Analysis Report Rubberduck.Setup.2.5.0.5244.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 218151
Start date: 26.03.2020
Start time: 10:03:27
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 54s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Rubberduck.Setup.2.5.0.5244.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean5.winEXE@3/91@0/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 14.6% (good quality ratio 12.4%)
  • Quality average: 73.7%
  • Quality standard deviation: 35.7%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy    Score   Range      Reporting   Whitelisted   Detection
Threshold   5       0 - 100                false         clean

Confidence

Strategy    Score   Range    Further Analysis Required?   Confidence
Threshold   1       0 - 5    true


Classification Spiderchart

Analysis Advice

Sample drops PE files which have not been started; submit the dropped PE samples for a secondary analysis to Joe Sandbox
Sample has functionality to log and monitor keystrokes; analyze it with the 'Simulates keyboard and window changes' cookbook
Sample may offer command line options; run it with the 'Execute binary with arguments' cookbook (the command line switches may require additional characters like "-", "/", "--")
Sample monitors window changes (e.g. starting applications); analyze the sample with the 'Simulates keyboard and window changes' cookbook



Mitre Att&ck Matrix

Techniques per tactic column (numbers after a technique name are the report's signature-count badges, kept as extracted):

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service
Execution: Command-Line Interface2; Graphical User Interface2; Windows Management Instrumentation; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting; Third-party Software
Persistence: Modify Existing Service1; Registry Run Keys / Startup Folder1; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception; Logon Scripts
Privilege Escalation: Exploitation for Privilege Escalation1; Access Token Manipulation1; Process Injection2; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task; Process Injection
Defense Evasion: Masquerading1; Access Token Manipulation1; Process Injection2; Deobfuscate/Decode Files or Information1; Obfuscated Files or Information2; DLL Search Order Hijacking; Software Packing; Indicator Blocking
Credential Access: Input Capture11; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History
Discovery: System Time Discovery1; Process Discovery1; Application Window Discovery11; Account Discovery1; System Owner/User Discovery3; Security Software Discovery11; File and Directory Discovery2; System Information Discovery35
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol
Collection: Screen Capture1; Input Capture11; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection; Clipboard Data
Exfiltration: Data Encrypted1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol
Command and Control: Standard Cryptographic Protocol1; Fallback Channels; Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port; Standard Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: System Shutdown/Reboot1; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

Signature Overview



Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe | Code function: 0_2_00405BEC GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004AD600 FindFirstFileW,GetLastError
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004D62F8 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_00408174 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004C1640 SetErrorMode,FindFirstFileW,FindNextFileW,FindClose,SetErrorMode
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004C1AFC SetErrorMode,FindFirstFileW,FindNextFileW,FindClose,SetErrorMode
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004FFC74 FindFirstFileW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004BFEBC FindFirstFileW,FindNextFileW,FindClose

Networking:

