Edit tour

Windows Analysis Report
ibaAnalyzerSetup_x64_v7.3.6.exe

Overview

General Information

Sample Name:	ibaAnalyzerSetup_x64_v7.3.6.exe
Analysis ID:	632527
MD5:	c1ae350f67039cbe69f10df9b8001371
SHA1:	6362ba848a6027939c642d4b405994ca5a96272c
SHA256:	fbf6ebb863e6ee15a9fbe144116fc568d929cdb560ad1380a45c71f761946cd1
Infos:

Detection

Score:	24
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Compliance

Score:	34
Range:	0 - 100

Signatures

Found evasive API chain (may stop execution after checking mutex)

Tries to detect virtualization through RDTSC time measurements

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Found evasive API chain (date check)

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to launch a process as a different user

Contains functionality to get notified if a device is plugged in / out

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to enumerate running services

Contains functionality to dynamically determine API calls

Contains functionality to read the clipboard data

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Found inlined nop instructions (likely shell or obfuscated code)

DLL planting / hijacking vulnerabilities found

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Binary contains a suspicious time stamp

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Contains functionality to delete services

Contains functionality for read data from the clipboard

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample may be VM or Sandbox-aware, try analysis on a native machine

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Process Tree

System is w10x64

ibaAnalyzerSetup_x64_v7.3.6.exe (PID: 7052 cmdline: "C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe" MD5: C1AE350F67039CBE69F10DF9B8001371)

regsvr32.exe (PID: 3544 cmdline: C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\iba\ibaAnalyzer\ibaHDOfflineActiveX.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)

regsvr32.exe (PID: 4904 cmdline: /s "C:\Program Files\iba\ibaAnalyzer\ibaHDOfflineActiveX.ocx" MD5: D78B75FC68247E8A63ACBA846182740E)

regsvr32.exe (PID: 5848 cmdline: C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\iba\ibaAnalyzer\ibaAnalyzerViewHostActiveX.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)

regsvr32.exe (PID: 6048 cmdline: /s "C:\Program Files\iba\ibaAnalyzer\ibaAnalyzerViewHostActiveX.ocx" MD5: D78B75FC68247E8A63ACBA846182740E)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus or Machine Learning detection for unpacked file

Source: 0.2.ibaAnalyzerSetup_x64_v7.3.6.exe.411c52.1.unpack

Avira: Label: TR/Patched.Ren.Gen

Privilege Escalation

DLL planting / hijacking vulnerabilities found

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	DLL: USP10.dll
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	DLL: mpiwin32.dll
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	DLL: VERSION.dll
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	DLL: SHFOLDER.DLL
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	DLL: RichEd20.DLL
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	DLL: msls31.dll

Compliance

Uses 32bit PE files

Source: ibaAnalyzerSetup_x64_v7.3.6.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

DLL planting / hijacking vulnerabilities found

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	DLL: USP10.dll
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	DLL: mpiwin32.dll
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	DLL: VERSION.dll
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	DLL: SHFOLDER.DLL
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	DLL: RichEd20.DLL
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	DLL: msls31.dll

Found installer window with terms and condition text

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Window detected: < &BackI &AgreeCanceliba AG iba AGLicense AgreementPlease review the license terms before installing ibaAnalyzer v7.3.6 (x64).Press Page Down to see the rest of the agreement.LICENSE AGREEMENT for ibaAnalyzer (hereinafter referred to as SOFTWARE)Copyright iba AG. All Rights Reserved.YOU AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE AGREEMENT BY INSTALLING COPYING OR OTHERWISE USING THE SOFTWARE. IF YOU DO NOT AGREE DO NOT INSTALL COPY OR USE THE SOFTWARE 1. GRANT OF LICENSE. iba AG grants the customer a non-transferable non-exclusive right to use the SOFTWARE under the provisions of this LICENSE AGREEMENT.(1) LICENSE PROTECTIONThe SOFTWARE provided contains technical features intended to prevent unlicensed use. (a) Cost free license for standard functions iba AG grants a cost free license for use of the standard features of the product if a genuine iba file format is opened. Each time such a genuine file is opened a cost free single use license for this program is intrinsically granted. Genuine in this context means that the measurement file has been produced with a correctly licensed iba SOFTWARE which can be ibaPDA ibaLogic ibaAnalyzer ibaDatCoordinator or ibaFiles. (b) Purchased license for special functions Use of special functions in the SOFTWARE requires a purchased license. The use of these functions is allowed only if the purchased license dongle (USB hardware key) carries the associated license information. The license dongle must be plugged into a port on the PC suitable for the purpose and may not be removed while the functions requiring the license are being used. The license is issued to the end user name specified in the order and is not transferrable. The license may also be managed by a license server for multiple users within the same organization. (2) ACTIONS EXCLUDED FROM THE LICENSE(a) You may not amend modify or edit the SOFTWARE. The modification or removal of trademarks copyrights and other IP protection notices is expressively forbidden. (b) You may not reverse engineer decompile or disassemble the SOFTWARE except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation.(c) You may not reproduce the SOFTWARE for the purpose of passing it to third parties.(3) NON TRANSFERABILITYThe license is not transferable. The customer only has the right to transfer the rights of use of the SOFTWARE to a third party if the license has already been issued in the name of this third party or has been changed to this name by iba AG.(4) GENUINE iba FILE FORMATThe genuine iba file formats in its different versions are intellectual property of iba AG. Any file generated by a third party product with a similar or different format requires the purchase of a proper license from iba AG. Unlicensed generation of the genuine iba file format is illegal and subject to legal action. iba AG reserves the right to modify the genuine file formats at any time without notice.2. DESCRIPTION OF OTH

Creates license or readme file

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\License_Agreement_ibaAnalyzer.pdf			Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\License_Agreement_ibaAnalyzer.pdf			Jump to behavior

Creates a directory in C:\Program Files

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaAnalyzer.exe	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\SciLexer.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\versions.htm	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\License_Agreement_ibaAnalyzer.pdf	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\support.htm	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaDataExtractor.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaDataExtractorMC.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\reg_dataextractorMC.bat	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\reg_dataextractor.bat	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\mkl64_parallel.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\libiomp5md.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\msvcp100.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\DevExpress.Data.v16.1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\DevExpress.Printing.v16.1.Core.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\DevExpress.Sparkline.v16.1.Core.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\DevExpress.Utils.v16.1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\DevExpress.XtraEditors.v16.1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\DevExpress.XtraGrid.v16.1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\DevExpress.XtraPrinting.v16.1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\DotNetMagic2005.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\hdClientInterfaces.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\hdCommon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaUser.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaUser.Forms.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaHdViewUtilities.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaLogger.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ICSharpCode.SharpZipLib.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaViewInterfaces.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaViewUtilities.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaPdaServerInterfaces.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaExpressions.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaPdaPluginInterface.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\OverlayWindow.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\PowerCollections.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\View.ibaEventTable.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\View.ibaGraphManager.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaHDOffline.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaHdOfflineActiveX.ocx	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\hdClient.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\hdCore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaRunTime64.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\de	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\de\hdClient.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\de\ibaHDOffline.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\de\hdCommon.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\de\ibaUser.Forms.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\de\ibaUser.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\de\ibaViewUtilities.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\de\View.ibaEventTable.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\de\View.ibaGraphManager.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\de\ibaShared.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\de\ibaSharedGui.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\de\View.ibaFFT.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\de\View.ibaOrbit.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\de\View.GeoView.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\de\ibaAnalyzerViewHostViewWrapper.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\de\View.ibaAnalyzerViewHostGraphManager.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\fr	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\fr\hdClient.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\fr\ibaHDOffline.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\fr\hdCommon.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\fr\ibaUser.Forms.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\fr\ibaUser.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\fr\ibaViewUtilities.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\fr\View.ibaEventTable.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\fr\View.ibaGraphManager.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\fr\ibaShared.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\fr\ibaSharedGui.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\fr\View.ibaFFT.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\fr\View.ibaOrbit.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\fr\View.GeoView.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\fr\ibaAnalyzerViewHostViewWrapper.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\fr\View.ibaAnalyzerViewHostGraphManager.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaAnalyzerViewHost.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaAnalyzerViewHostViewWrapper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaAnalyzerViewHostActiveX.ocx	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaShared.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaSharedGui.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaManagedFFT.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaThreadSafeNativeFFT.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\GMap.NET.Core.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\GMap.NET.WindowsForms.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\System.Data.SQLite.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\SQLite.Interop.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\Plugins	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\Plugins\View.ibaFFT.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\Plugins\View.ibaOrbit.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\Plugins\View.ibaGraphManager.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\Plugins\View.ibaAnalyzerViewHostGraphManager.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\Plugins\View.GeoView.dll	Jump to behavior

