C1B9E360D521EC7D580BEFCBB0F46
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6.k.6.k.6.k.?...4.k.Y...7.k.Y...4.k.Y...;.k.6.j..k.Y.....k.Y..7.k.Y..7.k.Y...7.k.Rich6.k.........................PE..L....A.O...........!.........j...............0............................................@.........................Pj..v...\N.......................................................................M..@............0...............................text............................... ..`.rdata...S...0...T..................@..@.data...h............l..............@....rsrc................n..............@..@.reloc...............r..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\softokn3.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	172544
Entropy (8bit):	6.496240878001019
Encrypted:	false
SSDEEP:	3072:KfHTwBGo4uYvGG3byHhQNP4IP/zsu9zvKwMNJ+Z/9tRpK:KsGTudG3GHhMz3SNY9R
MD5:	2AB31C9401870ADB4E9D88B5A6837ABF
SHA1:	4F0FDD699E63F614D79ED6E47EF61938117D3B7A
SHA-256:	22ECECE561510F77B100CFF8109E5ED492C34707B7B14E0774AAA9CA813DE4AD
SHA-512:	BC58C4DA15E902351F1F161E9D8C1EE4D10ACEB5EDA7DEF4B4454CADF4CD9F437118BA9D63F25F4F0A5694E9D34A4DEF33D40AD51EFB1CDEBB6F02A81C481871
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.e./.6./.6./.6.W.6./.6;a.6./.6.Y.6./.6.Y36./.6.Y.6./.6./.61/.6.Y26./.6.Y.6./.6.Y.6./.6.Y.6./.6Rich./.6................PE..L....A.O...........!........x.......3.......@............................................@.................................<...................................\|...................................x...@............@...............................text....(......................... ..`.rdata...O...@...P..................@..@.data................~..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\sqlite3.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	423936
Entropy (8bit):	6.751461394308889
Encrypted:	false
SSDEEP:	6144:Cf41DoFqNI3Cm39XWYJkW07RlqHYOE1o2exosU8iZEJKvncrghAvLWDKnADA3/AF:DD76rrQ7ngYLo2MliPSghmLYk3/n
MD5:	B58848A28A1EFB85677E344DB1FD67E6
SHA1:	DAD48E2B2B3B936EFC15AC2C5F9099B7A1749976
SHA-256:	00DB98AB4D50E9B26ECD193BFAD6569E1DD395DB14246F8C233FEBBA93965F7A
SHA-512:	762B3BD7F1F1A5C3ACCDE8C36406B9BEADD4270C570EB95A05935C1F7731513938AE5E99950C648B1EACDD2A85F002319B78B7E4EA9577C72335A2FA54796B13
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,J..h+.Yh+.Yh+.YaS0Yj+.Y.]?Yk+.Yh+.Y&+.Y.]=Yd+.Y.].Yj+.Y.].Yf+.Y.]8Yi+.Y.]>Yi+.YRichh+.Y........................PE..L....A.O...........!......................................................................@..........................J.......C..<...............................@&..................................@B..@...............@............................text............................... ..`.rdata..............................@..@.data........`.......D..............@....reloc..Z(.......*...N..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\ssl3.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	190976
Entropy (8bit):	6.662915165682162
Encrypted:	false
SSDEEP:	3072:82ya/vPWqodwFYAjkiV6vnjBr/WPUShgk04YZEnhacoAX8+FeHbnGmgjZzpTBfRP:j7JoiVGj+hIWNmKFpTBJ8B
MD5:	717DBDF0E1F616EA8A038259E273C530
SHA1:	926CE8EC8F79B62202ED487C5FB0C3E1A18F5F70
SHA-256:	E3227EA4C39F5B44F685EEA13D9F6663945E46B12CABE5D29DAEF28B6EEF1A9B
SHA-512:	C09BF38AC93C350DFD0638BEEDD40FBCC9435A06B0013D214F57B181C1B4292E4B8A8310DB2DB48200BCFED872BC656EA92A207ACB6F7B344E3F134226C2AB3F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Af......................jq......jq=.....jq..............jq<.5...jq......jq......jq......Rich............................PE..L....A.O...........!.................".......0............................... ............@.........................p...j.......................................l......................................@............0...............................text............................... ..`.rdata......0......................@..@.data...<...........................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\umbrella.cfg (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	56
Entropy (8bit):	4.503434386188784
Encrypted:	false
SSDEEP:	3:RBkAe+WA6nWZmrXpn:rkAe+WfWErZn
MD5:	E40A3D559E4B85251943E071CD036D90
SHA1:	10FC58DF075108C912589F7954244A807776A0FB
SHA-256:	E179CA82C741D7D4842E42BC339C0E2C9BEFA1A5EFFE33D69D6821B3121FECCA
SHA-512:	07CC337D7EB364FC78B0B36ACBE9F89B85D932B3D616B8EDFB5F12214ECD17853ECAC4725CAE929CCE8A803D868FC3F5A5AD4D394554BB4783B0CCAFEA981959
Malicious:	false
Preview:	//..lockPref("security.enterprise_roots.enabled", true);

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\RDM_ROOTCERTIFICATE.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3218944
Entropy (8bit):	6.344016460665066
Encrypted:	false
SSDEEP:	49152:6EA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTV633385:K92bz2Eb6pd7B6bAGx7M333e
MD5:	05CB53C8116FA798AB00B737F7B94015
SHA1:	BC5F54566CA4A156030372CEFEAD56540FB3D9FF
SHA-256:	41355B9DE8550C19DE59BA6555BAC91BCCA1529F0EABFF8C239A7B151F4012EB
SHA-512:	66E96ACA190FD2069C6E24B37EDE8F38D1B0E3D11696E93AD09E0EBDF3E8809D49D0C9B0E5C68F479E88F6440302E07A1D5327BE489D1095DAD0746657ACDEAE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...(..`.................:,.........`F,......P,...@...........................2...........@......@....................-......p-.29....-.L.....................................................-......................y-.......-......................text.....,.......,................. ..`.itext...(... ,..*....,............. ..`.data........P,......>,.............@....bss.....y....,..........................idata..29...p-..:....,.............@....didata.......-.......-.............@....edata........-.......-.............@..@.tls....L.....-..........................rdata..].....-.......-.............@..@.rsrc...L.....-.......-.............@..@..............1.......0.............@..@........................................................

C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\RDM_ROOTCERTIFICATE.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2752392
Entropy (8bit):	7.69362175399761
Encrypted:	false
SSDEEP:	49152:iqe3f6ECWVVX/QSJKYkljNXONfDevXUCH+s+U0WBAW:7SiE3ROj0CEqvV0CAW
MD5:	5DAEC5D62A1B06418E5EAE25B7857748
SHA1:	8A56F34F6A62B6EE1489AB2DFFF643BC5DC22276
SHA-256:	9F395107A54B5393D98B7AA5D4A039D32BE780E691CACF75EF7D4CE58D074D83
SHA-512:	10B3AF9C90B875294EF606EB471E1E30A7A8DB56FAB2874F6EF32D33D088C97E4802A4980B196AA419BD0DDDC568F13C5453E822A190E5165C96C4E7E2CF0CB1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...'..`.................P...6.......^.......p....@..........................`......h1*...@......@...................@....... ..6....p..T.............).p1...................................`......................."..D....0.......................text....6.......8.................. ..`.itext.......P.......<.............. ..`.data....7...p...8...T..............@....bss.....m...............................idata..6.... ......................@....didata......0......................@....edata.......@......................@..@.tls.........P...........................rdata..]....`......................@..@.rsrc...T....p......................@..@....................................@..@........................................................

C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\is-N0SQK.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2752392
Entropy (8bit):	7.69362175399761
Encrypted:	false
SSDEEP:	49152:iqe3f6ECWVVX/QSJKYkljNXONfDevXUCH+s+U0WBAW:7SiE3ROj0CEqvV0CAW
MD5:	5DAEC5D62A1B06418E5EAE25B7857748
SHA1:	8A56F34F6A62B6EE1489AB2DFFF643BC5DC22276
SHA-256:	9F395107A54B5393D98B7AA5D4A039D32BE780E691CACF75EF7D4CE58D074D83
SHA-512:	10B3AF9C90B875294EF606EB471E1E30A7A8DB56FAB2874F6EF32D33D088C97E4802A4980B196AA419BD0DDDC568F13C5453E822A190E5165C96C4E7E2CF0CB1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...'..`.................P...6.......^.......p....@..........................`......h1*...@......@...................@....... ..6....p..T.............).p1...................................`......................."..D....0.......................text....6.......8.................. ..`.itext.......P.......<.............. ..`.data....7...p...8...T..............@....bss.....m...............................idata..6.... ......................@....didata......0......................@....edata.......@......................@..@.tls.........P...........................rdata..]....`......................@..@.rsrc...T....p......................@..@....................................@..@........................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	19
Entropy (8bit):	3.5110854081804286
Encrypted:	false
SSDEEP:	3:RoHQGQB5:RZGU5
MD5:	E3AC0178A28CF8E44D82A62FAE2290D7
SHA1:	C0F1C66E831ADD5EA81B19BFA0E85D1D2CA192BA
SHA-256:	2C61108AC0158F555B0632F5658D79D502B0929F2090848A7DEB77158667D43C
SHA-512:	F7C2290526630DEF784459621007F389D720034D3BCE1EFF9B761C7A959061FDB465B9D239290EB543E7B0CFB41682361D0400459621F8756A8A09782F33693A
Malicious:	false
Preview:	CertMgr Succeeded..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.817721379244328
TrID:	Win32 Executable (generic) a (10002005/4) 98.45% Inno Setup installer (109748/4) 1.08% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	RDM_Root_Cert_Update_Windows.exe
File size:	3'838'992 bytes
MD5:	d4b2995d38da119e5b0db2cb90778224
SHA1:	2570198aafaf5d6f394ffd6e7e741c2316510ee0
SHA256:	05a6215fbf82c755b73dcfa297f229bf5b88c879b4a7a2edf680ebd97a4580ad
SHA512:	a611e1fbd0b9997e395f1b829e4b08f833cf5d70e9e846c7eb81d8faeef9fee4af11fc43f4f47776692595ed880eda6b7fd68210cc381984fb70ccf75d680366
SSDEEP:	98304:uSiKiNyE3pWHFowVGfO1xW8zjoix6b8/CEqvV0CAe:/KyE5WHFowQsxVwzE/cH
TLSH:	CD06F13BB298753EC45A0B364573A220587BBEA1BC1A8C1E5BF0381DDF760B11E3B655
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	54525a4a525e5600

Static PE Info

General

Entrypoint:	0x4b5eec
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x60B88E27 [Thu Jun 3 08:09:11 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	5a594319a0d69dbc452e748bcf05892e

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=GlobalSign GCC R45 CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	26/03/2024 22:00:39 27/03/2025 22:00:39
Subject Chain	E=certadmin@deluxe.com, CN=Deluxe Corporation, O=Deluxe Corporation, L=Shoreview, S=Minnesota, C=US
Version:	3
Thumbprint MD5:	BEF0171825682D9817D1C9940167515E
Thumbprint SHA-1:	DB6FF586745306742F40BE5C5A9A1CFB5CA60DFF
Thumbprint SHA-256:	33443DC874D3E0CD8D3D0076DCA011CF28A961E83940EC357D8D2FCF87DCD4BF
Serial:	7D9B3C2EFCA6B8143D0373D7

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004B10F0h
call 00007FE394E4C875h
xor eax, eax
push ebp
push 004B65E2h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004B659Eh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004BE634h]
call 00007FE394EEEF9Fh
call 00007FE394EEEAF2h
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007FE394E622E8h
mov edx, dword ptr [ebp-14h]
mov eax, 004C1D84h
call 00007FE394E47467h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004C1D84h]
mov dl, 01h
mov eax, dword ptr [004237A4h]
call 00007FE394E6334Fh
mov dword ptr [004C1D88h], eax
xor edx, edx
push ebp
push 004B654Ah
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007FE394EEF027h
mov dword ptr [004C1D90h], eax
mov eax, dword ptr [004C1D90h]
cmp dword ptr [eax+0Ch], 01h
jne 00007FE394EF560Ah
mov eax, dword ptr [004C1D90h]
mov edx, 00000028h
call 00007FE394E63C44h
mov edx, dword ptr [004C1D90h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xc4000	0x9a	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc2000	0xf36	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x1e754	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x3a62b8	0x3158
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc6000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc22e4	0x244	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xc3000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb361c	0xb3800	ad6e46e3a3acdb533eb6a077f6d065af	False	0.3448639341051532	data	6.356058204328091	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xb5000	0x1688	0x1800	d40fc822339d01f2abcc5493ac101c94	False	0.544921875	data	5.972750055221053	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xb7000	0x37a4	0x3800	4c195d5591f6d61265df08a3733de3a2	False	0.36097935267857145	data	5.044400562007734	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xbb000	0x6de8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xc2000	0xf36	0x1000	a73d686f1e8b9bb06ec767721135e397	False	0.3681640625	data	4.8987046479600425	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xc3000	0x1a4	0x200	41b8ce23dd243d14beebc71771885c89	False	0.345703125	data	2.7563628682496506	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xc4000	0x9a	0x200	37c1a5c63717831863e018c0f51dabb7	False	0.2578125	data	1.8722228665884297	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xc5000	0x18	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xc6000	0x5d	0x200	8f2f090acd9622c88a6a852e72f94e96	False	0.189453125	data	1.3838943752217987	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc7000	0x1e754	0x1e800	b71fbe8719fa2368d3fd04dcc632bcea	False	0.22003073770491804	data	3.605316662907013	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc7528	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m	English	United States	0.42021276595744683
RT_ICON	0xc7990	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m	English	United States	0.2804878048780488
RT_ICON	0xc8a38	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m	English	United States	0.2024896265560166
RT_ICON	0xcafe0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m	English	United States	0.1614903164855928
RT_ICON	0xcf208	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m	English	United States	0.08491068259789424
RT_ICON	0xdfa30	0x2db4	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9390598290598291
RT_STRING	0xe27e4	0x360	data			0.34375
RT_STRING	0xe2b44	0x260	data			0.3256578947368421
RT_STRING	0xe2da4	0x45c	data			0.4068100358422939
RT_STRING	0xe3200	0x40c	data			0.3754826254826255
RT_STRING	0xe360c	0x2d4	data			0.39226519337016574
RT_STRING	0xe38e0	0xb8	data			0.6467391304347826
RT_STRING	0xe3998	0x9c	data			0.6410256410256411
RT_STRING	0xe3a34	0x374	data			0.4230769230769231
RT_STRING	0xe3da8	0x398	data			0.3358695652173913
RT_STRING	0xe4140	0x368	data			0.3795871559633027
RT_STRING	0xe44a8	0x2a4	data			0.4275147928994083
RT_RCDATA	0xe474c	0x10	data			1.5
RT_RCDATA	0xe475c	0x2c4	data			0.6384180790960452
RT_RCDATA	0xe4a20	0x2c	data			1.1818181818181819
RT_GROUP_ICON	0xe4a4c	0x5a	data	English	United States	0.7444444444444445
RT_VERSION	0xe4aa8	0x584	data	English	United States	0.27124645892351273
RT_MANIFEST	0xe502c	0x726	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4005464480874317