Found strings which match to known social media urls
Source: is-0674U.tmp.2.dr | String found in binary or memory: $http://www.twitter.com/rubberduckvba? equals www.twitter.com (Twitter)
Urls found in memory or binary data
Source: Rubberduck.Setup.2.5.0.5244.exe, 00000000.00000003.945209378.00000000021F9000.00000004.00000001.sdmp, Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939628394.000000000224A000.00000004.00000001.sdmp, Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.770133639.0000000004F3A000.00000004.00000001.sdmp, Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000002.944688745.0000000004F42000.00000004.00000001.sdmp | String found in binary or memory: http://fsf.org/
Source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp, is-N32S7.tmp.2.dr | String found in binary or memory: http://github.com/rubberduck-vba/Rubberduck
Source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp, is-N32S7.tmp.2.dr | String found in binary or memory: http://github.com/rubberduck-vba/Rubberduck/Issues/New
Source: is-N5CL2.tmp.2.dr, is-0674U.tmp.2.dr | String found in binary or memory: http://icsharpcode.net/sharpdevelop/avalonedit
Source: is-N5CL2.tmp.2.dr | String found in binary or memory: http://icsharpcode.net/sharpdevelop/avalonedit#ICSharpCode.AvalonEdit.Highlighting
Source: is-N5CL2.tmp.2.dr | String found in binary or memory: http://icsharpcode.net/sharpdevelop/avalonedit#ICSharpCode.AvalonEdit.HighlightingQ
Source: is-N5CL2.tmp.2.dr, is-0674U.tmp.2.dr | String found in binary or memory: http://icsharpcode.net/sharpdevelop/syntaxdefinition/2008
Source: is-N5CL2.tmp.2.dr | String found in binary or memory: http://icsharpcode.net/sharpdevelop/syntaxdefinition/20081Error
Source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp, Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939913011.00000000022FD000.00000004.00000001.sdmp, Rubberduck VBA website.url.2.dr, is-N32S7.tmp.2.dr | String found in binary or memory: http://rubberduckvba.com
Source: Rubberduck.Setup.2.5.0.5244.exe, 00000000.00000003.945319099.000000000224D000.00000004.00000001.sdmp, Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939913011.00000000022FD000.00000004.00000001.sdmp | String found in binary or memory: http://rubberduckvba.com)
Source: is-0674U.tmp.2.dr | String found in binary or memory: http://rubberduckvba.com/?
Source: is-0674U.tmp.2.dr | String found in binary or memory: http://rubberduckvba.com/build/version/stablechttp://rubberduckvba.com/build/version/prerelease
Source: Rubberduck.Setup.2.5.0.5244.exe, 00000000.00000003.737925995.0000000002370000.00000004.00000001.sdmp | String found in binary or memory: http://rubberduckvba.com0http://rubberduckvba.com0http://rubberduckvba.com
Source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939913011.00000000022FD000.00000004.00000001.sdmp | String found in binary or memory: http://rubberduckvba.comq
Source: is-39G8U.tmp.2.dr | String found in binary or memory: http://stackoverflow.com/a/3652980/1188513
Source: is-3FMOJ.tmp.2.dr | String found in binary or memory: http://www.castleproject.org/
Source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.770100128.0000000004F43000.00000004.00000001.sdmp | String found in binary or memory: http://www.gnu.org/licenses/
Source: Rubberduck.Setup.2.5.0.5244.exe, 00000000.00000003.945209378.00000000021F9000.00000004.00000001.sdmp, Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939628394.000000000224A000.00000004.00000001.sdmp, Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.770133639.0000000004F3A000.00000004.00000001.sdmp | String found in binary or memory: http://www.gnu.org/licenses/.
Source: Rubberduck.Setup.2.5.0.5244.exe, 00000000.00000003.945209378.00000000021F9000.00000004.00000001.sdmp, Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939628394.000000000224A000.00000004.00000001.sdmp, Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.770100128.0000000004F43000.00000004.00000001.sdmp, Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000002.944672184.0000000004F39000.00000004.00000001.sdmp | String found in binary or memory: http://www.gnu.org/philosophy/why-not-lgpl.html
Source: Rubberduck.Setup.2.5.0.5244.exe, 00000000.00000003.738355965.00000000024B0000.00000004.00000001.sdmp, Rubberduck.Setup.2.5.0.5244.tmp, Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000000.739898906.0000000000401000.00000020.00020000.sdmp | String found in binary or memory: http://www.innosetup.com/
Source: Rubberduck.Setup.2.5.0.5244.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: Rubberduck.Setup.2.5.0.5244.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: Rubberduck.Setup.2.5.0.5244.exe, 00000000.00000003.738355965.00000000024B0000.00000004.00000001.sdmp, Rubberduck.Setup.2.5.0.5244.tmp | String found in binary or memory: http://www.remobjects.com/ps
Source: is-0674U.tmp.2.dr | String found in binary or memory: http://www.twitter.com/rubberduckvba?
Source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf
Source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8
Source: is-0674U.tmp.2.dr | String found in binary or memory: https://github.com/icsharpcode/AvalonEdit
Source: is-0SEC8.tmp.2.dr | String found in binary or memory: https://github.com/icsharpcode/SharpDevelop.git
Source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp, is-N32S7.tmp.2.dr, is-0SEC8.tmp.2.dr | String found in binary or memory: https://github.com/rubberduck-vba/Rubberduck/issues/new
Source: is-0674U.tmp.2.dr | String found in binary or memory: https://github.com/rubberduck-vba/Rubberduck/issues/new/choose?
Source: is-0674U.tmp.2.dr | String found in binary or memory: https://github.com/rubberduck-vba/Rubberduck/releases
Source: is-0674U.tmp.2.dr | String found in binary or memory: https://github.com/rubberduck-vba/Rubberduck/releases/latest
Source: is-0674U.tmp.2.dr | String found in binary or memory: https://github.com/rubberduck-vba/Rubberduck?
Source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp, is-0SEC8.tmp.2.dr | String found in binary or memory: https://github.com/yusukekamiyamane/fugue-icons

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004344E0 GetObjectW,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_0045C61C GetKeyboardState

System Summary:

Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_00480964 CreateFileW,DeviceIoControl,GetLastError,CloseHandle,SetLastError
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe | Code function: 0_2_0040E550 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004B0418 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Detected potential crypto function
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe | Code function: 0_2_00402260
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe | Code function: 0_2_0040D33C
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe | Code function: 0_2_0041259C
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe | Code function: 0_2_00411F98
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004D0184
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004E4364
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_00488CF0
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_00473790
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004E3800
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004F3B20
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004AC4E8
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004EC918
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_00481D1C
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_0049E1A4
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_00402474
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004FE728
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_0044A7C4
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004BB578
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_00453668
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004C7750
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004077F8
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004EB864
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: String function: 00409620 appears 161 times
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: String function: 00405A34 appears 208 times
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: String function: 00406914 appears 64 times
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: String function: 004B2F34 appears 148 times
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: String function: 0049EBD8 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: String function: 00406438 appears 69 times
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: String function: 00406448 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: String function: 0040E2C8 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: String function: 004ADE4C appears 75 times
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: String function: 004B31B8 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: String function: 0049EEBC appears 59 times
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: String function: 0040C2BC appears 46 times
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: String function: 00487D38 appears 40 times
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe | Code function: String function: 00404C88 appears 36 times
PE file contains executable resources (Code or Archives)
Source: Rubberduck.Setup.2.5.0.5244.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Rubberduck.Setup.2.5.0.5244.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-NJCSS.tmp.2.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-NJCSS.tmp.2.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
PE file contains strange resources
Source: Rubberduck.Setup.2.5.0.5244.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Rubberduck.Setup.2.5.0.5244.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Rubberduck.Setup.2.5.0.5244.tmp.0.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Rubberduck.Setup.2.5.0.5244.tmp.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Rubberduck.Setup.2.5.0.5244.tmp.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-NJCSS.tmp.2.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: is-NJCSS.tmp.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-NJCSS.tmp.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Rubberduck.Setup.2.5.0.5244.exe, 00000000.00000002.946199823.0000000002280000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Rubberduck.Setup.2.5.0.5244.exe
Source: Rubberduck.Setup.2.5.0.5244.exe, 00000000.00000003.738355965.00000000024B0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs Rubberduck.Setup.2.5.0.5244.exe
Source: Rubberduck.Setup.2.5.0.5244.exe, 00000000.00000002.946093157.00000000008F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenetmsg.DLL.MUIj% vs Rubberduck.Setup.2.5.0.5244.exe
Source: Rubberduck.Setup.2.5.0.5244.exe, 00000000.00000002.945576184.00000000001D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenetmsg.DLLj% vs Rubberduck.Setup.2.5.0.5244.exe
.NET source code contains methods with suspicious names
Source: is-JDT9P.tmp.2.dr, Antlr4.Runtime/Tree/ITree.cs | Suspicious method names: System.Object Antlr4.Runtime.Tree.ITree::get_Payload()
Source: is-JDT9P.tmp.2.dr, Antlr4.Runtime/Tree/TerminalNodeImpl.cs | Suspicious method names: System.Object Antlr4.Runtime.Tree.TerminalNodeImpl::Antlr4.Runtime.Tree.ITree.get_Payload()
Source: is-JDT9P.tmp.2.dr, Antlr4.Runtime/Tree/TerminalNodeImpl.cs | Suspicious method names: Antlr4.Runtime.IToken Antlr4.Runtime.Tree.TerminalNodeImpl::get_Payload()
Source: is-JDT9P.tmp.2.dr, Antlr4.Runtime/RuleContext.cs | Suspicious method names: Antlr4.Runtime.RuleContext Antlr4.Runtime.RuleContext::get_Payload()
Source: is-JDT9P.tmp.2.dr, Antlr4.Runtime/RuleContext.cs | Suspicious method names: System.Object Antlr4.Runtime.RuleContext::Antlr4.Runtime.Tree.ITree.get_Payload()
Binary contains paths to development resources
Source: is-N5CL2.tmp.2.dr | Binary or memory string: <SyntaxDefinition name="XML" extensions=".xml;.xsl;.xslt;.xsd;.manifest;.config;.addin;.xshd;.wxs;.wxi;.wxl;.proj;.csproj;.vbproj;.ilproj;.booproj;.build;.xfrm;.targets;.xaml;.xpt;.xft;.map;.wsdl;.disco;.ps1xml;.nuspec" xmlns="http://icsharpcode.net/sharpdevelop/syntaxdefinition/2008">
Source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp, is-GLH6S.tmp.2.dr | Binary or memory string: Rubberduck.VBEditor.SafeComWrappers.VBA.VBProjects6AD60DF7
Source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp, is-GLH6S.tmp.2.dr | Binary or memory string: Rubberduck.VBEditor.SafeComWrappers.VBA.VBProjects.<>c
Source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp, is-K2K92.tmp.2.dr | Binary or memory string: Rubberduck.VBEditor.Extensions.VBProjectExtensions28B9FD65
Source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp | Binary or memory string: Rubberduck.VBEditor.SafeComWrappers.VB6.VBProjects
Source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp, is-GLH6S.tmp.2.dr | Binary or memory string: Rubberduck.VBEditor.SafeComWrappers.VBA.VBProject
Source: is-N5CL2.tmp.2.dr | Binary or memory string: c.xml;.xsl;.xslt;.xsd;.manifest;.config;.addin;.xshd;.wxs;.wxi;.wxl;.proj;.csproj;.vbproj;.ilproj;.booproj;.build;.xfrm;.targets;.xaml;.xpt;.xft;.map;.wsdl;.disco;.ps1xml;.nuspec
Source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp | Binary or memory string: Rubberduck.VBEditor.SafeComWrappers.VB6.VBProjects.<>cA8E7F603
Source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp, is-GLH6S.tmp.2.dr | Binary or memory string: Rubberduck.VBEditor.SafeComWrappers.VBA.VBProjects
Source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp, is-GLH6S.tmp.2.dr | Binary or memory string: Rubberduck.VBEditor.SafeComWrappers.VBA.VBProjects.<>c42FCEC09
Source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp, is-K2K92.tmp.2.dr | Binary or memory string: Rubberduck.VBEditor.Extensions.VBProjectExtensions
Source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp, is-GLH6S.tmp.2.dr | Binary or memory string: Rubberduck.VBEditor.SafeComWrappers.VBA.VBProject2B3EDBA9
Source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp | Binary or memory string: Rubberduck.VBEditor.SafeComWrappers.VB6.VBProject
Source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp | Binary or memory string: Rubberduck.VBEditor.SafeComWrappers.VB6.VBProjectA5C11EAC
Source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp | Binary or memory string: Rubberduck.VBEditor.SafeComWrappers.VB6.VBProjectsFCAF4172
Source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp | Binary or memory string: Rubberduck.VBEditor.SafeComWrappers.VB6.VBProjects.<>c
Classification label
Source: classification engine | Classification label: clean5.winEXE@3/91@0/1
Contains functionality for error logging
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_0043293C GetLastError,FormatMessageW
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe | Code function: 0_2_0040E550 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004B0418 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe | Code function: 0_2_0040805C GetDiskFreeSpaceW
Contains functionality to instantiate COM classes
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004CCDB4 GetVersion,CoCreateInstance
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe | Code function: 0_2_0040EE2C FindResourceW,SizeofResource,LoadResource,LockResource
Creates files inside the user directory
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\Users\user\AppData\Local\Programs
Creates temporary files
