Windows Analysis Report
SetupSuite_21.8_win64_86_sm.exe

Overview

General Information

Sample name: SetupSuite_21.8_win64_86_sm.exe
Analysis ID: 1434176
MD5: ddda012671f0ca2ca213060073b063e2
SHA1: 462783a60146a405f20bba176c4d5f95bf5f785c
SHA256: 61b02846fae730a5b900745cf6fb113993254268609542a5a00404fe9ca985f2
Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Vidar stealer
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: SetupSuite_21.8_win64_86_sm.exe Avira: detected
Source: C:\Users\user\AppData\Local\Temp\ejhooxmigi Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: 00000005.00000002.2412537891.00000000001C3000.00000002.00000001.01000000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199658817715", "https://tufure.xyz"]}
Source: SetupSuite_21.8_win64_86_sm.exe ReversingLabs: Detection: 54%
Source: SetupSuite_21.8_win64_86_sm.exe Virustotal: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\ejhooxmigi Joe Sandbox ML: detected
Source: SetupSuite_21.8_win64_86_sm.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SetupSuite_21.8_win64_86_sm.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: RazerInstaller.exe
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll
Source: Binary string: C:\projects\msgpack-cli-x2p85\src\MsgPack\obj\Release\net35\MsgPack.pdbh source: RazerInstaller.exe
Source: Binary string: C:\projects\msgpack-cli-x2p85\src\MsgPack\obj\Release\net35\MsgPack.pdb source: RazerInstaller.exe
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll
Source: Binary string: D:\JenkinsWorkspaces\trebuchet-stage-release\AWSDotNetPublic\sdk\src\Services\Kinesis\obj\AWSSDK.Kinesis.Net45\Release\net45\AWSSDK.Kinesis.pdb source: AWSSDK.Kinesis.dll
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: api-ms-win-core-debug-l1-1-0.dll
Source: Binary string: concrt140.i386.pdbGCTL source: concrt140.dll
Source: Binary string: C:\jenkins\workspace\CommonTools\RazerInstaller_Master\DetectManagerWrapper\bin\Razer.DetectManagerWrapper.pdb source: Razer.DetectManagerWrapper.dll
Source: Binary string: C:\jenkins\workspace\CommonTools\Natasha_Master\Updater\UpdateUtility\obj\x86\Release\UpdateUtility.pdbP\ source: RazerInstaller.exe
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll
Source: Binary string: C:\Users\shikang.neoh\Desktop\cpprestsdk-master\Binaries\Win32\Release\cpprest140_2_10.pdb source: cpprest140_2_10.dll
Source: Binary string: glu32.pdb source: cmd.exe, 00000002.00000002.2285116581.00000000033A3000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412634634.00000000003E8000.00000008.00000001.01000000.00000000.sdmp, ejhooxmigi.2.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll
Source: Binary string: wntdll.pdb source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2059867804.000000000520D000.00000004.00000020.00020000.00000000.sdmp, SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2063756868.0000000005B20000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2285453916.0000000004ED5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2290342600.0000000005320000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412874246.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2413064510.000000000C170000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Amsi.pdbGCTL source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2042878907.0000000003C11000.00000004.00000020.00020000.00000000.sdmp, SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2042878907.0000000003CBF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\jenkins\workspace\CommonTools\RazerInstaller_Master\RazerInstallerApp\obj\x86\Release\RazerInstaller.pdb| source: RazerInstaller.exe
Source: Binary string: D:\JenkinsWorkspaces\trebuchet-stage-release\AWSDotNetPublic\sdk\src\Services\Kinesis\obj\AWSSDK.Kinesis.Net45\Release\net45\AWSSDK.Kinesis.pdbSHA256 source: AWSSDK.Kinesis.dll
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll
Source: Binary string: C:\Kat\source_git\synapse3_tools\BLEConnect\Release\BLEConnectWrapper.pdb source: BLEConnectWrapper.dll
Source: Binary string: c:\Users\Aybe\Documents\GitHub\Windows API Code Pack 1.1\source\WindowsAPICodePack\Core\obj\Release\Microsoft.WindowsAPICodePack.pdb source: RazerInstaller.exe
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll
Source: Binary string: C:\Kat\source_git\synapse3_tools\BLEConnect\BLEConnect\obj\Release\BLEConnect.pdb source: BLEConnect.dll
Source: Binary string: c:\prj\PrismNew\Prism4\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism.UnityExtensions\obj\Release\Microsoft.Practices.Prism.UnityExtensions.pdb source: RazerInstaller.exe
Source: Binary string: C:\jenkins\workspace\CommonTools\RazerInstaller_Master\SafeExtractor\Release\SafeExtractor.pdb source: SetupSuite_21.8_win64_86_sm.exe
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll
Source: Binary string: C:\jenkins\workspace\CommonTools\RazerInstaller_Master\InstallerCleaner\obj\Release\RazerInstallerCleaner.pdb source: Razer.RazerInstallerCommon.dll
Source: Binary string: c:\prj\PrismNew\Prism4\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism.Interactivity\obj\Release\Microsoft.Practices.Prism.Interactivity.pdb source: RazerInstaller.exe
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: api-ms-win-core-errorhandling-l1-1-0.dll
Source: Binary string: /_/src/NLog/obj/Release/net46/NLog.pdb source: NLog.dll
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: api-ms-win-core-console-l1-1-0.dll
Source: Binary string: c:\prj\PrismNew\Prism4\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism.Interactivity\obj\Release\Microsoft.Practices.Prism.Interactivity.pdbh<~< p<_CorDllMainmscoree.dll source: RazerInstaller.exe
Source: Binary string: e:\ExpressionRTM\Sparkle\SDK\BlendWPFSDK\Build\Intermediate\Release\Libraries\System.Windows.Interactivity\Win32\Release\System.Windows.Interactivity.pdb source: RazerInstaller.exe
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll
Source: Binary string: C:\jenkins\workspace\CommonTools\RazerInstaller_Master\DetectManagerWrapper\bin\Razer.DetectManagerWrapper.pdb$$ source: Razer.DetectManagerWrapper.dll
Source: Binary string: C:\Dev\LightweightInstaller\3rd Party\DotNetZip\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb source: SetupSuite_21.8_win64_86_sm.exe, RazerInstaller.exe
Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll
Source: Binary string: c:\prj\PrismNew\Prism4\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism.UnityExtensions\obj\Release\Microsoft.Practices.Prism.UnityExtensions.pdb|[ source: RazerInstaller.exe
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll
Source: Binary string: c:\tfs\EL\V5-SL\UnityTemp\Compile\Unity\Unity.Configuration\Src\obj\Release\Microsoft.Practices.Unity.Configuration.pdb source: RazerInstaller.exe
Source: Binary string: c:\Users\Aybe\Documents\GitHub\Windows API Code Pack 1.1\source\WindowsAPICodePack\Shell\obj\Release\Microsoft.WindowsAPICodePack.Shell.pdbpZ source: RazerInstaller.exe
Source: Binary string: C:\jenkins\workspace\CommonTools\RazerInstaller_Master\RazerInstallerApp\obj\x86\Release\RazerInstaller.pdb source: RazerInstaller.exe
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll
Source: Binary string: C:\jenkins\workspace\CommonTools\RazerInstaller_Master\RazerInstallerCommon\obj\x86\Release\Razer.RazerInstallerCommon.pdb source: Razer.RazerInstallerCommon.dll
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: RazerInstaller.exe
Source: Binary string: C:\jenkins\workspace\CommonTools\RazerInstaller_Master\RazerInstallerCommon\obj\x86\Release\Razer.RazerInstallerCommon.pdbl source: Razer.RazerInstallerCommon.dll
Source: Binary string: c:\Code\Codeplex\Bootstrapper\Core\Bootstrapper\obj\Release\Bootstrapper.pdb source: RazerInstaller.exe
Source: Binary string: c:\Code\Codeplex\Bootstrapper\Extensions\Bootstrapper.Unity\obj\Release\Bootstrapper.UnityExtension.pdb source: RazerInstaller.exe
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll
Source: Binary string: c:\Code\Codeplex\Bootstrapper\Core\Bootstrapper\obj\Release\Bootstrapper.pdbt source: RazerInstaller.exe
Source: Binary string: wntdll.pdbUGP source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2059867804.000000000520D000.00000004.00000020.00020000.00000000.sdmp, SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2063756868.0000000005B20000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2285453916.0000000004ED5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2290342600.0000000005320000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412874246.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2413064510.000000000C170000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll
Source: Binary string: c:\prj\PrismNew\Prism4\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism\obj\Release\Microsoft.Practices.Prism.pdb source: RazerInstaller.exe
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: api-ms-win-core-datetime-l1-1-0.dll
Source: Binary string: C:\jenkins\workspace\CommonTools\Natasha_Master\Updater\UpdateUtility\obj\x86\Release\UpdateUtility.pdb source: RazerInstaller.exe
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll
Source: Binary string: c:\Users\Aybe\Documents\GitHub\Windows API Code Pack 1.1\source\WindowsAPICodePack\Core\obj\Release\Microsoft.WindowsAPICodePack.pdb, source: RazerInstaller.exe
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll
Source: Binary string: c:\Users\Aybe\Documents\GitHub\Windows API Code Pack 1.1\source\WindowsAPICodePack\Shell\obj\Release\Microsoft.WindowsAPICodePack.Shell.pdb source: RazerInstaller.exe
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll
Source: Binary string: C:\Kat\source_git\synapse3_tools\BLEConnect\Release\BLEConnectWrapper.pdb%% source: BLEConnectWrapper.dll
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll
Source: Binary string: c:\b\4741\2098\src\intermediate\System.Net.Http.2.0.csproj_f5d23ea6\Release\System.Net.Http.pdb source: RazerInstaller.exe
Source: Binary string: glu32.pdbGCTL source: cmd.exe, 00000002.00000002.2285116581.00000000033A3000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412634634.00000000003E8000.00000008.00000001.01000000.00000000.sdmp, ejhooxmigi.2.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll
Source: Binary string: Amsi.pdb source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2042878907.0000000003C11000.00000004.00000020.00020000.00000000.sdmp, SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2042878907.0000000003CBF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\JenkinsWorkspaces\trebuchet-stage-release\AWSDotNetPublic\sdk\src\Core\obj\AWSSDK.Core.Net45\Release\net45\AWSSDK.Core.pdb source: AWSSDK.Core.dll
Source: Binary string: c:\Projects\CommonServiceLocator\main\Microsoft.Practices.ServiceLocation.PortableClassLibrary\obj\Release\Microsoft.Practices.ServiceLocation.pdb source: RazerInstaller.exe
Source: Binary string: c:\tfs\EL\V5-SL\UnityTemp\Compile\Unity\Unity\Src\obj\Release\Microsoft.Practices.Unity.pdb source: RazerInstaller.exe
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll
Source: Binary string: concrt140.i386.pdb source: concrt140.dll
Source: Binary string: /_/src/NLog/obj/Release/net46/NLog.pdbSHA256OY source: NLog.dll
Source: Binary string: D:\JenkinsWorkspaces\trebuchet-stage-release\AWSDotNetPublic\sdk\src\Core\obj\AWSSDK.Core.Net45\Release\net45\AWSSDK.Core.pdbSHA256 source: AWSSDK.Core.dll
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll

Networking

Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199658817715
Source: Malware configuration extractor URLs: https://tufure.xyz
Source: Yara match File source: RazerInstaller.exe, type: SAMPLE
Source: Razer.RazerInstallerCommon.resources.dll String found in binary or memory: https://www.facebook.com/razer equals www.facebook.com (Facebook)
Source: AWSSDK.Core.dll String found in binary or memory: http://169.254.169.254
Source: AWSSDK.Core.dll String found in binary or memory: http://169.254.170.2
Source: AWSSDK.Core.dll String found in binary or memory: http://169.254.170.2aUnable
Source: SetupSuite_21.8_win64_86_sm.exe String found in binary or memory: http://DotNetZip.codeplex.com/
Source: Razer.RazerInstallerCommon.dll String found in binary or memory: http://assets.razerzone.com/eeimages/categories/14594/razer-gaming-softwares-category-comms-usp.png
Source: Razer.RazerInstallerCommon.dll String found in binary or memory: http://assets.razerzone.com/eeimages/categories/14594/razer-gaming-softwares-category-gamebooster-us
Source: Razer.RazerInstallerCommon.dll String found in binary or memory: http://assets.razerzone.com/eeimages/products/17531/940x573-01-02.png
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp, RazerInstaller.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Razer.RazerInstallerCommon.resources.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: AWSSDK.Core.dll, AWSSDK.Kinesis.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0K
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp, RazerInstaller.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Razer.RazerInstallerCommon.resources.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Razer.RazerInstallerCommon.resources.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Razer.RazerInstallerCommon.resources.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: RazerInstaller.exe String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: RazerInstaller.exe String found in binary or memory: http://compositewpf.codeplex.com/
Source: cpprest140_2_10.dll String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: Razer.RazerInstallerCommon.resources.dll String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp, RazerInstaller.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: AWSSDK.Core.dll, AWSSDK.Kinesis.dll String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: RazerInstaller.exe String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: Razer.RazerInstallerCommon.resources.dll String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Razer.RazerInstallerCommon.resources.dll String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Razer.RazerInstallerCommon.resources.dll String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: RazerInstaller.exe String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp, RazerInstaller.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp, RazerInstaller.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Razer.RazerInstallerCommon.resources.dll String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: AWSSDK.Core.dll, AWSSDK.Kinesis.dll String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: RazerInstaller.exe String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp, RazerInstaller.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: AWSSDK.Core.dll String found in binary or memory: http://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/net-dg-config-creds.html
Source: RazerInstaller.exe String found in binary or memory: http://james.newtonking.com/projects/json
Source: RazerInstaller.exe String found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
Source: NLog.dll String found in binary or memory: http://nlog-project.org/dummynamespace/
Source: Razer.RazerInstallerCommon.resources.dll String found in binary or memory: http://ocsp.digicert.com0
Source: Razer.RazerInstallerCommon.resources.dll String found in binary or memory: http://ocsp.digicert.com0A
Source: Razer.RazerInstallerCommon.resources.dll String found in binary or memory: http://ocsp.digicert.com0C
Source: AWSSDK.Core.dll, AWSSDK.Kinesis.dll String found in binary or memory: http://ocsp.digicert.com0I
Source: RazerInstaller.exe String found in binary or memory: http://ocsp.digicert.com0K
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0L
Source: RazerInstaller.exe String found in binary or memory: http://ocsp.digicert.com0N
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp, RazerInstaller.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: Razer.RazerInstallerCommon.resources.dll String found in binary or memory: http://ocsp.digicert.com0X
Source: cpprest140_2_10.dll String found in binary or memory: http://ocsp.thawte.com0
Source: Razer.RazerInstallerCommon.resources.dll String found in binary or memory: http://razer.com/software
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp, RazerInstaller.exe, cpprest140_2_10.dll String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp, RazerInstaller.exe, cpprest140_2_10.dll String found in binary or memory: http://s2.symcb.com0
Source: RazerInstaller.exe String found in binary or memory: http://schemas.datacontract.org/2004/07/Razer.ActionService
Source: NLog.dll String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: Razer.RazerInstallerCommon.dll String found in binary or memory: http://scripts.sil.org/OFL
Source: Razer.RazerInstallerCommon.dll String found in binary or memory: http://scripts.sil.org/OFLCopyright
Source: Razer.RazerInstallerCommon.dll String found in binary or memory: http://scripts.sil.org/OFLRazerF5Light
Source: Razer.RazerInstallerCommon.dll String found in binary or memory: http://scripts.sil.org/OFLRazerF5LightItalic
Source: Razer.RazerInstallerCommon.dll String found in binary or memory: http://scripts.sil.org/OFLRazerF5SemiBold
Source: Razer.RazerInstallerCommon.dll String found in binary or memory: http://scripts.sil.org/OFLRazerF5SemiBoldItalic
Source: Razer.RazerInstallerCommon.dll String found in binary or memory: http://scripts.sil.org/OFLRazerF5Thin
Source: Razer.RazerInstallerCommon.dll String found in binary or memory: http://scripts.sil.org/OFLRazerF5ThinItalic
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp, RazerInstaller.exe, cpprest140_2_10.dll String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp, RazerInstaller.exe, cpprest140_2_10.dll String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp, RazerInstaller.exe, cpprest140_2_10.dll String found in binary or memory: http://sv.symcd.com0&
Source: cpprest140_2_10.dll String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: cpprest140_2_10.dll String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: cpprest140_2_10.dll String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Amcache.hve.8.dr String found in binary or memory: http://upx.sf.net
Source: SetupSuite_21.8_win64_86_sm.exe String found in binary or memory: http://www.2brightsparks.com/foc/foc-v-check.txt
Source: SetupSuite_21.8_win64_86_sm.exe String found in binary or memory: http://www.2brightsparks.com/onclick/help/
Source: SetupSuite_21.8_win64_86_sm.exe String found in binary or memory: http://www.2brightsparks.com/onclick/index.html
Source: Razer.RazerInstallerCommon.dll String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Razer.RazerInstallerCommon.dll String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0Roboto
Source: RazerInstaller.exe String found in binary or memory: http://www.codeplex.com/CompositeWPF
Source: RazerInstaller.exe String found in binary or memory: http://www.codeplex.com/DotNetZip
Source: RazerInstaller.exe String found in binary or memory: http://www.codeplex.com/prism
Source: RazerInstaller.exe String found in binary or memory: http://www.codeplex.com/prism#Microsoft.Practices.Prism.ViewModel
Source: RazerInstaller.exe String found in binary or memory: http://www.codeplex.com/prism:Microsoft.Practices.Prism.Interactivity.InteractionRequest
Source: Razer.RazerInstallerCommon.resources.dll String found in binary or memory: http://www.digicert.com/CPS0
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.0000000005418000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.0000000005237000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, explorer.exe, 00000005.00000002.2412988200.000000000C085000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.info-zip.org/
Source: cpprest140_2_10.dll String found in binary or memory: http://www.openssl.org/support/faq.html
Source: Razer.RazerInstallerCommon.resources.dll String found in binary or memory: http://www.razer.com/sw-eula
Source: Razer.RazerInstallerCommon.dll String found in binary or memory: http://www.razerzone.com
Source: Razer.RazerInstallerCommon.dll String found in binary or memory: http://www.razerzone.com/comms
Source: Razer.RazerInstallerCommon.dll String found in binary or memory: http://www.razerzone.com/cortex
Source: Razer.RazerInstallerCommon.dll String found in binary or memory: http://www.razerzone.com/surround
Source: Razer.RazerInstallerCommon.dll String found in binary or memory: http://www.razerzone.com/synapse
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp, RazerInstaller.exe, cpprest140_2_10.dll String found in binary or memory: http://www.symauth.com/cps0(
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp, RazerInstaller.exe, cpprest140_2_10.dll String found in binary or memory: http://www.symauth.com/rpa00
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0/
Source: Razer.RazerInstallerCommon.dll String found in binary or memory: https://albedozero-staging.razerapi.com/password
Source: Razer.RazerInstallerCommon.dll String found in binary or memory: https://albedozero.razerapi.com/datapipelineQhttps://albedozero.razerapi.com/passwordihttps://albedo
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp, RazerInstaller.exe, cpprest140_2_10.dll String found in binary or memory: https://d.symcb.com/cps0%
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp, RazerInstaller.exe, cpprest140_2_10.dll String found in binary or memory: https://d.symcb.com/rpa0
Source: RazerInstaller.exe String found in binary or memory: https://discovery.razerapi.com:https://manifest.razerapi.com
Source: AWSSDK.Core.dll String found in binary or memory: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json
Source: RazerInstaller.exe String found in binary or memory: https://ec.razer.com
Source: NLog.dll String found in binary or memory: https://github.com/NLog/NLog.git
Source: Razer.RazerInstallerCommon.resources.dll String found in binary or memory: https://insider.razer.com
Source: AWSSDK.Core.dll String found in binary or memory: https://ip-ranges.amazonaws.com/ip-ranges.json
Source: AWSSDK.Kinesis.dll String found in binary or memory: https://kinesis.us-gov-east-1.amazonaws.com
Source: AWSSDK.Kinesis.dll String found in binary or memory: https://kinesis.us-gov-west-1.amazonaws.com
Source: NLog.dll String found in binary or memory: https://nlog-project.org/
Source: cmd.exe, 00000002.00000002.2285116581.0000000003370000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412537891.00000000001C3000.00000002.00000001.01000000.00000000.sdmp, ejhooxmigi.2.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199658817715
Source: cmd.exe, 00000002.00000002.2285116581.0000000003370000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412537891.00000000001C3000.00000002.00000001.01000000.00000000.sdmp, ejhooxmigi.2.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199658817715fgshMozilla/5.0
Source: cmd.exe, 00000002.00000002.2285116581.0000000003370000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412537891.00000000001C3000.00000002.00000001.01000000.00000000.sdmp, ejhooxmigi.2.dr String found in binary or memory: https://t.me/sa9ok
Source: cmd.exe, 00000002.00000002.2285116581.0000000003370000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412537891.00000000001C3000.00000002.00000001.01000000.00000000.sdmp, ejhooxmigi.2.dr String found in binary or memory: https://t.me/sa9okfgshhttps://steamcommunity.com/profiles/76561199658817715sql.dllsqlm.dllMozilla/5.
Source: cmd.exe, 00000002.00000002.2285116581.0000000003370000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412537891.00000000001C3000.00000002.00000001.01000000.00000000.sdmp, ejhooxmigi.2.dr String found in binary or memory: https://tufure.xyz
Source: cmd.exe, 00000002.00000002.2285116581.0000000003370000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412537891.00000000001C3000.00000002.00000001.01000000.00000000.sdmp, ejhooxmigi.2.dr String found in binary or memory: https://tufure.xyzCristina
Source: Razer.RazerInstallerCommon.resources.dll String found in binary or memory: https://twitter.com/intent/follow?screen_name=Razer
Source: Razer.RazerInstallerCommon.dll String found in binary or memory: https://u05srooyhc.execute-api.us-east-1.amazonaws.com/sts
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2289831307.000000000527F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp, RazerInstaller.exe String found in binary or memory: https://www.digicert.com/CPS0
Source: RazerInstaller.exe String found in binary or memory: https://www.newtonsoft.com/json
Source: RazerInstaller.exe String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: NLog.dll String found in binary or memory: https://www.nuget.org/packages/NLog.Web.AspNetCore
Source: RazerInstaller.exe String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe Code function: 0_2_005BFCEE NtQuerySystemInformation, 0_2_005BFCEE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0C0A5890 5_2_0C0A5890
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0C0914E0 5_2_0C0914E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0C0A7900 5_2_0C0A7900
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0C0A39E0 5_2_0C0A39E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0C0A3DF0 5_2_0C0A3DF0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0C0BA671 5_2_0C0BA671
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0C08E6D0 5_2_0C08E6D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0C0B1378 5_2_0C0B1378
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0C08ABB0 5_2_0C08ABB0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0C0A9700 5_2_0C0A9700
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\ejhooxmigi 53E1DB0A09087822E1A40B253C83ACD921F0CDCDF47F12C822ABD649FA17F990
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 460
Source: SetupSuite_21.8_win64_86_sm.exe Static PE information: invalid certificate
Source: SetupSuite_21.8_win64_86_sm.exe Static PE information: Resource name: RT_RCDATA type: PE32 executable (console) Intel 80386, for MS Windows
Source: SetupSuite_21.8_win64_86_sm.exe Static PE information: Number of sections : 11 > 10
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000000.1975517741.00000000016F2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameRazer Installer.exe@ vs SetupSuite_21.8_win64_86_sm.exe
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000000.1975517741.00000000016F2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameRzSDKClient.exeZ vs SetupSuite_21.8_win64_86_sm.exe
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2059867804.0000000005330000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SetupSuite_21.8_win64_86_sm.exe
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2063756868.0000000005C4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SetupSuite_21.8_win64_86_sm.exe
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2061696248.000000000553E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamezip.exe( vs SetupSuite_21.8_win64_86_sm.exe
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2043957617.0000000004F01000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRazer Installer.exe@ vs SetupSuite_21.8_win64_86_sm.exe
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2043957617.0000000004F01000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRzSDKClient.exeZ vs SetupSuite_21.8_win64_86_sm.exe
Source: SetupSuite_21.8_win64_86_sm.exe Binary or memory string: OriginalFilenameIonic.Zip.dllD vs SetupSuite_21.8_win64_86_sm.exe
Source: SetupSuite_21.8_win64_86_sm.exe Binary or memory string: OriginalFilenameIonic.Zip-2023Jul28-021849-577cc2fa-e620-4ba0-86f6-f94884a6f6a6.exe@ vs SetupSuite_21.8_win64_86_sm.exe
Source: SetupSuite_21.8_win64_86_sm.exe Binary or memory string: OriginalFilenameRazer Installer.exe@ vs SetupSuite_21.8_win64_86_sm.exe
Source: SetupSuite_21.8_win64_86_sm.exe Binary or memory string: OriginalFilenameRzSDKClient.exeZ vs SetupSuite_21.8_win64_86_sm.exe
Source: SetupSuite_21.8_win64_86_sm.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: RazerInstaller.exe Binary or memory string: c:\b\4741\2098\src\intermediate\System.Net.Http.2.0.csproj_f5d23ea6\Release\System.Net.Http.pdb
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/8@0/0
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1360
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5892:120:WilError_03
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe File created: C:\Users\user\AppData\Local\Temp\ef788a7f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SetupSuite_21.8_win64_86_sm.exe ReversingLabs: Detection: 54%
Source: SetupSuite_21.8_win64_86_sm.exe Virustotal: Detection: 39%
Source: explorer.exe String found in binary or memory: more-help
Source: explorer.exe String found in binary or memory: wild-stop-dirs
Source: SetupSuite_21.8_win64_86_sm.exe String found in binary or memory: <html><head><META http-equiv=Content-Type content="text/html; charset=utf-8"></head><body><!--StartFragment-->
Source: SetupSuite_21.8_win64_86_sm.exe String found in binary or memory: n<html><head><META http-equiv=Content-Type content="text/html; charset=utf-8"></head><body><!--StartFragment-->
Source: SetupSuite_21.8_win64_86_sm.exe String found in binary or memory: <!--StartFragment -->
Source: RazerInstaller.exe String found in binary or memory: /Adding UnityBootstrapperExtension to container.
Source: RazerInstaller.exe String found in binary or memory: M{72FC5BA4-24F9-4011-9F3F-ADD27AFAD818}
Source: RazerInstaller.exe String found in binary or memory: Setting [#] additivity to [/Adding appender named [
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe File read: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe
Source: unknown Process created: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe "C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe"
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 460
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe Section loaded: olepro32.dll
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: shdocvw.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SetupSuite_21.8_win64_86_sm.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SetupSuite_21.8_win64_86_sm.exe Static file information: File size 18984288 > 1048576
Source: SetupSuite_21.8_win64_86_sm.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x6d2c00
Source: SetupSuite_21.8_win64_86_sm.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xa5e800
Source: SetupSuite_21.8_win64_86_sm.exe Static PE information: More than 200 imports for user32.dll
Source: SetupSuite_21.8_win64_86_sm.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: RazerInstaller.exe
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll
Source: Binary string: C:\projects\msgpack-cli-x2p85\src\MsgPack\obj\Release\net35\MsgPack.pdbh source: RazerInstaller.exe
Source: Binary string: C:\projects\msgpack-cli-x2p85\src\MsgPack\obj\Release\net35\MsgPack.pdb source: RazerInstaller.exe
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll
Source: Binary string: D:\JenkinsWorkspaces\trebuchet-stage-release\AWSDotNetPublic\sdk\src\Services\Kinesis\obj\AWSSDK.Kinesis.Net45\Release\net45\AWSSDK.Kinesis.pdb source: AWSSDK.Kinesis.dll
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: api-ms-win-core-debug-l1-1-0.dll
Source: Binary string: concrt140.i386.pdbGCTL source: concrt140.dll
Source: Binary string: C:\jenkins\workspace\CommonTools\RazerInstaller_Master\DetectManagerWrapper\bin\Razer.DetectManagerWrapper.pdb source: Razer.DetectManagerWrapper.dll
Source: Binary string: C:\jenkins\workspace\CommonTools\Natasha_Master\Updater\UpdateUtility\obj\x86\Release\UpdateUtility.pdbP\ source: RazerInstaller.exe
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll
Source: Binary string: C:\Users\shikang.neoh\Desktop\cpprestsdk-master\Binaries\Win32\Release\cpprest140_2_10.pdb source: cpprest140_2_10.dll
Source: Binary string: glu32.pdb source: cmd.exe, 00000002.00000002.2285116581.00000000033A3000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412634634.00000000003E8000.00000008.00000001.01000000.00000000.sdmp, ejhooxmigi.2.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll
Source: Binary string: wntdll.pdb source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2059867804.000000000520D000.00000004.00000020.00020000.00000000.sdmp, SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2063756868.0000000005B20000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2285453916.0000000004ED5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2290342600.0000000005320000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412874246.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2413064510.000000000C170000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: Amsi.pdbGCTL source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2042878907.0000000003C11000.00000004.00000020.00020000.00000000.sdmp, SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2042878907.0000000003CBF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\jenkins\workspace\CommonTools\RazerInstaller_Master\RazerInstallerApp\obj\x86\Release\RazerInstaller.pdb| source: RazerInstaller.exe
Source: Binary string: D:\JenkinsWorkspaces\trebuchet-stage-release\AWSDotNetPublic\sdk\src\Services\Kinesis\obj\AWSSDK.Kinesis.Net45\Release\net45\AWSSDK.Kinesis.pdbSHA256 source: AWSSDK.Kinesis.dll
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll
Source: Binary string: C:\Kat\source_git\synapse3_tools\BLEConnect\Release\BLEConnectWrapper.pdb source: BLEConnectWrapper.dll
Source: Binary string: c:\Users\Aybe\Documents\GitHub\Windows API Code Pack 1.1\source\WindowsAPICodePack\Core\obj\Release\Microsoft.WindowsAPICodePack.pdb source: RazerInstaller.exe
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll
Source: Binary string: C:\Kat\source_git\synapse3_tools\BLEConnect\BLEConnect\obj\Release\BLEConnect.pdb source: BLEConnect.dll
Source: Binary string: c:\prj\PrismNew\Prism4\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism.UnityExtensions\obj\Release\Microsoft.Practices.Prism.UnityExtensions.pdb source: RazerInstaller.exe
Source: Binary string: C:\jenkins\workspace\CommonTools\RazerInstaller_Master\SafeExtractor\Release\SafeExtractor.pdb source: SetupSuite_21.8_win64_86_sm.exe
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll
Source: Binary string: C:\jenkins\workspace\CommonTools\RazerInstaller_Master\InstallerCleaner\obj\Release\RazerInstallerCleaner.pdb source: Razer.RazerInstallerCommon.dll
Source: Binary string: c:\prj\PrismNew\Prism4\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism.Interactivity\obj\Release\Microsoft.Practices.Prism.Interactivity.pdb source: RazerInstaller.exe
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: api-ms-win-core-errorhandling-l1-1-0.dll
Source: Binary string: /_/src/NLog/obj/Release/net46/NLog.pdb source: NLog.dll
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: api-ms-win-core-console-l1-1-0.dll
Source: Binary string: c:\prj\PrismNew\Prism4\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism.Interactivity\obj\Release\Microsoft.Practices.Prism.Interactivity.pdbh<~< p<_CorDllMainmscoree.dll source: RazerInstaller.exe
Source: Binary string: e:\ExpressionRTM\Sparkle\SDK\BlendWPFSDK\Build\Intermediate\Release\Libraries\System.Windows.Interactivity\Win32\Release\System.Windows.Interactivity.pdb source: RazerInstaller.exe
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll
Source: Binary string: C:\jenkins\workspace\CommonTools\RazerInstaller_Master\DetectManagerWrapper\bin\Razer.DetectManagerWrapper.pdb$$ source: Razer.DetectManagerWrapper.dll
Source: Binary string: C:\Dev\LightweightInstaller\3rd Party\DotNetZip\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb source: SetupSuite_21.8_win64_86_sm.exe, RazerInstaller.exe
Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll
Source: Binary string: c:\prj\PrismNew\Prism4\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism.UnityExtensions\obj\Release\Microsoft.Practices.Prism.UnityExtensions.pdb|[ source: RazerInstaller.exe
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll
Source: Binary string: c:\tfs\EL\V5-SL\UnityTemp\Compile\Unity\Unity.Configuration\Src\obj\Release\Microsoft.Practices.Unity.Configuration.pdb source: RazerInstaller.exe
Source: Binary string: c:\Users\Aybe\Documents\GitHub\Windows API Code Pack 1.1\source\WindowsAPICodePack\Shell\obj\Release\Microsoft.WindowsAPICodePack.Shell.pdbpZ source: RazerInstaller.exe
Source: Binary string: C:\jenkins\workspace\CommonTools\RazerInstaller_Master\RazerInstallerApp\obj\x86\Release\RazerInstaller.pdb source: RazerInstaller.exe
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll
Source: Binary string: C:\jenkins\workspace\CommonTools\RazerInstaller_Master\RazerInstallerCommon\obj\x86\Release\Razer.RazerInstallerCommon.pdb source: Razer.RazerInstallerCommon.dll
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: RazerInstaller.exe
Source: Binary string: C:\jenkins\workspace\CommonTools\RazerInstaller_Master\RazerInstallerCommon\obj\x86\Release\Razer.RazerInstallerCommon.pdbl source: Razer.RazerInstallerCommon.dll
Source: Binary string: c:\Code\Codeplex\Bootstrapper\Core\Bootstrapper\obj\Release\Bootstrapper.pdb source: RazerInstaller.exe
Source: Binary string: c:\Code\Codeplex\Bootstrapper\Extensions\Bootstrapper.Unity\obj\Release\Bootstrapper.UnityExtension.pdb source: RazerInstaller.exe
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll
Source: Binary string: c:\Code\Codeplex\Bootstrapper\Core\Bootstrapper\obj\Release\Bootstrapper.pdbt source: RazerInstaller.exe
Source: Binary string: wntdll.pdbUGP source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2059867804.000000000520D000.00000004.00000020.00020000.00000000.sdmp, SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2063756868.0000000005B20000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2285453916.0000000004ED5000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000002.00000002.2290342600.0000000005320000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412874246.000000000BD2A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2413064510.000000000C170000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll
Source: Binary string: c:\prj\PrismNew\Prism4\WorkingDir\PrismLibraryBuild\PrismLibrary\Desktop\Prism\obj\Release\Microsoft.Practices.Prism.pdb source: RazerInstaller.exe
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: api-ms-win-core-datetime-l1-1-0.dll
Source: Binary string: C:\jenkins\workspace\CommonTools\Natasha_Master\Updater\UpdateUtility\obj\x86\Release\UpdateUtility.pdb source: RazerInstaller.exe
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll
Source: Binary string: c:\Users\Aybe\Documents\GitHub\Windows API Code Pack 1.1\source\WindowsAPICodePack\Core\obj\Release\Microsoft.WindowsAPICodePack.pdb, source: RazerInstaller.exe
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll
Source: Binary string: c:\Users\Aybe\Documents\GitHub\Windows API Code Pack 1.1\source\WindowsAPICodePack\Shell\obj\Release\Microsoft.WindowsAPICodePack.Shell.pdb source: RazerInstaller.exe
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll
Source: Binary string: C:\Kat\source_git\synapse3_tools\BLEConnect\Release\BLEConnectWrapper.pdb%% source: BLEConnectWrapper.dll
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll
Source: Binary string: c:\b\4741\2098\src\intermediate\System.Net.Http.2.0.csproj_f5d23ea6\Release\System.Net.Http.pdb source: RazerInstaller.exe
Source: Binary string: glu32.pdbGCTL source: cmd.exe, 00000002.00000002.2285116581.00000000033A3000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.2412634634.00000000003E8000.00000008.00000001.01000000.00000000.sdmp, ejhooxmigi.2.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll
Source: Binary string: Amsi.pdb source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2042878907.0000000003C11000.00000004.00000020.00020000.00000000.sdmp, SetupSuite_21.8_win64_86_sm.exe, 00000000.00000002.2042878907.0000000003CBF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\JenkinsWorkspaces\trebuchet-stage-release\AWSDotNetPublic\sdk\src\Core\obj\AWSSDK.Core.Net45\Release\net45\AWSSDK.Core.pdb source: AWSSDK.Core.dll
Source: Binary string: c:\Projects\CommonServiceLocator\main\Microsoft.Practices.ServiceLocation.PortableClassLibrary\obj\Release\Microsoft.Practices.ServiceLocation.pdb source: RazerInstaller.exe
Source: Binary string: c:\tfs\EL\V5-SL\UnityTemp\Compile\Unity\Unity\Src\obj\Release\Microsoft.Practices.Unity.pdb source: RazerInstaller.exe
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll
Source: Binary string: concrt140.i386.pdb source: concrt140.dll
Source: Binary string: /_/src/NLog/obj/Release/net46/NLog.pdbSHA256OY source: NLog.dll
Source: Binary string: D:\JenkinsWorkspaces\trebuchet-stage-release\AWSDotNetPublic\sdk\src\Core\obj\AWSSDK.Core.Net45\Release\net45\AWSSDK.Core.pdbSHA256 source: AWSSDK.Core.dll
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll
Source: ejhooxmigi.2.dr Static PE information: real checksum: 0x409b9 should be: 0x351d8
Source: SetupSuite_21.8_win64_86_sm.exe Static PE information: section name: .didata
Source: ejhooxmigi.2.dr Static PE information: section name: gbdqkb
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0C0ACA00 push eax; ret 5_2_0C0ACA2E
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\ejhooxmigi
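The "real checksum ... should be ..." line above comes from recomputing the optional-header CheckSum and comparing it with the value the header carries. The following is an added example, not part of the sandbox report and not code from the sample: it implements that computation in pure Python (the same algorithm imagehlp's CheckSumMappedFile and pefile's generate_checksum use), reports the stored and recomputed values side by side, and shows how a post-link edit of a single byte produces exactly this kind of mismatch. The PE image it operates on is a constructed in-memory skeleton, not the dropped file.

```python
"""Recompute and verify the PE optional-header CheckSum (added example, not from the report).

Windows sums the file as DWORDs with the CheckSum field itself excluded, folds the
result to 16 bits and adds the file size. The loader only enforces the value for
drivers and a few system images, so a wrong value does not stop execution; it is an
indicator that the file was altered after the linker wrote the header (packer, patch,
builder), which is what the "invalid checksum" signature keys on.
The PE skeleton below is constructed in memory and is not a loadable binary.
"""
import struct


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Algorithm used by imagehlp CheckSumMappedFile (and pefile's generate_checksum).

    Sum the file as little-endian DWORDs, skipping the DWORD that holds the stored
    CheckSum, fold carries, reduce to 16 bits and add the file length.
    checksum_offset must be 4-byte aligned (true for any well-formed header).
    """
    checksum = 0
    padded = data + b"\0" * (-len(data) % 4)          # zero-pad the trailing DWORD
    for off in range(0, len(padded), 4):
        if off == checksum_offset:                     # the stored value is excluded
            continue
        checksum += struct.unpack_from("<I", padded, off)[0]
        if checksum >= 1 << 32:                        # fold the carry back in
            checksum = (checksum & 0xFFFFFFFF) + (checksum >> 32)
    checksum = (checksum & 0xFFFF) + (checksum >> 16)
    checksum += checksum >> 16
    checksum &= 0xFFFF
    return checksum + len(data)


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (0x40 into the optional header, PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20 + 0x40                    # PE\0\0 + IMAGE_FILE_HEADER + CheckSum


def verify_checksum(data: bytes) -> dict:
    """Compare the header value with the recomputed one, as the sandbox signature does."""
    off = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    computed = pe_checksum(data, off)
    return {"stored": stored, "computed": computed, "matches": stored == computed}


def fix_checksum(data: bytes) -> bytes:
    """Return a copy whose header CheckSum matches the file (what link.exe /RELEASE writes)."""
    off = checksum_field_offset(data)
    out = bytearray(data)
    struct.pack_into("<I", out, off, pe_checksum(out, off))
    return bytes(out)


def build_sample_pe(size: int = 0x200) -> bytes:
    """Constructed minimal PE32 skeleton: MZ stub, PE signature, file header, optional header."""
    img = bytearray(size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)            # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x014C, 1)       # Machine = i386, NumberOfSections = 1
    struct.pack_into("<H", img, 0x54, 0xE0)             # SizeOfOptionalHeader for PE32
    struct.pack_into("<H", img, 0x58, 0x10B)            # OptionalHeader.Magic = PE32
    return bytes(img)                                   # CheckSum at 0x98 left as 0


if __name__ == "__main__":
    raw = build_sample_pe()
    print("zero CheckSum:          ", verify_checksum(raw))
    linked = fix_checksum(raw)
    print("linker-written CheckSum:", verify_checksum(linked))
    patched = bytearray(linked)
    patched[0x180] ^= 0x41                              # post-link edit, header not refreshed
    print("patched after linking:  ", verify_checksum(bytes(patched)))
```

A stored value of zero is common for ordinary user-mode binaries whose linker was not asked to write one and is a weak signal on its own; a non-zero value that disagrees with the recomputation, as in the report, means the bytes changed after the header was written.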

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\EJHOOXMIGI
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: explorer.exe, 00000005.00000002.2412537891.00000000001C3000.00000002.00000001.01000000.00000000.sdmp Binary or memory string: AVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
Source: ejhooxmigi.2.dr Binary or memory string: AAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ejhooxmigi
Source: Amcache.hve.8.dr Binary or memory string: VMware
Source: explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0
Source: explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1!0
Source: Amcache.hve.8.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: SetupSuite_21.8_win64_86_sm.exe, 00000000.00000000.1974195403.00000000005A1000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: TatVirtualMachine|*
Source: explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1
Source: explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.0
Source: SetupSuite_21.8_win64_86_sm.exe Binary or memory string: VirtualMachines
Source: Amcache.hve.8.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: SetupSuite_21.8_win64_86_sm.exe Binary or memory string: TatVirtualMachine|*~
Source: SetupSuite_21.8_win64_86_sm.exe Binary or memory string: TatVirtualMachine;
Source: SetupSuite_21.8_win64_86_sm.exe Binary or memory string: :TatVirtualMachine.:5
Source: SetupSuite_21.8_win64_86_sm.exe Binary or memory string: :TatVirtualMachine.:1
Source: SetupSuite_21.8_win64_86_sm.exe Binary or memory string: :TatVirtualMachine.:3
Source: SetupSuite_21.8_win64_86_sm.exe Binary or memory string: :TatVirtualMachine.:4
Source: Amcache.hve.8.dr Binary or memory string: vmci.sys
Source: explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noreply@vmware.com0
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: SetupSuite_21.8_win64_86_sm.exe Binary or memory string: VirtualMachine
Source: Amcache.hve.8.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: SetupSuite_21.8_win64_86_sm.exe Binary or memory string: FVirtualMachine
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: explorer.exe, 00000005.00000002.2412988200.000000000C0CD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0/
Source: Amcache.hve.8.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: SetupSuite_21.8_win64_86_sm.exe Binary or memory string: TatVirtualMachines
Source: SetupSuite_21.8_win64_86_sm.exe Binary or memory string: TatVirtualMachine|*~\
Source: Amcache.hve.8.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: SetupSuite_21.8_win64_86_sm.exe Binary or memory string: FVirtualMachines
Source: Amcache.hve.8.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: SetupSuite_21.8_win64_86_sm.exe Binary or memory string: TatVirtualMachine
Source: SetupSuite_21.8_win64_86_sm.exe Binary or memory string: TatVirtualMachines#
Source: SetupSuite_21.8_win64_86_sm.exe Binary or memory string: :TatVirtualMachine.:2
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\explorer.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe Code function: 0_2_005C03BE mov eax, dword ptr fs:[00000030h] 0_2_005C03BE
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0C0873E0 mov eax, dword ptr fs:[00000030h] 5_2_0C0873E0
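Two of the indicators in this section can be reproduced statically: the `mov eax, dword ptr fs:[00000030h]` hits (code reading the PEB pointer from the TEB, the usual prelude to testing PEB.BeingDebugged or walking PEB.Ldr) and the run of analysis-tool DLL names found in explorer.exe memory and in the dropped file. The following is an added example, not part of the sandbox report and not code from the sample: a small triage pass over raw bytes that flags both. The byte patterns are the standard x86 encodings; the DLL names are the ones the report lists; the input buffer is constructed for the demonstration and the "three or more names" threshold is an assumption explained in the code.

```python
"""Static triage for two evasion indicators (added example, not from the report).

1. PEB access: 32-bit code doing `mov r32, dword ptr fs:[30h]` loads the PEB pointer from
   the TEB; what follows is usually `movzx eax, byte ptr [eax+2]` (BeingDebugged) or a
   walk of PEB.Ldr to enumerate loaded modules.
2. Analysis-tool module list: the concatenated DLL names the report found in memory are
   compared by the loader against its own module list.

The opcode scan is only meaningful for 32-bit code; in x64 code the same bytes decode
differently. The demo buffer is constructed and is not data from the sample.
"""
import re

# 0x64 = FS segment override. A1 = MOV EAX, moffs32. 8B /r = MOV r32, r/m32 with ModRM
# mod=00 rm=101 (bare disp32); the ModRM reg field selects the destination register.
_PEB_READ = re.compile(rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x35\x3D])\x30\x00\x00\x00", re.DOTALL)
_MODRM_REG = {0x05: "eax", 0x0D: "ecx", 0x15: "edx", 0x1D: "ebx", 0x35: "esi", 0x3D: "edi"}

# Names taken from the report's memory strings. Commonly attributed to: Sandboxie (SBIEDLL),
# Avast (SNXHK), Comodo (CMDVRT32/64), SysAnalyzer (API_LOG, DIR_WATCH), WPE Pro (WPESPY).
SANDBOX_DLLS = [
    b"AVGHOOKX.DLL", b"AVGHOOKA.DLL", b"SNXHK.DLL", b"SBIEDLL.DLL", b"API_LOG.DLL",
    b"DIR_WATCH.DLL", b"PSTOREC.DLL", b"VMCHECK.DLL", b"WPESPY.DLL", b"CMDVRT32.DLL",
    b"CMDVRT64.DLL",
]


def find_peb_reads(code: bytes) -> list:
    """Return [(offset, register)] for every `mov r32, fs:[0x30]` encoding in 32-bit code."""
    hits = []
    for m in _PEB_READ.finditer(code):
        enc = m.group(0)
        reg = "eax" if enc[1] == 0xA1 else _MODRM_REG[enc[2]]
        hits.append((m.start(), reg))
    return hits


def find_sandbox_dlls(blob: bytes) -> list:
    """Return [(offset, name)] for each listed DLL present as ASCII or UTF-16LE, case-insensitively."""
    upper = blob.upper()                       # bytes.upper() only touches ASCII letters
    found = []
    for name in SANDBOX_DLLS:
        for enc in (name, name.decode().encode("utf-16-le")):
            idx = upper.find(enc)
            if idx != -1:
                found.append((idx, name.decode()))
                break
    return sorted(found)


def triage(blob: bytes) -> dict:
    """Combine both checks. Threshold is an assumption: a single sandbox DLL name occurs in
    legitimate software (Sandboxie-aware applications); a list of three or more is the
    loader pattern seen in the report."""
    peb = find_peb_reads(blob)
    dlls = find_sandbox_dlls(blob)
    return {
        "peb_reads": peb,
        "sandbox_dlls": [name for _, name in dlls],
        "suspicious": bool(peb) or len(dlls) >= 3,
    }


# Constructed demo buffer: prologue, BeingDebugged check, PEB.Ldr fetch, then the DLL list
# stored as one run without separators, as the report shows it.
DEMO = (
    b"\x55\x8B\xEC"                        # push ebp; mov ebp, esp
    b"\x64\xA1\x30\x00\x00\x00"            # mov eax, dword ptr fs:[30h]   -> PEB
    b"\x0F\xB6\x40\x02"                    # movzx eax, byte ptr [eax+2]   -> PEB.BeingDebugged
    b"\x85\xC0"                            # test eax, eax
    b"\x64\x8B\x0D\x30\x00\x00\x00"        # mov ecx, dword ptr fs:[30h]
    b"\x8B\x49\x0C"                        # mov ecx, dword ptr [ecx+0Ch]  -> PEB.Ldr
    + b"\x00" * 16
    + b"AVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLL"
    b"VMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL"
)

if __name__ == "__main__":
    result = triage(DEMO)
    for off, reg in result["peb_reads"]:
        print(f"PEB read at +0x{off:x} into {reg}")
    print("sandbox DLL names:", ", ".join(result["sandbox_dlls"]))
    print("suspicious:", result["suspicious"])
```

Run against a memory dump (for example the explorer.exe region quoted above, once extracted) rather than the packed file on disk: the report found the DLL list in the dropped file and in injected memory, while the PEB reads in explorer.exe live in the injected code, not in explorer's own image.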

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe NtSetInformationThread: Direct from: 0x5C105F
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe NtQuerySystemInformation: Direct from: 0x76EE7B2E
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 1360 base: 3100000 value: 00
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 1360 base: 33DC2D8 value: 00
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 1360 base: 33DD1E8 value: 00
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 1360 base: CA79C0 value: 55
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 1360 base: 33DD008 value: 00
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 1360 base: 1A0000 value: 00
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: CA79C0
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 33DD008
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 1A0000
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\SetupSuite_21.8_win64_86_sm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ef788a7f VolumeInformation
Source: Amcache.hve.8.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 2.2.cmd.exe.33700c8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.cmd.exe.33700c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2412537891.00000000001C3000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2285116581.0000000003370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 3092, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 1360, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\ejhooxmigi, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 2.2.cmd.exe.33700c8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.cmd.exe.33700c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2412537891.00000000001C3000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2285116581.0000000003370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 3092, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 1360, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\ejhooxmigi, type: DROPPED
No contacted IP infos