PE / OLE file has a valid certificate

Source: ibaAnalyzerSetup_x64_v7.3.6.exe

Static PE information: certificate valid

Binary contains paths to debug symbols

Source:	Binary string: D:\proj\ibafft\ibaNativeFFTWrapper\bin\x64\Release\ibaThreadSafeNativeFFT.pdb source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, ibaThreadSafeNativeFFT.dll.0.dr
Source:	Binary string: D:\proj\PdaOffline_7.3.x\bin\x64\Release\ibaAnalyzer.pdb source: ibaAnalyzer.exe.0.dr
Source:	Binary string: F:\LL\LL.Export_20\combit.ListLabel.Export.x64\bin\Release\v4.0\AnyCPU\DllExporter\combit.ListLabel20.Export.x64.pdbBSJB source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msvcr100.amd64.pdb source: msvcr100.dll.0.dr
Source:	Binary string: C:\Users\mistachkin\Documents\checkouts\sqlite\dotnet\bin\2017\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\jleon\Source\Repos\GMap.NET\GMap.NET\GMap.NET.Core\obj\Release\net40\GMap.NET.Core.pdbSHA256 source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr
Source:	Binary string: D:\proj\PdaOffline_7.3.x\ibaAnalyzerViewHost\ibaAnalyzerViewHost\obj\Release\ibaAnalyzerViewHost.pdb source: ibaAnalyzerViewHost.dll.0.dr
Source:	Binary string: D:\proj\PdaOffline_7.3.x\ibaAnalyzerViewHost\ibaAnalyzerViewHostMaps\obj\Release\View.GeoView.pdbV7 source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.716046472.0000000000409000.00000004.00000001.01000000.00000003.sdmp, View.GeoView.dll.0.dr
Source:	Binary string: D:\proj\PdaOffline_7.3.x\ibaAnalyzerViewHost\ibaAnalyzerViewHostMaps\obj\Release\View.GeoView.pdb source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.716046472.0000000000409000.00000004.00000001.01000000.00000003.sdmp, View.GeoView.dll.0.dr
Source:	Binary string: C:\Users\jleon\Source\Repos\GMap.NET\GMap.NET\GMap.NET.WindowsForms\obj\Release\net40\GMap.NET.WindowsForms.pdbSHA256 source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\proj\PdaOffline_7.3.x\ibaHDOffline\ibaHDOfflineActiveX\bin\x64\Release\ibaHDOfflineActiveX.pdb source: regsvr32.exe, 0000000F.00000002.664864019.00000000029A1000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: V:\_Project\scintilla410\scintilla\win32\x64\Release\SciLexer.pdb source: SciLexer.dll.0.dr
Source:	Binary string: D:\proj\ibaFFT\ibaManagedFFT\obj\Release\ibaManagedFFT.pdb source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, ibaManagedFFT.dll.0.dr
Source:	Binary string: D:\proj\PdaOffline_7.3.x\ibaAnalyzerViewHost\ibaAnalyzerViewHostActiveX\bin\x64\Release\ibaAnalyzerViewHostActiveX.pdb source: regsvr32.exe, 00000016.00000002.720287948.0000000002726000.00000002.00000001.01000000.00000012.sdmp, regsvr32.exe, 00000016.00000002.722962885.00007FFA66866000.00000002.00000001.01000000.00000012.sdmp, ibaAnalyzerViewHostActiveX.ocx.0.dr
Source:	Binary string: D:\proj\PdaOffline_7.3.x\bin\x64\Release\ibaAnalyzer.pdbf source: ibaAnalyzer.exe.0.dr
Source:	Binary string: C:\Users\jleon\Source\Repos\GMap.NET\GMap.NET\GMap.NET.Core\obj\Release\net40\GMap.NET.Core.pdb source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr
Source:	Binary string: c:\dev\sqlite\dotnet\obj\2010\System.Data.SQLite.2010\Release\System.Data.SQLite.pdb source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\jleon\Source\Repos\GMap.NET\GMap.NET\GMap.NET.WindowsForms\obj\Release\net40\GMap.NET.WindowsForms.pdb source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\projects\sharpziplib\src\ICSharpCode.SharpZipLib\obj\Release\net45\ICSharpCode.SharpZipLib.pdbSHA256 source: regsvr32.exe, 0000000F.00000002.665830211.000000001B5A2000.00000002.00000001.01000000.00000011.sdmp, regsvr32.exe, 00000016.00000002.720664341.00000000027E2000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\proj\PdaOffline_7.3.x\ibaAnalyzerViewHost\ibaAnalyzerViewHostActiveX\bin\x64\Release\ibaAnalyzerViewHostActiveX.pdbBB' source: regsvr32.exe, 00000016.00000002.720287948.0000000002726000.00000002.00000001.01000000.00000012.sdmp, regsvr32.exe, 00000016.00000002.722962885.00007FFA66866000.00000002.00000001.01000000.00000012.sdmp, ibaAnalyzerViewHostActiveX.ocx.0.dr
Source:	Binary string: D:\proj\ibaPDAv7.3.x\ibaGraphManager\obj\Release\View.ibaGraphManager.pdb source: View.ibaGraphManager.dll.0.dr
Source:	Binary string: c:\Projects\16.1\BuildLabel\Temp\NetStudio.v16.1.2005\Win\DevExpress.XtraCharts\DevExpress.Sparkline.Core\obj\Release\DevExpress.Sparkline.v16.1.Core.pdb source: DevExpress.Sparkline.v16.1.Core.dll.0.dr
Source:	Binary string: D:\proj\ibaPDAv7.3.x\ibaViewInterfaces\obj\Release\ibaViewInterfaces.pdb source: ibaViewInterfaces.dll.0.dr
Source:	Binary string: C:\Proj\ibaPDA_7.3.x\Installer\nsSCMEx\Release\nsSCMEx.pdb source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.749000339.00000000032DC000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\projects\sharpziplib\src\ICSharpCode.SharpZipLib\obj\Release\net45\ICSharpCode.SharpZipLib.pdb source: regsvr32.exe, 0000000F.00000002.665830211.000000001B5A2000.00000002.00000001.01000000.00000011.sdmp, regsvr32.exe, 00000016.00000002.720664341.00000000027E2000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\proj\PdaOffline_7.3.x\ibaHDOffline\ibaHDOfflineActiveX\bin\x64\Release\ibaHDOfflineActiveX.pdb::' source: regsvr32.exe, 0000000F.00000002.664864019.00000000029A1000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\proj\ibaPDAv7.3.x\ibaOnlineFFT\obj\Release\View.ibaFFT.pdb source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: F:\LL\LL.Export_20\combit.ListLabel.Export.x64\bin\Release\v4.0\AnyCPU\DllExporter\combit.ListLabel20.Export.x64.pdb source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\proj\ibaPDAv7.3.x\ibaSharedGui\obj\Release\ibaSharedGui.pdb source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\proj\ibaFFT\ibaManagedFFT\obj\Release\ibaManagedFFT.pdb, source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, ibaManagedFFT.dll.0.dr
Source:	Binary string: D:\proj\ibafft\ibaNativeFFTWrapper\bin\x64\Release\ibaThreadSafeNativeFFT.pdb!! source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, ibaThreadSafeNativeFFT.dll.0.dr

Spreading

Contains functionality to get notified if a device is plugged in / out

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Code function: 0_2_032ABFD0 WaitForInputIdle,GetCurrentProcess,GetCurrentProcess,WaitForInputIdle,FindWindowA,GetWindowThreadProcessId,PostThreadMessageA,RegisterClassExA,GetModuleHandleA,GetProcAddress,ShowWindow,RegisterDeviceNotificationA,PeekMessageA,DispatchMessageA,Sleep,GetLastError,FormatMessageA,UnregisterDeviceNotification,GetModuleHandleA,GetProcAddress,UnregisterClassA,

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,SHELL32_IconCache_DoneExtractingIcons,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_0040263E FindFirstFileA,
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032D1866 FindFirstFileExW,

Software Vulnerabilities

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then movsxd rcx, qword ptr [r12+10h]
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then mov rax, rcx
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then lea rbx, qword ptr [rsp+70h]
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then mov rax, qword ptr [rdx]
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then movzx eax, byte ptr [rdx]
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then cmp r9, qword ptr [rax+18h]
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then movzx eax, byte ptr [rcx+rdx]
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then mov eax, r10d
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then mov rcx, rax
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then cmp dword ptr [rsp+rax*4+28h], edi
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then cmp dword ptr [rsp+rcx*4+28h], ebx
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then mov edx, dword ptr [rsp+r8*4+28h]
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then cmp rcx, r8
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then movsxd rbx, qword ptr [r14+10h]
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then sub r11, 01h
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then sub r11, 01h