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe | File created: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp
Parts of this application are using Borland Delphi (probably coded in Delphi)
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Reads ini files
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the Windows registered organization settings
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Sample might require command line arguments
Source: Rubberduck.Setup.2.5.0.5244.exe | String found in binary or memory: rting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked the co
Source: Rubberduck.Setup.2.5.0.5244.exe | String found in binary or memory: /LOADINF="filename"
Sample reads its own file content
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe | File read: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe 'C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp 'C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp' /SL5='$110216,3831797,121344,C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe'
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe | Process created: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp 'C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp' /SL5='$110216,3831797,121344,C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe'
Uses an in-process (OLE) Automation server
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Reads the Windows registered owner settings
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Executable creates window controls seldom found in malware
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Window found: window name: TSelectLanguageForm
Found GUI installer (many successful clicks)
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Automated click: I accept the agreement
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Automated click: Next >
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Automated click: I accept the agreement
Uses Rich Edit ControlsShow sources
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile opened: C:\Windows\SysWOW64\MSFTEDIT.DLLJump to behavior
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Creates a software uninstall entryShow sources
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpRegistry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{979AFF96-DD9E-4FC2-802D-9E0C36A60D09}_is1Jump to behavior
Submission file is bigger than most known malware samplesShow sources
Source: Rubberduck.Setup.2.5.0.5244.exeStatic file information: File size 4516350 > 1048576
Contains modern PE file flags such as dynamic base (ASLR) or NXShow sources
Source: Rubberduck.Setup.2.5.0.5244.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: {app}\Rubberduck.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939938252.000000000231A000.00000004.00000001.sdmp
Source: Binary string: C:\projects\rubberduck\Rubberduck.UnitTesting\obj\Release\net46\Rubberduck.UnitTesting.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp
Source: Binary string: C:\ProgramData\Rubberduck\Rubberduck.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939572113.000000000222D000.00000004.00000001.sdmp
Source: Binary string: C:\projects\rubberduck\Rubberduck.VBEEditor\obj\Release\net46\Rubberduck.VBEditor.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp
Source: Binary string: C:\projects\rubberduck\Rubberduck.VBEditor.VB6\obj\Release\net46\Rubberduck.VBEditor.VB6.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp
Source: Binary string: C:\projects\rubberduck\Rubberduck.VBEditor.VBA\obj\Release\net46\Rubberduck.VBEditor.VBA.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp, is-EFARP.tmp.2.dr
Source: Binary string: C:\ProgramData\Rubberduck\Rubberduck.JunkDrawer.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939416610.0000000003426000.00000004.00000001.sdmp
Source: Binary string: 4C:\ProgramData\Rubberduck\Rubberduck.Interaction.pdbg source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939572113.000000000222D000.00000004.00000001.sdmp
Source: Binary string: 5C:\ProgramData\Rubberduck\Rubberduck.CodeAnalysis.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939572113.000000000222D000.00000004.00000001.sdmp
Source: Binary string: C:\projects\rubberduck\Rubberduck.Refactorings\obj\Release\net46\Rubberduck.Refactorings.pdblU source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp, is-AG1J8.tmp.2.dr
Source: Binary string: C:\projects\rubberduck\Rubberduck.SmartIndenter\obj\Release\net46\Rubberduck.SmartIndenter.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp
Source: Binary string: %{app}\Rubberduck.SettingsProvider.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939913011.00000000022FD000.00000004.00000001.sdmp
Source: Binary string: C:\projects\windsor\src\Castle.Windsor\obj\Release\net45\Castle.Windsor.pdb source: is-6139T.tmp.2.dr
Source: Binary string: "{app}\Rubberduck.SmartIndenter.pdb)j0 source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939913011.00000000022FD000.00000004.00000001.sdmp
Source: Binary string: C:\ProgramData\Rubberduck\Rubberduck.RegexAssistant.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939837927.00000000022CB000.00000004.00000001.sdmp
Source: Binary string: C:\projects\windsor\src\Castle.Windsor\obj\Release\net45\Castle.Windsor.pdb4 source: is-6139T.tmp.2.dr
Source: Binary string: C:\projects\core\src\Castle.Core\obj\Release\net45\Castle.Core.pdbG source: is-3FMOJ.tmp.2.dr
Source: Binary string: 5C:\ProgramData\Rubberduck\Rubberduck.Refactorings.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939572113.000000000222D000.00000004.00000001.sdmp
Source: Binary string: !{app}\Rubberduck.VBEditor.VBA.pdbQo0 source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939913011.00000000022FD000.00000004.00000001.sdmp
Source: Binary string: c:\work\AvalonEdit\ICSharpCode.AvalonEdit\obj\Release\ICSharpCode.AvalonEdit.pdbT source: is-N5CL2.tmp.2.dr
Source: Binary string: D:\projects\git\gong-wpf-dragdrop\src\GongSolutions.WPF.DragDrop\obj\Release_NET46\GongSolutions.WPF.DragDrop.pdb source: is-PEVQ9.tmp.2.dr
Source: Binary string: C:\projects\easyhook\EasyHookSvc\obj\netfx4-Release\EasyHookSvc.pdb source: is-DCICL.tmp.2.dr
Source: Binary string: C:\projects\easyhook\Build\netfx4-Release\x64\EasyHook64.pdb source: is-73R19.tmp.2.dr
Source: Binary string: C:\projects\rubberduck\Rubberduck.Main\obj\Release\net46\Rubberduck.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp, is-GM1J0.tmp.2.dr
Source: Binary string: !{app}\Rubberduck.CodeAnalysis.pdb)_0 source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939913011.00000000022FD000.00000004.00000001.sdmp
Source: Binary string: Creating or setting the value.ubberduck\Rubberduck.Core.pdb0 source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939790727.00000000022B4000.00000004.00000001.sdmp
Source: Binary string: {app}\Rubberduck.Parsing.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939938252.000000000231A000.00000004.00000001.sdmp
Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp
Source: Binary string: e:\ExpressionRTM\Sparkle\SDK\BlendWPFSDK\Build\Intermediate\Release\Libraries\System.Windows.Interactivity\Win32\Release\System.Windows.Interactivity.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp
Source: Binary string: {app}\Rubberduck.VBEditor.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939938252.000000000231A000.00000004.00000001.sdmp
Source: Binary string: C:\ProgramData\Rubberduck\Rubberduck.Parsing.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939390285.0000000003416000.00000004.00000001.sdmp
Source: Binary string: C:\ProgramData\Rubberduck\Rubberduck.VBEditor.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939416610.0000000003426000.00000004.00000001.sdmp
Source: Binary string: C:\projects\rubberduck\Rubberduck.SettingsProvider\obj\Release\net46\Rubberduck.SettingsProvider.pdb|O source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp
Source: Binary string: #{app}\Rubberduck.RegexAssistant.pdbig0 source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939913011.00000000022FD000.00000004.00000001.sdmp
Source: Binary string: C:\projects\rubberduck\Rubberduck.SmartIndenter\obj\Release\net46\Rubberduck.SmartIndenter.pdb0 source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp
Source: Binary string: C:\projects\rubberduck\Rubberduck.Resources\obj\Release\net46\Rubberduck.Resources.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp, is-0SEC8.tmp.2.dr
Source: Binary string: C:\ProgramData\Rubberduck\Rubberduck.VBEditor.VB6.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939837927.00000000022CB000.00000004.00000001.sdmp
Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Collections.Immutable\netstandard1.3\System.Collections.Immutable.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp
Source: Binary string: C:\projects\rubberduck\Rubberduck.JunkDrawer\obj\Release\net46\Rubberduck.JunkDrawer.pdb source: is-E8TFE.tmp.2.dr
Source: Binary string: J:\dev\github\sharwell\antlr4cs\Runtime\CSharp\Antlr4.Runtime\obj\net45\Release\Antlr4.Runtime.pdb source: is-JDT9P.tmp.2.dr
Source: Binary string: C:\ProgramData\Rubberduck\Rubberduck.Refactorings.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939837927.00000000022CB000.00000004.00000001.sdmp
Source: Binary string: C:\ProgramData\Rubberduck\Rubberduck.Resources.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939416610.0000000003426000.00000004.00000001.sdmp