Imports

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
version.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll	NetWkstaGetInfo, NetApiBufferFree
advapi32.dll	RegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x454060
__dbk_fcall_wrapper	2	0x40d0a0
dbkFCallWrapperAddr	1	0x4be63c

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	12:58:18
Start date:	28/08/2024
Path:	C:\Users\user\Desktop\RDM_Root_Cert_Update_Windows.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RDM_Root_Cert_Update_Windows.exe"
Imagebase:	0x400000
File size:	3'838'992 bytes
MD5 hash:	D4B2995D38DA119E5B0DB2CB90778224
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:58:18
Start date:	28/08/2024
Path:	C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp" /SL5="$10476,2990719,887296,C:\Users\user\Desktop\RDM_Root_Cert_Update_Windows.exe"
Imagebase:	0x400000
File size:	3'218'944 bytes
MD5 hash:	A5388235BBD3513D95A2A5C172A55680
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:58:23
Start date:	28/08/2024
Path:	C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\RDM_ROOTCERTIFICATE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\RDM_ROOTCERTIFICATE.exe" /VERYSILENT
Imagebase:	0x400000
File size:	2'752'392 bytes
MD5 hash:	5DAEC5D62A1B06418E5EAE25B7857748
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:58:23
Start date:	28/08/2024
Path:	C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-SC2V1.tmp\RDM_ROOTCERTIFICATE.tmp" /SL5="$2047A,1902883,887296,C:\Users\user\AppData\Local\Temp\is-SU9Q0.tmp\RDM_ROOTCERTIFICATE.exe" /VERYSILENT
Imagebase:	0x400000
File size:	3'218'944 bytes
MD5 hash:	05CB53C8116FA798AB00B737F7B94015
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:58:24
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp/RdmCert/certremoval.bat""
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:58:24
Start date:	28/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:58:24
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /S /D /c" echo 1 "
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:58:24
Start date:	28/08/2024
Path:	C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe
Wow64 process (32bit):	true
Commandline:	CertMgr.exe -del -c -n "RDM Device Root" -s -r localMachine Root
Imagebase:	0x1000000
File size:	59'664 bytes
MD5 hash:	5D077A0CDD077C014EEDB768FEB249BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:58:24
Start date:	28/08/2024
Path:	C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe
Wow64 process (32bit):	true
Commandline:	CertMgr.exe -del -c -n "RDM Device Root" -s -r localMachine Root
Imagebase:	0x1000000
File size:	59'664 bytes
MD5 hash:	5D077A0CDD077C014EEDB768FEB249BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:58:24
Start date:	28/08/2024
Path:	C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp/RdmCert/CertMgr.exe" -add -c RDM_RootCA.pem -s -r localmachine Root
Imagebase:	0x1000000
File size:	59'664 bytes
MD5 hash:	5D077A0CDD077C014EEDB768FEB249BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:58:24
Start date:	28/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:58:25
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp/RdmCert/AddCert.bat" "C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\RDM_RootCA.pem""
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:58:25
Start date:	28/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:58:25
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c dir /B "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\.default"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	12:58:25
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\certutil.exe
Wow64 process (32bit):	true
Commandline:	certutil.exe -A -n "RDM_Device" -t "TCu,TCu,TCu" -d "C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\." -i "C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\RDM_RootCA.pem"
Imagebase:	0xd0000
File size:	1'277'440 bytes
MD5 hash:	0DDA4F16AE041578B4E250AE12E06EB1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	12:58:25
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\certutil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32/certutil.exe" f p rdm736 importpfx "C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\rdm.pfx"
Imagebase:	0xd0000
File size:	1'277'440 bytes
MD5 hash:	0DDA4F16AE041578B4E250AE12E06EB1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	12:58:25
Start date:	28/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	12:58:26
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\net.exe" stop "RDMAppweb"
Imagebase:	0xf60000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	12:58:26
Start date:	28/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	12:58:26
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 stop "RDMAppweb"
Imagebase:	0xc90000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	12:58:26
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\net.exe" stop "Embedthis Rdmappweb"
Imagebase:	0xf60000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	12:58:27
Start date:	28/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	12:58:27
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 stop "Embedthis Rdmappweb"
Imagebase:	0xc90000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	12:58:27
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\net.exe" start "RDMAppweb"
Imagebase:	0xf60000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	12:58:27
Start date:	28/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	12:58:27
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 start "RDMAppweb"
Imagebase:	0xc90000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	12:58:27
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\net.exe" start "Embedthis Rdmappweb"
Imagebase:	0xf60000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	12:58:27
Start date:	28/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	12:58:27
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 start "Embedthis Rdmappweb"
Imagebase:	0xc90000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.1%
Dynamic/Decrypted Code Coverage:	53%
Signature Coverage:	16.8%
Total number of Nodes:	1743
Total number of Limit Nodes:	10

Executed Functions

Function 0100197F Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptMsgClose.CRYPT32(00000000), ref: 010019EC
CertCloseStore.CRYPT32(00000000,00000000), ref: 010019FD

Part of subcall function 0100885A: vwprintf.MSVCRT ref: 0100887A

Strings

P/n, xrefs: 010019DC
P>n, xrefs: 010019CD
PMn, xrefs: 010019BE

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: Close$CertCryptStorevwprintf
String ID: P/n$P>n$PMn
API String ID: 3389936734-1834489009
Opcode ID: 63eb66c14e7fda0570ea376976dc1e18f64bbe9a91587ae554e77367a3c350e3
Instruction ID: 42b3134e16393f13461df84badb692253946a8e87c09028ea51888cae73f54e6
Opcode Fuzzy Hash: 63eb66c14e7fda0570ea376976dc1e18f64bbe9a91587ae554e77367a3c350e3
Instruction Fuzzy Hash: 6E215330B04301EAFF679B69ED09B993BF9BF48341F184065AAC0920E4DF7ACA40D715

Function 01001AD0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 75
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 01001ADF
CryptInitOIDFunctionSet.CRYPT32(CryptDllFormatObject,00000000), ref: 01001AF5
CryptInstallOIDFunctionAddress.CRYPT32(00000000,CryptDllFormatObject,01001328,00000000), ref: 01001B1F
CryptRegisterOIDInfo.CRYPT32(0000001C,00000000), ref: 01001B97

Strings

CryptDllFormatObject, xrefs: 01001AEE, 01001AF4, 01001B17

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: Crypt$Function$AddressHandleInfoInitInstallModuleRegister
String ID: CryptDllFormatObject
API String ID: 2804595984-3973519293
Opcode ID: 4c74154022490254554ef6326925eb3718cf50a35f994ad4199bc7a9ad7ba923
Instruction ID: 6f13abbe2aab8b1e5bb8b6f4405c84a7c177d83238a80c1cc21b34735506dcde
Opcode Fuzzy Hash: 4c74154022490254554ef6326925eb3718cf50a35f994ad4199bc7a9ad7ba923
Instruction Fuzzy Hash: 502180B1E40708EBF7239F65EC84EEA7BB9FB04340F004526F295A2084E77AD9458B50

Function 010018CB Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 63
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptMsgClose.CRYPT32(00000000), ref: 010019EC
CertCloseStore.CRYPT32(00000000,00000000), ref: 010019FD

Strings

P/n, xrefs: 010019DC
P>n, xrefs: 010019CD
PMn, xrefs: 010019BE

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: Close$CertCryptStore
String ID: P/n$P>n$PMn
API String ID: 1306282253-1834489009
Opcode ID: 10a47abec8d88a5924ec7f7d0afb7ba57d3237583ddbfdd2884d6f74a2bf1f38
Instruction ID: dbb7c2de19337d5fef51ebb3680b7a4a5f2b0570c407ca8ccf1c5ea7785461a4
Opcode Fuzzy Hash: 10a47abec8d88a5924ec7f7d0afb7ba57d3237583ddbfdd2884d6f74a2bf1f38
Instruction Fuzzy Hash: 9611FC71B04205EAFB63AB69E948BA937F8BB44340F048065EAC1D71C0EB75DA40CB60

Function 01001965 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 41
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0100885A: vwprintf.MSVCRT ref: 0100887A

CryptMsgClose.CRYPT32(00000000), ref: 010019EC
CertCloseStore.CRYPT32(00000000,00000000), ref: 010019FD

Part of subcall function 01008811: free.MSVCRT(00000000,010019E2,00000000), ref: 0100881C

Strings

P/n, xrefs: 010019DC
P>n, xrefs: 010019CD
PMn, xrefs: 010019BE

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: Close$CertCryptStorefreevwprintf
String ID: P/n$P>n$PMn
API String ID: 1118940313-1834489009
Opcode ID: 76a2339dfe4cb4e017245fc44dcbcfbfc9c8a530502f8862358d6e7c4aa865a9
Instruction ID: 77acb240a226d128f079d2490b685ddcd47dd1abc9d13d3f23a27c0d587eddd9
Opcode Fuzzy Hash: 76a2339dfe4cb4e017245fc44dcbcfbfc9c8a530502f8862358d6e7c4aa865a9
Instruction Fuzzy Hash: 99F01971B05301EAFA23AB28FC49B993BB8BB44341F14806AB6C4D70C4DA7ADA419710

Function 01003185 Relevance: 37.9, APIs: 25, Instructions: 423
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertOpenStore.CRYPT32(00000002,00000000,00000000,00000000), ref: 01003200
CertFindCertificateInStore.CRYPT32(?,00000000,00010000,?,00000000), ref: 01003291

Part of subcall function 01003C14: CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 01003C35
Part of subcall function 01003C14: CertDuplicateCertificateContext.CRYPT32(00000000), ref: 01003C42
Part of subcall function 01003C14: CertDeleteCTLFromStore.CRYPT32(00000000,?,00000001), ref: 01003C49
Part of subcall function 01003C14: CertEnumCTLsInStore.CRYPT32(?,00000000), ref: 01003C5F
Part of subcall function 01003C14: CertDuplicateCTLContext.CRYPT32(00000000,?,00000001), ref: 01003C6C
Part of subcall function 01003C14: CertDeleteCTLFromStore.CRYPT32(00000000,?,00000001), ref: 01003C73
Part of subcall function 01003C14: CertGetCRLFromStore.CRYPT32(?,00000000,00000000,00000002), ref: 01003C91
Part of subcall function 01003C14: CertDuplicateCTLContext.CRYPT32(00000000,?,00000001), ref: 01003C9E
Part of subcall function 01003C14: CertDeleteCTLFromStore.CRYPT32(00000000,?,00000001), ref: 01003CA5
Part of subcall function 01003C14: CertFreeCTLContext.CRYPT32(00000000,00000000,?,?,00000001), ref: 01003CC4
Part of subcall function 01003C14: CertFreeCTLContext.CRYPT32(00000000,00000000,?,?,00000001), ref: 01003CCF
Part of subcall function 01003C14: CertFreeCTLContext.CRYPT32(00000000,00000000,?,?,00000001), ref: 01003CDA

CertFreeCTLContext.CRYPT32(?,?), ref: 01003510
CertFreeCTLContext.CRYPT32(?,?), ref: 01003520
CertFreeCTLContext.CRYPT32(?,?), ref: 0100352A
CertFreeCTLContext.CRYPT32(?,?), ref: 0100354E
free.MSVCRT(?,?), ref: 0100355E
CertFreeCTLContext.CRYPT32(?,?), ref: 01003579
free.MSVCRT(?,?), ref: 01003589
CertFreeCTLContext.CRYPT32(?,?), ref: 010035A4
free.MSVCRT(?,?), ref: 010035B8
CertCloseStore.CRYPT32(?,00000000), ref: 010035CD
CertDuplicateCertificateContext.CRYPT32(?), ref: 01003662
CertDuplicateCertificateContext.CRYPT32(?), ref: 0100368F
CertDeleteCTLFromStore.CRYPT32(?), ref: 0100369E

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: Cert$Context$Store$Free$DuplicateFrom$CertificateDelete$free$Enum$CertificatesCloseFindOpen
String ID:
API String ID: 2937819547-0
Opcode ID: 00397b16635c81cae4848901f55ef5f8b817b23ffd5f059c687f173048bbcf1c
Instruction ID: ceba202226e1c52c8d753938b8a5235e252ee34b61ded21cb78c9f9364dbaa25
Opcode Fuzzy Hash: 00397b16635c81cae4848901f55ef5f8b817b23ffd5f059c687f173048bbcf1c
Instruction Fuzzy Hash: B5F12371A04209EFEF63DF94D944AEDBBF5FB48301F104069E581EB294EB369A41CB11

Function 01002558 Relevance: 16.7, APIs: 11, Instructions: 189
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertOpenStore.CRYPT32(0000000A,00000000,?,?), ref: 010025B4
CertCloseStore.CRYPT32(00000000,00000000), ref: 010025CF
CertOpenStore.CRYPT32(0000000A,00000000,?,?), ref: 010025F5
CertOpenStore.CRYPT32(00000006,00000000,00000000,?), ref: 01002770

