
Windows Analysis Report E196fncR4E.exe

Overview

General Information

Sample Name: E196fncR4E.exe
Analysis ID: 534010
MD5: a15f089ed04672a843dbe2fa9ca3c69a
SHA1: 8761c4ac67f6faa8b6e05a6844f3b24d33a35fe2
SHA256: 79682758e1c5e1b4796f6882bd35890e84d3f6de23c445e79d7df25de67721c8
Tags: exe, RedLineStealer

Errors
  • Sigma runtime error: Invalid condition: all of selection* Rule: Conti Backup Database
  • Sigma runtime error: Invalid condition: all of selection* Rule: Stop Or Remove Antivirus Service
  • Sigma runtime error: Invalid condition: all of selection* Rule: Conti Volume Shadow Listing
  • Sigma runtime error: Invalid condition: all of selection* Rule: Compress Data and Lock With Password for Exfiltration With 7-ZIP
  • Sigma runtime error: Invalid condition: all of selection* Rule: Disable or Delete Windows Eventlog
  • Sigma runtime error: Invalid condition: all of selection* Rule: PowerShell SAM Copy
  • Sigma runtime error: Invalid condition: all of selection* Rule: Compress Data and Lock With Password for Exfiltration With WINZIP

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Found malware configuration
Antivirus / Scanner detection for submitted sample
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide user accounts
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Microsoft Workflow Compiler
Tries to harvest and steal browser information (history, passwords, etc)
PE file contains section with special chars
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • E196fncR4E.exe (PID: 2224 cmdline: "C:\Users\user\Desktop\E196fncR4E.exe" MD5: A15F089ED04672A843DBE2FA9CA3C69A)
    • RegSvcs.exe (PID: 4240 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
    • dfsvc.exe (PID: 6628 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe MD5: 48FD4DD682051712E3E7757C525DED71)
    • Microsoft.Workflow.Compiler.exe (PID: 6604 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe MD5: D91462AE31562E241AF5595BA5E1A3C4)
    • InstallUtil.exe (PID: 6692 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)

Malware Configuration

Threatname: RedLine

{"C2 url": ["87.251.73.109:37261"], "Bot Id": "@"}

Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.674383078.00000000061D0000.00000004.00020000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000005.00000000.659360737.0000000000402000.00000040.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000005.00000002.721305659.0000000000402000.00000040.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000001.00000002.674103198.0000000003C6A000.00000004.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000001.00000002.668694127.00000000028C0000.00000004.00020000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
(10 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.E196fncR4E.exe.28c0000.2.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
1.2.E196fncR4E.exe.61d0000.9.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
1.2.E196fncR4E.exe.3a35530.6.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
1.2.E196fncR4E.exe.3a55550.7.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
1.2.E196fncR4E.exe.6240000.11.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
(13 further entries not shown)

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started; Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\E196fncR4E.exe" , ParentImage: C:\Users\user\Desktop\E196fncR4E.exe, ParentProcessId: 2224, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 4240
Sigma detected: Microsoft Workflow Compiler
Source: Process started; Author: Nik Seetharaman, frack113; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe, NewProcessName: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe, OriginalFileName: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe, ParentCommandLine: "C:\Users\user\Desktop\E196fncR4E.exe" , ParentImage: C:\Users\user\Desktop\E196fncR4E.exe, ParentProcessId: 2224, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe, ProcessId: 6604
Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\E196fncR4E.exe" , ParentImage: C:\Users\user\Desktop\E196fncR4E.exe, ParentProcessId: 2224, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 4240

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 5.0.InstallUtil.exe.400000.4.unpack; Malware Configuration Extractor: RedLine {"C2 url": ["87.251.73.109:37261"], "Bot Id": "@"}
Antivirus / Scanner detection for submitted sample
Source: E196fncR4E.exe; Avira: detected
Machine Learning detection for sample
Source: E196fncR4E.exe; Joe Sandbox ML: detected
Source: E196fncR4E.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
Source: E196fncR4E.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: E196fncR4E.exe, 00000001.00000002.668718465.00000000028F0000.00000004.00020000.sdmp, E196fncR4E.exe, 00000001.00000002.670790857.0000000002C34000.00000004.00000001.sdmp
Source: Binary string: csc.pdb2 source: E196fncR4E.exe, 00000001.00000002.673506483.0000000003A73000.00000004.00000001.sdmp
Source: Binary string: InstallUtil.pdb source: E196fncR4E.exe, 00000001.00000002.668718465.00000000028F0000.00000004.00020000.sdmp, E196fncR4E.exe, 00000001.00000002.670790857.0000000002C34000.00000004.00000001.sdmp
Source: Binary string: csc.pdb source: E196fncR4E.exe, 00000001.00000002.673506483.0000000003A73000.00000004.00000001.sdmp

Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic; TCP traffic: 87.251.73.109 ports 37261,1,2,3,6,7
Source: Joe Sandbox View; ASN Name: ASKONTELRU ASKONTELRU
Source: global traffic; TCP traffic: 192.168.2.4:49740 -> 87.251.73.109:37261
Source: unknown; TCP traffic detected without corresponding DNS query: 87.251.73.109
Source: InstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmp; String found in binary or memory: l9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: InstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmp; String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmp; String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: InstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmp; String found in binary or memory: http://forms.rea
Source: InstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmp; String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmp; String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: InstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmp; String found in binary or memory: http://go.micros
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultD
Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                        Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                        Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                        Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                        Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                        Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                        Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                        Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                        Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                        Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                        Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                        Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                        Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                        Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                        Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                        Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                        Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                        Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                        Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                        Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                        Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                        Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                        Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                        Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                        Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                        Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                        Source: InstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmpString found in binary or memory: http://service.r
                        Source: InstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmpString found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
                        Source: InstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmpString found in binary or memory: http://support.a
                        Source: InstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmpString found in binary or memory: http://support.apple.com/kb/HT203092
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726148823.0000000003216000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726148823.0000000003216000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                        Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                        Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                        Source: InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726148823.0000000003216000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                        Source: InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                        Source: InstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmpString found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
                        Source: InstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmpString found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
                        Source: InstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725749858.000000000307C000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726148823.0000000003216000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726111500.00000000031FF000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726864451.000000000418C000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.727145655.00000000041FD000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725981944.000000000313D000.00000004.00000001.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                        Source: E196fncR4E.exe, 00000001.00000002.674103198.0000000003C6A000.00000004.00000001.sdmp, E196fncR4E.exe, 00000001.00000002.668694127.00000000028C0000.00000004.00020000.sdmp, E196fncR4E.exe, 00000001.00000002.673461133.0000000003A55000.00000004.00000001.sdmp, E196fncR4E.exe, 00000001.00000002.673366720.0000000003A31000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000000.659360737.0000000000402000.00000040.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpString found in binary or memory: https://api.ip.sb/ip
                        Source: InstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725749858.000000000307C000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726148823.0000000003216000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726111500.00000000031FF000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726864451.000000000418C000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.727145655.00000000041FD000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725981944.000000000313D000.00000004.00000001.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                        Source: InstallUtil.exe, 00000005.00000002.726148823.0000000003216000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726111500.00000000031FF000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726864451.000000000418C000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.727145655.00000000041FD000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725981944.000000000313D000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                        Source: InstallUtil.exe, 00000005.00000002.725749858.000000000307C000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/chrome_ne
                        Source: InstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726148823.0000000003216000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726111500.00000000031FF000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726864451.000000000418C000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.727145655.00000000041FD000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725981944.000000000313D000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                        Source: InstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726148823.0000000003216000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabt
                        Source: InstallUtil.exe, 00000005.00000002.726148823.0000000003216000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726111500.00000000031FF000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726864451.000000000418C000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.727145655.00000000041FD000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725981944.000000000313D000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                        Source: InstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmpString found in binary or memory: https://get.adob
                        Source: InstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmpString found in binary or memory: https://helpx.ad
                        Source: InstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725749858.000000000307C000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726111500.00000000031FF000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726864451.000000000418C000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.727145655.00000000041FD000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725981944.000000000313D000.00000004.00000001.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                        Source: InstallUtil.exe, 00000005.00000002.726148823.0000000003216000.00000004.00000001.sdmpString found in binary or memory: https://search.yahoo.com/search
                        Source: InstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725749858.000000000307C000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726148823.0000000003216000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726111500.00000000031FF000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726864451.000000000418C000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.727145655.00000000041FD000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725981944.000000000313D000.00000004.00000001.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                        Source: InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
                        Source: InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                        Source: InstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_java
                        Source: InstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
                        Source: InstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
                        Source: InstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_real
                        Source: InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
                        Source: InstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
                        Source: InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6258784
                        Source: InstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725749858.000000000307C000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726148823.0000000003216000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726111500.00000000031FF000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726864451.000000000418C000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.727145655.00000000041FD000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725981944.000000000313D000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                        System Summary:

                        PE file contains section with special chars
                        Source: E196fncR4E.exe   Static PE information: section name: A(!@(!
                        Source: E196fncR4E.exe   Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                        Source: C:\Users\user\Desktop\E196fncR4E.exeCode function: 1_2_063424E7
                        Source: C:\Users\user\Desktop\E196fncR4E.exeCode function: 1_2_063435B0
                        Source: C:\Users\user\Desktop\E196fncR4E.exeCode function: 1_2_063435C0
                        Source: C:\Users\user\Desktop\E196fncR4E.exeCode function: 1_2_06348EF8
                        Source: C:\Users\user\Desktop\E196fncR4E.exeCode function: 1_2_06348EE9
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 5_2_02EAEC68
                        Source: E196fncR4E.exeBinary or memory string: OriginalFilename vs E196fncR4E.exe
                        Source: E196fncR4E.exe, 00000001.00000002.668718465.00000000028F0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameInstallUtil.exeT vs E196fncR4E.exe
                        Source: E196fncR4E.exe, 00000001.00000002.674103198.0000000003C6A000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamecsc.exeT vs E196fncR4E.exe
                        Source: E196fncR4E.exe, 00000001.00000002.668694127.00000000028C0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenamePalpus.exe4 vs E196fncR4E.exe
                        Source: E196fncR4E.exe, 00000001.00000002.673461133.0000000003A55000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePalpus.exe4 vs E196fncR4E.exe
                        Source: E196fncR4E.exe, 00000001.00000002.667879654.00000000006F6000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameZakrytyeKupla.exe< vs E196fncR4E.exe
                        Source: E196fncR4E.exe, 00000001.00000002.670790857.0000000002C34000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameInstallUtil.exeT vs E196fncR4E.exe
                        Source: E196fncR4E.exe, 00000001.00000002.668982998.0000000002A8A000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePalpus.exe4 vs E196fncR4E.exe
                        Source: E196fncR4E.exe, 00000001.00000002.673366720.0000000003A31000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePalpus.exe4 vs E196fncR4E.exe
                        Source: E196fncR4E.exeBinary or memory string: OriginalFilenameZakrytyeKupla.exe< vs E196fncR4E.exe
                        Source: E196fncR4E.exeStatic PE information: Section: A(!@(! ZLIB complexity 1.00119357639
                        Source: C:\Users\user\Desktop\E196fncR4E.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: unknownProcess created: C:\Users\user\Desktop\E196fncR4E.exe "C:\Users\user\Desktop\E196fncR4E.exe"
                        Source: C:\Users\user\Desktop\E196fncR4E.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                        Source: C:\Users\user\Desktop\E196fncR4E.exeProcess created: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe
                        Source: C:\Users\user\Desktop\E196fncR4E.exeProcess created: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe
                        Source: C:\Users\user\Desktop\E196fncR4E.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\E196fncR4E.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\E196fncR4E.exe.log
                        Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/2@0/1
                        Source: C:\Users\user\Desktop\E196fncR4E.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                        Source: E196fncR4E.exe String found in binary or memory: " /add
                        Source: E196fncR4E.exe String found in binary or memory: /add
                        Source: E196fncR4E.exe String found in binary or memory: " /add[SOFTWARE\Microsoft\Windows\CurrentVersion\Run
                        Source: E196fncR4E.exe String found in binary or memory: /add5localgroup administrators
                        Source: C:\Users\user\Desktop\E196fncR4E.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                        Source: E196fncR4E.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: E196fncR4E.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                        Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: E196fncR4E.exe, 00000001.00000002.668718465.00000000028F0000.00000004.00020000.sdmp, E196fncR4E.exe, 00000001.00000002.670790857.0000000002C34000.00000004.00000001.sdmp
                        Source: Binary string: csc.pdb2 source: E196fncR4E.exe, 00000001.00000002.673506483.0000000003A73000.00000004.00000001.sdmp
                        Source: Binary string: InstallUtil.pdb source: E196fncR4E.exe, 00000001.00000002.668718465.00000000028F0000.00000004.00020000.sdmp, E196fncR4E.exe, 00000001.00000002.670790857.0000000002C34000.00000004.00000001.sdmp
                        Source: Binary string: csc.pdb source: E196fncR4E.exe, 00000001.00000002.673506483.0000000003A73000.00000004.00000001.sdmp
                        Source: C:\Users\user\Desktop\E196fncR4E.exe Code function: 1_2_006F606A push 581B4B53h; ret
                        Source: C:\Users\user\Desktop\E196fncR4E.exe Code function: 1_2_006F6771 pushad ; retf
                        Source: C:\Users\user\Desktop\E196fncR4E.exe Code function: 1_2_00709845 push esp; iretd
                        Source: C:\Users\user\Desktop\E196fncR4E.exe Code function: 1_2_0070A833 push cs; ret
                        Source: C:\Users\user\Desktop\E196fncR4E.exe Code function: 1_2_00709822 push esp; iretd
                        Source: C:\Users\user\Desktop\E196fncR4E.exe Code function: 1_2_028058C0 push eax; retf
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 5_2_02EA3CAF push esp; iretd
                        Source: E196fncR4E.exe Static PE information: section name: A(!@(!
                        Source: E196fncR4E.exe Static PE information: 0xC564A029 [Mon Dec 10 22:22:33 2074 UTC]
                        Source: initial sample Static PE information: section name: A(!@(! entropy: 7.9791679085
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log

                        Hooking and other Techniques for Hiding and Protection:

                        Contains functionality to hide user accounts
                        Source: E196fncR4E.exe String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
                        Source: E196fncR4E.exe, 00000001.00000002.667879654.00000000006F6000.00000002.00020000.sdmp String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v 3 /t REG_DWORD /d 0
                        Source: E196fncR4E.exe, 00000001.00000002.668781953.0000000002A31000.00000004.00000001.sdmp String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
                        Source: E196fncR4E.exe, 00000001.00000002.668781953.0000000002A31000.00000004.00000001.sdmp String found in binary or memory: aREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
                        Source: E196fncR4E.exe, 00000001.00000002.674301991.00000000050A1000.00000004.00000001.sdmp String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
                        Source: E196fncR4E.exe, 00000001.00000002.674301991.00000000050A1000.00000004.00000001.sdmp String found in binary or memory: aREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
                        Source: E196fncR4E.exe String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v 3 /t REG_DWORD /d 0
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                        Source: C:\Users\user\Desktop\E196fncR4E.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion:

                        Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                        Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                        Source: C:\Users\user\Desktop\E196fncR4E.exe TID: 6348 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 5672 Thread sleep time: -11990383647911201s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6672 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\Desktop\E196fncR4E.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 2181
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Window / User API: threadDelayed 4839
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\E196fncR4E.exe Process information queried: ProcessInformation
                        Source: C:\Users\user\Desktop\E196fncR4E.exe Process token adjusted: Debug
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process token adjusted: Debug
                        Source: C:\Users\user\Desktop\E196fncR4E.exe Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion:

                        Writes to foreign memory regions
                        Source: C:\Users\user\Desktop\E196fncR4E.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
                        Source: C:\Users\user\Desktop\E196fncR4E.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
                        Source: C:\Users\user\Desktop\E196fncR4E.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 41C000
                        Source: C:\Users\user\Desktop\E196fncR4E.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 41E000
                        Source: C:\Users\user\Desktop\E196fncR4E.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: C53008
                        Allocates memory in foreign processes
                        Source: C:\Users\user\Desktop\E196fncR4E.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
                        Injects a PE file into a foreign processes
                        Source: C:\Users\user\Desktop\E196fncR4E.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
                        Source: C:\Users\user\Desktop\E196fncR4E.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                        Source: C:\Users\user\Desktop\E196fncR4E.exe Process created: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe
                        Source: C:\Users\user\Desktop\E196fncR4E.exe Process created: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe
                        Source: C:\Users\user\Desktop\E196fncR4E.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                        Source: C:\Users\user\Desktop\E196fncR4E.exe Queries volume information: C:\Users\user\Desktop\E196fncR4E.exe VolumeInformation
                        Source: C:\Users\user\Desktop\E196fncR4E.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                        Source: C:\Users\user\Desktop\E196fncR4E.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe VolumeInformation
                        Source: C:\Users\user\Desktop\E196fncR4E.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                        Source: C:\Users\user\Desktop\E196fncR4E.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected RedLine Stealer
Source: Yara match | File source: 1.2.E196fncR4E.exe.28c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.E196fncR4E.exe.61d0000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.E196fncR4E.exe.3a35530.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.E196fncR4E.exe.3a55550.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.E196fncR4E.exe.6240000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.E196fncR4E.exe.61d0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.E196fncR4E.exe.3a35530.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.E196fncR4E.exe.28c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.E196fncR4E.exe.28a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.E196fncR4E.exe.28a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.E196fncR4E.exe.6240000.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.E196fncR4E.exe.3a55550.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.674383078.00000000061D0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.659360737.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.721305659.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.674103198.0000000003C6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.668694127.00000000028C0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.673461133.0000000003A55000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.674538239.0000000006240000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.660068047.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.660369622.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.659685845.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.673366720.0000000003A31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.668653404.00000000028A0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: E196fncR4E.exe PID: 2224, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6692, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Tries to steal Crypto Currency Wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6692, type: MEMORYSTR
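The rows in this section are enough to write a host-side detection, given as an added example here (this code is not part of the Joe Sandbox report and is not vendor code). The watched paths are exactly the Chrome credential stores and the Ethereum and Exodus wallet directories the report shows InstallUtil.exe opening, and the WMI rule covers the AntivirusProduct, AntiSpyWareProduct and FirewallProduct enumeration against ROOT\SecurityCenter and ROOT\SecurityCenter2 listed earlier in this section. The Event record is a hypothetical, generic EDR-style schema (field names are assumptions to be mapped onto your own sensor), the SAMPLE_EVENTS are constructed to mirror the report's rows for InstallUtil.exe PID 6692 plus hypothetical benign activity from chrome.exe and an imaginary "inventory.exe" agent, and the rule names are mine.

```python
"""Detection rules derived from the RedLine behaviours listed in this report.

Added example, not the report's or any vendor's code.  The Event schema is a
hypothetical generic EDR-style record; SAMPLE_EVENTS is constructed telemetry.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass

# Browser credential stores the sample opened, mapped to the process expected to
# own them.  User name and profile ("Default") are wildcarded so the rule is not
# tied to the sandbox user.
CREDENTIAL_STORES: dict[str, set[str]] = {
    r"C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Cookies": {"chrome.exe"},
    r"C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Login Data": {"chrome.exe"},
    r"C:\Users\*\AppData\Local\Google\Chrome\User Data\*\Web Data": {"chrome.exe"},
}
# Wallet directories the sample opened; any process touching these is reported.
WALLET_DIRS: list[str] = [
    r"C:\Users\*\AppData\Roaming\Ethereum\wallets\*",
    r"C:\Users\*\AppData\Roaming\Exodus\exodus.wallet\*",
]
# The three SecurityCenter/SecurityCenter2 classes the sample enumerates together.
SECURITY_CENTER_CLASSES: frozenset[str] = frozenset(
    {"AntivirusProduct", "AntiSpyWareProduct", "FirewallProduct"}
)


@dataclass(frozen=True)
class Event:
    pid: int
    image: str   # process image name, e.g. "InstallUtil.exe"
    kind: str    # "file_open" or "wmi_query"
    target: str  # file path, or "namespace:class" for a WMI query


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    rule: str
    evidence: str


def _path_matches(path: str, pattern: str) -> bool:
    """Case-insensitive glob match, since NTFS paths are case-insensitive."""
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def detect(events: list[Event]) -> list[Finding]:
    """Run the three rules over an event stream and return every hit."""
    findings: list[Finding] = []
    classes_seen: dict[int, set[str]] = {}
    enumeration_reported: set[int] = set()

    for ev in events:
        if ev.kind == "file_open":
            # Rule 1: a process other than the browser reading its credential DBs.
            for pattern, owners in CREDENTIAL_STORES.items():
                if _path_matches(ev.target, pattern) and ev.image.lower() not in owners:
                    findings.append(Finding(ev.pid, ev.image, "browser_credential_store_access", ev.target))
            # Rule 2: any access to a cryptocurrency wallet directory.
            if any(_path_matches(ev.target, p) for p in WALLET_DIRS):
                findings.append(Finding(ev.pid, ev.image, "crypto_wallet_access", ev.target))
        elif ev.kind == "wmi_query":
            # Rule 3: one PID enumerating AV, anti-spyware and firewall products
            # through SecurityCenter or SecurityCenter2.  Fires once per PID and
            # only after all three classes were queried, so software that checks
            # a single class does not trip it.
            namespace, _, wmi_class = ev.target.partition(":")
            if namespace.upper().startswith("ROOT\\SECURITYCENTER") and wmi_class in SECURITY_CENTER_CLASSES:
                seen = classes_seen.setdefault(ev.pid, set())
                seen.add(wmi_class)
                if seen >= SECURITY_CENTER_CLASSES and ev.pid not in enumeration_reported:
                    enumeration_reported.add(ev.pid)
                    findings.append(Finding(ev.pid, ev.image, "security_software_enumeration", ", ".join(sorted(seen))))
    return findings


# Constructed telemetry: the InstallUtil.exe rows mirror what the report lists
# for PID 6692; chrome.exe and the hypothetical "inventory.exe" are benign noise.
CHROME_PROFILE = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default"
SAMPLE_EVENTS: list[Event] = [
    Event(4120, "chrome.exe", "file_open", CHROME_PROFILE + r"\Login Data"),
    Event(6692, "InstallUtil.exe", "file_open", CHROME_PROFILE + r"\Cookies"),
    Event(6692, "InstallUtil.exe", "file_open", CHROME_PROFILE + r"\Login Data"),
    Event(6692, "InstallUtil.exe", "file_open", CHROME_PROFILE + r"\Web Data"),
    Event(6692, "InstallUtil.exe", "file_open", "C:\\Users\\user\\AppData\\Roaming\\Ethereum\\wallets\\"),
    Event(6692, "InstallUtil.exe", "file_open", "C:\\Users\\user\\AppData\\Roaming\\Exodus\\exodus.wallet\\"),
    Event(900, "inventory.exe", "wmi_query", r"ROOT\SecurityCenter2:AntivirusProduct"),
    Event(6692, "InstallUtil.exe", "wmi_query", r"ROOT\SecurityCenter2:AntivirusProduct"),
    Event(6692, "InstallUtil.exe", "wmi_query", r"ROOT\SecurityCenter2:AntiSpyWareProduct"),
    Event(6692, "InstallUtil.exe", "wmi_query", r"ROOT\SecurityCenter2:FirewallProduct"),
]


def run_sample() -> list[Finding]:
    """Apply the rules to the constructed telemetry above."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.image}[{f.pid}] {f.rule}: {f.evidence}")
```

On the constructed input every hit belongs to PID 6692: three credential-store reads, two wallet reads and one security-software enumeration, while chrome.exe opening its own Login Data and the agent querying a single class stay silent. In production the wallet rule needs an allowlist for backup agents, and the Chrome owner set should be extended with whatever browsers are deployed; the SecurityCenter rule deliberately keys on the three-class burst rather than on InstallUtil.exe by name, because the injection target changes between samples.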

Remote Access Functionality:

Yara detected RedLine Stealer
Source: Yara match | File source: the same unpacked PE files, memory dumps, process memory spaces (E196fncR4E.exe PID 2224, InstallUtil.exe PID 6692) and dump.pcap listed under Stealing of Sensitive Information above

Mitre Att&ck Matrix

Digits after a technique name are the report's badge counts, kept as printed.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 221 | Path Interception | Process Injection 311 | Masquerading 1 | OS Credential Dumping 1 | Query Registry 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Command and Scripting Interpreter 2 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Security Software Discovery 22 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 231 | Security Account Manager | Process Discovery 11 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 311 | NTDS | Virtualization/Sandbox Evasion 231 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Users 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | System Information Discovery 123 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 2 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Timestomp 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Behavior Graph

(Interactive behavior graph; its legend distinguishes processes, signatures, created files, DNS/IP info, dropped files, Windows processes, counts of created registry values and files, the binary's language, and malicious or Internet-facing nodes.)

Screenshots

Thumbnails

(Screenshots of the analysis run, including those not shown in the slideshow.)

                        Antivirus, Machine Learning and Genetic Malware Detection

                        Initial Sample

Source | Detection | Scanner | Label | Link
E196fncR4E.exe | 100% | Avira | HEUR/AGEN.1133806 |
E196fncR4E.exe | 100% | Joe Sandbox ML | |

                        Dropped Files

                        No Antivirus matches

                        Unpacked PE Files

Source | Detection | Scanner | Label | Link
1.2.E196fncR4E.exe.6f0000.0.unpack | 100% | Avira | HEUR/AGEN.1133806 |
1.0.E196fncR4E.exe.6f0000.0.unpack | 100% | Avira | HEUR/AGEN.1133806 |

                        Domains

                        No Antivirus matches

                        URLs

Source | Detection | Scanner | Label | Link
http://service.r | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id12Response | 0% | URL Reputation | safe |
http://tempuri.org/ | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id2Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id21Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id9 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id8 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id5 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id4 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id7 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id6 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id19Response | 0% | URL Reputation | safe |
http://www.interoperabilitybridges.com/wmp-extension-for-chrome | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id15Response | 0% | URL Reputation | safe |
http://support.a | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id6Response | 0% | URL Reputation | safe |
https://api.ip.sb/ip | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id9Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id20 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id21 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id22 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id23 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id24 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id24Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id1Response | 0% | URL Reputation | safe |
http://forms.rea | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id10 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id11 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id12 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id16Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id13 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id14 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id15 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id16 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id17 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id18 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id5Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id19 | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id10Response | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id8Response | 0% | URL Reputation | safe |

                        Domains and IPs

                        Contacted Domains

                        No contacted domains info

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | InstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726148823.0000000003216000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726111500.00000000031FF000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726864451.000000000418C000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.727145655.00000000041FD000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725981944.000000000313D000.00000004.00000001.sdmp | false | | high
http://service.r | InstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp | false | | high
https://duckduckgo.com/ac/?q= | InstallUtil.exe, 00000005.00000002.726148823.0000000003216000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726111500.00000000031FF000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726864451.000000000418C000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.727145655.00000000041FD000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725981944.000000000313D000.00000004.00000001.sdmp | false | | high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id12Response | InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/ | InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id2Response | InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id21Response | InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id9 | InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id8 | InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id5 | InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id4 | InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id7 | InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id6 | InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp | false | | high
https://support.google.com/chrome/?p=plugin_real | InstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id19Response | InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp | false | | high
http://www.interoperabilitybridges.com/wmp-extension-for-chrome | InstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp | false | | high
https://support.google.com/chrome/?p=plugin_pdf | InstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wsat | InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp | false | | high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id15Response | InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp | false | | high
http://forms.real.com/real/realone/download.html?type=rpsp_us | InstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmp | false | | high
http://support.a | InstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp | false | | high
http://tempuri.org/Entity/Id6Response | InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp | false | | high
https://api.ip.sb/ip | E196fncR4E.exe, 00000001.00000002.674103198.0000000003C6A000.00000004.00000001.sdmp, E196fncR4E.exe, 00000001.00000002.668694127.00000000028C0000.00000004.00020000.sdmp, E196fncR4E.exe, 00000001.00000002.673461133.0000000003A55000.00000004.00000001.sdmp, E196fncR4E.exe, 00000001.00000002.673366720.0000000003A31000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000000.659360737.0000000000402000.00000040.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe | InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmp | false | | high
                                                                            https://support.google.com/chrome/?p=plugin_quicktimeInstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmpfalse
                                                                              high
                                                                              http://schemas.xmlsoap.org/ws/2004/04/scInstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpfalse
                                                                                high
                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCInstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpfalse
                                                                                  high
                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelInstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpfalse
                                                                                    high
                                                                                    http://tempuri.org/Entity/Id9ResponseInstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=InstallUtil.exe, 00000005.00000002.726148823.0000000003216000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726111500.00000000031FF000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726864451.000000000418C000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.727145655.00000000041FD000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725981944.000000000313D000.00000004.00000001.sdmpfalse
                                                                                      high
                                                                                      http://tempuri.org/Entity/Id20InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      http://tempuri.org/Entity/Id21InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      http://tempuri.org/Entity/Id22InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpfalse
                                                                                        high
                                                                                        http://tempuri.org/Entity/Id23InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpfalse
                                                                                          high
                                                                                          http://tempuri.org/Entity/Id24InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueInstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpfalse
                                                                                            high
                                                                                            http://tempuri.org/Entity/Id24ResponseInstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            http://tempuri.org/Entity/Id1ResponseInstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedInstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpfalse
                                                                                              high
                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyInstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayInstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoInstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpfalse
                                                                                                    high
                                                                                                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryInstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpfalse
                                                                                                      high
                                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCInstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpfalse
                                                                                                        high
                                                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyInstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpfalse
                                                                                                          high
                                                                                                          http://schemas.xmlsoap.org/ws/2004/08/addressingInstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpfalse
                                                                                                            high
                                                                                                            https://support.google.com/chrome/?p=plugin_shockwaveInstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmpfalse
                                                                                                              high
                                                                                                              https://search.yahoo.com/searchInstallUtil.exe, 00000005.00000002.726148823.0000000003216000.00000004.00000001.sdmpfalse
                                                                                                                high
                                                                                                                http://forms.reaInstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueInstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionInstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpfalse
                                                                                                                    high
                                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/trustInstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpfalse
                                                                                                                      high
                                                                                                                      http://tempuri.org/Entity/Id10InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      http://tempuri.org/Entity/Id11InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      http://tempuri.org/Entity/Id12InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      http://tempuri.org/Entity/Id16ResponseInstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseInstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelInstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpfalse
                                                                                                                          high
                                                                                                                          http://tempuri.org/Entity/Id13InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          http://tempuri.org/Entity/Id14InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          http://tempuri.org/Entity/Id15InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          http://tempuri.org/Entity/Id16InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/NonceInstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpfalse
                                                                                                                            high
                                                                                                                            http://tempuri.org/Entity/Id17InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            http://tempuri.org/Entity/Id18InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            http://tempuri.org/Entity/Id5ResponseInstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            http://tempuri.org/Entity/Id19InstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            http://schemas.xmlsoap.org/ws/2004/08/addressing/faultDInstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpfalse
                                                                                                                              high
                                                                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsInstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                http://tempuri.org/Entity/Id10ResponseInstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726148823.0000000003216000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RenewInstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://tempuri.org/Entity/Id8ResponseInstallUtil.exe, 00000005.00000002.725171915.0000000002F11000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.726148823.0000000003216000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
                                                                                                                                  https://support.google.com/chrome/?p=plugin_wmpInstallUtil.exe, 00000005.00000002.726016690.0000000003154000.00000004.00000001.sdmp, InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyInstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0InstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDInstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://support.google.com/chrome/answer/6258784InstallUtil.exe, 00000005.00000002.725809252.0000000003092000.00000004.00000001.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTInstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://schemas.xmlsoap.org/ws/2006/02/addressingidentityInstallUtil.exe, 00000005.00000002.725413839.0000000002FA0000.00000004.00000001.sdmpfalse
                                                                                                                                                high

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
87.251.73.109 | unknown | Russian Federation | 204490 | ASKONTELRU | true

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 534010
Start date: 05.12.2021
Start time: 00:07:37
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 5s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: E196fncR4E.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@9/2@0/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.1% (good quality ratio 0.1%)
• Quality average: 83%
• Quality standard deviation: 0%
                                                                                                                                                HCA Information:
                                                                                                                                                • Successful, ratio: 93%
                                                                                                                                                • Number of executed functions: 0
                                                                                                                                                • Number of non-executed functions: 0
                                                                                                                                                Cookbook Comments:
                                                                                                                                                • Adjust boot time
                                                                                                                                                • Enable AMSI
                                                                                                                                                • Found application associated with file extension: .exe
                                                                                                                                                • Stop behavior analysis, all processes terminated
Warnings:
                                                                                                                                                • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
                                                                                                                                                • TCP Packets have been reduced to 100
                                                                                                                                                • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com, arc.msn.com
                                                                                                                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                Errors:
                                                                                                                                                • Sigma runtime error: Invalid condition: all of selection* Rule: Conti Backup Database
                                                                                                                                                • Sigma runtime error: Invalid condition: all of selection* Rule: Stop Or Remove Antivirus Service
                                                                                                                                                • Sigma runtime error: Invalid condition: all of selection* Rule: Conti Volume Shadow Listing
                                                                                                                                                • Sigma runtime error: Invalid condition: all of selection* Rule: Compress Data and Lock With Password for Exfiltration With 7-ZIP
                                                                                                                                                • Sigma runtime error: Invalid condition: all of selection* Rule: Disable or Delete Windows Eventlog
                                                                                                                                                • Sigma runtime error: Invalid condition: all of selection* Rule: PowerShell SAM Copy
                                                                                                                                                • Sigma runtime error: Invalid condition: all of selection* Rule: Compress Data and Lock With Password for Exfiltration With WINZIP

                                                                                                                                                Simulations

                                                                                                                                                Behavior and APIs

Time      Type             Description
00:08:55  API Interceptor  37x Sleep call for process: InstallUtil.exe modified

                                                                                                                                                Joe Sandbox View / Context

                                                                                                                                                IPs

Match          Associated Sample Name / URL                        Detection
87.251.73.109  466c4a9f01e7b04499eafee7a9283df00ed06c00134cc.exe   malicious
               EV49Im3Lnd.exe                                      malicious
               9820500aae4c3b3b5ab38a63f9776a75cfb2203a20798.exe   malicious

                                                                                                                                                      Domains

                                                                                                                                                      No context

                                                                                                                                                      ASN

Match       Associated Sample Name / URL                        Detection   Context
ASKONTELRU  466c4a9f01e7b04499eafee7a9283df00ed06c00134cc.exe   malicious   87.251.73.109
            Kq8hjfiv87.exe                                      malicious   185.186.142.166
            pgOVV6yBlF.exe                                      malicious   185.186.142.166
            jvclBMP1vW.exe                                      malicious   185.186.142.166
            9wHCL2s0mn.exe                                      malicious   185.186.142.166
            lqzq58DLHP.exe                                      malicious   185.186.142.166
            ZU7aA39iRz.exe                                      malicious   185.186.142.166
            OTYlygnSWX.exe                                      malicious   185.186.142.166
            KQ9j4VJ0f8.exe                                      malicious   185.186.142.166
            r3vhW8dfrr.exe                                      malicious   185.186.142.166
            70h2dF8m45.exe                                      malicious   185.186.142.166
            mGRHBSEOZW.exe                                      malicious   185.186.142.166
            lnlJCR9JVn.exe                                      malicious   185.186.142.166
            EOGcyVU7U3.exe                                      malicious   185.186.142.166
            VF78jGjtCG.exe                                      malicious   185.186.142.166
            EV49Im3Lnd.exe                                      malicious   87.251.73.109
            9820500aae4c3b3b5ab38a63f9776a75cfb2203a20798.exe   malicious   87.251.73.109
            6093384421389c5a04411fe0807a20ec283ef9bbb248b.exe   malicious   185.186.143.241
            swift_mt103.xlsx                                    malicious   185.186.142.132
            outstanding_remit111921.xlsx                        malicious   185.186.142.132

                                                                                                                                                      JA3 Fingerprints

                                                                                                                                                      No context

                                                                                                                                                      Dropped Files

                                                                                                                                                      No context

                                                                                                                                                      Created / dropped Files

                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\E196fncR4E.exe.log
                                                                                                                                                      Process:C:\Users\user\Desktop\E196fncR4E.exe
                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):624
                                                                                                                                                      Entropy (8bit):5.347301286976015
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhat92n4MqmI+DLI4M9s:ML9E4Ks2wKDE4KhK3VZ9pKhg84xmIeEw
                                                                                                                                                      MD5:5D8E90786245BC9A124C0F045E69D4B0
                                                                                                                                                      SHA1:C318D99F7C812F42D811BD70B37B682101785028
                                                                                                                                                      SHA-256:83920340DA936F72DF8B5876526B01675916AF7DEA377613808985220CC9432E
                                                                                                                                                      SHA-512:77AB06E1741F94B4E356775E846DBA4BC5F178F5F972A8494A320C251E739C2DE267D947E1867795F901CE26C6A53A14EAB7CD454C23CE0CB1B8AAAB3145467E
                                                                                                                                                      Malicious:true
                                                                                                                                                      Reputation:low
                                                                                                                                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.Workflow.Compiler, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..
                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):2291
                                                                                                                                                      Entropy (8bit):5.3192079301865585
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:48:MOfHK5HKXAHKhBHKdHKB1AHKzvQTHmYHKhQnoPtHoxHImHKoLHG1qHjHKdHAHDJn:vq5qXAqLqdqUqzcGYqhQnoPtIxHbqoL1
                                                                                                                                                      MD5:B8B968C6C5994E11C0AEF299F6CC13DF
                                                                                                                                                      SHA1:60351148A0D29E39DF51AE7F8D6DA7653E31BCF9
                                                                                                                                                      SHA-256:DD53198266985E5C23239DCDDE91B25CF1FC1F4266B239533C11DDF0EF0F958D
                                                                                                                                                      SHA-512:CFBCFCB650EF8C84A4BA005404E90ECAC9E77BDB618F53CD5948C085E44D099183C97C1D818A905B16C5E495FF167BD47347B14670A6E68801B0C01BC264F168
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:moderate, very likely benign file
                                                                                                                                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runtime.Serialization.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.ServiceModel.Internals, Version=4.0.0.0, Culture=
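The two UsageLogs files above are written by the .NET runtime itself and record which assemblies a process bound, so they remain a cheap triage source on a host after the process has exited. The Python below is an added example by the editor, not part of the Joe Sandbox report or of the sample: it parses the log format visible in the previews (one CSV record per line; the ".." in the preview is the CRLF terminator) and flags assemblies an analyst would want explained. The embedded log is reconstructed from the E196fncR4E.exe.log preview, and the watchlist with its reasons is the editor's assumption, not something the report states.

```python
import csv
from dataclasses import dataclass
from typing import Dict, List, Optional

# Reconstructed from the E196fncR4E.exe.log preview in the report above; the
# ".." in the preview stands for the CRLF line terminator. Constructed input,
# not the file itself.
SAMPLE_USAGE_LOG = (
    '1,"fusion","GAC",0\r\n'
    '1,"WinRT","NotApp",1\r\n'
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\'
    '4f0a7eefa3cd3e0ba98b5ebddbbc72e6\\System.ni.dll",0\r\n'
    '3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\'
    'f1d8480152e0da9a60ad49c6d16a3b6d\\System.Core.ni.dll",0\r\n'
    '2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0\r\n'
    '2,"Microsoft.Workflow.Compiler, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0\r\n'
)

# Assemblies whose presence in a dropper's usage log deserves a look. The list
# and the wording are the editor's assumptions, not report content.
WATCHLIST: Dict[str, str] = {
    "Microsoft.Workflow.Compiler": "assembly behind the Microsoft.Workflow.Compiler.exe LOLBin "
                                   "(compiles and runs C# supplied in an XML file)",
    "System.ServiceModel": "WCF client/server stack; check which endpoint the process binds",
    "System.Management": "WMI access, commonly used for VM and hardware fingerprinting",
}


@dataclass
class AssemblyRecord:
    kind: int                    # first column of the record
    name: str                    # simple assembly name, e.g. "System.Core"
    display_name: str            # full display name incl. Version/PublicKeyToken
    native_image: Optional[str]  # NGEN image path when the record carries one


def parse_usage_log(text: str) -> List[AssemblyRecord]:
    """Parse a CLR_v4.0_32\\UsageLogs\\*.log file into assembly records.

    Each line is a CSV record. Records whose second field is not an assembly
    display name (the 1,"fusion","GAC",0 and 1,"WinRT","NotApp",1 headers)
    are skipped; when a record has four fields the third is the native image.
    """
    records: List[AssemblyRecord] = []
    for row in csv.reader(text.splitlines()):
        if len(row) < 3 or "Version=" not in row[1]:
            continue
        display = row[1]
        native = row[2] if len(row) >= 4 else None
        records.append(AssemblyRecord(int(row[0]), display.split(",")[0].strip(), display, native))
    return records


def public_key_token(display_name: str) -> Optional[str]:
    """Extract PublicKeyToken from a display name, or None if absent."""
    for part in display_name.split(","):
        key, _, value = part.strip().partition("=")
        if key == "PublicKeyToken":
            return value.lower()
    return None


def flag_assemblies(text: str, watchlist: Dict[str, str] = WATCHLIST) -> Dict[str, str]:
    """Return {assembly name: reason} for every watchlisted assembly in the log."""
    return {r.name: watchlist[r.name] for r in parse_usage_log(text) if r.name in watchlist}


if __name__ == "__main__":
    for rec in parse_usage_log(SAMPLE_USAGE_LOG):
        ngen = "yes" if rec.native_image else "no"
        print(f"{rec.kind} {rec.name:<30} token={public_key_token(rec.display_name)} ngen={ngen}")
    for name, why in flag_assemblies(SAMPLE_USAGE_LOG).items():
        print(f"FLAG {name}: {why}")
```

Run against the E196fncR4E.exe.log content the parser flags Microsoft.Workflow.Compiler, which is what the "Sigma detected: Microsoft Workflow Compiler" signature in this report is keying on; run against InstallUtil.exe.log it would flag System.ServiceModel, a useful pointer that the injected process carries a WCF client. The usage log only proves an assembly was bound, not what it was used for, so treat a hit as a lead for the dynamic data, not as a verdict.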

                                                                                                                                                      Static File Info

                                                                                                                                                      General

                                                                                                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                      Entropy (8bit):6.70800225309473
                                                                                                                                                      TrID:
                                                                                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                                                                                      • Win32 Executable (generic) a (10002005/4) 49.96%
                                                                                                                                                      • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                                      File name:E196fncR4E.exe
                                                                                                                                                      File size:223744
                                                                                                                                                      MD5:a15f089ed04672a843dbe2fa9ca3c69a
                                                                                                                                                      SHA1:8761c4ac67f6faa8b6e05a6844f3b24d33a35fe2
                                                                                                                                                      SHA256:79682758e1c5e1b4796f6882bd35890e84d3f6de23c445e79d7df25de67721c8
                                                                                                                                                      SHA512:2f25c7854a2bf66c4c6f40e6eac9a143b33f4607d747696d60262da071a8f7d9cf4044f4f595db9129d9027e703fb0b78053b5a8d3eabe821e654ef3908c4167
                                                                                                                                                      SSDEEP:6144:yOyJYFq1ye0vCY839its1L+MXytKCaDEJw:F/F62FQ6SLzXQKCagw
                                                                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...).d...............0..:...,......>....`... ....@.. ....................................`................................

                                                                                                                                                      File Icon

                                                                                                                                                      Icon Hash:00828e8e8686b000

                                                                                                                                                      Static PE Info

                                                                                                                                                      General

                                                                                                                                                      Entrypoint:0x43983e
                                                                                                                                                      Entrypoint Section:.text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp: 0xC564A029 [Mon Dec 10 22:22:33 2074 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00406000h]
add byte ptr [eax], al

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x397e8          0x53          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x3a000          0x5c6         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x3c000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x6000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x6008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
A(!@(!  0x2000           0x22e4        0x2400    False     1.00119357639    data       7.9791679085    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.text   0x6000           0x33844       0x33a00   False     0.591059132869   data       6.6573114894    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x3a000          0x5c6         0x600     False     0.419270833333   data       4.14050513885   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x3c000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name         RVA      Size   Type                                                                          Language  Country
RT_VERSION   0x3a0a0  0x33c  data
RT_MANIFEST  0x3a3dc  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL          Import
mscoree.dll  _CorExeMain

Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2021
Assembly Version  1.0.0.0
InternalName      ZakrytyeKupla.exe
FileVersion       1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName       ZakrytyeKupla
ProductVersion    1.0.0.0
FileDescription   ZakrytyeKupla
OriginalFilename  ZakrytyeKupla.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                           Source Port  Dest Port  Source IP      Dest IP
Dec 5, 2021 00:08:41.378005028 CET  49740        37261      192.168.2.4    87.251.73.109
Dec 5, 2021 00:08:41.434045076 CET  37261        49740      87.251.73.109  192.168.2.4
Dec 5, 2021 00:08:41.435097933 CET  49740        37261      192.168.2.4    87.251.73.109
Dec 5, 2021 00:08:41.830698013 CET  49740        37261      192.168.2.4    87.251.73.109
Dec 5, 2021 00:08:41.887656927 CET  37261        49740      87.251.73.109  192.168.2.4
Dec 5, 2021 00:08:41.940862894 CET  49740        37261      192.168.2.4    87.251.73.109
Dec 5, 2021 00:08:44.244407892 CET  49740        37261      192.168.2.4    87.251.73.109
Dec 5, 2021 00:08:44.301983118 CET  37261        49740      87.251.73.109  192.168.2.4
Dec 5, 2021 00:08:44.344633102 CET  49740        37261      192.168.2.4    87.251.73.109
Dec 5, 2021 00:08:50.433928013 CET  49740        37261      192.168.2.4    87.251.73.109
Dec 5, 2021 00:08:50.502065897 CET  37261        49740      87.251.73.109  192.168.2.4
Dec 5, 2021 00:08:50.502126932 CET  37261        49740      87.251.73.109  192.168.2.4
Dec 5, 2021 00:08:50.502163887 CET  37261        49740      87.251.73.109  192.168.2.4
Dec 5, 2021 00:08:50.502254963 CET  49740        37261      192.168.2.4    87.251.73.109
Dec 5, 2021 00:08:50.550981045 CET  49740        37261      192.168.2.4    87.251.73.109
Dec 5, 2021 00:08:53.710699081 CET  49740        37261      192.168.2.4    87.251.73.109
Dec 5, 2021 00:08:53.792771101 CET  37261        49740      87.251.73.109  192.168.2.4
Dec 5, 2021 00:08:53.832469940 CET  49740        37261      192.168.2.4    87.251.73.109
Dec 5, 2021 00:08:53.865206003 CET  49740        37261      192.168.2.4    87.251.73.109
Dec 5, 2021 00:08:53.923886061 CET  37261        49740      87.251.73.109  192.168.2.4
Dec 5, 2021 00:08:53.953666925 CET  49740        37261      192.168.2.4    87.251.73.109
Dec 5, 2021 00:08:54.012437105 CET  37261        49740      87.251.73.109  192.168.2.4
Dec 5, 2021 00:08:54.013992071 CET  49740        37261      192.168.2.4    87.251.73.109
Dec 5, 2021 00:08:54.075424910 CET  37261        49740      87.251.73.109  192.168.2.4
Dec 5, 2021 00:08:54.086602926 CET  49740        37261      192.168.2.4    87.251.73.109
Dec 5, 2021 00:08:54.148890018 CET  37261        49740      87.251.73.109  192.168.2.4
Dec 5, 2021 00:08:54.166194916 CET  49740        37261      192.168.2.4    87.251.73.109
Dec 5, 2021 00:08:54.224385023 CET  37261        49740      87.251.73.109  192.168.2.4
Dec 5, 2021 00:08:54.270044088 CET  49740        37261      192.168.2.4    87.251.73.109
Dec 5, 2021 00:08:54.399350882 CET  49740        37261      192.168.2.4    87.251.73.109
Dec 5, 2021 00:08:54.506844997 CET  37261        49740      87.251.73.109  192.168.2.4
Dec 5, 2021 00:08:54.514374971 CET  37261        49740      87.251.73.109  192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:54.532749891 CET4974037261192.168.2.487.251.73.109
                                                                                                                                                      Dec 5, 2021 00:08:54.593244076 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:54.609652996 CET4974037261192.168.2.487.251.73.109
                                                                                                                                                      Dec 5, 2021 00:08:54.668176889 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:54.709650040 CET4974037261192.168.2.487.251.73.109
                                                                                                                                                      Dec 5, 2021 00:08:54.839113951 CET4974037261192.168.2.487.251.73.109
                                                                                                                                                      Dec 5, 2021 00:08:54.896459103 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:54.941956997 CET4974037261192.168.2.487.251.73.109
                                                                                                                                                      Dec 5, 2021 00:08:54.949486971 CET4974037261192.168.2.487.251.73.109
                                                                                                                                                      Dec 5, 2021 00:08:55.005346060 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:55.005618095 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:55.006824970 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:55.051361084 CET4974037261192.168.2.487.251.73.109
                                                                                                                                                      Dec 5, 2021 00:08:55.329694986 CET4974037261192.168.2.487.251.73.109
                                                                                                                                                      Dec 5, 2021 00:08:55.388421059 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:55.391812086 CET4974037261192.168.2.487.251.73.109
                                                                                                                                                      Dec 5, 2021 00:08:55.448188066 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:55.488887072 CET4974037261192.168.2.487.251.73.109
                                                                                                                                                      Dec 5, 2021 00:08:56.222178936 CET4974037261192.168.2.487.251.73.109
                                                                                                                                                      Dec 5, 2021 00:08:56.280551910 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:56.333076954 CET4974037261192.168.2.487.251.73.109
                                                                                                                                                      Dec 5, 2021 00:08:56.404692888 CET4974037261192.168.2.487.251.73.109
                                                                                                                                                      Dec 5, 2021 00:08:56.460891962 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:56.461716890 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:56.504575968 CET4974037261192.168.2.487.251.73.109
                                                                                                                                                      Dec 5, 2021 00:08:56.543829918 CET4974037261192.168.2.487.251.73.109
                                                                                                                                                      Dec 5, 2021 00:08:56.600697994 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:56.645227909 CET4974037261192.168.2.487.251.73.109
                                                                                                                                                      Dec 5, 2021 00:08:57.253681898 CET4974037261192.168.2.487.251.73.109
                                                                                                                                                      Dec 5, 2021 00:08:57.309607983 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:57.309657097 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:57.309689999 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:57.309715033 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:57.309819937 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:57.309912920 CET4974037261192.168.2.487.251.73.109
                                                                                                                                                      Dec 5, 2021 00:08:57.310008049 CET4974037261192.168.2.487.251.73.109
                                                                                                                                                      Dec 5, 2021 00:08:57.310028076 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:57.310034037 CET4974037261192.168.2.487.251.73.109
                                                                                                                                                      Dec 5, 2021 00:08:57.365899086 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:57.366086960 CET4974037261192.168.2.487.251.73.109
                                                                                                                                                      Dec 5, 2021 00:08:57.366166115 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:57.366301060 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:57.366374969 CET4974037261192.168.2.487.251.73.109
                                                                                                                                                      Dec 5, 2021 00:08:57.366396904 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:57.366415977 CET4974037261192.168.2.487.251.73.109
                                                                                                                                                      Dec 5, 2021 00:08:57.366468906 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:57.366472006 CET4974037261192.168.2.487.251.73.109
                                                                                                                                                      Dec 5, 2021 00:08:57.366954088 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:57.367629051 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:57.367640018 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:57.367780924 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:57.368083954 CET4974037261192.168.2.487.251.73.109
                                                                                                                                                      Dec 5, 2021 00:08:57.421554089 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:57.421586990 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:57.421612978 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:57.421654940 CET4974037261192.168.2.487.251.73.109
                                                                                                                                                      Dec 5, 2021 00:08:57.421721935 CET4974037261192.168.2.487.251.73.109
                                                                                                                                                      Dec 5, 2021 00:08:57.421731949 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:57.421817064 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:57.421904087 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:57.421973944 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:57.422243118 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:57.422312975 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:57.422338009 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:57.422529936 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:57.422580004 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:57.422734976 CET372614974087.251.73.109192.168.2.4
                                                                                                                                                      Dec 5, 2021 00:08:57.422770977 CET372614974087.251.73.109192.168.2.4

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 00:08:26
Start date: 05/12/2021
Path: C:\Users\user\Desktop\E196fncR4E.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\E196fncR4E.exe"
Imagebase: 0x6f0000
File size: 223744 bytes
MD5 hash: A15F089ED04672A843DBE2FA9CA3C69A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.674383078.00000000061D0000.00000004.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.674103198.0000000003C6A000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.668694127.00000000028C0000.00000004.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.673461133.0000000003A55000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.674538239.0000000006240000.00000004.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.673366720.0000000003A31000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.668653404.00000000028A0000.00000004.00020000.sdmp, Author: Joe Security
Reputation: low

General

Start time: 00:08:27
Start date: 05/12/2021
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase: 0x110000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 00:08:28
Start date: 05/12/2021
Path: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe
Imagebase: 0x2509cd90000
File size: 24160 bytes
MD5 hash: 48FD4DD682051712E3E7757C525DED71
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 00:08:29
Start date: 05/12/2021
Path: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe
Imagebase: 0x23f26ad0000
File size: 32872 bytes
MD5 hash: D91462AE31562E241AF5595BA5E1A3C4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

                                                                                                                                                      General

Start time: 00:08:30
Start date: 05/12/2021
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Imagebase: 0xbe0000
File size: 41064 bytes
MD5 hash: EFEC8C379D165E3F33B536739AEE26A3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000000.659360737.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000002.721305659.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000000.660068047.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000000.660369622.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000000.659685845.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation: moderate

Disassembly

Code Analysis