Source: Binary string: C:\ProgramData\Rubberduck\Rubberduck.Core.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939390285.0000000003416000.00000004.00000001.sdmp
Source: Binary string: {app}\Rubberduck.Resources.pdb1 source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939938252.000000000231A000.00000004.00000001.sdmp
Source: Binary string: {app}\Rubberduck.JunkDrawer.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939938252.000000000231A000.00000004.00000001.sdmp
Source: Binary string: C:\projects\rubberduck\Rubberduck.CodeAnalysis\obj\Release\net46\Rubberduck.CodeAnalysis.pdb source: is-8EO6T.tmp.2.dr
Source: Binary string: C:\projects\rubberduck\Rubberduck.RegexAssistant\obj\Release\net46\Rubberduck.RegexAssistant.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp
Source: Binary string: C:\projects\rubberduck\Rubberduck.UnitTesting\obj\Release\net46\Rubberduck.UnitTesting.pdbD source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp
Source: Binary string: J:\dev\github\sharwell\antlr4cs\Runtime\CSharp\Antlr4.Runtime\obj\net45\Release\Antlr4.Runtime.pdbPB source: is-JDT9P.tmp.2.dr
Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp
Source: Binary string: C:\ProgramData\Rubberduck\Rubberduck.CodeAnalysis.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939837927.00000000022CB000.00000004.00000001.sdmp
Source: Binary string: C:\projects\rubberduck\Rubberduck.Interaction\obj\Release\net46\Rubberduck.Interaction.pdb source: is-DCG1S.tmp.2.dr
Source: Binary string: !{app}\Rubberduck.VBEditor.VB6.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939913011.00000000022FD000.00000004.00000001.sdmp
Source: Binary string: C:\projects\rubberduck\Rubberduck.CodeAnalysis\obj\Release\net46\Rubberduck.CodeAnalysis.pdbX source: is-8EO6T.tmp.2.dr
Source: Binary string: {app}\Rubberduck.Interaction.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939913011.00000000022FD000.00000004.00000001.sdmp
Source: Binary string: C:\projects\rubberduck\Rubberduck.Core\obj\Release\net46\Rubberduck.Core.pdbM source: is-0674U.tmp.2.dr
Source: Binary string: !{app}\Rubberduck.Refactorings.pdbf0 source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939913011.00000000022FD000.00000004.00000001.sdmp
Source: Binary string: C:\projects\rubberduck\Rubberduck.Resources\obj\Release\net46\Rubberduck.Resources.pdbH{ source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp, is-0SEC8.tmp.2.dr
Source: Binary string: {app}\Rubberduck.Core.pdbI source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939913011.00000000022FD000.00000004.00000001.sdmp
Source: Binary string: C:\ProgramData\Rubberduck\Rubberduck.SmartIndenter.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939837927.00000000022CB000.00000004.00000001.sdmp
Source: Binary string: D:\Temp\Rubberduck\Infralution.Localization.Wpf\obj\Release\Infralution.Localization.Wpf.pdb source: is-91D1U.tmp.2.dr
Source: Binary string: 6C:\ProgramData\Rubberduck\Rubberduck.SmartIndenter.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939572113.000000000222D000.00000004.00000001.sdmp
Source: Binary string: C:\ProgramData\Rubberduck\Rubberduck.Interaction.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939416610.0000000003426000.00000004.00000001.sdmp
Source: Binary string: C:\projects\rubberduck\Rubberduck.SettingsProvider\obj\Release\net46\Rubberduck.SettingsProvider.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp
Source: Binary string: C:\ProgramData\Rubberduck\Rubberduck.UnitTesting.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939416610.0000000003426000.00000004.00000001.sdmp
Source: Binary string: C:\projects\rubberduck\Rubberduck.VBEEditor\obj\Release\net46\Rubberduck.VBEditor.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp
Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Collections.Immutable\netstandard1.3\System.Collections.Immutable.pdbSHA256 source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp
Source: Binary string: C:\projects\rubberduck\Rubberduck.JunkDrawer\obj\Release\net46\Rubberduck.JunkDrawer.pdb/ source: is-E8TFE.tmp.2.dr
Source: Binary string: c:\work\AvalonEdit\ICSharpCode.AvalonEdit\obj\Release\ICSharpCode.AvalonEdit.pdb source: is-N5CL2.tmp.2.dr
Source: Binary string: C:\projects\core\src\Castle.Core\obj\Release\net45\Castle.Core.pdb source: is-3FMOJ.tmp.2.dr
Source: Binary string: C:\ProgramData\Rubberduck\Rubberduck.VBEditor.VBA.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939837927.00000000022CB000.00000004.00000001.sdmp
Source: Binary string: C:\projects\easyhook\EasyHookSvc\obj\x86\netfx4-Release\EasyHookSvc.pdb source: is-4E2I9.tmp.2.dr
Source: Binary string: 4C:\ProgramData\Rubberduck\Rubberduck.UnitTesting.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939572113.000000000222D000.00000004.00000001.sdmp
Source: Binary string: {app}\Rubberduck.UnitTesting.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939913011.00000000022FD000.00000004.00000001.sdmp
Source: Binary string: C:\projects\rubberduck\Rubberduck.Refactorings\obj\Release\net46\Rubberduck.Refactorings.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.935440001.0000000005600000.00000004.00000001.sdmp, is-AG1J8.tmp.2.dr
Source: Binary string: C:\projects\rubberduck\Rubberduck.Core\obj\Release\net46\Rubberduck.Core.pdb source: is-0674U.tmp.2.dr
Source: Binary string: 7C:\ProgramData\Rubberduck\Rubberduck.RegexAssistant.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939572113.000000000222D000.00000004.00000001.sdmp
Source: Binary string: C:\ProgramData\Rubberduck\Rubberduck.SettingsProvider.pdb source: Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000003.939312612.00000000033F1000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe Code function: 0_2_0040D034 push ecx; mov dword ptr [esp], eax 0_2_0040D039
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe Code function: 0_2_0040E0E8 push 0040E130h; ret 0_2_0040E128
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe Code function: 0_2_004100F0 push 00410158h; ret 0_2_00410150
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe Code function: 0_2_00406944 push 00406986h; ret 0_2_0040697E
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe Code function: 0_2_0040B104 push 0040B2B0h; ret 0_2_0040B2A8
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe Code function: 0_2_00406A50 push 00406A88h; ret 0_2_00406A80
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe Code function: 0_2_0040E268 push 0040E294h; ret 0_2_0040E28C
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe Code function: 0_2_00406A92 push 00406AC0h; ret 0_2_00406AB8
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe Code function: 0_2_00406A94 push 00406AC0h; ret 0_2_00406AB8
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe Code function: 0_2_004064A6 push 0040650Dh; ret 0_2_00406505
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe Code function: 0_2_004064A8 push 0040650Dh; ret 0_2_00406505
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe Code function: 0_2_004034A8 push eax; ret 0_2_004034E4
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe Code function: 0_2_0040DD50 push 0040DD93h; ret 0_2_0040DD8B
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe Code function: 0_2_004115BC push 0041163Ah; ret 0_2_00411632
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe Code function: 0_2_00411658 push 00411685h; ret 0_2_0041167D
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp Code function: 2_2_00501B88 push 00501C0Eh; ret 2_2_00501C06
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp Code function: 2_2_004B3224 push 004B3296h; ret 2_2_004B328E
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp Code function: 2_2_004BC1D0 push ecx; mov dword ptr [esp], ecx 2_2_004BC1D4
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp Code function: 2_2_0044C28C push 0044C2B8h; ret 2_2_0044C2B0
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp Code function: 2_2_0045C35C push ecx; mov dword ptr [esp], ecx 2_2_0045C360
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp Code function: 2_2_004AC308 push 004AC350h; ret 2_2_004AC348
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp Code function: 2_2_00454394 push 004543FFh; ret 2_2_004543F7
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp Code function: 2_2_0049C400 push ecx; mov dword ptr [esp], ecx 2_2_0049C404
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp Code function: 2_2_004FC420 push 004FC463h; ret 2_2_004FC45B
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp Code function: 2_2_004AC4E8 push ecx; mov dword ptr [esp], eax 2_2_004AC4ED
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp Code function: 2_2_004D8570 push 004D85C8h; ret 2_2_004D85C0
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp Code function: 2_2_00420520 push 0042056Dh; ret 2_2_00420565
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp Code function: 2_2_004E85CC push 004E88CCh; ret 2_2_004E88C4
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp Code function: 2_2_004385DC push 00438608h; ret 2_2_00438600
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp Code function: 2_2_00500908 push 0050092Eh; ret 2_2_00500926
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp Code function: 2_2_004849F0 push 00484A6Dh; ret 2_2_00484A65