Networking

Source: support.htm.0.dr	String found in binary or memory: </p></div></div></div><div class="col-md-1 offset-md-0 col-12"><div class="row dce-addresses-social-media-wrap"><div class="col-12"><a target="_blank" href="https://twitter.com/ibaagcom"><i class="fab fa-twitter-square"></i></a></div><div class="col-12"><a target="_blank" href="https://www.linkedin.com/company/iba-ag/"><i class="fab fa-linkedin"></i></a></div><div class="col-12"><a target="_blank" href="https://www.xing.com/companies/ibaag-messtechnik-undautomatisierungssysteme"><i class="fab fa-xing"></i></a></div><div class="col-12"><a target="_blank" href="https://www.facebook.com/ibaagcom/"><i class="fab fa-facebook-square"></i></a></div></div></div></div><hr></div> <div id="c1653" class="frame frame-default frame-type-text frame-layout-0 frame-background-none frame-no-backgroundimage frame-space-before-none frame-space-after-none"><div class="frame-container"><div class="frame-inner"><header class="frame-header"><h3 class="element-header text-left"><span>Europe</span></h3></header></div></div></div> <div class="container" style="padding: 0px;"><div class="row" style="padding: 0px; padding-bottom: 10px;"><div class="col-md-3 col-12"><span style="font-weight: 100; margin-bottom: 30px; max-width: 90%; line-height: 0.9; color: #037748;">Austria & Hungary</span></div><div class="col-md-8 col-12"><div style="padding-left: 20px;"><span style="font-size: 20px; font-weight: 600;">iba Austria GmbH</span><br></div><div class="row"><div class="col-lg-7"><p>Hafenstra equals www.facebook.com (Facebook)
Source: support.htm.0.dr	String found in binary or memory: </p></div></div></div><div class="col-md-1 offset-md-0 col-12"><div class="row dce-addresses-social-media-wrap"><div class="col-12"><a target="_blank" href="https://twitter.com/ibaagcom"><i class="fab fa-twitter-square"></i></a></div><div class="col-12"><a target="_blank" href="https://www.linkedin.com/company/iba-ag/"><i class="fab fa-linkedin"></i></a></div><div class="col-12"><a target="_blank" href="https://www.xing.com/companies/ibaag-messtechnik-undautomatisierungssysteme"><i class="fab fa-xing"></i></a></div><div class="col-12"><a target="_blank" href="https://www.facebook.com/ibaagcom/"><i class="fab fa-facebook-square"></i></a></div></div></div></div><hr></div> <div id="c1653" class="frame frame-default frame-type-text frame-layout-0 frame-background-none frame-no-backgroundimage frame-space-before-none frame-space-after-none"><div class="frame-container"><div class="frame-inner"><header class="frame-header"><h3 class="element-header text-left"><span>Europe</span></h3></header></div></div></div> <div class="container" style="padding: 0px;"><div class="row" style="padding: 0px; padding-bottom: 10px;"><div class="col-md-3 col-12"><span style="font-weight: 100; margin-bottom: 30px; max-width: 90%; line-height: 0.9; color: #037748;">Austria & Hungary</span></div><div class="col-md-8 col-12"><div style="padding-left: 20px;"><span style="font-size: 20px; font-weight: 600;">iba Austria GmbH</span><br></div><div class="row"><div class="col-lg-7"><p>Hafenstra equals www.linkedin.com (Linkedin)
Source: support.htm.0.dr	String found in binary or memory: </p></div></div></div><div class="col-md-1 offset-md-0 col-12"><div class="row dce-addresses-social-media-wrap"><div class="col-12"><a target="_blank" href="https://twitter.com/ibaagcom"><i class="fab fa-twitter-square"></i></a></div><div class="col-12"><a target="_blank" href="https://www.linkedin.com/company/iba-ag/"><i class="fab fa-linkedin"></i></a></div><div class="col-12"><a target="_blank" href="https://www.xing.com/companies/ibaag-messtechnik-undautomatisierungssysteme"><i class="fab fa-xing"></i></a></div><div class="col-12"><a target="_blank" href="https://www.facebook.com/ibaagcom/"><i class="fab fa-facebook-square"></i></a></div></div></div></div><hr></div> <div id="c1653" class="frame frame-default frame-type-text frame-layout-0 frame-background-none frame-no-backgroundimage frame-space-before-none frame-space-after-none"><div class="frame-container"><div class="frame-inner"><header class="frame-header"><h3 class="element-header text-left"><span>Europe</span></h3></header></div></div></div> <div class="container" style="padding: 0px;"><div class="row" style="padding: 0px; padding-bottom: 10px;"><div class="col-md-3 col-12"><span style="font-weight: 100; margin-bottom: 30px; max-width: 90%; line-height: 0.9; color: #037748;">Austria & Hungary</span></div><div class="col-md-8 col-12"><div style="padding-left: 20px;"><span style="font-size: 20px; font-weight: 600;">iba Austria GmbH</span><br></div><div class="row"><div class="col-lg-7"><p>Hafenstra equals www.twitter.com (Twitter)
Source: support.htm.0.dr	String found in binary or memory: <br><!--small class="text-muted">Email:</small><br--><a href="mailto:info@iba-scandinavia.com">info@iba-scandinavia.com</a></p><!-- KONTAKT 2 --><p><a href="mailto:"></a></p><!-- KONTAKT 3 --><p><a href="mailto:"></a></p></div></div></div><div class="col-md-1 offset-md-0 col-12"><div class="row dce-addresses-social-media-wrap"><div class="col-12"><a target="_blank" href="https://www.linkedin.com/company/begner-agenturer-ab/"><i class="fab fa-linkedin"></i></a></div><div class="col-12"><a target="_blank" href="https://www.facebook.com/begneragenturer/"><i class="fab fa-facebook-square"></i></a></div></div></div></div><hr></div> <div class="container" style="padding: 0px;"><div class="row" style="padding: 0px; padding-bottom: 10px;"><div class="col-md-3 col-12"><span style="font-weight: 100; margin-bottom: 30px; max-width: 90%; line-height: 0.9; color: #037748;">Russian Federation</span></div><div class="col-md-8 col-12"><div style="padding-left: 20px;"><span style="font-size: 20px; font-weight: 600;">OOO iba Russia</span><br></div><div class="row"><div class="col-lg-7"><p>Prospekt Pobedy 29, Off. 411<br> 398024 Lipetsk</p> equals www.facebook.com (Facebook)
Source: support.htm.0.dr	String found in binary or memory: <br><!--small class="text-muted">Email:</small><br--><a href="mailto:info@iba-scandinavia.com">info@iba-scandinavia.com</a></p><!-- KONTAKT 2 --><p><a href="mailto:"></a></p><!-- KONTAKT 3 --><p><a href="mailto:"></a></p></div></div></div><div class="col-md-1 offset-md-0 col-12"><div class="row dce-addresses-social-media-wrap"><div class="col-12"><a target="_blank" href="https://www.linkedin.com/company/begner-agenturer-ab/"><i class="fab fa-linkedin"></i></a></div><div class="col-12"><a target="_blank" href="https://www.facebook.com/begneragenturer/"><i class="fab fa-facebook-square"></i></a></div></div></div></div><hr></div> <div class="container" style="padding: 0px;"><div class="row" style="padding: 0px; padding-bottom: 10px;"><div class="col-md-3 col-12"><span style="font-weight: 100; margin-bottom: 30px; max-width: 90%; line-height: 0.9; color: #037748;">Russian Federation</span></div><div class="col-md-8 col-12"><div style="padding-left: 20px;"><span style="font-size: 20px; font-weight: 600;">OOO iba Russia</span><br></div><div class="row"><div class="col-lg-7"><p>Prospekt Pobedy 29, Off. 411<br> 398024 Lipetsk</p> equals www.linkedin.com (Linkedin)
Source: support.htm.0.dr	String found in binary or memory: <br><!--small class="text-muted">Email:</small><br--><a href="mailto:sales@iba-benelux.com">sales@iba-benelux.com</a></p><!-- KONTAKT 2 --><p><small class="text-muted" style="opacity: 0.8">Support:</small><br><!--f:translate key="LLL:fileadmin/templates/lang/locallang.xlf:email" />: --><a href="mailto:support@iba-benelux.com">support@iba-benelux.com</a></p><!-- KONTAKT 3 --><p><a href="mailto:"></a></p></div></div></div><div class="col-md-1 offset-md-0 col-12"><div class="row dce-addresses-social-media-wrap"><div class="col-12"><a target="_blank" href="https://www.linkedin.com/company/ibabeneluxbvba/"><i class="fab fa-linkedin"></i></a></div><div class="col-12"><a target="_blank" href="https://www.facebook.com/iba-Benelux-BV-107066907754065"><i class="fab fa-facebook-square"></i></a></div></div></div></div><hr></div> <div class="container" style="padding: 0px;"><div class="row" style="padding: 0px; padding-bottom: 10px;"><div class="col-md-3 col-12"><span style="font-weight: 100; margin-bottom: 30px; max-width: 90%; line-height: 0.9; color: #037748;">Spain, Portugal</span></div><div class="col-md-8 col-12"><div style="padding-left: 20px;"><span style="font-size: 20px; font-weight: 600;">iba Ib equals www.facebook.com (Facebook)
Source: support.htm.0.dr	String found in binary or memory: <br><!--small class="text-muted">Email:</small><br--><a href="mailto:sales@iba-benelux.com">sales@iba-benelux.com</a></p><!-- KONTAKT 2 --><p><small class="text-muted" style="opacity: 0.8">Support:</small><br><!--f:translate key="LLL:fileadmin/templates/lang/locallang.xlf:email" />: --><a href="mailto:support@iba-benelux.com">support@iba-benelux.com</a></p><!-- KONTAKT 3 --><p><a href="mailto:"></a></p></div></div></div><div class="col-md-1 offset-md-0 col-12"><div class="row dce-addresses-social-media-wrap"><div class="col-12"><a target="_blank" href="https://www.linkedin.com/company/ibabeneluxbvba/"><i class="fab fa-linkedin"></i></a></div><div class="col-12"><a target="_blank" href="https://www.facebook.com/iba-Benelux-BV-107066907754065"><i class="fab fa-facebook-square"></i></a></div></div></div></div><hr></div> <div class="container" style="padding: 0px;"><div class="row" style="padding: 0px; padding-bottom: 10px;"><div class="col-md-3 col-12"><span style="font-weight: 100; margin-bottom: 30px; max-width: 90%; line-height: 0.9; color: #037748;">Spain, Portugal</span></div><div class="col-md-8 col-12"><div style="padding-left: 20px;"><span style="font-size: 20px; font-weight: 600;">iba Ib equals www.linkedin.com (Linkedin)
Source: support.htm.0.dr	String found in binary or memory: <br><!--small class="text-muted">Email:</small><br--><a href="mailto:support@iba-italia.com">support@iba-italia.com</a></p><!-- KONTAKT 2 --><p><a href="mailto:"></a></p><!-- KONTAKT 3 --><p><a href="mailto:"></a></p></div></div></div><div class="col-md-1 offset-md-0 col-12"><div class="row dce-addresses-social-media-wrap"><div class="col-12"><a target="_blank" href="https://www.linkedin.com/company/iba-italia-srl/"><i class="fab fa-linkedin"></i></a></div></div></div></div><hr></div> <div class="container" style="padding: 0px;"><div class="row" style="padding: 0px; padding-bottom: 10px;"><div class="col-md-3 col-12"><span style="font-weight: 100; margin-bottom: 30px; max-width: 90%; line-height: 0.9; color: #037748;">Poland</span></div><div class="col-md-8 col-12"><div style="padding-left: 20px;"><span style="font-size: 20px; font-weight: 600;">iba Polska</span><br> equals www.linkedin.com (Linkedin)
Source: support.htm.0.dr	String found in binary or memory: <br><!--small class="text-muted">Email:</small><br--><a href="mailto:support@iba-polska.com">support@iba-polska.com</a></p><!-- KONTAKT 2 --><p><a href="mailto:"></a></p><!-- KONTAKT 3 --><p><a href="mailto:"></a></p></div></div></div><div class="col-md-1 offset-md-0 col-12"><div class="row dce-addresses-social-media-wrap"><div class="col-12"><a target="_blank" href="https://www.linkedin.com/company/adegis/"><i class="fab fa-linkedin"></i></a></div><div class="col-12"><a target="_blank" href="https://www.facebook.com/ADEGIS.we.care.a.lot/"><i class="fab fa-facebook-square"></i></a></div></div></div></div><hr></div> <div class="container" style="padding: 0px;"><div class="row" style="padding: 0px; padding-bottom: 10px;"><div class="col-md-3 col-12"><span style="font-weight: 100; margin-bottom: 30px; max-width: 90%; line-height: 0.9; color: #037748;">Denmark, Finland, Norway, Sweden</span></div><div class="col-md-8 col-12"><div style="padding-left: 20px;"><span style="font-size: 20px; font-weight: 600;">iba Scandinavia</span><br> equals www.facebook.com (Facebook)
Source: support.htm.0.dr	String found in binary or memory: <br><!--small class="text-muted">Email:</small><br--><a href="mailto:support@iba-polska.com">support@iba-polska.com</a></p><!-- KONTAKT 2 --><p><a href="mailto:"></a></p><!-- KONTAKT 3 --><p><a href="mailto:"></a></p></div></div></div><div class="col-md-1 offset-md-0 col-12"><div class="row dce-addresses-social-media-wrap"><div class="col-12"><a target="_blank" href="https://www.linkedin.com/company/adegis/"><i class="fab fa-linkedin"></i></a></div><div class="col-12"><a target="_blank" href="https://www.facebook.com/ADEGIS.we.care.a.lot/"><i class="fab fa-facebook-square"></i></a></div></div></div></div><hr></div> <div class="container" style="padding: 0px;"><div class="row" style="padding: 0px; padding-bottom: 10px;"><div class="col-md-3 col-12"><span style="font-weight: 100; margin-bottom: 30px; max-width: 90%; line-height: 0.9; color: #037748;">Denmark, Finland, Norway, Sweden</span></div><div class="col-md-8 col-12"><div style="padding-left: 20px;"><span style="font-size: 20px; font-weight: 600;">iba Scandinavia</span><br> equals www.linkedin.com (Linkedin)

Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://4umaps.eu/
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ajax.aspnetcdn.com/ajax/jquery.mobile/1.3.2/jquery.mobile-1.3.2.min.css
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ajax.aspnetcdn.com/ajax/jquery.mobile/1.3.2/jquery.mobile-1.3.2.min.js
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ajax.aspnetcdn.com/ajax/jquery/jquery-1.9.1.min.js
Source: ibaAnalyzer.exe.0.dr	String found in binary or memory: http://analyzer-doc.iba-ag.com/%TEMP%
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://code.jquery.com/jquery-1.9.1.min.js
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://code.jquery.com/mobile/1.3.2/jquery.mobile-1.3.2.min.css
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://code.jquery.com/mobile/1.3.2/jquery.mobile-1.3.2.min.js
Source: DevExpress.Sparkline.v16.1.Core.dll.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://dc1.maps.lt/cache/mapslt_25d_vkkp/map/_alllayers/L
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://dc1.maps.lt/cache/mapslt_ortofoto_2010/map/_alllayers/L
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://dc5.maps.lt/cache/mapslt/map/_alllayers/L
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://dc5.maps.lt/cache/mapslt_ortofoto/map/_alllayers/L
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://dc5.maps.lt/cache/mapslt_ortofoto_overlay/map/_alllayers/L
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://dc5.maps.lt/cache/mapslt_relief_vector/map/_alllayers/L
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://dev.virtualearth.net/REST/V1/Imagery/Metadata/
Source: GMap.NET.Core.dll.0.dr	String found in binary or memory: http://dev.virtualearth.net/REST/V1/Routes/
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://dev.virtualearth.net/REST/v1/Locations?
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=0&fmt=1&type=
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://earth.google.com/kml/2.0
Source: GMap.NET.Core.dll.0.dr	String found in binary or memory: http://ecn.t
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://greatmaps.codeplex.com
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://greatmaps.codeplex.com/discussions/252531
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://mapbender.wheregroup.com/cgi-bin/mapserv?map=/data/umn/osm/osm_basic.map&VERSION=1.1.1&REQUES
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://maps.yahoo.com/
Source: ibaAnalyzerSetup_x64_v7.3.6.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: ibaAnalyzerSetup_x64_v7.3.6.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: DevExpress.Sparkline.v16.1.Core.dll.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://openseamap.org/ghttp://tiles.openseamap.org/seamark/
Source: versions.htm.0.dr	String found in binary or memory: http://redmine.iba-ag.local/issues/
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://routes.cloudmade.com/
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://server.arcgisonline.com/ArcGIS/rest/services/ESRI_Imagery_World_2D/MapServer/tile/
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://server.arcgisonline.com/ArcGIS/rest/services/ESRI_ShadedRelief_World_2D/MapServer/tile/
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://server.arcgisonline.com/ArcGIS/rest/services/ESRI_StreetMap_World_2D/MapServer/tile/
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://server.arcgisonline.com/ArcGIS/rest/services/NGS_Topo_US_2D/MapServer/tile/
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://server.arcgisonline.com/ArcGIS/rest/services/World_Physical_Map/MapServer/tile/
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://server.arcgisonline.com/ArcGIS/rest/services/World_Shaded_Relief/MapServer/tile/
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://server.arcgisonline.com/ArcGIS/rest/services/World_Street_Map/MapServer/tile/
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://server.arcgisonline.com/ArcGIS/rest/services/World_Terrain_Base/MapServer/tile/
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://server.arcgisonline.com/ArcGIS/rest/services/World_Topo_Map/MapServer/tile/
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://services.maps.lt/mapsk_services/rest/services/ikartelv/MapServer/tile/
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://sigpac.mapa.es/kmlserver/raster/
Source: regsvr32.exe, 0000000F.00000002.665662339.000000001B422000.00000002.00000010.01000000.00000010.sdmp, regsvr32.exe, 00000016.00000002.719288765.00000000025D2000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://sourceforge.net/projects/nspring)
Source: regsvr32.exe, 0000000F.00000002.665662339.000000001B422000.00000002.00000010.01000000.00000010.sdmp, regsvr32.exe, 00000016.00000002.719288765.00000000025D2000.00000002.00000001.01000000.00000010.sdmp	String found in binary or memory: http://sourceforge.net/projects/nspring).
Source: DevExpress.Sparkline.v16.1.Core.dll.0.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: DevExpress.Sparkline.v16.1.Core.dll.0.dr	String found in binary or memory: http://t2.symcb.com0
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://tiles.ump.waw.pl/ump_tiles/
Source: DevExpress.Sparkline.v16.1.Core.dll.0.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: DevExpress.Sparkline.v16.1.Core.dll.0.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: DevExpress.Sparkline.v16.1.Core.dll.0.dr	String found in binary or memory: http://tl.symcd.com0&
Source: DevExpress.Sparkline.v16.1.Core.dll.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: DevExpress.Sparkline.v16.1.Core.dll.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: DevExpress.Sparkline.v16.1.Core.dll.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://ump.waw.pl/
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://wego.here.com/w
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://where.yahooapis.com/geocode?country=
Source: GMap.NET.Core.dll.0.dr	String found in binary or memory: http://where.yahooapis.com/geocode?q=
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://wikimapia.org/S
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://www.4umaps.eu/map.htmu
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://www.darb.ae/ArcGIS/rest/services/BaseMaps/Q2_2011_NAVTQ_Eng_V5/MapServer/tile/
Source: DevExpress.Sparkline.v16.1.Core.dll.0.dr	String found in binary or memory: http://www.devexpress.com/0/
Source: regsvr32.exe, 0000000F.00000002.665556769.000000001B39F000.00000002.00000001.01000000.0000000F.sdmp, ibaRunTime64.dll.0.dr	String found in binary or memory: http://www.dnguard.net/
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000003.498976131.00000000006F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iba-ag.com.
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://www.ikarte.lv/default.aspx?lang=en
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://www.maps.lt/map/K
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://www.mapy.cz/I6A1AF99A-84C6-4EF6-91A5-77B9D03257C2
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://www.nearmap.com/
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://www.opencyclemap.org/whttp://
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://www.topografix.com/GPX/1/1
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://www.topografix.com/GPX/1/1D
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://www.topografix.com/GPX/1/1T
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: http://www.yournavigation.org/api/1.0/gosmore.php?format=kml&flat=
Source: View.GeoView.dll.0.dr	String found in binary or memory: https://api.maptiler.com/maps/
Source: View.GeoView.dll.0.dr	String found in binary or memory: https://api.maptiler.com/maps/tiles/Basic?key=_Software
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: https://kso.etjanster.lantmateriet.se/?lang=en#
Source: GMap.NET.Core.dll.0.dr	String found in binary or memory: https://kso.etjanster.lantmateriet.se/karta/topowebb/v1.1/wmts?SERVICE=WMTS&REQUEST=GetTile&VERSION=
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: https://mapserver.mapy.cz/turist-m/
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: https://nominatim.openstreetmap.org/reverse?format=xml&lat=
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: https://nominatim.openstreetmap.org/search?q=
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	String found in binary or memory: https://nominatim.openstreetmap.org/search?street=
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://system.data.sqlite.org/
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://system.data.sqlite.org/X
Source: support.htm.0.dr	String found in binary or memory: https://twitter.com/ibaagcom
Source: support.htm.0.dr	String found in binary or memory: https://www.linkedin.com/company/adegis/
Source: support.htm.0.dr	String found in binary or memory: https://www.linkedin.com/company/begner-agenturer-ab/
Source: support.htm.0.dr	String found in binary or memory: https://www.linkedin.com/company/iba-ag/
Source: support.htm.0.dr	String found in binary or memory: https://www.linkedin.com/company/iba-italia-srl/
Source: support.htm.0.dr	String found in binary or memory: https://www.linkedin.com/company/ibabeneluxbvba/
Source: View.GeoView.dll.0.dr	String found in binary or memory: https://www.maptiler.com/#providersComboBox
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.sqlite.org/copyright.html2
Source: DevExpress.Sparkline.v16.1.Core.dll.0.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: DevExpress.Sparkline.v16.1.Core.dll.0.dr	String found in binary or memory: https://www.thawte.com/repository0W
Source: support.htm.0.dr	String found in binary or memory: https://www.xing.com/companies/ibaag-messtechnik-undautomatisierungssysteme

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Code function: 0_2_032A7450 GetTickCount,select,GetTickCount,GetTickCount,recv,recv,__WSAFDIsSet,__WSAFDIsSet,

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to read the clipboard data

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Code function: 0_2_031C1D4E GetDlgCtrlID,OpenClipboard,GetClipboardData,GlobalLock,lstrlenA,SendMessageA,GlobalUnlock,CloseClipboard,CallWindowProcA,

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

System Summary

Uses 32bit PE files

Source: ibaAnalyzerSetup_x64_v7.3.6.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Code function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

Detected potential crypto function

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_00404853
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_00406131
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032DB348
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032A5220
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032A2200
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032B9290
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032C41D8
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032DB081
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032DB603
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032C440C
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032D44CD
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032D94C3
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032D5B1A
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032DAA65
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032C7930
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032A2970
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032CF8AE
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032C3FA4
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032D7EA8
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032A2EE0
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032D7D84
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032A1DF0
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032DADD7
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B38E9F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B38DD2C
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B2447C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B394A2E
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B241A00
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B233420
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B263920
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B3929AB
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B38C811
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B264F60
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B26BFE0
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B262FF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B25CEF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B393C30
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B39331A
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B25B300
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B266300
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B261350
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B260220
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B26C240
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B2641F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B26B1C0
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B238FF0
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B25C050
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B24F470
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B266080
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B269080
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B23B740
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B38D750
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B2637B0
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B2341D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B26A510
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B23B580
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B267430
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B265410
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FF9EE5F2509
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FF9EE5F1337
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FF9EE5ED90A
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FF9EE5EC330

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Code function: String function: 032BE8A0 appears 44 times

Contains functionality to launch a process as a different user

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Code function: 0_2_032B5800 MultiByteToWideChar,MultiByteToWideChar,GlobalAlloc,GlobalAlloc,MultiByteToWideChar,MultiByteToWideChar,GlobalAlloc,MultiByteToWideChar,MultiByteToWideChar,GlobalAlloc,MultiByteToWideChar,MultiByteToWideChar,GlobalAlloc,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GlobalAlloc,MultiByteToWideChar,CreateProcessWithLogonW,CloseHandle,CloseHandle,CloseHandle,GetLastError,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,

Contains functionality to communicate with device drivers

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Code function: 0_2_032A1780: DeviceIoControl,CloseHandle,DeviceIoControl,CloseHandle,CloseHandle,CloseHandle,

Sample file is different than original file name gathered from version info

Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.716046472.0000000000409000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameView.GeoView.dll8 vs ibaAnalyzerSetup_x64_v7.3.6.exe
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: lbHash%lbOriginalFilename vs ibaAnalyzerSetup_x64_v7.3.6.exe
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 2>>lbOriginalFilename.Name vs ibaAnalyzerSetup_x64_v7.3.6.exe
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 6>>lbOriginalFilename.Parent vs ibaAnalyzerSetup_x64_v7.3.6.exe
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 2>>lbOriginalFilename.Type vs ibaAnalyzerSetup_x64_v7.3.6.exe
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 6>>lbOriginalFilename.ZOrder vs ibaAnalyzerSetup_x64_v7.3.6.exe
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 6lbOriginalFilename.AutoSize vs ibaAnalyzerSetup_x64_v7.3.6.exe
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 6lbOriginalFilename.Location vs ibaAnalyzerSetup_x64_v7.3.6.exe
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .lbOriginalFilename.SizeS vs ibaAnalyzerSetup_x64_v7.3.6.exe
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 6lbOriginalFilename.TabIndex vs ibaAnalyzerSetup_x64_v7.3.6.exe
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .lbOriginalFilename.Text vs ibaAnalyzerSetup_x64_v7.3.6.exe
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: lbOriginalFilename vs ibaAnalyzerSetup_x64_v7.3.6.exe
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameibaSharedGui.dll. vs ibaAnalyzerSetup_x64_v7.3.6.exe
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameibaManagedFFT.dll< vs ibaAnalyzerSetup_x64_v7.3.6.exe
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameibaThreadSafeNativeFFT_2015. vs ibaAnalyzerSetup_x64_v7.3.6.exe
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGMap.NET.Core.dll< vs ibaAnalyzerSetup_x64_v7.3.6.exe
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameGMap.NET.WindowsForms.dllL vs ibaAnalyzerSetup_x64_v7.3.6.exe
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Data.SQLite.dllH vs ibaAnalyzerSetup_x64_v7.3.6.exe
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSQLite.Interop.dllF vs ibaAnalyzerSetup_x64_v7.3.6.exe
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameView.ibaFFT.dll. vs ibaAnalyzerSetup_x64_v7.3.6.exe
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecombit.ListLabel20.Export.x64.dll< vs ibaAnalyzerSetup_x64_v7.3.6.exe
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.749163612.00000000032F4000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenamensSCMEx.dllZ vs ibaAnalyzerSetup_x64_v7.3.6.exe

PE file contains strange resources

Source: ibaAnalyzerSetup_x64_v7.3.6.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Tries to load missing DLLs

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Section loaded: mpiwin32.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll

Contains functionality to delete services

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Code function: 0_2_032B45E0 Remove,OpenSCManagerA,CloseServiceHandle,GlobalAlloc,wsprintfA,GlobalAlloc,lstrcpyA,GlobalFree,OpenServiceA,GlobalFree,DeleteService,CloseServiceHandle,CloseServiceHandle,GlobalFree,CloseServiceHandle,CloseServiceHandle,

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

File read: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Jump to behavior

Source: ibaAnalyzerSetup_x64_v7.3.6.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe "C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe"
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\iba\ibaAnalyzer\ibaHDOfflineActiveX.ocx
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe /s "C:\Program Files\iba\ibaAnalyzer\ibaHDOfflineActiveX.ocx"
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\iba\ibaAnalyzer\ibaAnalyzerViewHostActiveX.ocx
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe /s "C:\Program Files\iba\ibaAnalyzer\ibaAnalyzerViewHostActiveX.ocx"
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\iba\ibaAnalyzer\ibaHDOfflineActiveX.ocx
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\iba\ibaAnalyzer\ibaAnalyzerViewHostActiveX.ocx
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe /s "C:\Program Files\iba\ibaAnalyzer\ibaHDOfflineActiveX.ocx"
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe /s "C:\Program Files\iba\ibaAnalyzer\ibaAnalyzerViewHostActiveX.ocx"

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032AE6D0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032B5A00 MultiByteToWideChar,GlobalFree,GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,GetShellWindow,GetWindowThreadProcessId,OpenProcess,OpenProcessToken,GetLastError,DuplicateTokenEx,LoadLibraryA,GetProcAddress,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,GetLastError,

Source: C:\Windows\System32\regsvr32.exe

File created: C:\Users\user\AppData\Roaming\iba

Jump to behavior

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

File created: C:\Users\user\AppData\Local\Temp\nshAD.tmp

Jump to behavior

Source: classification engine

Classification label: sus24.evad.winEXE@9/99@0/0

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar,

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Code function: Install,OpenSCManagerA,CloseServiceHandle,GlobalAlloc,wsprintfA,GlobalAlloc,lstrcpyA,GlobalFree,GlobalFree,GlobalAlloc,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalAlloc,GlobalFree,GlobalFree,GlobalFree,GlobalAlloc,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalAlloc,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalAlloc,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,___from_strstr_to_strchr,GlobalAlloc,lstrcpyA,GlobalFree,GlobalAlloc,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,CreateServiceA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetLastError,CloseServiceHandle,CloseServiceHandle,GlobalFree,GlobalFree,GlobalFree,CloseServiceHandle,CloseServiceHandle,