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: CertStore$Open$Close
String ID:
API String ID: 2754197958-0
Opcode ID: 66eb3ab7076ffe95061d62a5c389f5189901e907c95eb4f1a77a95065bf80f19
Instruction ID: c9ddbc5a20286c3309f0bfccd5a5b6e99f19dee535933a9edc4c3c0e3cdfaecd
Opcode Fuzzy Hash: 66eb3ab7076ffe95061d62a5c389f5189901e907c95eb4f1a77a95065bf80f19
Instruction Fuzzy Hash: 00517E31600614FBEF339FA99C4CEAE7BB8FB89741F140259F6D9A2084D73A8940DB55

Function 01003F3F Relevance: 16.6, APIs: 11, Instructions: 127
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 01003F72
realloc.MSVCRT ref: 01003F8E
CertDuplicateCertificateContext.CRYPT32(?), ref: 01003FA3
CertEnumCertificatesInStore.CRYPT32(?,?), ref: 01003FC1
CertFindCertificateInStore.CRYPT32(?,00000000,00080007,?,00000000,00000000), ref: 01003FE2
realloc.MSVCRT ref: 01003FFA
CertDuplicateCertificateContext.CRYPT32(?), ref: 0100400B
CertFindCertificateInStore.CRYPT32(?,00000000,00080007,?,?), ref: 01004034
CertFreeCTLContext.CRYPT32(?,?,?,?,01002BE8,?,00000000,?,?), ref: 01004062
free.MSVCRT(?,?,?,?,01002BE8,?,00000000,?,?), ref: 01004070
CertFreeCTLContext.CRYPT32(?,?,?,?,01002BE8,?,00000000,?,?), ref: 01004090

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: Cert$CertificateContextStore$CertificatesDuplicateEnumFindFreerealloc$free
String ID:
API String ID: 1636303725-0
Opcode ID: 1f4ee6068f1e8aea42f31af4c687cb09dde60afd68d6b8c1d34b77a0c8dda3a4
Instruction ID: 9782e854247bb6023672c0a45df3072e1ed033e8617539a9c2345dc92b0eb93d
Opcode Fuzzy Hash: 1f4ee6068f1e8aea42f31af4c687cb09dde60afd68d6b8c1d34b77a0c8dda3a4
Instruction Fuzzy Hash: D1413871604246EFEB22DF68D8848AD7BF1FB44341F20486DF6D5E7290CB329994DB10

Function 010083A0 Relevance: 10.6, APIs: 7, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 010083CF
__p__fmode.MSVCRT ref: 010083EC
__p__commode.MSVCRT ref: 010083FA
_initterm.MSVCRT ref: 01008440
__wgetmainargs.MSVCRT ref: 01008468
_initterm.MSVCRT ref: 0100847B
__p___winitenv.MSVCRT ref: 01008483

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: _initterm$__p___winitenv__p__commode__p__fmode__set_app_type__wgetmainargs
String ID:
API String ID: 1994959623-0
Opcode ID: ae44a37183254d00835b9000c12113839250642764c810b338a186780a498866
Instruction ID: 5570a4e0811c03a8a4a44dfca9dc969cf19f863603b224f5608ae785088c858c
Opcode Fuzzy Hash: ae44a37183254d00835b9000c12113839250642764c810b338a186780a498866
Instruction Fuzzy Hash: 1B216DB5A00308EFD726DF99DC45EDA77B8BB48710F108219F5A5A73C8DB3A95008B61

Function 01008423 Relevance: 9.1, APIs: 6, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__setusermatherr.MSVCRT ref: 01008428

Part of subcall function 01008500: _controlfp.MSVCRT ref: 0100850A

_initterm.MSVCRT ref: 01008440
__wgetmainargs.MSVCRT ref: 01008468
_initterm.MSVCRT ref: 0100847B
__p___winitenv.MSVCRT ref: 01008483
exit.KERNELBASE ref: 010084A6

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: _initterm$__p___winitenv__setusermatherr__wgetmainargs_controlfpexit
String ID:
API String ID: 2704923724-0
Opcode ID: b6ec3d73afdbacb6fb99eaf93588aeee621479e86df01ea7de40f688c0e2ecdb
Instruction ID: 315827a1ee821c1f4935d66a40762d536e8d1ce74b8fac43ed90e89bc0abd2dc
Opcode Fuzzy Hash: b6ec3d73afdbacb6fb99eaf93588aeee621479e86df01ea7de40f688c0e2ecdb
Instruction Fuzzy Hash: 3E1182B2E00208DBD716DFD8EC45DEE7774BB9C315F048129F549A3284EA3695048B71

Function 0100885A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0100871B: LoadStringW.USER32(?,?,00000200,?), ref: 01008739

vwprintf.MSVCRT ref: 0100887A

Strings

CertMgr Failed, xrefs: 0100885B, 01008866, 01008879
CryptDllFormatObject, xrefs: 0100885A

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: LoadStringvwprintf
String ID: CertMgr Failed$CryptDllFormatObject
API String ID: 1051060134-3788540627
Opcode ID: d0190c0cfcd4c59cea5f43fc1432d9acab967ab62127b66740c1381843548774
Instruction ID: 0b99e269634fa5a0d08168cef0d2f09bb0364d49c9215f1acf8a3bd6d1372054
Opcode Fuzzy Hash: d0190c0cfcd4c59cea5f43fc1432d9acab967ab62127b66740c1381843548774
Instruction Fuzzy Hash: 3DD09232409221AAEB179F54BC05CDB7BA9FB89221F04041AF58492094D72698649BA6

Non-executed Functions

Function 010045F3 Relevance: 28.4, APIs: 10, Strings: 6, Instructions: 408
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptReleaseContext.ADVAPI32(?,00000000,MD5,?,?), ref: 01004643
CertGetCertificateContextProperty.CRYPT32(00000000,00000002,00000000,00000000), ref: 01004656
printf.MSVCRT ref: 0100472A
CryptHashPublicKeyInfo.CRYPT32(?,00008003,00000000,?,?,?), ref: 01004615

Part of subcall function 0100885A: vwprintf.MSVCRT ref: 0100887A

Part of subcall function 01005D22: printf.MSVCRT ref: 01005D54
Part of subcall function 01005D22: printf.MSVCRT ref: 01005D5D

printf.MSVCRT ref: 010047DC
printf.MSVCRT ref: 01004849

Part of subcall function 010087DF: malloc.MSVCRT ref: 010087E6

CertGetPublicKeyLength.CRYPT32(?,00000003), ref: 0100494E
printf.MSVCRT ref: 01004990
printf.MSVCRT ref: 01004AA6
printf.MSVCRT ref: 01004AF6

Strings

MD5, xrefs: 01004634
<NULL>, xrefs: 010047B5, 010047CE, 010047DA, 01004821
@, xrefs: 0100476F
%s (%S), xrefs: 010047D5, 010047DB, 01004848
, xrefs: 010047E8, 0100480E, 01004887, 010048E7, 01004905, 01004923, 010049A9, 01004A00, 01004A3C, 01004AB6, 01004B06
"@, xrefs: 01004833

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: printf$CertContextCryptPublic$CertificateHashInfoLengthPropertyReleasemallocvwprintf
String ID: $%s (%S)$<NULL>$MD5$"@$@
API String ID: 3252116695-720032102
Opcode ID: 5f47ba163a8f5487d697a36692f403af8a0e254acf5a77b92a6cb57bb1b12a27
Instruction ID: 86ecd996dec41b75314290f4de11290c562387a63d4e99c161d87747d2f252fd
Opcode Fuzzy Hash: 5f47ba163a8f5487d697a36692f403af8a0e254acf5a77b92a6cb57bb1b12a27
Instruction Fuzzy Hash: 11E18B71A00700EFFB17AF14EC85EAA3BB5FB18310F14C569F6849A1E1EB76D9119B18

Function 010037EC Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 188encryptionstringCOMMON

Download Yara Rule

APIs

Part of subcall function 0100894A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,76323D80,?,?,0100227A,00000000,0100A688), ref: 0100896D

strtok.MSVCRT ref: 01003835
CryptEncodeObject.CRYPT32(00000001,2.5.29.37,?,00000000,01002A8D), ref: 010038EE
CryptEncodeObject.CRYPT32(00000001,2.5.29.37,?,00000000,01002A8D), ref: 01003910

Strings

2.5.29.37, xrefs: 010038E6, 010038EB, 0100390D

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: CryptEncodeObject$ByteCharMultiWidestrtok
String ID: 2.5.29.37
API String ID: 722503527-3842544949
Opcode ID: a292249613b1763ea29f4c1edc6f4f1df83ed2498d6ccd8199e275abe18d0251
Instruction ID: b860460594227b93c8124e25a01a2def9a46fe50629c487eb601de37f54bba0f
Opcode Fuzzy Hash: a292249613b1763ea29f4c1edc6f4f1df83ed2498d6ccd8199e275abe18d0251
Instruction Fuzzy Hash: F8516375D0021AAFEF139FA9CC809AEBBF9FF04240F1440A9E695A7190D7319E45DBA0

Function 010052A5 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 134encryptionCOMMON

Download Yara Rule

APIs

CryptSIPRetrieveSubjectGuid.CRYPT32(00000014,00000000,?), ref: 010052C9
CryptSIPLoad.CRYPT32(?,00000000,?,00000000,00000000,74E894E0), ref: 010052F0

Part of subcall function 010087DF: malloc.MSVCRT ref: 010087E6

CertOpenStore.CRYPT32(00000005,00000000,00000000,00000014), ref: 01005393
CryptMsgOpenToDecode.CRYPT32(00000000,?,00000000,00000000,00000000,?), ref: 010053C5
CertCloseStore.CRYPT32(00000000,00000000), ref: 010053D6
CryptMsgUpdate.CRYPT32(00000000,?,00000014,00000001), ref: 010053EA
CertCloseStore.CRYPT32(00000000,00000000), ref: 010053F6
CryptMsgClose.CRYPT32 ref: 01005405

Strings

P, xrefs: 01005333

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: Crypt$CertCloseStore$Open$DecodeGuidLoadRetrieveSubjectUpdatemalloc
String ID: P
API String ID: 2612970599-3110715001
Opcode ID: adec96a5f5fa256dc24dddbe384e1a1c19b6a707cc696c539e4dedd743b142a4
Instruction ID: b79b5d030fb68defac3c4168e1d0e744cba54ef8a6fd8182e5e4b2aa1f9a581b
Opcode Fuzzy Hash: adec96a5f5fa256dc24dddbe384e1a1c19b6a707cc696c539e4dedd743b142a4
Instruction Fuzzy Hash: 3741EA71A01228ABEF229B95DC48ADFBFBDFB08751F008066F695E2154DB758644CFA0

Function 010050E8 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 153encryptionCOMMON

Download Yara Rule

APIs

CryptMsgGetAndVerifySigner.CRYPT32(?,00000000,00000000,00000004,?,00000014), ref: 010051B3
CertFreeCTLContext.CRYPT32(?,?,?), ref: 010051E7

Part of subcall function 01008186: CryptMsgGetParam.CRYPT32(00000014,00000006,?,00000000,?), ref: 010081A1
Part of subcall function 01008186: CryptMsgGetParam.CRYPT32(00000014,00000006,?,00000000,00000000), ref: 010081CD

Part of subcall function 0100885A: vwprintf.MSVCRT ref: 0100887A

Part of subcall function 010059BD: printf.MSVCRT ref: 01005A0E

Part of subcall function 01008811: free.MSVCRT(00000000,010019E2,00000000), ref: 0100881C

Strings

<NULL>, xrefs: 010050EF, 01005149
%s (%S), xrefs: 01005110, 0100516A
, xrefs: 01005138, 01005192

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: Crypt$Param$CertContextFreeSignerVerifyfreeprintfvwprintf
String ID: $%s (%S)$<NULL>
API String ID: 1607567234-2923719891
Opcode ID: a2cc370de8905cfd463e87757b93c377935dc9b7d348b015e306b42786883676
Instruction ID: 92bca0db7f65d22edff000fd8d56fbaab9da7fa5f8df34a42b6d8fa7d1a7d36a
Opcode Fuzzy Hash: a2cc370de8905cfd463e87757b93c377935dc9b7d348b015e306b42786883676
Instruction Fuzzy Hash: 4C41AC32A40204FEFB23AB50ED41DEE7BBAFF54710F108519FAC4660E0EB729A519B50

Function 01007FF1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90encryptionCOMMON

Download Yara Rule

APIs

CryptGetOIDFunctionAddress.CRYPT32(00001BB1,00000000,00001BB1,?,?,-00001BAE), ref: 01008042
wprintf.MSVCRT ref: 010080A1
CryptFreeOIDFunctionAddress.CRYPT32(?,00000000), ref: 010080C3

Strings

%s, xrefs: 0100809C

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: AddressCryptFunction$Freewprintf
String ID: %s
API String ID: 1836932162-620797490
Opcode ID: dd37bf7ee46febbc036273550b200ea95b8f3cf3d889ab71ea1f4efa0ccecf7e
Instruction ID: ae9ebcde7074f3427b28406c2ea721576cd98c390dd7c43420ce9a5e998d0c75
Opcode Fuzzy Hash: dd37bf7ee46febbc036273550b200ea95b8f3cf3d889ab71ea1f4efa0ccecf7e
Instruction Fuzzy Hash: D1211636A01228FBEB62DFA5DC48DEF7FB9FB04751F008056FA4492090C7768654DBA0

Function 010076EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56encryptionCOMMON

Download Yara Rule

APIs

CryptDecodeObject.CRYPT32(2.5.29.21,?,?,00000000,?,?), ref: 01007711

Part of subcall function 0100885A: vwprintf.MSVCRT ref: 0100887A

printf.MSVCRT ref: 0100778C
printf.MSVCRT ref: 01007795

Strings

2.5.29.21, xrefs: 01007706

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: printf$CryptDecodeObjectvwprintf
String ID: 2.5.29.21
API String ID: 141116906-359661889
Opcode ID: 636bbf38a5d317e38e3c6387f97156947c477660528b6178884334b33cab2109
Instruction ID: 604cb0df0c639c08ae5e724361b11889c9a03312fa331b237a752a71003b9e20
Opcode Fuzzy Hash: 636bbf38a5d317e38e3c6387f97156947c477660528b6178884334b33cab2109
Instruction Fuzzy Hash: 3E011E75689309FAF7175B50AC42EDD3765F704791F10801AB7C9A90D0EBB9B9018A91