Persistence and Installation Behavior:

barindex
Drops PE filesShow sources
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-DCICL.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\fr\is-SCVVC.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-6139T.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-8EO6T.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\fr\is-6DB7Q.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-DCG1S.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-4E2I9.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\es\is-EP739.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\de\is-IRNHI.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\fr\is-T7A3B.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-N5CL2.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\es\is-N32S7.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-2DSCH.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\Installers\is-NJCSS.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-6I25M.tmpJump to dropped file
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exeFile created: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-UO7SR.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-EFARP.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-FHM01.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-TLAFF.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-AG1J8.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-3FMOJ.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-SQ0SL.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\de\is-EJGEV.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-JDT9P.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\cs\is-N94B5.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-V3S61.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-73R19.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\Users\user\AppData\Local\Temp\is-FH4FB.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-M2M7U.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\es\is-7B3VN.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\it\is-NQPPD.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\de\is-TS2KA.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-LQRTP.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-EDIVT.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-0674U.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\fr\is-6MJ4M.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-LOU08.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-PEVQ9.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-PRBLH.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-V0F11.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-MHC4M.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-8MSQQ.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-AC06O.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\cs\is-M9IFO.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\de\is-DBMR2.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-91D1U.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\cs\is-EEB2T.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-KR79E.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-GM1J0.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\cs\is-IS6B9.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-E8TFE.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\es\is-EJ118.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-6478P.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-QS3PA.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\fr\is-OA2KE.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\is-0SEC8.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmpFile created: C:\ProgramData\Rubberduck\de\is-GAITA.tmpJump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-DCICL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\fr\is-SCVVC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-6139T.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-8EO6T.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\fr\is-6DB7Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-DCG1S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-4E2I9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\es\is-EP739.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\de\is-IRNHI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\fr\is-T7A3B.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-N5CL2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\es\is-N32S7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-2DSCH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\Installers\is-NJCSS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-6I25M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-UO7SR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-EFARP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-FHM01.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-TLAFF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-AG1J8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-3FMOJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-SQ0SL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\de\is-EJGEV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-JDT9P.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\cs\is-N94B5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-V3S61.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-73R19.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-M2M7U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\es\is-7B3VN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\it\is-NQPPD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\de\is-TS2KA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-LQRTP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-EDIVT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-0674U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\fr\is-6MJ4M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-LOU08.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-PEVQ9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-PRBLH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-V0F11.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-MHC4M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-8MSQQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-AC06O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\cs\is-M9IFO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\de\is-DBMR2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-91D1U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\cs\is-EEB2T.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-KR79E.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-GM1J0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\cs\is-IS6B9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-E8TFE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\es\is-EJ118.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-6478P.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-QS3PA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\fr\is-OA2KE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\is-0SEC8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\ProgramData\Rubberduck\de\is-GAITA.tmp
Creates install or setup log file
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\Users\user\AppData\Local\Temp\Setup Log 2020-03-26 #001.txt