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Code function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHAutoComplete,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceExA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	Binary or memory string: INSERT INTO Tiles(X, Y, Zoom, Type, CacheTime) SELECT X, Y, Zoom, Type, CacheTime FROM Source.Tiles WHERE id={0}; INSERT INTO TilesData(id, Tile) Values((SELECT last_insert_rowid()), (SELECT Tile FROM Source.TilesData WHERE id={0}));/DETACH DATABASE Source;
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	Binary or memory string: SELECT id FROM Tiles WHERE X={0} AND Y={1} AND Zoom={2} AND Type={3};
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	Binary or memory string: create table large (a); insert into large values (zeroblob({0})); drop table large;
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS TilesData (id INTEGER NOT NULL PRIMARY KEY CONSTRAINT fk_Tiles_id REFERENCES Tiles(id) ON DELETE CASCADE, Tile BLOB NULL);
Source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\System32\regsvr32.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\regsvr32.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Code function: 0_2_032B4D00 Start,OpenSCManagerA,CloseServiceHandle,GlobalAlloc,wsprintfA,GlobalAlloc,lstrcpyA,GlobalFree,OpenServiceA,GlobalFree,GetLastError,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GlobalFree,CloseServiceHandle,CloseServiceHandle,

Source: C:\Windows\System32\regsvr32.exe

Code function: 15_2_1B246890 FindResourceA,LoadResource,LockResource,SizeofResource,WideCharToMultiByte,WideCharToMultiByte,

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

File created: C:\Program Files\iba

Jump to behavior

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

File written: C:\Users\user\AppData\Local\Temp\nss310.tmp\licenseserveroptions.ini

Jump to behavior

Source: ICSharpCode.SharpZipLib.dll.0.dr, ICSharpCode.SharpZipLib/Zip/Compression/Streams/InflaterInputBuffer.cs	Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.0.dr, ICSharpCode.SharpZipLib/Zip/Compression/Streams/InflaterInputBuffer.cs	Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.0.dr, ICSharpCode.SharpZipLib/Zip/Compression/Streams/DeflaterOutputStream.cs	Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.0.dr, ICSharpCode.SharpZipLib/Encryption/ZipAESTransform.cs	Cryptographic APIs: 'TransformBlock'

Found GUI installer (many successful clicks)

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Automated click: Next >
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Automated click: I Agree
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Automated click: Next >
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Automated click: Next >
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Automated click: Install

Found installer window with terms and condition text

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Windows\System32\regsvr32.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Submission file is bigger than most known malware samples

Source: ibaAnalyzerSetup_x64_v7.3.6.exe

Static file information: File size 69983376 > 1048576

Creates a directory in C:\Program Files

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaAnalyzer.exe	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\SciLexer.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\versions.htm	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\License_Agreement_ibaAnalyzer.pdf	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\support.htm	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaDataExtractor.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaDataExtractorMC.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\reg_dataextractorMC.bat	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\reg_dataextractor.bat	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\mkl64_parallel.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\libiomp5md.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\msvcp100.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\DevExpress.Data.v16.1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\DevExpress.Printing.v16.1.Core.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\DevExpress.Sparkline.v16.1.Core.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\DevExpress.Utils.v16.1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\DevExpress.XtraEditors.v16.1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\DevExpress.XtraGrid.v16.1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\DevExpress.XtraPrinting.v16.1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\DotNetMagic2005.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\hdClientInterfaces.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\hdCommon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaUser.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaUser.Forms.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaHdViewUtilities.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaLogger.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ICSharpCode.SharpZipLib.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaViewInterfaces.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaViewUtilities.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaPdaServerInterfaces.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaExpressions.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaPdaPluginInterface.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\OverlayWindow.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\PowerCollections.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\View.ibaEventTable.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\View.ibaGraphManager.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaHDOffline.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaHdOfflineActiveX.ocx	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\hdClient.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\hdCore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaRunTime64.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\de	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\de\hdClient.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\de\ibaHDOffline.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\de\hdCommon.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\de\ibaUser.Forms.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\de\ibaUser.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\de\ibaViewUtilities.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\de\View.ibaEventTable.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\de\View.ibaGraphManager.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\de\ibaShared.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\de\ibaSharedGui.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\de\View.ibaFFT.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\de\View.ibaOrbit.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\de\View.GeoView.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\de\ibaAnalyzerViewHostViewWrapper.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\de\View.ibaAnalyzerViewHostGraphManager.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\fr	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\fr\hdClient.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\fr\ibaHDOffline.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\fr\hdCommon.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\fr\ibaUser.Forms.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\fr\ibaUser.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\fr\ibaViewUtilities.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\fr\View.ibaEventTable.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\fr\View.ibaGraphManager.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\fr\ibaShared.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\fr\ibaSharedGui.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\fr\View.ibaFFT.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\fr\View.ibaOrbit.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\fr\View.GeoView.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\fr\ibaAnalyzerViewHostViewWrapper.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\fr\View.ibaAnalyzerViewHostGraphManager.resources.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaAnalyzerViewHost.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaAnalyzerViewHostViewWrapper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaAnalyzerViewHostActiveX.ocx	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaShared.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaSharedGui.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaManagedFFT.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\ibaThreadSafeNativeFFT.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\GMap.NET.Core.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\GMap.NET.WindowsForms.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\System.Data.SQLite.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\SQLite.Interop.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\Plugins	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\Plugins\View.ibaFFT.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\Plugins\View.ibaOrbit.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\Plugins\View.ibaGraphManager.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\Plugins\View.ibaAnalyzerViewHostGraphManager.dll	Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Directory created: C:\Program Files\iba\ibaAnalyzer\Plugins\View.GeoView.dll	Jump to behavior

PE / OLE file has a valid certificate

Source: ibaAnalyzerSetup_x64_v7.3.6.exe

Static PE information: certificate valid

Binary contains paths to debug symbols

Source:	Binary string: D:\proj\ibafft\ibaNativeFFTWrapper\bin\x64\Release\ibaThreadSafeNativeFFT.pdb source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, ibaThreadSafeNativeFFT.dll.0.dr
Source:	Binary string: D:\proj\PdaOffline_7.3.x\bin\x64\Release\ibaAnalyzer.pdb source: ibaAnalyzer.exe.0.dr
Source:	Binary string: F:\LL\LL.Export_20\combit.ListLabel.Export.x64\bin\Release\v4.0\AnyCPU\DllExporter\combit.ListLabel20.Export.x64.pdbBSJB source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: msvcr100.amd64.pdb source: msvcr100.dll.0.dr
Source:	Binary string: C:\Users\mistachkin\Documents\checkouts\sqlite\dotnet\bin\2017\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\jleon\Source\Repos\GMap.NET\GMap.NET\GMap.NET.Core\obj\Release\net40\GMap.NET.Core.pdbSHA256 source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr
Source:	Binary string: D:\proj\PdaOffline_7.3.x\ibaAnalyzerViewHost\ibaAnalyzerViewHost\obj\Release\ibaAnalyzerViewHost.pdb source: ibaAnalyzerViewHost.dll.0.dr
Source:	Binary string: D:\proj\PdaOffline_7.3.x\ibaAnalyzerViewHost\ibaAnalyzerViewHostMaps\obj\Release\View.GeoView.pdbV7 source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.716046472.0000000000409000.00000004.00000001.01000000.00000003.sdmp, View.GeoView.dll.0.dr
Source:	Binary string: D:\proj\PdaOffline_7.3.x\ibaAnalyzerViewHost\ibaAnalyzerViewHostMaps\obj\Release\View.GeoView.pdb source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.716046472.0000000000409000.00000004.00000001.01000000.00000003.sdmp, View.GeoView.dll.0.dr
Source:	Binary string: C:\Users\jleon\Source\Repos\GMap.NET\GMap.NET\GMap.NET.WindowsForms\obj\Release\net40\GMap.NET.WindowsForms.pdbSHA256 source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\proj\PdaOffline_7.3.x\ibaHDOffline\ibaHDOfflineActiveX\bin\x64\Release\ibaHDOfflineActiveX.pdb source: regsvr32.exe, 0000000F.00000002.664864019.00000000029A1000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: V:\_Project\scintilla410\scintilla\win32\x64\Release\SciLexer.pdb source: SciLexer.dll.0.dr
Source:	Binary string: D:\proj\ibaFFT\ibaManagedFFT\obj\Release\ibaManagedFFT.pdb source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, ibaManagedFFT.dll.0.dr
Source:	Binary string: D:\proj\PdaOffline_7.3.x\ibaAnalyzerViewHost\ibaAnalyzerViewHostActiveX\bin\x64\Release\ibaAnalyzerViewHostActiveX.pdb source: regsvr32.exe, 00000016.00000002.720287948.0000000002726000.00000002.00000001.01000000.00000012.sdmp, regsvr32.exe, 00000016.00000002.722962885.00007FFA66866000.00000002.00000001.01000000.00000012.sdmp, ibaAnalyzerViewHostActiveX.ocx.0.dr
Source:	Binary string: D:\proj\PdaOffline_7.3.x\bin\x64\Release\ibaAnalyzer.pdbf source: ibaAnalyzer.exe.0.dr
Source:	Binary string: C:\Users\jleon\Source\Repos\GMap.NET\GMap.NET\GMap.NET.Core\obj\Release\net40\GMap.NET.Core.pdb source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr
Source:	Binary string: c:\dev\sqlite\dotnet\obj\2010\System.Data.SQLite.2010\Release\System.Data.SQLite.pdb source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\jleon\Source\Repos\GMap.NET\GMap.NET\GMap.NET.WindowsForms\obj\Release\net40\GMap.NET.WindowsForms.pdb source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\projects\sharpziplib\src\ICSharpCode.SharpZipLib\obj\Release\net45\ICSharpCode.SharpZipLib.pdbSHA256 source: regsvr32.exe, 0000000F.00000002.665830211.000000001B5A2000.00000002.00000001.01000000.00000011.sdmp, regsvr32.exe, 00000016.00000002.720664341.00000000027E2000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\proj\PdaOffline_7.3.x\ibaAnalyzerViewHost\ibaAnalyzerViewHostActiveX\bin\x64\Release\ibaAnalyzerViewHostActiveX.pdbBB' source: regsvr32.exe, 00000016.00000002.720287948.0000000002726000.00000002.00000001.01000000.00000012.sdmp, regsvr32.exe, 00000016.00000002.722962885.00007FFA66866000.00000002.00000001.01000000.00000012.sdmp, ibaAnalyzerViewHostActiveX.ocx.0.dr
Source:	Binary string: D:\proj\ibaPDAv7.3.x\ibaGraphManager\obj\Release\View.ibaGraphManager.pdb source: View.ibaGraphManager.dll.0.dr
Source:	Binary string: c:\Projects\16.1\BuildLabel\Temp\NetStudio.v16.1.2005\Win\DevExpress.XtraCharts\DevExpress.Sparkline.Core\obj\Release\DevExpress.Sparkline.v16.1.Core.pdb source: DevExpress.Sparkline.v16.1.Core.dll.0.dr
Source:	Binary string: D:\proj\ibaPDAv7.3.x\ibaViewInterfaces\obj\Release\ibaViewInterfaces.pdb source: ibaViewInterfaces.dll.0.dr
Source:	Binary string: C:\Proj\ibaPDA_7.3.x\Installer\nsSCMEx\Release\nsSCMEx.pdb source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.749000339.00000000032DC000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\projects\sharpziplib\src\ICSharpCode.SharpZipLib\obj\Release\net45\ICSharpCode.SharpZipLib.pdb source: regsvr32.exe, 0000000F.00000002.665830211.000000001B5A2000.00000002.00000001.01000000.00000011.sdmp, regsvr32.exe, 00000016.00000002.720664341.00000000027E2000.00000002.00000001.01000000.00000011.sdmp
Source:	Binary string: D:\proj\PdaOffline_7.3.x\ibaHDOffline\ibaHDOfflineActiveX\bin\x64\Release\ibaHDOfflineActiveX.pdb::' source: regsvr32.exe, 0000000F.00000002.664864019.00000000029A1000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: D:\proj\ibaPDAv7.3.x\ibaOnlineFFT\obj\Release\View.ibaFFT.pdb source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: F:\LL\LL.Export_20\combit.ListLabel.Export.x64\bin\Release\v4.0\AnyCPU\DllExporter\combit.ListLabel20.Export.x64.pdb source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\proj\ibaPDAv7.3.x\ibaSharedGui\obj\Release\ibaSharedGui.pdb source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\proj\ibaFFT\ibaManagedFFT\obj\Release\ibaManagedFFT.pdb, source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, ibaManagedFFT.dll.0.dr
Source:	Binary string: D:\proj\ibafft\ibaNativeFFTWrapper\bin\x64\Release\ibaThreadSafeNativeFFT.pdb!! source: ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, ibaThreadSafeNativeFFT.dll.0.dr