Function 0100826B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60encryptionCOMMON

Download Yara Rule

APIs

CryptDecodeObject.CRYPT32(00010001,?,00000000,00000011,00000001,00000000,?), ref: 010082A0
CryptDecodeObject.CRYPT32(00010001,?,00000000,00000011,00000001,00000000,12345678), ref: 010082CC

Strings

1.2.840.113549.1.9.5, xrefs: 01008275

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: CryptDecodeObject
String ID: 1.2.840.113549.1.9.5
API String ID: 1207547050-925610549
Opcode ID: bda695397514f3fee6e3046ae6edda84bebadf11517ceb8097cdc9ec799a9215
Instruction ID: 846f05ef3e627ff923ec03161ef7dbed8af35a42488942c709b8441ef5f5e21e
Opcode Fuzzy Hash: bda695397514f3fee6e3046ae6edda84bebadf11517ceb8097cdc9ec799a9215
Instruction Fuzzy Hash: EC112A76A00609BFEF128E989D80DAF7AADBB08244F108476FA4096190D671DE109B20

Function 01006F21 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44encryptionCOMMON

Download Yara Rule

APIs

CryptDecodeObject.CRYPT32(1.3.6.1.4.1.311.2.1.27,?,?,00000000,?,?), ref: 01006F49

Part of subcall function 0100885A: vwprintf.MSVCRT ref: 0100887A

printf.MSVCRT ref: 01006FA8

Strings

1.3.6.1.4.1.311.2.1.27, xrefs: 01006F3E

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: CryptDecodeObjectprintfvwprintf
String ID: 1.3.6.1.4.1.311.2.1.27
API String ID: 2064051232-3254324927
Opcode ID: 50587eb5af338e51fadaf433e0fe8bb0e14413c90f8a0a40aed8e81b19aa8bce
Instruction ID: a40f8fcbc5df7a7741f39d032763650f3e7bbc26de7a4f6c5f7eb4b792bec615
Opcode Fuzzy Hash: 50587eb5af338e51fadaf433e0fe8bb0e14413c90f8a0a40aed8e81b19aa8bce
Instruction Fuzzy Hash: 5B014F71A48305FEFF275B50FC46F9C3BB5AB04701F60816EF284A50D4DBB666648B45

Function 01006FB3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35encryptionCOMMON

Download Yara Rule

APIs

CryptDecodeObject.CRYPT32(1.3.6.1.4.1.311.2.1.26,?,?,00000000,?,?), ref: 01006FD9

Part of subcall function 0100885A: vwprintf.MSVCRT ref: 0100887A

printf.MSVCRT ref: 01007019

Strings

1.3.6.1.4.1.311.2.1.26, xrefs: 01006FCE

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: CryptDecodeObjectprintfvwprintf
String ID: 1.3.6.1.4.1.311.2.1.26
API String ID: 2064051232-3070115369
Opcode ID: ce6be71bbfede8040b3dd8588647cbc673b80bbafdea763f8c919ec8b6e125fe
Instruction ID: c880fe999930be683d3f2e77d68b54266f9f90a4ee39e2af295de1dd9e8f41b0
Opcode Fuzzy Hash: ce6be71bbfede8040b3dd8588647cbc673b80bbafdea763f8c919ec8b6e125fe
Instruction Fuzzy Hash: A1F03076644308FAFB279B50EC06FDD3BB8FB04760F10C11AF685590D0DBBAA6149B58

Function 010082F1 Relevance: 4.5, APIs: 3, Instructions: 32timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?,?,?,?,?,?,01004C36,00000000,?,?,?,?,00000001,0000000A), ref: 01008302
SystemTimeToFileTime.KERNEL32(?,01004C36,?,?,?,?,01004C36,00000000,?,?,?,?,00000001,0000000A), ref: 01008310
CompareFileTime.KERNEL32(E80100CA,01004C36,?,?,?,?,01004C36,00000000,?,?,?,?,00000001,0000000A), ref: 0100832A

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: Time$FileSystem$Compare
String ID:
API String ID: 2701012859-0
Opcode ID: 29485ba8917972643eb751f90bc0b0930ff26f685867e9332db32897801ae220
Instruction ID: 4aba3ffc9628d597b2dade0704a49769f045ab056c2b93999336ab32b65d5af0
Opcode Fuzzy Hash: 29485ba8917972643eb751f90bc0b0930ff26f685867e9332db32897801ae220
Instruction Fuzzy Hash: 41F05471900209EFEB11DB95D849FDA7BFCBB04354F408556F682D3090E7B4E289CBA4

Function 0100812A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24encryptionCOMMON

Download Yara Rule

APIs

CryptFindOIDInfo.CRYPT32(00000001,?,00000004), ref: 01008142

Strings

, xrefs: 0100812F

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: CryptFindInfo
String ID:
API String ID: 4232373045-399585960
Opcode ID: 82cb662c5139adc79914bdd92f9a03b1b13f993d0efccfc6ee54132e69f199d6
Instruction ID: 2c12d7960dfe1052e08b092bc00a13c045acbfa13a3bc0b070c4649c9602dbe5
Opcode Fuzzy Hash: 82cb662c5139adc79914bdd92f9a03b1b13f993d0efccfc6ee54132e69f199d6
Instruction Fuzzy Hash: 30F032326043028FE725CF08D841F96B7E8FF94721F21484AE2D19B290D3B0E860CBA5

Function 01007E5A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 11encryptionCOMMON

Download Yara Rule

APIs

CryptFindOIDInfo.CRYPT32(00000001,?,?), ref: 01007E64

Strings

<UNKNOWN OID>, xrefs: 01007E77

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: CryptFindInfo
String ID: <UNKNOWN OID>
API String ID: 4232373045-3377398671
Opcode ID: 7980f1f6f52001df9c7e8d35204e7d8dde8c049863cb83881a6129005cb12277
Instruction ID: 784702876f8729f255bafaaaf60c1ad1af978e134d3cbec85b0a87c43ac6ec32
Opcode Fuzzy Hash: 7980f1f6f52001df9c7e8d35204e7d8dde8c049863cb83881a6129005cb12277
Instruction Fuzzy Hash: B6D0C9356042419EE7539B48C804E557AE5BB48380F00C444F2C48B0F1C3B5DC94D721

Function 01008186 Relevance: 3.0, APIs: 2, Instructions: 46encryptionCOMMON

Download Yara Rule

APIs

CryptMsgGetParam.CRYPT32(00000014,00000006,?,00000000,?), ref: 010081A1

Part of subcall function 010087DF: malloc.MSVCRT ref: 010087E6

CryptMsgGetParam.CRYPT32(00000014,00000006,?,00000000,00000000), ref: 010081CD

Part of subcall function 01008811: free.MSVCRT(00000000,010019E2,00000000), ref: 0100881C

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: CryptParam$freemalloc
String ID:
API String ID: 2367485992-0
Opcode ID: adf3a42ce27c442b389434658677714e6a74ce59a07f4cbf9e2db1c4dc5a88bb
Instruction ID: b3c547420d5a6bd63a33aa8aa87b0f3f52753ff7fbb4b7b0f3ac1b29e9df4a44
Opcode Fuzzy Hash: adf3a42ce27c442b389434658677714e6a74ce59a07f4cbf9e2db1c4dc5a88bb
Instruction Fuzzy Hash: 4701EC36A00209FAEF129E55CD00FEF3BBEFF84650F148066BE4596194D771DA11EB60

Function 0100877A Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,00000000), ref: 010087B2

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: ac5f0212b35ebecbe4954b66f4b7803148b0c8486a6e16b36b63e5b5f9e79701
Instruction ID: 32b058e7832969f901bcf3efe038367cb72c475154847f14ec00cf830c866a46
Opcode Fuzzy Hash: ac5f0212b35ebecbe4954b66f4b7803148b0c8486a6e16b36b63e5b5f9e79701
Instruction Fuzzy Hash: 6EF05E35B01304DFEB328B38ED09B8677F4A798308F0044A59289A7284D7B9D586CF41

Function 01008168 Relevance: 1.5, APIs: 1, Instructions: 10encryptionCOMMON

Download Yara Rule

APIs

CryptFindOIDInfo.CRYPT32(00000001,00000000,00000000), ref: 01008172

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: CryptFindInfo
String ID:
API String ID: 4232373045-0
Opcode ID: 682c5f194ba7d06e2907ea4b456c06efcc41087d9342ac626dd1fc760805c02b
Instruction ID: ca48236bc263845dfec324a9d0da35e7288f0e0fb88e63e53fe64c0a53713fbf
Opcode Fuzzy Hash: 682c5f194ba7d06e2907ea4b456c06efcc41087d9342ac626dd1fc760805c02b
Instruction Fuzzy Hash: 44C01232B04201FBE7828A60C809E8ABEA9BF54780F08C885B2C4860A4CB72C0509B51

Function 01002CED Relevance: 36.3, APIs: 24, Instructions: 299
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertFindCertificateInStore.CRYPT32(?,?,?,?), ref: 01002D16
CertAddCertificateContextToStore.CRYPT32(?,?), ref: 01002D37
CertFreeCTLContext.CRYPT32(?,?,?,?,?,?), ref: 01002D48
CertFreeCTLContext.CRYPT32(?,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 01002FC7
CertFreeCTLContext.CRYPT32(00000014,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 01002FD5
CertFreeCTLContext.CRYPT32(?,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 01002FE3
CertFreeCTLContext.CRYPT32(00000001,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 01002FF1
CertFreeCTLContext.CRYPT32(00000000,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 01002FFF
CertFreeCTLContext.CRYPT32(01001A87,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 0100300D
CertFreeCTLContext.CRYPT32(?,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 0100302F
free.MSVCRT(?,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 01003043
CertFreeCTLContext.CRYPT32(00001B59,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 0100305C
free.MSVCRT(00001B59,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 01003070
CertFreeCTLContext.CRYPT32(0000000A,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 01003089
free.MSVCRT(0000000A,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 0100309D
CertCloseStore.CRYPT32(0000000A,00000000), ref: 010030A9

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: Cert$Context$Free$Storefree$Certificate$CloseFind
String ID:
API String ID: 130065044-0
Opcode ID: 3bdfc37a5d618b4b03b1f22adc64ee428c58dd3893b6d4778e4e88838572d4ec
Instruction ID: eb9862162d1094444616c4199cfab3bfad784c34e436f95c684893f0ed41291d
Opcode Fuzzy Hash: 3bdfc37a5d618b4b03b1f22adc64ee428c58dd3893b6d4778e4e88838572d4ec
Instruction Fuzzy Hash: 06C11670A04248EFEF23DF98DD489EEBBB5FF44340F24416AF581A61A4D7768A54DB10

Function 01002798 Relevance: 33.4, APIs: 22, Instructions: 392
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CertOpenStore.CRYPT32(00000002,00000000,00000000,00000000), ref: 010027EC
CertFreeCTLContext.CRYPT32(?,?), ref: 01002AD2
CertFreeCTLContext.CRYPT32(?,?), ref: 01002AE0
CertFreeCTLContext.CRYPT32(?,?), ref: 01002AEE
CertFreeCTLContext.CRYPT32(?,?), ref: 01002B10
free.MSVCRT(?,?), ref: 01002B24
CertFreeCTLContext.CRYPT32(?,?), ref: 01002B3D
free.MSVCRT(?,?), ref: 01002B51
CertFreeCTLContext.CRYPT32(?,?), ref: 01002B6A
free.MSVCRT(?,?), ref: 01002B7E
CertCloseStore.CRYPT32(?,00000000), ref: 01002B8A
CertAddCertificateContextToStore.CRYPT32(?,?,00000003,00000000), ref: 01002C48

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: Cert$Context$Free$Storefree$CertificateCloseOpen
String ID:
API String ID: 1406681850-0
Opcode ID: 045ae89b60602ae98f6894c9f6585b8c08aa957313f1b1a0f09ef2c55fd5420a
Instruction ID: 34fd6ed0ad1e52c2d3e3974f2dbc3af9f0b04a175075539df2dc6701a0a6086b
Opcode Fuzzy Hash: 045ae89b60602ae98f6894c9f6585b8c08aa957313f1b1a0f09ef2c55fd5420a
Instruction Fuzzy Hash: F4E13B70E04609EFEF23DF99DD48AEEBBB9FF45340F14409AE581A2194D7768A80CB10

Function 010061B4 Relevance: 31.7, APIs: 10, Strings: 8, Instructions: 200
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0100826B: CryptDecodeObject.CRYPT32(00010001,?,00000000,00000011,00000001,00000000,?), ref: 010082A0
Part of subcall function 0100826B: CryptDecodeObject.CRYPT32(00010001,?,00000000,00000011,00000001,00000000,12345678), ref: 010082CC

printf.MSVCRT ref: 0100625D
printf.MSVCRT ref: 0100627C
printf.MSVCRT ref: 0100628E
CertRDNValueToStrA.CRYPT32(?,00000008,00000000,00000000), ref: 0100629F
CertRDNValueToStrA.CRYPT32(?,00000008,00000000,?), ref: 010062C5
printf.MSVCRT ref: 010062E2
CertRDNValueToStrW.CRYPT32(?,00000008,00000000,00000000), ref: 010062FD

Part of subcall function 01008811: free.MSVCRT(00000000,010019E2,00000000), ref: 0100881C

printf.MSVCRT ref: 010063C9
printf.MSVCRT ref: 010063E9

Strings

0x%08X, xrefs: 01006277
<NULL>, xrefs: 0100621A, 01006248, 0100624F
%s, xrefs: 010062DD
[%d,%d] %s (%S) %s, xrefs: 010063C4
[%d,%d] %s (%S) %S, xrefs: 010063AE
[%d,%d] %s (%S) , xrefs: 010063E4
[%d,%d] %s (%S), xrefs: 01006258
, xrefs: 0100640A