Boot Survival:

Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Rubberduck
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Rubberduck\is-8IFB4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Rubberduck\is-D5TT3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Rubberduck\Rubberduck VBA website.url
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Rubberduck\Uninstall Rubberduck.lnk
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Rubberduck\Repair VBE Addin registration.lnk

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_00470B44 GetWindowLongW,IsIconic,IsWindowVisible,ShowWindow,SetWindowLongW,SetWindowLongW,ShowWindow,ShowWindow,2_2_00470B44
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_00473790 IsIconic,SetFocus,GetParent,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,2_2_00473790
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_00470AC4 IsIconic,2_2_00470AC4
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004812D0 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,MessageBoxW,SetActiveWindow,2_2_004812D0
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_0042DC64 IsIconic,GetWindowPlacement,GetWindowRect,2_2_0042DC64
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_00462A84 IsIconic,GetCapture,2_2_00462A84
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004633F4 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,2_2_004633F4
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_00463E60 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongW,GetWindowLongW,GetWindowLongW,ScreenToClient,ScreenToClient,2_2_00463E60
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004E7E70 IsIconic,GetWindowLongW,ShowWindow,ShowWindow,2_2_004E7E70
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,2_2_0047A598
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-DCICL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\fr\is-SCVVC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-6139T.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-8EO6T.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\fr\is-6DB7Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-DCG1S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-4E2I9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\es\is-EP739.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\de\is-IRNHI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\fr\is-T7A3B.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-N5CL2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\es\is-N32S7.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-2DSCH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\Installers\is-NJCSS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-6I25M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-UO7SR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-EFARP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-FHM01.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-TLAFF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-AG1J8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-3FMOJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-SQ0SL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\de\is-EJGEV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\cs\is-N94B5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-JDT9P.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-V3S61.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-73R19.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-FH4FB.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-M2M7U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\es\is-7B3VN.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\it\is-NQPPD.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\de\is-TS2KA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-LQRTP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-EDIVT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\fr\is-6MJ4M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-0674U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-LOU08.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-PEVQ9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-PRBLH.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-V0F11.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-MHC4M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-8MSQQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-AC06O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\de\is-DBMR2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\cs\is-M9IFO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-91D1U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\cs\is-EEB2T.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-KR79E.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-GM1J0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\cs\is-IS6B9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-E8TFE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\es\is-EJ118.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-6478P.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-QS3PA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\fr\is-OA2KE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\is-0SEC8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Dropped PE file which has not been started: C:\ProgramData\Rubberduck\de\is-GAITA.tmp
Queries keyboard layouts
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe | Code function: 0_2_00405BEC GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,0_2_00405BEC
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004AD600 FindFirstFileW,GetLastError,2_2_004AD600
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004D62F8 FindFirstFileW,FindNextFileW,FindClose,2_2_004D62F8
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_00408174 GetModuleHandleW,GetProcAddress,lstrcpynW,lstrcpynW,lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,2_2_00408174
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004C1640 SetErrorMode,FindFirstFileW,FindNextFileW,FindClose,SetErrorMode,2_2_004C1640
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004C1AFC SetErrorMode,FindFirstFileW,FindNextFileW,FindClose,SetErrorMode,2_2_004C1AFC
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004FFC74 FindFirstFileW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,2_2_004FFC74
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004BFEBC FindFirstFileW,FindNextFileW,FindClose,2_2_004BFEBC
Contains functionality to query system information
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe | Code function: 0_2_00406458 GetSystemInfo,0_2_00406458
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: Rubberduck.Setup.2.5.0.5244.exe, 00000000.00000002.946199823.0000000002280000.00000002.00000001.sdmp, Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000002.942094962.00000000023F0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Rubberduck.Setup.2.5.0.5244.exe, 00000000.00000002.946199823.0000000002280000.00000002.00000001.sdmp, Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000002.942094962.00000000023F0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Rubberduck.Setup.2.5.0.5244.exe, 00000000.00000002.946199823.0000000002280000.00000002.00000001.sdmp, Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000002.942094962.00000000023F0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Rubberduck.Setup.2.5.0.5244.exe, 00000000.00000002.946199823.0000000002280000.00000002.00000001.sdmp, Rubberduck.Setup.2.5.0.5244.tmp, 00000002.00000002.942094962.00000000023F0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Queries a list of all running processes
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004DA4C8 ShellExecuteExW,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,2_2_004DA4C8
Contains functionality to add an ACL to a security descriptor
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_00480ED0 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,2_2_00480ED0
Contains functionality to create a new security descriptor
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_00480084 AllocateAndInitializeSid,GetVersion,GetModuleHandleW,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,2_2_00480084

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe | Code function: GetModuleFileNameW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,0_2_00405DE8
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe | Code function: GetLocaleInfoW,0_2_0040E658
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe | Code function: GetLocaleInfoW,0_2_00408EB4
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe | Code function: GetLocaleInfoW,0_2_00408F00
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe | Code function: lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,0_2_00405F23
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: GetModuleFileNameW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,2_2_00408370
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: lstrcpynW,GetThreadLocale,GetLocaleInfoW,lstrlenW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,lstrcpynW,LoadLibraryExW,2_2_004084AB
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: GetLocaleInfoW,2_2_0041107C
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: GetLocaleInfoW,2_2_0041102E
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: GetLocaleInfoW,2_2_00411030
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: GetLocaleInfoW,2_2_004B1118
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Queries volume information: C:\ VolumeInformation
Contains functionality to create pipes for IPC
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004B39E4 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeW,GetLastError,CreateFileW,SetNamedPipeHandleState,CreateProcessW,CloseHandle,CloseHandle,2_2_004B39E4
Contains functionality to query local / system time
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004CDA64 GetLocalTime,2_2_004CDA64
Contains functionality to query the account / user name
Source: C:\Users\user\AppData\Local\Temp\is-R48VO.tmp\Rubberduck.Setup.2.5.0.5244.tmp | Code function: 2_2_004B03CC GetUserNameW,2_2_004B03CC
Contains functionality to query windows version
Source: C:\Users\user\Desktop\Rubberduck.Setup.2.5.0.5244.exe | Code function: 0_2_004110C4 GetModuleHandleW,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy,0_2_004110C4

Malware Configuration

No configs have been found

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Rubberduck.Setup.2.5.0.5244.exe | 0% | Virustotal | -

Dropped Files

Source | Detection | Scanner | Label
C:\ProgramData\Rubberduck\de\is-EJGEV.tmp | 0% | Virustotal | -

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.innosetup.com/ | 1% | Virustotal | -
http://www.innosetup.com/ | 0% | URL Reputation | safe
http://rubberduckvba.com) | 0% | Avira URL Cloud | safe
http://rubberduckvba.com/? | 0% | Avira URL Cloud | safe
http://rubberduckvba.com0http://rubberduckvba.com0http://rubberduckvba.com | 0% | Avira URL Cloud | safe
http://rubberduckvba.com | 0% | Virustotal | -
http://rubberduckvba.com | 0% | Avira URL Cloud | safe
http://rubberduckvba.com/build/version/stablechttp://rubberduckvba.com/build/version/prerelease | 0% | Avira URL Cloud | safe
http://www.remobjects.com/ps | 3% | Virustotal | -
http://www.remobjects.com/ps | 0% | URL Reputation | safe
http://rubberduckvba.comq | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context
AS3215FR | updata.ps1 | malicious | 90.19.52.217
AS3215FR | Stellar Phoenix Repair for SQLite 2.0.0.0.exe | malicious | 2.0.0.0
AS3215FR | JLeGioH Soft Mineza6u9ka.exe | malicious | 2.0.0.0
AS3215FR | sample.pdf | malicious | 3.3.0.2
AS3215FR | Finance Projects.pdf | malicious | 3.3.0.2
AS3215FR | 19document.exe | malicious | 194.206.15.194
AS3215FR | INV 27300.pdf | malicious | 3.3.0.2
AS3215FR | Document137.pdf | malicious | 3.3.0.2
AS3215FR | Invoice 56720.pdf | malicious | 3.3.0.2
AS3215FR | Transaction_lateRelease.pdf | malicious | 3.3.0.2
AS3215FR | INV 383000.pdf | malicious | 3.3.0.2
AS3215FR | invoice-00976.pdf | malicious | 3.3.0.2
AS3215FR | http://play.leadzutw.com/ | malicious | 3.120.20.115
AS3215FR | quote-1.pdf | malicious | 3.3.0.2
AS3215FR | WestpacOne#Statement.pdf | malicious | 3.3.0.2
AS3215FR | Purchase Order-510661.doc | malicious | 3.120.20.115
AS3215FR | 55JrupkKav3F.exe | malicious | 81.48.92.129
AS3215FR | Document rcvd 10924 .pdf | malicious | 3.3.0.2
AS3215FR | file _1.pdf | malicious | 3.3.0.2

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.