Data Obfuscation

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032DA528 push ecx; ret
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032BE8E6 push ecx; ret
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_10002A10 push eax; ret
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_02977357 push 00000028h; iretd
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_02974FDB push 00000028h; retf
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B2DCE8E push rdi; ret
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B296C2C push rdi; retf
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFA668C4FDB push 00000028h; retf
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_00007FFA668C7357 push 00000028h; iretd
Source: C:\Windows\System32\regsvr32.exe	Code function: 22_2_027170A9 push 00000028h; retf
Source: C:\Windows\System32\regsvr32.exe	Code function: 22_2_02716F05 push 00000028h; retf
Source: C:\Windows\System32\regsvr32.exe	Code function: 22_2_00007FFA66856F05 push 00000028h; retf
Source: C:\Windows\System32\regsvr32.exe	Code function: 22_2_00007FFA668570A9 push 00000028h; retf

PE file contains sections with non-standard names

Source: ibaRunTime64.dll.0.dr	Static PE information: section name: .hvm
Source: ibaRunTime64.dll.0.dr	Static PE information: section name: .hvm0

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,

Binary contains a suspicious time stamp

Source: ICSharpCode.SharpZipLib.dll.0.dr

Static PE information: 0xEE450951 [Mon Sep 3 09:09:37 2096 UTC]

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\System.Data.SQLite.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\fr\ibaAnalyzerViewHostViewWrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\ibaPdaServerInterfaces.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\Plugins\View.ibaOrbit.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\ibaUser.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\de\View.ibaFFT.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\ibaDataExtractor.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\View.ibaGraphManager.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\ibaAnalyzer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\ibaExpressions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\de\hdCommon.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\libiomp5md.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\msvcp100.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\de\ibaUser.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\ibaRunTime64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\mkl64_parallel.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\DevExpress.Utils.v16.1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\Plugins\View.GeoView.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\fr\ibaShared.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\OverlayWindow.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\ibaHdViewUtilities.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\fr\hdCommon.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\ibaHDOffline.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\ibaShared.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\fr\ibaViewUtilities.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\ibaManagedFFT.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\SQLite.Interop.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Users\user\AppData\Local\Temp\nss310.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Users\user\AppData\Local\Temp\nss310.tmp\SimpleSC.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\de\View.GeoView.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\de\ibaViewUtilities.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Users\user\AppData\Local\Temp\nss310.tmp\InstallOptions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\de\View.ibaGraphManager.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\ibaUser.Forms.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\fr\ibaUser.Forms.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\ibaAnalyzerViewHostViewWrapper.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\fr\View.GeoView.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\DevExpress.XtraGrid.v16.1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\fr\ibaUser.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\fr\View.ibaGraphManager.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\hdCore.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\fr\hdClient.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\fr\ibaHDOffline.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\DevExpress.Sparkline.v16.1.Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\de\ibaUser.Forms.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\ibaAnalyzerViewHost.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\Plugins\View.ibaGraphManager.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\fr\View.ibaAnalyzerViewHostGraphManager.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\GMap.NET.WindowsForms.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\de\ibaSharedGui.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\de\View.ibaOrbit.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\DotNetMagic2005.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\DevExpress.XtraEditors.v16.1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\de\View.ibaEventTable.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\fr\View.ibaFFT.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\SciLexer.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\ibaAnalyzerViewHostActiveX.ocx	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\Plugins\View.ibaAnalyzerViewHostGraphManager.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\DevExpress.Printing.v16.1.Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\de\hdClient.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\de\View.ibaAnalyzerViewHostGraphManager.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\de\ibaShared.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\ibaSharedGui.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\GMap.NET.Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\hdClientInterfaces.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\View.ibaEventTable.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\de\ibaHDOffline.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\ibaPdaPluginInterface.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\fr\View.ibaOrbit.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Users\user\AppData\Local\Temp\nss310.tmp\nsSCMEx.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\DevExpress.Data.v16.1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\hdCommon.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\fr\View.ibaEventTable.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\ibaDataExtractorMC.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\hdClient.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\PowerCollections.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\ibaHdOfflineActiveX.ocx	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\Plugins\View.ibaFFT.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\DevExpress.XtraPrinting.v16.1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\de\ibaAnalyzerViewHostViewWrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\ibaLogger.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\ibaViewUtilities.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Users\user\AppData\Local\Temp\nss310.tmp\UserInfo.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\ibaViewInterfaces.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\fr\ibaSharedGui.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\ibaThreadSafeNativeFFT.dll	Jump to dropped file

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Code function: 0_2_031C1410 wsprintfA,lstrcpyA,GetPrivateProfileStringA,lstrcpyA,CharNextA,

Creates license or readme file

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\License_Agreement_ibaAnalyzer.pdf			Jump to behavior
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File created: C:\Program Files\iba\ibaAnalyzer\License_Agreement_ibaAnalyzer.pdf			Jump to behavior

Boot Survival

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Hooking and other Techniques for Hiding and Protection

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Code function: 0_2_032BD7A0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\System32\regsvr32.exe

RDTSC instruction interceptor: First address: 000000001B393905 second address: 000000001B393921 instructions: 0x00000000 rdtsc 0x00000002 movzx eax, bl 0x00000005 bts dx, ax 0x00000009 movsx edx, di 0x0000000c inc ebp 0x0000000d xor eax, dword ptr [ebx+ecx*4+00000858h] 0x00000014 inc ebp 0x00000015 add eax, dword ptr [ebx+eax*4+00000C58h] 0x0000001c rdtsc

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\regsvr32.exe TID: 5916	Thread sleep count: 117 > 30
Source: C:\Windows\System32\regsvr32.exe TID: 5916	Thread sleep time: -922337203685477s >= -30000s

Found evasive API chain (date check)

Source: C:\Windows\System32\regsvr32.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Windows\System32\regsvr32.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Contains functionality to enumerate running services

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Code function: EnumServicesStatusExA,GetLastError,GetLastError,CloseServiceHandle,EnumServicesStatusExA,GetLastError,GetLastError,

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\System.Data.SQLite.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\fr\ibaAnalyzerViewHostViewWrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\ibaPdaServerInterfaces.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\ibaUser.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\Plugins\View.ibaOrbit.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\de\View.ibaFFT.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\ibaDataExtractor.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\View.ibaGraphManager.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\ibaExpressions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\ibaAnalyzer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\de\hdCommon.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\msvcp100.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\libiomp5md.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\de\ibaUser.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\ibaRunTime64.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\msvcr100.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\mkl64_parallel.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\DevExpress.Utils.v16.1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\Plugins\View.GeoView.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\fr\ibaShared.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\OverlayWindow.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\ibaHdViewUtilities.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\fr\hdCommon.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\ibaHDOffline.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\ibaShared.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\fr\ibaViewUtilities.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\ibaManagedFFT.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\SQLite.Interop.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\de\View.GeoView.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\de\ibaViewUtilities.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\de\View.ibaGraphManager.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\ibaUser.Forms.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\fr\ibaUser.Forms.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\ibaAnalyzerViewHostViewWrapper.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\fr\View.GeoView.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\DevExpress.XtraGrid.v16.1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\fr\ibaUser.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\fr\View.ibaGraphManager.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\hdCore.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\fr\hdClient.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\fr\ibaHDOffline.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\DevExpress.Sparkline.v16.1.Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\de\ibaUser.Forms.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\ibaAnalyzerViewHost.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\Plugins\View.ibaGraphManager.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\GMap.NET.WindowsForms.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\fr\View.ibaAnalyzerViewHostGraphManager.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\de\ibaSharedGui.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\de\View.ibaOrbit.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\DotNetMagic2005.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\DevExpress.XtraEditors.v16.1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\fr\View.ibaFFT.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\de\View.ibaEventTable.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\SciLexer.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\Plugins\View.ibaAnalyzerViewHostGraphManager.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\DevExpress.Printing.v16.1.Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\de\View.ibaAnalyzerViewHostGraphManager.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\de\hdClient.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\de\ibaShared.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\GMap.NET.Core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\ibaSharedGui.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\hdClientInterfaces.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\View.ibaEventTable.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\de\ibaHDOffline.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\ibaPdaPluginInterface.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\fr\View.ibaOrbit.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\DevExpress.Data.v16.1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\hdCommon.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\fr\View.ibaEventTable.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\ibaDataExtractorMC.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\hdClient.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\PowerCollections.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\Plugins\View.ibaFFT.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\DevExpress.XtraPrinting.v16.1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\de\ibaAnalyzerViewHostViewWrapper.resources.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\ibaViewUtilities.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\ibaLogger.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\ibaThreadSafeNativeFFT.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\ibaViewInterfaces.dll	Jump to dropped file
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Dropped PE file which has not been started: C:\Program Files\iba\ibaAnalyzer\fr\ibaSharedGui.resources.dll	Jump to dropped file

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\System32\regsvr32.exe

Code function: 15_2_1B3929AB rdtsc

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\regsvr32.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Code function: 0_2_032B30E0 GetOsVersion,GetModuleHandleA,GetProcAddress,GetProcAddress,GetVersionExW,GlobalFree,GlobalFree,GetProcAddress,GetModuleHandleA,GetProcAddress,GetSystemInfo,RegOpenKeyExA,RegQueryValueExA,_strstr,RegCloseKey,_strstr,RegCloseKey,_strstr,RegCloseKey,GlobalAlloc,GlobalAlloc,lstrcpynA,GlobalAlloc,wsprintfA,

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,SHELL32_IconCache_DoneExtractingIcons,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_0040263E FindFirstFileA,
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032D1866 FindFirstFileExW,

Source: C:\Windows\System32\regsvr32.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\System32\regsvr32.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File Volume queried: C:\Program Files FullSizeInformation
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	File Volume queried: C:\Program Files FullSizeInformation

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Code function: 0_2_032C925B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Windows\System32\regsvr32.exe

Code function: 15_2_0297C60C GetLastError,IsDebuggerPresent,OutputDebugStringW,

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Code function: 0_2_032B53E5 GetProcessHeap,

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\System32\regsvr32.exe

Code function: 15_2_1B3929AB rdtsc

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032C8252 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032D1474 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032D14BA mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\System32\regsvr32.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032BE334 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032C925B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032BE719 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B25BB70 SetUnhandledExceptionFilter,
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B25BB40 SetUnhandledExceptionFilter,
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B25DD3F RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B264360 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B259280 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B259160 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B2590C0 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\regsvr32.exe	Code function: 15_2_1B258680 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Code function: 0_2_032AC740 InterlockedCompareExchange,GetModuleFileNameA,LoadLibraryA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CloseHandle,WaitForSingleObject,CloseHandle,