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: printf$CertValue$CryptDecodeObject$free
String ID: $ [%d,%d] %s (%S)$ [%d,%d] %s (%S) $ [%d,%d] %s (%S) %S$ [%d,%d] %s (%S) %s$ 0x%08X$%s$<NULL>
API String ID: 2812972246-790891399
Opcode ID: 6111c4928c2ac3d638f084be19f3e276c73f52cde3cdc2ced2399629f530f36e
Instruction ID: e74627299f22922c4e45c7e90be67055b470c84a2c9a99562eac8e0645b30a3a
Opcode Fuzzy Hash: 6111c4928c2ac3d638f084be19f3e276c73f52cde3cdc2ced2399629f530f36e
Instruction Fuzzy Hash: 91518B71504305AFE712AF54DC41A6BBBEAFF84744F00882DF6C5961A1D672ED208B62

Function 01004B7B Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 145
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

printf.MSVCRT ref: 01004B84
printf.MSVCRT ref: 01004BE6
CertGetCRLContextProperty.CRYPT32(00000000,00000003,?,00000014), ref: 01004C5D
CertGetCRLContextProperty.CRYPT32(00000000,00000004,?,00000014), ref: 01004C82
printf.MSVCRT ref: 01004CD4

Part of subcall function 0100885A: vwprintf.MSVCRT ref: 0100887A

Strings

M<, xrefs: 01004C08
MD5, xrefs: 01004C8B
%s , xrefs: 01004CCF
<NULL>, xrefs: 01004CB7, 01004CCE
SHA1, xrefs: 01004C66
-<, xrefs: 01004C28
, xrefs: 01004BB6, 01004CFA
[%d] %s, xrefs: 01004B7F

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: printf$CertContextProperty$vwprintf
String ID: $ [%d] %s$%s $<NULL>$MD5$SHA1$-<$M<
API String ID: 21191961-3450786771
Opcode ID: 82275641a5fc0f0d39834bc25ecf01e808d18fe86dbd4543574247826e20e04b
Instruction ID: 9d0a5b4a088e6354c4df037c23d7952e0cd7c073e0700367d6bff15a6fcff5f6
Opcode Fuzzy Hash: 82275641a5fc0f0d39834bc25ecf01e808d18fe86dbd4543574247826e20e04b
Instruction Fuzzy Hash: EB41B032A40305FAFB276BA0EC41EDE3BB9FF44710F10851AF6C5A64D0DB76A6118B14

Function 01002EB2 Relevance: 22.6, APIs: 15, Instructions: 123encryptionCOMMON

Download Yara Rule

APIs

CertAddCTLContextToStore.CRYPT32(?,?), ref: 01002EDC
CertSaveStore.CRYPT32(0000000A,00000002,00000004,00000000,?,00000014), ref: 01002F11
CertFreeCTLContext.CRYPT32(?,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 01002FC7
CertFreeCTLContext.CRYPT32(00000014,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 01002FD5
CertFreeCTLContext.CRYPT32(?,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 01002FE3
CertFreeCTLContext.CRYPT32(00000001,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 01002FF1
CertFreeCTLContext.CRYPT32(00000000,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 01002FFF
CertFreeCTLContext.CRYPT32(01001A87,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 0100300D
CertFreeCTLContext.CRYPT32(?,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 0100302F
free.MSVCRT(?,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 01003043
CertFreeCTLContext.CRYPT32(00001B59,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 0100305C
free.MSVCRT(00001B59,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 01003070
CertFreeCTLContext.CRYPT32(0000000A,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 01003089
free.MSVCRT(0000000A,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 0100309D
CertCloseStore.CRYPT32(0000000A,00000000), ref: 010030A9

Part of subcall function 0100885A: vwprintf.MSVCRT ref: 0100887A

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: Cert$Context$Free$Storefree$CloseSavevwprintf
String ID:
API String ID: 3899236436-0
Opcode ID: 82ccb76044befd0f0c9d8df628e9aa3788654e2b0cee29a206605203eb8ba0fc
Instruction ID: 0d48f32fa6eb499900837a5549afe58c902de287f41537b1617c15c5d5e4c5f9
Opcode Fuzzy Hash: 82ccb76044befd0f0c9d8df628e9aa3788654e2b0cee29a206605203eb8ba0fc
Instruction Fuzzy Hash: E741C630E04508EFEB23DF98E8589ADBBB2FB44751F20416AF181A61A4D7764990DF10

Function 01002ECA Relevance: 21.1, APIs: 14, Instructions: 105encryptionCOMMON

Download Yara Rule

APIs

CertAddCTLContextToStore.CRYPT32(?,?), ref: 01002EDC
CertSaveStore.CRYPT32(0000000A,00000002,00000004,00000000,?,00000014), ref: 01002F11
CertFreeCTLContext.CRYPT32(?,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 01002FC7
CertFreeCTLContext.CRYPT32(00000014,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 01002FD5
CertFreeCTLContext.CRYPT32(?,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 01002FE3
CertFreeCTLContext.CRYPT32(00000001,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 01002FF1
CertFreeCTLContext.CRYPT32(00000000,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 01002FFF
CertFreeCTLContext.CRYPT32(01001A87,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 0100300D
CertFreeCTLContext.CRYPT32(?,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 0100302F
free.MSVCRT(?,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 01003043
CertFreeCTLContext.CRYPT32(00001B59,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 0100305C
free.MSVCRT(00001B59,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 01003070
CertFreeCTLContext.CRYPT32(0000000A,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 01003089
free.MSVCRT(0000000A,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 0100309D
CertCloseStore.CRYPT32(0000000A,00000000), ref: 010030A9

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: Cert$Context$Free$Storefree$CloseSave
String ID:
API String ID: 2383314234-0
Opcode ID: 44f24ea2f3b1b9111daca72f347d77c9825db06b8cf0918004aecb4cbf145063
Instruction ID: 7a6e763276f1ff6a1583ed280b2d0cd277c8e7bb0b8b454caa168fca8f759725
Opcode Fuzzy Hash: 44f24ea2f3b1b9111daca72f347d77c9825db06b8cf0918004aecb4cbf145063
Instruction Fuzzy Hash: 5741A230D01509EFEF63DF98E8588ADBBB2FF44351F2041AAF181A61A4D7365A90DF10

Function 01002CD5 Relevance: 19.6, APIs: 13, Instructions: 94encryptionCOMMON

Download Yara Rule

APIs

CertFreeCTLContext.CRYPT32(?,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 01002FC7
CertFreeCTLContext.CRYPT32(00000014,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 01002FD5
CertFreeCTLContext.CRYPT32(?,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 01002FE3
CertFreeCTLContext.CRYPT32(00000001,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 01002FF1
CertFreeCTLContext.CRYPT32(00000000,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 01002FFF
CertFreeCTLContext.CRYPT32(01001A87,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 0100300D
CertFreeCTLContext.CRYPT32(?,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 0100302F
free.MSVCRT(?,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 01003043
CertFreeCTLContext.CRYPT32(00001B59,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 0100305C
free.MSVCRT(00001B59,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 01003070
CertFreeCTLContext.CRYPT32(0000000A,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 01003089
free.MSVCRT(0000000A,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001,00000000), ref: 0100309D
CertCloseStore.CRYPT32(0000000A,00000000), ref: 010030A9

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: Cert$ContextFree$free$CloseStore
String ID:
API String ID: 912534999-0
Opcode ID: 0b9b1a8d95d0a15ebdfa217c3d6cb6d1215d841cd4f5a3eacdf94ecb0c9337c0
Instruction ID: 99188bbe496bf8758c5ea39b80305226f1081637001da1457b9d533289462e6a
Opcode Fuzzy Hash: 0b9b1a8d95d0a15ebdfa217c3d6cb6d1215d841cd4f5a3eacdf94ecb0c9337c0
Instruction Fuzzy Hash: 48419F30D01518EFDB63DB98E8588ADBBB2FF44351F2041AAF181B61A4DB765A90DF10

Function 01004B5E Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 141encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 0100885A: vwprintf.MSVCRT ref: 0100887A

printf.MSVCRT ref: 01004BE6
CertGetCRLContextProperty.CRYPT32(00000000,00000003,?,00000014), ref: 01004C5D
CertGetCRLContextProperty.CRYPT32(00000000,00000004,?,00000014), ref: 01004C82
printf.MSVCRT ref: 01004CD4

Strings

M<, xrefs: 01004C08
MD5, xrefs: 01004C8B
%s , xrefs: 01004CCF
<NULL>, xrefs: 01004CB7, 01004CCE
SHA1, xrefs: 01004C66
-<, xrefs: 01004C28
, xrefs: 01004BB6, 01004CFA

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: CertContextPropertyprintf$vwprintf
String ID: $%s $<NULL>$MD5$SHA1$-<$M<
API String ID: 965754941-1913507623
Opcode ID: bc194e09554f3ad080c54f1c94400a3d217923589b23381cf0e65655e601a870
Instruction ID: 1b0accdc72fc96e108dfb705b1481be5d94914ce0dba3e5b056fda0701430da9
Opcode Fuzzy Hash: bc194e09554f3ad080c54f1c94400a3d217923589b23381cf0e65655e601a870
Instruction Fuzzy Hash: 6A41BF32A44305FAFB277B60EC41E9A3BB9FB54710F10851AF6C5AA4D0DB76A6118B14

Function 01003C14 Relevance: 18.1, APIs: 12, Instructions: 85encryptionCOMMON

Download Yara Rule

APIs

CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 01003C35
CertDuplicateCertificateContext.CRYPT32(00000000), ref: 01003C42
CertDeleteCTLFromStore.CRYPT32(00000000,?,00000001), ref: 01003C49
CertEnumCTLsInStore.CRYPT32(?,00000000), ref: 01003C5F
CertDuplicateCTLContext.CRYPT32(00000000,?,00000001), ref: 01003C6C
CertDeleteCTLFromStore.CRYPT32(00000000,?,00000001), ref: 01003C73
CertGetCRLFromStore.CRYPT32(?,00000000,00000000,00000002), ref: 01003C91
CertDuplicateCTLContext.CRYPT32(00000000,?,00000001), ref: 01003C9E
CertDeleteCTLFromStore.CRYPT32(00000000,?,00000001), ref: 01003CA5
CertFreeCTLContext.CRYPT32(00000000,00000000,?,?,00000001), ref: 01003CC4
CertFreeCTLContext.CRYPT32(00000000,00000000,?,?,00000001), ref: 01003CCF
CertFreeCTLContext.CRYPT32(00000000,00000000,?,?,00000001), ref: 01003CDA

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: Cert$ContextStore$From$DeleteDuplicateFree$Enum$CertificateCertificates
String ID:
API String ID: 4186978145-0
Opcode ID: 69323ae7f165615aa63ff37f18db1fa40dddc2f2f00fb5c5464ccbf51c553884
Instruction ID: 3d4f8e321d260166deb2c37b4722702f530a5fe9b12f1c2784a3adff5fa3238a
Opcode Fuzzy Hash: 69323ae7f165615aa63ff37f18db1fa40dddc2f2f00fb5c5464ccbf51c553884
Instruction Fuzzy Hash: BB219F31208389AFF3238F66994CF6BBADCBB80B00F04051DFAC6D5184DBBAD4088761

Function 010058ED Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

wprintf.MSVCRT ref: 01005928
wprintf.MSVCRT ref: 0100594D
wprintf.MSVCRT ref: 01005964
wprintf.MSVCRT ref: 0100596F
wprintf.MSVCRT ref: 0100598F
wprintf.MSVCRT ref: 010059A9

Part of subcall function 0100885A: vwprintf.MSVCRT ref: 0100887A

Strings

, xrefs: 0100595F
%02X, xrefs: 01005948
', xrefs: 0100596A

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: wprintf$vwprintf
String ID: $ '$ %02X
API String ID: 3863390932-3839679036
Opcode ID: 245ba5faa3f9159075175ac61e8e4ce443989ae8e7eac280a279cfb65d9a8e45
Instruction ID: 119df7375fa19e6f2ab5bdbf58a660095d498569f61a997e21fed4e990c2eee5
Opcode Fuzzy Hash: 245ba5faa3f9159075175ac61e8e4ce443989ae8e7eac280a279cfb65d9a8e45
Instruction Fuzzy Hash: 48212733644319AAFB174E5AAC81ABD7B55EB82731F10412FFBC4490C0DBB189518FA5

Function 01004DE4 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 134encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 0100885A: vwprintf.MSVCRT ref: 0100887A

Part of subcall function 01005D9D: FileTimeToLocalFileTime.KERNEL32(00000001,?,00001B9E,?,00000032,00001B9D,?,00000032,00000000,?,00000000), ref: 01005E22
Part of subcall function 01005D9D: FileTimeToSystemTime.KERNEL32(?,01004BFC), ref: 01005E30
Part of subcall function 01005D9D: _wasctime.MSVCRT ref: 01005E7F
Part of subcall function 01005D9D: wcscpy.MSVCRT ref: 01005E8D
Part of subcall function 01005D9D: wcslen.MSVCRT ref: 01005E9C
Part of subcall function 01005D9D: wcslen.MSVCRT ref: 01005EAE
Part of subcall function 01005D9D: swprintf.MSVCRT(00000000,?,?), ref: 01005EC5

CertGetCRLContextProperty.CRYPT32(?,00000003,?,00000000), ref: 01004E6A

Part of subcall function 01005D22: printf.MSVCRT ref: 01005D54
Part of subcall function 01005D22: printf.MSVCRT ref: 01005D5D

CertGetCRLContextProperty.CRYPT32(?,00000004,?,00000000), ref: 01004E8B

Part of subcall function 01005D22: printf.MSVCRT ref: 01005D88
Part of subcall function 01005D22: printf.MSVCRT ref: 01005D98

printf.MSVCRT ref: 01004EE7

Strings

MD5, xrefs: 01004E94
%s , xrefs: 01004EE2
<NULL>, xrefs: 01004ECA, 01004EE1
SHA1, xrefs: 01004E73
, xrefs: 01004F13

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: printf$Time$File$CertContextPropertywcslen$LocalSystem_wasctimeswprintfvwprintfwcscpy
String ID: $%s $<NULL>$MD5$SHA1
API String ID: 877868225-3298317204
Opcode ID: ef0dc58a638ec4c96e9b5cf8bc8724160ce880f0840a3869fb4893d97a94868a
Instruction ID: 7f8b3de2b8d94eedb18c579de51c5a4a42e3cc02c95025c86376e5c6403baddd
Opcode Fuzzy Hash: ef0dc58a638ec4c96e9b5cf8bc8724160ce880f0840a3869fb4893d97a94868a
Instruction Fuzzy Hash: 2A41AE32A40305EFEB17AB50EC45EDA7BB5EF54320F14851AF6889B1E0D732EA11DB04

Function 01003B26 Relevance: 13.6, APIs: 9, Instructions: 94encryptionCOMMON

Download Yara Rule

APIs

CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 01003B4F
CertAddCertificateContextToStore.CRYPT32(?,00000000,00000003,00000000), ref: 01003B5E
CertEnumCTLsInStore.CRYPT32(?,00000000), ref: 01003B7E
CertAddCTLContextToStore.CRYPT32(?,00000000,00000003,00000000), ref: 01003B8E
CertGetCRLFromStore.CRYPT32(?,00000000,00000000,?), ref: 01003BB5
CertAddCTLContextToStore.CRYPT32(?,00000000,00000003,00000000), ref: 01003BC5
CertFreeCTLContext.CRYPT32(00000000,?,00000000,00000000), ref: 01003BE8
CertFreeCTLContext.CRYPT32(?,?,00000000,00000000), ref: 01003BF6
CertFreeCTLContext.CRYPT32(?,?,00000000,00000000), ref: 01003C04

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: Cert$ContextStore$Free$Enum$CertificateCertificatesFrom
String ID:
API String ID: 1456163896-0
Opcode ID: c3a9a6b756158b32af717f50f29f024c4bfb7f9630b8aa6ffe042a46a28ae4e2
Instruction ID: 62fc009a319d8c0195a875f5ee685bc7a5d0235e1fb2cd9ae9274de3586ab868
Opcode Fuzzy Hash: c3a9a6b756158b32af717f50f29f024c4bfb7f9630b8aa6ffe042a46a28ae4e2
Instruction Fuzzy Hash: E9312E30A00658BFEB239F99DD44AEE7FB9FF00744F144095FA85A6090C7B6DA50DB90

Function 010089CF Relevance: 13.6, APIs: 9, Instructions: 92fileCOMMON

Download Yara Rule

APIs

CreateFileU.CRYPT32(00000014,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000014,?,?,?,?,010056B8,00000014,?), ref: 01008A15
GetFileSize.KERNEL32(00000000,00000014,00000014,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000014,?,?,?,?,010056B8), ref: 01008A27
CreateFileMappingA.KERNEL32(00000014,00000000,00000002,00000000,00000000,00000000), ref: 01008A49
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,?,?,010056B8,00000014,?,00000014,?,?,01002606,?), ref: 01008A5C
GetLastError.KERNEL32(00000014,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000014,?,?,?,?,010056B8,00000014,?), ref: 01008A6C
GetLastError.KERNEL32(?,?,?,010056B8,00000014,?,00000014,?,?,01002606,?,?,00000014,?,SHA1,0000000A), ref: 01008A72
GetLastError.KERNEL32(?,?,?,010056B8,00000014,?,00000014,?,?,01002606,?,?,00000014,?,SHA1,0000000A), ref: 01008A78
CloseHandle.KERNEL32(00000000,?,?,?,010056B8,00000014,?,00000014,?,?,01002606,?), ref: 01008AA0
CloseHandle.KERNEL32(00000000,?,?,?,010056B8,00000014,?,00000014,?,?,01002606,?), ref: 01008AAB

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: File$ErrorLast$CloseCreateHandle$MappingSizeView
String ID:
API String ID: 524788506-0
Opcode ID: 96daecd4b54f800760b7eba25ae76a1021dbf1a70837195a7a57605f8b42a680
Instruction ID: 0b943f0ce0dfe5c40595c24f9d9a73b7fc00af20ea95221383c830475f75e040
Opcode Fuzzy Hash: 96daecd4b54f800760b7eba25ae76a1021dbf1a70837195a7a57605f8b42a680
Instruction Fuzzy Hash: 0F218031D41125FBFB228F58CC44A9E7EA8FB067A0F148166FA85A65C0D7749AC0CBE0

Function 01008ABD Relevance: 13.6, APIs: 9, Instructions: 71fileCOMMON

Download Yara Rule

APIs

CreateFileU.CRYPT32(00000014,40000000,00000000,00000000,00000002,00000000,00000000,00000000,00000001,?,?,01002FA4,?,?,?,00000014), ref: 01008AF1
GetLastError.KERNEL32(00000014,40000000,00000000,00000000,00000002,00000000,00000000,00000000,00000001,?,?,01002FA4,?,?,?,00000014), ref: 01008B03
GetLastError.KERNEL32(?,01002FA4,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001), ref: 01008B09
GetLastError.KERNEL32(?,01002FA4,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001), ref: 01008B0F
WriteFile.KERNEL32(00000000,?,?,?,00000000,00000014,40000000,00000000,00000000,00000002,00000000,00000000,00000000,00000001,?), ref: 01008B2D
GetLastError.KERNEL32(?,01002FA4,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001), ref: 01008B3D
GetLastError.KERNEL32(?,01002FA4,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000,00000001), ref: 01008B43
CloseHandle.KERNEL32(00000000,?,01002FA4,?,?,?,00000014,?,?,?,?,?,?,?,01001A87,00000000), ref: 01008B6C

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: ErrorLast$File$CloseCreateHandleWrite
String ID:
API String ID: 1274442398-0
Opcode ID: 017fd4a2c61951ceca550178e63e1fe5baddd7945ade91736ae77703dc99b890
Instruction ID: ca36d6a8c764a1ad78762d8e90c0044b46dda13cbba7938ceeca0ec5e291ba97
Opcode Fuzzy Hash: 017fd4a2c61951ceca550178e63e1fe5baddd7945ade91736ae77703dc99b890
Instruction Fuzzy Hash: AC11B772D05935EBE7324E698C049AE7EA8BF457B0F05C277BC85A7180D2789D418BD0

Function 010059BD Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 186COMMON

Download Yara Rule

APIs

printf.MSVCRT ref: 01005A0E

Part of subcall function 0100826B: CryptDecodeObject.CRYPT32(00010001,?,00000000,00000011,00000001,00000000,?), ref: 010082A0
Part of subcall function 0100826B: CryptDecodeObject.CRYPT32(00010001,?,00000000,00000011,00000001,00000000,12345678), ref: 010082CC

Part of subcall function 0100885A: vwprintf.MSVCRT ref: 0100887A

Part of subcall function 01008811: free.MSVCRT(00000000,010019E2,00000000), ref: 0100881C

Strings

[%d,%d] %s, xrefs: 01005A09
<NULL>, xrefs: 010059E9, 01005A02
1.2.840.113549.1.9.5, xrefs: 01005AD7
1.2.840.113549.1.9.6, xrefs: 01005A86
1.3.6.1.4.1.311.10.2, xrefs: 01005A35
, xrefs: 01005A2B

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: CryptDecodeObject$freeprintfvwprintf
String ID: $ [%d,%d] %s$1.2.840.113549.1.9.5$1.2.840.113549.1.9.6$1.3.6.1.4.1.311.10.2$<NULL>
API String ID: 1924496982-3034289211
Opcode ID: dc4e416ac7ec221467000f34955533da29cb243de22aa6c715d33c878ee53ce2
Instruction ID: dc23ba973dc3d7395123d3090bad1c8b21ddef8e4e577f654d15181199a09b3c
Opcode Fuzzy Hash: dc4e416ac7ec221467000f34955533da29cb243de22aa6c715d33c878ee53ce2
Instruction Fuzzy Hash: FA510230900646ABFB136F288C90AED7BEAEF06214F1485A0EAD5972D1E7329955CF50

Function 01005D9D Relevance: 12.1, APIs: 8, Instructions: 110timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32(00000001,?,00001B9E,?,00000032,00001B9D,?,00000032,00000000,?,00000000), ref: 01005E22
FileTimeToSystemTime.KERNEL32(?,01004BFC), ref: 01005E30
_wasctime.MSVCRT ref: 01005E7F
wcscpy.MSVCRT ref: 01005E8D
wcslen.MSVCRT ref: 01005E9C
wcslen.MSVCRT ref: 01005EAE
swprintf.MSVCRT(00000000,?,?), ref: 01005EC5
swprintf.MSVCRT(0100A138,?,?,00000001), ref: 01005EE2

Part of subcall function 0100871B: LoadStringW.USER32(?,?,00000200,?), ref: 01008739

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: Time$File$swprintfwcslen$LoadLocalStringSystem_wasctimewcscpy
String ID:
API String ID: 1198059487-0
Opcode ID: 9cb0004046fe059e89af9bf4c2c924899fde024fb2407f6cb232af7db561f201
Instruction ID: 80bea964167c077ebb7f29613c425d7d5d4cc7692e59d2015936a7dcd1f1c136
Opcode Fuzzy Hash: 9cb0004046fe059e89af9bf4c2c924899fde024fb2407f6cb232af7db561f201
Instruction Fuzzy Hash: B5414D71D00218EAEF26DF98DC459FEB7B8FF08341F10406AF9C5A2180E7798A41CB64

Function 0100573B Relevance: 10.6, APIs: 7, Instructions: 117COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 01005769
towupper.MSVCRT ref: 010057B6
towupper.MSVCRT ref: 010057BD
towupper.MSVCRT ref: 010057D3
towupper.MSVCRT ref: 010057FC
towupper.MSVCRT ref: 01005804
towupper.MSVCRT ref: 01005817

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: towupper$wcslen
String ID:
API String ID: 1941851458-0
Opcode ID: cbfc4fe8f45473ed4f58da605a210825dd77f785ce66fbee264452b09ad26d69
Instruction ID: 3e599955c825a32831a7801ae95c97f7390e987df3e4e7e2b89ac7e520e1f868
Opcode Fuzzy Hash: cbfc4fe8f45473ed4f58da605a210825dd77f785ce66fbee264452b09ad26d69
Instruction Fuzzy Hash: 51312435500225ABEB165F2CCC84AAEBBE8EF05720F21805AFD94DB6D0D638C941CFA1

Function 010040A4 Relevance: 10.6, APIs: 7, Instructions: 93encryptionCOMMON

Download Yara Rule

APIs

CertGetCRLFromStore.CRYPT32(?,00000000,00000000,?), ref: 010040DB
realloc.MSVCRT ref: 010040F3
CertDuplicateCTLContext.CRYPT32(?), ref: 01004104
CertGetCRLFromStore.CRYPT32(?,00000000,?,?), ref: 01004123
CertFreeCTLContext.CRYPT32(?), ref: 01004151
free.MSVCRT(?), ref: 0100415F
CertFreeCTLContext.CRYPT32(?), ref: 0100417F

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: Cert$Context$FreeFromStore$Duplicatefreerealloc
String ID:
API String ID: 706885998-0
Opcode ID: a4579f29af3d61a213aa29d82e2a73b783707612c536d4dd2498aed8bbe69d25
Instruction ID: 06b2f77ad534f3675ef950e49a2527f6f29af8039c94654542f0ba4c1af1809e
Opcode Fuzzy Hash: a4579f29af3d61a213aa29d82e2a73b783707612c536d4dd2498aed8bbe69d25
Instruction Fuzzy Hash: CC310475A00249EFEB228F98D8848ADBBF5FB54344F2084AEF695D7290C7319A40CF14

Function 010071FD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 93COMMON

Download Yara Rule

APIs

Part of subcall function 0100826B: CryptDecodeObject.CRYPT32(00010001,?,00000000,00000011,00000001,00000000,?), ref: 010082A0
Part of subcall function 0100826B: CryptDecodeObject.CRYPT32(00010001,?,00000000,00000011,00000001,00000000,12345678), ref: 010082CC

Part of subcall function 0100885A: vwprintf.MSVCRT ref: 0100887A

printf.MSVCRT ref: 01007271
printf.MSVCRT ref: 010072A3
printf.MSVCRT ref: 010072D7

Strings

[%d] %s, xrefs: 0100729E
[%d] %s, xrefs: 0100726C
, xrefs: 010072C6

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: printf$CryptDecodeObject$vwprintf
String ID: $ [%d] %s$ [%d] %s
API String ID: 3452401527-2298187835
Opcode ID: b312dbc6e18425c30db84d4642973e5e972353b81b3877b2819612ac7e623f52
Instruction ID: 882fe6f7da37c13c2543c962c30eb4a42de4d7b53b3bc19d79fce25d7286019f
Opcode Fuzzy Hash: b312dbc6e18425c30db84d4642973e5e972353b81b3877b2819612ac7e623f52
Instruction Fuzzy Hash: CF317C32900715FBFB235F44EC81A997BB0FB04721F14852AFED82A1C0D77AB9509B94

Function 01004193 Relevance: 10.6, APIs: 7, Instructions: 90encryptionCOMMON

Download Yara Rule

APIs

CertEnumCTLsInStore.CRYPT32(00000014,00000000), ref: 010041C7
realloc.MSVCRT ref: 010041D9
CertDuplicateCTLContext.CRYPT32(?,?,01002E96,?,0000000A,00000000,?,00000014), ref: 010041EA
CertEnumCTLsInStore.CRYPT32(00000014,?), ref: 01004205
CertFreeCTLContext.CRYPT32(?,?,?,?,01002E96,?,0000000A,00000000), ref: 01004235
free.MSVCRT(?,?,?,?,01002E96,?,0000000A,00000000), ref: 01004243
CertFreeCTLContext.CRYPT32(?,?,?,?,01002E96,?,0000000A,00000000), ref: 01004263

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: Cert$Context$EnumFreeStore$Duplicatefreerealloc
String ID:
API String ID: 2405492650-0
Opcode ID: 0d1ffa640bb80b646c121726a86532bd0176b07425315ef086298706068492f2
Instruction ID: b8602d62794de092fa67e34e8c73dc166317c74f750f4fddc74d5c51a450e016
Opcode Fuzzy Hash: 0d1ffa640bb80b646c121726a86532bd0176b07425315ef086298706068492f2
Instruction Fuzzy Hash: 3A314774604204EFEB238F69D88489DBBF5FF94310F60846AEAD5D72A4D7729980CF14