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\Program Files\iba\ibaAnalyzer\ibaHdOfflineActiveX.ocx VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\Program Files\iba\ibaAnalyzer\ibaLogger.dll VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\Program Files\iba\ibaAnalyzer\ICSharpCode.SharpZipLib.dll VolumeInformation
Source: C:\Windows\System32\regsvr32.exe	Queries volume information: C:\Program Files\iba\ibaAnalyzer\ibaAnalyzerViewHostActiveX.ocx VolumeInformation

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\regsvr32.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoA,

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Code function: 0_2_032BE8FB cpuid

Source: C:\Windows\System32\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Code function: 0_2_032BB350 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Code function: 0_2_032C9A43 _free,_free,_free,GetTimeZoneInformation,_free,

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Code function: 0_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe

Code function: 0_2_032B52F0 GlobalFree,GetProcessHeap,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,LookupAccountNameA,GetLastError,GetProcessHeap,HeapReAlloc,GetProcessHeap,HeapReAlloc,

Remote Access Functionality

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032A77C0 socket,WSAGetLastError,bind,WSAGetLastError,GetTickCount,ioctlsocket,connect,ioctlsocket,select,__WSAFDIsSet,GetTickCount,GetTickCount,closesocket,WSAGetLastError,getsockname,htons,closesocket,
Source: C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe	Code function: 0_2_032A7A20 socket,bind,WSAGetLastError,Sleep,connect,Sleep,WSAGetLastError,getsockname,htons,closesocket,closesocket,WSAGetLastError,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Valid Accounts	13 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	12 Service Execution	1 DLL Search Order Hijacking	1 DLL Search Order Hijacking	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 Peripheral Device Discovery	Remote Desktop Protocol	2 Clipboard Data	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	1 Valid Accounts	1 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	12 Windows Service	11 Access Token Manipulation	1 Software Packing	NTDS	1 System Service Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	12 Windows Service	1 Timestomp	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	1 Process Injection	1 DLL Side-Loading	Cached Domain Credentials	137 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 DLL Search Order Hijacking	DCSync	1 Query Registry	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	3 Masquerading	Proc Filesystem	14 Security Software Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Valid Accounts	/etc/passwd and /etc/shadow	22 Virtualization/Sandbox Evasion	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	22 Virtualization/Sandbox Evasion	Network Sniffing	1 System Owner/User Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	11 Access Token Manipulation	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	1 Process Injection	Keylogging	Local Groups	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ibaAnalyzerSetup_x64_v7.3.6.exe	0%	Virustotal		Browse
ibaAnalyzerSetup_x64_v7.3.6.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Link
C:\Program Files\iba\ibaAnalyzer\DevExpress.Data.v16.1.dll	0%	ReversingLabs
C:\Program Files\iba\ibaAnalyzer\DevExpress.Printing.v16.1.Core.dll	0%	ReversingLabs
C:\Program Files\iba\ibaAnalyzer\DevExpress.Sparkline.v16.1.Core.dll	0%	ReversingLabs
C:\Program Files\iba\ibaAnalyzer\DevExpress.Utils.v16.1.dll	0%	ReversingLabs
C:\Program Files\iba\ibaAnalyzer\DevExpress.XtraEditors.v16.1.dll	0%	ReversingLabs
C:\Program Files\iba\ibaAnalyzer\DevExpress.XtraGrid.v16.1.dll	0%	ReversingLabs
C:\Program Files\iba\ibaAnalyzer\DevExpress.XtraPrinting.v16.1.dll	0%	ReversingLabs
C:\Program Files\iba\ibaAnalyzer\DotNetMagic2005.dll	0%	ReversingLabs
C:\Program Files\iba\ibaAnalyzer\GMap.NET.Core.dll	0%	Metadefender	Browse
C:\Program Files\iba\ibaAnalyzer\GMap.NET.Core.dll	0%	ReversingLabs
C:\Program Files\iba\ibaAnalyzer\GMap.NET.WindowsForms.dll	0%	Metadefender	Browse
C:\Program Files\iba\ibaAnalyzer\GMap.NET.WindowsForms.dll	0%	ReversingLabs
C:\Program Files\iba\ibaAnalyzer\ICSharpCode.SharpZipLib.dll	0%	Metadefender	Browse
C:\Program Files\iba\ibaAnalyzer\ICSharpCode.SharpZipLib.dll	0%	ReversingLabs
C:\Program Files\iba\ibaAnalyzer\OverlayWindow.dll	0%	ReversingLabs
C:\Program Files\iba\ibaAnalyzer\Plugins\View.GeoView.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.ibaAnalyzerSetup_x64_v7.3.6.exe.411c52.1.unpack	100%	Avira	TR/Patched.Ren.Gen		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.darb.ae/ArcGIS/rest/services/BaseMaps/Q2_2011_NAVTQ_Eng_V5/MapServer/tile/	0%	Avira URL Cloud	safe
http://www.iba-ag.com.	0%	Virustotal		Browse
http://www.iba-ag.com.	0%	Avira URL Cloud	safe
http://www.opencyclemap.org/whttp://	0%	Avira URL Cloud	safe
http://tiles.ump.waw.pl/ump_tiles/	0%	Avira URL Cloud	safe
http://www.topografix.com/GPX/1/1	0%	Avira URL Cloud	safe
http://www.4umaps.eu/map.htmu	0%	Avira URL Cloud	safe
https://api.maptiler.com/maps/	0%	Avira URL Cloud	safe
http://4umaps.eu/	0%	Avira URL Cloud	safe
http://www.ikarte.lv/default.aspx?lang=en	0%	Avira URL Cloud	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://analyzer-doc.iba-ag.com/%TEMP%	0%	Avira URL Cloud	safe
http://ump.waw.pl/	0%	Avira URL Cloud	safe
https://www.maptiler.com/#providersComboBox	0%	Avira URL Cloud	safe
http://mapbender.wheregroup.com/cgi-bin/mapserv?map=/data/umn/osm/osm_basic.map&VERSION=1.1.1&REQUES	0%	Avira URL Cloud	safe
http://www.topografix.com/GPX/1/1T	0%	Avira URL Cloud	safe
https://api.maptiler.com/maps/tiles/Basic?key=_Software	0%	Avira URL Cloud	safe
http://routes.cloudmade.com/	0%	Avira URL Cloud	safe
http://www.topografix.com/GPX/1/1D	0%	Avira URL Cloud	safe
http://ecn.t	0%	Avira URL Cloud	safe
http://www.dnguard.net/	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://dc5.maps.lt/cache/mapslt_relief_vector/map/_alllayers/L	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
http://server.arcgisonline.com/ArcGIS/rest/services/ESRI_ShadedRelief_World_2D/MapServer/tile/	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
http://www.darb.ae/ArcGIS/rest/services/BaseMaps/Q2_2011_NAVTQ_Eng_V5/MapServer/tile/	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false	Avira URL Cloud: safe	unknown
https://www.linkedin.com/company/iba-italia-srl/	support.htm.0.dr	false		high
http://www.maps.lt/map/K	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
https://www.xing.com/companies/ibaag-messtechnik-undautomatisierungssysteme	support.htm.0.dr	false		high
http://greatmaps.codeplex.com	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
https://twitter.com/ibaagcom	support.htm.0.dr	false		high
https://www.linkedin.com/company/iba-ag/	support.htm.0.dr	false		high
http://server.arcgisonline.com/ArcGIS/rest/services/ESRI_StreetMap_World_2D/MapServer/tile/	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
http://server.arcgisonline.com/ArcGIS/rest/services/ESRI_Imagery_World_2D/MapServer/tile/	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
http://www.iba-ag.com.	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000003.498976131.00000000006F6000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://system.data.sqlite.org/X	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://dev.virtualearth.net/REST/v1/Locations?	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
http://www.opencyclemap.org/whttp://	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false	Avira URL Cloud: safe	unknown
http://server.arcgisonline.com/ArcGIS/rest/services/World_Shaded_Relief/MapServer/tile/	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
http://sourceforge.net/projects/nspring).	regsvr32.exe, 0000000F.00000002.665662339.000000001B422000.00000002.00000010.01000000.00000010.sdmp, regsvr32.exe, 00000016.00000002.719288765.00000000025D2000.00000002.00000001.01000000.00000010.sdmp	false		high
http://tiles.ump.waw.pl/ump_tiles/	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false	Avira URL Cloud: safe	unknown
https://kso.etjanster.lantmateriet.se/?lang=en#	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
http://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=0&fmt=1&type=	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
https://www.linkedin.com/company/begner-agenturer-ab/	support.htm.0.dr	false		high
http://wego.here.com/w	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
http://www.topografix.com/GPX/1/1	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	DevExpress.Sparkline.v16.1.Core.dll.0.dr	false		high
http://dc5.maps.lt/cache/mapslt/map/_alllayers/L	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
http://where.yahooapis.com/geocode?q=	GMap.NET.Core.dll.0.dr	false		high
http://www.4umaps.eu/map.htmu	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false	Avira URL Cloud: safe	unknown
https://mapserver.mapy.cz/turist-m/	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
http://sigpac.mapa.es/kmlserver/raster/	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
https://api.maptiler.com/maps/	View.GeoView.dll.0.dr	false	Avira URL Cloud: safe	unknown
https://kso.etjanster.lantmateriet.se/karta/topowebb/v1.1/wmts?SERVICE=WMTS&REQUEST=GetTile&VERSION=	GMap.NET.Core.dll.0.dr	false		high
http://dc5.maps.lt/cache/mapslt_ortofoto/map/_alllayers/L	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
http://dc5.maps.lt/cache/mapslt_ortofoto_overlay/map/_alllayers/L	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
http://server.arcgisonline.com/ArcGIS/rest/services/World_Topo_Map/MapServer/tile/	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
http://sourceforge.net/projects/nspring)	regsvr32.exe, 0000000F.00000002.665662339.000000001B422000.00000002.00000010.01000000.00000010.sdmp, regsvr32.exe, 00000016.00000002.719288765.00000000025D2000.00000002.00000001.01000000.00000010.sdmp	false		high
https://nominatim.openstreetmap.org/search?street=	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
http://ajax.aspnetcdn.com/ajax/jquery/jquery-1.9.1.min.js	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nominatim.openstreetmap.org/reverse?format=xml&lat=	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
http://code.jquery.com/mobile/1.3.2/jquery.mobile-1.3.2.min.css	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://where.yahooapis.com/geocode?country=	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
http://server.arcgisonline.com/ArcGIS/rest/services/World_Terrain_Base/MapServer/tile/	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
http://wikimapia.org/S	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
http://server.arcgisonline.com/ArcGIS/rest/services/World_Street_Map/MapServer/tile/	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
https://www.linkedin.com/company/adegis/	support.htm.0.dr	false		high
http://4umaps.eu/	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false	Avira URL Cloud: safe	unknown
http://www.ikarte.lv/default.aspx?lang=en	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	DevExpress.Sparkline.v16.1.Core.dll.0.dr	false	URL Reputation: safe	unknown
http://openseamap.org/ghttp://tiles.openseamap.org/seamark/	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
http://analyzer-doc.iba-ag.com/%TEMP%	ibaAnalyzer.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://dev.virtualearth.net/REST/V1/Routes/	GMap.NET.Core.dll.0.dr	false		high
http://ump.waw.pl/	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	ibaAnalyzerSetup_x64_v7.3.6.exe	false		high
https://www.linkedin.com/company/ibabeneluxbvba/	support.htm.0.dr	false		high
https://www.sqlite.org/copyright.html2	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://dc1.maps.lt/cache/mapslt_25d_vkkp/map/_alllayers/L	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
https://www.maptiler.com/#providersComboBox	View.GeoView.dll.0.dr	false	Avira URL Cloud: safe	unknown
http://ajax.aspnetcdn.com/ajax/jquery.mobile/1.3.2/jquery.mobile-1.3.2.min.css	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://dev.virtualearth.net/REST/V1/Imagery/Metadata/	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
http://services.maps.lt/mapsk_services/rest/services/ikartelv/MapServer/tile/	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
http://dc1.maps.lt/cache/mapslt_ortofoto_2010/map/_alllayers/L	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
https://nominatim.openstreetmap.org/search?q=	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
http://server.arcgisonline.com/ArcGIS/rest/services/World_Physical_Map/MapServer/tile/	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
http://www.yournavigation.org/api/1.0/gosmore.php?format=kml&flat=	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
http://nsis.sf.net/NSIS_Error	ibaAnalyzerSetup_x64_v7.3.6.exe	false		high
http://www.mapy.cz/I6A1AF99A-84C6-4EF6-91A5-77B9D03257C2	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
http://mapbender.wheregroup.com/cgi-bin/mapserv?map=/data/umn/osm/osm_basic.map&VERSION=1.1.1&REQUES	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false	Avira URL Cloud: safe	unknown
https://www.thawte.com/cps0/	DevExpress.Sparkline.v16.1.Core.dll.0.dr	false		high
http://www.topografix.com/GPX/1/1T	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false	Avira URL Cloud: safe	unknown
http://maps.yahoo.com/	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
https://www.thawte.com/repository0W	DevExpress.Sparkline.v16.1.Core.dll.0.dr	false		high
http://earth.google.com/kml/2.0	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
http://code.jquery.com/jquery-1.9.1.min.js	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.maptiler.com/maps/tiles/Basic?key=_Software	View.GeoView.dll.0.dr	false	Avira URL Cloud: safe	unknown
http://greatmaps.codeplex.com/discussions/252531	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
http://code.jquery.com/mobile/1.3.2/jquery.mobile-1.3.2.min.js	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://routes.cloudmade.com/	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false	Avira URL Cloud: safe	unknown
http://www.topografix.com/GPX/1/1D	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false	Avira URL Cloud: safe	unknown
https://system.data.sqlite.org/	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ajax.aspnetcdn.com/ajax/jquery.mobile/1.3.2/jquery.mobile-1.3.2.min.js	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ecn.t	GMap.NET.Core.dll.0.dr	false	Avira URL Cloud: safe	unknown
http://www.dnguard.net/	regsvr32.exe, 0000000F.00000002.665556769.000000001B39F000.00000002.00000001.01000000.0000000F.sdmp, ibaRunTime64.dll.0.dr	false	Avira URL Cloud: safe	unknown
http://www.nearmap.com/	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high
http://server.arcgisonline.com/ArcGIS/rest/services/NGS_Topo_US_2D/MapServer/tile/	ibaAnalyzerSetup_x64_v7.3.6.exe, 00000000.00000002.719730623.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, GMap.NET.Core.dll.0.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	632527
Start date and time: 23/05/202218:41:07	2022-05-23 18:41:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 14s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	ibaAnalyzerSetup_x64_v7.3.6.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	SUS
Classification:	sus24.evad.winEXE@9/99@0/0
EGA Information:	Successful, ratio: 66.7%
HDC Information:	Successful, ratio: 6.6% (good quality ratio 6.2%) Quality average: 71.1% Quality standard deviation: 29.9%
HCA Information:	Successful, ratio: 95% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Execution Graph export aborted for target regsvr32.exe, PID 6048 because there are no executed function
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.