Function 01006449 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 79COMMON

Download Yara Rule

APIs

printf.MSVCRT ref: 01006462

Part of subcall function 0100885A: vwprintf.MSVCRT ref: 0100887A

printf.MSVCRT ref: 01006487

Part of subcall function 01007E5A: CryptFindOIDInfo.CRYPT32(00000001,?,?), ref: 01007E64

Part of subcall function 01008884: wprintf.MSVCRT ref: 010088BA

Strings

<NULL>, xrefs: 01006449
2.5.29.1, xrefs: 010064EE
YYj, xrefs: 0100648D
, xrefs: 010064CA

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: printf$CryptFindInfovwprintfwprintf
String ID: $2.5.29.1$<NULL>$YYj
API String ID: 2372032126-1827054270
Opcode ID: 3ce55a3ac641689d4da5e610dd0a21e4a884b30f0edf9fdab88a9a4ee829ef21
Instruction ID: e2173d48011786a04bbbd323a138fdd67020d4b7a5b54f531858a7685aed5299
Opcode Fuzzy Hash: 3ce55a3ac641689d4da5e610dd0a21e4a884b30f0edf9fdab88a9a4ee829ef21
Instruction Fuzzy Hash: 7E219C32900605FBEB131F68EC41AD97FA3BF09324F25C664F9D45A1E0E73799249B80

Function 01005D22 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 0100885A: vwprintf.MSVCRT ref: 0100887A

printf.MSVCRT ref: 01005D54
printf.MSVCRT ref: 01005D5D
printf.MSVCRT ref: 01005D88
printf.MSVCRT ref: 01005D98

Strings

<NULL>, xrefs: 01005D4A
%02X, xrefs: 01005D83

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: printf$vwprintf
String ID: %02X$<NULL>
API String ID: 4289833226-3318528641
Opcode ID: 4a137df0517ab863c06208d53aa088258c8621137941eede9edbcf4e6dfd2ce9
Instruction ID: f9fe6916a933d13dcca72205d7af782751b05d53ef6a1981e00ced3b7e208adc
Opcode Fuzzy Hash: 4a137df0517ab863c06208d53aa088258c8621137941eede9edbcf4e6dfd2ce9
Instruction Fuzzy Hash: 5DF0F932B487115AF32366696C05A2A6BE1DBC46A1F15046FF6C4D71C1FD61D8028B62

Function 01004277 Relevance: 9.1, APIs: 6, Instructions: 145encryptionCOMMON

Download Yara Rule

APIs

CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 010042A3

Part of subcall function 0100885A: vwprintf.MSVCRT ref: 0100887A

CertEnumCTLsInStore.CRYPT32(?,00000000), ref: 0100431C
CertGetCRLFromStore.CRYPT32(?,00000000,00000000,?), ref: 0100439B
CertFreeCTLContext.CRYPT32(00000000), ref: 01004411
CertFreeCTLContext.CRYPT32(00000000), ref: 0100441C
CertFreeCTLContext.CRYPT32(00000000,?,?,?,?,?,?,?,01001A2A,?), ref: 0100442D

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: Cert$ContextFreeStore$Enum$CertificatesFromvwprintf
String ID:
API String ID: 1639122641-0
Opcode ID: c9073336187c8e82f2f2bd043e5061598acd76ff3d8de0184bc67dfcab132269
Instruction ID: b52028145a84832f983472691433bc19133d5d9b79e4e00939670f7ef0bddb46
Opcode Fuzzy Hash: c9073336187c8e82f2f2bd043e5061598acd76ff3d8de0184bc67dfcab132269
Instruction Fuzzy Hash: A441DF32608302EBF7239F54AC44B6A7FF9BB94701F04492EFBC4920D5DBBA94088759

Function 010039BF Relevance: 9.1, APIs: 6, Instructions: 54encryptionCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 010039D2
CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 010039F3
CertSetCertificateContextProperty.CRYPT32(00000000,0000000B,00000000,00000000), ref: 01003A08
CertSetCertificateContextProperty.CRYPT32(00000000,0000000B,00000000,?), ref: 01003A17
CertEnumCertificatesInStore.CRYPT32(?,00000000), ref: 01003A21
CertFreeCTLContext.CRYPT32(00000000), ref: 01003A35

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: Cert$Context$CertificateCertificatesEnumPropertyStore$Freewcslen
String ID:
API String ID: 1159493799-0
Opcode ID: 21b92ba0d5092098acfdb986d0ebb50d72bb8a6cadc2bcb0498bba632f6abb39
Instruction ID: 00b4ee517128738ce0e66dfd4b50f8033352f8963b99a324ced2bd7391445894
Opcode Fuzzy Hash: 21b92ba0d5092098acfdb986d0ebb50d72bb8a6cadc2bcb0498bba632f6abb39
Instruction Fuzzy Hash: 21018476E01214FBE733DB69DC44F9E7BB8AB09750F114151FA40AB2C4D775DA008BA4

Function 01006045 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 120COMMON

Download Yara Rule

APIs

Part of subcall function 0100826B: CryptDecodeObject.CRYPT32(00010001,?,00000000,00000011,00000001,00000000,?), ref: 010082A0
Part of subcall function 0100826B: CryptDecodeObject.CRYPT32(00010001,?,00000000,00000011,00000001,00000000,12345678), ref: 010082CC

printf.MSVCRT ref: 01006092

Part of subcall function 0100885A: vwprintf.MSVCRT ref: 0100887A

Strings

<NULL>, xrefs: 0100606C, 01006085, 0100608C
%s (%S), xrefs: 0100608D
(, xrefs: 01006136
, xrefs: 01006063, 0100609F, 010060BE, 010060E6, 01006151, 01006187

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: CryptDecodeObject$printfvwprintf
String ID: $%s (%S)$($<NULL>
API String ID: 3955122273-3389890325
Opcode ID: 6d2ef1b96f2741b592e2059373e4232a5f5b25b1d4095d31cea419576d6f5ea0
Instruction ID: fdd8930d580e06e56ed02b80320afa0a1d12be04b54cc1497755a94cb02b1a5c
Opcode Fuzzy Hash: 6d2ef1b96f2741b592e2059373e4232a5f5b25b1d4095d31cea419576d6f5ea0
Instruction Fuzzy Hash: E931E472540701FEFB272B50EC85EEA3BB9FF14710F14812AF6C5250D1EB769A649B11

Function 01007601 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

Part of subcall function 0100826B: CryptDecodeObject.CRYPT32(00010001,?,00000000,00000011,00000001,00000000,?), ref: 010082A0
Part of subcall function 0100826B: CryptDecodeObject.CRYPT32(00010001,?,00000000,00000011,00000001,00000000,12345678), ref: 010082CC

Part of subcall function 0100885A: vwprintf.MSVCRT ref: 0100887A

printf.MSVCRT ref: 01007666
printf.MSVCRT ref: 01007692

Strings

<NULL>, xrefs: 01007659, 01007683
[%d,*] %s, xrefs: 01007661
[%d,%d] %s, xrefs: 0100768D

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: CryptDecodeObjectprintf$vwprintf
String ID: [%d,%d] %s$ [%d,*] %s$<NULL>
API String ID: 3053794160-3661550745
Opcode ID: f89045c4d54666e58aebac5b30074587f46f9c4f2cbc8131f8b47ed58dfb799d
Instruction ID: eb1ce1aba800e34c694246015e497e9ac9b31efe6a12d2fbde37d99fb5c947bb
Opcode Fuzzy Hash: f89045c4d54666e58aebac5b30074587f46f9c4f2cbc8131f8b47ed58dfb799d
Instruction Fuzzy Hash: C121DE75604206FFFB125FACECC0C997BA0FB09364F24C02AF6D94A280D776A960CB54

Function 01005EFB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 82encryptionCOMMON

Download Yara Rule

APIs

CertEnumCertificateContextProperties.CRYPT32(?,00000000), ref: 01005F07
CertGetCertificateContextProperty.CRYPT32(?,00000000,00000000,?), ref: 01005F4A
CertGetCertificateContextProperty.CRYPT32(?,00000000,00000000,?), ref: 01005F6A
CertEnumCertificateContextProperties.CRYPT32(?,00000000), ref: 01005FBF

Part of subcall function 0100885A: vwprintf.MSVCRT ref: 0100887A

Strings

, xrefs: 01005F74

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: CertCertificateContext$EnumPropertiesProperty$vwprintf
String ID:
API String ID: 2836338242-399585960
Opcode ID: 8551b7d497840789ec1c4916242e124f8ad2d69c5eda4b00177c1361a1591910
Instruction ID: 7f24652fe2f217508ea7fcbb6c712aeaf65bf0a7948b9f041a1daa78529b24be
Opcode Fuzzy Hash: 8551b7d497840789ec1c4916242e124f8ad2d69c5eda4b00177c1361a1591910
Instruction Fuzzy Hash: B8218472904219FFFB236B94DC85CFE7E6DEB10294F114069FA8862090D7768E109B61

Function 01007D47 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 0100826B: CryptDecodeObject.CRYPT32(00010001,?,00000000,00000011,00000001,00000000,?), ref: 010082A0
Part of subcall function 0100826B: CryptDecodeObject.CRYPT32(00010001,?,00000000,00000011,00000001,00000000,12345678), ref: 010082CC

Part of subcall function 0100885A: vwprintf.MSVCRT ref: 0100887A

printf.MSVCRT ref: 01007D8F
printf.MSVCRT ref: 01007DC5
printf.MSVCRT ref: 01007DEE

Strings

%02X, xrefs: 01007D8A
, xrefs: 01007DCD

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: printf$CryptDecodeObject$vwprintf
String ID: $ %02X
API String ID: 3452401527-2119626176
Opcode ID: 8e908ba8431071937f372095f3a21809828b6f7e6a604cacfb8711bd09aac418
Instruction ID: 3791f41939ce4824e053cc04017bcd257817170b35b011f1549c8897ff7e117b
Opcode Fuzzy Hash: 8e908ba8431071937f372095f3a21809828b6f7e6a604cacfb8711bd09aac418
Instruction Fuzzy Hash: 8D110432601712EBF7273B64FC40D9A3BA5FF88710F24892AF5C09A1D0DB66ED119B50

Function 01003A45 Relevance: 7.6, APIs: 5, Instructions: 90encryptionCOMMON

Download Yara Rule

APIs

CertGetCRLFromStore.CRYPT32(?,00000000,00000000,?), ref: 01003A78
CertGetCRLContextProperty.CRYPT32(?,00000003,00000000,?), ref: 01003A95
CertGetCRLContextProperty.CRYPT32(?,00000003,?,?), ref: 01003AB8
CertGetCRLFromStore.CRYPT32(?,00000000,?,?), ref: 01003AE1
CertFreeCTLContext.CRYPT32(?), ref: 01003B13

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: Cert$Context$FromPropertyStore$Free
String ID:
API String ID: 1268920413-0
Opcode ID: 38caa68dd6e200693609f83d9f2fc5759b66c8bbbdb8d6b27bc93e4fa8dece61
Instruction ID: 2d6f6cedad14925c553a5a531fc029d50201c4a55b32bf08b2cbf524748e4937
Opcode Fuzzy Hash: 38caa68dd6e200693609f83d9f2fc5759b66c8bbbdb8d6b27bc93e4fa8dece61
Instruction Fuzzy Hash: 4A310471D01129FFEF23CBD8D9449AEBFB9FF05650F1480A6E640AA190D7709B80DBA0

Function 0100894A Relevance: 7.6, APIs: 5, Instructions: 63COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,76323D80,?,?,0100227A,00000000,0100A688), ref: 0100896D
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0100227A,00000000,0100A688), ref: 01008998
GetLastError.KERNEL32(?,?,0100227A,00000000,0100A688,?,00000014,?,?,0100192D,00001B5B,<UNKNOWN OID>,00000014,00001B5A,MD5,0000000A), ref: 010089B2
GetLastError.KERNEL32(?,?,0100227A,00000000,0100A688,?,00000014,?,?,0100192D,00001B5B,<UNKNOWN OID>,00000014,00001B5A,MD5,0000000A), ref: 010089B8

Part of subcall function 010087DF: malloc.MSVCRT ref: 010087E6

GetLastError.KERNEL32(?,?,0100227A,00000000,0100A688,?,00000014,?,?,0100192D,00001B5B,<UNKNOWN OID>,00000014,00001B5A,MD5,0000000A), ref: 010089BC

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: ErrorLast$ByteCharMultiWide$malloc
String ID:
API String ID: 3472615102-0
Opcode ID: d06ba5bac7a6af725c550f3c2cebc075e7a3ac333290ac74100df823bac362df
Instruction ID: 6a107113e91b84a03d814a294c1758f0eb4b117dcdb9fe8ebaf36570cdc106f5
Opcode Fuzzy Hash: d06ba5bac7a6af725c550f3c2cebc075e7a3ac333290ac74100df823bac362df
Instruction Fuzzy Hash: D1018432902139BAA7227A5A8C44DDF7E9CFF066B0B14C222F598D61D0C675D840C7F2

Function 01006D5E Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0100826B: CryptDecodeObject.CRYPT32(00010001,?,00000000,00000011,00000001,00000000,?), ref: 010082A0
Part of subcall function 0100826B: CryptDecodeObject.CRYPT32(00010001,?,00000000,00000011,00000001,00000000,12345678), ref: 010082CC

Part of subcall function 0100885A: vwprintf.MSVCRT ref: 0100887A

printf.MSVCRT ref: 01006DCE
printf.MSVCRT ref: 01006E02

Strings

[%d] %s (%S), xrefs: 01006DC9
, xrefs: 01006DF1

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: CryptDecodeObjectprintf$vwprintf
String ID: $ [%d] %s (%S)
API String ID: 3053794160-4092857480
Opcode ID: ed17a94d53a8b843a2ed15e62e7b675af76c9e425c7016927d0d2750494a233a
Instruction ID: 01505842b482cc6809bb7b9b6da085859eaf2e3d688aaf3425822afcafecb341
Opcode Fuzzy Hash: ed17a94d53a8b843a2ed15e62e7b675af76c9e425c7016927d0d2750494a233a
Instruction Fuzzy Hash: EC112632644701EBF7232F84EC41FAA7BA5FB95711F14842EF6C01A0D0DB7798619B51

Function 01007E7F Relevance: 6.1, APIs: 4, Instructions: 120COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(000000EA), ref: 01007FC2

Part of subcall function 0100826B: CryptDecodeObject.CRYPT32(00010001,?,00000000,00000011,00000001,00000000,?), ref: 010082A0
Part of subcall function 0100826B: CryptDecodeObject.CRYPT32(00010001,?,00000000,00000011,00000001,00000000,12345678), ref: 010082CC

swprintf.MSVCRT(?,01001600,?,?,00001BDE,?,00001C08,?,00001BE2,?,00001BDD,0000000F,?,?,00000000), ref: 01007F67
wcscat.MSVCRT ref: 01007F7B
wcslen.MSVCRT ref: 01007FA9

Part of subcall function 01001A9B: wcscat.MSVCRT ref: 01001AC4

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: CryptDecodeObjectwcscat$ErrorLastswprintfwcslen
String ID:
API String ID: 3517545609-0
Opcode ID: a34ae2b90946bb38d713910c960b8082deca7e3b1e347333ff75163c7fe83b1e
Instruction ID: c549eef07bb15a57e9c452e6f139c625c5f846825e59a85b576ac9db3539dcee
Opcode Fuzzy Hash: a34ae2b90946bb38d713910c960b8082deca7e3b1e347333ff75163c7fe83b1e
Instruction Fuzzy Hash: 724192716406599AEB33DB54DC40EFE77F9EB48700F1484AAE6CAA60C0E735A9858B50

Function 01006E49 Relevance: 6.1, APIs: 4, Instructions: 77encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 0100826B: CryptDecodeObject.CRYPT32(00010001,?,00000000,00000011,00000001,00000000,?), ref: 010082A0
Part of subcall function 0100826B: CryptDecodeObject.CRYPT32(00010001,?,00000000,00000011,00000001,00000000,12345678), ref: 010082CC

Part of subcall function 0100885A: vwprintf.MSVCRT ref: 0100887A

CertRDNValueToStrW.CRYPT32(00000000,00000004,00000000,00000000), ref: 01006E8E
CertRDNValueToStrW.CRYPT32(00000000,00000004,00000000,00000000), ref: 01006EB1
wprintf.MSVCRT ref: 01006ED8
printf.MSVCRT ref: 01006EF7

Part of subcall function 010087DF: malloc.MSVCRT ref: 010087E6

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: CertCryptDecodeObjectValue$mallocprintfvwprintfwprintf
String ID:
API String ID: 422403839-0
Opcode ID: 73c6a995ae2694a5e3f543555c47f27e60e0e45555cabc846884b01f5d2a93d0
Instruction ID: 949d65c3e3cb98c50c9d180278654844201179eb9e933f5cff64211629e52488
Opcode Fuzzy Hash: 73c6a995ae2694a5e3f543555c47f27e60e0e45555cabc846884b01f5d2a93d0
Instruction Fuzzy Hash: F6119F32904341EBF7236B15EC49EABBBAAFB84750F10492EF1C4520D0EB738920C761

Function 01005638 Relevance: 6.0, APIs: 4, Instructions: 47encryptionfileCOMMON

Download Yara Rule

APIs

Part of subcall function 010089CF: CreateFileU.CRYPT32(00000014,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000014,?,?,?,?,010056B8,00000014,?), ref: 01008A15
Part of subcall function 010089CF: GetFileSize.KERNEL32(00000000,00000014,00000014,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000014,?,?,?,?,010056B8), ref: 01008A27
Part of subcall function 010089CF: CloseHandle.KERNEL32(00000000,?,?,?,010056B8,00000014,?,00000014,?,?,01002606,?), ref: 01008AA0
Part of subcall function 010089CF: CloseHandle.KERNEL32(00000000,?,?,?,010056B8,00000014,?,00000014,?,?,01002606,?), ref: 01008AAB

CertOpenStore.CRYPT32(00000002,00000000,00000000,00000000,00000000), ref: 0100565E
CertAddEncodedCertificateToStore.CRYPT32(00000000,00000014,?,00000004,00000000), ref: 0100567A
CertCloseStore.CRYPT32(00000000,00000000), ref: 01005686
UnmapViewOfFile.KERNEL32(00000014,?,?,01002666,?,?,?,?,00000014,?,SHA1,0000000A), ref: 01005696

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: CertCloseFileStore$Handle$CertificateCreateEncodedOpenSizeUnmapView
String ID:
API String ID: 2836849460-0
Opcode ID: ca1aa411c66d1c0410b41a7702d1f43bb57505d1c654becfd7533e8ffcd0176d
Instruction ID: 37cb10d7b76febe12317a3c067e934ed60c0cbf2470bde60b70878876058a3cd
Opcode Fuzzy Hash: ca1aa411c66d1c0410b41a7702d1f43bb57505d1c654becfd7533e8ffcd0176d
Instruction Fuzzy Hash: 9D014B76201128BBEB235B66DC48EEF7EADEF497D0F004025FA89D6044DA768501DBA5

Function 010056A4 Relevance: 6.0, APIs: 4, Instructions: 47encryptionfileCOMMON

Download Yara Rule

APIs

Part of subcall function 010089CF: CreateFileU.CRYPT32(00000014,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000014,?,?,?,?,010056B8,00000014,?), ref: 01008A15
Part of subcall function 010089CF: GetFileSize.KERNEL32(00000000,00000014,00000014,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000014,?,?,?,?,010056B8), ref: 01008A27
Part of subcall function 010089CF: CloseHandle.KERNEL32(00000000,?,?,?,010056B8,00000014,?,00000014,?,?,01002606,?), ref: 01008AA0
Part of subcall function 010089CF: CloseHandle.KERNEL32(00000000,?,?,?,010056B8,00000014,?,00000014,?,?,01002606,?), ref: 01008AAB

CertOpenStore.CRYPT32(00000002,00000000,00000000,00000000,00000000), ref: 010056CA
CertAddEncodedCTLToStore.CRYPT32(00000000,00000014,?,00000004,00000000), ref: 010056E6
CertCloseStore.CRYPT32(00000000,00000000), ref: 010056F2
UnmapViewOfFile.KERNEL32(00000014,?,?,01002606,?,?,00000014,?,SHA1,0000000A), ref: 01005702

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: CertCloseFileStore$Handle$CreateEncodedOpenSizeUnmapView
String ID:
API String ID: 2155480357-0
Opcode ID: 5e0100efab947cc34f2bedc1425696db73913a2c09c0408946b5dc9015651bd9
Instruction ID: 2c05ff15c60448d41003a431b096c5c9d90047f6d8fd11dadf97d1566b7af47f
Opcode Fuzzy Hash: 5e0100efab947cc34f2bedc1425696db73913a2c09c0408946b5dc9015651bd9
Instruction Fuzzy Hash: 2F01FF76201114FBEB235B66EC48DEF7EADFB497D1F004025FA8A95054DA758501DBA0

Function 010055CC Relevance: 6.0, APIs: 4, Instructions: 47encryptionfileCOMMON

Download Yara Rule

APIs

Part of subcall function 010089CF: CreateFileU.CRYPT32(00000014,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000014,?,?,?,?,010056B8,00000014,?), ref: 01008A15
Part of subcall function 010089CF: GetFileSize.KERNEL32(00000000,00000014,00000014,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000014,?,?,?,?,010056B8), ref: 01008A27
Part of subcall function 010089CF: CloseHandle.KERNEL32(00000000,?,?,?,010056B8,00000014,?,00000014,?,?,01002606,?), ref: 01008AA0
Part of subcall function 010089CF: CloseHandle.KERNEL32(00000000,?,?,?,010056B8,00000014,?,00000014,?,?,01002606,?), ref: 01008AAB

CertOpenStore.CRYPT32(00000002,00000000,00000000,00000000,00000000), ref: 010055F2
CertAddEncodedCRLToStore.CRYPT32(00000000,00000014,?,00000004,00000000), ref: 0100560E
CertCloseStore.CRYPT32(00000000,00000000), ref: 0100561A
UnmapViewOfFile.KERNEL32(00000014,?,?,01002636,?,?,?,00000014,?,SHA1,0000000A), ref: 0100562A

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: CertCloseFileStore$Handle$CreateEncodedOpenSizeUnmapView
String ID:
API String ID: 2155480357-0
Opcode ID: 6b5c87c6544a87be6891c55ebf2ade5181a0901a2ddd9f5bc5ebbc01311d5002
Instruction ID: e54639ea79bd19f13beabd818f347e3bab6400d40fb3b860ed1ea97a6c7ab2b3
Opcode Fuzzy Hash: 6b5c87c6544a87be6891c55ebf2ade5181a0901a2ddd9f5bc5ebbc01311d5002
Instruction Fuzzy Hash: 91016D36201124BBEB235B66DC4CEDF7EADEF4A7D1F008021FA8996044D636C645DBE0

Function 01005C20 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

printf.MSVCRT ref: 01005CDC

Strings

%s, xrefs: 01005CD7
, xrefs: 01005CB6

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: printf
String ID: $%s
API String ID: 3524737521-1620431320
Opcode ID: 832a939498ca5c54dccd47193ac068a8b9a4694dd7b43a4c8c9ae73bb091ee82
Instruction ID: 54b9187c37f542afa39c023b547ba663b869e8c4564ba06dc11e8b2b1756b5f6
Opcode Fuzzy Hash: 832a939498ca5c54dccd47193ac068a8b9a4694dd7b43a4c8c9ae73bb091ee82
Instruction Fuzzy Hash: 74113036148705FEF7172B50FD06CA97BA2FB14B10F108A2EF2CA154E0EB6655129F05

Function 01007B59 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 0100885A: vwprintf.MSVCRT ref: 0100887A

Part of subcall function 0100826B: CryptDecodeObject.CRYPT32(00010001,?,00000000,00000011,00000001,00000000,?), ref: 010082A0
Part of subcall function 0100826B: CryptDecodeObject.CRYPT32(00010001,?,00000000,00000011,00000001,00000000,12345678), ref: 010082CC

printf.MSVCRT ref: 01007BFB

Strings

2.5.29.1, xrefs: 01007B59
, xrefs: 01007BA4

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: CryptDecodeObject$printfvwprintf
String ID: $2.5.29.1
API String ID: 3955122273-3951722430
Opcode ID: 7ca381df2652aa7d180789d9e66e273edfc9d45d98226173321b015fd8576d13
Instruction ID: cf0fc0226f966f60d2a764fd71cbc4d2b005ec1c3172848fb35415eb3df189f1
Opcode Fuzzy Hash: 7ca381df2652aa7d180789d9e66e273edfc9d45d98226173321b015fd8576d13
Instruction Fuzzy Hash: 0611A032544B02EAF7372B14FC06F8A7BA1FB44B11F24891EE2C4254E0DB6AA8519B51

Function 01003EBF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

scanf.MSVCRT ref: 01003F03

Strings

_I, xrefs: 01003EF6
,I, xrefs: 01003F29

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: scanf
String ID: ,I$_I
API String ID: 1199118012-3940272718
Opcode ID: ca101df3259d03fc336c4c528397dc519d8e31adbb33dc6afae083b1c29359d4
Instruction ID: 323b94659c0a78f8425be748a0ea1a1aa538074ebec5e4d42bbeafb621d42eda
Opcode Fuzzy Hash: ca101df3259d03fc336c4c528397dc519d8e31adbb33dc6afae083b1c29359d4
Instruction Fuzzy Hash: 8E01F732748302EEF7275F10BC45AD92FB1FB54760F24852EE6C49E0D0D55298418744

Function 01007024 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

wprintf.MSVCRT ref: 01007057

Strings

%s, xrefs: 01007052
, xrefs: 0100707D

Memory Dump Source

Source File: 00000008.00000002.2131457537.0000000001001000.00000020.00000001.01000000.00000009.sdmp, Offset: 01000000, based on PE: true

Associated: 00000008.00000002.2131426911.0000000001000000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131477940.000000000100A000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2131499489.000000000100C000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1000000_certmgr.jbxd

Similarity

API ID: wprintf
String ID: $%s
API String ID: 3614878089-1620431320
Opcode ID: 0cfcd77455245e8f38bf2108cdf96b010bc0f7eb2ddf4a18d3689b7d5f2d12cf
Instruction ID: 61e4408ed4a96367af9554db99206b70cdff698fab4a52f2a8054b871a27b1a4
Opcode Fuzzy Hash: 0cfcd77455245e8f38bf2108cdf96b010bc0f7eb2ddf4a18d3689b7d5f2d12cf
Instruction Fuzzy Hash: 2FF0A479204706EAF6779B50EC01CA67BE5FB14700F148A1EF3C6554D0EB6AB440CB51

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RDM_Root_Cert_Update_Windows.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Mozilla Firefox\defaults\pref\firefox-windows-truststore.js (copy)

C:\Program Files\Mozilla Firefox\defaults\pref\is-K76D6.tmp

C:\Program Files\Mozilla Firefox\defaults\pref\is-PMF5D.tmp

C:\Program Files\Mozilla Firefox\defaults\pref\local-settings.js (copy)

C:\Program Files\Mozilla Firefox\is-PGH5D.tmp

C:\Program Files\Mozilla Firefox\umbrella.cfg (copy)

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\901deee3b5b74cb155b513ccd57a4a2e_9e146be9-c76a-4720-bcdb-53011b87bd06

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f624068db13c5397a4560b17ec912efa_9e146be9-c76a-4720-bcdb-53011b87bd06

C:\Users\user\AppData\Local\Temp\is-BUL6H.tmp\RDM_Root_Cert_Update_Windows.tmp

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\AddCert.bat (copy)

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\RDM.ico (copy)

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\RDM_RootCA.pem (copy)

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certmgr.exe (copy)

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\certremoval.bat (copy)

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\firefox-windows-truststore.js (copy)

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\freebl3.dll (copy)

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-1QMJT.tmp

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-3KPG9.tmp

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-514DN.tmp

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-7LAUR.tmp

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-8C4S6.tmp

C:\Users\user\AppData\Local\Temp\is-N6PB1.tmp\RdmCert\is-8I24T.tmp

Windows Analysis Report
RDM_Root_Cert_Update_Windows.exe