Process:	C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	5392112
Entropy (8bit):	6.386730970129271
Encrypted:	false
SSDEEP:	49152:7606CzFcJD5WL1S1dFw9jO6XXls/+wNAY2lQgS1Fh8DGQn4larvhBHQ:7aXWL1S1dFAjO6XVsW2yw
MD5:	46D4548EE2FFE0211B4200E08B2BF9A9
SHA1:	AC232FF3F1B0CCDAE4274788FFD7FF7D077B1761
SHA-256:	626D27108093E90ECB3FE3B0909C11008843D379528182360E33FAB823BF9AE6
SHA-512:	957C84FA82219A3907450F130440E5EAAECB74DBE8E28FEADD7664A9BBA421587B21FAFB3390B0B1A86B0A322F9C26FCB8F1A37ACE2EFDC60B1C3B9AB842084F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...El.Y...........!.....&R.........>ER.. ...`R...... ........................R...........@..................................DR.K....`R.X............0R.......R......CR.............................................. ............... ..H............text...D%R.. ...&R................. ..`.rsrc...X....`R......(R.............@..@.reloc........R.......R.............@..B................ ER.....H.........2.0............L...S!.P ......................................[..S.O...QK....3.i]..........Q6.B..Lc.:w....Mj.+D%.._.Y.i....'T..J..b...M.%.T._.F.d...&.!..Q.....YN".....h.zw.=.......<..(.....s....z....(........s....}.....s....}.....(......}......}......}.......}.....0..~..........{....(......o`T..-...-).{....,!.{.....o`T..{....(.L....,..o.L....- ...oaT....o......,...o`T..otH....-...o`T..{....(.........0.............(....,..{.....{.....{.....o....o....

Process:	C:\Windows\System32\regsvr32.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.367899416177239
Encrypted:	false
SSDEEP:	24:ML9E4KrL1qE4GiD0E4KeGiKDE4KGKN08AKhPKIE4TKD1KoZAE4KKPz:MxHKn1qHGiD0HKeGiYHKGD8AoPtHTG1Q
MD5:	7115A3215A4C22EF20AB9AF4160EE8F5
SHA1:	A4CAB34355971C1FBAABECEFA91458C4936F2C24
SHA-256:	A4A689E8149166591F94A8C84E99BE744992B9E80BDB7A0713453EB6C59BBBB2
SHA-512:	2CEF2BCD284265B147ABF300A4D26AD1AAC743EFE0B47A394FB614B6843A60B9F918E56261A56334078D0D9681132F3403FB734EE66E1915CF76F29411D5CE20
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.999990419784602
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ibaAnalyzerSetup_x64_v7.3.6.exe
File size:	69983376
MD5:	c1ae350f67039cbe69f10df9b8001371
SHA1:	6362ba848a6027939c642d4b405994ca5a96272c
SHA256:	fbf6ebb863e6ee15a9fbe144116fc568d929cdb560ad1380a45c71f761946cd1
SHA512:	032cde395658b300fc1d6e79a04c6da04169d35cfbd277ec6cb5044f391ae8ed88d31ec653be87cbfc8823e2a21918d2d269217c8e4f04e30138907243d7b635
SSDEEP:	1572864:tzpBbJ2s2nciVKOUmUQyja9kAdvnyRe/WhIS:L2RciCmUjaiAdvEhhIS
TLSH:	4FE733D85E1E8039E2684475D46AB8F11F3458F6A438C0932607BFFFD78F3E66026699
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\.........

Entrypoint:	0x40323c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B1AE3C6 [Sat Dec 5 22:50:46 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	099c0646ea7282d232219f8807883be0

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	11/24/2021 4:00:00 PM 11/26/2024 3:59:59 PM
Subject Chain	CN=iba AG, OU=iba AG, O=iba AG, L=FÃ¼rth, C=DE
Version:	3
Thumbprint MD5:	CB5010FA85020150A3B61712597B8B2E
Thumbprint SHA-1:	ED30F5B2E756DD3CAFB89E5055E5823BD9D82FE3
Thumbprint SHA-256:	062CF22CB3B0087BBB7D6F3193B43CDA8A2C76E205310D729B82D8557C675D8D
Serial:	0DB533CEF828D7CC61E6D2ABB9AFECE1

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x30000	0x65d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x42bba10	0x2280
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5a5a	0x5c00	False	0.660453464674	data	6.41769823686	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1190	0x1200	False	0.4453125	data	5.18162709925	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1af98	0x400	False	0.55859375	data	4.70902740305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x24000	0xc000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x30000	0x65d0	0x6600	False	0.37779564951	data	5.22258519203	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country
RT_ICON	0x302c8	0x25a8	data	English	United States
RT_ICON	0x32870	0x1bd9	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x34450	0x10a8	data	English	United States
RT_ICON	0x354f8	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x35960	0xb4	data	English	United States
RT_DIALOG	0x35a18	0x120	data	English	United States
RT_DIALOG	0x35b38	0x200	data	English	United States
RT_DIALOG	0x35d38	0xf8	data	English	United States
RT_DIALOG	0x35e30	0xee	data	English	United States
RT_GROUP_ICON	0x35f20	0x3e	data	English	United States
RT_VERSION	0x35f60	0x2ac	data	English	United States
RT_MANIFEST	0x36210	0x3ba	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Description	Data
LegalCopyright	iba AG. All rights reserved
FileVersion	7.3.6.0
CompanyName	iba AG
LegalTrademarks
Comments
ProductName	ibaAnalyzer (x64)
ProductVersion	7.3.6
FileDescription	ibaAnalyzer installer
Translation	0x0409 0x0000

Target ID:	0
Start time:	18:42:27
Start date:	23/05/2022
Path:	C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ibaAnalyzerSetup_x64_v7.3.6.exe"
Imagebase:	0x400000
File size:	69983376 bytes
MD5 hash:	C1AE350F67039CBE69F10DF9B8001371
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Target ID:	14
Start time:	18:43:53
Start date:	23/05/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\iba\ibaAnalyzer\ibaHDOfflineActiveX.ocx
Imagebase:	0x1290000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	15
Start time:	18:43:56
Start date:	23/05/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	/s "C:\Program Files\iba\ibaAnalyzer\ibaHDOfflineActiveX.ocx"
Imagebase:	0x7ff73dea0000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Target ID:	21
Start time:	18:44:30
Start date:	23/05/2022
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\iba\ibaAnalyzer\ibaAnalyzerViewHostActiveX.ocx
Imagebase:	0x1290000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	22
Start time:	18:44:31
Start date:	23/05/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	/s "C:\Program Files\iba\ibaAnalyzer\ibaAnalyzerViewHostActiveX.ocx"
Imagebase:	0x7ff73dea0000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ibaAnalyzerSetup_x64_v7.3.6.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Privilege Escalation

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\iba\ibaAnalyzer\DevExpress.Data.v16.1.dll

C:\Program Files\iba\ibaAnalyzer\DevExpress.Printing.v16.1.Core.dll

C:\Program Files\iba\ibaAnalyzer\DevExpress.Sparkline.v16.1.Core.dll

C:\Program Files\iba\ibaAnalyzer\DevExpress.Utils.v16.1.dll

C:\Program Files\iba\ibaAnalyzer\DevExpress.XtraEditors.v16.1.dll

C:\Program Files\iba\ibaAnalyzer\DevExpress.XtraGrid.v16.1.dll

C:\Program Files\iba\ibaAnalyzer\DevExpress.XtraPrinting.v16.1.dll

C:\Program Files\iba\ibaAnalyzer\DotNetMagic2005.dll

C:\Program Files\iba\ibaAnalyzer\GMap.NET.Core.dll

C:\Program Files\iba\ibaAnalyzer\GMap.NET.WindowsForms.dll

C:\Program Files\iba\ibaAnalyzer\ICSharpCode.SharpZipLib.dll

C:\Program Files\iba\ibaAnalyzer\License_Agreement_ibaAnalyzer.pdf

C:\Program Files\iba\ibaAnalyzer\OverlayWindow.dll

C:\Program Files\iba\ibaAnalyzer\Plugins\View.GeoView.dll

C:\Program Files\iba\ibaAnalyzer\Plugins\View.ibaAnalyzerViewHostGraphManager.dll

C:\Program Files\iba\ibaAnalyzer\Plugins\View.ibaFFT.dll

C:\Program Files\iba\ibaAnalyzer\Plugins\View.ibaGraphManager.dll

Windows Analysis Report
ibaAnalyzerSetup_x64_v7.3.6.exe

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre